NIST drafts new safeguards for information systems, Internet of things
The National Institute of Standards and Technology (NIST) has issued a new draft revision of its Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.
Developed by a joint task force comprised of civil, defense and intelligence representatives, the draft takes into account the ongoing effort to create a unified information security framework for the federal government.
This latest draft particularly goes beyond both information security and the federal government to address practices that all kinds of organizations can implement to maintain security and privacy in their interconnected systems.
Revision 5 “takes the guidance in new directions—we are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things,” said Ron Ross, NIST fellow and team leader of the joint task force that authored the updated publication.
The controls refer to the security and privacy safeguards (technical and procedural) designed to protect systems, organizations and individuals.
This marks the first control catalog that fully integrates privacy guidelines throughout the entire draft.
SP 800-53 Revision 5 adds two new control families that focus solely on privacy, with the remaining privacy controls integrated throughout the rest of the control families.
One privacy control, for example, addresses the data captured by sensors as in the case of those used in traffic-monitoring cameras in smart cities.
The control recommends configuring these kinds of sensors in a manner that reduces their capturing data about individuals that’s unnecessary for the traffic-monitoring system to conduct its function.
While previous versions targeted federal agencies, other organizations are freely adopting SP 800-53.
The controls have been revised to take into account the needs of a more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers who are now working on privacy and security.
In addition, the control selection process is now separated from the security control catalog and included in the NIST Risk Management Framework so that organizations outside of the federal government can more easily use the NIST controls with the frameworks they currently use.
Interested participants are asked to email their comments regarding the revised draft to [email protected] by no later than September 12.
Earlier this week, scientists from NIST and Michigan State University revealed they have developed an algorithm that automates a key step in the fingerprint analysis process.