NIST issues revised IT security controls

Agencies now have updated guidelines for selecting and specifying security controls for all IT systems, including hardware and software such as personal digital assistants and administrative services.

The National Institute of Standards and Technology yesterday released Special Publication 800-53, Revision 1 that details 'broadly developed' approaches to improve federal IT security.

NIST issued SP 800-53 in February 2005 and has to update it every two years. This update lays out 17 minimum security controls agencies must meet, said Ron Ross, NIST's senior computer scientist, earlier this year.

The authors of the document, which included Ross, also said the new version is to be used in conjunction with Federal Information Processing Standard 200, which outlines minimum security requirements for federal information systems.

'The objective of [800-53] is to provide a set of security controls that is sufficiently rich to satisfy the breadth and depth of security requirements levied on information systems,' the document said. '[A]nd that is consistent with and complementary to other established security standards.'

The authors also said 800-53 is intended to be a 'starting point' to determine how much risk an agency can endure on its IT systems.

In addition to SP 800-53, NIST issued a white paper entitled Managing Enterprise Risk in Today's World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost- Effective Information Security Programs, written by Ross as a complement to the revised publication.

The 18-page paper provides, among other things, an eight-step framework to managing risk to IT systems.

'Managing enterprise risk is a fundamental departure from the risk avoidance approaches used by many organizations in the past,' Ross wrote. 'Risk management recognizes the need to operate in a highly complex and interconnected world using state-of-the-art information technology ' technology that enterprises depend upon to accomplish critical business functions and successfully accomplish corporate-wide missions.'

inside gcn

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group