The IT Law Wiki

NIST Special Publication 800-53

Citation

National Institute of Standards and Technology, Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53) (Rev. 3) (Aug. 2009) (full-text); Security and Privacy Controls for Federal Information Systems and Organizations (Rev. 4) (Apr. 2013) (full-text).

Overview

This publication was developed in support of the Federal Information Security Management Act of 2002 (FISMA). It provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the United States from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).

The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs.

The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy.

Changes made in Revision 4

Revision 4 represents the culmination of a two-year initiative to update the guidance for the selection and specification of security controls for federal information systems and organizations. The changes included in Revision 4 support the federal information security strategy of "Build It Right, Then Continuously Monitor" and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this revision, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services — especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications). In particular, the major changes in Revision 4 include:
