Comments Requested on Risk Management Publication

The National Institute of Standards and Technology (NIST) has released the second public draft of NIST Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective, for comment. This is the flagship publication in a series of standards and guidelines developed by NIST that relate to the Federal Information Security Management Act.

Information technology is critical to the nation’s economy, and threats to information systems are real and costly. These dangers can come from human error, environmental problems and planned attacks. They can compromise information confidentiality, integrity and availability.

Special Publication 800-39 provides a framework for managing the risk arising from the operation and use of information systems and is built upon a common foundation of best security practices. The target audience for this publication includes agency heads, chief information officers, information system designers, developers and administrators, auditors and inspectors general.

NIST is responsible for establishing information security standards and guidelines for federal agencies that own and operate information systems processing, storing or transmitting other than classified, national security-related information. The agency also works closely with the Office of the Director of National Intelligence and the Department of Defense to develop key information security standards and guidelines for use across the federal government.

The public comment period is from April 7-30, 2008. Comments should be emailed to sec-cert@nist.gov.