Computer scientists at the National Institute of Standards and Technology (NIST) released on Nov. 3 an initial public draft of Recommended Security Controls for Federal Information Systems (NIST SP 800-53). The publication, which details controls that will become mandatory for most federal systems in 2005, is expected to have a wide audience beyond the federal government.
NIST invites public comments on the new draft guidelines for three months. The agency will hold an open, public workshop in March 2004 to share comments and discuss possible revisions to the draft.
The document is available at http://csrc.
Security controls are the management, operational and technical safeguards and countermeasures prescribed for a computer system that, taken together, adequately protect the confidentiality, integrity and availability of the system and its information. Management safeguards range from risk assessment to security planning. Operational safeguards include factors such as personnel security and basic maintenance of hardware and software. Technical safeguards include items such as audit trails and communications protection.
NIST SP 800-53 provides a method for categorizing security risk levels based upon another recent NIST document, the draft FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, also available at the Web address above.
State, local and tribal governments, as well as private-sector organizations comprising the critical infrastructure of the United States, are encouraged to review the draft guidelines and may wish to consider using them once finalized. The guidelines are applicable to all federal computer systems, except those designated as national security systems.