GovDefenders Wednesdays | Revisiting the changes in NIST SP800-53
The National Institute of Standards and Technology (NIST) has published the fourth revision of the cybersecurity guide, Security and Privacy Controls for Federal information Systems and Organizations - or "SP (Special Publication) 800-53".
This revision is a result of two years of concerted collaboration, including working with the CIO Council to craft the new privacy controls. The revisions aim to address potential gaps in coverage, add new security controls and control enhancements, and provide much needed additional supplemental guidance. The tailoring guidance, coupled with overlays, make it straightforward for IT enterprises to create security plans and policies.
The new controls focus on privacy – as being distinct from, but interrelated with, security -- and provides a structured set of controls that specifically address compliance with privacy requirements. This is good for the market because it provides a structured approach to meet those requirements. Further, it also provides controls that help verify compliance with privacy requirements and provides reassurance on what that the market needs in order to transact business with an improved level of confidence.
The new tailoring guidance allows organizations to align the controls more closely with their environment’s specific conditions. Organizations now have the flexibility to perform the tailoring process at the organization level, mission/business process level, the individual information system level, or by using a combination of them. This new guidance enables organizations to use the tailoring process to achieve cost-effective, risk-based security that supports organizational business needs.
The introduction of the concept of overlays - a fully-specified set of security controls, control enhancements and supplemental guidance - allows IT enterprises to simplify development of security plans. In essence, overlays are intended to reduce the need for customized guidelines. They bring an opportunity to build consensus among enterprises’ various departments by enabling increased collaboration, resulting in operational efficiencies.
The basics of cybersecurity don't change over time, but SP 800-53 re-frames how to apply security controls for new threats. Threats have changed considerably since NIST released SP 800-53 rev 3 and the newly-introduced controls draw heavily from actual attack reporting data from agencies. NIST SP 800-53 rev 4 guides enterprises in building stronger, resilient IT systems with sufficient security capability to protect core missions. As industry implements the new controls, improvements in secured computing will lead to heightened confidence in our inter-connected ecosystem by creating an opportunity for resellers and contractors that are knowledgeable about the revised publication to lead the federal community into the next stage of secured computing.