Federal agencies will asked to implement no fewer than 17 minimum controls on each of their major applications and general support systems.
NIST SP 800-53 database application
Federal agencies will soon be required to put minimum security controls on their computer systems as part of an intensive governmentwide effort to bring all agencies into compliance with the Federal Information Security Management Act.
Federal agencies will asked to implement no fewer than 17 minimum controls on each of their major applications and general support systems, said Ron Ross, project leader for the FISMA Implementation Project at the National Institute of Standards and Technology. The more important application or system is to the agency, the stronger the controls must be, he said.
"It's not going to be easy to put in all these controls and get them working," Ross said, speaking today at an information security training workshop sponsored by the nonprofit Potomac Forum in Washington, D.C. Ross said making the effort is too important to ignore. "We're trying to establish a federal level of due diligence for all these systems," he said.
A draft version of the document that mandates the minimum security controls will be released in two or three weeks, Ross said. After the Commerce Department secretary signs a final version of that document, Federal Information Processing Standard (FIPS) 200, the security controls will become mandatory beginning in January 2006.
Federal agencies then will have a year to add the security controls to their existing systems, said Marianne Swanson, senior adviser for information security at NIST. But the controls are mandatory immediately in January for any new systems that agencies acquire, she said.
Ross said the FIPS 200 document will be closely linked to a 122-page NIST document, Special Publication 880-53: Recommended Security Controls for Federal Information Systems, which NIST will update as technology changes.
Ross also announced at the training workshop that NIST has assigned a unique number and name to each security control in the 122-page document to help make the job of implementing security controls easier.
NIST developers have also created a database for managing security controls information, he said. The database is free for downloading from the NIST Web site.
NEXT STORY: GSA considers one schedule