Archive for NIST Computer Security

You are browsing the archives of NIST Computer Security.

The NIST PM Security Control Family

The NIST PM control family is a set of security controls that were added to the NIST SP 800-53 catalog of controls in version 3. These controls are fundamental and foundational and need to be established early in the System Development Life Cycle (SDLC). They lay the groundwork for processes that are critical to information […]

Simple Secure Configuration Management

Here’s a simplified plan to use a configuration management process to lock down your key network components: Know everything on your network – having a good inventory is prerequisite to everything else. If you don’t know what’s on your network, you can’t defend it or fix it. If you don’t know what state it’s in, […]

Patch and Vulnerability Management

NIST 800-40 “Creating a Patch and Vulnerability Management Program” describes the functions and processes that a patch and vulnerability management program should cover in order to maintain effective security. Importance of patch management As operating systems, applications and utility tools continue to manifest exploitable flaws, rapid application of security patches becomes critical to security. Attackers […]

FIPS Validated Encryption

FIPS 140-2 is the current (soon to be revised to FIPS 140-3) NIST encryption standard for government agencies protecting sensitive but unclassified information. NIST operates a Cryptographic Module Validation Program (CMVP) that offers testing of encryption (cryptographic modules) in products to ensure they are compliant with the FIPS standard. This testing involves not only which […]

Security Control Matrix

This matrix is a map that correlates attackers methodology with NIST 800-53 security controls: ATTACK METHODOLOGY/CONTROL Recon General/Google RA-3 RISK ASSESSMENT – you can only reduce exposure and can never “stop” general reconnaissance, but you damn well better know what you’re defending before the attacker starts to find out Network scanning CM-7 LEAST FUNCTIONALITY – […]

800-53 rev3 FINAL

NIST has released the final copy of SP 800-53 rev3 “Recommended Security Controls for Federal Information Systems and Organizations”. This document is the encyclopedia of security controls for federal agencies and this is the third revision since it was originally released in 2005. The impact level baseline information bar that was removed in the Final […]

800-53 rev3 FPD

The new revision of NIST SP 800-53 (rev3) is now in FINAL Public Draft (FPD) and should be published in final form soon. When NIST moves a draft document from IPD status to FPD status, the changes are often few as the document is nearly ready for final publishing. In this case, however, the changes […]

800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site. [note – IPD means the document is in “draft” mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months […]

Awareness and Training

Need Awareness and training is a critical part of any information security program People are the weakest link in any security defense Components – there is a security learning continuum: Awareness Basic training Functional training Specialized education Designing a program Identify needs Behavior (awareness) Skills (training and education) Plan Get buy-in Priorities Material – audience […]

Policy and Procedure

Each of the seventeen families of security controls found in 800-53 contain a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family: 800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES Control: The organization develops, disseminates, and periodically reviews/updates: (i) […]