NIST Updates Security Assessment Procedures

Tuesday, August 5, 2014 @ 08:08 PM gHale

The National Institute of Standards and Technology (NIST) issued for public comment a draft update of its primary guide to assessing the security and privacy controls that safeguard federal information systems and networks.

NIST publishes two complementary publications that provide its basic guidance and recommendations for ensuring data security and privacy protection in federal information systems and organizations, a role assigned to NIST under the Federal Information Security Management Act (FISMA).

IoT Devices Vulnerable to Attacks: Report
Spam Indicates Security Vulnerabilities
Organizations ‘More Vulnerable Than They Think’
Endpoints Need More Security: Report

The first, Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53), is an encyclopedic catalog, organized by function, of available methods or “controls” that can safeguard an information system no matter how small or large. The fourth revision of SP 800-53 came out in April 2013.

The new updated guide is the companion work, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (SP 800-53A). If SP 800-53 is all about planning for appropriate controls to safeguard an information system, SP 800-53A is a methodology for determining how well you did. The draft revision of the assessment guide just updated to keep it aligned with SP 800-53.

The guide, updated from the 2010 version of the document and reflecting current and future needs of federal agencies, provides new assessment procedures for the security controls in SP 800-53 and a new appendix for the assessment procedures currently under development for the privacy controls.

“We have made some significant changes to our security control assessment guidelines to support continuous monitoring and ongoing authorization” said Ron Ross, NIST Fellow and Joint Task Force Project Leader. “These changes can lead to greater efficiencies and cost-effective testing and evaluation of our critical information systems and supporting infrastructure.”

The guide gives organizations flexibility to define specific parts of security and privacy goals that require more scrutiny, tailor the scope and effort level required for assessments, assign assessment and monitoring frequencies on a more targeted basis, and conduct assessments of security or privacy capabilities.

“It also provides critical information to support root-cause failure analysis and initiatives such as the Department of Homeland Security’s Continuous Diagnostics and Mitigation program,” Ross adds.

The draft publication offers new naming conventions in a more structured format and syntax for assessment procedures that will aid industry as it develops automated assessment tools. Other improvements grew out of lessons learned from agencies using the Risk Management Framework.

“We have also begun the very important task of integrating privacy control assessments into the traditional security assessment guideline, anticipating the addition of privacy assessment procedures into the NIST publications soon,” Ross said.

This Joint Task Force publication is mainly for federal agencies and contractors, the Department of Defense and the Intelligence community.

Click here to view the initial public draft of Assessing the Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Assessment Plans.

Public comments
are due by Sept. 26.

Leave a Reply

You must be logged in to post a comment.