2 May 2013
On April 30th, 2013 the National Institute of Standards and Technology (NIST) issued their latest version of essential guidance: Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Led by Ron Ross, a NIST fellow and the project leader, a team of computer scientists spent the past two years developing this latest 457-page revision.

One of the Essential Themes of the New Guidance

Mr. Ross indicated that a key theme in the new guidance is the “reintroduction of the notion of assurance, or trustworthiness of information systems.” The bottom line is that organizations will now be under higher scrutiny in terms of how effective they are at identifying vulnerabilities and security weaknesses in systems, which directly affect their ability to assure the trustworthiness of their information systems.

Mr. Ross explained that, “Assurance has been rebranded to make the argument that you can associate certain security controls with assurance, and you can associate certain ones with functionality. The assurance ones are important because they really do talk to quality, and that’s important to reduce the number of latent errors that are in our software programs that lead to vulnerabilities, which can lead to systems being breached. That’s a very big investment. I call it the down payment on the future of our build-it-right part of the strategy.”

Ross’s group understands the importance of how new cyber threats prey on the weaknesses inherent in many of today’s commonly used software applications and operating systems when not properly developed, installed, and maintained with patches and security updates. While the guidance has always provided a roadmap to compliance, it’s the recent ever-expanding threat landscape that has forced further granularity and emphasis in this area.
Today’s security threats demand more than a basic annual IT Security Assessment; they mandate a strategic shift towards audit depth and quality to root out weaknesses, so that organizations can truly ensure the privacy and protection of customer data.

Additional Key Changes Found in the Revised Guidance:

- Assumptions relating to security-control baseline development;
- The ability to tailor the controls to align with the enterprise’s mission;
- Additional assignment and selection statement options for security and privacy controls;
- Descriptive names for security and privacy control enhancements;
- Consolidated tables for security controls and control enhancements by family with baseline allocations;
- Tables for security controls that support development, evaluation and operational assurance;
- Mapping tables for international security standard ISO/IEC 15408, known as the Common Criteria.