NIST releases draft guidance regarding security and privacy controls

August 7, 2014

The US National Institute of Standards and Technology has released a draft update to its guidance “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” (SP 800-53A, Revision 4).  Public comment is being sought until 26 September 2014.  The document is very influential within the USA, and its reach extends well beyond it.

The NIST announcement of the draft provides:

NIST announces the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Initial Public Draft). SP 800-53A is a Joint Task Force publication and a companion guideline to SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

This update to SP 800-53A contains significant changes to the 2010 version of the publication in both content and format. The changes have been driven by four fundamental needs of federal agencies:

    • The need for new or updated assessment procedures for the security controls and privacy controls defined in NIST SP 800-53, Revision 4;
    • The need for a more granular breakdown of assessment objectives to support continuous monitoring and ongoing authorization programs;
    • The need for a more structured format and syntax for assessment procedures to support the use of automated tools for assessment and monitoring activities; and
    • The need to support assessments of security capabilities and privacy capabilities and root cause analysis of failure modes for individual security or privacy controls or groups of controls.

By addressing the above needs, organizations will have the flexibility to: (i) define specific parts of security controls and privacy controls requiring greater scrutiny; (ii) more effectively tailor the scope and level of effort required for assessments; (iii) assign assessment and monitoring frequencies on a more targeted basis; and (iv) take advantage of potential new opportunities to conduct assessments of security or privacy capabilities including analysis of control dependencies.

There have also been some significant improvements in the current security assessment procedures based on feedback from federal agencies reflecting lessons learned during the conduct of actual assessments as part of the Risk Management Framework (RMF) process. The improvements include, for example, clarification of terminology, expansion of the number of potential assessment methods and assessment objects on a per-control basis, and a simpler decomposition of assessment objects to align more closely with control statements.

In addition to the above, privacy terminology has been integrated into SP 800-53A in a manner that is complementary to and supportive of the privacy controls defined in SP 800-53, Appendix J. While security and privacy disciplines are distinct programmatic entities, there are also important dependencies between those entities—highlighting the need for the programs to complement one another to ensure the security and privacy goals and objectives of organizations are satisfied. As with any transformation, there will be changes in this publication and other supporting publications as the privacy integration moves forward and is completed. Privacy assessment procedures are not included in this draft. The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.

The changes to the current security assessment procedures in SP 800-53A and the future privacy assessment procedures should result in significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies. Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions.

Please note that NIST has made a one-time change in the revision number of SP 800-53A (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-53.

Inforisktoday covers the release in “NIST Revising Key Security Controls Publication”, which provides:

The National Institute of Standards and Technology is updating its guidance that helps organizations assess their IT systems to determine which security and privacy controls to adopt.

Just before midnight on Aug. 1, NIST issued a draft of SP 800-53A Revision 4, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.”

The draft furnishes a set of procedures to conduct assessments of security and privacy controls used by U.S. federal government information systems and organizations. But NIST guidance is often adopted by other governments and businesses worldwide.

NIST says the changes in the draft have been driven by four fundamental needs of federal agencies to:

  • Provide new assessment procedures for security and privacy controls defined in its previously issued guidance,
  • Furnish a more granular breakdown of assessment objectives to support continuous monitoring and authorization programs,
  • Facilitate a more structured format and syntax to assess procedures that support the use of automated tools for assessment and monitoring activities and
  • Support assessments of security and privacy capabilities and root-cause analysis of failure modes for individual or groups of controls.

Flexibility, Cost-Effectiveness

By addressing these needs, NIST says organizations will have the flexibility to define specific parts of security and privacy controls requiring greater scrutiny; more effectively tailor the scope and level of effort required for assessments; assign assessment and monitoring frequencies on a more targeted basis; and take advantage of potential new opportunities to conduct assessments of security or privacy capabilities, including analysis of control dependencies.

NIST Fellow Ron Ross, principal author of the guidance, says the changes to the security and privacy assessment procedures should result in significant improvements in the efficiency and cost-effectiveness of control assessments.

“Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions,” Ross says.
