What’s New in Draft NIST Special Publication 800-53


What’s New in Draft NIST Special Publication 800-53, Revision 5
Security and Privacy Controls for Information Systems and Organizations
Virtual Event
April 8, 2020, 2:00 – 3:30 PM ET

Virtual Event Resources and FAQ

This virtual event will be recorded and available by April 17th, 2020; slides from today’s event are currently available: https://go.usa.gov/xd7Vq

Technical Issues
For technical issues using slido, connection, sound, video, etc., please first refer to the troubleshooting steps listed on the Event page. If the technical issues have not been resolved after trying the troubleshooting steps, please contact: webcast@nist.gov

Questions for the Speakers*
Please check the NIST SP 800-53 Rev. 5 (final public draft) FAQ Page: https://go.usa.gov/xvxtq OR submit questions at any time during the presentation using the slido website or app.
*Speakers may not be able to respond to each question submitted during the Q&A; an updated FAQ will be posted that addresses submitted questions with no attribution.

NIST SP 800-53 Revision 5 (FPD) FAQ: https://go.usa.gov/xvxtq
Still have questions? Email sec-cert@nist.gov

Agenda: What’s New in Draft NIST SP 800-53, Revision 5
Security and Privacy Controls for Information Systems and Organizations

2:00 PM ET  Welcome and Opening Remarks (Ron Ross, NIST Fellow and Joint Task Force Working Group Leader)
2:20 PM ET  What’s New in the NIST SP 800-53, Revision 5 (Final Public Draft) (Victoria Yan Pillitteri, Naomi Lefkovitz, Jon Boyens)
2:50 PM ET  Feedback Requested: Security and Privacy Collaboration Index (Naomi Lefkovitz)
2:55 PM ET  Next Steps, Resources and Contact (Victoria Yan Pillitteri)
3:00 PM ET  Live Q&A Chat: join the discussion through the slido “ask the speaker” feature!

Speakers may not be able to respond to each question submitted during the Q&A; an updated FAQ will be posted that addresses submitted questions.


NIST SP 800-53, Revision 5: Next Generation Controls for Systems and Organizations

Background: NIST Special Publication (SP) 800-53

- Nov 2001: NIST SP 800-26, Security Self-Assessment Guide for IT Systems, published
- Feb 2005: NIST SP 800-53, Recommended Security Controls for Federal Information Systems, originally published (17 security control families based on FIPS 200)
- Dec 2006: NIST SP 800-53, Rev. 1 published
- Dec 2007: NIST SP 800-53, Rev. 2 published (added industrial control systems guidance)
- July 2008: NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, published
- Aug 2009: NIST SP 800-53, Rev. 3 published (became Joint Task Force (JTF) publication; added guidance on Information Security Programs (PM Family))
- April 2013: NIST SP 800-53, Rev. 4 published (added Privacy Control Catalog (Appendix J))
- Dec 2014: NIST SP 800-53A, Rev. 4, published


Summary of Significant Changes in NIST SP 800-53

SP 800-53, Rev. 5 (Final Public Draft) compared with SP 800-53, Rev. 4:
- Control structure updated to be more outcome-focused
- New controls, control enhancements, and discussion to address evolving threat landscape (including IPv6 transition)
- Control baselines (security & privacy), overlay and tailoring guidance moved to forthcoming draft SP 800-53B
- Mappings to ISO 27001 and 15408 moved; new CSF mapping; new PF mapping will be posted online when Rev 5 finalized
- Privacy and supply chain risk management controls added to Program Management (PM) Family
- Rev. 4 Appendix J – Privacy Control Catalog (8 families: AP – Authority & Purpose; AR – Accountability, Audit, & Risk Management; DI – Data Quality & Integrity; DM – Data Minimization & Retention; IP – Individual Participation and Redress; SE – Security; TR – Transparency; UL – Use Limitation) becomes in Rev. 5 a Privacy Control Family (PT – Personally Identifiable Information Processing and Transparency), with all other privacy controls integrated in other families, including Program Management
- New Supply Chain Risk Management (SR) Family

New Outcome-Focused Control Structure: Example

SP 800-53 Rev 4
SC-10 NETWORK DISCONNECT
Control: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

SP 800-53 Rev 5 (FPD)
SC-10 NETWORK DISCONNECT
Control: Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time-period] of inactivity.
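The SC-10 outcome above (terminate at end of session, or after an organization-defined period of inactivity) is what an implementer has to build and an assessor has to check. The following is an added example, not code from the NIST slides or from NIST: a small session tracker with an injectable clock so the inactivity sweep can be exercised deterministically. The 600-second timeout, the session identifiers and the audit-record shape are constructed for the demonstration and stand in for the [Assignment: organization-defined time-period] and the organization's own logging.

```python
"""Added example (not from NIST SP 800-53): inactivity-based session
termination in the spirit of SC-10 NETWORK DISCONNECT."""
from dataclasses import dataclass
from typing import Optional


class Clock:
    """Injectable clock so the demo and its tests run deterministically."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    session_id: str
    last_activity: float          # timestamp of the most recent traffic
    open: bool = True
    close_reason: Optional[str] = None


class SessionTracker:
    def __init__(self, idle_timeout_s: float, clock: Clock) -> None:
        # idle_timeout_s plays the role of the organization-defined time period
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock
        self.sessions: dict[str, Session] = {}
        self.audit: list[tuple[str, str]] = []   # (session_id, reason) per termination

    def start(self, session_id: str) -> None:
        self.sessions[session_id] = Session(session_id, self.clock.now)

    def touch(self, session_id: str) -> None:
        """Record activity; a terminated session must not be revived silently."""
        s = self.sessions[session_id]
        if not s.open:
            raise RuntimeError(f"session {session_id} already terminated ({s.close_reason})")
        s.last_activity = self.clock.now

    def _terminate(self, s: Session, reason: str) -> None:
        s.open = False
        s.close_reason = reason
        self.audit.append((s.session_id, reason))

    def end(self, session_id: str) -> None:
        """End of session: terminate the associated connection."""
        s = self.sessions[session_id]
        if s.open:
            self._terminate(s, "end_of_session")

    def sweep(self) -> list[str]:
        """Terminate every open session idle for at least the timeout; return their ids."""
        closed = []
        for s in self.sessions.values():
            if s.open and self.clock.now - s.last_activity >= self.idle_timeout_s:
                self._terminate(s, "inactivity_timeout")
                closed.append(s.session_id)
        return closed


def demo() -> dict:
    """Constructed scenario: two sessions, one goes idle past the 600 s limit."""
    clock = Clock()
    tracker = SessionTracker(idle_timeout_s=600, clock=clock)
    tracker.start("sess-A")
    tracker.start("sess-B")
    clock.advance(100)
    tracker.touch("sess-B")        # B is active at t=100, A never is
    clock.advance(501)             # t=601: A idle 601 s, B idle 501 s
    idle_closed = tracker.sweep()  # only A crosses the threshold
    tracker.end("sess-B")          # B terminates at end of session
    try:
        tracker.touch("sess-A")
        touch_after_close = "allowed"
    except RuntimeError:
        touch_after_close = "refused"
    return {
        "idle_closed": idle_closed,
        "audit": list(tracker.audit),
        "touch_after_close": touch_after_close,
    }


if __name__ == "__main__":
    print(demo())
```

The sweep would normally be driven by a timer in the server or gateway; for an assessment, the audit list is the evidence that both termination paths (end of session and inactivity) actually fire.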

New Systems Security Engineering Control Enhancements

SP 800-53, Rev 4: SA-8 Security Engineering Principles

SP 800-53, Rev 5 (FPD): SA-8 Security and Privacy Engineering Principles
- SA-8 (1) Clear Abstractions
- SA-8 (2) Least Common Mechanism
- SA-8 (3) Modularity and Layering
- SA-8 (4) Partially Ordered Dependencies
- SA-8 (5) Efficiently Mediated Access
- SA-8 (6) Minimized Sharing

New control enhancements link to security design principles in SP 800-160, Vol 1.

Forthcoming: New Related Publication and Supplemental Materials Online

- Controls in OSCAL, mappings, keywords, and the Security Control Overlay Repository: moved to online resources
- Control baselines, overlay and tailoring guidance: moved to forthcoming SP 800-53B

SP 800-53 Rev 5 (FPD) controls available in Open Security Control Assessment Language (OSCAL) at: tent/nist.gov/SP800-53
The Security Control Overlay Repository (SCOR) is available at: https://nist.gov/rmf
Other resources (mappings and keywords) will be available pending final publication of SP 800-53, Revision 5.

Proposed Appendix J Reorganization

SP 800-53 Rev 4 App J control -> SP 800-53 Rev 5 families
AP-1 -> PT
AP-2 -> PT
AR-1 -> PM
AR-2 -> RA
AR-3 -> SA
AR-4 -> CA
AR-5 -> AT, PL
AR-6 -> PM
AR-7 -> PL, PM, PT, SI
AR-8 -> PM
DI-1 -> PM, SI
DI-2 -> PM, SI
DM-1 -> PM, PT, SC, SI
DM-2 -> MP, SI
DM-3 -> PM, SI
IP-1 -> PT
IP-2 -> AC, PM
IP-3 -> IR, PM, SI
IP-4 -> PM
SE-1 -> PM
SE-2 -> IR
TR-1 -> PM, PT, SC
TR-2 -> PT
TR-3 -> PM
UL-1 -> PT, SC
UL-2 -> AC, PT

Proposed Program Management (PM) Control Family

PM-1 Information Security Program Plan
PM-2 Information Security Program Leadership Role
PM-3 Information Security and Privacy Resources
PM-4 Plan of Action and Milestones Process
PM-5 System Inventory
PM-6 Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Authorization Process
PM-11 Mission and Business Process Definition
PM-12 Insider Threat Program
PM-13 Security and Privacy Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Security and Privacy Groups and Associations
PM-16 Threat Awareness Program
PM-17 Protecting CUI on External Systems
PM-18 Privacy Program Plan
PM-19 Privacy Program Leadership Role
PM-20 Dissemination of Privacy Program Information
PM-21 Accounting of Disclosures
PM-22 Personally Identifiable Information Quality Management
PM-23 Data Governance Body
PM-24 Data Integrity Board
PM-25 Minimization of PII Used in Testing, Training, and Research
PM-26 Complaint Management
PM-27 Privacy Reporting
PM-28 Risk Framing
PM-29 Risk Management Program Leadership Roles
PM-30 Supply Chain Risk Management Strategy
PM-31 Continuous Monitoring Strategy
PM-32 Purposing
PM-33 Privacy Policies on Websites, Applications, and Digital Services

Proposed New Control Family: PII Processing and Transparency (PT)

PT-1 Policy and Procedures
PT-2 Authority to Process Personally Identifiable Information
PT-3 Personally Identifiable Information Processing Purposes
PT-4 Minimization
PT-5 Consent
PT-6 Privacy Notice
PT-7 System of Records Notice
PT-8 Specific Categories of Personally Identifiable Information
PT-9 Computer Matching Requirements

Risk Assessment Family: Security and Privacy Integration Example

RA-3 RISK ASSESSMENT
Control:
a. Conduct a risk assessment, including:
   1. The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
   2. The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];
d. Review risk assessment results [Assignment: organization-defined frequency];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

PII Processing and Transparency Family: Example

SP 800-53 Rev 4, App J
AP-2 PURPOSE SPECIFICATION
Control: The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.

SP 800-53 Rev 5 (FPD)
PT-3 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES
Control:
a. Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information;
b. Describe the purpose(s) in the public privacy notices and policies of the organization;
c. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and
d. Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements].
Control Enhancements:
(1) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | DATA TAGGING
Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally identifiable information]: [Assignment: organization-defined processing purposes].
(2) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | AUTOMATION
Track processing purposes of personally identifiable information using [Assignment: organization-defined automated mechanisms].
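PT-3 moves purpose specification from a notice-writing exercise (Rev 4 AP-2) to something enforced in processing: documented purposes (a), tags on PII elements (enhancement 1), a compatibility restriction (c), monitored changes (d) and automated tracking (enhancement 2). The following is an added example, not code from the NIST slides or from NIST, showing how a registry can implement those pieces together. The purpose names, element names, approver identities and the sample record are all constructed placeholders.

```python
"""Added example (not from NIST SP 800-53): purpose tags on PII elements,
purpose-compatibility enforcement and change tracking, in the spirit of PT-3."""
from dataclasses import dataclass, field

# PT-3a: the organization's identified and documented processing purposes
# (constructed placeholder names; a real organization defines its own)
DOCUMENTED_PURPOSES = frozenset({"account_administration", "service_delivery", "fraud_prevention"})


class PurposeViolation(Exception):
    """Raised when processing or tagging falls outside the documented purposes."""


@dataclass
class PIIRegistry:
    tags: dict = field(default_factory=dict)        # element -> frozenset of purposes (PT-3(1))
    change_log: list = field(default_factory=list)  # PT-3d: every tag change with its approver
    access_log: list = field(default_factory=list)  # PT-3(2): every processing decision

    def tag(self, element: str, purposes, approved_by: str) -> None:
        """Attach purpose tags; only documented purposes are accepted and every change is logged."""
        purposes = frozenset(purposes)
        undocumented = purposes - DOCUMENTED_PURPOSES
        if undocumented:
            raise PurposeViolation(f"{element}: undocumented purpose(s) {sorted(undocumented)}")
        old = self.tags.get(element, frozenset())
        self.tags[element] = purposes
        self.change_log.append((element, sorted(old), sorted(purposes), approved_by))

    def compatible(self, element: str, purpose: str) -> bool:
        return purpose in self.tags.get(element, frozenset())

    def process(self, record: dict, purpose: str) -> dict:
        """PT-3c: release only the elements whose tags permit this purpose; untagged elements are refused."""
        if purpose not in DOCUMENTED_PURPOSES:
            raise PurposeViolation(f"purpose {purpose!r} is not a documented purpose")
        released = {}
        for element, value in record.items():
            if element not in self.tags:
                raise PurposeViolation(f"{element}: no purpose tag; refusing to process")
            allowed = self.compatible(element, purpose)
            self.access_log.append((element, purpose, "allowed" if allowed else "denied"))
            if allowed:
                released[element] = value
        return released


def demo():
    """Constructed scenario: a service-delivery job must not see the SSN."""
    reg = PIIRegistry()
    reg.tag("email", {"account_administration", "service_delivery"}, approved_by="privacy-officer")
    reg.tag("ssn", {"fraud_prevention"}, approved_by="privacy-officer")
    reg.tag("shipping_address", {"service_delivery"}, approved_by="privacy-officer")
    record = {  # constructed sample record, not real data
        "email": "user@example.test",
        "ssn": "000-00-0000",
        "shipping_address": "1 Example St",
    }
    for_delivery = reg.process(record, "service_delivery")
    try:  # an attempt to widen the SSN's purposes to something undocumented is rejected
        reg.tag("ssn", {"marketing"}, approved_by="intern")
        retag = "accepted"
    except PurposeViolation:
        retag = "rejected"
    denied = [e for e, _p, d in reg.access_log if d == "denied"]
    return for_delivery, retag, denied, len(reg.change_log)


if __name__ == "__main__":
    print(demo())
```

Refusing untagged elements rather than defaulting them to "allowed" is the deliberate design choice: a field that nobody has assigned a purpose to is exactly the field that has escaped the PT-3a inventory, and failing closed surfaces that gap.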

Supply Chain Risk Management (SCRM) Changes in Draft SP 800-53, Revision 5

- Align Supply Chain Risk Management with SP 800-161, CNSSD 505 & Further Consolidated Appropriations Act 2020, §208.
- Integrated SP 800-161 new controls/enhancements and Implementation Guidance into draft SP 800-53 Rev. 5.
- RA-3(1), Supply Chain Risk Assessment: new control enhancement.
- RA-9, Criticality Analysis: moved from SA-14, reference NISTIR 8179.
- PM-30, Program Management: to reflect a Tier 1 SCRM Plan/SCRM Strategy.
- Integrated NISTIR 8179, Criticality Analysis Process Model, throughout References.
- Last, but not least (see the new SR family below).

Proposed New Control Family: Supply Chain Risk Management (SR)

SP 800-53, Rev 5 (FPD) SR control -> source in SP 800-53, Rev 4
SR-1 Policy and Procedures -> New
SR-2 Supply Chain Risk Management -> New
SR-3 Supply Chain Controls and Processes -> SA-12(15)
SR-4 Provenance -> New
SR-5 Acquisition Strategies, Tools, and Methods -> SA-12(1)
SR-6 Supplier Reviews -> SA-12(2)
SR-7 Supply Chain Operations Security -> SA-12(9)
SR-8 Notification Agreements -> SA-12(12)
SR-9 Tamper Resistance and Detection -> SA-18
SR-10 Inspection of Systems or Components -> SA-18(2)
SR-11 Component Authenticity -> SA-19


Feedback Requested: Security and Privacy Collaboration Index

Purpose: provide better guidance on control implementation collaboration between security and privacy programs.
NIST seeks feedback on the notional example included in the Notes to Reviewers Supplement. Three control families are included as notional examples: Access Control (AC), Program Management (PM) and PII Processing and Transparency (PT).

Option 1:
- S: Controls are primarily implemented by security programs; minimal collaboration needed between security and privacy programs.
- SP: Controls are generally implemented by security programs; moderate collaboration needed between security and privacy programs.
- SP: Controls are implemented by security and privacy programs; full collaboration needed between security and privacy programs.
- PS: Controls are generally implemented by privacy programs; moderate collaboration needed between security and privacy programs.
- P: Controls are primarily implemented by privacy programs; minimal collaboration needed between security and privacy programs.

Option 2:
- S: Security programs have primary responsibility for implementation; minimal collaboration needed between security and privacy programs.
- SP: Security and privacy programs both have responsibilities for implementation; more than minimal collaboration is needed between security and privacy programs.
- P: Privacy programs have primary responsibility for implementation; minimal collaboration needed between security and privacy programs.

Collaboration Index: Notional Examples

Columns: control number; control name / control enhancement name; collaboration index, 3-gradient scale; collaboration index, 5-gradient scale

ACCESS CONTROL (AC) FAMILY
AC-1     Policy and Procedures                                     SP   SP
AC-2     Account Management                                        SP   SP
AC-2(1)  AUTOMATED SYSTEM ACCOUNT MANAGEMENT                       S    S
AC-2(2)  AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT      S    S

PROGRAM MANAGEMENT (PM) FAMILY
PM-22    Personally Identifiable Information Quality Management    P    P
PM-23    Data Governance Body                                      SP   SP
PM-24    Data Integrity Board                                      P    P
PM-25    Minimization of PII Used in Testing, Training, and Research   SP   SP
PM-26    Complaint Management                                      P    P

PERSONALLY IDENTIFIABLE INFORMATION PROCESSING & TRANSPARENCY (PT) FAMILY
PT-1     Policy and Procedures                                     P    P
PT-2     Authority to Process Personally Identifiable Information  P    P
PT-2(1)  DATA TAGGING                                              SP   SP
PT-2(2)  AUTOMATION                                                SP   SP


Next Steps, Resources and Contact

NIST seeks your feedback on Draft SP 800-53, Rev. 5: https://go.usa.gov/xdevJ
- Draft SP 800-53, Rev 5
- Summary of Changes from Rev. 4
- Comment Template
- Open Security Control Assessment Language (XML, JSON, YAML) and .XLSX versions of controls

Public comment period: March 16 – May 15, 2020
Submit comments and questions to: sec-cert@nist.gov

A special note of appreciation to the team from NIST Conference Services and Computer Security Division (Hoyt Cox, Akeem Henry, Kevin Hill, Joe Hynes, Eduardo Takamura, Pauline Truong & Crissy Robinson) for coordinating this event! Thank you for a job well done!!

LIVE CHAT Q&A

Speakers: Jon Boyens and the other presenters (remaining names are not legible in the transcription). Topics: Security, Privacy, Supply Chain.
*Speakers may not be able to respond individually to each question submitted during the live chat Q&A; an updated FAQ will be posted that addresses submitted questions with no attribution. Questions can be submitted at any time to sec-cert@nist.gov
