Question

Refer to NIST Special Publication 800-53A (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf) to answer the following questions: What are the three assessment methods defined by NIST, and to what types of assessment objects does each apply? In a security assessment scenario of your choosing, select an example of an assessment object and briefly describe how you would conduct the relevant assessment (i.e., what tool/technique you would use).

Explanation / Answer

NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and to help them manage cost-effective programs to protect their information and information systems.

The third version of NIST's Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," incorporates several recommendations from commenters on previously published versions, who asked for a reduction in the number of security controls for low-impact systems, a new set of application-level controls, and greater discretionary power for organizations to downgrade controls. Also included in the final draft is language that allows federal agencies to keep their existing security measures if they can demonstrate that the level of security is equivalent to the standards proposed by NIST. The third version also represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance did not apply to government information systems identified as national security systems. The management, operational, and technical controls in SP 800-53 Revision 3 provide a common information security language for all government information systems. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats and exploits. Significant changes in this revision of the document include:

    A simplified, six-step risk management framework;

    Additional security controls and enhancements for advanced cyber threats;

    Recommendations for prioritizing security controls during implementation or deployment;

    Revised security control structure with a new references section;

    Elimination of security requirements from supplemental guidance sections;

    Guidance on using the risk management framework for legacy information systems and for external information system services providers;

    Updates to security control baselines based on current threat information and cyber attacks;

    Organization-level security controls for managing information security programs;

    Guidance on the management of common controls within organizations; and

    Strategy for harmonizing FISMA security standards and guidelines with the international security standard ISO/IEC 27001.
