Stop Freaking Adding New NIST Controls – They Are Not Needed

I came across an article over at where they interviewed Ron Ross about the future of Special Publication 800-53. As most of you have probably heard, there is a draft appendix that contains a bunch of new privacy controls. We discussed this a while ago, mentioning how in most cases new controls are not needed. But guess what? They’re not finished yet. In the interview Mr. Ross mentions adding several new controls to address fads like Cloud.

To further complicate matters, many agencies treat NIST guidance as gospel and require systems to meet all controls. So adding new redundant controls could increase the cost of getting systems approved and maintained under FISMA. We already have Congress breathing down our necks about how much each piece of paper costs … new controls are just going to create additional pieces of paper.

Now, I’m not saying we don’t need controls for technologies associated with these terms du jour, but we do need to be very careful about adding too many fad controls. My recommendation is to boil these new technologies down to their core components and have controls only for those. In many cases you’ll find NIST already has controls addressing these core components. For core components that are not present, first try broadening existing similar ones. If that approach doesn’t work, then a new control may be in order. Also, to satisfy people who want to refer to the current fad terms, I suggest creating an appendix that does nothing more than group the core controls that compose these technologies.

Beyond cloud, NIST plans to create new controls addressing Insider Threats, Mobility, Industrial, Application, and Web Applications. Now, I wouldn’t call these fads per se; however, like cloud, if you break these technologies down into their core components, there will be a lot of overlap or similarities with existing controls.

Well, the good news is that we all get to comment on these NIST guidelines … so for now go review the Privacy draft appendix [PDF] and shoot your suggestions over to [email protected] to let them know what you think by September 2nd.


Ron Ross becomes animated when discussing the next revision, due in December, of NIST’s storied Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations. “This has been one of the most exciting projects I’ve worked on since the Joint Task Force started,” Ross told me (see Ron Ross on NIST’s New Privacy Controls), referring to the 2-year-old group of civilian-, defense- and intelligence-agency infosec experts working to produce a unified, federal IT security framework.

Besides privacy, Ross said, look for new controls involving insider threats – “one of the big ones.”

Other controls likely to be added to SP 800-53 deal with mobility, cloud computing, industrial controls, application security and web applications.

Continued here.

##### also did a follow-up interview with Mr. Ross. Here is the transcript for those interested.
