NIST issues final draft of IT security controls

NIST issues final draft of IT security controls

The National Institute of Standards and Technology has released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.

The agency's IT Laboratory says this third version of Special Publication 800-53 contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced as required by the Federal Information Security Management Act.

NIST released the initial draft in November 2003 and the second last September. Comments on the current draft can be e-mailed to the agency's Computer Security Division until Feb. 11.

The agency expects a final version to get Commerce Department approval by the end of February.

'SP 800-53 has special significance in that the security controls contained in the recommended baselines will form the basis for those controls that will become mandatory in December 2005,' NIST said in releasing the publication. 'At that time, FIPS 200, Minimum Security Controls for Federal Information Systems, will take effect and be applicable to all federal information systems other than national security systems.'

The controls include management, operational and technical safeguards, and countermeasures that ensure the confidentiality, integrity and availability of government systems. They create baseline configurations for low, moderate and high risk systems.

Changes in the current draft include:

  • The class designations management, operational and technical have been reinstated to more closely conform to the existing organization of agencies' security programs.


  • Guidance has been enhanced for evaluating public access systems and addressing scalability, with expanded risk-based considerations to provide more flexibility in establishing appropriate controls.


  • The concept of compensating security controls has been added to allow for equivalent or comparable controls not included in the publication.


  • The low baseline security controls have been adjusted to reduce the minimum controls for low-impact systems.


  • A new set of application-level security controls has been added.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • Get ready for IoT-enabled threats

    Mirai creators helping FBI crack cybercrime cases

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group