NIST security controls update addresses privacy, mobile, cloud
A draft update (.pdf) to the principal catalog of security controls used by federal agencies for the first time couples privacy controls with security controls, introduces mobile-specific controls, addresses insider-threat mitigation and elevates the importance of information system assurance and trustworthiness.
The National Institute of Standards and Technology published on Feb. 28 the draft, which will become the fourth revision of a document known as Special Publication 800-53. The draft revision is the first proposed update since revision 3 (.pdf) came out in August 2009, and will be out for public comment until April 6.
"This is the first time we've done a full court press, if you will, on privacy," said Ron Ross, FISMA Implementation Project leader and NIST fellow, during an interview.
"Privacy has its own legislative requirements and policy requirements--the Privacy Act of 1974 and OMB policies--and now we actually have real controls that can be implemented and there's a standard language...and more importantly can be assessed to ensure those controls are effective," said Ross.
The Federal CIO Council's privacy subcommittee helped formulate the privacy controls, which will integrate and mutually reinforce security and privacy, he added, stating that closer coordination and communication between privacy and security offices within agencies should ensue.
Threats have also changed considerably since the last revision, said Ross. The newly introduced draft controls draw heavily on actual attack reporting data from agencies. And while none of the controls are specifically tagged in "cloud-computing" or "mobile" sections, there are additions that address security in those emerging environments. A new remote wiping control, for example, is clearly for mobile devices, he said.
The controls for the government's new cloud-computing acquisition program, called FedRAMP, are taken directly from SP 800-53. The FedRAMP joint authorization board will update its controls to match the baselines in Revision 4, a General Services Administration official said in early February. Ross called FedRAMP a perfect "use case" for the controls catalog update, because it defines the set of security controls needed in a cloud system.
"NIST is working with GSA to develop an assessment program so cloud service providers can go out and hire qualified assessors to come in and determine if those controls are actually effective," said Ross.
Many supply chain security and insider threat controls are also new to Revision 4, not to mention an entirely rewritten Appendix E, which is the assurance appendix, said Ross. Assurance--or confidence that a control will work when it's supposed to work and do what it's supposed to do--is an important topic area, he said.
"[We're trying] to elevate the whole concept of assurance so it becomes something that people care about again...[it] is critical to having the resiliency that we need to make sure that these systems can not only absorb a cyberattack, but continue to operate after they have been attacked," said Ross.
It's best to think of SP 800-53 as a toolbox, he added. It's the NIST publication that catalogs security controls and designates low-, medium- and high-baseline criteria so agencies can tailor controls to their exact mission or environment of operations. Ninety percent or more of government IT systems are legacy, so integration means some controls may be unnecessary while others will be needed to supplement the baseline, he added.
Specific assessment procedures for these security and privacy controls will be outlined in the forthcoming companion publication, SP 800-53 A, which addresses assessment of controls outlined in SP 800-53. Ross said the revision to SP 800-53 A (.pdf) is now underway and will, much like SP 800-53, include an entirely new section on assessment procedures for privacy controls.
SP 800-53 A will also be important for those closely following FedRAMP, as it will outline the procedures for ensuring the cloud-computing "controls that FedRAMP requires are actually implemented, operating as intended and producing whatever effect they need to produce," said Ross.