Early Look: New Controls NIST Will Offer
Cloud, Insider Threat, Mobility Controls on Horizon

Ron Ross becomes animated when discussing the next revision, due in December, of NIST's storied Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations. "This has been one of the most exciting projects I've worked on since the Joint Task Force started," Ross told me (see Ron Ross on NIST's New Privacy Controls), referring to the 2-year-old group of civilian-, defense- and intelligence-agency infosec experts working to produce a unified, federal IT security framework.
There are two reasons why this fires up Ross. First, stakeholder response to the National Institute of Standards and Technology's requests for suggestions to improve the controls' guidance has been overwhelming. "Some of the best security professionals in the world provided really good recommendations," he said. Second, the controls' guidance could represent a sea change in the way organizations approach risk management and IT security.
Besides privacy, Ross said, look for new controls involving insider threats - "one of the big ones." He specifically noted contributions made by the Software Engineering Institute at Carnegie Mellon University: "They have a great insider-threat research team up there; they've been working on this for over 10 years."
Other controls likely to be added to SP 800-53 deal with mobility, cloud computing, industrial controls, application security and web applications. "We're looking deep down into the system," Ross said. "We have a security stack that goes from applications to middleware to operating systems, down to the actual firmware and hardware."
The revised guidance should place at the fingertips of NIST customers - which go beyond federal agencies and include state and local governments as well as private-sector organizations - the most robust set of security and privacy controls that will allow them to create the exact type of security and privacy safeguards their organizations need, he said.
"Having this kind of catalogue - I call it a parts bin - you can go find almost anything you need to stop certain types of cyberattacks," Ross said. "We're focusing on building more resilient systems, starting back at the architectural level, that, I think, is going to go a long way in really changing the whole way we're doing cybersecurity and risk management."