NIST moves a step closer to a unified security framework

Final draft document includes controls for national security as well as other IT systems

The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.

The controls are included in the final draft version of Special Publication 800-53, Revision 3, titled “Recommended Security Controls for Federal Information Systems and Organizations,” released yesterday.

NIST called the document, which is expected to be finalized July 1, historic.

“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national-security systems,” NIST said. “The updated security control catalog incorporates best practices in information security from the United States Department of Defense, intelligence community and civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.”

SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act. This revision is the first major update of the guidelines since their initial publication in December 2005. The document specifies the baseline security controls needed to meet the mandatory requirements of Federal Information Processing Standard (FIPS) 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” and FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”

The controls specified in SP 800-53 are regularly updated, and this version represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems identified as national security systems.

“NIST handles the non-national-security side of the house,” said Ron Ross, who is NIST’s FISMA implementation lead.

The military and intelligence communities in the past issued their own requirements and recommendations for national security systems, and until recently there has been little coordination between the two sides. But for the past two years, NIST has been cooperating with the Defense Department and the Office of the Director of National Intelligence on the Committee on National Security Systems to bring the various communities closer together, improve overall security and reduce duplicate efforts.

“A common foundation for information security will provide the intelligence, defense, and civil sectors of the federal government and their support contractors, more uniform and consistent ways to manage the risk to organizational operations and assets, individuals, other organizations, and the nation that results from the operation and use of information systems,” the document says. “NIST is also working with public- and private-sector entities to establish specific mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization and International Electrotechnical Commission 27001, Information Security Management System.”

Other significant changes in this revision of SP 800-53 include:

  • A simplified, six-step Risk Management Framework.
  • Additional security controls and control enhancements for advanced cyber threats.
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment.
  • Revised security control structure with a new references section to list applicable federal laws, executive orders, directives, policies, standards and guidelines related to a control.
  • Elimination of security requirements from Supplemental Guidance sections.
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services.
  • Updates to security control baselines consistent with current threat information and known cyber attacks.
  • Removal of the FIPS 199 security control baseline allocation bar resident with each control.
  • Organization-level security controls for managing information security programs.
  • Guidance on the management of common controls within organizations.
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

Comments on the final draft of the publication will be accepted until June 30, 2009, and should be sent to sec-cert@nist.gov.

About the Author

William Jackson is a Maryland-based freelance writer.
