The National Institute of Standards and Technology (NIST) is requesting comments on a draft revision of Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53). Issued in February 2005, SP 800-53 is one of the key standards and guidelines developed by NIST to help federal agencies improve their security and comply with the Federal Information Security Management Act (FISMA).
The publication recommends management, operational and technical controls needed to protect the confidentiality, integrity and availability of federal information systems. The controls cover 17 security focus areas, including risk assessment, contingency planning, access control and incident response. The draft changes include new and enhanced controls and additional guidance on implementing security controls in external environments and responding to information system incidents.
These proposed changes reflect the first of what will be a biennial review and update cycle for SP 800-53. "It is important to ensure that the security controls represent the current state-of-the-practice in safeguards and countermeasures for information systems. These changes will help federal agencies and others effectively select and specify security controls for their information systems, and by using a risk-based approach, do so in a cost-effective manner," says Ron Ross, leader of NIST's FISMA implementation project.
The draft document is available at http://csrc.nist.gov/publications/PubsSPs.html. Comments on the revisions will be accepted through Aug. 25, 2006, and should be sent to NIST, Computer Security Division, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930 or via e-mail to sec-cert [at] nist.gov.