2.7 revisions and extensions

The security controls listed in this publication represent the state-of-the-practice safeguards and countermeasures for federal information systems and organizations. The security controls[57] will be carefully reviewed and revised periodically to reflect:

  • Experience gained from using the controls;
  • New federal legislation, Executive Orders, directives, regulations, or policies;
  • Changing security requirements;
  • Emerging threats, vulnerabilities, and attack methods; and
  • Availability of new technologies.

The security controls in the security control catalog are expected to change over time, as controls are withdrawn, revised, and added. The security controls defined in the low, moderate, and high baselines are also expected to change over time as the level of security and due diligence for mitigating risks within organizations changes. In addition to the need for change, the need for stability is addressed by requiring that proposed modifications to security controls go through a rigorous public review process to obtain both public and private sector feedback and to build consensus for such change. Over time, this provides a stable, flexible, and technically sound set of security controls for the federal government, contractors, and any other organizations using the security control catalog.

57. The privacy controls listed in Appendix J will also be updated on a regular basis using similar criteria.
