'Substantial' changes ahead for federal cybersecurity controls
The National Institute of Standards and Technology has released the final draft of its updated catalog of IT security controls, expanded to address new threats and with the flexibility to let agencies tailor controls to their needs. NIST expects to publish the finished product in April.
Special Publication 800-53, Security and Privacy Controls for Federal information Systems and Organizations, is a foundational document underlying federal cybersecurity regulation. Agencies are required under the Federal Information Security Management Act to apply appropriate controls detailed in the document to their IT systems, based on the level of assurance needed for each system.
Originally published in 2005, SP 800-53 was last updated in 2009 as part of what NIST called a historic collaboration with the military and intelligence communities to produce a set of governmentwide IT security controls. The latest update, Revision 4, is the most comprehensive to date and reflects changes in the IT and security landscapes over the past two years.
“The changes are substantial,” said Ron Ross, the FISMA implementation lead at NIST. “The fundamental underpinnings haven’t changed,” but the catalog of security controls has grown from more than 600 to more than 850 controls, and there is a new emphasis on the underlying trustworthiness of systems and on privacy controls.
Comments on the draft can be sent by March 1 to email@example.com, with final publication now anticipated in April. “We want to get this out sooner rather than later,” Ross said.
The guidelines are part of a set of documents developed by the Joint Task Force Transformation Initiative, a collaborative effort formed to harmonize IT security requirements across civilian agencies, the military and the intelligence communities.
In the past, NIST has produced guidance and standards for civilian agencies for complying with FISMA. These requirements did not apply to the military and national security systems, however, which led to a fragmented set of cybersecurity requirements that are being replaced with a single set of standards.
The security controls enumerated in the SP 800-53 Rev. 4 reflect recent concerns, including Advanced Persistent Threats, supply chain risks, insider threats, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance.
The major difference in the new version is its flexibility, giving agencies the ability to enhance a baseline of required controls with overlays tailored to specific missions and business cases, environment or technology. FedRAMP (the Federal Risk and Authorization Management Program) for cloud providers is an example of an overlay, Ross said, and the military is developing Space Command and other tactical overlays.
Federal requirements have put emphasis on the need to continuously monitor the status of IT systems in recent years, but the new document also focuses on the need to ensure that the systems being monitored are trustworthy to begin with. There are guidelines for assessing development processes and assuring that system architecture, design and analysis produce a final product that meets baseline security requirements.
“You can’t patch or configure your way out of this problem,” Ross said. “You have to start at the front end.”
The document also contains an appendix devoted to privacy controls, based on internationally recognized Fair Information Practice Principles, new in this revision.
Work on the revision began two years ago and the first public draft was released in February 2012. That and subsequent drafts generated thousands of comments that have been addressed.
“This was a tough update,” Ross said. But it is expected to be comprehensive and flexible enough to hold up for a number of years. NIST guidance typically is reviewed every five years, but the security controls in SP 800-53 can be supplemented with out-of-cycle updates that will keep it current, he said.