NIST to tweak mandatory security controls

NIST is accepting suggestions for minor revisions to a federal standards document describing mandatory security controls.


Federal officials say it is not too late to submit suggestions for changes in a standards document describing security controls that will become mandatory for federal information systems in 2006.

The National Institute of Standards and Technology plans to revise its Special Publication 800-53 on mandatory security controls and to publish the revised version when it releases a companion document, Federal Information Processing Standard (FIPS) 200.

The FIPS 200 document probably will not be signed by the Commerce Department’s secretary until February 2006, according to the latest FIPS 200 status update from Ronald Ross, a senior computer scientist and leader of the Federal Information Security Management Act project at NIST.

Once the secretary signs the FIPS 200 document, federal agencies will be required to use appropriate computer security controls to protect government information that could be at risk without those controls in place. The FIPS document describes those controls as measures taken to protect information confidentiality, integrity and availability.

“It's not going to be easy to put in all these controls and get them working,” Ross said, speaking at a security seminar earlier this year. But making the effort is too important to ignore, he said. “We're trying to establish a federal level of due diligence for all these systems,” he said, adding that the more important an application or system is to an agency's mission, the stronger the controls must be.

NIST officials said they will accept suggestions for minor revisions of Special Publication 800-53 through Dec. 31 at the following e-mail address: sec-cert@nist.gov.