
The National Institute of Standards and Technology (NIST) issues major revision of core computer security guide: SP 800-53

The National Institute of Standards and Technology (NIST) has published the fourth revision of the government's foundational computer security guide, Security and Privacy Controls for Federal Information Systems and Organizations. Better known to the federal computer security and contractor community as "SP (Special Publication) 800-53," this fourth revision is the most comprehensive update to the security controls catalog since the document's inception in 2005.

Photo caption: SP 800-53 Rev. 4 identification and authentication controls are met when employees use their government-issued personal identity verification (PIV) cards to log on to their computers. Credit: Kelly Talbott, NIST

As part of the ongoing cyber security partnership among the United States Department of Defense, the intelligence community, and the federal civil agencies, NIST launched its biennial update to Special Publication 800-53 with an initial public draft released on February 28, 2012. The 2011-12 initiative included an update of the current security controls, control enhancements and supplemental guidance, together with an update of the tailoring and supplementation guidance that form key elements of the control selection process. Key focus areas include, but are not limited to:

  • Insider threats
  • Software application security (including web applications)
  • Social networking, mobile devices and cloud computing
  • Cross-domain solutions
  • Advanced persistent threats
  • Supply chain security
  • Industrial/process control systems
  • Privacy

Many readers may be asking what SP (Special Publication) 800-53 actually is. It catalogs the security controls for all U.S. federal information systems other than those related to national security. It is published and revised by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. NIST develops, reviews and issues standards, guidelines and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and in running cost-effective programs to protect information and information systems.

"This update was motivated by the evolving threats we all face," explained Project Leader and NIST Fellow Ron Ross. "These include the increasing sophistication of cyber-attacks and the fact that we are being challenged more frequently and more persistently."

State-of-the-practice security controls and control enhancements have been integrated into the new revision to address the evolving technology and threat space. Examples include, but are not limited to, mobile and cloud computing, insider threats, application security, supply chain risks, advanced persistent threats, and the trustworthiness, assurance and resilience of information systems. The revision also adds eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

SP 800-53, Revision 4 also takes a more holistic approach to information security and risk management. The publication calls for maintaining "cyber security hygiene"—the routine best practices that help reduce information security risks—but also appeals for hardening those systems by applying state-of-the-practice architecture and engineering principles to minimize the impacts of cyber-attacks and other threats.

"The 'Build It Right' strategy, coupled with security controls for continuous monitoring, provides organizations with near real-time information that leaders can use to make ongoing risk-based decisions to protect their critical missions and business functions," said Ross.

To provide organizations with greater flexibility and agility in building information security programs, the baseline set of security controls can be tailored for specific needs according to the organization's missions, environments of operation, and technologies used. Specific lists of controls and implementation guidance, or overlays, focus on a variety of missions, including space operations, military tactical operations and health care applications. Overlays also support specific technologies such as cloud computing and mobile devices.

"This specialization approach to security control selection is important as the number of threat-driven controls and control enhancements increases and organizations develop specific risk management strategies," Ross said.

The new revision of SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, was developed by NIST, the Department of Defense, the Intelligence Community and the Committee on National Security Systems as part of the Joint Task Force, which was formed in 2009. It can be obtained below via download; be prepared for a long read, as it runs to more than 400 pages.
