Yesterday the National Institute of Standards and Technology (NIST) released the fourth revision (Rev. 4) of what will ultimately be a mainstay document for federal agencies required to comply with the provisions of the Federal Information Security Management Act (FISMA) and FIPS 200. As a result it should have a significant effect on federal cloud security practices, which will in turn affect commercial, non-governmental cloud usage.
Weighing in at 375 pages, NIST’s Special Publication 800-53, Rev. 4, entitled Security and Privacy Controls for Federal Information Systems and Organizations, is the first public draft of the complete Rev. 4 document. Earlier portions of Rev. 4 were released essentially piecemeal (e.g. Appendix J, the Privacy Control Catalog, was distributed separately). Given the breadth and scope of SP 800-53, follow-up posts will examine specific notable sections of this important NIST SP. In addition, the public comment period for the SP 800-53 Rev. 4 draft runs until April 6, 2012. Comments may be sent via email to email@example.com.
According to NIST, this latest public draft includes major changes such as:
- New security controls and control enhancements;
- Clarification of security control requirements and specification language;
- New tailoring guidance including the introduction of overlays;
- Additional supplemental guidance for security controls and enhancements;
- New privacy controls and implementation guidance;
- Updated security control baselines;
- New summary tables for security controls to facilitate ease-of-use; and
- Revised minimum assurance requirements and designated assurance controls.
NIST notes that "[m]any of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT)."
Interestingly, despite the cloud-heavy focus of many recent NIST SPs and reports, the release stresses that "in most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as ‘cloud’ or ‘mobile computing’ controls or placed in one section of the catalog." In subsequent posts I’ll explore the ramifications of this orientation and examine why NIST’s approach makes sense in light of the current infosec and threat landscape. We’ll also dig through the expected additional markup versions of Appendices D, F and G following the comment period, and Appendices E and J, which contain the security and privacy controls. Stay tuned.
To discuss the latest SP800-53 public draft or expected implications of the recommended controls on your entity’s security and data infrastructure please feel free to contact me or any of the InfoLawGroup team of attorneys.