Publication Number: NIST Special Publication (SP) 800-53 ...

The attached DRAFT document (provided here for historical purposes) has been superseded by the following publication:

Publication Number: NIST Special Publication (SP) 800-53 Revision 4
Title: Security and Privacy Controls for Federal Information Systems and Organizations
Publication Date: 04/30/2013

• Final Publication:
• Information on other NIST Computer Security Division publications and programs can be found at:

The following information was posted with the attached DRAFT document:

Feb. 28, 2012
SP 800-53 Rev. 4
DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft)

NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include:

• New security controls and control enhancements;
• Clarification of security control requirements and specification language;
• New tailoring guidance including the introduction of overlays;
• Additional supplemental guidance for security controls and enhancements;
• New privacy controls and implementation guidance;
• Updated security control baselines;
• New summary tables for security controls to facilitate ease-of-use; and
• Revised minimum assurance requirements and designated assurance controls.

Many of the changes were driven by particular cyber security issues and challenges requiring greater attention, including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT). In most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as "cloud" or "mobile computing" controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches. The breadth and depth of the security and privacy controls in the control catalog must be sufficiently robust to protect the wide range of information and information systems supporting the critical missions and business functions of the federal government, from the Department of Homeland Security, to the DoD warfighters, to the Federal Aviation Administration, to the Social Security Administration. As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs depend first and foremost on the organization's ability to develop a strong information technology infrastructure: in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based cyber security programs capable of addressing the most sophisticated of threats on the horizon.

Public comment period: February 28th through April 6th, 2012. This will be the only comment period. Publication of the final document is anticipated in July 2012. Comments can be sent to: sec-cert @ .

To support the public review process, NIST will publish a markup version of Appendices D, F and G. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or the other appendices.

NIST Special Publication 800-53

Revision 4

Security and Privacy Controls

for Federal Information Systems

and Organizations

JOINT TASK FORCE

TRANSFORMATION INITIATIVE

INFORMATION SECURITY

INITIAL PUBLIC DRAFT

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Gaithersburg, MD 20899-8930

February 2012

U.S. Department of Commerce

John E. Bryson, Secretary

National Institute of Standards and Technology

Patrick D. Gallagher, Under Secretary for Standards and Technology

and Director

Special Publication 800-53

Security and Privacy Controls for Federal Information Systems and Organizations


Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
