The National Institute of Standards and Technology has released draft guidance for federal agencies, contractors and the intelligence community to evaluate the privacy and security controls used on federal information systems and information technology networks.
NIST said Friday that the “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” document (SP 800-53A) and the supplementary catalog of controls (SP 800-53) are available for public comment through Sept. 26.
“We have made some significant changes to our security control assessment guidelines to support continuous monitoring and ongoing authorization,” said Ron Ross, a NIST fellow and Joint Task Force project leader.
Ross said the updates are intended to support testing, root-cause failure analysis and related initiatives across agencies.
The latest version of the guide was released to align with the fourth SP 800-53 revision issued in April 2013 and includes new procedures for assessment of security controls and an appendix indicating the upcoming procedures to assess privacy controls.
Other updates focus on tailoring the scope, effort level and frequency of assessment, and on additional naming conventions for procedures and tools that industry could automate, NIST said.