Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/NIST Special Publication 800-53, Revision 5 and the NIST Cybersecurity Framework


4. NIST Special Publication 800-53, Revision 5 and the NIST Cybersecurity Framework

Originally released in 2005, NIST's Special Publication 800-53 has since gone through five revisions; Revision 5 is titled Security and Privacy Controls for Information Systems and Organizations. The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks."[1]

The security controls (recommended safeguards or countermeasures for protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information) are classified by the complexity of and risks associated with the information system, using impact value classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.

The controls are organized into 20 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family Access control has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable accounts" is a control enhancement that further stipulates the system be able to automatically disable certain accounts after a designated period of time.

This guide leans heavily on SP 800-53 because of its thoroughness and despite its mild complexity, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls, particularly those that directly address networking issues, couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

4.1 NIST Cybersecurity Framework

The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. Executive Order 13636: Improving Critical Infrastructure Cybersecurity.[2] Building off the frameworks of NIST Special Publication 800-53 (Revision 5), COBIT 5, and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.[3][4]

Version 1.0 of the framework was introduced in 2014, and by 2016[5]:

  • Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
  • Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
  • Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity to more long-term and continual conformance and improvement approaches.[5][6][7] Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.[8] As of March 2023, NIST continues to update the Cybersecurity Framework, publishing a version 2.0 concept paper in January "to seek additional input on the structure and direction of the Cybersecurity Framework (CSF or Framework) before crafting a draft of CSF 2.0." The authors note the potential for significant changes from version 1.1, including scoping the document to organizations of all sizes, types, and sectors, while also increasing international collaboration and engagement and better reflecting changes in cybersecurity practices.[9] Since the framework is:

  • already based upon NIST SP 800-53 and other solid frameworks, with plans to further relate the framework to other NIST frameworks for version 2.0[9];
  • developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders"[10]; and
  • potentially going to see greater international collaboration and engagement among foreign governments and industry for upcoming revisions[9];

... the framework is likely to be further embraced in some form worldwide.

It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather, it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.[4] At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted in the framework.[4]

References

  1. "NIST SP 800-53, Rev. 5 Security and Privacy Controls for Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 10 December 2020. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final. Retrieved 21 March 2023. 
  2. "Fact Sheet: EO 13636 Improving Critical Infrastructure Cybersecurity and PPD 21 Critical Infrastructure Security and Resilience". Cybersecurity & Infrastructure Security Agency. 17 December 2020. https://www.cisa.gov/resources-tools/resources/fact-sheet-eo-13636-improving-critical-infrastructure-cybersecurity-and. Retrieved 21 March 2023. 
  3. Chang-Gu, A. (2 March 2015). "NIST Cybersecurity Framework vs. NIST Special Publication 800-53". Praetorian Security Blog. Praetorian Security, Inc. https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53/. Retrieved 21 March 2023. 
  4. Morgan, J. (4 April 2018). "How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett". Security. BNP Media. https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework. Retrieved 21 March 2023.
  5. Dark Reading Staff (30 March 2016). "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Dark Reading - Attacks/Breaches. Informa PLC Informa UK Limited. https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds. Retrieved 21 March 2023.
  6. BizTech Staff (20 December 2017). "Why a Risk-Based Approach Leads to Effective Cybersecurity". BizTech. CDW LLC. https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity. Retrieved 21 March 2023. 
  7. Daniel, M. (25 January 2018). "Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds". Cyber Threat Alliance Blog. https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/. Retrieved 21 March 2023. 
  8. "NIST Releases Version 1.1 of its Popular Cybersecurity Framework". National Institute of Standards and Technology. 16 April 2018. https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework. Retrieved 21 March 2023. 
  9. "NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework" (PDF). National Institute of Standards and Technology. 19 January 2023. https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf. Retrieved 21 March 2023.
  10. "Getting Started". Cybersecurity Framework. National Institute of Standards and Technology. 14 April 2022. https://www.nist.gov/cyberframework/getting-started. Retrieved 21 March 2023.