NIST Draft Addresses Security Threats and Privacy Controls

Wednesday, March 07, 2012

David Navetta


Article by Richard L. Santalesa

NIST Releases Public Draft SP800-53 Addressing Cybersecurity Threats & Privacy Controls

Recently the National Institute of Standards and Technology (NIST) released the fourth revision of what will ultimately be a mainstay document for federal agencies required to comply with the provisions of the Federal Information Security Management Act (FISMA) and FIPS 200.

As a result, it should have a significant effect on federal cloud security practices, which will in turn also affect commercial, non-governmental cloud usage.

Weighing in at 375 pages, NIST's Special Publication 800-53, Rev. 4, entitled Security and Privacy Controls for Federal Information Systems and Organizations, is the first "public draft" of SP800-53 Rev. 4. Previous iterations of parts of SP800-53 were released essentially piecemeal (e.g., Appendix J, the Privacy Control Catalog, was earlier distributed separately).

Given the breadth and scope of SP800-53, follow-up posts will examine specific notable sections of this important NIST SP. In addition, the public comment period for SP 800-53 runs until April 6, 2012. Comments may be sent via email to sec-cert@nist.gov.

According to NIST, the major changes in this latest public draft include:

  • New security controls and control enhancements;
  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance;
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls.

NIST notes that "[m]any of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT)."

Interestingly, despite the cloud-heavy focus of many recent NIST SPs and reports, the release stresses that "in most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as 'cloud' or 'mobile computing' controls or placed in one section of the catalog."

In following posts I'll explore the ramifications of this orientation and examine why NIST's approach makes sense in light of the current infosec and threat landscape. We'll also dig through the expected additional markup versions of Appendices D, F and G following the comment period, as well as Appendices E and J, which contain the security and privacy controls. Stay tuned.

To discuss the latest SP800-53 public draft, or the expected implications of the recommended controls for your entity's security and data infrastructure, please feel free to contact me or any of the InfoLawGroup team of attorneys.

Cross-posted from InfoLawGroup
