Draft guidance from the National Institute of Standards and Technology issued last week, pushes government agencies to adopt a comprehensive, continuous approach to cybersecurity, tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits.
The guidance, encapsulated in a draft revision to NIST Special Publication 800-37, will likely be finalized early next year. While federal agencies aren't required to follow all of its recommendations, NIST is officially charged with creating standards for compliance with the Federal Information Systems Management Act, (FISMA), which sets cybersecurity requirements in government, so this guidance should at the very least be influential.
As official statistics show attacks on the federal government continuing to rise, the Government Accountability Office and agency inspector generals have repeatedly found the federal government or particular agencies falling short of the spirit of FISMA, if not its letter. Meanwhile, critics have repeatedly found fault with either FISMA or its implementation in practice, saying that it doesn't do enough to ensure that government agencies remain consistently vigilant about cybersecurity.
The link for this article located at Information Week is no longer available.