Educause Security Discussion mailing list archives

Re: Security Program: NIST, ISO, other?
From: Alan <astockdale () EDC ORG>
Date: Thu, 17 Jan 2013 11:04:08 -0500

For federal contract work that is subject to FISMA, implementation of the NIST Risk Management Framework is a requirement (i.e. NIST SP800-37, NIST SP800-53 controls, etc.). There is no other option. A lot of institutions seem to carve out an enclave for that type of work as it is demanding to implement the RMF system-wide. Since 2010, when OMB started requiring the Inspectors General to assess agency oversight of contractor FISMA compliance, the security requirements in federal contract RFPs have become a lot more explicit and demanding.

UT and UC have some useful webinars on FISMA:

Federal Information Security Comes to Higher Education

FISMA Compliance

Alan Stockdale
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313


On 1/17/2013 9:36 AM, Wright, A J (A. J.) wrote:
Hello all,

At the University of Tennessee, our security program is based on the NIST 800 Series special publications rather than ISO 27001. While we don't claim to implement 100% of it (it wouldn't be appropriate), we're making heavy use of FIPS199, 800-37, 800-53, 800-66, etc.

I've had staff calling and emailing around asking this, but I figured I'd ask this list also: what is your school's security program based on?

A. J. Wright
Chief Information Security Officer

University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637
Email: ajw () tennessee edu
