Security Controls for Federal Information Systems (NIST Special Publication 800-53)
Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems (NIST Special Publication 800-53A)
Guide for Mapping Types of Information and Information Systems to Security Objectives and Risk Levels (NIST Special Publication 800-60)
These papers are considered to be in draft form until all have been thoroughly reviewed, approved, and released to the public. Currently only FIPS 199: Standards for Security Categorization of Federal Information and Information Systems and NIST 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems have been released. Once completed, these five documents are “intended to provide a structured, yet flexible framework for identifying, employing, and evaluating the security controls in federal information systems”28 and will provide the framework for complying with FISMA.
Federal Information Processing Standards Publication (FIPS PUB) 199:
Standards for Security Categorization of Federal Information and Information Systems
FIPS PUB 199 was released in draft form in May 2003. It seeks to create security categorization standards to “provide a common framework and understanding.”29 There are three potential levels of risk (low, medium, and high) associated with each security objective (confidentiality, integrity, and availability).30 Using the table31 and descriptions provided in the guide, agencies can categorize their level of risk for enclosure in the System Information section of their security plan.
NIST SP 800-37:
Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP 800-3732 was initially released in draft form in October 2002 and a second draft was released in June 2003.33 The initial draft identified two phases:
28 NIST SP 800-37 – 2nd Public Draft, pg. iv.
29 FIPS PUB 199, pg. 2.
30 FIPS PUB 199, pg. 5.
31 FIPS PUB 199, pg. 7.
32 NIST SP 800-37 - http://csrc.nist.gov/sec-cert/ca-process.html
33 Publications Development Schedule - http://www.csrc.nist.gov/sec-cert/ca-schedule.html
© SANS Institute 2004, As part of the Information Security Reading Room. Author retains full rights.