NIST Unveils Security, Privacy Controls

Guide Introduces Concept of Overlays, 'Rebrands' Assurance

By Eric Chabrow, April 30, 2013.

NIST's Ron Ross, a big NASCAR fan, likens new security controls guidance to the tools race-car builders use to prevent drivers from breaking their necks when crashing into a brick wall at 200 miles an hour.

"It's all about strength of mechanism," Ross says.

After more than two years of work, the National Institute of Standards and Technology issued on April 30 the latest version of its quintessential guidance: Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. A team of computer scientists led by Ross, a NIST fellow and project leader, produced the guidance.

Although the guidance is written for U.S. federal government agencies, it's commonly adopted by businesses, not-for-profit organizations and local, state and foreign governments.

In an interview with Information Security Media Group, Ross discusses:

  • The growing importance of privacy in the new controls; the word privacy is included in the publication's title for the first time.
  • Overlays, an approach to IT security being introduced in revision 4. Overlays provide a structured way to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation and/or technologies.
  • NIST's consideration of updating new controls online so users of the guidance don't need to wait until a printed version of the next revision is issued in 2015 or later.

Assurance a Key Element

Ross says a key element in the new version of SP 800-53 is the "reintroduction of the notion of assurance, or trustworthiness of information systems."

"Assurance has been rebranded to make the argument that you can associate certain security controls with assurance, and you can associate certain ones with functionality," Ross says. "The assurance ones are important because they really do talk to quality, and that's important to reduce the number of latent errors that are in our software programs that lead to vulnerabilities, which can lead to systems being breached. That's a very big investment. I call it the down payment on the future of our build-it-right part of the strategy."

According to the guidance, the build-it-right strategy is coupled with a variety of security controls for continuous monitoring to give organizations near real-time information that is essential for senior leaders to make continuing risk-based decisions affecting their critical missions and business functions.

New Features

Among new features added to the revised guidance:

  • Assumptions relating to security-control baseline development;
  • The ability to tailor the controls to align with the enterprise's mission;
  • Additional assignment and selection statement options for security and privacy controls;
  • Descriptive names for security and privacy control enhancements;
  • Consolidated tables for security controls and control enhancements by family with baseline allocations;
  • Tables for security controls that support development, evaluation and operational assurance; and
  • Mapping tables for international security standard ISO/IEC 15408, known as the Common Criteria.

SP 800-53 Revision 4 was developed by the Joint Task Force Transformation Initiative Interagency Working Group with representatives from NIST, the federal intelligence community, departments of Defense and Commerce, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Besides leading the Joint Task Force Transformation Initiative Interagency Working Group, Ross heads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. He also serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
