Information Assurance
Lots of things we'd like to say about IT security architecture belong here. Maybe someday we'll take the time.
For now, it's...
Control Implementation
Frankly, security controls are just one small piece of a complete IT security architecture. With that said, we spend a
lot of time flipping back and forth through NIST's SP800-53rev2, Appendix F (the controls catalog) and Appendix G (the
crosswalks to OMB, FIPS and NIST Special Publications). To help speed up some
policy tasks, we've built an on-line form of Appendix F and Appendix G.
SP800-53rev2 Desktop Reference
We hope you find it useful.
While we've chosen to web-ify just Appendices F and G, the rest of
SP800-53rev1
is actually far more significant to understanding the proper context and implementation of controls.
SP800-53rev2
has been published.
(SP800-53rev3 is in draft somewhere, too.)
Here are "redlined" comparisons of:
SP800-53rev1 to SP800-53(org)
SP800-53rev2 to SP800-53rev1.
With respect to the control catalog,
SP800-53rev1 is chock full of substantial adjustments to existing controls, splits at least one into two, and
adds several new ones.
SP800-53rev2, however, has only two additional edits:
* CP-04, "Contingency Plan Testing and Exercises": the base control has been added to the default Low baseline.
* PL-04, "Rules of Behavior": a comma has been added to fix a grammatical error.
Beyond these, SP800-53rev2 introduces "Industrial Control System" controls. Industrial Control Systems are
used in the operation of power plants, dams, bridges, factories, etc., and have additional security concerns.
If you're not involved in securing such systems, SP800-53rev2 provides the same controls and recommended baseline
selections as SP800-53rev1.
If you're focused on assessment of controls as opposed to implementation, look instead to the assessment
complement to SP800-53rev[1,2],
SP800-53a. Even better, use the
SP800-53a, Appendix J Assessment Cases
to help plan, execute, and document your control evaluations.