New strategy for IT security: Focus on the systems, not the threats
- By William Jackson
- May 02, 2013
The newly revised catalog of IT security controls from the National Institute of Standards and Technology gives administrators more flexibility in protecting information systems and focuses more on designing and acquiring systems that have security built in.
3 Steps for implementing changes in FISMA security controls
The latest revision of SP 800-53 is a major update to NIST’s catalog of FISMA security controls. But NIST recommends a “measured, risk-based approach in accordance with organizational risk tolerance and current risk assessments.”
Unless the Office of Management and Budget says otherwise, NIST recommends that agencies follow these steps in implementing the changes:
First, determine if any added security controls or enhancements are applicable to agency information systems or environments, using the guidelines for tailoring in the publication.
Next, review changes to the guidance provided throughout the publication to determine if any immediate actions are required.
Finally, if changes are needed, incorporate them into the continuous monitoring process to the extent possible. Implementing new or modified security controls to address specific, active threats is always the highest priority. Modifications to templates or minor language changes in policy or procedures generally are the lowest priority.
Special Publication 800-53, “Security and Privacy Controls for Federal information Systems and Organizations,” is a foundational document underlying federal cybersecurity regulation. The latest update, Revision 4, is the most comprehensive to date. It reflects not only changes in the IT landscape over the past two years, but it also beefs up the section on assurance and trustworthiness.
“That’s the most important part of the revision,” said Ron Ross, the FISMA implementation lead at NIST.
Security controls in that section, Appendix E, are directed toward industry and acquisition officials to help ensure that systems and components actually do what they are supposed to do and that security controls and policies are executed properly. This can help take the emphasis in cybersecurity away from patching and updating systems against each new threat as it appears.
“We need to stop wringing our hands about the threat,” Ross said. “It’s not going away. We’ve got to be in control of the things we can control,” and that is designing software and hardware that is less vulnerable and more adaptable to a rapidly evolving threat environment. “Now we have the tools to specify that to industry.”
Having the tools does not mean developing a trustworthy computing environment will be a simple task, Ross said. “We’re not there yet. It’s going to be a long process.”
Originally published in 2005, SP 800-53 was last updated in 2009 as part of what NIST called a historic collaboration with the military and intelligence communities to produce a set of governmentwide IT security controls. Contributors to the current version, in addition to NIST, are the Defense Department, the Office of the Director of National Intelligence and the Committee on National Security.
The document is a catalog of security controls that can be applied to federal IT systems as appropriate. The catalog is used along with Federal Information Processing Standard 200, “Minimum Security Requirements for Federal Information and Information Systems,” a mandatory standard for agencies, and FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” SP 800-53 specifies baseline security controls for IT systems, based on the category of the system. The specific controls chosen can be tailored to meet the needs of each system.
The controls enumerated in the SP 800-53 Rev. 4 reflect recent security concerns, including Advanced Persistent Threats, supply chain risks, insider threats, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance. There also is an appendix devoted to privacy controls, new in this revision, based on internationally recognized Fair Information Practice Principles.
The updated document gives more flexibility in selecting appropriate controls. Although the catalog has grown from about 600 to more than 850 controls, most of them are optional rather than included in baselines. Baseline controls also can be more closely tailored to specific needs through the use of overlays, which more closely match security controls with mission, business cases, operational environment and the technology being used.
FedRAMP (the Federal Risk and Authorization Management Program) for cloud providers is an example of an overlay, Ross said, and the military is developing tactical overlays for controls appropriate to the conditions of a tactical environment. DOD’s Space Command is also developing its own overlays.
Ross said the interagency task force that created SP 800-53 Rev. 4 expects to release this year IT engineering guidelines and supply chain security guidelines. These, along with SP 800-53, will form a triad of guidance for developing trustworthy systems.
Although the new publication is a major revision, Ross said there is not an urgent need for agencies to review and revise IT security controls.
“They should go through this on a lifecycle basis,” he said. Work should be prioritized by focusing first on critical systems and identifying security gaps that should be filled. “That can be done in a very methodical process. It doesn’t all have to be done immediately.”