PRISMA
Situation: Each federal agency must implement and maintain an active information technology security program that adequately secures agency information assets. An agency's IT security program must: (1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and (2) protect information commensurate with the level of risk and magnitude of harm resulting from the information's loss, misuse, unauthorized access, or modification. The mission of the National Institute of Standards and Technology's (NIST) Computer Security Division is to assist agencies in improving their security posture.
Analysis: An independent expert assessment of an agency's IT security maturity level would help the agency determine its strengths and weaknesses so that it could prioritize its limited resources for more effective investments.
Solution: System 1 was selected to update and enhance the CSEAT (Computer Security Expert Assist Team) methodology to reflect new standards and public laws, and to provide federal agencies with a business-case-based roadmap to cost-effectively enhance the protection of information system assets. System 1 developed CSEAT and has reviewed several agencies. PRISMA (Programmatic Review of Information Security Management Activities) uses the newest computer security requirements and guidance to establish a strong link between the types of information (NIST SP 800-60), their classification (FIPS 199), required security controls (NIST SP 800-53), and accreditation and certification of systems (NIST SP 800-37). This is the first NIST effort that integrates the new and revised requirements (such as FISMA) and standards relating to information security and certification and accreditation into a single, up-to-date construct. The methodology is hierarchical, which allows agencies to quickly pinpoint areas of weakness and eliminates the often long and costly assessment period, so that these dollars can be used for corrective action. PRISMA is expected to be endorsed by the Office of Management and Budget (OMB) in FY04.





