NIST issues final draft of IT security controls

The National Institute of Standards and Technology has released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.

The agency's IT Laboratory says this third version of Special Publication 800-53 contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced as required by the Federal Information Security Management Act.

NIST released the initial draft in November 2003 and the second last September. The agency's Computer Security Division will accept comments on the current draft until Feb. 11 by e-mail at

The agency expects a final version to get Commerce Department approval by the end of February.

"SP 800-53 has special significance in that the security controls contained in the recommended baselines will form the basis for those controls that will become mandatory in December 2005," NIST said in releasing the publication. "At that time, FIPS 200, Minimum Security Controls for Federal Information Systems, will take effect and be applicable to all federal information systems other than national security systems."

The controls include management, operational and technical safeguards and countermeasures intended to ensure the confidentiality, integrity and availability of government systems. They establish baseline sets of controls for low-, moderate- and high-risk systems.

Changes in the current draft include:

  • The class designations management, operational and technical have been reinstated to more closely conform to the existing organization of agencies' security programs.

  • Guidance has been enhanced for evaluating public access systems and addressing scalability, with expanded risk-based considerations to provide more flexibility in establishing appropriate controls.

  • The concept of compensating security controls has been added to allow for equivalent or comparable controls not included in the publication.

  • The low baseline security controls have been adjusted to reduce the minimum controls for low-impact systems.

  • A new set of application-level security controls has been added.

About the Author

William Jackson is a Maryland-based freelance writer.
