March Updates on Frameworks & Standards

Last month I posted some information on several information security frameworks/standards being updated, and since then there have been updates on all of them.  So here we go:

  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Not clear when.  They have also set a tentative date for the 2018 workshop as September 11-13 in “the DC area”.  Now NIST headquarters is in Baltimore, so does that count as the “DC area”?  I should also point out that NIST has done a great job of revamping their NIST CSF website, with some more info.
  • NIST SP 800-53 and 800-37.  NIST is also working on updates for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security.  SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  As I had noted, the original plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it slipped.  We were promised that they would re-assess and put out new dates, which they have:
      • NIST Special Publication 800-37, Revision 2 (Risk Management Framework)
          • Initial Public Draft: May 2018
          • Final Public Draft: July 2018
          • Final Publication: October 2018
      • NIST Special Publication 800-53, Revision 5 (Security and Privacy Controls)
          • Final Public Draft: October 2018
          • Final Publication: December 2018
      • NIST Special Publication 800-53A, Revision 5 (Assessment Procedures for 800-53)
          • Initial Public Draft: March 2019
          • Final Public Draft: June 2019
          • Final Publication: September 2019
      • FIPS Publication 200, Revision 1 (Minimum Security Requirements)
          • Initial Public Draft: October 2018
          • Final Public Draft: April 2019
          • Final Publication: July 2019
      • FIPS Publication 199, Revision 1 (Security Categorization)
          • Initial Public Draft: December 2018
          • Final Public Draft: May 2019
          • Final Publication: August 2019
  • CIS Critical Security Controls.  Better known as the “SANS Top 20”, the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  They put out a draft of v7 with a short comment period, and are rolling out v7 on March 19th in DC (or you can attend on-line).  So that is pretty quick.

The only thing I am concerned about is that both SP 800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Informational References in the CSF be updated to these new versions?  I hope they will be.  Now NIST has on their new CSF website an on-line version of the Informational References that allows them to expand them.  Though why they didn’t include the HIPAA crosswalk here I don’t know.  Still awaiting the official PCI-CSF crosswalk to be made available as well.

As I learn more about these new updates, I’ll be blogging about them.  I look forward to getting my hands on v7 of the CSC due to what I read in the draft version.

*** This is a Security Bloggers Network syndicated blog from Michael on Security authored by Michael R. Brown. Read the original post at: