Archive for 800-53
You are browsing the archives of 800-53.
NIST (National Institute of Standards and Technology) has provided Federal Agencies with all the tools they need to get cyber-security done right. But obviously, it’s not being done right yet at most agencies. Why not?
Failure to understand the threat level - this was certainly once the top problem… maybe not so much anymore with all [...]
A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site.
[note - IPD means the document is in "draft" mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months later]
Draft-SP800-53 [...]
Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family:
800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Control:
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, [...]
After the baseline of security controls has gone through the tailoring process of scoping guidance, compensating controls and organizationally defined parameters, it is possible that additional controls or enhancements may be needed in order to mitigate the risk that has been assessed. It is also possible to simply add restrictions to already existing controls. [...]
NIST SP 800-53 sets terms and conditions for tailoring the security control baseline to organizational and operational needs. There are three specific areas addressed as follows:
Scoping Guidance
Compensating Controls
Organizationally Defined Parameters
Scoping Guidance offers considerations on how individual security controls are applied and implemented. The following areas are discussed:
Common Controls
Common Controls are controls that protect more [...]
Categorization is the process of selecting an Impact Level according to FIPS 199, a Federal Information Processing Standard that is mandatory for federal agencies under FISMA and must be adhered to. FIPS 199 sets three impact levels of HIGH, MODERATE and LOW. They are selected according to a consideration of the potential impact on an organization if a security event [...]
The goal of the controls is to reduce risk to a level that is acceptable