NIST SP 800-53 Rev. 4 and FISMA: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53 is the catalogue of security controls developed by the Joint Task Force Transformation Initiative Interagency Working Group to meet the requirements of the Federal Information Security Management Act (FISMA). The working group is an ongoing information security partnership among the U.S. Department of Defense, the Intelligence Community, the Committee on National Security Systems, the Department of Homeland Security and the U.S. federal civil agencies.
Special Publication 800-53 defines the ‘controls’ that underpin security best practice for anyone operating federal information systems (national security systems are covered separately). The accompanying assessment guidance requires periodic testing and evaluation of the security controls that federal agencies put in place.
Naturally there is a strong emphasis on ‘Software, Firmware and Information Integrity’ (control SI-7) and on the Configuration Management family, including ‘Configuration Management Policy and Procedures’ (CM-1) and ‘Baseline Configuration’ (CM-2), as the excerpts below show:
“Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications.
State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications”
“The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system”
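The two excerpts above describe the mechanism rather than show it, so here is an added, stand-alone example (written for this page, not code from NNT or from NIST) of the integrity check SI-7 describes and the baseline CM-2 asks for. It uses SHA-256 rather than a parity or CRC check because only a cryptographic hash resists deliberate tampering, seals the stored baseline with an HMAC so that an attacker who can alter files cannot also quietly alter the baseline, and goes one step beyond the quotes by classifying drift against a list of pre-approved (planned) changes. The directory layout, file contents and HMAC key are constructed for the demonstration and are hypothetical.

```python
"""File-integrity baseline and drift check: an added, stand-alone example
(not NNT or NIST code) of the SI-7 / CM-2 mechanisms quoted above."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Optional


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Cryptographic digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Protect the stored baseline with an HMAC so an attacker who can edit
    files cannot silently edit the baseline to match (key kept off the host)."""
    body = json.dumps(baseline, sort_keys=True)
    return {"baseline": body, "hmac": hmac.new(key, body.encode(), "sha256").hexdigest()}


def verify_seal(sealed: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return the baseline only if its HMAC checks out (constant-time compare)."""
    expected = hmac.new(key, sealed["baseline"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline rejected: HMAC mismatch (tampered or wrong key)")
    return json.loads(sealed["baseline"])


def compare(baseline: Dict[str, str], current: Dict[str, str],
            approved: Optional[Dict[str, Optional[str]]] = None) -> Dict[str, list]:
    """Classify drift. `approved` maps path -> expected new digest (None for an
    approved deletion); every other difference is unauthorized change to alert on."""
    approved = approved or {}
    report = {"added": [], "removed": [], "modified": [], "approved": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if path in approved and approved[path] == new:
            report["approved"].append(path)
        elif old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        else:
            report["modified"].append(path)
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario in a temp dir: one planned change plus three unplanned ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"sshd-v1")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("welcome\n")
        key = b"hypothetical-key-held-by-the-monitoring-server"  # assumption
        sealed = seal_baseline(build_baseline(root), key)

        # Planned change: sshd upgraded, its new digest registered in advance.
        (root / "bin" / "sshd").write_bytes(b"sshd-v2")
        approved = {"bin/sshd": hashlib.sha256(b"sshd-v2").hexdigest()}
        # Unplanned drift: weakened config, dropped binary, deleted file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF-constructed-sample")
        (root / "etc" / "motd").unlink()

        return compare(verify_seal(sealed, key), build_baseline(root), approved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints a report in which only `bin/sshd` lands under `approved`; the weakened `etc/sshd_config`, the new `bin/nc` and the missing `etc/motd` are flagged as unauthorized drift. In a real deployment the baseline and the HMAC key would be held on the monitoring server rather than on the monitored host, and the check would run continuously or on a schedule rather than once.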
Revision 4, published in April 2013, was updated to reflect new and evolving risk-management considerations for federal information systems and organizations, with greater emphasis on:
- Insider threats;
- Software application and web application security;
- Social networking, mobile devices, and cloud computing;
- Cross-domain solutions;
- Advanced persistent threats;
- Supply chain security;
- Industrial/process control systems.
Read more in the official NIST publication http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NNT Change Tracker uses a continuous monitoring approach to provide real-time integrity verification, with audit-trail evidence and alerts aligned to the SP 800-53 controls. Configuration Management Policy and Procedure controls are supported by Change Tracker Compliance Reports and the Planned Change operation, which ensure that only approved changes are made and that any configuration drift is highlighted, with details of who made the change and remediation instructions provided as standard.
Register for a free trial and automate your systems now.