Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 provides a unified information security framework for achieving information system security and effective risk management across the entire federal government. In the previous article in this series, Paul J. Brusil outlined the risk management framework offered in SP 800-53. In this third of four articles about the latest revision of this landmark Special Publication from the Joint Task Force Transformation Initiative in the Computer Security Division of the Information Technology Laboratory, Brusil reviews the comprehensive repository of security controls presented in Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, which was prepared by a panel of experts drawn from throughout the U.S. government and industry. Everything that follows is Brusil's work with minor edits.
* * *
SP 800-53 establishes a comprehensive repository of security controls (documented in Appendices D, F and G). Through successive revisions to SP 800-53, this catalog changes over time to reflect changes in security requirements, new technologies, and evolving and emerging threats, vulnerabilities and attack strategies.
In the current Revision 3 update of SP 800-53 there are more than 200 security controls for protecting information and information systems. The controls are organized into 18 families ranging from Planning, Access Control and Awareness & Training to Configuration Management, Contingency Planning and Program Management. The first control in each family (the "-1" control) stipulates the policies and procedures needed to implement the remaining security controls in that family. The security controls address the security requirements specified in FIPS 199 (security categorization of information and information systems) and FIPS 200 (minimum security requirements).
The cataloged security controls provide broad, state-of-the-art safeguards and contemporary countermeasures. These controls are selectively employed, under organization-specific direction, to protect information and information systems from contemporary threats and exploits during information processing, storage and transmission.
The controls range from system-independent, security program management safeguards to information-specific and information-system-specific technical and operational safeguards and countermeasures. The security controls are policy neutral and independent of technology or implementation. They are tailorable, so that organizations can specify organization-specific security controls that meet their own security requirements.
For each cataloged security control, priority code recommendations are given (in Appendix D) for prioritizing or sequencing security controls during implementation or deployment. Furthermore (in Appendix F), there are initial allocations of security controls and control enhancements to the low-, moderate- and high-impact baselines for information systems of the corresponding impact levels.
There are also 11 security controls (Appendix G, the Program Management family) targeted at protecting information security programs rather than individual information systems.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.