The National Institute of Standards and Technology warned there is an urgent need to strengthen the trustworthiness and resilience of the information systems, component products, and services that we as a nation depend on in every critical infrastructure sector that support the economic and national security interests of the United States.
The final public draft revision of NIST Special Publication 800-53 presents a proactive and systemic method to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices, NIST reported in a release.
Those safeguarding measures include the security and privacy controls to protect the critical and essential mission and business operations of organizations, the organization’s high value assets, and the personal privacy of individuals. NIST said, “the objective is to manage mission, business, and system risks for organizations, making the systems we depend on more penetration-resistant to cyber-attacks; limiting the damage from those attacks when they occur; making the systems cyber-resilient and survivable; and protecting the security and privacy of information.”
Summary of changes to Revision 5:
Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:
• Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
• Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
• Adding two new control families for privacy and supply chain risk management;
• Integrating the Program Management control family into the consolidated catalog of controls;
• Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
• Separating the control catalog from the control baselines;
• Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
• Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to: Strengthen security and privacy governance and accountability;
• Support secure system design; and
• Support cyber resiliency and system survivability.
The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives.
However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.
Feedback Requested
Reviewers should refer to the “Notes to Reviewers” that begins on page v of this draft. NIST requests feedback on: (1) the updates to the control catalog identified above; and (2) the concept of including a collaboration index for each control. The index aims to indicate the degree of collaboration between security and privacy programs for each control. This collaboration index is a starting point to facilitate discussion between security and privacy programs since the degree of collaboration needed for control implementation for specific systems depends on many factors.
For purposes of review and comment, three control families are identified as notional examples: Access Control (AC); Program Management (PM); and Personally Identifiable Information Processing and Transparency (PT). The notional examples are provided as a “Notes to Reviewers Supplemental Material” section at the end of the document, following Appendix D.
Your feedback on this NIST draft publication is important.
“The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers,” NIST said.
NIST is planning a webcast to provide an overview of the changes in Revision 5. More information will follow.
Supplemental Material:
Comment template (xls)
Summary: Significant Changes from Rev. 4 (pdf)
OSCAL version of 800-53 FPD controls (other)
The public comment period for this draft is open through May 15, 2020. Please use the comment template for organizing and submitting comments. Email comments to: sec-cert@nist.gov