Sunday, August 5, 2007

Update, C&A, FISMA

The auditors we hired to perform the external Security Test and Evaluation (ST&E) for our Certification and Accreditation (C&A) were onsite last week for the second phase of their testing. Things look good so far, and we are waiting on their final report.

I was at the University of California Information Technology Policy and Security meeting in Santa Cruz last week. Among the topics covered, an early discussion of the security and policy implications of the dedicated on-demand network connections being proposed throughout the R&E community turned out to be especially interesting. Steve Lau and I gave a presentation about NIST and did some theorizing about the misapplication of FISMA to university grants and government partnerships. If you listen to my interview at Educause 2005, you can hear the outline of the problem we are seeing.

Basically, as agencies like the VA get into trouble, you see broader (and improper) readings of the FISMA "on behalf of" and "government information" definitions, which are so broad that they can be read to trigger the FISMA requirements in pretty much any situation in which the government is involved, including research grants. The result is that small university research environments could end up having to run Certification and Accreditation processes simply because they receive Federal funds. Not good.


1 Comment:

At August 9, 2007 4:19 AM, Blogger rybolov said...

Depends on what you use the system and the data for. If it's just research with no live data, then

Have a look at section 2.4 of NIST SP 800-53. Basically, you're a service provider and the government needs to use compensating controls just like it would for any contractor.

The problem for the government is that they have a dependency on private industry and the university system. It's too easy for them to try to boil the ocean, when there isn't really a noticeable value out of all that effort.
