NIST moves a step closer to a unified security framework

The latest draft of this revision of Special Publication 800-53 contains security controls for national security as well as other IT systems, and was developed in conjunction with the military and intelligence communities.

The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.

The controls are included in the final draft version of Special Publication 800-53, Revision 3, titled “Recommended Security Controls for Federal Information Systems and Organizations,” released yesterday.

NIST called the document, which is expected to be finalized July 1, historic.

“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national-security systems,” NIST said. “The updated security control catalog incorporates best practices in information security from the United States Department of Defense, intelligence community and civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.”

SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act. This revision is the first major update of these guidelines since its initial publication in December 2005. This document specifies the baseline security controls needed to meet the mandatory requirements of Federal Information Processing Standard  (FIPS) 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” and FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”

The controls specified in SP 800-53 are regularly updated, and this version represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems identified as national security systems.

“NIST handles the non-national-security side of the house,” said Ron Ross, who is NIST’s FISMA implementation lead.

The military and intelligence communities in the past issued their own requirements and recommendations for national security systems, and until recently there has been little coordination between the two sides. But for the past two years, NIST has been cooperating with the Defense Department and the Office of the Director of National Intelligence on the Committee on National Security Systems to bring the various communities closer together, improve overall security and reduce duplicate efforts.

“A common foundation for information security will provide the intelligence, defense, and civil sectors of the federal government and their support contractors, more uniform and consistent ways to manage the risk to organizational operations and assets, individuals, other organizations, and the nation that results from the operation and use of information systems,” the document says. “NIST is also working with public- and private-sector entities to establish specific mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission 27001, Information Security Management System.”

Other significant changes in this revision of SP 800-53 include:

  • A simplified, six-step Risk Management Framework.
  • Additional security controls and control enhancements for advanced cyber threats.
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment.
  • Revised security control structure with a new references section to list applicable federal laws, executive orders, directives, policies, standards and guidelines related to a control.
  • Elimination of security requirements from Supplemental Guidance sections.
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services.
  • Updates to security control baselines consistent with current threat information and known cyber attacks.
  • Removal of the FIPS 199 security control baseline allocation bar resident with each control.
  • Organization-level security controls for managing information security programs.
  • Guidance on the management of common controls within organizations.
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

Comments on the final draft of the publication will be accepted until June 30, 2009, and should be sent to