The National Institute of Standards and Technology recently rolled out Revision 4 of its SP 800-53 protocol that provides data compliance and security guidance to government agencies. The release marks the first update to the standard since 2005, and it includes new sections and appendices pertaining to cyber security and privacy.
Government bodies have long depended upon SP 800-53 to steer them toward compliance with the Federal Information Security Management Act, but can the protocol provide comprehensive guidance in the current threat environment? Recent IT phenomena such as cloud services and mobility initiatives have created many new attack vectors for cyber criminals.
Although SP 800-53r4 specifically addresses a broad range of issues, some observers have argued that it has been transformed into a document more concerned with check-box compliance than actual security. At best, they contend, following SP 800-53r4 to the letter will put agencies in a prime starting position to secure their assets, meaning that they will have to take additional – possibly nonstandard – measures in order to be adequately safe.
Still, NIST’s latest changes may represent useful codification of issues that have affected government IT for years. With tweaks that update guidance for issues like application security, SP 800-53r4 could maintain its spot as the public sector’s cyber security bible and ensure that all government organizations are on the same page.
NIST SP 800-53r4 addresses privacy and new cyber security risks
In early 2012, the Joint Task Force Transformation Initiative, which included the NIST, the Department of Defense, the Department of Homeland Security and members of the intelligence community, proposed the changes that would eventually turn into SP 800-53r4.
The initial set of revisions addressed the complementary relationship between privacy and security by adding a new appendix on the subject, and it also offered updated guidance on mobility, insider threats, supply chain risk management and cloud computing. Additionally, the draft pushed for government agencies to use data analytics to better understand and respond to the full range of threats.
“The changes we propose in Revision 4 are directly linked to the current state of the threat space – the capabilities, intentions and targeting activities of adversaries – and analysis of attack data over time,” FISMA Implementation Project Leader and NIST fellow Ron Ross stated at the time of the initial release.
Other specific changes included a revision to assurance guidance in Appendix E that altered the minimum requirements for security controls. Writing for InformationWeek, Vincent Berk remarked that FISMA and SP 800-53 both continue to stress the importance of classifying data in order to identity the most sensitive assets and protect them.
Possible issues with NIST SP 800-53r4
Criticisms of the 800-53r4 update have ranged from claims that its guidance is too obvious to the insinuation that it may be making agencies too complacent about security.
NoVA Infosec proposed that the update failed to add any essential new controls that agencies did not already have access to in the previous version, citing cyber security expert Dan Philpott’s observations on the SP 800-53r4 draft. Philpott pointed out that some of SP 800-53r4’s suggested mechanisms were not entirely new and observed that the document spent little time dealing with issues of application security.
Berk took a bolder line, arguing that SP 800-53r4 emphasizes compliance at the expense of security. More specifically, he stated that even agencies that achieve compliance with FISMA are not completely safe because of the sheer number of attack surfaces and vulnerabilities that they must confront.
Altering cybersecurity tactics to more fully account for attacker behavior may be the key to protecting assets within the current threat environment. However, Berk claimed that the defense-minded SP 800-53r4 did not give agencies a framework in which to adopt such a proactive approach.
“The truth remains, however, that we cannot simply expect the NIST guidelines to be a step-by-step recipe for achieving decent data security,” Berk posited. “Understanding the nature of the data at stake, and the risks to it, will be the most important step any agency can take to bolster the appropriate defenses. Simply putting up the wall might get the compliance checkbox checked, but it won’t make you that much more secure.”
NIST announces framework for private companies
What can government agencies do to be more secure? While some of Berk’s proposals seem sensible, creating real security in the public sector will still require adherence to a generally agreed-upon set of standards. If organizations instead take security into their own hands, they invite new risks that ultimately put everyone in danger.
There are still opportunities for the public and the cyber security community to contribute to standard frameworks. CNET’s Dara Kerr reported on the NIST’s recent unveiling of cybersecurity standards for private companies, as mandated by an executive order from U.S. president Barack Obama.
“The framework provides a common language for expressing, understanding, and managing cyber security risk, both internally and externally,” stated the draft version. “The framework can be used to help identify and prioritize actions for reducing cyber security risk and is a tool for aligning policy, business, and technological approaches to managing that risk.”
The holistic approach of this guidance for the private sector is promising. With feedback from professionals and companies, this framework can become an essential cyber security asset. Plus, it may serve as an example of how the NIST can work with others to improve SP 800-53 at the same time.