Final Cybersecurity Assessment Guidance Document Released

The National Institute of Standards and Technology (NIST) has changed the cybersecurity assessment process over the past several months. They recently released their final copy of the NIST Special Publication 800-53A Revision 5, which guides organizations through the assessment process for their internal security IT systems.

The Updated Document

The updated document is titled “Assessing Security and Privacy Controls in Information Systems and Organizations.” It focuses on helping organizations of all kinds manage cybersecurity risk across their networks.


Goals and Guidelines

The guidelines outlined by the document’s final draft emphasize the importance of improving organizational assessments of current cybersecurity infrastructure, enabling cost-effective security assessment procedures and privacy controls, promoting better cybersecurity awareness among users, and creating reliable security information for executives. New measures will be implemented to ensure that cybersecurity within the supply chain will be taken more seriously in the future.

In assembling the massive new security document, NIST officials reviewed the best practices in assessment procedures to determine the effectiveness of the defense software. They looked at the practices that had been in place and instances when they were not effective. By analyzing the moments in which cybersecurity measures had failed, they could make adjustments that should further reduce risk.


What Are the Most Significant Changes?

The most notable change from revision 4 to revision 5 is the addition of many new controls. In total, 63 controls got 149 new enhancements. The sections that received the most significant changes were AC-4: Information Flow Enforcement and SA-8: Security and Privacy Engineering Principles. They received 10 and 33 new enhancements, respectively. Additionally, a new control family, Personally Identifiable Information Processing and Transparency, was created to emphasize privacy controls previously outlined in Appendix J of revision 4. This new baseline directly incorporates control enhancements while omitting some base controls.

The latest revision also added the new security control family: Supply Chain Risk Management. There have been significant increases in threats to the supply chain and critical infrastructure, and as a result, Supply Chain Risk Management was added as a category. SR-4: Provenance was added to identify risk origins as a new base control.

In revision 4 and all previous iterations of the document, there was a prioritization concept for controls. Under that model, once a baseline was selected for an information system, the priority assigned to each control determined the order in which the controls would be implemented. This was dropped in revision 5, so organizations now need to build their own prioritization for applying controls.


The Three Phases of Testing

Three testing phases are used to find the best methods for protecting the supply chain: preparing, conducting, and analyzing.

When preparing, officials look for areas in cybersecurity procedures that have been less effective than is ideal. They then conduct tests to compile data on the quality of those sections of the procedures. Finally, they analyze the results before deciding what changes need to be made. These controlled assessments were critical to the development of the new cybersecurity procedures.

What GSec Can Do to Help

When comparing the revision 4 and revision 5 documents, the differences are not easy to spot at first glance. They are two massive documents with similarities in nearly every area. Fortunately, GSec can help organizations incorporate these changes. Contact us, and we can put together a plan to bring your cybersecurity program up to date!

By: Alex O’Reilly

Sources:

https://www.nextgov.com/cybersecurity/2022/01/nist-releases-final-cybersecurity-assessment-guidance/361165/

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53ar4.pdf (old document)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf (new document)