NIST Seeks Comments on Security Control Catalog for Federal Information Systems and Organizations

Computer scientists at the National Institute of Standards and Technology (NIST) are requesting comments from interested parties on their biennial update of the catalog of security controls for the federal government. The security control catalog provides a comprehensive set of management, operational and technical safeguards—protective measures—that can be used by federal agencies to help protect federal information systems. The deadline for comment submission is April 29, 2011.

The publication being updated is Recommended Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53). SP 800-53 is one of the key Federal Information Security Management Act (FISMA) publications that federal agencies and their contractors have relied on for the past five years to help achieve more secure information systems.

SP 800-53 is also one of the five foundational publications included in the Joint Task Force Transformation Initiative—a federal cyber security partnership made up of the Department of Defense, the Intelligence Community and NIST—to develop a unified information security and risk management framework for the federal government. For the first time since the document's original publication in 2005 and its major updates in 2006 and 2009, NIST is seeking public input prior to developing its updated cyber security guidance.

"To keep pace with the growing threat brought about by an increasing number of cyber attacks against federal information systems, NIST is committed to producing a comprehensive catalog of cutting-edge safeguards and countermeasures that are necessary to help protect the core missions and business functions of the federal government," says Joint Task Force Leader and NIST Fellow Ron Ross.

The 2011 initiative will include an update of current security controls, control enhancements and supplemental guidance as well as new tailoring and supplementation guidance that form key elements of the control selection process. Key focus areas for the update for which input is requested include, but are not limited to:

• insider threats;
• software application security (including web applications);
• social networking, mobiles devices, and cloud computing;
• cross domain solutions;
• advanced persistent threats;
• supply chain security;
• industrial/process control systems; and
• privacy.

Suggestions should be sent to sec-cert [at] nist.gov (sec-cert[at]nist[dot]gov) by April 29, 2011. The current version of SP 800-53 Revision 3 can be downloaded from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.