This report first appeared on CyberScoop.
NIST Special Publication 800-53 isn’t the most exciting book, but for federal IT managers, the canonical catalogue of cybersecurity controls is like the English Hymnal and the Book of Common Prayer rolled into one. Changes to it are a very big deal.
The latest version, put together by top federal scientists from the U.S. National Institute for Standards and Technology, incorporates privacy controls as well, one of its principal authors told CyberScoop.
“It’s a leap ahead document,” NIST Cybersecurity Advisor Ron Ross said of the new draft of NIST SP 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations.”
Ross and other cyber experts from NIST last week briefed the agency’s Information Security and Privacy Board about the latest, long-awaited set of proposed revisions to the magisterial index of security controls — 800-53 Rev5.
SP 800-53 lists the security controls federal managers have to choose from to ensure their IT systems comply with the security standards laid out in the Federal Information Security Modernization Act. Increasingly, it’s also used outside of the federal government.
Revisions are a big deal, but Rev5 is especially keenly awaited. It was scheduled for publication last week, but is held up in “internal review,” Ross said. Other officials said privately that the document was awaiting sign-off from the White House.
A statement from NIST’s Computer Security Resource Center posted Friday night read in part: “We hope to be able to release the publication in the very near future.”
Ross said the revisions made a series of changes designed to integrate privacy measures more fully into the security catalogue and to make it “more welcoming for private sector people who want it to use it voluntarily … and more broad-based, more inclusive” for others who want to use it to secure non-traditional IT systems, like those created by the internet of things or those that run industrial machinery.
“We’ve taken the word ‘federal’ out of the title, out of the whole document,” said Ross, “and we use ‘system’ instead of ‘information system,’ to help make it clear that you can use this for IoT, for medical devices, for cars … Any place there’s a computer that’s connected.”
Ross said another major change was that “we’ve decoupled the controls from the process” of choosing them. The existing version, which dates back to 2012, was designed to be used with NIST’s Federal Risk Management Framework. “We cut that out,” Ross said, so now the controls are process agnostic: “You can use it with the RMF, you can use it with the [NIST] Cybersecurity Framework, you can use it with ISO 27001, you can use it with whichever process works for your organization.”
“We think we built the most comprehensive control set, unparalleled in its breadth and depth,” said Ross. “We want it useable, used, by as many people as possible.”
Finally, Ross said, NIST scientists took what had been an appendix listing privacy controls that an organization could adopt and integrated them into the body of the catalogue. “We have privacy controls, we have security controls, we have dual purpose controls,” Ross said. As examples of the latter category, he gave “awareness and training” and “audits.”
“Training should be designed so as to include privacy and security,” said Ross. “Audits, likewise, can measure both.”
“There’s a table at the back that lists all the privacy-related controls,” he said, “but they are completely integrated throughout the new document.”