Weighing in at a mere 375 pages, this new Special Publication from the National Institute of Standards and Technology (NIST) is a ‘public draft’ open for comment until 6 April 2012 (comments can be submitted to NIST by email). The final publication is due in July 2012. While it will be mandatory for federal information systems, it will be equally valuable to managers of corporate information systems.
The report states that “many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT).” Its purpose, then, is to bring federal security requirements up to date with the current understanding of the threat landscape.
It will not, however, be much help to people wishing to study security in a particular subject area – advanced persistent threat (APT), for example. “Rather,” says the report, “the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches.” This is how security works in real life: a specific threat cannot be separated out and treated in isolation, but it does need to be covered within the overall security strategy.
The one exception is ‘privacy’, which is covered in depth and in particular within Appendix J. While “protecting the privacy of PII collected, used, maintained, shared, and disposed of by programs and information systems, is a fundamental responsibility of federal organizations,” it is nevertheless more than just security “and includes, for example, the principles of transparency, notice, and choice.”
The purpose of SP800-53 revision 4 is to provide the framework for information systems able to counter both current and future threats. It provides, says NIST, “the requisite tools to implement effective, risk-based, cyber security programs – capable of addressing the most sophisticated of threats on the horizon.”