New Insider Threat Controls in 800-53 rev4 DRAFT

NIST is working on a DRAFT revision of the SP 800-53 controls, known as rev4. The new controls include material related to insider threats.

  • PM-12 (0) INSIDER THREAT PROGRAM – this is the master control requiring an insider threat program, including a team that is focused on insider threat incident handling. The team needs to have cross-discipline representation that allows them to monitor and correlate behavior patterns from different parts of the organization and in different forms. The program should include security controls that require such monitoring and correlation. The controls listed below this one offer a good starting point.
  • AT-2 (2) SECURITY AWARENESS | INSIDER THREAT – training on how to notice indicators and precursors of insider threat activity.
  • AU-6 (9) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH INPUT FROM NON-TECHNICAL SOURCES – correlation of non-technical input with audit information can reveal patterns of potential insider threat activity.
  • CA-2 (2) SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS – selectable parameters offer a variety of forms of security assessments, including a focus on insider threat.
  • IR-4 (6) INCIDENT HANDLING | INSIDER THREATS – SPECIFIC CAPABILITIES – this control can be added to the baseline during the tailoring process to provide an emphasis on specific aspects of insider threat and how the organization intends to defend against the threat and respond to it when detected.
  • IR-4 (7) INCIDENT HANDLING | INSIDER THREATS – INTRA-ORGANIZATION COORDINATION – it should be obvious that intra-organizational cooperation will be key to handling insider threats. A selectable parameter allows organizational elements to be specified.
  • SC-5 (1) DENIAL OF SERVICE PROTECTION | RESTRICT INTERNAL USERS – it may be wise to restrict or limit the ability of insiders to use components of the information system to launch denial of service attacks. A selectable parameter allows such attacks to be specified.

[NOTE – rev4 is still in DRAFT status and changes may be made before it goes final]

NIST SP 800-53 rev4 IPD (Initial Public Draft)

SEE ALSO:
New OPSEC Controls in 800-53 rev4
