The National Institute of Standards and Technology (“NIST”) is seeking comments on its draft NIST SP 800-160, Volume 2, Revision 1, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” and its draft NIST SP 800-53A, Revision 5, “Assessing Security and Privacy Controls in Information Systems and Organizations.” The public comment periods are currently open and end on September 20, 2021 and October 1, 2021, respectively.
NIST Draft SP 800-160, Volume 2, Revision 1
In response to the ever-growing threat of cyberattacks, NIST has decided to turn “the traditional perimeter defense strategy” on its head when it comes to an organization’s cyber resiliency strategy. This shift focuses on defending systems “from the inside out rather than from the outside in.” NIST SP 800-160 is intended for broad application across a wide variety of systems (including shared services, the Internet of Things, and critical infrastructure systems) and under a wide variety of circumstances (including new systems, reactive modifications to fielded systems, and upgrades to fielded systems).
The objective of the update is to place organizations in a position where they can anticipate, withstand, recover from, and adapt to adverse conditions such as hostile and increasingly destructive cyberattacks by nation-states, criminal gangs, and disgruntled individuals. Among other things, the draft publication lists 14 cyber resiliency techniques, describes considerations for selecting and prioritizing cyber resiliency constructs and developing a cyber resiliency baseline, and sets out a flexible process for applying cyber resiliency concepts, constructs, and practices to a system.
As mentioned, the comment period for this draft ends on September 20, 2021. Given this major overhaul of the defense strategy, which focuses on defending systems from the inside out rather than from the outside in, it is important that contractors provide the industry perspective so that these new practices and processes are clearly defined, the best safeguards are put in place, and implementation is made easier. Comments should be emailed to [email protected]
NIST Draft SP 800-53A, Revision 5
NIST SP 800-53A, Revision 5 provides organizations with a set of procedures for conducting assessments of the security and privacy controls in NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.” This assessment methodology is intended to be a starting point for assessing the controls and can be tailored to the needs of organizations and independent third-party assessors. The results of a control assessment give an organization evidence of the effectiveness of the controls it has implemented, an indication of the quality of its risk management processes, and a picture of the strengths and weaknesses of the systems that support it.
Revision 5 updates the assessment procedures to align with the controls in NIST SP 800-53 and provides a new format for the assessment procedures. This new format focuses on improving the efficiency of conducting control assessments, providing better traceability between assessment procedures and controls, and better supporting the use of automated tools, continuous monitoring, and ongoing authorization programs. The format was originally introduced in Revision 4 and is further refined in this revision. Specifically, the Revision 5 updates:
Identify the determination statements for organization-defined parameters (ODPs) first and separately from the determination statements for each control item, so that the assessor can determine whether the ODPs have been defined by the organization;
Improve the readability of assessment procedures;
Provide a better format and structure for automated tools when assessment information is imported into these tools;
Provide greater flexibility in the conduct of assessments by giving organizations the ability to target certain aspects of controls (highlighting specific weaknesses and / or deficiencies in controls);
Improve the effectiveness of security and privacy control assessments; and
Support continuous monitoring and ongoing authorization programs by providing a greater number of security and privacy control components that can be assessed at organization-defined frequencies and degrees of rigor.
The comment period for this draft ends October 1, 2021. NIST is seeking comments on the assessment procedures, including the assessment objectives, determination statements, and potential assessment methods and objects. NIST is also interested in comments on the approach taken to incorporate organization-defined parameters into the assessment objective determination statements. Since NIST SP 800-53A is intended to give organizations a starting point for their assessment methodology, it is important that contractors provide the industry perspective to ensure this goal is met. More information on the comment process can be found on the NIST website.
Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 243