Security Guidance on Social Media

NIST has posted for public comment a draft of NIST Special Publication 800-53 (Revision 3), Recommended Security Controls for Federal Information Systems and Organizations. This revision is the first major update of NIST Special Publication 800-53 since December 2005. The proposed control PL-4 in the draft contains a control enhancement that applies to posting on social networking sites.

I extracted the following draft recommendation from Appendix F applicable to low impact, moderate impact and high impact government information systems. [“Organization” refers to a Federal government agency]:

“Control: The organization:

a. Establishes and makes readily available to all information system users, a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage; and,

b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.

Supplemental Guidance: Electronic signatures are acceptable for use in acknowledging rules of behavior unless specifically prohibited by organizational policy. NIST Special Publication 800-18 provides guidance on preparing rules of behavior. Related control: PS-6.

Control Enhancements:
(1) The organization includes in the rules of behavior, explicit restrictions on the use of social networking sites, posting information on commercial web sites, and sharing information system account information.”

NIST’s Information Technology Laboratory is accepting public comment on the draft standards in SP 800-53 until March 27, 2009. Comments can be submitted electronically to: [email protected].


David Harrity

Allan, thank you for the post. I reviewed the public draft and one thing to note is that this is listed as a Control Enhancement. Per NIST Special Publication guidelines, control enhancements must be performed when specifically called out in the associated table listed below.


The draft PL-4 currently does not list this control enhancement as a requirement and leaves it to the agency to determine whether or not to (internally) require PL-4(1). If NIST requires it, then it would be written as (for example):

HIGH PL-4 (1)

Allan Eustis

Good catch. The way PL4 is currently listed, I assumed it applied to low, moderate and high impact IT systems. There is no introductory descriptive text in the draft SP that indicates the format for applicability.