The National Institute of Standards and Technology announced a revision of the federal government’s computer security guide, “Security and Privacy Controls for Federal information Systems and Organizations (SP 800-53)” (pdf). The update includes “eight new families of privacy controls that are based on the internationally accepted Fair Information Practice Principles,” NIST said. Also:
State-of-the-practice security controls and control enhancements have been integrated into the new revision to address the evolving technology and threat space. Examples include issues particular to mobile and cloud computing; insider threats; applications security; supply chain risks; advanced persistent threat; and trustworthiness, assurance, and resilience of information systems. […]
SP 800-53, Revision 4 also takes a more holistic approach to information security and risk management. The publication calls for maintaining “cybersecurity hygiene”—the routine best practices that help reduce information security risks—but also appeals for hardening those systems by applying state-of-the-practice architecture and engineering principles to minimize the impacts of cyber attacks and other threats.
Here’s the abstract from the report:
This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.