NIST Special Publication 800-53

Citation: NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems (Dec. 2007).

Overview
The security controls defined in NIST Special Publication 800-53 (as amended) and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. An effective information security program should include:
 * Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;
 * Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and address information security throughout the life cycle of each organizational information system.

Cloud computing
While NIST SP 800-53 covers, to some extent, the general security areas important to cloud computing, the guidance lacks specificity in key security areas. For example, NIST guidance does not directly address key cloud computing security issues such as portability and interoperability, data center operations, and virtualization.

Both public and private sector officials identified interoperability issues and concerns about virtualization as challenges agencies face when making decisions on whether to implement cloud computing.