• SMS-Messaging Patients is Easy – But is it HIPAA Compliant?

    Mr. Bedman, a new homecare patient, isn’t feeling well. So his daughter texts a nurse at his physician’s office. The nurse texts back with questions about symptoms and activity levels, and receives a reply prompting the nurse to consult with the doctor. After a few moments the nurse returns a text to the daughter with ...

  • Does Your Business Need to Comply with GDPR?

    The requirements of the European Union's General Data Protection Regulation (GDPR) for US companies that collect, maintain or process EU citizens' personal data will be significant, and compliance is not optional. When GDPR takes effect on May 25, 2018, the European Commission will enforce the regulation around the world through the administration of major fines. ...

  • Your Vendor, Your Responsibility: 10 Key Elements for Vendor Selection Criteria

    Supplier and vendor vetting is a critical security activity that is sometimes treated lightly by even the most secure organizations. If you share client data with your vendors, it is imperative that they have at least the same level of security as your organization. Vetting activity can be performed in-house or can be outsourced ...

  • The Deadline for SP 800-171 Has Come and Gone: What to Know and Do If You Missed It

    For government contractors who deal with Controlled Unclassified Information (CUI), the deadline for compliance with DFARS 252.204.7012/NIST SP 800-171 came and went on December 31, 2017. Did you make it? The purpose of 800-171 is basically two-fold: To ensure that those who handle CUI have in place standardized security procedures, allowing the government to assess ...


Winter is Coming

Reminder: The planned winter release of NIST 800-53 Revision 5, Security and Privacy Controls for Systems and Organizations, now has a date: December 27, 2018. The draft version is available at https://csrc.nist.gov/News/2017/NIST-Release-First-Draft-SP-800-53-Rev-5, and the last public draft for final review is out on September 14, 2018. We recommend that you start reviewing it now so you will know ahead of time how the new standard impacts your current implementation and support documentation.

The key objectives of this standard are to provide a comprehensive set of safeguarding measures that make your systems more resistant to attacks, limit the damage from any attacks that do occur, and increase the systems' survivability. The following is the latest information from the NIST Computer Security Resource Center regarding the changes expected in Revision 5:

  • Making the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
  • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
  • Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
  • Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
  • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.