This blog post is an excerpt from our recent industry perspective, Aligning Security Solutions With Federal Requirements. To read more, head here.
The foundation of federal cybersecurity requirements for civilian executive branch agencies remains FISMA, which requires agencies to have risk-based information security programs that are regularly updated. DHS oversees compliance with the law and provides assistance to agencies when needed.
A risk-based security program aligns security controls according to the level of risk to data and systems. Because it is not practical or possible to remove all risk, a certain amount remains. A characteristic of a mature cybersecurity environment is the mitigation of this remaining risk. Effective use of cybersecurity tools can help agencies with risk mitigation.
FISMA does not prescribe the technology to be used for security; it lays out broad cybersecurity goals and requirements. Because the technology, missions and risks differ from agency to agency, the appropriate security solutions and controls will be different for each. Agencies use NIST guidance in implementing the appropriate levels and types of security. At the core of this guidance is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
Updating the Guidance
SP 800-53 is a catalog of security and privacy controls for federal information systems. It also lays out the process for selecting and implementing the appropriate controls to protect agency missions and information. It is now in its fourth revision, and NIST is preparing to release a fifth revision in the near future. According to NIST, some of the most significant changes agencies will find in the newest version include:
• Reducing federal focus. Although written for federal agencies, SP 800-53 is also widely used in the private sector. The more general language in the latest revision reflects this.
• Decoupling information from systems. The publication no longer refers to “information systems” as a single entity. Instead, the word “system” is used alone to make it more applicable to all system types.
• Moving controls to the main body of the document. Controls are moved from an appendix to Chapter 3 to emphasize their importance and make them easier to find.
• Integrating privacy throughout the document. Instead of keeping privacy as an afterthought in the appendix, the privacy controls are integrated throughout this version.