information.”43 The initial public draft of NIST SP 800-53 is scheduled for release in September 2003.
NIST Special Publication 800-53A:
Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems
NIST SP 800-53A has not yet been released for public review. The NIST C&A website44 states that this guide will “establish a set of techniques and procedures to verify the effectiveness of security controls listed in NIST SP 800-53.” The techniques anticipated for the verification process include:45
“Interviewing agency personnel associated with the security aspects of the system;
Reviewing and examining security-related policies, procedures, and documentation;
Observing security-related activities and operations;
Analyzing, testing, and evaluating the security relevant and security critical aspects of system hardware, software, firmware, and operations; and
Conducting demonstrations and exercises.”46
Much of what comes out of NIST SP 800-53A is likely to be fairly standard practice already for monitoring the effectiveness of security controls at government agencies and private companies. However, these techniques and procedures will help verify that all groups following the guidelines are validating their systems against the same, or at least very similar, criteria, making the C&A process more “consistent, comparable and repeatable.”47
Lessons Learned and Contractor Responsibilities
More often than not, federal contracts have been written with security and information-sharing requirements spelled out: it is clear who owns which pieces of information and what must be delivered to the government. However, given privacy and proprietary-information laws, it is not as clear-cut as a contractor simply handing its security documentation over to an agency. Security plans, business continuity plans, disaster recovery plans, risk assessments, and similar documents all contain highly sensitive information that should be accessible to only a few individuals within a private company, let alone handed over to an agency for evaluation and review. Add to this that many agencies use multiple contractors to handle their IT work. For example, an agency could have one contractor responsible for development and management of a software project, such as a website, but have a different
© SANS Institute 2004, Author retains full rights.
43 Security Controls – http://csrc.nist.gov/sec-cert/ca-controls.html
44 Verification Techniques and Procedures – http://csrc.nist.gov/sec-cert/ca-verification.html
45 Ibid.
46 Ibid.
47 Ibid.
As part of the Information Security Reading Room