Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

TR2: Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Revision 4

Thursday, 6 December 2012
10:30 - 12:00


An overview of the most significant changes included in Revision 4 including:

  • New security controls and control enhancements;

  • Clarification of security control requirements and specification language;

  • New tailoring guidance including the introduction of overlays;

  • Additional supplemental guidance for security controls and enhancements;

  • New privacy controls and implementation guidance;

  • Updated security control baselines;

  • New summary tables for security controls to facilitate ease-of-use; and

  • Revised trustworthiness requirements and designated assurance controls.

Many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT). In most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as “cloud” or “mobile computing” controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches. The breadth and depth of the security and privacy controls in the control catalog must be sufficiently robust to protect the wide range of information and information systems supporting the critical missions and business functions of the federal government. As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs, depends first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, cyber security programs—capable of addressing the most sophisticated of threats on the horizon.

Dr. Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). Dr. Ross currently leads the Federal Information Security Management Act (FISMA) Implementation Project for NIST, which includes the development of key security standards and guidelines for the federal government, contractors supporting the federal government, and the critical information infrastructure. Dr. Ross is also the principal architect of the Risk Management Framework (RMF) that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross is a graduate of the United States Military Academy at West Point and the Program Management School at the Defense Systems Management College. He holds both Masters and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School.


Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC