Changes Coming to NIST 800-53 & 800-37
News from the DGI 930Gov, Cyber & IT Security Conference
In May 2017, the White House issued a Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With the change last fall in the Presidential administration, I attended the DGI 930Gov, Cyber & IT Security Conference on Sept. 6 in Washington, D.C. to learn more about recent updates and revisions made to this Executive Order. For me, the highlight of this conference was the discussion led by Dr. Ron Ross, NIST Fellow, during the panel discussion on the Presidential Executive Order Cybersecurity of Federal Networks and Infrastructure. Of particular interest to me was the dialogue around the key changes for:
- Rev 5 of NIST 800-53, Security and Privacy Controls
  - The term "information" was purposely eliminated from "information system" in most cases to explicitly emphasize that the controls also apply to the IoT. To me, this change facilitates inclusiveness for all types of systems (e.g., industrial/process control systems, cyber-physical systems, weapons systems, IoT devices, etc.), while not affecting use within "information systems."
  - In addition, the Risk Management Framework (RMF) was taken out of Rev 5 to separate the process from the control set, because the controls have wider application than just the Federal RMF. See more of his comments here.
- Rev 2 of NIST 800-37, the Risk Management Framework (RMF)
  - These include a new seventh step in the RMF, Organizational Preparation, and executive participation in selecting the set of security controls. Discussion also included the relationship between Cybersecurity Framework (CSF) risk identification and the RMF, utilizing the RMF as the "engine" of the CSF. Read more here.
TalaTek is looking forward to implementing these changes to the RMF, with greater emphasis on high-level participation in the RMF to set the appropriate risk framework.