Prepare for controls

NIST SP 800-53 database application

Federal agencies will soon be required to put minimum security controls on their computer systems as part of an intensive governmentwide effort to bring all agencies into compliance with the Federal Information Security Management Act.

Federal agencies will be asked to implement no fewer than 17 minimum controls on each of their major applications and general support systems, said Ron Ross, project leader for the FISMA Implementation Project at the National Institute of Standards and Technology. The more important an application or system is to the agency, the stronger the controls must be, he said.

"It's not going to be easy to put in all these controls and get them working," Ross said, speaking today at an information security training workshop sponsored by the nonprofit Potomac Forum in Washington, D.C. Ross said making the effort is too important to ignore. "We're trying to establish a federal level of due diligence for all these systems," he said.

A draft version of the document that mandates the minimum security controls will be released in two or three weeks, Ross said. After the Commerce Department secretary signs a final version of that document, Federal Information Processing Standard (FIPS) 200, the security controls will become mandatory beginning in January 2006.

Federal agencies then will have a year to add the security controls to their existing systems, said Marianne Swanson, senior adviser for information security at NIST. But the controls are mandatory immediately in January for any new systems that agencies acquire, she said.

Ross said the FIPS 200 document will be closely linked to a 122-page NIST document, Special Publication 800-53: Recommended Security Controls for Federal Information Systems, which NIST will update as technology changes.

Ross also announced at the training workshop that NIST has assigned a unique number and name to each security control in the 122-page document to help make the job of implementing security controls easier.

NIST developers have also created a database for managing security controls information, he said. The database is free for downloading from the NIST Web site.

