NIST extends comment period for draft assistance in assessing security controls
- By William Jackson
- Nov 18, 2008
An interagency work group led by the Justice Department is developing a set of examples to help information technology administrators meet requirements for assessing security controls on information systems, and the National Institute of Standards and Technology is seeking comment on these assessment cases.
The assessment cases
are being developed in support of Special Publication 800-53A, titled 'Guide for Assessing the Security Controls in Federal Information Systems.' An initial public draft of the cases was released in August. The comment period for this draft has been extended until Jan. 30. Comments should be sent to email@example.com
NIST said the comment period is being extended because of the large number of cases in the draft and the desire to ensure the security community's input into this collaborative effort.
Federal Information Processing Standard 200 establishes minimum security requirements under the Federal Information Systems Management Act, and agencies must select the appropriate set of controls for those requirements from NIST SP 800-53, titled 'Recommended Security Controls for Federal Information Systems.' SP 800-53A is an addendum to this publication that sets out the framework for conducting mandatory assessments of security controls required under FISMA. SP 800-53A was published in its final form
The Assessment Case Project led by DOJ includes representatives from NIST, the Energy and Transportation departments, and Office of the Director of National Intelligence Office CIO. It is intended to provide a multiagency recommendation for the specific actions an assessor might perform to obtain the evidence necessary for assessment procedures established in NIST SP 800-53A for determining the effectiveness of the security controls in their information systems.
The assessment cases are intended to provide helpful information and not to limit the flexibility of an assessor in applying his or her own judgment. The assessment cases provide examples that have worked in the past for organizations to use in developing their assessment plans.
William Jackson is a Maryland-based freelance writer.