If you’ve ever tried to set up a home entertainment system by poring over a thick manual, you might appreciate the manufacturer also providing you with a quick-start guide so you can get your party going in short order. Information security experts at the National Institute of Standards and Technology (NIST) have created what is essentially a quick-start guide to their flagship risk management tool, to help organizations reduce their security and privacy risks more easily.
Their creation, whose full title is Control Baselines for Information Systems and Organizations (NIST Special Publication (SP) 800-53B), is a companion publication to SP 800-53 Revision 5, which NIST updated last month after a multiyear effort. SP 800-53 offers a comprehensive set of security and privacy safeguards — referred to as controls — that address specific weaknesses in an organization or information system. It is used by organizations of all sizes, across public and private sectors. The new companion guide can help them with selecting the baseline, or group of safeguards, that is appropriate for the risk level and threats the organization faces.
“Choosing security and privacy controls is a bit like building a car from parts that fit the driving conditions you expect,” said Ron Ross, a NIST Fellow and one of the guide’s authors. “If you’re building an SUV for trips around town, you might choose different parts than you’d use for a race car. Whether you’re managing risk for a routine business system or one whose breach would compromise our nation’s critical infrastructure, we’ve got a baseline for you.”
The federal government needs wildly varying levels of cybersecurity as it performs a diverse set of functions for the country, ranging from operating the air traffic control system to conducting financial transactions in the banking system to providing veterans’ health care. The 800-53B guide offers low-, moderate- and high-impact security control baselines, and it also offers a privacy control baseline to protect individual privacy in the processing of personally identifiable information.
“Every system is important in its own right, but some systems support functions that are more critical to the national and economic security interests of the United States, making them more attractive targets for our adversaries,” Ross said. “These systems need higher levels of protection, and NIST provides appropriate safeguarding recommendations for them.”
Ross described the control baselines as starting points for security and privacy. Because every organization will have its own specific goals, the guide also provides tailoring guidance for specific communities of interest, technologies and environments of operation.
“Using the guidance we provide, an organization can choose the right security and privacy baseline and then customize it effectively,” Ross said. “That way they can ensure that they have the capability to protect their critical operations and assets.”
While NIST guidelines are nonregulatory, the Federal Information Security Modernization Act (FISMA) and OMB Circular A-130 require implementation of a minimum set of controls selected from SP 800-53 to protect federal information and information systems. Because many organizations interact with the federal government, Ross said the security and privacy control baselines will have far-reaching effects.
“Many external programs and organizations depend on the NIST recommendations to help protect cloud, health care, financial, transportation, manufacturing, defense and industrial control systems,” he said. “It’s our goal to get all of them the right kind of protection.”
The new control baselines and the security and privacy controls from NIST SP 800-53 Revision 5 can also be used with NIST’s Risk Management Framework, Cybersecurity Framework and Privacy Framework, which together provide a comprehensive toolkit to help manage security and privacy risk.