The final version of the 2014 update to a guide on assessing the security and privacy safeguards for federal information systems and organizations has just been released.
The revised guide was issued in draft for public comment last August by the National Institute of Standards and Technology (NIST).
Assessing Security and Privacy Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A, Revision 4) is one of two basic NIST publications used by government IT security professionals to assess the software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks. The document is a guide to the tests and procedures needed to verify that security controls are in place and functioning as intended.
The assessment guide complements NIST’s Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53), a catalog of available methods or “controls” that can safeguard information systems ranging from desktop computers to major data networks. The fourth revision of SP 800-53 was issued in April 2013.
The latest revision of SP 800-53A, the assessment guide, brings it into alignment with the most recent version of SP 800-53 and includes several significant changes from the previous edition released in 2010. In addition to adding new assessment methods for some controls and clarifying some of the terminology, the new edition includes improvements intended to provide better support for continuous monitoring and ongoing authorization programs, and for use with automated assessment and monitoring tools. All of these modifications aim to make IT security procedures more flexible and responsive to changing threats.
The new edition of SP 800-53A also continues an ongoing process to better integrate privacy safeguards into the information security framework, in parallel with the privacy controls defined in SP 800-53, Appendix J. The privacy assessment procedures that will be added to this guide in the future are under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. They will be vetted separately through the traditional NIST public review process and then integrated into SP 800-53A.
Click here for SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations.