Providing strong security for complex federal information systems is a challenging job. But now there’s a new version of a draft guide* for assessing the effectiveness of security of controls in federal information systems from the National Institute of Standards and Technology (NIST) that aims to make the job easier. The content of the new guide is expected to be incorporated into automated tools that support the information security programs of federal agencies.
The 387-page guide is designed to help information system owners and security managers ensure that appropriate computer security controls work as intended to protect information systems from being improperly accessed or compromised. NIST will accept comments on the draft document through July 31, 2007. Comments should be emailed to sec-cert@nist.gov or mailed to NIST at 100 Bureau Dr., M.S. 8930, Gaithersburg, Md. 20899-8930.
The guide is a companion document to NIST Special Publication 800-53, Minimum Security Controls for Federal Information Systems, which spells out the types of security controls such as user authentication, spam protection, cryptography and transmission confidentiality that must be used to protect federal information systems. The Federal Information Security Management Act (FISMA) of 2002 instructs NIST to prepare minimum computer security requirements for all federal information systems other than national security systems.
“The assessment requirements presented in this latest draft are intended to make compliance with FISMA easier, more efficient and ultimately to produce better computer and information security for the federal government,” noted NIST’s FISMA Implementation Project Leader Ron Ross.
Key changes to the document since the previous draft include:
- assessment procedures that focus on meeting stated objectives;
- tailoring assessments to whether a security breach would produce low, moderate or high impacts;
- elimination of redundancies in previous procedures; and
- new guidelines for establishing policies and procedures, identifying roles and responsibilities of security managers and assessors, conducting penetration testing, and several other areas.
The report includes a comprehensive catalog of assessment procedures matched to specific types of security controls. To download a copy, go to http://csrc.nist.gov/publications/drafts/800-53A/SP-800-53A-tpd-final-sz.pdf.
* Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans, (NIST SP 800-53A), June 2007, pp. 387.