December 21, 2006
For Immediate Release: December 21, 2006
The National Institute of Standards and Technology (NIST) has issued a revised version of Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53). First issued in February 2005, SP 800-53 is one of the key standards and guidelines developed by NIST to help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA).
The publication recommends management, operational and technical controls needed to protect the confidentiality, integrity and availability of federal information systems. The controls are organized into 17 families, including risk assessment, contingency planning, access control and incident response. The changes focus on clarifying the security controls, eliminating redundancies and expanding supplemental guidance. Specific changes include: expanded information on the media protection family to address powerful, highly mobile processing and storage devices; new concepts to promote more cost-effective assessments, extend the life of security accreditations over time and reduce the paperwork associated with reaccreditations; and a more thorough discussion of the implications and risks of using external information system services and service providers.
The changes reflect the first of what will be a biennial review and update cycle for SP 800-53. The document is available at http://csrc.nist.gov/publications/nistpubs/index.html.