After a public comment period, the National Institute of Standards and Technology (NIST) has published an updated set of guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with the Federal Information Security Management Act (FISMA).
The revised Guide for Assessing Security Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A, Revision 1) reflects the third and most recent revision of Recommended Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 3), one of the principal documents for FISMA implementation. Changes in the guide are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management. The guideline includes security control assessment procedures for both national security and non-national security systems and is intended to support a variety of assessment activities in all phases of the system development life cycle, including development, implementation and operation.
This new publication is the third in a series of special publications that NIST has produced with its partners in the Joint Task Force Transformation Initiative Working Group—the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD) and the Committee on National Security Systems (CNSS). The Joint Task Force's goal is to develop a unified information security framework for the federal government and its contractors.
More details are available in the May 11, 2010, NIST Tech Beat article "Comments Sought on Updated Guide for Assessing Federal IT Security Controls" at http://www.nist.gov/public_affairs/techbeat/tb2010_0511.htm#security. SP 800-53A, Revision 1, can be downloaded in PDF format from http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.