The National Institute of Standards and Technology (NIST) has issued for public comment a draft update of its primary guide to assessing the security and privacy controls that safeguard federal information systems and networks. Public comments are due by Sept. 26, 2014.
NIST publishes two complementary publications that together provide its basic guidance and recommendations for ensuring data security and privacy protection in federal information systems and organizations, a role assigned to NIST under the Federal Information Security Management Act (FISMA). The publications are so famous they are generally known just by their numbers.
The first, Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53), is an encyclopedic catalog, organized by function, of available methods or "controls" that can be established to safeguard an information system no matter how small or large. The fourth revision of SP 800-53 was issued in April 2013.*
The new updated guide is the companion work, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (SP 800-53A). If SP 800-53 is all about planning for appropriate controls to safeguard an information system, SP 800-53A is a methodology for determining how well you did. The draft revision of the assessment guide has been updated to keep it aligned with SP 800-53.
The guide, updated from the 2010 version of the document and reflecting current and future needs of federal agencies, provides new assessment procedures for the security controls in SP 800-53 and a new appendix for the assessment procedures currently under development for the privacy controls.
"We have made some significant changes to our security control assessment guidelines to support continuous monitoring and ongoing authorization" says Ron Ross, NIST Fellow and Joint Task Force Project Leader. "These changes can lead to greater efficiencies and cost-effective testing and evaluation of our critical information systems and supporting infrastructure."
The guide gives organizations flexibility to define specific parts of security and privacy goals that require more scrutiny, tailor the scope and effort level required for assessments, assign assessment and monitoring frequencies on a more targeted basis, and conduct assessments of security or privacy capabilities.
"It also provides critical information to support root-cause failure analysis and initiatives such as the Department of Homeland Security's Continuous Diagnostics and Mitigation program," Ross adds.
The draft publication offers new naming conventions in a more structured format and syntax for assessment procedures that will aid industry as it develops automated assessment tools. Other improvements grew out of lessons learned from agencies using the Risk Management Framework.
"We have also begun the very important task of integrating privacy control assessments into the traditional security assessment guideline, anticipating the addition of privacy assessment procedures into the NIST publications soon," Ross says.
This Joint Task Force publication is written for federal agencies and contractors, the Department of Defense and the Intelligence community.
The initial public draft of Assessing the Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Assessment Plans is available at http://csrc.nist.gov/publications/PubsDrafts.html#800-53ar4. Public comments are requested by Sept. 26, 2014, and can be sent to sec-cert [at] nist.gov (subject: Comments%20Draft%20SP%20800-53Arev4) (sec-cert[at]nist[dot]gov).
* See "NIST Issues Major Revision of Core Computer Security Guide: SP 800-53."