FISMA guide updated to reflect APT, mobile threats
- By William Jackson
- Mar 12, 2012
The set of security controls that form a foundation for compliance with the Federal Information Security Management Act is being updated to reflect the latest cybersecurity threats.
The National Institute of Standards and Technology, in collaboration with the military and intelligence communities, has released for comment Revision 4 of its "Security and Privacy Controls for Federal Information Systems and Organizations" (Special Publication 800-53).
The draft, which is expected to be finalized in July, is the culmination of a yearlong initiative to update the catalog of security controls for federal IT systems. It is being conducted as part of the Joint Task Force Transformation Initiative.
NIST releases 'historic' final version of Special Publication 800-53
NIST releases final piece of IT security foundation
“The proposed changes included in Revision 4 are directly linked to the current state of the threat space,” according to the draft document. “Many of the changes were driven by particular cybersecurity issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat.”
Major changes proposed in Revision 4 of the document include new security controls and clarifications in language, new privacy controls and implementation guidance, and revised requirements for minimum assurances.
The current version of SP 800-53, Revision 3, was called historic on its release in 2009 because it represented the first effort to develop a unified information security framework for federal IT systems, including national security systems not covered by FISMA that previously had adhered to a separate set of security requirements.
The controls included in the latest draft are intended to provide the needed tools to implement effective risk-based security programs and reflect the trend under FISMA to near-real-time risk management based on continuous monitoring.
SP 800-53 is intended to be used in conjunction with Federal Information Processing Standards 200, "Minimum Security Requirements for Federal Information Systems," a mandatory standard. FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," provides a framework for determining the appropriate level of security required.
The new risk areas being addressed are, for the most part, not broken out in separate sections but are distributed throughout the catalog of controls. The exception is a separate section on privacy controls that is included in Appendix J.
The proposed privacy controls include administrative, technical and physical safeguards for the protection of personally identifiable information, whether in paper or electronic form. They provide a road map for identifying and implementing privacy controls over the life of personal information in all formats.
Privacy controls are broken out in a separate appendix because although security and privacy are complementary, they are separate challenges. Effective privacy requires adequate security to ensure confidentiality but also includes the principles of transparency, notice and choice for the subjects of that information.
The proposed revision of SP 800-53 draws on the experience of a variety of government and nongovernmental sectors, including audit, financial, health care and industrial process control industries, as well as the defense and intelligence communities. The security controls included in the document are intended not only to protect IT systems and the information they contain but also to allow demonstration of compliance with government and industry regulations and requirements.
Each organization must select and implement the appropriate controls depending on its requirements and risks.
Comments on draft SP 800-53 should be made by April 6 to email@example.com. NIST says it does not anticipate any more comment periods before final publication, expected in July.
William Jackson is freelance writer and the author of the CyberEye blog.