  • Your Supply Chain Security Deadline is Looming

    If your organization has a contract with DoD and that contract contains the DFARS 252.239-7018 clause, you have until 31 December of this year to implement the requirements specified in NIST Special Publication 800-161. What is driving this emphasis on supply chain security? An increasing trend in cyber-attacks on DoD contractors via the supply chain. ...

  • The Evolution of Continuous Monitoring

    When organizations first started efforts towards FISMA compliance, the requirement of Continuous Monitoring (CM) was interpreted at a high level. To most organizations, CM meant conducting quarterly risk assessments, periodic vulnerability scanning, and annual FISMA assessments. However, with the emergence of cloud computing and FedRAMP, CM began to be viewed as a more vital component ...

  • Have You Google Hacked Your Site Yet?

    Sometimes organizations store files on their web sites that they believe are not accessible to the general public. As part of ongoing vulnerability scanning and pen testing it is also good to add Google Hacking to your tool box. Google Hacking involves using the Google search engine to identify vulnerabilities in websites. A multitude of ...

  • Classical FISMA versus the Risk Management Framework: System Categorization and Control Selection

    System categorization and control selection is a key component of FISMA which can greatly impact the level of effort. Depending on whether you are using the classic FISMA approach or the Risk Management Framework, it is critical you get it right. The following discusses this process under both scenarios. System categorization is the process of ...
  • The Latest News On NIST 800-53 Revision 5

As always, we like to keep you up to date on the latest federal government security requirements. The planned release of NIST 800-53 Revision 5 Security and Privacy Controls for Systems and Organizations has been delayed and is still in internal review.

The key objectives of this standard are to provide a comprehensive set of safeguards that make systems more resistant to attack, limit the damage from any attacks that do occur, and increase system survivability. The following is the latest information from the NIST Computer Security Resource Center (CSRC) regarding the changes expected in Revision 5.

“Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes significant changes to make the controls more consumable by diverse groups including, for example, enterprises conducting mission and business operations; engineering organizations developing systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:

  • Making the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
  • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects, and mission/business owners;
  • Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
  • Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
  • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability…”

We will keep you updated on any changes to the Revision 5 schedule via future newsletters and our web site. Keep in mind that the version that was due to be released in March was still a draft version for outside review. Any changes based on Revision 5 do not need to be fully implemented by your organization until one year after the final version of the standard is released. But, as we all know, if a control makes your systems more secure, the sooner it is implemented the better.