800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site.

[note – IPD means the document is in “draft” mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months later]

Draft-SP800-53 Rev.3.pdf (2,112 KB)

From the “Notes to Reviewers” section, here is a list of changes:

The specific changes in Special Publication 800-53, Revision 3 include:
• Restructuring of security controls to include specific requirements previously stated in Supplemental Guidance;
• Adjusting security control/control enhancement allocations to security control baselines;
• Eliminating security controls and control enhancements that are redundant or no longer needed;
• Incorporating the revised, simplified, six-step Risk Management Framework;
• Strengthening selected security controls by adding new security control enhancements;
• Adding security program management controls that affect organizations, at large, including areas such as capital planning and budgeting, enterprise architecture, and risk management;
• Providing additional guidance on the management of common controls within organizations;
• Adding security controls and control enhancements for advanced cyber threats, including supply chain threats;
• Introducing a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards including an updated mapping table for security controls in ISO/IEC 27001 (Annex A); and
• Updating supporting appendices including references, glossary, and acronyms.

Here’s what some of this means – there are numerous changes to controls, including some that have been deleted, some that have been changed and some new controls. The concept of “common controls” continues to be elevated in importance by NIST (this is in concurrence with the recently released new draft version of 800-37 on Authorization/C&A). 800-53 controls seem to be going through a modification and consolidation process to bring them more in line with both Department of Defense standards and ISO 27001.

Here is a list of changes to controls that I have noted:

AC-2 ACCOUNT MANAGEMENT (inclusions from AC-13)

AC-3 ACCESS ENFORCEMENT
Control Enhancements: (1) [Withdrawn: Incorporated into AC-6].

AC-6 LEAST PRIVILEGE (inclusions from AC-3)

AC-12 SESSION TERMINATION
[Withdrawn: Incorporated into SC-10].

AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL
[Withdrawn: Incorporated into AC-2 and AU-6].

AC-15 AUTOMATED MARKING
[Withdrawn: Incorporated into MP-3].

AC-17 REMOTE ACCESS (inclusions from AC-18)

AC-18 WIRELESS ACCESS RESTRICTIONS
[Withdrawn: Incorporated into AC-17].

AC-21 USER-BASED COLLABORATION AND INFORMATION SHARING
(new control added)

AU-2 AUDITABLE EVENTS
Control Enhancements: (1) [Withdrawn: Incorporated into AU-13].
(2) [Withdrawn: Incorporated into AU-13].
[note – there is no AU-13 in rev3; this content is found in AU-12]

AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING (inclusions from AC-13)
Control Enhancements: (2) [Withdrawn: Incorporated into SI-4].

AU-12 AUDIT GENERATION (inclusions from AU-2)
(new control)

AU-13 ?? (inclusions from AU-2)
[note – there is no AU-13 control included in the rev3 IPD; this appears to be a typo, and the content removed from AU-2 is actually found in AU-12]

CA-2 SECURITY ASSESSMENTS (inclusions from CA-4)

CA-4 SECURITY CERTIFICATION
[Withdrawn: Incorporated into CA-2].

CM-9 CONFIGURATION MANAGEMENT PLAN
(new control)

CP-2 CONTINGENCY PLAN (inclusions from CP-5)

CP-4 CONTINGENCY PLAN TESTING AND EXERCISES (inclusions from CP-10)

CP-5 CONTINGENCY PLAN UPDATE
[Withdrawn: Incorporated into CP-2].

CP-9 INFORMATION SYSTEM BACKUP
Control Enhancements: (4) [Withdrawn: Incorporated into CP-9].
[a focus on integrity has been added to both the main control description and the guidance section to replace this CE]

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
Control Enhancements: (1) [Withdrawn: Incorporated into CP-4].

IA-8 IDENTIFICATION AND AUTHENTICATION (NON ORGANIZATIONAL USERS)
(new control)

MP-3 MEDIA LABELING (inclusions from AC-15)

MP-5 MEDIA TRANSPORT (inclusions from CE-1 below)
Control Enhancements: (1) [Withdrawn: Incorporated into MP-5].

PE-10 EMERGENCY SHUTOFF (inclusions from CE-1 below)
Control Enhancements: (1) [Withdrawn: Incorporated into PE-10].

New PM (Program Management) family inserted here:
PM-1 SECURITY PROGRAM PLAN
PM-2 SENIOR AGENCY INFORMATION SECURITY OFFICER
PM-3 INFORMATION SECURITY RESOURCES
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
PM-5 INFORMATION SYSTEM INVENTORY
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-7 ENTERPRISE ARCHITECTURE
PM-8 CRITICAL INFRASTRUCTURE PLAN
PM-9 RISK MANAGEMENT STRATEGY
PM-10 SECURITY AUTHORIZATION PROCESS
PM-11 MISSION/BUSINESS PROCESS DEFINITION

PL-2 SYSTEM SECURITY PLAN (inclusions from PL-3)

PL-3 SYSTEM SECURITY PLAN UPDATE
[Withdrawn: Incorporated into PL-2].

RA-3 RISK ASSESSMENT (inclusions from RA-4)

RA-4 RISK ASSESSMENT UPDATE
[Withdrawn: Incorporated into RA-3].

SA-12 SUPPLY CHAIN PROTECTION
(new control)

SA-13 TRUSTWORTHINESS
(new control)

SC-10 NETWORK DISCONNECT (inclusions from AC-12)

New SC controls:
SC-24 FAIL IN KNOWN STATE
SC-25 THIN NODES
SC-26 HONEYPOTS
SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS
SC-28 CONFIDENTIALITY OF INFORMATION AT REST
SC-29 HETEROGENEITY
SC-30 ABSTRACTION TECHNIQUES
SC-31 COVERT CHANNEL ANALYSIS
