FEDweek IT

The National Institute of Standards and Technology has published supplemental guidance intended to clarify and amplify current guidance on information security authorizations to deploy systems, such as that found in its Guide for Applying the Risk Management Framework to Federal Information Systems.

OMB required NIST to publish guidance establishing a process and criteria for agencies to conduct ongoing assessments and authorizations, ahead of a requirement that agencies adopt continuous diagnostics and mitigation as their approach to securing all systems by 2017.

The supplement describes a risk management framework for a more flexible, dynamic approach to effectively managing information system-related security risk in highly diverse environments and throughout the system development life cycle.

It also covers security authorization, information security continuous monitoring, ongoing authorization, system and organizational conditions for implementation, information generation and collection, criteria for ongoing authorization and reauthorization, the authorization process, and transitioning from static to ongoing authorization to operate systems.

Link: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=916095