Related Links

Related Stories

Top 5 Stories


NIST publishes its new draft Security and Privacy Controls specification

01 March 2012

After a year in the making, NIST has published its initial public draft of SP800-53 revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.

Weighing in at a mere 375 pages, this new Special Publication from the National Institute of Standards and Technology (NIST) is a ‘public draft’ open for comment until 6 April 2012 (comments can be mailed to The final publication is due in July 2012. While it will be mandatory for federal information systems, it will be equally valuable for managers of corporate information systems.

The report states that “many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT).” Its purpose, then, is to bring federal security requirements up-to-date with current perceptions of the threat arena.

It will not, however, be much help to people wishing to study security in a particular subject area – advanced persistent threat (APT), for example. “Rather,” says the report, “the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches.” This is how security works in real life. Security cannot separate out a specific threat and treat it in isolation; but it does need to be covered within the overall security strategy.

The one exception is ‘privacy’, which is covered in depth and in particular within Appendix J. While “protecting the privacy of PII collected, used, maintained, shared, and disposed of by programs and information systems, is a fundamental responsibility of federal organizations,” it is nevertheless more than just security “and includes, for example, the principles of transparency, notice, and choice.”

The purpose of SP800-53 revision 4 is to provide the framework for information systems able to counter both current and future threats. It provides, says NIST, “the requisite tools to implement effective, risk- based, cyber security programs – capable of addressing the most sophisticated of threats on the horizon.”

This article is featured in:
Cloud Computing  •  Compliance and Policy  •  Identity and Access Management  •  Internet and Network Security  •  Public Sector  •  Wireless and Mobile Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×