New NIST publication helps IT assess security controls

July 10, 2008
Publication assists IT managers in supporting FISMA risk management framework

A new publication released by the National Institute of Standards and Technology (NIST) on June 30 can help information system managers negotiate the often complex process of assessing security controls in their information systems. Although designed specifically to meet the needs of federal IT managers who must satisfy government requirements called for in the 2002 Federal Information Security Management Act (FISMA), the new guide can be useful to IT professionals across the industry.

The document, Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, is designed to assist managers in assessing the effectiveness of the security controls called for in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. SP 800-53 is one of the core documents supporting the Risk Management Framework that was developed for federal agencies by NIST as part of its FISMA responsibilities. SP 800-53 specifies a flexible and extensible process for selecting security controls for federal information systems in accordance with the mission and business functions being carried out by federal agencies.

The assessment procedures provided in SP 800-53A close the loop by defining a disciplined and structured process for determining if the security controls in federal information systems are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting organizational security policies.

“When security controls are less than fully effective,” says Ron Ross, project leader, FISMA Implementation Project, “information system vulnerabilities can be exploited by adversaries to compromise the confidentiality, integrity and availability of information processed, stored and transmitted by the system.”

For simplicity and ease of use, SP 800-53A lists the security controls from SP 800-53 together with the assessment procedures for those controls.

SP 800-53A authors developed additional tools and techniques for implementing the assessment procedures in SP 800-53A that will be available on the NIST Web site after July 25. NIST, working with security control assessors from the Departments of Energy, Justice and Transportation and the intelligence community, generated a suite of assessment cases based on SP 800-53A procedures. The cases provide additional assessor-related information that can be used for more consistent and cost-effective security control assessments.

SP 800-53A can be found at http://csrc.nist.gov/publications/PubsSPs.html#800-53A. After July 25, the assessor case studies will be at http://csrc.nist.gov/sec-cert.