NIST details minimum security controls

Recommended Security Controls for Federal Information Systems

Guidelines for setting computer security controls to protect federal information systems are described in a new publication from the National Institute of Standards and Technology. NIST officials said the document forms the basis for security controls that will become mandatory in December 2005.

The 88-page publication, known as Special Publication 800-53, spells out the minimum security controls that federal agency officials must use to comply with the statutory requirements of the Federal Information Security Management Act of 2002, which applies to all federal information systems that are not national security systems. The document, which NIST officials released late last month, is the second version of a draft that NIST officials revised after receiving public comments.

The latest document, still not considered final, will be available until Nov. 30 for the public to review and submit additional suggestions for revision. NIST officials said they are especially interested in receiving comments about the cost and potential impact that the recommended computer security controls could have on federal agencies.

The document describes not only technical controls, such as intrusion-detection tools, but also a multitude of recommended management and operational controls for safeguarding the confidentiality, integrity and availability of federal information and the systems that provide that information.

Recommended controls vary, depending on the importance of a particular information system to an agency's mission. But the list is extensive and includes 17 categories of security controls. Among them are access and audit controls, configuration management, user identification and authentication, and media protection.

The guidelines suggest that minimum security controls required for broad classes of information systems, whether they are classified as high, moderate or low-risk, can be centrally managed and the costs amortized across multiple systems.
