NIST Special Publication 800-53 Revision 4 report

Why it matters

NIST develops and issues standards, guidelines and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA), including minimum requirements, for providing adequate information security for all agency operations and assets but such standards and guidelines shall not apply to national security systems. Federal Information Processing Standards (FIPS) are developed by NIST in accordance with FISMA. Since FISMA requires that federal agencies comply with these standards, they must do so. Guidance documents and recommendations are issued in the NIST Special Publication (SP) 800 series. Office of Management and Budget (OMB) policies state that for other than national security programs and systems, agencies must follow NIST guidance.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory, non-waiverable standard developed in response to FISMA. To comply with the federal standard, agencies must fist determine the security category of their information system in accordance with the provisions of FIPS 199, standards for security categorization of Federal Information Systems, and then apply the appropriate set of baseline security controls in NIST SP 800-53. The Agency's risk assessment validates the security control set by determining if any additional controls are needed to protect agency operations, agency assets, or individuals. The resulting set of security controls establishes a level of "security due diligence" for federal agencies and their contractors.

Agencies are expected to be in compliance with NIST security standard and guidelines within one year of the publication date unless otherwise directed by OMB or NIST. (The one year compliance date for revisions to NIST SP applies only to new and/or updated material.)