[ISN] NIST details minimum security controls
isn at c4i.org
Tue Oct 12 02:20:04 EDT 2004
By Florence Olsen
Oct. 11, 2004
Guidelines for setting computer security controls to protect federal
information systems are described in a new publication from the
National Institute of Standards and Technology. NIST officials said
the document forms the basis for security controls that will become
mandatory in December 2005.
The 88-page publication, known as Special Publication 800-53 ,
spells out the minimum security controls that federal agency officials
must use to comply with the statutory requirements of the Federal
Information Security Management Act of 2002, which applies to all
federal information systems that are not national security systems.
The document, which NIST officials released late last month, is the
second version of a draft that NIST officials revised after receiving
The latest document, still not considered final, will be available
until Nov. 30 for the public to review and submit additional
suggestions for revision. NIST officials said they are especially
interested in receiving comments about the cost and potential impact
that the recommended computer security controls could have on federal
The document describes not only technical controls, such as
intrusion-detection tools, but also a multitude of recommended
management and operational controls for safeguarding the
confidentiality, integrity and availability of federal information and
the systems that provide that information.
Recommended controls vary, depending on the importance of a particular
information system to an agency's mission. But the list is extensive
and includes 17 categories of security controls. Among them are access
and audit controls, configuration management, user identification and
authentication, and media protection.
The guidelines suggest that minimum security controls required for
broad classes of information systems, whether they are classified as
high, moderate or low-risk, can be centrally managed and the costs
amortized across multiple systems.
More information about the ISN