
Many of our readers, especially those associated with government contracting, may not know that the National Institute of Standards and Technology (NIST) is now a step closer to publishing the 4th version of one of its premier information security guides, Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.

More specifically, on February 5, 2013, NIST issued the final public draft of the guidance and is seeking comments from the public; NIST will then publish the final version of SP 800-53 Rev 4, which is expected sometime this month (April).

Another point to note is that while the guidance is aimed at federal government IT systems, it is frequently followed by local, state and tribal governments, as well as many private sector enterprises.

What’s New in the SP 800-53 Rev 4 Guidance?

A quick summary of the major changes in Revision 4 includes:

• New security controls and control enhancements addressing the advanced persistent threat, supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;

• Clarification of security control language;

• New tailoring guidance, including the fundamental assumptions used to develop the security control baselines;

• Significant expansion of supplemental guidance for security controls and enhancements;

• Streamlined tailoring guidance to facilitate customization of baseline security controls;

• New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;

• Updated security control baselines;

• New summary tables for security controls and a naming convention for control enhancements to facilitate ease of use;

• New mapping tables for ISO/IEC 15408 (Common Criteria);

• The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation and information technologies;

• Designation of assurance-related controls for low-impact, moderate-impact and high-impact information systems, and additional controls for responding to high assurance requirements.

According to Ron Ross, the NIST computer scientist who heads the initiative that is revising the guidance, “…The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, information security programs capable of addressing sophisticated threats”.

Click here to view the current final draft version of the guidance.

Click here to read more about this process as posted on the Government Information Security website.

If you are not that familiar with the history of NIST and SP 800-53, you may want to click here to view a quick one-stop read on this topic, organized from content contributed to the Wikipedia website.

Our writing staff welcomes your comments and thoughts on this topic.
