NIST Updating Security ControlsFinal Draft Issued of Revisions to Special Publication 800-53
The National Institute of Standards and Technology is a step closer to publishing its fourth version of one of its premier information security guides - Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.
NIST, on Feb. 5, issued the final public draft of the guidance, seeking comments from the public as it finalizes the final version of SP 800-53 Rev. 4, which is expected to be published in April.
"This is by far the most extensive update to our control catalog since it was first published in 2005," says Ron Ross, the NIST computer scientist who heads the initiative that's revising the guidance. "We received and responded to several thousand comments from across the federal government, industry and academia during the initial public comment period and have greatly increased the cybersecurity toolset for our customers as a result."
Ross says the revised guide supports NIST's strategy of "build it right, then continuously monitor," and its security and privacy controls furnish the needed tools to implement effective, risk-based, information security programs, capable of addressing sophisticated threats.
Though the guidance is aimed at federal government IT systems, it is frequently followed by local, state and tribal governments as well as private-sector enterprises.
What's New in the Guidance?
Major changes in Revision 4 include:
- New security controls and control enhancements addressing the advanced persistent threat, supply chain, insider threat, application security, distributed systems, mobile and cloud computing and developmental and operational assurance;
- Clarification of security control language;
- New tailoring guidance, including the fundamental assumptions used to develop the security control baselines;
- Significant expansion of supplemental guidance for security controls and enhancements;
- Streamlined tailoring guidance to facilitate customization of baseline security controls;
- New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;
- Updated security control baselines;
- New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
- New mapping tables for ISO/IEC 15408 (Common Criteria);
- The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation and information technologies;
- Designation of assurance-related controls for low-impact, moderate-impact and high-impact information systems and additional controls for responding to high assurance requirements.
Addressing Sophisticated Threats
Ross says NIST guidance facilitates the significant transformation underway on how organizations authorize their IT systems securely.
"Near real-time risk management and the ability to design, develop and implement effective continuous monitoring programs depends first and foremost on the organization's ability to develop a strong information technology infrastructure, in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions," Ross says.
"The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, information security programs capable of addressing sophisticated threats," he says.
Comments on the final draft revision should be sent by March 1 to firstname.lastname@example.org.
Revisions to SP 800-53 are being developed by the Joint Task Force Transformation Initiative Interagency Working Group with representatives from the federal intelligence community, departments of Defense and Commerce, the Office of the Director of National Intelligence and the Committee on National Security Systems.