
FISMA NEWS

DRAFT Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans -- is available for public comment
July 31, 2014
 
Please send comments to sec-cert@nist.gov with "Comments Draft SP 800-53Arev4" in the subject line. Comments will be accepted through September 26, 2014.
 
NIST announces the release of Draft Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Initial Public Draft). SP 800-53A is a Joint Task Force publication and a companion guideline to SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
 
This update to SP 800-53A contains significant changes to the 2010 version of the publication in both content and format. The changes have been driven by four fundamental needs of federal agencies:

  • The need for new or updated assessment procedures for the security controls and privacy controls defined in NIST SP 800-53, Revision 4;
  • The need for a more granular breakdown of assessment objectives to support continuous monitoring and ongoing authorization programs;
  • The need for a more structured format and syntax for assessment procedures to support the use of automated tools for assessment and monitoring activities; and
  • The need to support assessments of security capabilities and privacy capabilities and root cause analysis of failure modes for individual security or privacy controls or groups of controls.

By addressing the above needs, organizations will have the flexibility to: (i) define specific parts of security controls and privacy controls requiring greater scrutiny; (ii) more effectively tailor the scope and level of effort required for assessments; (iii) assign assessment and monitoring frequencies on a more targeted basis; and (iv) take advantage of potential new opportunities to conduct assessments of security or privacy capabilities including analysis of control dependencies.
 
There have also been some significant improvements in the current security assessment procedures based on feedback from federal agencies reflecting lessons learned during the conduct of actual assessments as part of the Risk Management Framework (RMF) process. The improvements include, for example, clarification of terminology, expansion of the number of potential assessment methods and assessment objects on a per-control basis, and a simpler decomposition of assessment objects to align more closely with control statements.
 
In addition to the above, privacy terminology has been integrated into SP 800-53A in a manner that is complementary to and supportive of the privacy controls defined in SP 800-53, Appendix J. While security and privacy disciplines are distinct programmatic entities, there are also important dependencies between those entities—highlighting the need for the programs to complement one another to ensure the security and privacy goals and objectives of organizations are satisfied. As with any transformation, there will be changes in this publication and other supporting publications as the privacy integration moves forward and is completed. Privacy assessment procedures are not included in this draft. The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.
 
The changes to the current security assessment procedures in SP 800-53A and the future privacy assessment procedures should result in significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies. Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions.
 
Please note that NIST has made a one-time change in the revision number of SP 800-53A (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-53.


Errata Update to Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
June 10, 2014
 
NIST announces the release of an errata update to Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This update will ensure that the Risk Management Framework (RMF) process and associated implementation guidance are consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government.


Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management
June 3, 2014
 
NIST announces the release of Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management. This publication responds to Office of Management and Budget (OMB) Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, that directed NIST to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization. This is the first of three major updates to NIST guidance supporting the Risk Management Framework and the full transition to ongoing authorization by employing best practices in information security continuous monitoring. The second publication, an errata update to NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released on June 10, 2014. This update will ensure that the Risk Management Framework (RMF) process is consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government. The third publication, NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, will be released as an Initial Public Draft in July 2014. This update will ensure that the security assessment procedures are consistent with the security controls in NIST Special Publication 800-53, Revision 4. In addition, to help facilitate ease of use for our customers, the revision number of SP 800-53A is being changed to Revision 4, to be consistent with the current revision number of SP 800-53.


Update on Three FISMA Publications: Ongoing Authorization Supplemental Guidance, SP 800-37, Rev 1 (Errata), SP 800-53A Rev 4 (IPD)
May 20, 2014
 
The FISMA Implementation Project is announcing the following schedule for three publications.

  • First, a new publication, Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management, will be released within the next ten days. This 13-page publication responds to a requirement from the Office of Management and Budget (OMB) in Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, and provides clarifying and amplifying guidance on the application of current NIST guidelines to the security authorization process to facilitate the transition to ongoing authorization.
  • Second, an errata update for NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released within the next fifteen days. This update will ensure that the Risk Management Framework (RMF) process is consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government.
  • Third, NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, will be released as an Initial Public Draft within forty-five days. This update will ensure that the security assessment procedures are consistent with the security controls in NIST Special Publication 800-53, Revision 4. In addition, to help facilitate ease of use for our customers, the revision number of SP 800-53A is being changed to Revision 4, to be consistent with the current revision number of SP 800-53.


NIST SP 800-53 On-Line Database Updated to Revision 4
May 20, 2014
 
The NIST Special Publication 800-53 Revision 4 On-line Reference Database has been posted. It contains the catalog of security controls from Appendices F and G of SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013). The on-line database lets customers quickly and efficiently browse the security controls, control enhancements, and supplemental guidance (including summaries by control class, control family, and control impact baseline) and search the security control catalog using user-specified keywords.


Special Publication 800-53 Revision 4
Security and Privacy Controls for Federal Information Systems and Organizations (Final)
(April 2013)
See the full announcement of the document release.

Updated FISMA Publication Schedule Posted
August 21, 2012
 
The NIST FISMA Implementation Project has updated its publications schedule. The schedule (dated August 20, 2012) can be downloaded at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.

The modified schedule accounts for the recent changes in publication priorities for SP 800-30, Revision 1 and SP 800-53, Revision 4. The changes also affect the publication schedule for SP 800-53A, Revision 2.

You will note that:

SP 800-30, Revision 1: Guide for Conducting Risk Assessments

  • Publication refocused to address only risk assessments.
  • Publication developed as part of the Joint Task Force Transformation Initiative (DOD, ODNI, CNSS, and NIST).
  • Publication priority changed due to request from JTF partners, releasing the publication three months earlier than originally scheduled.

SP 800-53, Revision 4: Recommended Security and Privacy Controls for Federal Information Systems and Organizations

  • Publication developed as part of the Joint Task Force Transformation Initiative (DOD, ODNI, CNSS, and NIST).
  • Publication priority changed due to request from JTF partners, delaying publication until after the release of SP 800-30, Revision 1.
  • Publication may be finalized in November 2012 (eliminating FPD), pending final decision by JTF partners.

SP 800-53A, Revision 2: Guide for Assessing the Security and Privacy Controls in Federal Information Systems and Organizations

  • Publication developed as part of the Joint Task Force Transformation Initiative (DOD, ODNI, CNSS, and NIST).
  • Publication schedule will be adjusted if SP 800-53, Revision 4, is published (final) in November.

Article by Dr. Ron Ross, What Continuous Monitoring Really Means, posted July 24, 2012 in FedTech magazine



Special Publication 800-39
Managing Information Security Risk: Organization, Mission, and Information System View

(March 2011)


NIST Seeks Input for Planned 2011 Update of Security Control Catalog For Federal Information Systems and Organizations (Special Publication 800-53)
(February 24, 2011)

On-line Course Available: "Applying the Risk Management Framework to Federal Information Systems"
(June 29, 2010)
See full announcement on CSRC News page.

Special Publication 800-53 Rev 3 database updated
(June 2010)

NIST Releases Special Publication 800-53A, Revision 1,
Guide for Assessing the Security Controls in Federal Information Systems and Organizations

(June 2010)
See full announcement on CSRC News page.

NIST releases FAQ on Continuous Monitoring
(June 2010)

NIST Special Publication 800-53 Revision 3
Recommended Security Controls for Federal Information Systems and Organizations

Updated May 1, 2010; see the errata page for the update and the CSRC News page for details
(July 2009)

NIST Special Publication 800-37 Revision 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

(February 2010)

DRAFT NIST IR 7328
Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

(September 2007)

Presentation from the GCN Webinar on FISMA Implementation

Presentation from the FISMA Security Seminar
   Black and white for printing

Status of NIST Special Publication 800-26

Presentation from the Automated Security Tools Conference
       Black & White for printing

Submit comments and suggestions to:
sec-cert@nist.gov