NIST SP800-53 Rev. 3: Key to Unified Security Across Federal Government and Private Sectors

Security Strategies Alert By M. E. Kabay, Network World, 10/26/2009
Standards play a critical role in information assurance. Given the impossibility of defining a deterministic model that includes billions of users, millions of computers, and thousands of programs and protocols potentially interacting with each other unpredictably, we have to rely on human consensus about best practices if we are to progress in our field. Standards also provide a basis for demonstrating due care and diligence in fulfilling our fiduciary responsibilities to stakeholders.

In this first of four articles about the latest revision of a landmark Special Publication (SP) from the Joint Task Force Transformation Initiative in the Computer Security Division of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST), Paul J. Brusil reviews the key recommendations and strategic guidance offered in Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, which has been prepared by a panel of experts drawn from throughout the U.S. government and industry. Everything that follows is Brusil's work with minor edits.

* * *

From the furthest corners of the U.S. Defense and Intelligence communities to every civil office in the U.S. federal government, a single new security standard applies to all government information systems, including national security systems. Traditionally, the Department of Defense (DoD) and the civilian federal agencies have independently developed their own standards. Harmonizing the security needs of all government agencies has been a long time coming; but, for the first time ever, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, dated August 2009, does just that.

SP 800-53 provides a unified information security framework that applies across the entire federal government. It is the harbinger of other soon-to-appear cross-government security recommendation collaborations in areas including certification and accreditation, risk assessments, security control assessment procedures and others.

SP 800-53 is part of an extensive library of guidelines, recommendations and standards NIST publishes and continually updates to help organizations protect their information systems and data. Protected information systems include all constituent components – local and remote – for processing, storing and transmitting information.

The SP 800-53 standard, titled "Recommended Security Controls for Federal Information Systems and Organizations", was co-developed by the Computer Security Division of NIST, DoD and the U.S. Intelligence Community, as well as the Industrial Control System community. It benefited from extensive public review and comment. It represents the best practices and guidance available today, not only for the government but for private enterprises as well.

The purpose of SP 800-53 is to achieve information system security and effective risk management, in part, by providing a common information security language for all information systems and by providing consistent and repeatable guidelines for selecting and specifying standard security controls. With the aid of SP 800-53, organizations are able to select appropriate security controls to meet security requirements, to implement the selected controls correctly and to demonstrate the confidence in and effectiveness of the selected controls in complying with security requirements. SP 800-53 guides security managers, security service providers, security technology developers, system developers, system implementers and system assessors.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.
