DRAFT Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft)

Editor’s Note:  The draft of SP-800-53 Rev. 4 is attached below.  Comments are due: April 6, 2012

From: NIST

NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements;
  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance;
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls.

Many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT). In most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as “cloud” or “mobile computing” controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches. The breadth and depth of the security and privacy controls in the control catalog must be sufficiently robust to protect the wide range of information and information systems supporting the critical missions and business functions of the federal government—from the Department of Homeland Security, to the DoD warfighters, to the Federal Aviation Administration, to the Social Security Administration. As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs, depends first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, cyber security programs—capable of addressing the most sophisticated of threats on the horizon.
 
Public comment period: February 28th through April 6th, 2012.
 
Public comment period: February 28th through April 6th, 2012. This will be the only comment period. Publication of the final document is anticipated in July 2012. Comments can be sent to: sec-cert@nist.gov.
 
To support the public review process, NIST will publish a markup version of Appendices D, F and G. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or the other appendices.NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements;
  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance;
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls.

Many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT). In most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as “cloud” or “mobile computing” controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches. The breadth and depth of the security and privacy controls in the control catalog must be sufficiently robust to protect the wide range of information and information systems supporting the critical missions and business functions of the federal government—from the Department of Homeland Security, to the DoD warfighters, to the Federal Aviation Administration, to the Social Security Administration. As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs, depends first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, cyber security programs—capable of addressing the most sophisticated of threats on the horizon.
 
Public comment period: February 28th through April 6th, 2012.
 
Public comment period: February 28th through April 6th, 2012. This will be the only comment period. Publication of the final document is anticipated in July 2012. Comments can be sent to: sec-cert@nist.gov.
 
To support the public review process, NIST will publish a markup version of Appendices D, F and G. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or the other appendices.

sp800-53-rev4-ipd

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published.

Please Answer: *