Monday, August 3, 2009

Blog: NIST Issues Final Version of SP 800-53; Enables Rapid Adoption of the Twenty Critical Controls (Consensus Audit Guidelines)


SANS NewsBites Vol. 11 Num. 61 (August 3, 2009)

The National Institute of Standards and Technology (NIST) has published the final version of SP 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations." The document is the first major revision of the guidelines for implementing the Federal Security Management Act (FISMA) since 2005. Among the changes in this updated version are "A simplified, six-step Risk Management Framework; Recommendations for prioritizing security controls during implementation or deployment; and Guidance on using the Risk Management Framework for legacy information systems and for external information system services providers." The new version of 800-53 solves three fatal problems in the old version: it calls for common controls (rather than system-by-system controls), continuous monitoring (rather than periodic certifications), and prioritized controls (rather than asking IGs to test everything). Those are the three drivers for the 20 Critical Controls (CAG). In at least five agencies, contractors that previously did 800-53 evaluations are being re-assessed on their ability to implement and measure the effectiveness of the 20 Critical Controls in those agencies. One Cabinet-level Department has proven that implementing the 20 Critical Controls with continuous monitoring reduced the overall risk by 84% across all departmental systems worldwide.

http://gcn.com/Articles/2009/08/03/NIST-release-of-800-53-rev-3-080309.aspx

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf

[Editor's Note (Paller): This is very good news. John Gilligan reports that a new version of the 20 Critical Controls document will be released next week with a table, put in the document at NIST's request, showing how the 20 Critical Controls are a proper subset of the priority one controls in the revised 800-53. A course on implementing and testing the 20 Critical Controls will be run in San Diego next month and in Chicago in October https://rr.sans.org/ns2009/description.php?tid=3467.]
