This rule severely downgrades existing recommendations in place by the NIST regarding the proper procedures and controls that should be used to protect federal information systems. Be consistent -- it would be much more effective to require contractors servicing federal information systems to adhere to the same standards required of federal agencies by the NIST SP 800-x series and FISMA that are established best practice norms. Supporting these requirements will also drive a norm of adoption in the civilian marketplace, further enhancing our nation's security.
I would also recommend that contractor information security employees be required to obtain the same levels of certification and training as is seen in DOD 8570 guidelines that many civilian employers also refer to as the "norm". Most reputable employers either require new hires (or contractors) to have certifications in place at the time of hire, or require their adoption within a certain date -- often 6 months.
-- Kathleen Jungck, CISSP, MS ITM - IAAS
Comment on FR Doc # 2012-20881
This is comment on Proposed Rule
Federal Acquisition Regulations: Basic Safeguarding of Contractor Information Systems; FAR Case 2011–020