The National Institute of Standards and Technology (NIST) Special Publication (SP) SP 800-53 provides a unified information security framework to achieve information system security and effective risk management across the entire federal government. In the previous article in this series, Paul J. Brusil outlined the framework for risk management offered in SP 800-53. In this third of four articles about the latest revision of this landmark Special Publication from the Joint Task Force Transformation Initiative in the Computer Security Division of the Information Technology Laboratory, Brusil reviews the comprehensive repository of security controls presented in Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, which was prepared by a panel of experts drawn from throughout the U.S. government and industry. Everything that follows is Brusil's work with minor edits.
* * *
SP 800-53 establishes a comprehensive repository of security controls (documented in Appendices D, F and G). Through revisions to SP 800-53, this catalog changes over time to reflect changes in security requirements, new technologies, and evolving and emerging threats, vulnerabilities and attack strategies.
In the current Revision 3 update of SP 800-53 there are more than 200 security controls for protecting information and information systems. The controls are organized into 18 families ranging from Planning, Access Control and Awareness & Training to Configuration Management, Contingency Planning and Program Management. The first control in each family stipulates policies and procedures needed to implement the remaining security controls in the family. The security controls address security requirements specified in FIPS 199 and FIPS 200.
The cataloged security controls provide broad, state-of-the-art safeguards and contemporary countermeasures. These controls are selectively employed, under organization-specific direction, to protect information and information systems from contemporary threats and exploits during information processing, storage and transmission.
These controls range from system-independent, security program management safeguards to information-specific and information-system-specific technical and operational security safeguards and countermeasures. The security controls are policy-neutral and independent of technology or implementation. They are tailorable, so organizations can specify organization-specific security controls that meet organization-specific security requirements.
For each cataloged security control, priority code recommendations are given (in Appendix D) for prioritizing or sequencing security controls during implementation or deployment. Furthermore (in Appendix F), there are initial allocations of security controls and control enhancements for information systems of different impact levels.
There are also 11 security controls (Appendix G) targeted for protecting information security programs.
In aggregate, the program management controls (SP 800-53, Appendix G), baseline security controls (Appendix D) and families of technical, operational and management controls (SP 800-53, Appendix F) are designed to protect the confidentiality, integrity and availability of programs, systems and their data. Controls are available for mitigating advanced cyber threats consistent with current threat information and cyber attacks known as of the publication date (August 2009) of the currently revised SP 800-53.
For each cataloged security control, a list of applicable, related federal laws, Executive Orders, directives, policies, standards, and guidelines is provided to guide an organization's unique selection, implementation and assessment of security controls. The list eases compliance verification of organizationally applicable security requirements in each of the listed references, and it eases traceability of each selected security control back to the specific requirements that apply to an organization's information and information systems. The list also helps ensure that the selected security controls are no more, and no less, than what is appropriate, necessary and sufficient to meet the stated security requirements.
SP 800-53 (Appendix D) also specifies assurance requirements to be used to help establish confidence in the selected security controls. SP 800-53 specifies three, hierarchical levels of minimum assurance requirements for the security controls used in conjunction with the three levels of information system impact (low-impact, moderate-impact and high-impact). Security controls in higher impact level systems inherit all the assurance requirements of the next lower impact level. The assurance requirements stipulate actions to be taken on a control-by-control basis to increase confidence that the information