new NIST documentation
May 7, 2010 at 9:17 pm #100121
DRAFT Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
The final draft of Special Publication 800-53A, Revision 1 provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (including updates as of 05-01-2010).
The final draft of Special Publication 800-53A, Revision 1, developed by the Joint Task Force Transformation Initiative Working Group, is part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors. This publication represents the third in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The updated security assessment guideline incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and civil agencies and includes security control assessment procedures for both national security and non-national security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment activities in all phases of the system development life cycle, including development, implementation, and operation.
Special Publication 800-53A, Revision 1, contains the following significant changes:
* Updated assessment procedures for all security controls and control enhancements in Special Publication 800-53, Revision 3 (including the Program Management family controls);
* Elimination of the Extended Assessment Procedure;
* Simplification of and common nomenclature for depth and coverage attributes;
* Elimination of the L, M, and H designators in the assessment procedures catalog, providing organizations with greater flexibility in selecting appropriate assessment methods for conducting various types of assessments (e.g., assessments supporting information system development, initial and ongoing security authorizations, and continuous monitoring).
The important changes described in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The increased flexibility in the selection of assessment methods, assessment objects, and depth and coverage attribute values empowers organizations to place the appropriate emphasis on the assessment process at every stage in the system development life cycle. For example, carrying out an increased level of assessment early in the system development life cycle can provide significant benefits by identifying weaknesses and deficiencies in the information system early and facilitate more cost-effective solutions. Alternatively, allowing organizations to customize their assessment activities during continuous monitoring can place the right emphasis on the assessment of those security controls providing the greatest return on investment. As always, communities of interest may establish certain floors or ceilings on the level of assessment activities based on mission/business needs.
Upon final publication of Special Publication 800-53A, Revision 1, NIST, in coordination with its partners in the Joint Task Force, plans to update the web-based Assessment Cases described in Appendix H, providing organizations and assessors with additional detail in conducting specific assessments of federal information systems.
NIST requests comments on the final draft publication by June 4, 2010. Comments should be submitted to [email protected].