The National Institute of Standards and Technology (NIST) has broadened an updated version of its security and privacy controls framework beyond federal agencies to include state and local government, the private sector and academia.
The wider view frames a refresh, one year in the making, of its authoritative document SP 800-53, newly retitled Security and Privacy Controls for Information Systems and Organizations. In this latest revision, the NIST removed the word “Federal” from the title of the catalog, which dates to 2005 and was last worked on in 2015. The revision's audience is expected to include enterprise-level security and privacy professionals and system engineers.
Federal agencies must by law comply with the security and privacy controls stipulated in the framework for all of their systems other than national security systems. The NIST regards controls as security and privacy safeguards—both technical and procedural—designed to protect systems, organizations and individuals.
The catalog was developed by a joint task force consisting of representatives of the civil, defense and intelligence communities. The NIST also intends for the updated publication to apply to securing the Internet of Things, said Ron Ross, NIST fellow, who led the team that wrote the document.
“The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same threats,” Ross told CyberScoop.
“There are whole other communities of interest out there that could benefit from using the controls in this catalogue on a voluntary basis,” he reportedly said. Ross added that the NIST wanted the rewrite to “feel more welcoming” to new audiences such as industry and academia.
The NIST outlined the thinking behind the rewrite in the publication’s opening pages:
"There are several key questions that should be answered by organizations when addressing their security and privacy concerns:
- What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk?
- Have the security and privacy controls been implemented or is there an implementation plan in place?
- What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation, but rather in the context of an effective risk management process for the organization that identifies, assesses, responds to, and monitors on an ongoing basis, security and privacy risks arising from its information and systems."
Here are some specifics of the revised draft, according to the NIST:
- Privacy is now fully integrated throughout the new draft. The revision covers the overlap in security and privacy for systems and also the ways they are distinct from one another.
- SP 800-53 Revision 5 adds two new control families that focus solely on privacy. The remaining privacy controls are integrated throughout the rest of the control families.
- The controls have been updated to address the needs of the more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers who are now working on privacy and security.