Posted by MaXe, 8th June 2009, 16:03
Federal IT security recommendations released in final NIST draft

The National Institute of Standards and Technology has collaborated with
the military and intelligence communities to produce the first set of security
controls for all government information systems, including national security systems.

The controls are included in the final draft version of Special Publication
800-53, Revision 3, titled “Recommended Security Controls for Federal
Information Systems and Organizations,” released yesterday.

NIST called the document, which is expected to be finalized July 1, historic.
“For the first time, and as part of the ongoing initiative to develop a unified
information security framework for the federal government and its
contractors, NIST has included security controls in its catalog for both
national security and non-national-security systems,” NIST said. “The
updated security control catalog incorporates best practices in information
security from the United States Department of Defense, intelligence
community and civil agencies, to produce the most broad-based and
comprehensive set of safeguards and countermeasures ever developed for
information systems.”

SP 800-53 is part of a series of documents setting out standards,
recommendations and specifications for implementing the Federal
Information Security Management Act. This revision is the first major
update of these guidelines since its initial publication in December 2005.
This document specifies the baseline security controls needed to meet the
mandatory requirements of Federal Information Processing Standard (FIPS)
199, titled “Standards for Security Categorization of Federal Information
and Information Systems,” and FIPS 200, “Minimum Security Requirements
for Federal Information and Information Systems.”

The controls specified in SP 800-53 are regularly updated, and this version
represents an effort to harmonize security requirements across government
communities and between government and non-government systems. In the
past, NIST guidance has not applied to government information systems
identified as national security systems.
“NIST handles the non-national-security side of the house,” said Ron Ross,
who is NIST’s FISMA implementation lead.

The military and intelligence communities in the past issued their own
requirements and recommendations for national security systems, and until
recently there has been little coordination between the two sides. But for
the past two years, NIST has been cooperating with the Defense
Department and the Office of the Director of National Intelligence on the
Committee on National Security Systems to bring the various communities
closer together, improve overall security and reduce duplicate efforts.

“A common foundation for information security will provide the intelligence,
defense, and civil sectors of the federal government and their support
contractors, more uniform and consistent ways to manage the risk to
organizational operations and assets, individuals, other organizations, and
the nation that results from the operation and use of information systems,”
the document says. “NIST is also working with public- and private-sector
entities to establish specific mappings and relationships between the
security standards and guidelines developed by NIST and the International
Organization for Standardization and International Electrotechnical
Commission 27001, Information Security Management System.”

Other significant changes in this revision of SP 800-53 include:
  • A simplified, six-step Risk Management Framework.
  • Additional security controls and control enhancements for advanced cyber threats.
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment.
  • Revised security control structure with a new references section to list applicable federal laws, executive orders, directives, policies, standards and guidelines related to a control.
  • Elimination of security requirements from Supplemental Guidance sections.
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services.
  • Updates to security control baselines consistent with current threat information and known cyber attacks.
  • Removal of the FIPS 199 security control baseline allocation bar resident with each control.
  • Organization-level security controls for managing information security programs.
  • Guidance on the management of common controls within organizations.
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

Comments on the final draft of the publication will be accepted until June 30, 2009, and should be sent to sec-cert@nist.gov.

External Links:
http://csrc.nist.gov/publications/dr...-FPD-clean.pdf
Copyright ©2007 - Forever, InterN0T & Teh Unkwon
