NIST revises guidance on security, privacy assessments

By GCN Staff

The National Institute of Standards and Technology has revised Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. This fourth revision contains significant changes to the 2010 version of the publication in content and format, according to NIST.

The publication is intended to provide guidelines for building security and privacy assessment plans as well as a comprehensive set of procedures for assessing security and privacy controls used in information systems and organizations.

The guidelines have been developed to help achieve more secure information systems within the federal government by:

  • Enabling more consistent, comparable and repeatable assessments.
  • Promoting a better understanding of risks resulting from the operation and use of federal information systems.
  • Facilitating more cost-effective assessments of security and privacy controls.
  • Creating more complete, reliable and trustworthy information to support risk management decisions, reciprocity of assessment results, information sharing, and compliance with federal laws and policies.

Based on feedback from federal agencies that have conducted assessments as part of the Risk Management Framework process, NIST made improvements to the existing security assessment procedures, including:

  • Clarification of terminology.
  • Expansion of the number of potential assessment methods and objects on a per-control basis.
  • A simpler decomposition of assessment objects to align more closely with security control statements.

NIST said the changes should significantly improve the efficiency and cost-effectiveness of control assessments for federal agencies. The resulting assessment information should give senior leaders what they need to understand the security and privacy posture of their organizations and to make credible, risk-based information security and privacy decisions.

Posted by GCN Staff on Dec 16, 2014 at 9:11 AM
