Prepare for controls

NIST SP 800-53 database application

Federal agencies will soon be required to put minimum security controls on their computer systems as part of an intensive governmentwide effort to bring all agencies into compliance with the Federal Information Security Management Act.

Federal agencies will asked to implement no fewer than 17 minimum controls on each of their major applications and general support systems, said Ron Ross, project leader for the FISMA Implementation Project at the National Institute of Standards and Technology. The more important application or system is to the agency, the stronger the controls must be, he said.

"It's not going to be easy to put in all these controls and get them working," Ross said, speaking today at an information security training workshop sponsored by the nonprofit Potomac Forum in Washington, D.C. Ross said making the effort is too important to ignore. "We're trying to establish a federal level of due diligence for all these systems," he said.

A draft version of the document that mandates the minimum security controls will be released in two or three weeks, Ross said. After the Commerce Department secretary signs a final version of that document, Federal Information Processing Standard (FIPS) 200, the security controls will become mandatory beginning in January 2006.

Federal agencies then will have a year to add the security controls to their existing systems, said Marianne Swanson, senior adviser for information security at NIST. But the controls are mandatory immediately in January for any new systems that agencies acquire, she said.

Ross said the FIPS 200 document will be closely linked to a 122-page NIST document, Special Publication 880-53: Recommended Security Controls for Federal Information Systems, which NIST will update as technology changes.

Ross also announced at the training workshop that NIST has assigned a unique number and name to each security control in the 122-page document to help make the job of implementing security controls easier.

NIST developers have also created a database for managing security controls information, he said. The database is free for downloading from the NIST Web site.


  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

Stay Connected