News and Views

Federal Information Systems Security Educators' Association


Issue One of FISSEA Year 2005-2006
April-May 2005




From the Chair

Hello FISSEA,

I am beginning to write this while my car is having its brakes checked.
Vehicle servicing and maintenance are important to keep it in good condition. For FISSEA, service occurs constantly during Exec Board meetings, our annual Conference, the quarterly newsletters, list serve, and web page.

A lot of things have happened since my last column. We held a very successful conference at a brand new grand location. We elected our new Executive Board. Our newsletter editor has changed. Oh, and I now have new brake pads!

Hydraulic fluid is what keeps the brakes at the correct operating pressure and functioning well. Keeping FISSEA running flawlessly are our NIST liaisons, Peggy Himes and Mark Wilson. These often unseen supporters are truly the backbone of our organization. And, lest we forget, Patrick O'Reilly keeps our website up and running, and Patrice Boulanger and her organization help our conferences to run smoothly.

Car brakes have many parts: pads, calipers, rotors, and an assortment of connection and control devices, all designed to keep passengers safe. Our Exec Board is also made up of various pieces which work well together to keep our 18-year-old vehicle (known as FISSEA) moving safely forward down the correct path.

Pads wear out over time and need to be replaced. Our new FISSEA-brand pads include: K Rudolph, Susan Hansche, and Jim Litchko.

My calipers just needed to be cleaned and serviced. This is like Barbara Cuffie, who returns as a full term Exec Board member after her year as ex-officio. We are also fortunate to not only bring her back on the Board but also to have her impressive abilities in our Assistant Chair position.

One of my rotors did not need replacing, like our Board members in the second year of their two-year terms. Their experience and the organizational history they carry are essential to the continuation of our association. Mary Ann Strawn, Curt Carver, Gretchen Morris, Will Suchan, Tom Foss, and Jeff Seeman are FISSEA OE (original equipment).

Another rotor was a little warped, sort of like myself - being reelected both to the Board as well as its Chair.

I always appreciate critiques on my writing and this time one came before publishing. Mark "Bubba" Wilson commented that he "like(d) the maintenance analogy (but) You could take it further with some mention of needing a clean windshield to see where you are going, and working mirrors to see where you have been (as well as) what might be coming up on you." Thanks, Mark, you can be on my column's Pit Crew any day. Out our rear view mirror are the faces of Marvella Towns, Lewis Baskerville, and Tanetta Isler, who are waving farewell as we step on the gas. But, remember, things in the mirror "are closer than they appear" - we hope that their support will not flag, as it was truly appreciated. The major near-term items viewed through FISSEA's windshield are our Strategic Plan and some new and varied free workshops.

Driving away from the service bay, it is getting difficult to type... not! But I have now met Mike the Mechanic as well as held the first new Exec Board's meeting and as FISSEA passengers I suggest you fasten your seat belts because we're in for a wild ride! Oh, give me a brake... I mean break!
Louis
 
Louis Numkin, CISM
Internal Revenue Service



NIST Special Publication 800-53

Submitted by Amy Korman, CISSP, ISSMP/AP, CPA
PEC Solutions, Inc.

Introduction
The following article provides key information regarding NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. The information herein stems from the document itself, as well as from a conversation with NIST authorities. The purpose of this article is to provide an overview of the new publication, discuss how it will affect Information Assurance professionals, explain the major differences between the new SP 800-53 and older, more familiar documents, and provide information on the timeframe and usage of documents going forward.

NIST SP 800-53: What Is It?
SP 800-53 (February 2005) is NIST's latest document that is to be "the primary source of recommended security controls for federal information systems, replacing the security control [framework] described in NIST Special Publications 800-18 (Guide for Developing Security Plans for Information Technology Systems) and 800-26 (Security Self-Assessment Guide for Information Technology Systems). Future versions of SP 800-18 will eliminate the listing of security controls and [will instruct readers to use the controls listed in] SP 800-53."

Timeframe
The recommended baseline security controls contained in SP 800-53 will form the basis for those controls that will become mandatory in December 2005 when SP 800-53 becomes Federal Information Processing Standard (FIPS) 200, Minimum Security Controls for Federal Information Systems. While SP 800-53 is a guideline, FIPS 200 will be mandatory for all systems at civilian federal agencies (as required by FISMA), excluding those designated for national security.

The FISMA Implementation Project web site at http://csrc.nist.gov/sec-cert has the latest information on FIPS 200. Currently, the schedule has been revised to include issuing the first public drafts of the SP 800-53A and FIPS 200 documents in June and April 2005, respectively.

What Will Change?
Per discussion with NIST authorities, they are currently in the planning stages of the rewrite of SP 800-26, as its self-assessment questionnaire will be updated to align with SP 800-53. The first several sections of the SP 800-26 document will remain the same; however, information about FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems), compensating controls, common controls, SP 800-53 and SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems) will be added. The SP 800-26 questionnaire will be used solely as a reporting format in the future. The questionnaire will have the seventeen families that are in SP 800-53, with each control title and number listed. The control and the enhancements will not be repeated in SP 800-26; rather, the document will direct the reader to SP 800-53A. SP 800-53A will contain the control along with enhancements and the assessment criteria that should be accomplished prior to annotating in SP 800-26 the level that the control has reached. "SP 800-53A provides guidance on assessment methods and procedures for security controls defined in this publication. SP 800-53A can also be used to conduct self-assessments of information systems."

Difference in Old and New Documents
SP 800-53 continues the framework of the SP 800-26 document in that there are seventeen topical control areas divided into Management, Operational, and Technical controls. In the new SP 800-53 document, there are still seventeen control areas; however, they are now referred to in the context of classes and families. Classes represent the type of control, such as Management, Operational, or Technical; family refers to the control area, such as Awareness and Training or Incident Response. Appendix D in SP 800-53 provides a summary of minimum security controls to be implemented based upon whether a system is categorized as low, moderate, or high-impact.

The seventeen families in the SP 800-53 document are not a direct one-to-one mapping of the seventeen control areas and objectives of the SP 800-26 document. Some control areas are easily mapped on the surface, such as Personnel Security, which goes by the same name in both publications. However, some control areas from SP 800-26 do not appear at all in SP 800-53, and SP 800-53 has some new control objectives (families) that were not referenced in SP 800-26. Some of the new families, such as System and Information Integrity (SP 800-53), are easy to map back to SP 800-26 (Data Integrity); this is just a matter of semantics. The crux of the change is that the original control objectives from SP 800-26 are scattered amongst multiple families in SP 800-53, and one control objective may now be mapped to multiple control objectives.

How will this affect you?
Conducting a review based on the new SP 800-53 document will require an exercise in reformatting any existing review templates. Many of the same questions previously asked in the SP 800-26 questionnaire will still apply; however, from a documentation perspective they are no longer within the same category as in the SP 800-26 Questionnaire. For example, Personnel Security questions (controls) that were previously located in Category 6 of SP 800-26 are now located throughout several sections of SP 800-53, such as Access Control and Configuration Management, as well as the Personnel Security category. This will require new documentation to be created in order to effectively conduct the current year review. In addition, this will require additional thought and mapping when attempting to track weaknesses noted in the prior year POAM, as an agency can no longer say that a question from a particular SP 800-26 category, such as Contingency Planning, was deficient and easily map it to a control objective in SP 800-53 to track the progress. The particular weakness could likely be found in Contingency Planning (which kept its name), or it could actually be found within Maintenance or System and Communications Protection.

A more detailed review of SP 800-53's Appendix G reveals a mapping of the SP 800-53 families to the SP 800-26 control objectives. This nicely shows the mapping between the new organization of controls and the old, well-known controls and their layout. Appendix G shows, for example, that the new family, Audit and Accountability, maps to two of the SP 800-26 categories: Audit Trails and Logical Access Controls. It does not easily show that questions (controls) from section 17, Audit Trails, of SP 800-26 are now contained within the SP 800-53 Maintenance family, as well as within the Access Control and Audit & Accountability families. A reverse mapping to better explain this area is currently being worked on.

Training
It is imperative that awareness training be provided to those groups who were involved in utilizing SP 800-26 in the past, as the new layout of controls is vastly different. Now that SP 800-53 will be mandatory as FIPS 200 (SP 800-26 was only a suggested guideline), it is important that the controls and the format are understood. Users must be educated as to the new schema of classes and families and how they relate to the SP 800-26 document. Finally, users must be educated as to how to determine the minimum controls for their particular system.

(The author, Amy Korman, CISSP, ISSMP/AP, CPA may be contacted at amy.korman@pec.com)



The Beginnings of FISSEA and Then Some

Submitted by Peggy Himes, NIST

(The "History of FISSEA" was first printed in the January 1999 newsletter. Since some newer members may not be aware of FISSEA's beginnings, the earlier article is repeated below.)

"The Federal Information Systems Security Educators' Association (FISSEA) is a volunteer organization for federal information systems security professionals, contractors of federal agencies and faculty members of accredited educational institutions. The concept of such an organization originated in 1984 at a meeting held in the Fort Meade Officers' Club. Over the years interest in computer security awareness, training, and education grew.

In 1989, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) Subcommittee on Automated Information Systems Security (SAISS) approved the charter for the "EDUCATORS." NSA's Larry Martin, Harold Segal, and Horace Peele were founding members of the working group. Later, when the group formalized in direct support of the Education, Training and Awareness Working Group of AIS, the Educator's Subgroup became known as the National Computer Security Educators (NCSE). During this time, the organization was under the sponsorship of the National Security Agency.

The enactment of P.L. 100-235 (the Computer Security Act of 1987) was a motivating factor for moving the sponsorship of FISSEA from NSA to NIST as classified and unclassified information was divided between the two agencies. In 1991, the name, National Computer Security Educators (NCSE), was changed to the Federal Information Systems Security Educators' Association (FISSEA). Emphasis was placed on the federal community, but membership and interests also included academic institutions and others interested in computer security education.

To name names, early Executive Board members from 1991-1993 included Jon Arneson, Joan Capel-Pohly, Patricia Ciuffreda, James Colburn, Richard Costello, Barbara Cuffie, Dorothea de Zafra, Joseph Easley, Kathie Everhart, Duane Fagg, Janet Jelen, Delmar Kerr, Charles Kellerman, Ray Letter, Geoffrey Lewis, Vic Maconachy, Victor Marshall, Harold McConnell, Dennis Poindexter, Roger Quane, Gary Smith, Lauresa Stillwell, and Althea Whieldon.

The first NCSE seminar was held in 1989 with the theme Trainer's response to the training requirements of the Computer Security Act of 1987. The NCSE seminars have evolved into an annual FISSEA conference. A complete listing of past conference themes can be found on the FISSEA website.

At the conference each year, an award is presented to a candidate selected as Educator of the Year, honoring distinguished accomplishments in information systems security training programs. The first award, given in 1991, was presented to Gary W. Smith. Other recipients include: Vic Maconachy (1992), Corey Schou (1993), Lt. Col. E. C. Chambers (1994), Gale Warshawsky (1995), and Joan Pohly (1996). The 1997 Educator of the Year was awarded to a group of individuals: Dorothea de Zafra, John Ippolito, Sadie Pitcher, and John Tressler. The 1998 EOY Award will be presented at the March conference. The FISSEA website has information on nominating a candidate for the Educator of the Year award. The deadline for submission is mid-February and the award is given at the annual conference held in March.

Today, FISSEA is growing and thriving. Its program of work remains focused on computer security education, a more vitally important agenda now than in 1984 when FISSEA was conceived. FISSEA's 290 members are encouraged to serve on task groups, to contribute to the newsletter, to network with other members and to foster the goals of FISSEA in their own organizations. Then, we will have more good news to write in the next chapter of FISSEA's history."

Next Chapter:

To bring this article up-to-date since it was originally written in 1999… FISSEA continues to hold annual conferences, now offers free workshops, encourages people to submit articles for the newsletter, and maintains a website and a list serve for members to communicate with each other. In 1999, there were 290 members. Today, there are 1,140. However, the list serve has fewer than half the members in it; if you would like your email address included, please send an email to fisseamembership@nist.gov. You can view complete guidance on the website under On-Line Email List Rules and Guidance.

The Educator of the Year award was presented to Louis Numkin (1998), Dr. Roger Quane (1999), George Bieber (2000), LTC Daniel Ragsdale (2001), Patricia Black (2002), and Jeff Recor (2003). Most recently, congratulations go to Dr. Gail-Joon Ahn, University of North Carolina, who was presented with the 2004 Educator of the Year Award at this year's conference.

In the last two years, a contest has been held for the best Website, Trinket, and Poster. Marvella Towns coordinated this popular contest and announced the winners at the annual conference. The winning entries are shown on the website. In 2004, Diane Coleman, IRS, won the trinket portion; Melissa Guenther, University of Arizona, won for the poster; and Capt. Cheryl Seaman, HHS, won the website portion.

The 2005 FISSEA Poster, Trinket, and Website Contest winning entries were presented to:
        Poster - Vicky Hansen, A.G. Edwards & Sons
        Trinket - K Rudolph, Native Intelligence Inc.
        Website - Crystal Lowe, Internal Revenue Service

FISSEA conferences are relatively small in attendance but the networking opportunities are giant-sized. The computer security professional can discover new ways to improve their security program as the program focuses on awareness, training, and education. For the past few years, LTC Curt Carver and LTC Will Suchan have done an awesome job on the program and have agreed to do it again for 2006. Please check the website for an announcement on next year's date and the Call for Presentations.

The newsletter will have new editors for future issues. Volunteers were asked to take over this role at the March conference and Nanette Poulios, Walsh College; Shon Harris, Logical Security, and Diane Maier, RS Information Systems came forward. Please continue to submit articles to either peggy.himes@nist.gov or louis.numkin@irs.gov until further instructions are given.

You are encouraged to bookmark the FISSEA website, http://csrc.nist.gov/fissea and check it often. The website and list serve will be used to announce future workshops. You may find the summaries from past workshops presented by Susan Hansche and Mark Wilson helpful.

Individuals who have contributed greatly to FISSEA's evolution are Phil Sibert (retired from DOE), Barbara Cuffie (retired from SSA), Louis Numkin (now with IRS), and Mark Wilson (NIST). FISSEA continues to be a great networking opportunity for members and continues its purpose of assisting federal agencies in meeting their computer security training responsibilities.


FISSEA Executive Board:

FISSEA Executive Board 2005-2006

Louis Numkin, CISM, Board Chair**
louis.numkin@irs.gov
LTC Curt Carver, Jr., Conference Director**
curtis.carver@usma.edu
Barbara Cuffie, CISSP, Assistant Chair**
Thomas Foss*
tomfoss@usa.net
Susan Hansche, CISSP-ISSEP**
hansche@pec.com
James Litchko**
jim@litchko.com
Gretchen Ann Morris, CISSP*
gretchen.a.morris@grc.nasa.gov
K Rudolph, CISSP**
kaie@nativeintelligence.com
Jeffrey Seeman*
jaseema@nsa.gov
Mary Ann Strawn, Publicity*
mast@loc.gov
LTC Will Suchan, CISSP, Conference Director*
will.suchan@us.army.mil
______________________________________
NIST Contacts (Not Elected):
Mark Wilson, CISSP, NIST Liaison
mark.wilson@nist.gov
Peggy Himes, Executive Assistant to Bd
peggy.himes@nist.gov
Patrick O'Reilly, Website
patrick.oreilly@nist.gov

* Term ends March 2006
** Term ends March 2007


TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to peggy.himes@nist.gov and/or louis.numkin@irs.gov.

***************************************************

MAY 17-19, 2005, Risk Assessment and Management for Security Professionals at the University of Maryland University College in College Park, MD. This is the first of a new series of seminars developed and presented in conjunction with the University of Maryland University College (UMUC) by the U.S. Professional Development Institute (USPDI). The seminar is taught by Prof. Randall Nichols, author of Defending Your Digital Assets and Wireless Security. Prof. Nichols has been nominated for the Stanley J. Drazek Teaching Excellence Award.

Content focuses on: identifying and critically assessing issues and concepts related to the protection of information and information systems; using risk management principles to assess threats, vulnerabilities, countermeasures; performing a risk analysis; and creating a management plan for security. The final exercise is completing a theoretical and practical risk assessment and management scenario where students apply what they have learned to dealing with a credible terrorist threat.

For more information, visit www.USPDI.org or call Jeff Erlichman at 301-891-1880. To register call 1-866-99USPDI (1-866-988-7734).

***************************************************

MAY 17-19, 2005, AFCEA TechNet International 2005, New DC Convention Center - 801 Mount Vernon Place, NW Washington, DC 20001, Phone: 800.368.9000, Web Site for info: http://www.technet2005.org/
Plenary Session with Rudy Giuliani, former Mayor of New York City, Wednesday, 18MAY2005 from 9 to 10am, and a "Tribute to Government Gala" from 5 to 8pm on Tuesday, 17MAY2005, which is FREE to all registered attendees and exhibitors and includes a Buffet Dinner on the Exhibit Floor and boot-stomping concert with The Charlie Daniels Band! YeeHaw

***************************************************

MAY 25-26, 2005, Government IT Security Summit presented by The Performance Institute at the Performance Institute Conference Center in Arlington, VA. Featuring comprehensive coverage of the latest IT security mandates. Acquire new methodologies to raise your FISMA score. Implement a verifiable, streamlined, and cost-efficient C&A process. Evaluate, navigate, and mitigate security risk. Integrate IT security with budget justifications to secure IT funding. Align IT security to the Federal enterprise architecture to achieve mission goals. Acquire the latest updates on NIST and DITSCAP requirements. Register by calling 703-894-0481 or visit http://www.performanceweb.org/itsecurity for complete details. A 50% discount pass for use by FISSEA members has been authorized if you email Louis Numkin at louis.numkin@irs.gov.

***************************************************

JUNE 1-2, 2005, Computer Security Institute (CSI) course. John O'Leary is presenting a "How to Create and Sustain a Quality Security Awareness Program" session in Montreal, Canada. The website, which also includes links to other courses, their FBI study, and their 2005 Training Catalog, is at: http://www.gocsi.com/training/erc/hcsqsap.jhtml
Also, CSI has put out a Call for Papers to be presented at the CSI 32nd Annual Conference in Washington, DC, on 14-18NOV2005. Info on this is available at: http://www.cmpevents.com/CSI32/a.asp?option=N&V=1

***************************************************

JUNE 7-8, 2005 MISTI Forum. One of local interest is "The Forum on Information Security in Government" on 7-8JUN2005, in Washington, DC. Their general info web site is http://www.misti.com/

***************************************************

JUNE 22-23, 2005, 5th Annual Kansas City Security Symposium. The Kansas City Security Coalition (KCSC), founded in 2000, is an organization run by and for Federal security professionals. KCSC brings together Federal government organizations for the purpose of elevating the general knowledge of the security community on systems security, fraud detection, physical security, and to promote security awareness in member organizations. The 5th Annual Security Symposium will be held at the Hartman Conference Center at Hilton Garden Inn, Independence, MO. Website: http://kcfeb.gsa.gov/kcsc/ For further information, contact Dorothy Reed, Center for Security and Integrity, (816) 936-5559.

***************************************************

JULY 27-28, 2005, Black Hat Briefings USA 2005 at Las Vegas, Caesars Palace. Visit www.blackhat.com for track descriptions, training schedule and complete details. "The Black Hat Briefings was created to fill the need for computer security professionals to better understand the security risks to information infrastructures and computer systems. Black Hat accomplishes this by assembling a group of vendor-neutral security professionals and having them speak candidly about the problems businesses face and the solutions to those problems. No gimmicks- just straight talk by people who make it their business to know the information security space." If you are interested in registering 6 or more persons, please contact ping at blackhat.com. Early Bird Registration rates will close May 15, 2005. Regular Registration rates will close July 1, 2005. Late Registration rates will close July 22, 2005. Onsite Registration rates will apply July 23-28, 2005.

***************************************************

November 30 - Computer Security Day. Readers can get a free poster by writing to ACSD; PO Box 39110; Wash, DC 20016. Website is http://www.geocities.com/a4csd

***************************************************

DECEMBER 5-9, 2005, Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, http://www.acsac.org. There are now four weeks left to submit papers in the technical track to ACSAC 2005. Please note the dates below and submit your papers!

Important dates:
        May 29, 2005 - Technical program: paper submission deadline
        August 14, 2005 - Paper acceptance decisions communicated to authors
Online paper submission system: http://www.acsac.org/openconf
Call for papers and detailed submission instructions: http://www.acsac.org/cfp and http://www.acsac.org/2005/ACSAC_CFP.pdf

We look forward to receiving your submissions! Christoph Schuba, Pierangela Samarati, Charlie Payne, 2005 ACSAC program chairs, program_chair@acsac.org. ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

***************************************************

FISSEA member William Uttenweiler passed along this offer: The California Central Coast security groups have released another dozen new free downloadable security awareness/motivation posters as of May 1, 2005. This brings the total to 149 different designs! Point your browser to http://members.impulse.net/~sate/posters.html. You are welcome to download the posters and use them in your security awareness/motivation program. However, you may NOT modify them without permission.

***************************************************


Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: May 4, 2005.