NIST SP 800-53 Revision 5 Represents a Multi-Year Effort to Develop Next-Generation Security and Privacy Controls
The National Institute for Standards and Technology (NIST) has published the draft version of SP 800-53 (revision 5): Security and Privacy Controls for Information Systems and Organizations. This is the first update to SP 800-53 since revision 4 was published seven years ago, and reflects the major changes to the security landscape over the last few years.
The publication (PDF) provides a catalog of security and privacy controls (also called ‘safeguards’ by NIST) that will help protect organizational operations and assets. Use of the publication is a requirement for federal information systems, but it is designed to be equally accessible and valuable to private enterprises and systems developers.
“Our objective is to make the information systems we depend on more resistant to cyberattacks,” explains NIST’s Ron Ross, one of the publication’s authors. “We want to limit the damage from those attacks when they occur, make the systems cyber-resilient, and at the same time protect the security and privacy of information.”
He explained that organizations would first assess their risks using tools such as NIST’s Risk Management Framework, Cybersecurity Framework and Privacy Framework; and then use SP 800-53 to find specific solutions. “An organization can use this catalog together with any approach to risk management,” he said. “We reference other NIST publications for readers’ convenience, but we have designed it to be agnostic.”
There are many updates and improvements in revision 5. Three of the primary ones include the integration of privacy controls in the main catalog (they had previously been consigned to an appendix); the addition of a new family of supply chain controls; and new ‘state-of-the-practice’ for areas such as cyber resiliency and secure systems design.
But it’s not just the content that has improved. “NIST has made Revision 5 a lot easier to read and understand,” Connor Gilbert, senior product manager at containers and Kubernetes security firm StackRox, told SecurityWeek. “Even small changes like switching from declarative to imperative language makes the controls significantly easier to read.”
Michael Daly, CTO of cybersecurity and special missions at Raytheon, also sees improvements beyond just the controls. “One that I find especially helpful,” he told SecurityWeek, “is in providing an implementation collaboration index. This is meaningful guidance because we have predominantly divided these responsibilities inside organizations, even up to the level of the senior leadership team, and this guidance helps to delineate a common framework for how work should be segmented and made accountable.”
Furthermore, adds Bob Post, managing principal at security advice firm Coalfire, “Providing the controls in the Open Security Controls Assessment Language (OSCAL) supports the much-needed shift to automation by moving away from proprietary frameworks to standardized, machine-readable formats.”
Among the controls, the expanded privacy content has been welcomed. “The expansion of privacy-related controls and their integration into the overall security catalog emphasizes that privacy is no longer an ‘add-on’,” comments Post. This reflects the increased importance of privacy over the last few years, from shocking breaches like that at OPM to national (CCPA) and international (GDPR) privacy regulations.
“Basically, security would have the company interest in mind, but not the individual/consumer,” says Chris Morales, head of security analytics at AI-based threat detection firm Vectra. “We have always believed in security and privacy being one. That has been difficult to convey when compared to tools that disregard privacy for the sake of monitoring and control. Hopefully,” he added, “this sees a shift in how the industry views the implementation of security to be more friendly to personal rights.”
Post is pleased with the new supply chain controls. “The new control family on Supply Chain Risk Management,” he told SecurityWeek, “recognizes how business is really done in the modern age.” It is also how cybercrime is done in the modern age.
“Of particular interest with the latest revision is the new set of supply-chain controls,” agrees Tom Kellermann, head cybersecurity strategist at VMware’s Carbon Black business unit. “Island-hopping continues to be a major concern for businesses and agencies. Better protecting the supply chain can better protect the whole organization. Too many high-profile breaches in recent years at some major organizations have come as the result of supply-chain vulnerabilities.”
The ‘state-of-practice’ improvements for secure systems design reflect the many calls, including regulatory calls, for ‘security by design’ to be standard practice. Too often, new product vulnerabilities occur because products have been rushed to market at the cost of building security into product development. If security is built into new products, rather than bolted on as an afterthought, the entire security landscape would improve.
Morales is pleased with the new cyber resiliency ‘state-of-practice’ inclusion. “I’m a big fan of cyber resilience,” he told SecurityWeek. “Resilience speaks to surviving an attack, not just preventing it. The philosophy becomes ‘assume the breach and reduce the impact’. This is the reality we live in, where attacks happen and systems need to be able to sustain under duress.”
The document as published by NIST is described as the ‘final public draft’. NIST is inviting and considering public comment until May 15, 2020.
Raytheon’s Daly has one immediate suggestion. “One area that I would like to see enhanced,” he said, “would be around data labeling and destruction. Various global privacy regulations mandate the identification, reporting, and, upon request by the owner, destruction of personally identifiable information if not required to be retained under other regulations. This activity requires much collaboration across roles and should be accounted for in the updates.”
The current document offers an ideal starting point for the practical implementation of necessary security controls. “Threats continue to evolve,” says Kellermann. “NIST’s long anticipated revision can further empower organizations to better tackle security and privacy risk. With a vast number of devices (from individual computers to large systems) housing critical data, the framework offers a good starting point for organizations to consider.”
But it is just the starting point, and NIST is already working on additional advice to increase the full value of SP 800-53. “These [SP 800-53] controls from NIST help users know ‘what’ their environment should look like,” explains Alex Peay, SVP of product at automation software firm SaltStack. “But the broader challenge is ‘how’ to maintain that recommended system state.”
NIST has an ongoing effort to help organizations take action and fix infrastructure security vulnerabilities. A current project, where SaltStack is collaborating with NIST, is called ‘Critical Cybersecurity Hygiene: Patching the Enterprise’. The project, says NIST, will examine how commercial and open source tools can aid with the most challenging aspects of patching general IT systems. We will include actionable, prescriptive guidance on establishing policies and processes for the entire patching lifecycle to include defining roles and responsibilities for all affected personnel and establishing a playbook containing mitigation actions for destructive malware outbreaks.”
SaltStack, said Peay, “is working with NIST directly on how to determine which toolsets can be used to secure enterprise infrastructure using controls from [the 800-53] initiative.”
Related: Analyzing Cyberspace Solarium Commission’s Report
Related: UK Publishes Minimum Cyber Security Standard for Government Departments
Related: NIST Publishes Cybersecurity Workforce Framework
Related: NIST Releases Cyber Security Framework for Critical Industries
