The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.
The controls are included in the final draft version of Special Publication 800-53, Revision 3, titled “Recommended Security Controls for Federal Information Systems and Organizations,” released yesterday.
NIST called the document, which is expected to be finalized July 1, historic.
“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national-security systems,” NIST said. “The updated security control catalog incorporates best practices in information security from the United States Department of Defense, intelligence community and civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.”
SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act. This revision is the first major update of these guidelines since its initial publication in December 2005. This document specifies the baseline security controls needed to meet the mandatory requirements of Federal Information Processing Standard (FIPS) 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” and FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”
The controls specified in SP 800-53 are regularly updated, and this version represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems identified as national security systems.
“NIST handles the non-national-security side of the house,” said Ron Ross, who is NIST’s FISMA implementation lead.
The military and intelligence communities in the past issued their own requirements and recommendations for national security systems, and until recently there has been little coordination between the two sides. But for the past two years, NIST has been cooperating with the Defense Department and the Office of the Director of National Intelligence on the Committee on National Security Systems to bring the various communities closer together, improve overall security and reduce duplicate efforts.