New NIST publication
August 1, 2009 at 10:51 am #76985
NIST Releases Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
July 31, 2009
NIST announces the final publication of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. In addition to the expansion of the security control catalog, Special Publication 800-53, Revision 3 contains significant changes including:
* A simplified, six-step Risk Management Framework;
* Additional security controls and control enhancements for advanced cyber threats;
* Recommendations for prioritizing or sequencing security controls during implementation or deployment;
* Revised security control structure with a new references section;
* Elimination of security requirements from Supplemental Guidance sections;
* Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services;
* Updates to security control baselines consistent with current threat information and known cyber attacks;
* Organization-level security controls for managing information security programs;
* Guidance on the management of common controls within organizations; and
* Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.
The important changes described in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. Following the final publication of Special Publication 800-53, Revision 3, the collaborative work between the national security and non national security communities will continue with updates to other key publications such as:
* NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Information Systems;
* NIST Special Publication 800-39, Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View;
* NIST Special Publication 800-30, Guide for Conducting Risk Assessments; and
* NIST Special Publication 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations.
The schedule for the development of all key FISMA-related publications based on new milestones established among the participating partners in the Joint Task Force Transformation Initiative can be found at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.
August 3, 2009 at 3:02 pm #76990
Kevin R Winegardner (Participant)
Hey Henry, what is your take on the new family that was added in rev 3 regarding managing information system security programs? I am appreciating the recognition of the various elements that are required to have a comprehensive IS security program.
August 3, 2009 at 3:21 pm #76988
On FIRST blush (with general concurrence with the security team at my current agency), it is going to PERHAPS MAYBE require more dedication (and/or additional workforce) to the security process. We are still trying to study the details closely to determine the actual requirements.
Suspect that I am not alone in that; what with the workload, not a lot of time was spent taking on the drafts (I understand that there have been at least 3 draft versions).