(ISC)2 Blog

On February 5, 2009, NIST released a major revision to NIST SP 800-53.  This is the third revision of the original document widely known among the federal government as the abbreviated 800-53, includes significant changes to the various control baselines ("Low", "Moderate", and "High") used as a basis for assessing the effectiveness of the security of federal information systems.  The changes also reflect adding additional controls that have not been assigned to a control baseline, but may be assigned in the final release or added in future updates:

• AC-21 (User-Based Collaboration and Information Sharing)
• CM-9 (Configuration Management Plan)
• SC-25 (Thin Nodes)
• SC-26 (Honeypots)
• SC-27 (Operating System-Independent Applications)
• SC-29 (Hoterogeneity)
• SC-30 (Abstraction Techniques)
• SC-31 (Covert Channel Analysis)

In the summary of changes in the draft of NIST SP 800-53 Rev. 3, NIST noted changes, however some significant significant changes that are important to highlight, include:

• Consolidation of the steps in the Risk Management Framework (RMF) from 8 to 6 based on changes in NIST SP 800-37 Rev. 1 (Draft) and the new NIST SP 800-39 (Second Public Draft)
• Many of the security controls were rescoped to either consolidate related controls, or expanded to require additional security requirements (specifically “Moderate” and “High” control baselines
• A new section was added that focused on Information Security Programs (PM Controls), requiring System Security Plans (SSPs) for Security Programs and also tied in organizational Common Controls
• Mapping of NIST SP 800-53 Security Controls to the ISO/IEC 270001, (Information technology-Security techniques-Information security management system-Requirements)