National Institute of Standards and Technology (NIST) Issues Draft Security Controls for Federal Information Systems
By McKenna Long & Aldridge LLP
As cybersecurity has taken center stage in recent months, with several high profile attacks on commercial and public institutions (including a cybersecurity attack on the Federal Reserve this week), a potentially significant development is in the works regarding the security of Federal information systems, one that could have a substantial effect on government contractors. On February 6, 2013, the National Institute of Standards and Technology (NIST), the agency charged with developing information security standards and guidelines for Federal information systems, announced that it was seeking comments on the final public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP)800-53, Revision 4. Once finalized, this document, developed by a joint task force of security experts from NIST, the Department of Defense, the Intelligence Community and the Committee on National Security Systems, will provide primary guidance for security safeguards and countermeasures used to protect Federal information systems. NIST notes that the latest draft supports the Federal information strategy of “Build It Right, Then Continuously Monitor.”
A comprehensive analysis of the current draft, which is over 450 pages, is beyond the scope of this alert. However, there are a couple of key points that should be made about the guidelines in their current form. First, as with previous guidelines produced by NIST, these guidelines would apply to all federal information systems, except for those designated as national security systems under 44 U.S.C. § 3542. This means that any system used by an executive agency or the contractor of an executive agency will be subject to the finalized guidelines, unless the system is used for national security purposes, such as intelligence activities, military command and control, or weapons systems. Second, the revised guidelines would provide new security controls and control enhancements addressing a wide range of cybersecurity concerns, including advanced persistent threats, supply chains, insider threats, application security, distributed systems, and mobile and cloud computing. For many government contractors, compliance with these guidelines will require the adoption of extensive new security measures.
Contractors that could be affected by these new guidelines can offer comments on the current draft through March 1, 2013. McKenna will continue to monitor the NIST’s efforts to promulgate new guidelines and other cybersecurity related developments relevant to government contractors.
For additional information, please contact:
Elizabeth “Beth” Ferrell
202.496.7544
Patrick J. Stanton
202.496.7316
McKenna Long & Aldridge LLP (MLA) is an international law firm with more than 575 attorneys and public policy advisors in 13 offices and 11 markets. The firm is uniquely positioned at the intersection of law, business and government, representing clients in the areas of complex litigation, corporate law, energy, environment, finance, government contracts, health care, infrastructure, insurance, intellectual property, private client services, public policy, real estate, and technology. To further explore the firm and its services, go to mckennalong.com.
© 2013 MCKENNA LONG & ALDRIDGE LLP, 303 PEACHTREE STREET NE, ATLANTA, GA, 30308. All Rights Reserved.
*This Advisory is for informational purposes only and does not constitute specific legal advice or opinions. Such advice and opinions are provided by the firm only upon engagement with respect to specific factual situations. This communication is considered Attorney Advertising.
