NIST logo

Comments Sought on Updated Guide for Assessing Federal IT Security Controls

For Immediate Release: May 11, 2010

*

Contact: Evelyn Brown
301-975-5661

The National Institute of Standards and Technology (NIST) has issued the final draft of Special Publication 800-53A, Revision 1, Guide for Assessing Security Controls in Federal Information Systems and Organizations, and is seeking public comments. The publication provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with the recently revised foundational Federal Information Security Management Act (FISMA) publication, NIST Special Publication 800-53, Revision 3.

NIST has been working with its partners in the Joint Task Force Transformation Initiative Working Group—the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD) and the Committee on National Security Systems (CNSS)—for three years to develop a unified information security framework for the federal government and its contractors. The first publication developed by the Joint Task Force was SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, which was published in August 2009.

The final draft of SP 800-53A, Revision 1, is the third in the series of new joint publications and incorporates best practices in information security from the organizations in the Joint Task Force. The guideline includes security control assessment procedures for both national security and non-national security systems and is intended to support a variety of assessment activities in all phases of the system development life cycle, including development, implementation and operation.

SP 800-53A, Revision 1, updates assessment procedures for all security controls and control enhancements in SP 800-53, Revision 3, including the Program Management family controls. The update also eliminates the Extended Assessment Procedure, simplifies the common nomenclature for depth and coverage attributes, and eliminates the L, M and H designators (used to indicate low-, moderate- and high-impact information systems) in the assessment procedures catalog. These simplifications will provide organizations with greater flexibility in selecting appropriate assessment methods, such as those supporting information system developments, initial and ongoing security authorizations, and continuous monitoring.

“Changes in SP 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management,” explains FISMA Implementation Project Leader Ron Ross. “Achieving the objective of near real-time risk management means that organizations must have the flexibility to tailor their assessment activities based on where the information system is in its life cycle, from initial development to continuous monitoring in operational environments.”

The increased flexibility in the revised publication empowers organizations to place the appropriate emphasis on the assessment process throughout the system development life cycle. Organizations can both increase the level of assessment in the beginning of system development to identify weaknesses and deficiencies early and promote cost-effective solutions and customize assessment activities during continuous monitoring to emphasize assessing security controls that provide the greatest return on investment.

The public is encouraged to read SP 800-53A, Revision 1, available at http://csrc.nist.gov/publications/PubsDrafts.html#800-53A-rev1, and to submit comments to sec-cert@nist.gov by June 4, 2010.