Hello everybody! We are very pleased to announce the next installment of the RSA Archer eGRC Content Library. First and foremost, some clarification on quarterly intervals: previously the quarterly content updates were retroactive for the prior quarter (e.g. the Q4 update would go out in January). Originally this was to allow a full quarter's worth of development time at the end of the year, but it could also be confusing and ended up being more trouble than it was worth. Beginning this year the quarterly update name will coincide with the quarter in which it falls. As such, to get things aligned, this Q1-2013 update also serves as the Q4-2012 update. Clear as mud, right? Not to worry, it will get better. The Q2 update will go out in April, the Q3 in September, and so on. Hopefully all will be right with the world after that.
Our focus this quarter was NIST SP 800-53, or more specifically 53A, officially titled the Guide for Assessing the Security Controls in Federal Information Systems and Organizations. For those of you unfamiliar with “53 Alpha”, it is essentially the assessment companion to the NIST Special Publication 800-53 catalog of security controls. It describes the assessment procedures (what to examine, whom to interview and what to test) for each 800-53 control and is used to determine whether the controls selected for a given system are implemented correctly, operating as intended and producing the desired outcome. Control selection itself remains the job of 800-53 and the risk management framework; 53A is how you check the result.
NIST SP 800-53 Revision 3 was already an authoritative source in Archer and we’re pleased to be able to offer the companion control assessment resource as a set of integrated Archer Control Procedures. These control procedures have also been cross-mapped to both Archer Control Standards and the SP 800-53 authoritative source. As such, a new version of the Control Standards library and the NIST 800-53 Authoritative Source are also included in this bundle. (Note: The authoritative source content itself has not changed. The purpose of re-releasing the authoritative source import is to slipstream the updated mappings to Archer Control Standards and the new mappings to the companion Archer Control Procedures.)
At this point you’re probably realizing that a direct relationship between Authoritative Sources and Control Procedures doesn’t exist in Archer today, so how will the import work? The beauty of a platform as flexible as Archer is that adding this new cross-reference is a breeze. The original 800-53A taxonomy also contains several other useful categorization elements to support filtering and classification activities. In order to accommodate these and enable the 800-53A control procedures to be fully functional in Archer, several new values list fields are being added to the Archer Control Procedures application. A future platform release will make these additions permanent. The good news is you don’t have to wait to take advantage: you can very easily add these fields manually today with minimal time and effort. The field specs can be found in either this quarter’s release notes or the import tip sheet.
Not ready to make changes to your Archer instance just yet? No worries, this 800-53A base control procedure content will still import into a default instance of Archer without the new supplemental fields. This will establish the control records and their language, but the advanced 53A taxonomy filtering and the direct mapping back to the authoritative source won’t be enabled until those fields are added.
Here's a snapshot of this quarter's full bundle:
- Authoritative Sources:
  - NIST SP 800-53 Revision 3 (mapping release only – same authoritative source content)
- Control Standards:
  - 20+ updates and new standards
- Control Procedures:
  - 656 new control procedures
Hopefully you will find this new content a useful addition to your eGRC library. I’m especially interested in how you’re able to use the 800-53A procedures to drive stronger ITGRC compliance in your organization, so please send me your feedback! The Release Notes are posted on the RSA Archer Exchange and content import packs are available through Customer Support.