Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (Draft)
"Traditionally, information security and capital planning have been treated as separate activities by security and capital planning practitioners. However, with Federal Information Security Management Act (FISMA) legislation, existing federal regulations charge agencies with integrating the two activities. Additionally, with increased competition for limited federal budgets, agencies must effectively integrate their information security and capital planning processes. This guidance discusses how information security considerations, including continuous monitoring, Plans of Action and Milestones (POA&M), external evaluations, new mandates, evolving threats, and system life cycle considerations, impact capital planning considerations. This guidance also discusses considerations and frameworks agencies can use to prioritize security investments and help ensure that security concerns are incorporated into the capital planning process to deliver maximum security and mission value to the agency. […] Information security is an important element in the planning, acquisition and management of federal information systems. Information security drivers impact an investment's business requirements and must be addressed throughout the Select, Control and Evaluate life cycle phases. Planning for information security is strategically important to ensure that the investment is adequately funded to satisfy information security requirements and that cost-effective security controls are in place to meet information security requirements and to protect the investment's information assets."
NIST Special Publication 800-65, Revision 1 (Draft)
National Institute of Standards and Technology: http://www.nist.gov/