Standards play a critical role in information assurance. Standards also provide a basis for demonstrating due care and diligence in fulfilling our fiduciary responsibilities to stakeholders. Given the impossibility of defining a deterministic model that includes billions of users, millions of computers, and thousands of programs and protocols potentially interacting with each other unpredictably, we have to rely on human consensus about best practices if we are to progress in our field. In this first of four articles about the latest revision of a landmark Special Publication (SP) from the Joint Task Force Transformation Initiative in the Computer Security Division of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST), Paul J. Brusil reviews the key recommendations and strategic guidance offered in Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, which has been prepared by a panel of experts drawn from throughout the U.S. government and industry.
Traditionally, the Department of Defense (DoD) and the civilian federal agencies independently develop their own standards. Everything that follows is Brusil's work with minor edits.

* * *

From the furthest corners of the U.S. Defense and Intelligence communities to every civil office in the U.S. federal government, a single new security standard applies to all government information systems, including national security systems. Harmonizing the security needs of all government agencies has been a long time coming; but, for the first time ever, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, dated August 2009, does just that. SP 800-53 provides a unified information security framework that applies across the entire federal government. It is the harbinger of other soon-to-appear, cross-government security recommendation collaborations in areas including certification and accreditation, risk assessments, security control assessment procedures and others. SP 800-53 is part of an extensive library of guidelines, recommendations and standards that NIST publishes and continually updates to help organizations protect their information systems and data.
The SP 800-53 standard, titled "Recommended Security Controls for Federal Information Systems and Organizations", was co-developed by the Computer Security Division of NIST, DoD and the U.S. Intelligence Community, as well as the Industrial Control System community. It benefited from extensive public review and comments. The purpose of SP 800-53 is to achieve information system security and effective risk management, in part, by providing a common information security language for all information systems and by providing consistent and repeatable guidelines for selecting and specifying standard security controls. Protected information systems include all constituent components, local and remote, for processing, storing and transmitting information. It represents the best practices and guidance available today, not only for the government but for private enterprises as well.

With the aid of SP 800-53, organizations are able to select appropriate security controls to meet security requirements, to implement the selected controls correctly and to demonstrate the confidence and effectiveness of the selected controls in complying with security requirements. SP 800-53 guides security managers, security service providers, security technology developers, system developers, system implementers and system assessors. Office of Management and Budget (OMB) policies mandate that all federal agencies, their contractors and their external service providers use SP 800-53.

The existence of SP 800-53 as a government regulation has many benefits beyond the stipulation of security best practices. For one, it elevates security awareness to senior management. Correspondingly, security funding can be positively impacted.

SP 800-53 is a living document updated periodically. The just-released Revision 3 supersedes the previous revision released 18 months earlier. It contains or amplifies a risk management framework, a security control catalog, a security control selection process, traceability of security controls to underlying security requirements, assurance requirements for security controls, and extensions for use in communities outside the U.S. government.

In the next part of this four-part series, Brusil discusses the risk management section of SP 800-53 Rev. 3.

* * *

Dr Paul J. Brusil, PhD, MD graduated from Harvard University with a joint degree in Engineering and Medicine. He has authored more than 100 papers and book chapters in his distinguished career and worked in a wide range of industry and government sectors as a respected security, network management and program management consultant. He is on the editorial boards of several journals including the Journal of Network and Systems Management and is a Lead Instructor for the Master of Science in Information Assurance at Norwich University.