2017 is a busy year for the National Institute of Standards and Technology (NIST). In January 2017, the non-regulatory federal agency released a proposed update (draft version 1.1) to its Cybersecurity Framework, a risk-based guideline that organizations can use to combat ransomware and other digital threats. Additionally, who can forget the December 2017 deadline for government contractors, system integrators, state and local governments, schools, and other civilian organizations to achieve compliance with the protection requirements for controlled unclassified information (CUI) set forth in NIST Special Publication (SP) 800-171?

SP 800-171 isn't the only NIST publication that organizations managing federal information systems should concern themselves with in 2017. The discovery of Industroyer/CrashOverride and other malware that targets industrial control systems (ICS), not to mention a spate of digital attacks against Ukraine's critical infrastructure, underscores the need for the US to strengthen its own vital assets and systems. NIST recognizes that necessity, too, which is why it has decided to revise some of its guidelines. In particular, the measurement standards laboratory has slated revisions of two Special Publications for public release.

The first will be the second revision of SP 800-37. Published in February 2010 and last updated in June 2014, NIST SP 800-37 (PDF) provides guidance on how to apply the six steps of the Risk Management Framework (RMF) to federal information systems. Those steps are:
- Categorization of information systems
- Selection of security controls
- Implementation of security controls
- Assessment of security controls
- Authorization of information systems
- Monitoring of security controls
As of this writing, there is no publicly available release date for the second revision of SP 800-37.

NIST has also designated Special Publication 800-53 for revision. The agency first published SP 800-53 in 2005; the current version, Revision 4, was published in April 2013. Since then, the security and privacy controls for federal information systems specified in the publication have increasingly attracted the attention of enterprises in their efforts to combat insider threats and other digital risks. A draft of Revision 5 of NIST SP 800-53 is now available for public review and comment (PDF).

No doubt the revisions to SP 800-37 and SP 800-53 will shape practitioners' future efforts to secure federal and non-federal information systems alike, but to what extent remains unclear. What impact can professionals expect from these updated publications? I will be holding a webinar to help answer that question. Joining me will be Dr. Ron Ross, NIST fellow and principal architect of the NIST Risk Management Framework. Together, we'll discuss NIST's efforts to develop updated privacy and security controls for federal information systems and beyond. The webinar, entitled "NIST Updates Are Coming, So What is the Impact?," will take place on August 30, 2017, at 11:00 PDT / 14:00 EDT. You can register for the presentation here.