NIST has released the fifth revision of the Security and Privacy Controls draft of Special Publication 800-53 (PDF), now available for comments through September 12, 2017. The previous version was last fully rewritten in 2013.
In this draft, NIST has incorporated state-of-the-practice controls based on new threat intel, plus changed the structure of the controls to make them more outcome-based. They’ve also consolidated and integrated privacy controls into security controls, and clarified the relationship between security and privacy to improve control selection.
While the primary audience for this publication is federal agencies, they acknowledge that “different communities of interest” such as systems engineers, software developers, enterprise architects and business owners might want to use similar controls.
As a result, NIST has dropped “federal” from the title; the document was formerly named Security and Privacy Controls for Federal Information Systems and Organizations. NIST Fellow Ron Ross told Cyberscoop:
“The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same [cyber] threats.”
Security and Privacy in An Interconnected World
NIST refers to the need to strengthen underlying infrastructure, information systems, components and services that support this new, interconnected world - specifically calling out the need for security and privacy controls in cloud and mobile systems and for Internet of Things (IoT) devices. As Draft NIST SP 800-53, Revision 5 puts it:
“As we push computers to “the edge” building an increasingly complex world of interconnected information systems and devices, security and privacy continue to dominate the national dialog.”
According to CPOMagazine, this is the first version of the Security and Privacy Controls that addresses how IoT is impacted by remote sensors and media collection devices (cameras, recorders and voice-activated controls). These are all components of IoT devices and systems, such as cars and traffic monitoring systems.
New Control Enhancements for Password-Based Authentication
While version four previously required enforcing minimum password complexity (a mix of uppercase and lowercase letters, numbers, special characters, etc.), draft five noticeably removes that requirement, focusing instead on allowing users to select long passwords and passphrases (page 113).
Read more about the password recommendation updates in the final version of SP 800-63B: Authentication & Lifecycle Management in another article I wrote, NIST Update: Passphrases In, Complex Passwords Out.
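To make the policy shift concrete, here is an added example (mine, not NIST's or the article's) that puts a revision-4-style composition check beside a length-based check in the spirit of the draft and of SP 800-63B. The compromised-password denylist is a constructed stand-in for a real breach corpus; the minimum and maximum lengths are assumptions (800-63B sets 8 characters as the floor for user-chosen secrets and asks verifiers to permit at least 64), and the NFKC normalization follows 800-63B's recommendation that verifiers normalize Unicode before comparison.

```python
import re
import unicodedata
from typing import Tuple

# Constructed denylist standing in for a corpus of known-compromised passwords
# (assumption: a real deployment would load this from a breach dataset).
COMPROMISED = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein", "welcome1"}


def legacy_complexity_policy(pw: str) -> bool:
    """Revision-4-style rule: at least 8 characters and one character from
    each of four classes (upper, lower, digit, symbol)."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def passphrase_policy(pw: str, min_len: int = 8, max_len: int = 256) -> Tuple[bool, str]:
    """Length-and-denylist rule: no composition classes, characters counted
    after NFKC normalization, long passphrases permitted (max_len must be
    at least 64 to follow SP 800-63B), known-compromised values rejected."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"
    if pw.lower() in COMPROMISED:
        return False, "on compromised list"
    return True, "ok"


def compare_policies(candidates):
    """Return {candidate: (legacy_verdict, new_verdict_reason)} for a batch of
    constructed sample passwords, to show where the two rules disagree."""
    return {pw: (legacy_complexity_policy(pw), passphrase_policy(pw)) for pw in candidates}


if __name__ == "__main__":
    # Constructed samples: one that satisfies every composition class but is a
    # well-known weak pattern, and one long passphrase with no symbols or digits.
    for pw, verdicts in compare_policies(["P@ssw0rd", "correct horse battery staple", "short"]).items():
        print(f"{pw!r}: legacy={verdicts[0]} new={verdicts[1]}")
```

The interesting rows are the first two: "P@ssw0rd" satisfies all four character classes yet is rejected by the denylist, while a four-word passphrase fails the composition rule and passes the length rule. That is the trade the draft is making: length and a check against known-bad values in place of character-class rules that users predictably game.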
Security Benefits of Combining MFA & SSO
Within the Identification and Authentication control, the document carries on its recommendation to implement multi-factor authentication (MFA) for access to non-privileged accounts.
NIST also provides more supplemental guidance on the sub-control for single sign-on (SSO), commenting on SSO’s ability to “improve system security, for example by providing the ability to add multi-factor authentication for applications that may not be able to natively support this function. This situation may occur in legacy applications for systems.”
This shows NIST’s acknowledgement of the benefits of combining the productivity and usability gains of SSO with the strong authentication security provided by MFA - and not just for federal agencies, but across many other industries that can leverage the same technology and systems to protect access to their applications.