NIST finalizing standard government-wide security controls
After more than two years of collaboration among civilian, defense, and intelligence agencies, the National Institute of Standards and Technology’s Information Technology Laboratory has released the final public draft of revision 3 of its Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” The most notable aspect of this release is not the set of controls it contains, as the control structure has been largely the same since 800-53 was originally published in 2005, with minor modifications in 2006 and again in 2007. What is remarkable this time around is the consensus achieved by Ron Ross and his team at NIST in for the first time getting DOD, the intel community, and civilian agencies to agree to a single set of government-wide standards. Dr. Ross leads the Joint Task Force Transformation Initiative Interagency Working Group, whose primary focus is harmonizing security practices, standards, and guidelines across the government, even for national security systems not falling under the scope of the Federal Information Security Management Act. Similar consolidation is forthcoming in the area of Certification and Accreditation under Special Publication 800-37, “Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach,” still in draft, which when finalized and adopted, will unify the DIACAP approach (itself a revision of DITSCAP) long used in the Department of Defense with the civilian agency C&A process that became required for use in 2004. This trend of agreement on standards and practices throughout government seems to be a positive indicator for those (like President Obama) who advocate more central oversight and administration of federal information security.