NIST releases final draft of cybersecurity document for public comment
After two years of toiling and several revisions, the National Institute of Standards and Technology is seeking public comment on a final draft of the fourth revision to the security safeguards and countermeasures that federal agencies will use to protect their data and information systems, according to a Feb. 6 NIST press release.
Calling it the "most extensive update" to SP 800-53, its control catalog, in 8 years, NIST says it received and responded to several thousand comments from across the federal government, industry and academia during the initial public comment period. As a result, they insist they have "greatly increased the cybersecurity toolset" for their customers.
The final draft is the product of revisions from the multi-agency Joint Task Force Transformation Initiative and includes new guidance for handling insider threats, supply chain risk, mobile and cloud computing technologies and other cybersecurity issues and challenges. Other areas addressed in the updated publication include application security, firmware integrity, distributed systems, and advanced persistent threat.
NIST will accept comments on the 455-page final public draft (.pdf) until March 1.
In the updated publication, NIST says it addresses potential gaps in threat coverage, adds new security controls and control enhancements, clarifies security control language, provides new mapping tables to international security standards and provides more user-friendly naming conventions for controls and control enhancements. NIST also introduces a new concept of "overlay" to allow agencies to specialize their security plans for specific missions or business applications, particular operating environments, and for specific technologies.
According to the draft, the security and privacy controls that the document lays out are customizable and part of an organization-wide process that manages information security and privacy risk. The controls detailed in the document "address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs," states the draft.
In addition, the updated publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. The catalog of security controls addresses security from both a functionality perspective and an assurance perspective to "ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy," according to the document.