18 August 2017 – The US National Institute of Standards and Technology (NIST) has released a new draft of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. This revision integrates privacy controls alongside the security controls and addresses current issues raised by the Internet of Things (IoT) and smart home devices.
Such devices have recently come under the spotlight because many have been easily hijacked into botnets used to launch Distributed Denial of Service (DDoS) attacks against parties who investigate (or whose policies oppose) cyber criminals (read more about this in my blog).
The publication will be the de facto standard for US federal agencies, but it also serves as a guideline for the broader industry. This draft is the culmination of a year of research into the next generation of security and privacy controls by a joint task force of representatives from the intelligence, defence, and civil communities. In this revision, the controls have been updated to address the needs of a broader user group, including systems engineers, product developers, and enterprise-level security and privacy professionals. Many of these roles adopt leading-edge technology without fully understanding its security implications, and development houses, in the rush to meet demand and competition, often overlook the risks of putting unsecured and misconfigured devices on the Internet.
“For example, an IT system may employ cameras. Security experts determine security controls for the camera sensor, while privacy professionals decide on privacy controls such as a control to preserve a passerby’s privacy.” – NIST
Ron Ross, NIST fellow and team leader of the joint task force that wrote the updated publication, stated the following:
Revision 5 “takes the guidance in new directions—we are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things.”
The publication contains controls designed to meet privacy requirements and to manage the associated privacy risks throughout an organisation's information life cycle, from creation and collection, through storage, to disclosure and disposal.
The control catalogue is written to stand apart from the control-selection process of the NIST Risk Management Framework, so that non-governmental organisations can more easily adopt the controls within the frameworks they already use (such as ISO/IEC 27001 and the NIST Cybersecurity Framework).
The closing date for comments is 12 September 2017. NIST hopes to release the final public draft in October and the final version in December.