The National Institute of Standards and Technology (NIST) released the final draft for version 4 of its Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53). On February 5, 2013, the 455-page document was posted for comment (until March 1, 2013). This most recent version is the culmination of two years of work and marks the most comprehensive update since the document’s first publication in 2005.
Work on the revision started two years ago, with the first public draft released in February 2012. The team at NIST is eager to get the final version released, expecting to publish by the end of April. Additional appendices will also be released, along with a markup of the changes from version 3.
Version 4 takes the changing threat environment into consideration, focusing on secure development as well as continuous monitoring. Along with an increased emphasis on privacy and system trustworthiness, the catalog of security controls has increased from 600 to over 850 controls. Another major difference in the newest revision is the guidance around tailoring to specific requirements.
While some of the new controls pertain to cloud computing, there is no separate catalog for cloud security in the document. Those security baseline controls were established by the General Services Administration’s FedRAMP, which drew from version 3 of SP 800-53 to shape cloud security requirements. While updates to the FedRAMP controls have been anticipated, it’s unclear how the program will be impacted. Although the program has awarded the first two provisional Authority to Operate (ATO) certifications, seventy-some cloud provider applications are still pending review. A major change to the baseline requirements at this point could significantly disrupt moving the program into its full operation phase.
Nonetheless, at a recent industry event, leadership from Homeland Security noted that they were reviewing their own security requirements for update in light of the NIST guidance. After all, security needs to keep pace with the advances technology has made over the past few years. Parallel to the shift in security practices, the revisions in the NIST update are aimed at supporting a strategy of “Build It Right, Then Continuously Monitor.” Ron Ross, who heads the federal government's implementation of FISMA, commented, "It's just as important to build a stronger IT infrastructure as it is to monitor it when it's in place."
With the Executive Order signed February 12th, the administration has reiterated a commitment to improving critical infrastructure, driven in part through government collaboration with industry and in part by the continued development of a cybersecurity framework by NIST. On February 13th, NIST announced that it would issue a Request for Information (RFI) to critical infrastructure providers, government organizations, industry and other stakeholders. It’s clear that government risk management and security requirements will continue to evolve. In the meantime, both cloud service providers and third-party assessment organizations should familiarize themselves with the new controls and consider the steps required to accommodate any additions or changes to their offerings.