An Office of Management and Budget review is delaying the release of new supply chain and privacy security standards, subsequently creating a bottleneck that’s delaying the release of several other security publications from National Institute of Standards and Technology, according to NIST fellow Ron Ross, who leads NIST’s Federal Information Security (FISMA) Modernization Act Implementation Project.
Ross said that OMB’s Office of Information and Regulatory Affairs (OIRA) review of NIST’s publication 800-53 revision 5, which provides new security controls for the government to follow, is delaying several other security publications that refer back to controls set in that document.
“There are so many dependencies on 800-53,” Ross said. “That document, as long as it’s being held up for its final public draft, that’s kind of put a hold on six other publications. We’ve got things in the queue. We’re just waiting for release from OIRA.”
NIST’s fifth revision of the 800-53 publication removed privacy controls from the appendix and integrated them into the publication, Ross said.
“We have now taken those privacy controls and fully implemented them across the entire catalog. … A lot of privacy controls got integrated into security controls where one control can do double duty,” Ross said. “It’s much more efficient to operate that way.”
Giving a brief overview of the revision of 800-53, which Ross said he hoped would be released “soon,” he said there are three new families of security controls in this final draft: program management, privacy control and supply chain security controls. There are now 20 families of controls, up from 17.
Another important NIST publications awaiting release is 800-171B, which Ross said has been written in response to cyberthreats from nation-state actors. NIST 800-171B, which was started and then delayed after the government shutdown, was finished “in record time” post-shutdown. The Pentagon had pushed for the B-version in the aftermath of a breach of a Navy subcontractor a few years ago, he said.
“The longer this bleeding continues, you’re going to see our capabilities continue to degrade,” Ross said. “That’s why we have a sense of urgency about all of these requirements and the publications.”
Ross said the 800-171B publication has 30 new “enhanced requirements” that are specifically geared toward stopping advanced persistent threats. Ross called the requirements “some of the best we’ve ever had before.”
“That document, just like a bunch of other publications, has a dependency on the 853 security and privacy control catalog,” Ross said. "Because those 30 new requirements we reference those ... security controls in .”
Ross also said that the final draft of NIST’s 800-160 Vol. 2 will be released Sept. 5, updating Vol. 1 that outlined 30 processes to build a system with proper cybersecurity controls into the lifecycle. Volume two is about cyber resiliency, he said, calling it “one of the most important publications we’ve ever had.”
Ross said that the publication is trying to move away from a “one-dimensional” strategy of entities using boundary protection technologies, like firewalls, to a multidimensional approach that prepares agencies if an adversary enters the network.
“We have to be able to build into systems the capability to limit the damage the adversaries can do once they’re on target,” Ross said.