Similar to the security plan, resources should be identified and the proper managers consulted to ensure that the appropriate people, facilities, tools and budget are available.
In addition to configuration management, good system maintenance calls for the security controls to be monitored for effectiveness. As technology changes and threats evolve, the security controls need to be re-evaluated periodically. This can be a costly process, so for federal systems the guidelines call for the identification of a subset of controls to limit scope.39 NIST SP 800-53 assists agencies in identifying which subset of security controls to evaluate and monitor. After the appropriate security controls have been identified, they must be monitored for their effectiveness. NIST SP 800-53A identifies techniques and procedures for verifying security controls.
When changes are made either to the system itself or to its security controls, the security plan and other supporting documentation must be updated. The release schedule is determined by each agency and project, but for large systems it is generally advisable to update the supporting documentation as changes occur and to distribute the updated plans at least quarterly.
Lastly, status reports to the authorizing official should identify on-going activities and any updates to supporting documentation, and should include a plan of action and milestones.40
NIST Special Publication 800-53: Guide for the Selection and Specification of Security Controls for Federal Information Systems
NIST SP 800-53 has not yet been released for public review. The NIST C&A website,41 however, states that this guide will “establish a set of minimum security controls for low, moderate, and high risk information systems. These predefined sets of security controls provide a baseline, or starting point, for agencies in addressing the necessary safeguards and countermeasures required for their information systems.”42 Adjustments to the baseline set of controls will be allowed but any differences must be clearly stated in the system’s security plan. “Upon completion of the security control process (which is part of the Continuous Monitoring phase of the C&A) the agreed upon set of controls, taken together, should satisfy the specified security requirements and adequately protect the confidentiality, integrity, and availability of the system and its
© SANS Institute 2004, Author retains full rights.
NIST SP 800-37, pg. 37
Security Controls – http://csrc.nist.gov/sec-cert/ca-controls.html