A draft update to the National Institute of Standards and Technology’s (NIST) widely used data privacy and security guidance was released August 15 for public comment.
This fifth revision to Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, was developed by a joint task force consisting of representatives of the civil, defense, and intelligence communities. SP 800-53 was originally issued in 2005 and most recently updated in 2013.
The latest draft represents an ongoing effort to produce a unified information security framework for the federal government, but this version would broaden the focus to address how all kinds of organizations can maintain security and privacy in their interconnected systems.
Revision 5 “takes the guidance in new directions—we are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things,” said NIST Fellow Ron Ross in announcing the release of the draft. Controls are security and privacy safeguards—both technical and procedural—designed to protect systems, organizations, and individuals.
Privacy is now fully integrated throughout the new draft, a first for any control catalog. “This revision covers the overlap in security and privacy for systems, as well as the ways in which they are distinct,” said NIST senior privacy policy advisor Naomi Lefkovitz. “It also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities.” SP 800-53 Revision 5 adds two new control families that focus solely on privacy; the remaining privacy controls are integrated throughout the rest of the control families.
While previous versions targeted federal agencies, other organizations, particularly industry, are voluntarily adopting SP 800-53, NIST noted. The controls have been updated to address the needs of the more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers who are now working on privacy and security.
For example, an IT system may employ cameras. Security experts determine security controls for the camera sensor, while privacy professionals decide on privacy controls—for example, to preserve a passerby’s privacy. Also, the control selection process is now separated from the security control catalog and included in NIST’s Risk Management Framework, so organizations outside the federal government can more easily use the NIST controls with the frameworks they currently use.
The security and privacy controls catalogued in SP 800-53 are designed to protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.
NIST is accepting public comments on the draft until September 12. Comments may be e-mailed to sec-cert@nist.gov, using the subject line “Comments on Draft SP 800-53 Rev. 5.” NIST expects to publish a final version by the end of the year.
NIST standards are directly binding only on federal agencies, but are looked to by the private sector as well. In the Health Insurance Portability and Accountability context, the U.S. Department of Health and Human Services’ breach notification rule expressly requires compliance with certain NIST standards to meet the exemption for “secured” protected health information.
Learn more about protecting your company data when you join Usama Kahf of Fisher Phillips, LLP and Lucas Amodio of Armstrong Teasdale LLP as they copresents the breakout session—“Is Your TV Watching You? Cybersecurity Protection from the Internet of Things”—at the 22nd annual Advanced Employment Issues Symposium (AEIS), being held at the Paris Hotel in Las Vegas, November 15-17. Click here to learn more, or to register today. |