[ISN] NIST issues final draft of IT security controls

InfoSec News isn at c4i.org
Tue Feb 1 04:01:00 EST 2005


By William Jackson 
GCN Staff

The National Institute of Standards and Technology has released the 
final public draft of recommended security controls for federal 
systems, a fine-tuned version of a document that will become a 
mandatory Federal Information Processing Standard by the end of the 

The agency's IT Laboratory says this third version of Special
Publication 800-53 [1] contains modest changes based on more than 400
responses to earlier releases. It is one of seven NIST publications
being produced as required by the Federal Information Security
Management Act.

NIST released the initial draft in November 2003 and the second last
September. Comments on the current draft can be e-mailed [2] to the
agency's Computer Security Division until Feb. 11.

The agency expects a final version to get Commerce Department approval 
by the end of February. 

"SP 800-53 has special significance in that the security controls 
contained in the recommended baselines will form the basis for those 
controls that will become mandatory in December 2005," NIST said in 
releasing the publication. "At that time, FIPS 200, Minimum Security 
Controls for Federal Information Systems, will take effect and be 
applicable to all federal information systems other than national 
security systems."

The controls include management, operational and technical safeguards, 
and countermeasures that ensure the confidentiality, integrity and 
availability of government systems. They create baseline 
configurations for low, moderate and high risk systems. 

Changes in the current draft include: 

* The class designations management, operational and technical have 
  been reinstated to more closely conform to the existing organization 
  of agencies. security programs. 

* Guidance has been enhanced for evaluating public access systems and 
  addressing scalability, with expanded risk-based considerations to 
  provide more flexibility in establishing appropriate controls. 

* The concept of compensating security controls has been added to 
  allow for equivalent or comparable controls not included in the 

* The low baseline security controls have been adjusted to reduce the 
  minimum controls for low-impact systems. 

* A new set of application-level security controls has been added.

[1] http://csrc.nist.gov/publications/drafts/SP-800-53-FinalDraft.pdf
[2] sec-cert [at] nist.gov

More information about the ISN mailing list