No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out
The National Institute of Standards and Technology has removed the word “federal” from the title of its magisterial catalogue of cybersecurity and privacy controls — one of a series of proposed changes they rolled out this week after a long delay.
“The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same [cyber] threats” as a result, said NIST Fellow Ron Ross.
As they were doing the re-write — a year-and-a-half long process — the authors realized that in addition to their traditional “customer base” in the federal agencies mandated by law to use the controls in the catalogue, there were many others who might find it useful.
So they changed the name of the catalogue, known as NIST SP-800-53, from Security and Privacy Controls for Federal Information Systems and Organizations, by cutting the word federal. SP 800-53 was last revised in 2015, although the last full rewrite was two years before that.
“There are whole other communities of interest out there that could benefit from using the controls in this catalogue on a voluntary basis,” Ross, one of the chief authors of the new draft, told CyberScoop. “We wanted [the new draft] to feel more welcoming for those new customers … including industry and academia” and even stretching beyond the borders of the U.S. “There is a global audience” for this kind of material, Ross said.
Other changes, all of which have been long flagged, include the integration of privacy controls into the catalogue, which made it “unique,” said Ross. “There isn’t another document out there … so comprehensive … that integrates cybersecurity and privacy” into a single guide.
This is especially important, explained Ross, with the burgeoning growth of the Internet of Things. “If you’re designing and IoT device or a smart home appliance … pushing all that computing power to the edge [of the network] … traditionally, it’s been security — confidentiality, integrity, availability — that’s been the concern, but now [with IoT and smart home devices] there is personal data in there, and a need for privacy, too … they’re mutually reinforcing.”
Personal identifying information, or PII, like Social Security numbers or dates of birth, will be rendered more secure by cybersecurity controls. “But there are questions you have to ask about PII that you don’t [with other types of data], like: How information about users should I collect? How long should I keep it? What should I use it for?” There were even joint controls — that protect both privacy and security — in the new catalogue.
“The days are long gone when [privacy and security] can be considered separately,” Ross said, “we’re bring the two communities [— of cybersecurity and privacy engineers —] together.”
But he added that — in the federal government — privacy and cybersecurity had different legislative bases and “will always be different to some degree” as a result.