Don't feel sorry that Ron Ross spent part of Veterans Day working on new guidance from NIST. The retired U.S. Army lieutenant colonel is passionate about his work.
Ross leads a National Institute of Standards and Technology initiative to update Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations, and was so engrossed in his work on his day off that he forgot our 11 a.m. appointment. Calling a half-hour late, Ross effusively apologized, explaining - justifiably - his tardiness: "800-53 rev. 4 is the doc that keeps on giving; it's a beast."
It is. And the immensity of the undertaking to revise SP 800-53 explains why NIST is more than a year late getting it done.
In an ideal world, where security best practices would keep pace with technological changes, NIST would update its security controls every two years. We don't live in an ideal world, and nearly three-and-a-half years after NIST issued its third revision of SP 800-53, the institute has yet to publish revision 4. But Ross says he expects either the final version of the guidance, or at least a final draft version of the publication, to be ready early next year, perhaps in late January.
The reasons for the delay are understandable. Not only has information technology changed immensely since August 2009 when NIST published revision 3 - think about advances in mobility, the cloud and social networking since then - but so, too, has the threat landscape - advanced persistent threats, insiders and disruptive distributed denial of service attacks. Plus, revision 4 will incorporate many new privacy controls [the guidance's new title adds the word privacy: Security and Privacy Controls for Federal Information Systems]. It takes time to develop and codify best practices to deal with the evolving threats emanating from the cyberworld.
"We want to do an update every two years, but this is taking more time because of the complexity and the number of comments we got and the sheer volume of the changes going into the document, which is principally driven by the threat space," Ross says.
Revision 4 isn't just an update of revision 3. "It's a total rewrite," he says.
Revision 3 catalogued 600 security controls; revision 4 should have about 850 controls. NIST issued a draft of the guidance last February [see NIST Updating Catalogue of Controls], and Ross says 2,000 stakeholders sent NIST 5,000 suggestions on how to improve it.
"There're just so many issues that are on the radar that were not quite addressed in the 2009 version," Ross says. "It's going to be a very, very different looking publication. It will also have very important new concepts in there."
Among the new concepts in revision 4 are overlays, security controls that can be tailored to meet the needs of specific sectors such as government, financial and healthcare. "Instead of having these cookie-cutter solutions, you have the ability now to customize your secure solutions, which translate to hopefully saving money, to be more cost effective and getting better protection," Ross says.
Another major aspect of revision 4 is its emphasis on information assurance, which he characterizes as a forgotten component of information security over the past decade. "We've lost a whole generation of people who understand what information assurance is," he says. "That has to do with how developers build software, hardware and systems and how people evaluate those to make sure they met the specification.
"We focus a lot on functionality, building in 2-factor, doing encryption, doing the access-control mechanisms, doing contingency plans and all that, but we focused very little on how good that functionality really is. In other words, can those mechanisms stand up under stressful conditions, like on the battlefield or under a cyberattack? How good is the stuff that you're deploying?"
To encourage information assurance, revision 4 incorporates information-assurance best practices into the security controls. "It has to be actionable; people have to look at what you're writing and be able to translate it into things that they actually can do to achieve this thing we call assurance," Ross says. "We haven't expressed (assurance) in terms of security controls before; now we're doing that because controls are what people actually read and that's what they actually use to build their security plan."
Ross says the new guidance will help organizations couple information and functionality to build trustworthy and resilient systems, adding it's "a theme that is going to continue to resonate through rev. 4."