NIST Deems Special Report as 'Historic'Unifies Defense, Civilian Agencies' Guidance
Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of a continuing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for national security and non-national security systems in its latest revision, No. 3, of Special Publication 800-53.
"The important changes described (in the publication) are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the nation," Ron Ross, NIST's Federal Information Security Management Act implementation project leader, said in a message incorporated into the 220-page report.
According to the document, the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
These standardized set of management, operational and technical controls provide a common specification language for information security for federal information systems processing, storing and transmitting national security and non-national security information, NIST said, adding that the revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems.
In addition to the expansion of the security control catalog, according to NIST, the special publication details:
- A simplified, six-step risk management framework;
- Additional security controls and control enhancements for advanced cyber threats;
- Recommendations for prioritizing or sequencing security controls during implementation or deployment;
- Revised security control structure with a new references section to list applicable federal laws, executive orders, directives, policies, standards and guidelines related to a control;
- Elimination of security requirements from supplemental guidance sections;
- Guidance on using the risk management framework for legacy information systems and for external providers of information system services;
- Updates to security control baselines consistent with current threat information and known cyber attacks;
- Removal of the Federal Information Processing 199 security control baseline allocation bar resident with each control;
- Organization-level security controls for managing information security programs;
- Guidance on the management of common controls within organizations; and
- Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.
NIST is seeking feedback on this publication before issuing a final version. Comments will be accepted until July 1, and should be sent to email@example.com. NIST will post the markup version of Special Publication 800-53, Revision 3, not later than June 5. A final version of the special report is scheduled to be released on or about July 31.