NIST Calls for Comments on Draft of Federal Computer Security Controls Guidelines

Computer scientists at the Commerce Department's National Institute of Standards and Technology (NIST) today released an initial public draft of NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems (NIST SP 800-53), which explains recommended security controls for computer systems. The publication, which details controls that will become mandatory for most federal systems in 2005, is expected to have a wide audience beyond the federal government.

NIST invites public comments on the new draft guidelines for three months and will hold an open, public workshop in March 2004 to share comments and discuss possible revisions to the draft. The document is downloadable as a .pdf file at http://csrc.nist.gov/publications/drafts.html.

Security controls are the management, operational and technical safeguards and countermeasures prescribed for a computer system that, taken together, adequately protect the confidentiality, integrity and availability of a system and its information.

Management safeguards range from risk assessment to security planning. Operational safeguards include factors such as personnel security and basic hardware/software maintenance. Technical safeguards include items such as audit trails and communications protection.

NIST SP 800-53 provides a method for categorizing security risk levels based upon another recent NIST document, the draft FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (downloadable version available at the same Web address listed previously for the draft SP 800-53). The recommendations in the new NIST SP 800-53 guidelines are based on factors such as how critical is a particular information system and the potential for harm to individuals (including privacy).

State, local and tribal governments, as well as private-sector organizations comprising the critical infrastructure of the United States, are encouraged to review the draft guidelines and may wish to consider using them once finalized. They are applicable to all federal computer systems, with the exception of those designated as national security systems.

NIST SP 800-53 will serve as NIST's interim guidance to civilian federal agencies on security controls. This will allow agencies to gain practical experience with the guidelines and offer appropriate feedback to NIST. The guidelines, once modified using agency and public comments, will serve as the basis for NIST's development of Federal Information Processing Standard (FIPS) 200, Minimum Security Controls for Federal Information Systems. NIST expects to publish FIPS 200 in the fall of 2005. While NIST SP 800-53 is a guideline, FIPS 200 will be mandatory for all systems at civilian federal agencies, excluding those designated for national security.

The Federal Information Security Management Act of 2002 mandated that NIST develop the new FIPS.

As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST develops and promotes measurement, standards and technology to enhance productivity, facilitate trade and improve the quality of life.