NIST Revises Guide on Security ControlsPublication Seen as Aiding with Continuous Monitoring
New guidance published by the National Institute of Standards and Technology is aimed at helping federal agencies and other organizations in and out of government assess proper security and privacy controls, especially those tied to the continuous monitoring of IT systems for vulnerabilities.
NIST unveiled on Dec. 15 Special Publication 800-53A Revision 4, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations," which supplements SP 800-53 Rev. 4, "Security and Privacy Controls for Federal Information Systems and Organizations," published in April 2013.
The Federal Information Security Management Act, the law that governs federal government IT security, requires government agencies to "reauthorize" the security of their IT systems every three years using a checkbox process to attest that proper security controls were implemented. FISMA also requires inspectors general to review annually their respective agencies' cybersecurity programs.
Congress last week enacted FISMA reform that would codify the federal government's transition from the checkbox approach to IT security to one employing continuous monitoring of IT systems (see FISMA Reform Heading to the White House).
SP 800-53A Rev. 4 documents a number of controls that support continuous monitoring, and the new assessment guidance helps put those controls into perspective. "The most important feature in the new guidance is that it's going to support this whole transition to ongoing authorization and continuous monitoring," says NIST Fellow Ron Ross, chief author of the institute's risk assessment guidance.
As cybersecurity becomes more complex, so have the controls needed to ensure security and privacy, with many of the controls having multiple parts. "We broke down the procedures so you can target a specific part of the control," Ross says.
Security Control Assessment Process
Ross cites, as an example, the security control dealing with account management, which has 11 sub-controls. Some of the sub-controls have their own multiple parts. If the controls function properly except for one area - say, disabling the accounts of former employees - an agency might not be deemed compliant. The assessment process in the new guidance would help enable the organization to zero in only on that sub-control to remediate the problem, saving time and money, Ross says.
"Having the ability to do that finer grain assessment is really important by allowing organizations to develop more efficient assessment plans," Ross says. "That's always good news when you're trying to conserve your scarce resources and have those additional funds that are freed up that can be re-invested in stronger controls in different area."
SP 800-53A Rev. 4 adopts a more structured format and numbering system for assessing controls than previous versions of the guidance that will support the use of automated tools for assessment and monitoring activities. "We wanted to make sure toolmakers who are building automated tools for assessments had a very structured syntax [that] would allow us to import into automated tools all these assessment procedures, and the pieces of those procedures that folks are going to want to use and execute over time."
NIST Fellow Ron Ross discusses accelerating vetting of new guidance.
The next version of the security controls assessment guidance should be published in two years. However, Ross says NIST is developing a new process that could be deployed next year that would allow NIST to vet new controls and publish them earlier on the Web.