The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems.
In its announcement of the draft revision, NIST explains that the update “responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.” In particular, a key purpose of the update process was to assess the relevance and appropriateness of the current security controls and control enhancements designated for each baseline (low, moderate, and high) to ensure that protections are commensurate with the harm that would result from a compromise of applicable government data and systems. In addition, the revised guidelines recognize the need to secure a much broader universe of “systems,” including industrial control systems, IoT devices, and other cyber physical systems, than the “information systems” that were the focus of the prior iterations of SP 800-53. Relatedly, the revised publication also identifies those controls that are both security and privacy controls, as well as those controls that are the primary responsibility of privacy programs.
This stated purpose, and expanded scope of the updated guidelines, is evident in some of the key changes to NIST SP 800-53, which include:
- Removing the term “federal” from the title and throughout the publication to deemphasize the federal focus of the publication and to encourage use of the guidelines by state, local, and tribal governments, as well as private sector organizations.
- Replacing the term “information system” with “system” throughout the publication to expand the scope of the guidelines in recognition of the threats to all types of systems (e.g., industrial/process control systems, cyber physical systems, weapons systems, IoT devices, etc.).
- Adding and integrating privacy controls directly into the existing security control catalog. For example, control CM-4 SECURITY IMPACT ANALYSIS, has been changed as follows:
Control: The organization aAnalyzes changes to the information system to determine potential security and privacy impacts prior to change implementation.
- Changing the structure of the controls to make them more outcome-based by removing introductory term (such as “the organization” and “the information system”) from the controls to focus on the capabilities, provide greater alignment with other NIST guidance and the NIST Cybersecurity Framework, and to reduce ambiguity. For example, control IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATION USERS), has been changed as follows:
Control: The information system uUniquely identifyies and authenticates organizational users (or processes acting on behalf of organizational users).
- Mapping the security and privacy controls of NIST SP 800-53 to international security and privacy standards, including ISO/IEC 27001 (Information Security Management Systems), ISO/IEC 15408 (Common Criteria), and OMB Circular A-130 for ease of use by public and private entities. (Appendix I contains the mapping)
- Removing priority sequencing codes (i.e., P0, P1, P2, P3) to eliminate confusion about the priority code designations and provide flexibility in the implementation of security and privacy controls.
- The revised guidelines also recognize that the controls and their applicability depend on specific technologies, environments, and business functions, and makes it easier for organizations to analyze the applicability of each control by: physically separating the control selection process from the catalog of controls; including tailoring considerations as a separate appendix (see Appendix G); adding control keywords to help users develop security and privacy plans and tailor the controls to their systems; and adding hyperlinks to help navigate through the document and access other related publications.
This update also represents a step in implementing OMB Circular A-130, which was issued by the Obama administration in July 2016 and requires all federal agencies to adopt a risk-based approach to managing information and networks. The Circular includes two appendices, one on data security and another on privacy protections, which together provide guidance to federal agencies on managing information resources and personally identifiable information (“PII”). The NIST SP 800-53 revisions are responsive to the requirements imposed by the Circular, including mapping the Circular’s privacy requirements to related controls in the publication.
Typically, contractors that operate information systems on behalf of the government are also required to implement protections on those systems consistent with SP 800-53. However, before agencies (and contractors) can implement the revised SP 800-53, NIST will need to update NIST SP 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations” to match the final SP 800-53 security controls adopted by NIST. The Department of Defense (“DoD”) will have a number of additional tasks including:
- Publishing a revised edition of Committee on National Security Systems (“CNSS”) Instruction 1253, “Security Categorization and Control Selection for National Security Systems.” CNSS 1253 provides guidance on implementing (and tailoring) the security controls from NIST SP 800-53 for use in the DoD National Security System environment.
- Incorporating the new/revised security controls into the eMASS database. The eMASS computer application is managed by the Defense Information Systems Agency (“DISA”) and is used as a tool when implementing the NIST Risk Management Framework (“RMF”) for DoD information systems.
NIST seeks customer feedback regarding the relevance and appropriateness of the current security controls and control enhancements designated in each baseline—that is, do the security controls and control enhancements in each baseline provide the appropriate starting point for tailoring that baseline. Comments should be sent to sec-cert@nist.gov with the Subject line “Comments on Draft SP 800-53 Rev. 5”. This draft revision is open for public comment until September 12, 2017.