NIST promotes common cybersecurity controls


Agencies should assess and monitor their cybersecurity controls in common across the entire agency to the greatest extent possible, states revised guidance from the National Institute of Standards and Technology.

NIST released on June 29 an update of its guide for assessing federal agency security controls, a 399-page document formally known as Special Publication 800-53A. The publication, despite its nondescript title, greatly affects how agencies protect their networked systems.

The revised guidance, which applies to all systems except those that support national security, calls for agencies to maximize commonly implemented controls as a way to reduce costs and to allow for a more comprehensive understanding of control effectiveness, since cross-system comparisons would be easier.

Agencies can reuse the assessment results of previously accepted common controls when making risk determinations about deploying those controls in new systems, but they should first consider the credibility of the previous assessments and whether changing conditions have rendered the controls moot, the guidance states.

Security assessments of information technology systems should be done early during development, the publication also states. "Security weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner before proceeding to subsequent phases in the life cycle," it says.

The publication also stresses that agencies have flexibility in selection of assessment methods, assessment objects, and depth and coverage attribute values.

The updated guidance is part of an overall effort toward "enterprise-wide, near real-time risk management," states an online NIST announcement written by Ron Ross, project leader of an interagency working group that is reviewing NIST guidance on implementing the Federal Information Security Management Act.
