By Kathryn M. Farrish, CISSP of BAI, Inc.
At long last, NIST has finally released a draft copy of the updated version of SP 800-53A, entitled Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This is an important document in the RMF “document library” because it contains the “how to” for assessing compliance with the security controls in SP 800-53.
Several things are significant about this new edition. First of all, it is labeled as Rev4, even though the version it is about to replace is Rev 1. What’s up with that? What happened to Rev 2 and Rev 3? Weird as it appears at first glance, there is actually a valid reason for “jumping” to Rev 4. This new version of SP 800-53A is written to correspond to the current version of SP 800-53, which also happens to be Rev 4! Presumably, subsequent revisions of the two documents will continue to bear identical Rev designations.
A small change on the cover page indicates the document is authored by NIST, along with the Joint Task Force Transformation Initiative (JTFTI). The fact that JTFTI has taken “ownership” of the document indicates it is intended for use across all “sectors” of the federal executive branch, to wit: DoD, federal “civil” departments/agencies, and the intelligence community. This document joins other NIST SP’s such as 800-37, 800-39, and 800-53 in forming a “unified framework for information security.”
Most significantly, the format and nomenclature of the assessment methods them-selves has been altered. Instead of broadly-stated assessment objectives, the new document presents assessment objectives that are broken down into small, granular parts and sub-parts, each of which is uniquely numbered, as in the example below:
Publication of the “final” version of NIST SP 800-53A Rev 4 is expected on or about 1 November 2014.
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.
A ton of other information can be found on the NIST web site.