NIST drafts updated guidance for agencies assessing security, privacy

The guidance gives federal agencies improved assessment procedures for securing systems and networks.

The National Institute of Standards and Technology (NIST) is updating guidance that helps federal agencies assess the security and privacy controls of their information systems and networks.

The guide will serve as a “companion work” to the “Security and Privacy Controls for Federal Information Systems and Organizations” (SP 800-53), allowing organizations to evaluate their implementation of recommended security controls as dictated by the Federal Information Security Management Act (FISMA), NIST announced on Friday.

According to the release, the updated guide, called “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” (SP 800-53A), provides new assessment procedures for testing SP 800-53 controls, as well as a new appendix for evaluating privacy controls that is still under development and will be released at a later date.

“The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint inter-agency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee,” NIST announced in late July on its site. “The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.”

Changes to the guide will support continuous monitoring and ongoing authorization programs, and the use of automated tools for assessment and monitoring activities, NIST revealed. The guidance will also give agencies and contractors necessary tools for root-cause failure analysis.

The draft publication is open for public comment until Sept. 26, the deadline NIST set for feedback. A PDF of the guidance can be viewed in its entirety here.
