DigiPro Digital Productions

Information Assurance

Lots of things we'd like to say about IT security architecture belong here. Maybe someday we'll take the time. For now, it's....

Control Implementation

Frankly, security controls are just one small piece of a complete IT security architecture. With that said, we spend a lot of time flipping back and forth through NIST's SP800-53rev2, Appendix F controls catalog, and Appendix G's crosswalks to OMB, FIPS and NIST Special Publications. To help speed up some policy tasks, we've built an on-line form of Appendix F and Appendix G: the SP800-53rev2 Desktop Reference. We hope you find it useful. While we've chosen to web-ify just Appendix F & G, the rest of SP800-53rev1 is actually far more significant to the understanding of the proper context and implementation of controls.

SP800-53rev2 has been published. (SP800-53rev3 is in draft somewhere, too.) Here are "redlined" comparisons of:
* SP800-53rev1 to SP800-53(org)
* SP800-53rev2 to SP800-53rev1

With respect to the control catalog, SP800-53rev1 is chock full of substantial adjustments to existing controls, splits at least one into two, and adds several new ones. SP800-53rev2, however, has only two additional edits:
* CP-04, "Contingency Plan Testing and Exercises;" base control has been added to the default Low baseline.
* PL-04, "Rules of Behavior;" a comma has been added to fix a grammatical error.
Beyond these, SP800-53rev2 introduces "Industrial Control System" controls. Industrial Control Systems are used in the operation of power plants, dams, bridges, factories, etc., and have additional security concerns. If you're not involved in securing such systems, SP800-53rev2 provides the same controls and recommended baseline selections as SP800-53rev1.

If you're focused on assessment of controls as opposed to implementation, look to the assessment complement to SP800-53rev[1,2], SP800-53a, instead. Even better, use the SP800-53a, Appendix J Assessment Cases to help plan, execute, and document your control evaluations.



 
Page URI:   http://ia.digipro.com/
Last Changed:   12:59 Saturday, June 21st, 2008

Copyright, "DigiPro Digital Productions, 1993-2008"
DigiPro is a federally registered trademark of DigiPro Digital Productions