Having just finished a multi-year revision of what you might call the bible of cybersecurity controls, the National Institute of Standards and Technology cybersecurity crew has a new companion guide. With an update, NIST Fellow Ron Ross joined Federal Drive with Tom Temin.
Tom Temin: Ron, good to have you back.
Ron Ross: Good morning. It’s great to be with you Tom.
Tom Temin: And calling you a fellow is like saying Ernest Hemingway had a typewriter. But let’s get into the first of those publications. 800-53 is a venerable one. And yet it’s been totally refreshed. Give us the highlights of what’s new in there and how that process all went.
Ron Ross: Well, as you said, it took quite a long time for us to bring this publication to its final state, which we did in September. And it’s really a remarkable update since revision four. And I like to remind everybody that revision four was downloaded over 20 million times from the time it was published in 2013. So it’s a very widely used publication, both in the federal space and in the private sector. But we had some great updates in the 2020 version, and one of the most important things we did is integrated privacy into the catalog of controls. We took all of the previous privacy controls that were in an appendix, and we integrated them throughout the catalog. And so now that catalog is a consolidated catalog fully staffed with both security and privacy controls. That’s really critical today, because privacy stands shoulder to shoulder with cybersecurity as being very important in federal agencies, and the private sector as well. The other thing we did is we moved the baselines. We have groups of controls that we recommend to our customers based on the criticality of their systems. And we had those baselines, those groupings of controls, move to another publication, which I think we’ll talk about later, 53 Bravo. But that was a big step as well. And then we populated the catalog with a lot of new controls that are based on some of the cyber attacks and the threat space that we see evolving continuously into 2020. So every time there’s a new threat or a new type of attack, we’re going down and making sure that we can develop an appropriate safeguard to help our customers stop those types of attacks. So you’re going to see a lot of new controls in that area. The other group of controls that we brought in were cyber resiliency controls. This is tied to our system security engineering project. And these controls are basic controls that developers would use to build stronger, more penetration resistant and cyber resilient systems.
So there’s an awful lot of information in this new update. And it took us a long time. But we’re really proud of the final product and hope all of our customers will enjoy using the document.
Tom Temin: Well, here’s to the next 20 million downloads. And a question about the new controls. I mean, are they adaptable as the threat landscape and the technology are continuously changing? And I’ll just make an analogy: if a control is to turn a certain bolt to 10 pounds of pressure on your torque wrench, and it’s a half inch bolt, and the next time you need a five eighths inch bolt still with the same torque, the same control applies, just in a different situation.
Ron Ross: You summed it up very well. That’s how our controls are built. We develop all of our controls to be policy and technology neutral. So you’re right, we’re always advancing the technology space. We’ve gone from mobile to the cloud computing revolution, and all of that. And we didn’t have to develop a separate set of controls for mobile and cloud. We take the controls that we have there, based on fundamental concepts of cybersecurity and privacy, and those controls are implemented in the context of the technology that you’re looking at. So if it’s a smartphone or a tablet, you still have access control, you still have identification, authentication, and all the fundamentals are reflected in those controls. And yes, there are some times you have to tweak them. We had a whole generation of tweaks in our industrial control systems application of those controls. That goes back over a decade. We looked at every control and asked how it would operate in an operational technology mode, so in power plants or industrial control systems. So some of the controls had to be interpreted, but the good news for our customers is, there’s lots of stability in those controls. And we feel that the catalog now has the broadest and deepest set of controls of any control catalog anywhere in the world. And the fact that we have privacy integration now across the entire space is really a remarkable thing. The final thing I forgot to mention is we have a brand new family. We have five for supply chain risk management. My colleague is the author of NIST 800-161. That’s a supply chain risk management pub. And now we have a whole family of controls that are dedicated to helping protect the supply chain, which as you know is a critical aspect of our overall defense in depth and cybersecurity strategy.
Tom Temin: And just a quick diversion question because supply chain is on everybody’s lips these days, and we do have programs like the CMMC going on at the Pentagon. But the set of controls that comes up in the cybersecurity maturity model certification program, they refer to Special Publication 800-171. So how does that fit into the whole picture?
Ron Ross: Well, it’s very much tied together. We developed the 800-171 publication. Those are security requirements for protecting controlled unclassified information. That’s a special category of information that NARA defines where there’s special protections required or dissemination requirements for certain types of information. So in 2015, we developed 109, which is now 110 requirements for protecting CUI. If you look in that publication, though, every one of those requirements is traceable back to a security control in 800-53. So 800-53 is still kind of the foundation. And we build a lot of different types of publications off of those controls. They’re cast as requirements in this case. Because we did a lot of tailoring, we took out all of the federally unique things, because 800-171 applies to non-federal organizations. When you’re with a federal agency and you’re sending CUI to that non-federal organization, you want to make sure they protect the information just as if it were on the federal side. So it all traces back to 800-53, which is good news again for our customers.
Tom Temin: Alright, let’s get back to 800-53 Bravo, that’s the latest thing, and tell us what 53 B is and what it accomplishes.
Ron Ross: Well, the 800-53 Bravo is our baseline document. And previously we had three baselines. A baseline is a set of controls that you would recommend to a customer based upon the type of system they’re operating. And we have three different categories of systems that we deal with in the federal government; we call it high, moderate and low impact, where impact is impacting your business or your mission if that system is breached or compromised. So traditionally, over the past 10, 15 years, we’ve had our three security control baselines in the document in 800-53. We chose at this point in time to take those baselines out of 800-53 and put them in a separate document. The reason we did that is because we want 800-53 to be used by not just folks at the enterprise level who are building security programs, but also systems engineers who are building real systems and want a good set of controls to use. So we wanted to kind of separate the baselines, which are used mostly by the enterprise folks, from the engineering community, and they could all see a single unified catalog. So Bravo came out along with the tailoring guidance for each of those baselines in 53. And by the way, they were updated in 2020 when that document came out about a month ago, and we added some new controls based on some of the threats we discussed. But you also get a full set of tailoring guidance, which means every organization starts with that recommended baseline. So you kind of pick whether your system is low, moderate, or high. And then you go through our tailoring guidance, maybe taking out some controls, maybe adding some, and that targets that baseline and makes it very organization specific. So you get the exact protection you need.
The bigger add in 53 Bravo was, for the first time ever (you remember we talked about the privacy controls in 53), we now have a privacy baseline. That’s again a starting set of privacy controls that are tied back to OMB circular A-130 and the privacy requirements. And again, all of these controls can be used either in our risk management framework, our cybersecurity framework, or our brand new privacy framework too. So those baselines are really an attempt to help our customers, to give them a starting point. And then from there, they customize to their needs.
Tom Temin: And sounds like if you do that customizing homework upfront, then you will have a much more manageable and understandable system when you actually implement.
Ron Ross: Yeah, it’s totally true. And the other thing we introduced, Tom, back in 2018, we updated our risk management framework for the first time in a long time. That’s about a year and a half old now. Actually it is coming up on two years. But we give our customers now a choice. They can use our baselines to start with that starting set of controls, or they can start from scratch. And they can use a systems engineering process and define their own security requirements. So let’s say you’re in the DoD, and you’re building a weapon system or a command and control system, or a medical device in a healthcare organization. You can start with your security requirements as part of your engineering process. And then you can pick the exact controls to satisfy each of those security or privacy requirements. That is another way to customize our solutions so we can work smarter, more efficiently. And we can reduce the costs to organizations and also achieve better cybersecurity and privacy protections for our customers.
Tom Temin: Ron Ross is a fellow with the National Institute of Standards and Technology. As always, thanks so much.
Ron Ross: Thank you Tom. Have a great day.