With the release of the Federal Information Security Management Act (FISMA) in 2002, the need for information technology (IT) security guidance within the federal community has increased. Capital planning was once seen as applying primarily to IT systems. With FISMA underscoring the emphasis on IT security at both the system and enterprise levels, security investments must now be brought into the capital planning process. FISMA, the Clinger-Cohen Act, and other associated guidance and regulations, including Office of Management and Budget (OMB) Circulars A-11 and A-130, charge agencies with integrating IT security into the capital planning and investment control (CPIC) process. Determining the benefit to the agency from IT security investments is a key criterion of IT security planning. Traditionally, security and capital planning practitioners have treated IT security and capital planning as separate activities. However, with FISMA legislation and existing federal regulations charging agencies with integrating the two activities, and with increased competition for limited federal budgets, agencies must effectively integrate their IT security and capital planning processes. This guidance introduces common criteria against which agencies can prioritize security activities and ensure that corrective actions identified during the FISMA reporting process are incorporated into the capital planning process, so as to deliver maximum security and financial benefit to the agency.

This special publication was developed under the assumption that the reader possesses a basic familiarity with the requisite IT security and capital planning guidance and legislation, including FISMA, OMB Circulars A-11 and A-130, the Clinger-Cohen Act, and NIST special publications, and with IT security controls and requirements. While detailed knowledge of these regulations and guidance documents is not essential to understanding this special publication, a basic familiarity with them would assist with comprehension of this document.

The National Institute of Standards and Technology (NIST) first explored this topic in its 2002–2003 Return on Security Investment (ROSI) study. During this effort, NIST interviewed Chief Information Officers (CIO), Chief Financial Officers (CFO), and Chief Technology Officers of federal agencies and private sector companies to generate a common body of knowledge and to identify best practices for returns on IT security investments in both the public and private sectors. NIST used the information collected through the ROSI study as the foundation for a workshop on integrating security and capital planning efforts. On June 4, 2003, and June 30, 2003, NIST presented two sessions of a workshop entitled Integrating IT Security into the Capital Planning and Investment Control Process. Over 200 members of the federal community attended the two workshops, where they learned how to prioritize security investments to ensure that the most cost-effective, highest-impact investments would receive funding. This document captures and expands upon the proceedings of the two workshops, including the prioritization process.