NIST Updating Catalogue of Controls

Seeking Public Comment on Draft Special
More than a year in the making, the National Institute of Standards and Technology issued on Feb. 28 an initial public draft updating one of its premier special publications, SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. The draft incorporates expanded privacy controls and addresses new threats that were unheard of when NIST issued revision 3 in 2009.

"The past year, we've taken a thorough scrub at that catalogue and we have been able to add a significant number of new controls and enhancements that deal with some of the challenges we have had, and the new technologies that we're routinely using, like mobile and cloud," says Ron Ross, NIST fellow and leader of the institute's Federal Information Security Management Act implementation project.


NIST added the word privacy to the title of the draft guidance, its fourth revision, unveiled at RSA Conference 2012 in San Francisco, because the revision adds more privacy controls to the framework that federal agencies use to protect their information and information systems. "Privacy and security are complementary, so we decided to combine them in SP 800-53," Ross says.

The draft revision also provides controls to handle insider threats, supply chain risk, cloud computing technologies and other cybersecurity challenges, as well as application security, firmware integrity, distributed systems and advanced persistent threats. "The changes we propose in revision 4 are directly linked to the current state of the threat space - the capabilities, intentions and targeting activities of adversaries - and analysis of attack data over time," Ross says.

NIST also modified its guidance on security assurance in Appendix E, which outlines how agencies can establish measures of confidence that the security controls put in place are providing the security capability needed to protect critical missions and business operations. "Having security functionality in your information systems without the appropriate assurance is like skydiving without a backup parachute: you don't need it until you need it," Ross says. "And without it, the outcome is very predictable."

As part of the update to SP 800-53, NIST addressed potential gaps in coverage, added new security controls and control enhancements, provided additional supplemental guidance for these controls, and clarified security control requirements and specification language. Keeping the potential threats in mind, NIST updated security control baselines and revised minimum assurance requirements.

NIST wants to hear from its stakeholders on how the public draft should be revised. NIST seeks comments on SP 800-53, Revision 4, by April 6. E-mail should be sent to

About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.