Security Controls

NIST Special Publication 800-53 Revision 1
Recommended Security Controls for Federal Information Systems
The purpose of Special Publication 800-53 is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:
- Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems;
- Providing a recommendation for minimum security controls for information systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems;
- Providing a stable, yet flexible catalog of security controls for information systems to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies; and
- Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness.
The guidelines provided in Special Publication 800-53 are applicable to all federal information systems[1] other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542[2]. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems. This publication is intended to provide guidance to federal agencies implementing FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. In addition to the agencies of the federal government, state, local, and tribal governments and private sector organizations that compose the critical infrastructure of the United States are encouraged to use these guidelines, as appropriate.
The security controls in Special Publication 800-53 have been developed using inputs from a variety of sources including NIST Special Publication 800-26, Department of Defense (DoD) Policy 8500, Director of Central Intelligence Directive (DCID) 6/3, ISO/IEC Standard 17799, General Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM), and Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) Core Security Requirements. The security controls cover the following topic areas:
- Risk Assessment;
- Certification, Accreditation and Security Assessments;
- System Services and Acquisition;
- Security Planning;
- Configuration Management;
- System and Communications Protection;
- Personnel Security;
- Awareness and Training;
- Physical and Environmental Protection;
- Media Protection;
- Contingency Planning;
- Maintenance;
- System and Information Integrity;
- Incident Response;
- Identification and Authentication;
- Access Control; and
- Accountability and Audit.
Footnotes:
1. A federal information system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
2. NIST Special Publication 800-59 provides guidance on identifying an information system as a national security system.