The first day of the Internet Security and Privacy Advisory Board’s (ISPAB’s) three-day quarterly meeting included a presentation by Dr. Ron Ross on NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. The meeting is being held on the NIST campus in Gaithersburg, MD.
The central theme of Dr. Ross’ talk was that SP 800-53 Rev. 4 supports “A New Cyber Defense Vision — Build it right — Continuously Monitor.” For more information about the continuous monitoring aspects of the presentation, please see “Build it right — Continuously Monitor” on FISMA Focus’ Continuous Monitoring Discussion Forum.
The presentation discussed Rev. 4’s support for the key elements of cyber defense:
- Incorporating cyber security requirements, principles and concepts (through integrated project teams) into — (a) Enterprise architecture, (b) Systems engineering processes, and (c) Acquisition processes.
- Employing architecture, engineering and acquisition to develop stronger and more resilient information systems and system components.
Dr. Ross’ discussion of cyber defense noted that there are two types of protection strategies: Boundary Protection, to keep attackers outside the defensive perimeter, and Agile Defense, to keep operations going while under attack and the attacker is inside the defensive perimeter.
One of the reasons for updating SP 800-53, in addition to incorporating new empirical data on attacks, emphasizing the importance of security assurance and trustworthiness and providing tailoring for specific environments/missions, was to address gaps in the security control catalog. Gap areas addressed in Rev. 4 include:
- Insider threat;
- Application security;
- Supply chain risk;
- Security assurance and trustworthy systems;
- Mobile and cloud computing technologies;
- Advanced persistent threats;
- Tailoring guidance and overlays; and
The types of overlays discussed by Dr. Ross include: communities of interest such as health care, law enforcement and intelligence; information technologies such as PKI and SmartGrid; industry sectors; environment of operations; types of information systems such as industrial control systems; and types of mission/operations, such as R&D and first responders.
Significant changes were made to security controls and control enhancements to support trustworthiness and assurance. Appendix E (Trustworthiness and Assurance) of 800-53 has been completely reworked to increase its usability.
Dr. Ross also discussed OMB policy changes, particularly with respect to the use of continuous monitoring instead of the three year security reauthorization process. In support of new information management needs, OMB Circular A-130 is currently being revised.