[ISN] NIST details minimum security controls

InfoSec News isn at c4i.org
Tue Oct 12 02:20:04 EDT 2004


By Florence Olsen 
Oct. 11, 2004

Guidelines for setting computer security controls to protect federal 
information systems are described in a new publication from the 
National Institute of Standards and Technology. NIST officials said 
the document forms the basis for security controls that will become 
mandatory in December 2005. 

The 88-page publication, known as Special Publication 800-53 [1],
spells out the minimum security controls that federal agency officials
must use to comply with the statutory requirements of the Federal
Information Security Management Act of 2002, which applies to all
federal information systems that are not national security systems.  
The document, which NIST officials released late last month, is the
second version of a draft that NIST officials revised after receiving
public comments.

The latest document, still not considered final, will be available 
until Nov. 30 for the public to review and submit additional 
suggestions for revision. NIST officials said they are especially 
interested in receiving comments about the cost and potential impact 
that the recommended computer security controls could have on federal 

The document describes not only technical controls, such as 
intrusion-detection tools, but also a multitude of recommended 
management and operational controls for safeguarding the 
confidentiality, integrity and availability of federal information and 
the systems that provide that information.

Recommended controls vary, depending on the importance of a particular 
information system to an agency's mission. But the list is extensive 
and includes 17 categories of security controls. Among them are access 
and audit controls, configuration management, user identification and 
authentication, and media protection.

The guidelines also suggest that the minimum security controls required 
for broad classes of information systems, whether categorized as high-, 
moderate- or low-impact, can be implemented as common controls that are 
centrally managed, with the costs amortized across multiple systems 
rather than borne by each system separately.

[1] http://csrc.nist.gov/publications/drafts/SP800-53-Draft2nd.pdf
