NIST issues final draft of IT security controls

The National Institute of Standards and Technology has released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.

The agency's IT Laboratory says this third version of Special Publication 800-53 contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced as required by the Federal Information Security Management Act.

NIST released the initial draft in November 2003 and the second last September. The agency's Computer Security Division will accept comments on the current draft until Feb. 11 by e-mail at sec-cert@nist.gov.

The agency expects a final version to get Commerce Department approval by the end of February.

"SP 800-53 has special significance in that the security controls contained in the recommended baselines will form the basis for those controls that will become mandatory in December 2005," NIST said in releasing the publication. "At that time, FIPS 200, Minimum Security Controls for Federal Information Systems, will take effect and be applicable to all federal information systems other than national security systems."

The controls include management, operational and technical safeguards, and countermeasures that ensure the confidentiality, integrity and availability of government systems. They create baseline configurations for low-, moderate- and high-risk systems.

Changes in the current draft include:

  • The class designations (management, operational and technical) have been reinstated to more closely conform to the existing organization of agencies' security programs.
  • Guidance has been enhanced for evaluating public access systems and addressing scalability, with expanded risk-based considerations to provide more flexibility in establishing appropriate controls.
  • The concept of compensating security controls has been added to allow for equivalent or comparable controls not included in the publication.
  • The low baseline security controls have been adjusted to reduce the minimum controls for low-impact systems.
  • A new set of application-level security controls has been added.