This week we heard about CAG, the Consensus Audit Guidelines, and people have been asking us how it relates to FISMA and NIST. The CAG is not meant to be a comprehensive information security fix. Its list of twenty control objectives is prioritized based on the results of the Commission on Cyber Security for the 44th Presidency and addresses the known high-priority attacks. It is not a comprehensive list of controls for auditors and other information security professionals. It is a cybersecurity band-aid for the time being.
The National Institute of Standards and Technology (NIST), on the other hand, has developed an extensive and powerful library of standards. These standards are for not only complying with Federal IT security requirements, but standardizing and improving a security program as a whole. “We included many of the same control elements addressed in the CAG initiative,” said Ron Ross, senior computer scientist at NIST. “Security managers need to take a holistic approach to a challenging set of problems,” he said. “The controls work as an interlocking set.”
To Learn More:
NIST Computer Security Resource Center:
http://csrc.nist.gov/
“Consensus Audit Guidelines no substitute for FISMA guidance” by William Jackson
http://gcn.com/Articles/2009/02/24/CAG-no-substitute-for-FISMA.aspx?Page=1