[ISN] NIST readies guidance on IT security assessments

From: InfoSec News (alerts@private)
Date: Wed May 30 2007 - 22:10:42 PDT


http://www.gcn.com/online/vol1_no1/44383-1.html

By William Jackson
05/30/07

The National Institute of Standards and Technology has finished the 
third and possibly final draft of its revised guidelines for assessing 
the adequacy of IT security. Special Publication 800-53A, Guide for 
Assessing the Security Controls in Federal Information Systems, will be 
released for comment June 4.

NIST is charged under the Federal Information Security Management Act 
with developing standards and guidance for implementing IT security 
programs. SP 800-53 is part of a series of documents developed for 
selecting the proper level and types of IT security controls. The core 
of the series is Federal Information Processing Standard 200, which 
establishes minimum security requirements under FISMA. Once those 
requirements have been established, agencies select the appropriate set 
of controls from NIST SP 800-53, Recommended Security Controls for 
Federal Information Systems. SP 800-53A is an addendum that sets out the 
framework for conducting mandatory assessments of security controls 
required under FISMA.

Comments on previously released drafts have resulted in significant 
changes in the third draft version, according to NIST. Changes are 
expected to include a greater emphasis on two-factor authentication, 
trust relationships to assure adequate security controls at IT vendors 
and greater restrictions on remote access to sensitive data.

Comments on the current version will be accepted by the Computer 
Security Division of NIST's IT Laboratory through July 31. Comments can 
be e-mailed to sec-cert@private. All of the FISMA-related security 
standards and guidelines can be found at http://csrc.nist.gov/sec-cert.

Final publication of SP 800-53A is expected early next year. NIST will 
decide on whether additional public drafts are needed based on comments 
received on the present draft.
