Prepare for controls

NIST SP 800-53 database application

Federal agencies will soon be required to put minimum security controls on their computer systems as part of an intensive governmentwide effort to bring all agencies into compliance with the Federal Information Security Management Act.

Federal agencies will asked to implement no fewer than 17 minimum controls on each of their major applications and general support systems, said Ron Ross, project leader for the FISMA Implementation Project at the National Institute of Standards and Technology. The more important application or system is to the agency, the stronger the controls must be, he said.

"It's not going to be easy to put in all these controls and get them working," Ross said, speaking today at an information security training workshop sponsored by the nonprofit Potomac Forum in Washington, D.C. Ross said making the effort is too important to ignore. "We're trying to establish a federal level of due diligence for all these systems," he said.

A draft version of the document that mandates the minimum security controls will be released in two or three weeks, Ross said. After the Commerce Department secretary signs a final version of that document, Federal Information Processing Standard (FIPS) 200, the security controls will become mandatory beginning in January 2006.

Federal agencies then will have a year to add the security controls to their existing systems, said Marianne Swanson, senior adviser for information security at NIST. But the controls are mandatory immediately in January for any new systems that agencies acquire, she said.

Ross said the FIPS 200 document will be closely linked to a 122-page NIST document, Special Publication 880-53: Recommended Security Controls for Federal Information Systems, which NIST will update as technology changes.

Ross also announced at the training workshop that NIST has assigned a unique number and name to each security control in the 122-page document to help make the job of implementing security controls easier.

NIST developers have also created a database for managing security controls information, he said. The database is free for downloading from the NIST Web site.


  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

  • IT Modernization
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA plans 'strategic review' of $16B software program

    New Veterans Affairs chief Denis McDonough announced a "strategic review" of the agency's Electronic Health Record Modernization program of up to 12 weeks.

Stay Connected