The National Institute of Standards and Technology is revising its foundational catalog of cybersecurity controls, broadening it to address the challenges of an increasingly complex and interconnected information infrastructure.
NIST’s Security and Privacy Controls for Information Systems (Special Publication 800-53) was first published in 2005 as guidance for federal agency compliance with FISMA—then the Federal Information Security Management Act, now the Federal Information Security Modernization Act. Since then the Internet of Things has emerged as a global network of Internet-enabled sensors and other devices, and industrial control and process systems have become increasingly interconnected with the Internet. System and enterprise perimeters have blurred, and the boundaries between public and private sector infrastructures are less well defined.
The fifth revision of SP 800-53 reflects these changes. It includes security and privacy controls for IoT and control systems and is intended to be useful to private sector organizations as well as agencies.
“There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure,” NIST’s Ron Ross writes in the revised document. “The publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions and business functions, technologies, environments of operation, and sector-specific applications.”
A draft of revision 5 has been released for public comment. Revision 5 has been in the works for a year. NIST plans to publish a final draft for comment in October and the final version by the end of the year.
Over the years, the catalog of controls has expanded to address privacy as well as IT security. The latest version of the document continues the process of integrating privacy controls into the catalog of security controls. Two new families of controls have been added that focus solely on privacy, including controls for minimizing the collection of unnecessary data captured by IoT sensors.
SP 800-53 is not prescriptive. It provides a catalog of security and privacy controls—both technical and procedural—but does not tell organizations which controls to use. Selecting the appropriate controls is up to each organization. The proposed revision streamlines the document somewhat (although it is still nearly 500 pages) by separating guidelines for the selection process from the catalog of controls. Guidance on selecting controls will be moved to other publications, including the Risk Management Framework (SP 800-37). The intent is to make this guidance more applicable to organizations using a variety of public and private sector security frameworks.
Other changes in the proposed revision include:
• Making the security and privacy controls more outcome-based by changing the structure of the controls;
• Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
• Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.
Comments on the draft revision should be made by Sept. 12 to email@example.com with “Comments on Draft SP 800-53 Rev.5” in the subject line.