Major update to keystone NIST data security and privacy document
The federal government’s technology standards body, NIST, has completed a major update to its data security and privacy guidance, which includes advice on biometrics and digital identity use. The new document is being billed as “historic,” and offers help in protecting IT systems and organizations without sacrificing the personal privacy of individuals.
The document, NIST SP 800-53, revision 5, is described by NIST as “a multi-year effort to develop the first comprehensive catalog of security and privacy controls” for managing the risks any organization faces in using data systems from supercomputers to Internet of Things devices.
Biometrics are discussed several times in the context of multi-factor authentication and authenticator management, with the implementation of presentation attack detection mechanisms recommended as part of organizational login system controls.
A summary of the revision calls out seven updates as warranting special attention.
The new document focuses on “the protection outcome to be achieved by the application of the control.” In doing this, its authors cut from the control statement the information system, organization and other entities that are responsible for satisfying the recommended control.
Information privacy and security controls have been integrated into a consolidated catalog for systems and organizations. The changes allow “the controls to serve both the security and privacy communities as well as achieving more efficient control implementation.”
Also new is the supply chain risk management control section, which has been integrated throughout the other control sections to help protect systems. The new controls ensure that security and privacy requirements, threats, and other factors are dealt with in system development life cycles and global supply chains.
The authors decided to split the control selection process from controls. By doing that, controls can be used across communities of interest, which is expected to increase collaboration.
Control baselines and tailoring guidance have been moved to a separate publication in the update. Baselines now live in NIST SP 800-53B, Control Baselines for Information Systems and Organizations.
Content relationship descriptions have been improved as well. The update makes the relationship between requirements and controls clearer. The same is true, according to NIST, of the relationship between security and privacy controls.
The last point spotlighted addresses new state-of-the-practice controls. They are based on the most recent intelligence and attack data.