NIST Seeks Comments on Security Controls Guide
Assessing the Security Controls in Federal Information Systems, Organizations
The final draft of SP 800-53A, Revision 1 - Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is the third in the series of publications and incorporates best practices in information security. The guideline includes security control assessment procedures for national security and non-national security systems and is intended to support a variety of assessment activities in all phases of the system development life cycle, including development, implementation and operation.
NIST FISMA Implementation Project Leader Ron Ross said in a statement that changes in the final draft are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management. "Achieving the objective of near real-time risk management means that organizations must have the flexibility to tailor their assessment activities based on where the information system is in its life cycle, from initial development to continuous monitoring in operational environments," Ross said.
SP 800-53A, Revision 1, updates assessment procedures for all security controls and control enhancements in SP 800-53, Revision 3, including the program management family controls. The update also eliminates the extended assessment procedure, simplifies the common nomenclature for depth and coverage attributes, and eliminates the L, M and H designators (used to indicate low-, moderate- and high-impact information systems) in the assessment procedures catalogue. NIST contends these simplifications will provide organizations with greater flexibility in selecting appropriate assessment methods, such as those supporting information system developments, initial and ongoing security authorizations, and continuous monitoring.
Ross said the increased flexibility in the revised publication empowers organizations to place the appropriate emphasis on the assessment process throughout the system development life cycle. Organizations can increase the level of assessment at the beginning of system development to identify weaknesses and deficiencies early and promote cost-effective solutions, and can customize assessment activities during continuous monitoring to emphasize assessing security controls that provide the greatest return on investment, he said.
NIST encourages the public to read SP 800-53A, Revision 1, and to submit comments to firstname.lastname@example.org by June 4.
NIST has been working with its partners in the Joint Task Force Transformation Initiative Working Group - the Office of the Director of National Intelligence, the Department of Defense and the Committee on National Security Systems - for three years to develop a unified information security framework for the federal government and its contractors. The first publication developed by the Joint Task Force was SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, which was published last August.