By Sese Bennett, guest blogger
The information security landscape is consistently changing. As new risks and mitigation strategies arise, frameworks must evolve or risk becoming irrelevant.
One of the more robust information security frameworks, the NIST-800-53, has consistently evolved to meet the information security needs of federal organizations, but now it’s expanding its reach.
The most recent revision to the framework, NIST-800-53-Rev-5, has been purposely revised to be more generally applicable to all types of organizations, including state, local and tribal governments as well as the public and private sectors. The revision also addresses a broader scope of systems, including industrial control systems, IoT devices, and other cyber-physical devices and systems.
According to Covington & Burling, “The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems.”
NIST has been transparent about this shift as well, specifically stating that one of the major changes to the framework is “separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners.”
If you’ve taken a look at the revised framework, you’ll notice something obviously different from Revisions 3 and 4…
It’s easier to read!
NIST has changed the structure of the controls to make them more easily readable, which seems to be an extension of the effort to make the framework more accessible to all types of organizations. Terms such as “the information system” and “the organization” have been replaced with simpler, more understandable wording that is focused on the outcome rather than on the actor.
Here’s an example.
Rev 4 (Control AC-3):
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Rev 5 (Control AC-3):
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Note the difference in the opening words: Rev 4 reads “The information system enforces”, while Rev 5 simply reads “Enforce”.
On the scale of a single control, this change isn’t huge. But overall, it makes the framework much easier to consume and clearly indicates a shift in focus from an advanced audience to a more general one.
In addition to making the framework more generally applicable, Revision 5 also places a higher emphasis on privacy. This revision seems to emphasize a seamless, holistic integration of security and privacy controls by combining the privacy and security controls into a single integrated appendix. Ease of use is also considered here, as privacy-only controls are differentiated from those controls that address both privacy and security.
This holistic view means, in large part, making information security an integrated part of business operations rather than an add-on or afterthought. Revision 5 also provides the much-needed feature of mapping Revision 5 controls back to standards that are commonly used by non-federal organizations. This alone should encourage the adoption of the standard by those organizations.
The emphasis on ease of use and wider integration is important, as it points to a necessary shift in the entire information security landscape. As threat actors become more sophisticated and companies store more and more sensitive data, protecting that data must become a continuous, integrated part of every business practice, lest organizations put themselves and their customers at huge risk.
Whether you’re hearing “NIST” for the first time or you’re all-too-familiar with the framework, we’d love to help you navigate the changes you may need to make to accommodate NIST-800-53-Rev-5.
Just click here to get in touch, and we’ll tell you exactly how we can help.