- Security and Privacy Controls for Federal Information Systems and Organizations (Rev. 4) (Apr. 2013) (full-text)
- Security and Privacy Controls for Information Systems and Organizations (Rev. 5) (Aug. 2017) (full-text)
This publication was developed in support of the Federal Information Security Management Act of 2002 (FISMA). It provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the United States from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).
The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs.
The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy.
Changes made in Revision 4
Revision 4 represents the culmination of a two-year initiative to update the guidance for the selection and specification of security controls for federal information systems and organizations. The changes included in Revision 4 support the federal information security strategy of "Build It Right, Then Continuously Monitor" and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this revision, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services — especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications). In particular, the major changes in Revision 4 include:
- New security controls and control enhancements addressing the advanced persistent threat (APT), supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;
- Clarification of security control language;
- New tailoring guidance including the fundamental assumptions used to develop the security control baselines;
- Significant expansion of supplemental guidance for security controls and enhancements;
- Streamlined tailoring guidance to facilitate customization of baseline security controls;
- New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;
- Updated security control baselines;
- New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
- New mapping tables for ISO/IEC 15408 (Common Criteria);
- The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation, and information technologies; and
- Designation of assurance-related controls for low-impact, moderate-impact, and high-impact information systems and additional controls for responding to high assurance requirements.
Changes made in Revision 5
Revision 5 responds to the call by the Defense Science Board by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.
Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes changes to make the controls more consumable by diverse consumer groups including, for example, enterprises conducting mission and business operations; engineering organizations developing information systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:
- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects, and mission/business owners;
- Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.