Federal IT security recommendations released in final NIST draft

The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.

The controls are included in the final draft version of Special Publication 800-53, Revision 3, titled “Recommended Security Controls for Federal Information Systems and Organizations,” released yesterday.

NIST called the document, which is expected to be finalized July 1, historic.

“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national-security systems,” NIST said. “The updated security control catalog incorporates best practices in information security from the United States Department of Defense, intelligence community and civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.”

SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act. This revision is the first major update of these guidelines since their initial publication in December 2005. The document specifies the baseline security controls needed to meet the mandatory requirements of Federal Information Processing Standard (FIPS) 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” and FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”

The controls specified in SP 800-53 are updated regularly, and this version represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems designated as national security systems.

“NIST handles the non-national-security side of the house,” said Ron Ross, who is NIST’s FISMA implementation lead.

The military and intelligence communities in the past issued their own requirements and recommendations for national security systems, and until recently there has been little coordination between the two sides. But for the past two years, NIST has been cooperating with the Defense Department and the Office of the Director of National Intelligence on the Committee on National Security Systems to bring the various communities closer together, improve overall security and reduce duplicate efforts.

“A common foundation for information security will provide the intelligence, defense, and civil sectors of the federal government and their support contractors, more uniform and consistent ways to manage the risk to organizational operations and assets, individuals, other organizations, and the nation that results from the operation and use of information systems,” the document says. “NIST is also working with public- and private-sector entities to establish specific mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission 27001, Information Security Management System.”

Other significant changes in this revision of SP 800-53 include:

  • A simplified, six-step Risk Management Framework.
  • Additional security controls and control enhancements for advanced cyber threats.
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment.
  • Revised security control structure with a new references section to list applicable federal laws, executive orders, directives, policies, standards and guidelines related to a control.
  • Elimination of security requirements from Supplemental Guidance sections.
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services.
  • Updates to security control baselines consistent with current threat information and known cyber attacks.
  • Removal of the FIPS 199 security control baseline allocation bar resident with each control.
  • Organization-level security controls for managing information security programs.
  • Guidance on the management of common controls within organizations.
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

Comments on the final draft of the publication will be accepted until June 30, 2009, and should be sent to

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Fri, Jun 19, 2009 mlandry Wash. DC

IA comes in two flavors. The current "market" view of Information Assurance is a tech-heavy individual that can do the hands-on security operations needed to manage the operational and technical side of the IT Security equation. The "academic" view of IA is an individual that is capable of understanding and applying the "governance" side of the IT Security equation. SP800-53R3 speaks to the academic side of IT Security more than the previous versions. The focus of IT Security is changing and the emphasis is going to plan and program development as well as the ops and tech sides. Many CIOs are not aware of the need for good governance practices for managing their IT Security programs. SP800-53 is the beginning of a new conversation that opens the door to the governance processes and firmly puts the need for solid program planning and documentation into the IT Security mix.

Mon, Jun 15, 2009 davidc Atlanta GA

The new document is a good step forward in defining the requirements, but more importantly, it provides guidance on what the feds think is important, and the level of detail needed. If you jump into FISMA, the extent of documentation is overwhelming. This update is a good thing if you are trying to understand the intent. Compliance.....we'll get to that eventually.

Mon, Jun 8, 2009 tuomoks Chicago

Agree with Roxanne, good news for IA specialists. But maybe not for the same reasons, or maybe I don't know what an "IA specialist" is anymore? NIST does and has always(?) done good work. Almost all coming out from NIST is "common sense" which normally wouldn't even need to be written down, but today when / if you haven't memorized a recommendation, standard, vendor Q&A, etc. (usually old already when published) to get "certified" by some commercial entity (not gov. accredited?), etc., you are not supposed to know which button to push? Seriously, there is a reason NIST documents, standards, regulations, etc. are written in high-school-level language - easy to understand! Anyone can read them, not depend on, sometimes not so good, "teachers" who work for money but have actually no idea what the ideas / etc. they teach mean! Yes, we need operators, oops - sorry, administrators, who know which button to push, not why, on all levels, but NIST recommendations are mostly (all?) way over that level - or?

Sat, Jun 6, 2009 Roxanne Liebermann, CISSP, ISSEP Ft Meade MD

This is wonderful news for IA specialists.

Fri, Jun 5, 2009

You "assume" agencies are already appropriately staffed at levels to meet the current control level requirements.
