nist sp800-53

Points/C-coins required: 33 2018-12-05 14:49:11 7.91MB PDF

Cloud computing security standard published by NIST
Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

RON ROSS, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

COMMON SECURITY AND PRIVACY FOUNDATIONS

In developing standards and guidelines required by FISMA, NIST consults with federal agencies, state, local, and tribal governments, and private sector organizations to improve information security and privacy; avoid unnecessary and costly duplication of effort; and ensure that its publications are complementary with the standards and guidelines used for the protection of national security systems.

In addition to a comprehensive and transparent public review and vetting process, NIST is engaged in a collaborative partnership with the Office of Management and Budget, Office of the Director of National Intelligence, Department of Defense, Committee on National Security Systems, and the Federal Privacy Council, and has established a risk management framework applicable to both information security and privacy for the federal government. This common foundation for security and privacy provides the Civil, Defense, and Intelligence Communities of the federal government and their contractors more cost-effective, flexible, and consistent ways to manage security and privacy risks to organizational operations and assets, individuals, other organizations, and the Nation. The unified framework also provides a strong basis for reciprocal acceptance of authorization decisions and facilitates information sharing and collaboration. NIST continues to work with public and private sector entities to establish mappings and relationships between the information security and privacy standards and guidelines developed by NIST and those developed by external organizations.

DEVELOPMENT OF INFORMATION SYSTEMS, COMPONENTS, AND SERVICES

With a renewed nation-wide emphasis on the use of trustworthy information systems and supply chain security, it is essential that organizations can express their security and privacy requirements with clarity and specificity in order to engage the information technology industry and obtain the systems, components, and services necessary for mission and business success. Accordingly, this publication provides controls in the System and Services Acquisition (SA) family that address requirements for the development of information systems, system components, and system services. To that end, many of the controls in the SA family are directed at developers of those systems, components, and services.

It is important for organizations to recognize that the scope of the controls in that family includes information system, component, and service development and the developers associated with such development, whether the development is conducted internally or externally by industry partners (manufacturers, vendors, integrators) through the contracting and acquisition processes. The affected controls in the control catalog include SA-8, SA-10, SA-11, SA-15, SA-16, SA-17, SA-20, and SA-21.

QQZG Thanks, not bad