NIST Updating Catalogue of Controls
Seeking Public Comment on Draft Special
"The past year, we've taken a thorough scrub at that catalogue and we have been able to add a significant number of new controls and enhancements that deal with some of the challenges we have had, and the new technologies that we're routinely using, like mobile and cloud," says Ron Ross, NIST fellow and leader of the institute's Federal Information Security Management Act implementation project.
NIST added the word privacy to the title of the draft guidance, its fourth revision, unveiled at RSA Conference 2012 in San Francisco, because it expands the number of privacy controls to the framework that federal agencies use to protect their information and information systems. "Privacy and security are complementary, so we decided to combine them in SP 800-53," Ross says.
The draft revision also provides controls to handle insider threats, supply chain risk, and cloud computing technologies and other cybersecurity challenges as well as application security, firmware integrity, distributed systems and advanced persistent threat. "The changes we propose in revision 4 are directly linked to the current state of the threat space - the capabilities, intentions and targeting activities of adversaries - and analysis of attack data over time," Ross says.
NIST also modified its guidance on security assurance in Appendix E, which outlines how agencies can establish measures of confidence that the security controls put in place are providing the necessary security capability to protect critical missions and business operations. "Having security functionality in your information systems without the appropriate assurance is like skydiving without a backup parachute: you don't need it until you need it," Ross says. "And without it, the outcome is very predictable."
As part of the update to SP 800-53, NIST addressed potential gaps in coverage, added new security controls and control enhancements, provided additional supplemental guidance for these controls, and clarified security control requirements and specification language. Keeping the potential threats in mind, NIST updated security control baselines and revised minimum assurance requirements.
NIST wants to hear from its stakeholders on how the public draft should be revised. NIST seeks comments on SP 800-53, Revision 4, by April 6. E-mail should be sent to email@example.com.