Initial observations on Revision 3 of SP800-53

NIST last week released the final version of Revision 3 of its Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” This update has a number of interesting characteristics beyond the simple count of controls in the latest version of the 800-53 framework, which serves as the basis for selecting the controls to be used in federal computing environments and for evaluating those controls during the certification and accreditation of information systems. The new release is among the first final products of a NIST-managed effort to incorporate the perspectives of civilian, defense, and intelligence agency security programs into a single control framework applicable to all federal agencies. (A separate but related effort will standardize the certification and accreditation process by reconciling aspects of the DIACAP process favored by the Department of Defense with the civilian agency guidance in Special Publication 800-37.) The influence of DOD and intelligence community contributions is evident in the new 800-53, especially in the System and Communications Protection family, where nearly a third of the controls new to the framework appear.

Overall, the most notable change may be the expansion of 800-53 to begin addressing agency security programs in addition to information systems. The obvious sign of this is the addition of an 18th security control family, “Program Management,” but the change in scope is apparent even in the title of the document, which in its two previous versions did not include the words “and Organizations.” This change is consistent with a need now recognized in Congress as well as among agencies: the existing emphasis on information system security fails to address the overall effectiveness of the agency information security programs mandated by FISMA. While the vast majority of current federal security standards and guidance still focuses on information and information systems (with little or no attention to business processes or programs), subtle changes in language and tone in 800-53 and in other recent drafts such as Special Publication 800-39, “Managing Risk from Information Systems: An Organizational Perspective,” suggest that NIST is moving away from this narrow system focus in order to raise the visibility of enterprise risk management and information assurance functions. Another significant new feature is a prioritization code (1 to 3) on each control indicating which controls to address first. These codes do not obviate the need to implement every control required by the security categorization of an information system, but they seem to be a practical recognition that you cannot address everything at once.

In the aggregate, the number of security control families went from 17 to 18, with 34 new controls added and seven withdrawn, bringing the total number of controls across all families to 198. Keep in mind that the deltas do not tell the whole story: some controls were renamed or had their emphasis changed, so organizations will need to revisit those to make sure existing implementations are consistent with the new intent in 800-53. A detailed review of all the changes in the framework is well beyond the scope of this forum, but a few noteworthy aspects are summarized here.

  • In the Access Control family, the new AC-21 (User-based collaboration and information sharing) for the first time addresses the distinct authorizations needed for information sharing partners, as opposed to internal users. In a similar vein, the Identification and Authentication family now splits identification and authentication by user population into two controls, one (IA-2) for internal (organizational) users and another (IA-8) for external (non-organizational) users.
  • A new audit control, AU-13 (Monitoring for information disclosure), extends and augments the Information System Monitoring (SI-4) control with an explicit emphasis on inappropriate data flows out of the organization, consistent with the industry momentum behind Data Loss Prevention technologies and approaches.
  • In System and Services Acquisition, new controls including SA-13 (Trustworthiness) and SA-14 (Critical Information System Components) formally introduce the idea of level of trust as an organizationally defined parameter, and recognize that at high security levels organizations may not find sufficiently trustworthy products or components (even if functionality requirements are met) and will need to come up with internally developed alternatives.
  • The single biggest update at the family level is to System and Communications Protection, which now comprises 34 controls (to be fair, most of the new additions are not required within the existing security control baselines), some of which suggest an acknowledgement from NIST that newer and more pervasive types of threats have to be addressed. One such control is SC-28 (Protection of information at rest), highlighting an area of security that the government has increasingly stressed given the recurrence of breaches of sensitive data.
  • Some other controls in System and Communications Protection reflect very explicit thinking about ways to enhance the security posture of agencies and their systems, even where that thinking conflicts with other current practices. For example, SC-29 (Heterogeneity) encourages diversity of system components to enhance security, a recommendation often at odds with the emphasis on technology standards and on reducing the overall number of technologies used or supported in the organization. In SC-30 (Virtualization techniques) NIST postulates that virtualizing system components can itself enhance security, by disguising systems through random instantiation of virtualized components. This is an interesting contrast to some of the current (negative) hype about securing applications and data in outsourced infrastructure, platform, and application delivery models such as cloud computing.
  • Still other new additions to System and Communications Protection clearly demonstrate the incorporation of DOD-favored information assurance practices. Examples of these defense-influenced controls include SC-32 (Information system partitioning), familiarly known as “physical separation”; SC-33 (Transmission preparation integrity); and SC-34 (Non-modifiable executable programs). While many of these controls are not required under any of the 800-53 annex security control baselines, it will be interesting to see how civilian agencies accommodate new requirements such as physical separation.

Putting 800-53 Revision 3 into effect will by itself have a reasonably significant impact on agencies, particularly as re-authorizations come due for their existing production systems. It is not yet clear whether agencies will feel the need to re-authorize sooner, perhaps prompted by the required annual risk assessments, which are bound to turn up controls needing attention that were not in 800-53 when the previous certification and accreditation was performed.