NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

News & Events

News -- 2013

Final Public Draft of NIST Special Publication 800-53 Revision 4
February 5, 2013
 
NIST announces the release of Draft Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal information Systems and Organizations (Final Public Draft). Special Publication 800-53, Revision 4, represents the culmination of a two-year initiative to update the guidance for the selection and specification of security controls for federal information systems and organizations. This update, the most comprehensive since the initial publication of the controls catalog in 2005, was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, and the Committee on National Security Systems. NIST received and responded to several thousand comments during the extensive public review and comment period.
 
The proposed changes included in Special Publication 800-53, Revision 4, support the federal information security strategy of “Build It Right, Then Continuously Monitor” and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this update, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services—especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications). In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements addressing the advanced persistent threat (APT), supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;
     
  • Clarification of security control language;
     
  • New tailoring guidance including the fundamental assumptions used to develop the security control baselines;
     
  • Significant expansion of supplemental guidance for security controls and enhancements;
     
  • Streamlined tailoring guidance to facilitate customization of baseline security controls;
     
  • New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;
     
  • Updated security control baselines;
     
  • New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
     
  • New mapping tables for ISO/IEC 15408 (Common Criteria);
     
  • The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation, and information technologies; and
     
  • Designation of assurance-related controls for low-impact, moderate-impact, and high-impact information systems and additional controls for responding to high assurance requirements.
As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs, depends first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, information security programs—capable of addressing sophisticated threats.
 
To support the final public review process, NIST will publish a markup version of Appendices D, F, and G (i.e., baseline allocations and the catalog of security controls for information systems and organizations) on or about February 8th to show the changes from the initial public draft. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or other appendices. A markup showing changes from Revision 3 to Revision 4 for the aforementioned appendices will be provided upon final publication of Special Publication 800-53, anticipated for April 2013.
 
Public comment period: February 5th through March 1st, 2013.
 
Comments can be sent to: sec-cert@nist.gov .


Final Approval of NIST Interagency Report (IR) 7511 Revision 3 is now available
February 5, 2013
NIST announces the release of NIST Interagency Report (NISTIR) 7511 Revision 3, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. NISTIR 7511 defines the requirements that must be met by products to achieve SCAP 1.2 Validation. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in producing SCAP validated products.


DRAFT Special Publication 800-63-2, Electronic Authentication Guideline is now available for comment
February 1, 2013
 
NIST announces the release of Draft Special Publication 800-63-2, Electronic Authentication Guideline for public review and comment. This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication will supersede NIST Special Publication 800-63-1.
 
This draft is a limited update of Special Publication 800-63-1 and substantive changes are made only in section 5. Registration and Issuance Processes. The substantive changes in the revised draft are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for level 3 remote registration. Other changes to section 5 are minor explanations and clarifications. New or revised text is highlighted in the review draft. Other sections of NIST Special Publication 800-63-1 have not been changed in this draft.
 
Please submit comments on the revision to eauth-comments@nist.gov with the subject line: “Draft SP 800-63-2 Comments”. The comment period closes on March 4, 2013.


Update Status on (Draft) NIST Special Publication 800-53 Revision 4
January 18, 2013
 
NIST anticipates the release of Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal information Systems and Organizations (Final Public Draft) on Tuesday, February 5th. The final public comment period will run from February 5th through March 1st. Final publication is expected by the end of April.
 
NIST Computer Security Division released a paper "The Role of the National Institute of Standards and Technology in Mobile Security".



For 2012 News & archived news