Not all security controls the National Institute of Standards and Technology provides are completely mandatory, according to the Department of Homeland Security’s cyber division.
The division's fiscal 2012 guidance to auditors says that the NIST control catalog, Special Publication 800-53, allows flexibility in how its controls are applied, Fierce Government IT reports.
The division said there is considerable flexibility in applying controls as long as the agency can do so in a documented risk-based manner.
Auditors are set to assess agency cybersecurity efforts under the Federal Information Security Management Act, which requires agencies to choose and implement specified security controls.
The cyber division cautions that there are circumstances where it is not appropriate to implement every possible security measure listed in the NIST control set.
Computers that are used to perform real-time control, for example, would not benefit from session lock and screen saver when the computer is inactive.
The division said that a session lock could disrupt the mission the computer is supporting, and that it would not be advisable for air traffic controllers, for example, to implement this control.
Agencies have the option to pursue alternate controls in place of those recommended in SP 800-53 if the alternative is cost-effective and secure and the agency can justify it, the division said.
NIST also recently assessed organizations’ ability to conduct identity verification with iris scans and algorithms.