NIST’s New Draft SP 800-53: Broad Scope, Significant IoT Impact, and Short Comment Window
NIST has released Special Publication 800-53 Revision 5: Draft Security and Privacy Controls for Federal Information Systems and Organizations. This document purports to offer a “comprehensive set of safeguarding measures for all types of computing platforms.” Importantly, NIST has specifically highlighted that Internet of Things (IoT) devices are covered under this document. As an example, NIST states that the new IoT controls would require IoT sensors such as those used in traffic-monitoring cameras in smart cities to minimize the data captured about individuals “that’s not necessary for the traffic-monitoring system to carry out its function.”
The scope of the new draft is incredibly broad. NIST intends for this document to cover everything from general purpose computing systems to industrial/process control systems, including cloud and mobile systems and IoT devices. And even though the title of the document implies that its audience is federal systems, NIST is making clear, both in the document and in its discussions of the document, that 800-53 can be used by all kinds of organizations, both public and private. As NIST describes: “the latest draft goes beyond both information security and the federal government to address ways all kinds of organizations can maintain security and privacy in their interconnected systems.”
The main changes from the last revision of 800-53, which was published in April 2013, as outlined by NIST, include:
- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Fully integrating the privacy controls into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest, including systems engineers, software developers, enterprise architects, and mission/business owners;
- Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.
NIST is asking for a quick turnaround for public comments. The draft was released on August 15; comments are due September 12. That is less than a 30-day comment window. Following comments, NIST plans to release a final draft in October, and a final version no later than December 29 of this year.