NIST releases 'historic' final version of Special Publication 800-53
The agency also released a draft of specs for SCAP
- By William Jackson
- Aug 03, 2009
The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.
The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released Friday.
NIST called the document historic.
“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems,” the agency said. “The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.”
A draft version of the document was released in June for public comment. This is the final version of the guidelines.
NIST also has released a draft of SP 800-126, “The Technical Specification for the Security Content Automation Protocol (SCAP),” for public comment. SCAP comprises specifications for the standardized organization and expression of security-related information. SP 800-126 provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.
SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act. This revision is the first major update of these guidelines since its initial publication in December 2005. It specifies the baseline security controls needed to meet the mandatory requirements of Federal Information Processing Standards 199, “Standards for Security Categorization of Federal Information and Information Systems,” and FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”
The controls specified in SP 800-53 are regularly updated, and this version represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems identified as national security systems.
The military and intelligence communities in the past issued their own requirements and recommendations for national security systems and until recently there has been little coordination between the two sides. But for the past two years NIST has been cooperating with the Defense Department and the Office of the Director of National Intelligence on the Committee on National Security Systems to bring the various communities closer together, improve overall security and reduce duplicate efforts.
The management, operational and technical controls in SP 800-53 Revision 3 provide a common information security language for all government information systems. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats and exploits. Significant changes in this revision of the document include:
- A simplified, six-step Risk Management Framework;
- Additional security controls and enhancements for advanced cyber threats;
- Recommendations for prioritizing security controls during implementation or deployment;
- Revised security control structure with a new references section;
- Elimination of security requirements from Supplemental Guidance sections;
- Guidance on using the Risk Management Framework for legacy information systems and for external information system services providers;
- Updates to security control baselines based on current threat information and cyber attacks;
- Organization-level security controls for managing information security programs;
- Guidance on the management of common controls within organizations; and
- Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.
The collaborative work between the national security and non-national security communities will continue with updates to other key NIST special publications including:
- 800-37, “Applying the Risk Management Framework to Federal Information Systems;”
- 800-39, “Integrated Enterprise-wide Risk Management: Organization, Mission and Information Systems View; ”
- 800-30, “Guide for Conducting Risk Assessments;” and
- 800-53A, “Guide for Assessing Security Controls in Federal Information Systems and Organizations.”
Participating partners in the Joint Task Force Transformation Initiative have established a schedule for development of all key FISMA-related publications that can be found at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.
The draft SP 800-126 is intended to facilitate development of interoperable SCAP tools and content and defines SCAP Version 1.0. This technical specification describes the requirements and conventions to ensure consistent and accurate exchange of SCAP content and its use on SCAP validated tools. It is technically oriented, and assumes a basic understanding of system security.
SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations. It includes software flaw and security configuration standard reference data, provided by the National Vulnerability Database (NVD), is managed by NIST and sponsored by the Homeland Security Department. SCAP supports automated vulnerability checking, technical control compliance activities and security measurement. Government, in cooperation with academia and private industry, is adopting SCAP and encourages its use to automate security activities.
SCAP 1.0 contains six specifications grouped into three categories:
- Languages. The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms and assessment results.
- Enumerations. Each SCAP enumeration defines a standard nomenclature or naming format and an official dictionary or list of items expressed using that nomenclature.
- Vulnerability measurement and scoring systems. In SCAP, this refers to evaluating specific characteristics of a vulnerability and generating a score for the vulnerability’s severity.
Comments on draft SP 800-126 should be sent by Aug. 31 to firstname.lastname@example.org with "Comments SP 800-126" in the subject line.
William Jackson is freelance writer and the author of the CyberEye blog.