NIST Revises Security Controls Bible: SP 800-53A, Rev. 1, Developed with DoD, Intel Community
NIST Tuesday issued SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. This latest guidance is aimed at helping agencies implement continuous monitoring of their IT systems as they move away from the traditional paper-based compliance rules under the Federal Information Security Management Act.
SP 800-53A, Revision 1, is the third in a series of publications NIST is developing in partnership with the federal intelligence community, the Defense Department and the Committee on National Security Systems, under the auspices of the Joint Task Force Transformation Initiative. It provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, which NIST released last August and updated on May 1.
According to a statement posted on the NIST website:
"The important changes in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management - that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations and the nation. The increased flexibility in the selection of assessment methods, assessment objects and depth and coverage attribute values empowers organizations to place the appropriate emphasis on the security control assessment process at every stage in the system development life cycle to include a robust continuous monitoring process.
"For example, carrying out an increased level of assessment early in the system development life cycle can provide significant benefits by identifying weaknesses and deficiencies in the information system early and facilitate more cost-effective solutions. Alternatively, allowing organizations to customize their assessment activities during continuous monitoring can place the right emphasis on the assessment of those security controls providing the greatest return on investment, adjusting to varying operational environments and threats. As always, communities of interest may establish certain floors or ceilings on the level of assessment activities based on mission/business needs."
In coordination with its partners in the Joint Task Force, NIST said it plans to update and post to the FISMA Implementation Project website assessment cases for the assessment procedures described in SP 800-53A, providing organizations and assessors with additional detail for conducting specific assessments of federal information systems. NIST will provide progress reports regarding updates to the assessment cases.