NIST testing automated delivery of new security controls
Starting this summer, the National Institute of Standards and Technology will begin to automate delivery of revisions to Special Publication 800-53.
A "web-based, automated content control development and delivery system" is in beta testing now, according to NIST Fellow Ron Ross, who said he expects the “revolutionary and groundbreaking” process to building consensus to be ready sometime this summer.
"We're basically not going to wait five or six years to update 800-53," he said at FCW's Jan. 27 Cloud Security Workshop. "We're going to have an online development process where you can propose new controls ... and when the controls have gone through enough of that public review and vetting, we will then pull the trigger and put that control into the catalog."
The new system will allow users to automatically download controls in different formats so they can be directly integrated with security support tools. “It's just a great way to make the delivery quicker, more efficient and really help our customers get that real time information they need to do a better job in protecting their systems and organizations.” he said.
Traditionally, creating standards “has been a fairly slow process,” Ross said, but now “you’ve got to be nimble and agile and move at the speed of the adversary” without impacting quality.
Stakeholders will have to adjust their approach to reviewing as well -- effectively moving from a waterfall process to a DevOps tempo. Real-time interactions with customers whose needs and challenges are rapidly changing, will help NIST build better safeguards.
This new approach to standards development will require a new mindset for engaging customers and stakeholders, but the pandemic has taught us to use technology in new ways, Ross said.
He was confident it would be a change for the better. "We're never going to sacrifice quality or our customer interaction," Ross said, "no matter what kind of process we use."
Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.
Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.
Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.
Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.