Using the new NIST standards in private industry

NIST is in the process of finalizing updates for two important information security standards: NIST 800-53 Rev. 5 (“Security and Privacy Controls for Federal Information Systems and Organizations”) and NIST 800-37 Rev. 2 (“Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems”). These updates will be familiar for anyone who has to comply with FISMA, but in this post I want to summarize the implications for private industry. In summary, NIST is trying to make its standards broadly applicable outside the federal space; as a result these standards represent the most current “best practices” we have on managing security risks.

I was inspired to write this post by the recent webinar, hosted by Tripwire, in which Dr. Ron Ross of NIST summarized the intentions of the standards updates. I recommend you listen to it here. For users outside the federal government, the changes in these revisions represent updated “best practices” that you can apply. I’m going to note both high level and detailed changes that caught my attention.

So what are the changes? At a high level, SP 800-53 now has removed most of the references to “federal.” The goal is to make it easier for private industry to use this control catalog. Many in industry are already using the NIST CSF; this maps to the 800-53 controls. A second big change is the incorporation of privacy controls on an equal footing with security controls. This will make it easier for privacy professionals and security professionals to collaborate on risk management. Hopefully we will end up with a common controls language, not today’s tower of babel. A third significant change is that 800-53 removed references to the NIST 800-37 document. The goal was to enable private industry to use the control catalog, without having to use the NIST RMF.

High level changes to 800-37 include adding a new risk management phase:  “preparation.” This could help implement the concepts of “build security in.” It also may serve a similar function to “Context Establishment” in ISO 27005, “Information Security Risk Management.” At this point, I don’t have further details on 800-37 Revision 2, since it has not been released for comments.

But going back to the draft Revision 5 version of 800-53, several detailed changes caught my eye. I regard these as controls you should be already using or considering for your security program. I’m going to look at changes that apply to “moderate” impact system, which account for most systems deployed. I’ll look at the privacy controls in a separate post. You can read the entire new draft here. 

• Awareness Training (AT-2): Added mandatory training on social engineering.  Since this is probably the biggest attack vector you should be doing this.
• Continuous Monitoring (CA-7): Added a control for continuous risk monitoring, including control effectiveness monitoring, compliance monitoring and change monitoring. Right now everyone does regular monitoring of logs. This control goes further and is looking for continuous compliance.
• Least Functionality (CM-7): Added a control requiring application whitelisting.  According to the Australian Signals Directorate (ASD) this is the top control of four, to prevent cybersecurity breaches.
• Information Location (CM-12): This one may seem obvious, but is a new control for Rev. 5. With most people thinking about systems and software, it is a good addition.
• Identity Proofing (IA-12): Another new control, requiring organizations to set up identify assurance levels and verify identity evidence.
• Baseline Selection and Baseline Tailoring (PL-11 and PL-10): Both are new controls that align with the language in the NIST CSF. CSF recommends selecting a target profile after determining the current profile. These profiles then can be mapped to the corresponding 800-53 controls.
• Risk Assessment (RA-3): Added specific control to require supply chain risk assessment.
• Criticality Analysis (RA-9): Added the requirement to identify critical system components and functions. Not all parts of all systems need equal protection.
• Supply Chain Risk Management (SA-12): You should already be doing this.

Based on my experience many of these are being done in industry already. But the Revision 5 document forms a good reminder for everyone. The best thing is to review the markup, so you can see changes that might affect you. The most significant change, in my mind, is continuous monitoring. When we get to continuous risk monitoring and continuous compliance, then we will be an order of magnitude more secure.