Training 3 - Annual Computer Security Applications Conference (ACSAC) 2009

Training TR3 – Cyber Security Controls: NIST SP 800-37

Dr. Ron Ross, National Institute of Standards and Technology

Thursday, December 10th, 13:30-15:00

The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), recently updated Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, (formerly the security certification and accreditation guideline). The revised publication transforms the traditional static, stovepiped certification and accreditation process into a process that supports near real-time risk management. This session describes how the process of certification and accreditation is integrated into the Risk Management Framework, and focuses on the continuous monitoring of security controls to determine the security state of organizational information systems and environments of operation.

Prerequisites

None

About the Instructor

Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project for NIST, which includes the development of key security standards and guidelines for the federal government, support contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication 800-53 (security controls guideline), NIST Special Publication 800-53A (security assessment guideline), NIST Special Publication 800-37 (security certification and accreditation guideline), and NIST Special Publication 800-39 (risk management guideline). Dr. Ross is also the principal architect of the NIST Risk Management Framework that provides a disciplined and structured methodology for integrating the suite of FISMA security standards and guidelines into a comprehensive enterprise-wide information security program.