NIST Revising Key Security Controls PublicationUpdate Aims to Help Organizations Identify Controls to Adopt
Just before midnight on Aug. 1, NIST issued a draft of SP 800-53A Revision 4, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans."
The draft furnishes a set of procedures to conduct assessments of security and privacy controls used by U.S. federal government information systems and organizations. But NIST guidance is often adopted by other governments and businesses worldwide.
NIST says the changes in the draft have been driven by four fundamental needs of federal agencies to:
- Provide new assessment procedures for security and privacy controls defined in its previously issued guidance,
- Furnish a more granular breakdown of assessment objectives to support continuous monitoring and authorization programs,
- Facilitate a more structured format and syntax to assess procedures that support the use of automated tools for assessment and monitoring activities and
- Support assessments of security and privacy capabilities and root-cause analysis of failure modes for individual or groups of controls.
By addressing these needs, NIST says organizations will have the flexibility to define specific parts of security and privacy controls requiring greater scrutiny; more effectively tailor the scope and level of effort required for assessments; assign assessment and monitoring frequencies on a more targeted basis; and take advantage of potential new opportunities to conduct assessments of security or privacy capabilities, including analysis of control dependencies.
NIST Fellow Ron Ross, principal author of the guidance, says the changes to the security and privacy assessment procedures should result in significant improvements in the efficiency and cost-effectiveness of control assessments.
"Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions," Ross says.
NIST is seeking comments from stakeholders on the new guidance. Comments should be sent to firstname.lastname@example.org with the subject line "Comments Draft SP 800-53Arev4" by Sept. 26.