GCN : March 2013
[Briefing] GCN MARCH 2013 • GCN.COM 7

NEWS ANALYSIS

'Substantial' changes ahead for federal cybersecurity controls
BY WILLIAM JACKSON

The National Institute of Standards and Technology has released the final draft of its updated catalog of IT security controls, expanded to address new threats and with the flexibility to let agencies tailor controls to their needs. NIST expects to publish the finished product in April.

Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is a foundational document underlying federal cybersecurity regulation. Agencies are required under the Federal Information Security Management Act to apply appropriate controls detailed in the document to their IT systems, based on the level of assurance needed for each system.

Originally published in 2005, SP 800-53 was last updated in 2009 as part of what NIST called a historic collaboration with the military and intelligence communities to produce a set of governmentwide IT security controls. The latest update, Revision 4, is the most comprehensive to date and reflects changes in the IT and security landscapes over the past two years.

"The changes are substantial," said Ron Ross, the FISMA implementation lead at NIST. "The fundamental underpinnings haven't changed," but the catalog of security controls has grown from more than 600 to more than 850 controls, and there is a new emphasis on the underlying trustworthiness of systems and on privacy controls.

Comments on the draft were due by March 1 and sent to firstname.lastname@example.org, with final publication now anticipated in April. "We want to get this out sooner rather than later," Ross said.

The guidelines are part of a set of documents developed by the Joint Task Force Transformation Initiative, a collaborative effort formed to harmonize IT security requirements across civilian agencies, the military and the intelligence communities. The security controls enumerated in SP 800-53 Rev. 4 reflect recent concerns, including Advanced Persistent Threats, supply chain risks, insider threats, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance.

The major difference in the new version is its flexibility, giving agencies the ability to enhance a baseline of required controls with overlays tailored to specific missions and business cases, environment or technology. FedRAMP (the Federal Risk and Authorization Management Program) for cloud providers is an example of an overlay, Ross said, and the military is developing Space Command and other tactical overlays.

Federal requirements have put emphasis on the need to continuously monitor the status of IT systems in recent years, but the new document also focuses on the need to ensure that the systems being monitored are trustworthy to begin with. There are guidelines for assessing development processes and assuring that system architecture, design and analysis produce a final product that meets baseline security requirements. "You can't patch or configure your way out of this problem," Ross said. "You have to start at the front end."

The document also contains an appendix devoted to privacy controls, based on internationally recognized Fair Information Practice Principles, new in this revision.

Work on the revision began two years ago and the first public draft was released in February 2012. That and subsequent drafts generated thousands of comments that have been addressed. "This was a tough update," Ross said. But it is expected to be comprehensive and flexible enough to hold up for a number of years. NIST guidance typically is reviewed every five years.

A NIST security controls bibliography

In addition to the security controls in 800-53, the task force has produced:

SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.
SP 800-37 Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
SP 800-39: Managing Information Security Risk: Organization, Mission and Information System View.
SP 800-53A Rev. 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations.