NIST updates recommendations for IT security controls
Draft release of FISMA guidance reflects changes in the threat environment and efforts to establish a common security baseline for IT systems across government
- By William Jackson
- Feb 06, 2009
The National Institute of Standards and Technology has released an initial draft for public comment of a revised version of its Recommended Security Controls for Federal Information Systems and Organizations.
Although this is Revision 3 of Special Publication (SP) 800-53, NIST calls it the first major update of the guidelines since its initial publication in December 2005. NIST tries to revisit its security guidance every two years and update them as needed, said senior computer scientist Ron Ross. But revising a 200-plus-page comprehensive set of recommendations is expensive and time-consuming.
“We don’t want to undertake it unnecessarily,” Ross said. “But the threat environment has changed quite a bit and we’ve learned a lot in that time from the agencies in their implementation of the controls. All of this made a compelling need to do an update.”
SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act (FISMA). It is intended to answer these questions:
- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
- Have the selected security controls been implemented or is there a realistic plan for their implementation?
- What is the desired or required level of assurance (i.e. grounds for confidence) that the selected security controls, as implemented, are effective in their applications?
This update also is part of an effort to harmonize security requirements across government. NIST guidance typically does not apply to government information systems identified as national-security systems.
“NIST handles the non-national security side of the house,” said Ross, who is NIST’s FISMA implementation lead. The military and intelligence communities issue their own requirements and recommendations for national security systems, and until recently there has been little coordination between the two sides.
For two years, NIST has been cooperating with the Defense Department and the Office of the Director of National Intelligence on the Committee on National Security Systems, which is trying to bring both sides closer together.
“Everything we are doing now is being transferred to CNSS,” Ross said. The goal is a single set of foundational documents for both sides of the house, to which additional controls can be added for national security systems as needed. “That has huge cost-savings potential,” in addition to improving security, he said.
The document also is an effort to bridge the gap between government and nongovernmental systems. Recommendations in SP 800-53 now are mapped to international standards in ISO/IEC 2701, which many contractors are using, Ross said.
“We’re trying to show compatibility between the two documents,” he said.
Among the changes in the document are a new family of program management controls on issues that do not apply to specific information systems, but which an agency should consider in areas such as capital planning and budget, risk management and the Federal Enterprise Architecture. This allows the recommendations to cover the entire spectrum of managing information systems, from the systems level to operations to the enterprise.
Privacy-related material, originally scheduled to be included in this revision of SP 800-53, will undergo a separate public review process in the near future and be incorporated into this publication when completed.
Specific changes in this revision of SP 800-53 include:
- Restructuring security controls to include specific requirements previously stated in Supplemental Guidance.
- Adjusting security control/control enhancement allocations to security control baselines.
- Eliminating security controls and control enhancements that are redundant or no longer needed.
- Incorporating the revised, simplified, six-step Risk Management Framework.
- Strengthening selected security controls by adding new security control enhancements.
- Adding security program management controls that affect organizations, at large, including areas such as capital planning and budgeting, enterprise architecture, and risk management.
- Providing additional guidance on the management of common controls within organizations.
- Adding security controls and control enhancements for advanced cyberthreats, including supply-chain threats.
- Introducing a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards, including an updated mapping table for security controls in ISO/IEC 27001 (Annex A).
- Updating supporting appendices including references, glossary, and acronyms.
Comments on the revised SP 800-53 should be e-mailed by March 27 to firstname.lastname@example.org.
William Jackson is a Maryland-based freelance writer.