[ISN] NIST issues final draft of IT security controls
isn at c4i.org
Tue Feb 1 04:01:00 EST 2005
By William Jackson
The National Institute of Standards and Technology has released the
final public draft of recommended security controls for federal
systems, a fine-tuned version of a document that will become a
mandatory Federal Information Processing Standard by the end of the
The agency's IT Laboratory says this third version of Special
Publication 800-53  contains modest changes based on more than 400
responses to earlier releases. It is one of seven NIST publications
being produced as required by the Federal Information Security
NIST released the initial draft in November 2003 and the second last
September. Comments on the current draft can be e-mailed  to the
agency's Computer Security Division until Feb. 11.
The agency expects a final version to get Commerce Department approval
by the end of February.
"SP 800-53 has special significance in that the security controls
contained in the recommended baselines will form the basis for those
controls that will become mandatory in December 2005," NIST said in
releasing the publication. "At that time, FIPS 200, Minimum Security
Controls for Federal Information Systems, will take effect and be
applicable to all federal information systems other than national
The controls include management, operational and technical safeguards,
and countermeasures that ensure the confidentiality, integrity and
availability of government systems. They create baseline
configurations for low, moderate and high risk systems.
Changes in the current draft include:
* The class designations management, operational and technical have
been reinstated to more closely conform to the existing organization
of agencies. security programs.
* Guidance has been enhanced for evaluating public access systems and
addressing scalability, with expanded risk-based considerations to
provide more flexibility in establishing appropriate controls.
* The concept of compensating security controls has been added to
allow for equivalent or comparable controls not included in the
* The low baseline security controls have been adjusted to reduce the
minimum controls for low-impact systems.
* A new set of application-level security controls has been added.
 sec-cert [at] nist.gov
More information about the ISN