The National Institute of Standards and Technology (NIST) has released the final version of the 2014 update to its core guide to assessing the security and privacy safeguards for federal information systems and organizations. The revised guide was issued in draft for public comment last August.
Assessing Security and Privacy Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A, Revision 4) is one of two basic NIST publications used by government IT security professionals to assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks. The document is a guide to the tests and procedures needed to check that security controls are both in place and functioning as intended.
The assessment guide complements NIST’s Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53), a catalog of available methods or “controls” that can be used to safeguard information systems ranging from desktop computers to major data networks. The fourth revision of SP 800-53 was issued in April 2013.
The latest revision of SP 800-53A, the assessment guide, brings it into alignment with the most recent version of SP 800-53, and includes several significant changes from the previous edition released in 2010. In addition to adding new assessment methods for some controls and clarifying some of the terminology, the new edition has improvements meant to provide better support for continuous monitoring and ongoing authorization programs, and for use with automated assessment and monitoring tools. All of these modifications are aimed at making IT security procedures more flexible and responsive to changing threats.
The new edition of SP 800-53A also continues an ongoing process to better integrate privacy safeguards into the information security framework, in parallel with the privacy controls defined in SP 800-53, Appendix J. The privacy assessment procedures that will be added to this guide in the future are currently under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. They will be separately vetted through the traditional NIST public review process and then integrated into SP 800-53A.