NIST Issues Final Draft of Security Controls for Comment

Over three previous drafts of its Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication 800-53, the National Institute of Standards and Technology ("NIST") has honed focus while expanding the reach of infosec controls, all culminating in this latest 455-page "Revision 4" released for public comment last week. Dubbed the "Final Public Draft" as NIST moves to finalize 800-53 in April 2013, SP 800-53 is expected to become a key reference component of the federal information security strategy of “Build It Right, Then Continuously Monitor,” joining the FIPS 200 and FIPS 199 mandatory federal standards created in response to the Federal Information Security Management Act ("FISMA").  As such we anticipate it will be a valuable and often used "desk reference" work for non-governmental security controls as well.

Privacy and security controls are a crucial component of any data and information security schedule controlling contractual obligations and data best practices.  Numerous standards entities have developed security controls geared for specific applications and industries, but one of the most influential work has been the  NIST two year effort as part of the Joint Task Force Transformation Initiative to create and finalize SP 800-53.

The Revision 4 released represents significant major changes from previous SP 800-53 versions and includes a wide range of new materials, including new security control and control enhancements addressing the range of advanced persistent threats, supply chain issues, insider danger, app security, distributed systems, and notably, mobile and cloud computing concerns.  Read on for more details on SP 800-53 Rev.4

As an initial matter NIST has, to the extent possible, attempted to create security controls that are "technology-neutral" and focus on security capabilities and security policies.  In addition, SP 800-53 is a solid primer of the risk management process landscape for privacy and data security, and even those without frontline responsibility for implementing infosec measures, risk management or legal compliance will find it a comprehensive and valuable reference.

With this Revision 4 NIST stresses a "renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services."

To this end NIST catalogs the major changes in Revision 4 include:

• New security controls and control enhancements addressing the advanced persistent threat (APT), supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;
• Clarification of security control language;
• New tailoring guidance including the fundamental assumptions used to develop the security control baselines;
• Significant expansion of supplemental guidance for security controls and enhancements;
• Streamlined tailoring guidance to facilitate customization of baseline security controls;
• New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;
• Updated security control baselines;
• New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
• New mapping tables for ISO/IEC 15408 (Common Criteria);
• The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation, and information technologies; and
• Designation of assurance-related controls for low-impact, moderate-impact, and high-impact information systems and additional controls for responding to high assurance requirements.

For those looking for quick "in and out" materials within SP 800-53, the Appendixes are the place to start.  Appendixes B and C provide a good starting point for infosec newbies with a detailed Glossary and definitions of common Acronyms.  Security professionals will likely tab immediately to Appendix F and J, which bore the majority of substantive changes over the three previous revisions and handle, respectively, the Security Control Catalog and Privacy Control Catalog.

NIST to date, in its efforts to development a unified information security framework built around a core of near real-time risk management, has created and release a score of "Special Publications" addressing different facets of the security landscape, which are available for free download and review at NIST's Computer Security Resource Center. We highly recommend checking the list of available NIST Special Publications when developing, implementing or updating your own information security frameworks and we frequently consult with clients on different SP aspects when reviewing legal compliance and legally defensible security.