The National Institute of Standards and Technology (NIST) is updating guidance that helps federal agencies assess the security and privacy controls of their information systems and networks.
The guide will serve as a “companion work” to the “Security and Privacy Controls for Federal Information Systems and Organizations” (SP 800-53), allowing organizations to evaluate their implementation of recommended security controls as dictated by the Federal Information Security Management Act (FISMA), NIST announced on Friday.
According to the release, the updated guide called “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” (SP 800-53A), provides new assessment procedures for testing SP 800-53 controls, as well as a new appendix for evaluating privacy controls that is still being developed to be released at a later date.
“The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint inter-agency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee,” NIST announced in late July on its site. “The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.”
Changes to the guide will support continuous monitoring and ongoing authorization programs, and the use of automated tools for assessment and monitoring activities, NIST revealed. The guidance will also give agencies and contractors necessary tools for root-cause failure analysis.
The draft publication will be open to public comment until Sept. 26, the cut-off day NIST set for feedback. A PDF of the guidance can be viewed in its entirety here.