On June 3, 2009, NIST released the Final Public Draft of SP 800-53 Rev. 3, "Recommended Security Controls for Federal Information Systems and Organizations." This will be a historic document, because it becomes the most comprehensive security control catalog available to date: NIST has taken the controls used by federal agencies and added the controls used for national security systems. In addition, NIST has been working to establish specific mappings and relationships between the security standards and guidelines developed by NIST and ISO/IEC 27001 from the International Organization for Standardization and the International Electrotechnical Commission.
"The public draft of Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems." (NIST SP 800-53 Rev. 3 Final Public Draft)
Additional noteworthy changes:
A new Risk Management Framework is introduced, with the intent of supporting enterprise-wide, near real-time risk management.
A new control family, Program Management, has been added under the Management class of controls; it provides controls for organization-wide information security programs.
The draft is open for review and public comment until June 30. The final release is expected on July 31, 2009.
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.