This special blog is to highlight the NIST’s publication of their Recommended Security Controls for Federal Information Systems and Organizations guidance.


Have another great week.


Dan Swanson



NIST released Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, on July 31, 2009.


Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.


The standardized set of management, operational, and technical controls provide a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems.


In addition to the expansion of the security control catalog, Special Publication 800-53, Revision 3 contains significant changes including:


– A simplified, six-step Risk Management Framework;


– Additional security controls and control enhancements for advanced cyber threats;


– Recommendations for prioritizing or sequencing security controls during implementation or deployment;


– Revised security control structure with a new references section;


– Elimination of security requirements from Supplemental Guidance sections;


– Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services;


– Updates to security control baselines consistent with current threat information and known cyber attacks;


– Organization-level security controls for managing information security programs;


– Guidance on the management of common controls within organizations; and


– Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.


The important changes described in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation.


Following the final publication of Special Publication 800-53, Revision 3, the collaborative work between the national security and non national security communities will continue with updates to other key publications such as:


– NIST Special Publications 800-37, Applying the Risk Management Framework to Federal Information Systems;


– NIST Special Publication 800-39, Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View;


– NIST Special Publication 800-30, Guide for Conducting Risk Assessments; and


– NIST Special Publication 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations.


The NIST CSRC Special Publications website is here.


The NIST FISMA Implementation Project website is located here.


The schedule for the development of all key FISMA-related publications based on new milestones established among the participating partners in the Joint Task Force Transformation Initiative can be found here.


Comments should be forwarded via email to sec-cert@nist.gov


Ron Ross
Project Leader, FISMA Implementation Project
