The National Institute of Standards and Technology (NIST), in partnership with the Department of Defense (DOD), the Intelligence Community (IC), and the Committee on National Security Systems (CNSS), has released the first installment of a three-year effort to build a unified information security framework for the entire federal government. Historically, information systems at civilian agencies have operated under different security controls than military and intelligence information systems. This installment is titled NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.
"The common security control catalog is a critical step that effectively marshals our resources," says Ron Ross, NIST project leader for the joint task force. "It also focuses our security initiatives to operate effectively in the face of changing threats and vulnerabilities. The unified framework standardizes the information security process that will also produce significant cost savings through standardized risk management policies, procedures, technologies, tools and techniques."
This publication is a revised version of the security control catalog that was previously published in response to the Federal Information Security Management Act (FISMA) of 2002. This special publication contains the catalog of security controls and technical guidelines that federal agencies use to protect their information and technology infrastructure.
When complete, the unified framework will result in the defense, intelligence and civil communities using a common strategy to protect critical federal information systems and associated infrastructure. This ongoing effort is consistent with President Obama's call for "integrating all cybersecurity policies for the government" in his May 29 speech on securing the U.S. cybersecurity infrastructure.
The revised security control catalog in SP 800-53 provides the most state-of-the-practice set of safeguards and countermeasures for information systems ever developed. The updated security controls—many addressing advanced cyber threats—were developed by a joint task force that included NIST, DOD, the IC and the CNSS, drawing on databases of known cyber attacks and threat information.
Additional updates to key NIST publications that will serve the entire federal government are under way. These will include the newly revised SP 800-37, which will transform the current certification and accreditation process into a near real-time risk management process that focuses on monitoring the security state of federal information systems, and SP 800-39, which is an enterprise-wide risk management guideline that will expand the risk management process.
NIST Special Publication 800-53, Revision 3, is open for public comment through July 1, 2009. The document is available online at http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3. Comments should be sent to sec-cert [at] nist.gov.