On February 5, 2009, NIST released a draft of a major revision to NIST SP 800-53. This third revision of the document, widely known across the federal government simply as "800-53", includes significant changes to the control baselines ("Low", "Moderate", and "High") that serve as the basis for assessing the security of federal information systems. The draft also adds controls that have not yet been assigned to any control baseline but may be assigned in the final release or added in future updates:
- AC-21 (User-Based Collaboration and Information Sharing)
- CM-9 (Configuration Management Plan)
- SC-25 (Thin Nodes)
- SC-26 (Honeypots)
- SC-27 (Operating System-Independent Applications)
- SC-29 (Heterogeneity)
- SC-30 (Abstraction Techniques)
- SC-31 (Covert Channel Analysis)
NIST's summary of changes for the draft of NIST SP 800-53 Rev. 3 lists many edits; the most significant changes worth highlighting include:
- Consolidation of the steps in the Risk Management Framework (RMF) from 8 to 6 based on changes in NIST SP 800-37 Rev. 1 (Draft) and the new NIST SP 800-39 (Second Public Draft)
- Many of the security controls were rescoped, either to consolidate related controls or to expand them with additional security requirements (specifically in the "Moderate" and "High" control baselines)
- A new section was added that focused on Information Security Programs (PM Controls), requiring System Security Plans (SSPs) for Security Programs and also tied in organizational Common Controls
- Mapping of NIST SP 800-53 security controls to ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements)