NIST Special Publication 800-53

NIST Special Publication 800-53

NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," and catalogs security controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and to help with managing cost effective programs to protect their information and information systems.[1]

National Institute of Standards and Technology
NIST logo.svg



NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations.[2]

Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk.[3] The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.[4]

A key part of the certification and accreditation process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (NIST 800-53, Appendix F) . These controls are the management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. To implement the needed safeguards or controls, agencies must first determine the security category of their information systems in accordance with the provisions of FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” The security categorization of the information system (low, moderate or high) determines the baseline collection of controls that must be implemented and monitored. Agencies have the ability to adjust these controls and tailor them to fit more closely with their organizational goals or environments.[1]


Agencies are expected to be compliant with NIST security standards and guidelines within one year of the publication date (February 2005) unless otherwise directed. Information systems that are under development are expected to be compliant upon deployment.[1]


Third Draft

The third version of NIST's Special Publication 800-53 document incorporates several recommendations from people who commented on previously published versions, who recommended a reduction in the number of security controls for low-impact systems, a new set of application-level controls and greater discretionary powers for organizations to downgrade controls. Also included in the final draft is language that allows federal agencies to keep their existing security measures if they can demonstrate that the level of security is equivalent to the standards being proposed by NIST.[4] The third version also represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance has not applied to government information systems identified as national security systems. The management, operational, and technical controls in SP 800-53 Revision 3 provide a common information security language for all government information systems. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats and exploits. Significant changes in this revision of the document include

  • A simplified, six-step risk management framework;
  • Additional security controls and enhancements for advanced cyber threats;
  • Recommendations for prioritizing security controls during implementation or deployment;
  • Revised security control structure with a new references section;
  • Elimination of security requirements from supplemental guidance sections;
  • Guidance on using the risk management framework for legacy information systems and for external information system services providers;
  • Updates to security control baselines based on current threat information and cyber attacks;
  • Organization-level security controls for managing information security programs;
  • Guidance on the management of common controls within organizations; and
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.[5]

Fourth Draft

As part of the ongoing cyber security partnership among the United States Department of Defense, the intelligence community, and the federal civil agencies, NIST has launched its biennial update to Special Publication 800‐53, scheduled to be released December 13, 2011. The 2011 initiative will include an update of current security controls, control enhancements, supplemental guidance and an update on tailoring and supplementation guidance that form key elements of the control selection process. Key focus areas include, but are not limited to:

  • Insider threats;
  • Software application security (including web applications);
  • Social networking, mobiles devices, and cloud computing;
  • Cross domain solutions;
  • Advanced persistent threats;
  • Supply chain security;
  • Industrial/process control systems; and
  • Privacy.


Version A

NIST Special Publication 800-53 A is titled “Guide for Assessing Security Controls in Federal Information Systems and Organizations." This version will describe testing and evaluation procedures for the 17 required controls.[4] These assessment guidelines are designed to enable periodic testing and are used by federal agencies to determine what security controls are necessary to protect organizational operations and assets, individuals, other organizations, and the nation.[3] According to Ron Ross, senior computer scientist and information security researcher at NIST, these guidelines will also allow federal agencies to assess "if mandated controls have been implemented correctly, are operating as intended, and are... meeting the organization's security requirements."

To do this, version A describes assessment methods and procedures for each of the security controls mandated in Special Publication 800-53. These methods and procedures are to be used as guidelines for federal agencies. These guidelines are meant to limit confusion and ensure that agencies interpret and implement the security controls in the same way.[6]


External links

Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • NIST Special Publication 800-37 — NIST Special Publication 800 37, Guide for Applying the Risk Management Framework to Federal Information Systems was developed by the Joint Task Force Transformation Initiative Working Group. It aims to transform the traditional Certification and …   Wikipedia

  • Cyber security standards — are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks. These guides provide general outlines as well as specific techniques for implementing cyber… …   Wikipedia

  • Triple DES — Triple Data Encryption Algorithm General First published 1998 (ANS X9.52) Derived from DES Cipher detail Key sizes 168, 112 or 56 bits (Keying option 1, 2, 3 respectively) Block sizes …   Wikipedia

  • Galois/Counter Mode — GCM mode (Galois/Counter Mode) is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a… …   Wikipedia

  • Блочный шифр — Общая схема работы блочного шифра Блочный шифр  разновидность симметричного шифра …   Википедия

  • Federal Information Security Management Act of 2002 — The Federal Information Security Management Act of 2002 ( FISMA , usc|44|3541, et seq. ) is a United States federal law enacted in 2002 as Title III of the E Government Act of 2002 (USPL|107|347, USStat|116|2899). The act was meant to bolster… …   Wikipedia

  • Data remanence — is the residual representation of data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that… …   Wikipedia

  • Dual_EC_DRBG — or Dual Elliptic Curve Deterministic Random Bit Generator[1] is a controversial pseudorandom number generator (PRNG) designed and published by the National Security Agency. It is based on the elliptic curve discrete logarithm problem (ECDLP) and… …   Wikipedia

  • Information security — Components: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications with the purpose to identify and apply information security… …   Wikipedia

  • Domain Name System Security Extensions — Internet protocol suite Application layer BGP DHCP DNS FTP HTTP …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”