NIST Updates Control Baselines, Integrates Privacy

The U.S. National Institute of Standards and Technology (NIST) issues numerous standards, guides and directions on a wide variety of technology and security issues.

Most readers are familiar with the benefits provided by the Cybersecurity Framework and the NIST Computer Security Resource Center (CSRC). Governments around the world, as well as small, medium and large companies, have benefitted greatly from the excellent work produced by NIST on a wide variety of topics.

Recently Updated NIST Guidance

Over the past few months, NIST has released two very significant documents that deserve the attention of the cyber industry, both in the U.S. and worldwide.

First was the release of NIST SP 800-53 Rev. 5, entitled “Security and Privacy Controls for Information Systems and Organizations,” in September 2020. The abstract describes the document this way:

“This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.”  

NIST also posted a spreadsheet of the controls here.

Second was the release of SP 800-53B, entitled “Control Baselines for Information Systems and Organizations,” in October 2020. The abstract describes the document this way:

“This publication provides security and privacy control baselines for the Federal Government. There are three security control baselines (one for each system impact level—low-impact, moderate-impact, and high-impact), as well as a privacy baseline that is applied to systems irrespective of impact level. In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.”

Excellent Coverage of 800-53B and 800-53 Revision 5

I really like the coverage of these releases and related topics in this interview of NIST Fellow Ron Ross by Tom Temin for the Federal News Network. The interview session is called “NIST has a new cybersecurity companion guide,” and it is worth listening to or reading in its entirety.

Here is part of one answer from Mr. Ross: “It took quite a long time for us to bring this publication to its final state, which we did in September. And it’s really a remarkable update since revision four. And I like to remind everybody that revision four was downloaded over 20 million times from the time it was published in 2013. So it’s a very widely used publication, both in the federal space and in the private sector. But we had some great updates in the 2020 version, that one of the most important things we did is integrated privacy into the catalog of controls. We took all of the previous privacy controls that were in an appendix, and we integrated them throughout the catalog. And so now that catalog is a consolidated catalog fully staffed with both security and privacy controls.”

Here’s some other related news coverage of these new releases:

Final Thoughts

I urge organizations to examine these updates and consider updating appropriate internal policies and procedures in accordance with the new guidance. These updates have been a long time coming and there have been some significant changes, especially in the privacy area.

I especially want to highlight supply chain risk management. As Ross said, “we have a whole family of controls that are dedicated to helping protect the supply chain, which as you know is a critical aspect of our overall defense in depth and cybersecurity strategy.”

More to come in a future blog on supply chain risk management, but needless to say this is a critical area globally that is not covered at the level required by many. This NIST guidance will certainly help.   


Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.