How to Customize IT Security ControlsNIST Unveils Overlays as Tools to Help Tailor Security Controls
Organizations in and out of government can more easily tailor their information security plans to fit their specific business missions and operational environments by using overlays, new tools introduced in the latest revision of the National Institute of Standards and Technology's information security controls guidance.
"We realize that organizations have to be able to develop their security plans that really talk to their specific mission," says NIST Fellow Ron Ross, who oversaw the drafting of the latest catalogue of IT security and privacy controls. "The overlay concept is introduced to allow that specialization."
NIST last month issued the latest version of its quintessential guidance: Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations [see NIST Unveils Security, Privacy Controls].
Introduced in revision 4 is the concept of overlays. Overlays provide a structured way to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific business functions, environments of operations and/or technologies.
"You can select the right controls to do the job," Ross says in an interview with Information Security Media Group [transcript below]. "You start with our baseline controls and the low, the moderate and the high impact baselines. But it allows the customization that can eliminate controls or add additional controls as necessary."
In the interview, Ross discusses:
- The growing importance of privacy in the new controls;
- NIST's consideration of updating new controls online so users of the guidance don't need to wait until a printed version of the next revision is issued in 2015 or later; and
- The reintroduction of the notion of assurance, or trustworthiness, of information systems.
Besides leading the Joint Task Force Transformation Initiative Interagency Working Group, Ross heads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. He also serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.
Growing Importance of Privacy
ERIC CHABROW: NIST first published the catalog of controls in 2005, and the last time NIST updated 800-53 in 2009, the word "privacy" wasn't in the title. Why is privacy now an important element of Revision 4 of the guidance?
RON ROSS: Privacy has been a very important topic area for a very long time. We had our first special publication, 800-122, come out several years ago. That dealt with the confidentiality of personally identifiable information. In working with the CIO Council, the privacy subcommittee, we found that privacy goes well beyond just the protection of PII with regard to confidentiality. There are many other privacy-related issues that are very important. With this major revision of 800-53, Rev. 4, we took the opportunity to work with the privacy committee on the CIO Council, and the new privacy families and the privacy controls are patterned directly from the Fair Information Practice Principles. This is an international standard. It's well-recognized. We still have the Privacy Act of 1974 and all the OMB policy. The integration of the privacy controls into Appendix J of the new publication really brings back to the forefront and sits side-by-side with security now so the security and privacy teams can work together. They have a lot of overlap in what they do, but privacy goes well beyond what the traditional security aspects are.
CHABROW: Give us an example or two of the types of privacy controls in the revised guidance.
ROSS: Privacy goes back to the eight Fair Information Practice Principles. The privacy folks, in addition to worrying that the information is protected from nondisclosure with regard to confidentiality, worry about things like: How much data is collected on an individual; how long is that data retained; and what kinds of things can the data be used for. All of those things you would never have found in our security control because those are really privacy issues. The controls are laid out just like our security control - same type of format - and they're organized into eight families that map directly to the Fair Information Practice Principles. It really gives a good breadth and depth of all of the things that we worry about with regard to privacy, which is becoming really important now with all the mobile technologies and the digital footprint getting so much bigger.
CHABROW: With an expanded list of controls, NIST, in its latest revision, introduces the concept of overlays, which are designed to give organizations greater flexibility and agility in defending their IT systems. What are overlays and how do they work?
ROSS: Overlays is a great new concept and construct that we introduced into Rev. 4 that allows organizations to specialize their security plans. What that really means is that as our catalog of controls grows over time with regard to the threat space, every time we see a new cyber-attack or there's a new threat that we see that either has occurred in the form of a cyber-attack or we think it may occur, that drives us to develop a defensive mechanism, a safeguard or countermeasure. We call those our security controls. As you would expect, as that threat space gets larger and larger, so does the catalog of controls.
But at the same time, we realize that organizations have to be able to develop their security plans that really talk to their specific mission, their business model, their environment of operations and maybe the technologies they deploy. The overlay concept is introduced to allow that specialization. You can select the right controls to do the job. Of course, you start with our baseline controls and the low, the moderate and the high impact baselines, but it allows the customization that can eliminate controls or add additional controls as necessary.
A good example might be the military is building an overlay for tactical environments. When the military is in combat operations, they don't have the capacity sometimes to audit and build those big audit logs as you would do back in the facility here in the States. The space command is building an overlay. The physical security controls are relevant when that space craft is on the ground. But when it's up in space, the physical controls are not so relevant anymore. Overlays can bring that time sequencing in as well, and it really allows people to work more efficiently.
Assurance in Information Systems
CHABROW: What other new features can be found in this latest version of 800-53?
ROSS: After the overlay, the one that I think is the most critical is the reintroduction of the whole notion of assurance, or trustworthiness of information systems. When we look at protecting our information systems, there's a lot of work today on what we call cybersecurity hygiene, where you make sure you understand all the boxes on your network and make sure those boxes are configured properly. We do all the patching types of activities, and that's good hygiene that can really eliminate a good number of cyber-attacks [from] being successful.
But there's another aspect to our protection strategy that I call the "build it right" strategy, and that talks to the quality of the hardware, software and firmware components that make up our systems. Assurance is a way to express your requirements to developers so the developers can send evidence back to you that they've done the right thing with regard to design, the development practices and maybe the types of testing they do on these products that we purchase. Then, we integrate these through good security engineering techniques into our critical systems.
The assurance has been rebranded. That's the term I'm using; rebranding it. It really makes the argument that you can associate certain security controls with assurance and you can associate certain ones with functionality. The assurance ones are important because they really do talk to quality, and that's important in order for us to reduce the number of latent errors that are in our software programs that lead to vulnerabilities, which can lead to systems being breached. That's a very big investment, and I call it a down payment on the future of our "build-it-right" part of the strategy.
CHABROW: The threat landscape is evolving, as is technology. When will NIST begin work on Revision 5?
ROSS: As tired as we are - this has been a two-year process, and all of us are pretty worn out - we actually start working on Rev. 5 as soon as Rev. 4 is released. What I mean by that is we start to look at the controls that we currently have and what are some of the new things we see coming down the road with regard to the threat space, [and] try to make the catalog as efficient as it can be. There's an information-gathering process that starts after the publication is released. As we gather that information over the next year or so, we'll then start to think about Revision 5 around the second year because it does take a good year to put one of these revisions together. This one was especially long because it was such an extensive revision and we covered so many topics, from insider threat to application security, cloud and mobile to the new privacy controls. This has been an exceptional revision, but we'll be thinking about the next one in about two years from now.
Updating New Controls Online
CHABROW: Because IT security isn't static and new controls will be created between now and in two years, maybe a year or so after that to address new cyberthreats, what can NIST do to help organizations make sure they're aware of newer controls that may be coming out?
ROSS: We have a lot of things going on. What we're trying to do also, in addition to waiting for the two-year cycles which can be problematic in an environment where it's very dynamic and the threats are evolving very quickly, is we can develop security controls in the interim between Rev. 4 and Rev. 5. I call those beta controls. They would be developed because of a specific threat that we become aware of. We could actually post those on our website after we vet those controls internally. They wouldn't be official, they wouldn't be in the catalog, but they would be there for our customers to use if they were concerned about that type of threat. That's more of the online web-based nature.
We're also finding new ways to deliver the content of 800-53, so the content can be downloaded and imported into tools and things that make it easier for our customers. There's lots of ways we can use the technology today to deliver content to our customers so they can be prepared on a day-by-day basis.