NIST details minimum security controls
A publication from the National Institute of Standards and Technology spells out the minimum security controls feds must use to comply with FISMA.
Recommended Security Controls for Federal Information Systems
Guidelines for setting computer security controls to protect federal information systems are described in a new publication from the National Institute of Standards and Technology. NIST officials said the document forms the basis for security controls that will become mandatory in December 2005.
The 88-page publication, known as Special Publication 800-53, spells out the minimum security controls that federal agency officials must use to comply with the statutory requirements of the Federal Information Security Management Act of 2002, which applies to all federal information systems that are not national security systems. The document, which NIST officials released late last month, is the second version of a draft that NIST officials revised after receiving public comments.
The latest document, still not considered final, will be available until Nov. 30 for the public to review and submit additional suggestions for revision. NIST officials said they are especially interested in receiving comments about the cost and potential impact that the recommended computer security controls could have on federal agencies.
The document describes not only technical controls, such as intrusion-detection tools, but also a multitude of recommended management and operational controls for safeguarding the confidentiality, integrity and availability of federal information and the systems that provide that information.
Recommended controls vary, depending on the importance of a particular information system to an agency's mission. But the list is extensive and includes 17 categories of security controls. Among them are access and audit controls, configuration management, user identification and authentication, and media protection.
The guidelines suggest that minimum security controls required for broad classes of information systems, whether they are classified as high, moderate or low-risk, can be centrally managed and the costs amortized across multiple systems.