SP 800-53 is Essential for Security in Federal Government IT Systems

The National Institute of Standards and Technology (NIST) Special Publication (SP) SP 800-53 provides a unified information security framework to achieve information system security and effective risk management across the entire Federal Government.

By M. E. Kabay

Wed, November 04, 2009, Network World

In previous articles in this series, Paul J. Brusil summarized the risk management framework and the catalog of security controls offered in SP 800-53. In this last of four articles, Brusil reviews the relationship of Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3 to other standards, as well as its suitability for government and non-governmental organizations. Everything that follows is Brusil's work with minor edits.


* * *

Communities Impacted by SP 800-53

SP 800-53 (Appendix H) provides two-way mappings between security controls defined in SP 800-53 and security controls defined in international security standard ISO/IEC 27001, Information Security Management Systems. The latter standard applies to all types of organizations and non-government communities. SP 800-53 also outlines a strategy for harmonizing and converging these two standards.


SP 800-53 (Appendix I) also contains additions to the Appendix D security control baselines, so that the augmented baselines in Appendix I can be used in the Industrial Control Systems (ICS) community. Appendix I further provides ICS-specific security control tailoring guidelines and other supplemental guidance for 64 of the security controls in the Appendix D catalog that apply to Industrial Control Systems.

First and foremost, SP 800-53 is essential for security in U.S. federal government IT systems. Federal agencies and their external service providers must comply with FISMA, the Federal Information Security Management Act of 2002, and the set of associated federal documents – FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems), FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) and SP 800-53 – that delineate the standards, specifications and recommendations for implementing FISMA. FISMA requires U.S. government agencies and their contractors to understand risk and to undertake a risk management process on all of their IT systems.

Specifically, FISMA requires that all agencies develop, document and implement agency-wide information assurance (IA) programs that support operations and assets and provide "adequate security." Every year, Inspectors General evaluate each agency's progress toward these requirements in the context of that agency's unique mission, environment and organization. SP 800-53 is used as the guiding document for implementing and improving security under FISMA.

What the critics say
