NIST Updates Federal Cybersecurity Guidelines

The National Institute for Standards and Technology (NIST) on Wednesday released an updated set of guidelines that organizations can use to develop their security assessment plans, as well as their associated procedures for security controls.

The 399-page set of guidelines is officially dubbed NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations Building Effective Security Assessment Plans. The guidelines are designed to complement Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

According to NIST, 800-53A include procedures "for both national security and non-national security systems," which are aimed at all parts of the development lifecycle, including development, implementation, and operation.

Revisions include numerous simplifications, such as eliminating the extended assessment procedure, simplifying much of the nomenclature, and removing various designations in the assessment procedures catalog.

"These simplifications will provide organizations with greater flexibility in selecting appropriate assessment methods, such as those supporting information system developments, initial and ongoing security authorizations, and continuous monitoring," according to NIST.

These revisions "are part of a larger strategic initiative to focus on enterprise-wide, near-real-time risk management," according to a statement from Ron Ross, who leads the FISMA Implementation Project, which was established in 2003, as required by Congressional legislation, to develop security guidelines and standards.

"Achieving the objective of near-real-time risk management means that organizations must have the flexibility to tailor their assessment activities based on where the information system is in its lifecycle, from initial development to continuous monitoring in operational environments," he said.

NIST said the revised 800-53A guide remains consistent with the Federal Information Security Management Act (FISMA), which sets guidelines and security standards for government agencies, as well as contractors. FISMA can also assess their compliance through audits.