NIST drafts updated guidance for agencies assessing security, privacy

The guidance gives federal agencies improved assessment procedures for securing systems and networks.

The National Institute of Standards and Technology (NIST) is updating guidance that helps federal agencies assess the security and privacy controls of their information systems and networks.

The guide will serve as a “companion work” to the “Security and Privacy Controls for Federal Information Systems and Organizations” (SP 800-53), allowing organizations to evaluate their implementation of recommended security controls as dictated by the Federal Information Security Management Act (FISMA), NIST announced on Friday.

According to the release, the updated guide, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” (SP 800-53A), provides new assessment procedures for testing SP 800-53 controls, as well as a new appendix for evaluating privacy controls that is still under development and will be released at a later date.

“The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint inter-agency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee,” NIST announced in late July on its site. “The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.”

Changes to the guide will support continuous monitoring and ongoing authorization programs, and the use of automated tools for assessment and monitoring activities, NIST revealed. The guidance will also give agencies and contractors necessary tools for root-cause failure analysis.

The draft publication is open to public comment until Sept. 26, the deadline NIST set for feedback. The full PDF of the draft is available from NIST.
