NIST Unveils Updated Guide to Privacy, Security Controls
Guidelines Describe How to Use 'Next Generation' of Controls
The U.S. National Institute of Standards and Technology this week released a long-awaited guidance update, Special Publication 800-53 Revision 5, describing "next-generation security and privacy controls" and how to use them.
It's the first time since 2013 that NIST has updated the document, which addresses the cybersecurity risks faced by federal government agencies as well as organizations in the private sector and offers guidelines on mitigating risks, protecting data and stopping breaches.
"This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations and the nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities and privacy risks," according to the document.
The update provides a list of security and privacy controls for managing IT systems, with a special emphasis on those that process or store personally identifiable information.
Ron Ross, a NIST Fellow and a co-author of the Special Publication 800-53 Revision 5 document, tells Information Security Media Group that the updated guidelines are designed to allow multiple users - whether they are system engineers or those looking to build security and privacy programs for their organization - to access a common set of controls to achieve their goals. (NIST uses the term "controls" to designate a specific capability used to safeguard information. For example, on the technical side, a control can be the deployment of encryption or two-factor authentication.)
"Now we have the only control catalog in the world that has both security and privacy controls in the same catalog," Ross says. "And some of those controls - I call them dual-purpose controls - can be used by both security and privacy programs."
NIST made several critical changes to help government and private organizations adopt what it calls "next-generation security and privacy controls."
These changes include new guidelines on strengthening existing controls within IT systems, and making them more adaptable to organizations using modern technologies and platforms, such as cloud computing, mobile devices and IoT devices.
By adopting these updated and enhanced controls, organizations can protect themselves from advanced persistent threats posed by hackers, the risks that come with collecting and storing personally identifiable information within IT networks and the vulnerabilities found in software and hardware, NIST says.
"The controls can be implemented within any organization or system that processes, stores or transmits information," according to the document. "It accomplishes this objective by providing a comprehensive and flexible catalog of security and privacy controls to meet current and future protection needs. The publication also improves communication among organizations by providing a common lexicon that supports the discussion of security, privacy and risk management concepts."
Federal agencies will be required to implement the new provisions and updates found in the updated guidance, according to NIST.
The updated document is designed to help government agencies, as well as their third-party contractors, meet the requirements under the Federal Information Security Management Act. The law requires U.S. government agencies to develop security standards for the IT systems they use.
Following the guidelines is voluntary in the private sector, but NIST encourages companies to adopt the new guidelines, just as many have already adopted NIST's Cybersecurity Framework (see: Highlights of NIST Cybersecurity Framework Version 1.1).
Ross says NIST is offering practical advice any organization can use to tackle security and privacy issues.
"These are some of the broadest sets of security and privacy controls in the world," Ross says. "The beauty of the catalog is that it's flexible and adaptable for every type of organization. ... You can go to the website and find the list of controls that your organization needs to fulfill a list of missions and obligations. These controls can be applied to any type of technology - whether it's an IoT device or power plant or an industrial control system or a supercomputer. You can apply the controls and help to deter a very determined threat actor."
Changes in the updated version of Special Publication 800-53 include:
- Guidance for information security and privacy controls that can be integrated into a seamless, consolidated control catalog for IT systems and their organizations;
- New standards for supply chain risk management and how to integrate these standards throughout an organization;
- New "state-of-the-practice" controls based on modern threat intelligence and the latest data from attacks, providing support for cyber resiliency, secure systems design, security and privacy governance as well as accountability;
- Improved descriptions of the relationship between requirements and controls as well as the relationship between security and privacy controls;
- Separation of control selection processes from the controls.
"The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States," the three authors write.
Managing Editor Scott Ferguson contributed to this report.