NIST drops ‘federal’ from cyber controls guidance

The National Institute of Standards and Technology has removed federal-specific verbiage from its prominent cybersecurity and privacy controls publication.

CyberScoop’s Shaun Waterman reported that the move to remove the word “federal” from the title of its magisterial catalog of cybersecurity and privacy controls, NIST SP-800-53, is one of a series of proposed changes NIST rolled out this week after a long delay.

The catalog sets the cybersecurity and privacy controls and standards that non-national security federal agencies must comply with.

“The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same [cyber] threats” as a result, said NIST Fellow Ron Ross.

As NIST was doing the re-write — a year-and-a-half long process — the authors realized that in addition to their traditional “customer base” in the federal agencies mandated by law to use the controls in the catalog, there were many others who might find it useful.

So NIST changed the name of SP-800-53 from Security and Privacy Controls for Federal Information Systems and Organizations, by cutting the word federal. SP 800-53 was last revised in 2015, although the last full rewrite was two years before that.

“There are whole other communities of interest out there that could benefit from using the controls in this catalogue on a voluntary basis,” Ross, one of the chief authors of the new draft, told CyberScoop. “We wanted [the new draft] to feel more welcoming for those new customers … including industry and academia” and even stretching beyond the borders of the U.S.

“There is a global audience” for this kind of material, Ross said.