This special blog post highlights NIST's publication of its Recommended Security Controls for Federal Information Systems and Organizations guidance.
Have another great week.
Dan Swanson
NIST released Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, on July 31, 2009.
Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and civil agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems.
In addition to the expansion of the security control catalog, Special Publication 800-53, Revision 3 contains significant changes, including:
– A simplified, six-step Risk Management Framework;
– Additional security controls and control enhancements for advanced cyber threats;
– Recommendations for prioritizing or sequencing security controls during implementation or deployment;
– Revised security control structure with a new references section;
– Elimination of security requirements from Supplemental Guidance sections;
– Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services;
– Updates to security control baselines consistent with current threat information and known cyber attacks;
– Organization-level security controls for managing information security programs;
– Guidance on the management of common controls within organizations; and
– Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.
The important changes described in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation.
Following the final publication of Special Publication 800-53, Revision 3, the collaborative work between the national security and non-national security communities will continue with updates to other key publications such as:
– NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Information Systems;
– NIST Special Publication 800-39, Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View;
– NIST Special Publication 800-30, Guide for Conducting Risk Assessments; and
– NIST Special Publication 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations.
The NIST CSRC Special Publications website is here.
The NIST FISMA Implementation Project website is located here.
The schedule for the development of all key FISMA-related publications, based on new milestones established among the participating partners in the Joint Task Force Transformation Initiative, can be found here.
Comments should be forwarded via email to sec-cert@nist.gov.
Ron Ross
Project Leader, FISMA Implementation Project