The Public Eye with Eric Chabrow

Early Look: New Controls NIST Will Offer

Cloud, Insider Threat, Mobility Controls on Horizon
Ron Ross becomes animated when discussing the next revision, due in December, of NIST's storied Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations. "This has been one of the most exciting projects I've worked on since the Joint Task Force started," Ross told me (see Ron Ross on NIST's New Privacy Controls), referring to the 2-year-old group of civilian-, defense- and intelligence-agency infosec experts working to produce a unified, federal IT security framework.

There are two reasons why this fires up Ross. First, stakeholders responded overwhelmingly to the National Institute of Standards and Technology's requests for suggestions to improve the controls' guidance. "Some of the best security professionals in the world provided really good recommendations," he said. Second, the revised guidance could represent a sea change in the way organizations approach risk management and IT security.

Besides privacy, Ross said, look for new controls involving insider threats - "one of the big ones." He specifically noted contributions made by the Software Engineering Institute at Carnegie Mellon University: "They have a great insider-threat research team up there; they've been working on this for over 10 years."

Other controls likely to be added to SP 800-53 deal with mobility, cloud computing, industrial control systems, application security and web applications. "We're looking deep down into the system," Ross said. "We have a security stack that goes from applications to middleware to operating systems, down to the actual firmware and hardware."

The revised guidance should put at the fingertips of NIST's customers - which go beyond federal agencies to include state and local governments as well as private-sector organizations - the most robust set of security and privacy controls yet, letting them assemble the exact safeguards their organizations need, he said.

"Having this kind of catalogue - I call it a parts bin - you can go find almost anything you need to stop certain types of cyberattacks," Ross said. "We're focusing on building more resilient systems, starting back at the architectural level, that, I think, is going to go a long way in really changing the whole way we're doing cybersecurity and risk management."



About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
