NIST posts security control guidelines for comment
- By William Jackson
- Nov 14, 2003
The National Institute of Standards and Technology yesterday released an initial public draft of recommended security controls for federal information systems. The guidelines for mandatory controls are expected to go into effect in two years.
The agency's IT Laboratory drafted Special Publication 800-53 under the Federal Information Security Management Act. SP 800-53 is one of seven NIST publications to be completed over the next two years as a security framework.
Federal Information Processing Standard Publication 200, 'Minimum Security Controls for Federal Information Systems,' will replace SP 800-53 in late 2005 and will be mandatory for government systems not involved in national security.
Controls include management, operational and technical safeguards and countermeasures that ensure the confidentiality, integrity and availability of government systems.
The current 238-page report is preliminary and covers only guidelines for low and moderate security baselines. 'For the high baseline, the number of security controls will increase significantly,' the report said. That section will be added to the guidelines next year.
NIST will host a workshop on the high security guidelines at its Gaithersburg, Md., headquarters in March. Public feedback is a prerequisite for moving forward on a high security baseline, the report said.
NIST's Computer Security Division will accept comments on the initial draft of SP 800-53 until Jan. 31, 2004, by e-mail to email@example.com, or by postal mail to 100 Bureau Dr., Mail Stop 8930, Gaithersburg, Md., 20899-8930.
William Jackson is a Maryland-based freelance writer.