Sunday, June 14, 2009

NIST Security Control Document Available for Review

The National Institute of Standards and Technology (NIST) has released the latest draft of its 800-53 publication on security controls. The updated document, Revision 3, part of the well-known 800 series of NIST guidelines for IT security, is available on their web site for public comment until July 1.

The document has input, as well, from both the military and intelligence communities on improving security controls for IT systems.

Here are highlights from the document of some of the updates:
  • A simplified, six-step Risk Management Framework
  • Additional security controls and control enhancements for advanced cyber threats
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment
  • Revised security control structure with a new references section to list applicable federal laws, Executive Orders, directives, policies, standards, and guidelines related to a control
  • Elimination of security requirements from Supplemental Guidance sections
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services
  • Updates to security control baselines consistent with current threat information and known cyber attacks
  • Removal of the FIPS 199 security control baseline allocation bar resident with each control
  • Organization-level security controls for managing information security programs
  • Guidance on the management of common controls within organizations
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001


Post a Comment

<< Home