New version … time for everyone to update their paperwork… In the first major update since 2005, NIST has released the official version of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Packed with new goodies covering supply chains, web apps, cloud, insider threats and privacy, the 457-page document is the go-to bible for government agencies, whether they follow it directly or indirectly.
It’s nice that they added specific controls/families covering these new areas; however, we’ve always been of the belief that all the necessary security controls were already there. All you had to do was combine the existing ones in different ways to address these new areas. But hey … at least it’s now officially buzzword compliant…
The National Institute of Standards and Technology has rewritten federal cybersecurity standards for the first time in nearly a decade to address evolving smartphone vulnerabilities and foreign manipulation of the supply chain, among other new threats.
The 457-page government computer security bible, officially called “SP (Special Publication) 800-53,” has not undergone a major update since its inception in 2005. That was long before the rise of advanced persistent threats — infiltrations that play off human failings to linger in systems until finding sensitive data.
Agencies are not required to follow all the specifications, but rather choose among the protections that suit their operational environments, such as space in the case of NASA.
Congressional reports indicate that foreign adversaries have attempted to corrupt the supply chain at some point between agency system design and operation to disrupt or spy on the government. To protect critical computer parts, the compendium recommends sometimes withholding the ultimate purpose of a technology from contractors by “using blind or filtered buys.”
Anyway … grab your very own copy of NIST SP 800-53 Rev 4 (PDF) and give it a read. And on May 7th NIST plans to release a marked-up version for anyone who’s interested in seeing exactly what changed from Rev 3.
Any thoughts on the new version? Let us know in the comments below. Today’s post pic is from ContinuityCompliance.org. See ya!