NIST issues revised security controls guide

Published 13 June 2007

Making sure information systems are secure is a daunting challenge; NIST’s revised — and hefty — guide would help IT managers cope

Federal information systems are typically complex, and providing strong security for them is a challenge. The National Institute of Standards and Technology (NIST) is offering help here by releasing a new version of a draft guide for assessing the effectiveness of security controls in federal information systems, aiming to make the challenge just a bit less daunting. The content of the new guide is expected to be incorporated into automated tools that support the information security programs of federal agencies.

The lengthy guide — it comes in at 387 pages — was issued to assist information system owners and security managers in making sure that the various computer security controls implemented at their organizations work as intended to protect information systems from compromise.

The guide is a companion document to NIST Special Publication 800-53, Minimum Security Controls for Federal Information Systems, which spells out the types of security controls such as user authentication, spam protection, cryptography and transmission confidentiality that must be used to protect federal information systems. The Federal Information Security Management Act (FISMA) of 2002 instructs NIST to prepare minimum computer security requirements for all federal information systems other than national security systems.

NIST wants to hear from you, and will accept comments on the draft document through 31 July 2007.

Note these changes in the new draft relative to the old version:

* assessment procedures that focus on meeting stated objectives

* tailoring assessments to whether a security breach would produce low, moderate or high impacts

* elimination of redundancies in previous procedures

* new guidelines for establishing policies and procedures, identifying roles and responsibilities of security managers and assessors, conducting penetration testing, and several other areas