Updated FedRAMP Controls for Cloud Services coming based on NIST SP 800-53 Rev 5

The National Institute of Science and Technology (NIST) have been busy updating their SP 800-53 Security and Privacy Controls Catalog (Revision 5).  On August 15, 2017, NIST released their public draft for comments.  They intend to release their final draft in October 2017, and final version by December 29, 2017.  Here are some of the changes they have made from SP 800-53 Revision 4. The FedRAMP program for cloud computing services accreditation is based on NIST SP 800-53 and likely require cloud service providers to begin migrating to the new standard.

1. “Making the security and privacy controls more outcome-based by changing the structure of the controls.”

In Revision 4 and earlier versions, each control and control enhancement was prefixed by ‘The Information System…’ or ‘The organization…’.  The intent being to identify the entity responsible for implementing the control.  In this public draft, NIST has removed these prefixes and asks if this is a beneficial change or not.  They ask if a change such as this would provide greater emphasis on the purpose of the control, better reflect the intended outcome of the control in providing security, and/or provide organizations with greater flexibility regarding control implementations.  In the table outlining which controls and enhancements apply to which baseline, a new column has been added to indicate whether the control is typically aligned with the Organization or the System.  However, in keeping with NISTs intentions, this is likely just guidance and not a requirement.

2. “Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls,” and, “Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks.”

The Privacy Controls catalog has been removed and incorporated into the existing controls and control enhancements.  The only exception is the Individual Participation (IP) privacy control family, which has remained independent and added to the main control catalog. In the table outlining which controls and enhancements apply to which baseline, a new column has been added to indicate whether the control is privacy related on not.  In addition, Appendix F outlines which of these privacy controls are fully under the purview of the agency’s privacy program, and which are under joint purview of the privacy program and the security program.  Lastly, the controls are also either ‘Required, Situationally Required, or Discretionary.’  Discretionary controls are optional, while situationally required depends on the laws, regulations, or policy guiding the organization.

3. “Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners.”

Per OMB Circular A-130, federal agencies and organizations are required to use the NIST Risk Management Framework (RMF) to select the necessary security controls.  However, with no authority over state, local, and tribal governments, as well as private sector organizations, NIST can only encourage the use of this guide as appropriate.  Therefore, in Revision 5, NIST aims to be more inclusive of these other organizations and has removed the control selection process from the actual controls.  For federal agencies and organizations, tailoring guidance and informative material will be moved into SP 800-37, and can also be found in SP 800-53 Revision 4 until the next update cycle for SP 800-37.

4. “Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework.”

Updates to control and supplemental guidance in SP 800-53 revision 5 has incorporated lexicon from other frameworks like the “Framework for Improving Critical Infrastructure Cybersecurity” Version 1.0 dated February 12, 2014.  Making controls more outcome based also aligns with this change.

5. “Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.”

As is typical with each revision of SP 800-53, controls have been updated, added, and removed from the baseline.  Some of the notable additions include controls in the Risk Assessment (RA), Program Management (PM), Planning (PL), Incident Response (IR), and Identification and Authentication (IA) control families.

6. Other changes of note:
   1. Dash 1 (policy and procedure controls) now include requirements to ensure the organization is developing, documenting, and implementing remediation actions for violations of policy. This may apply to policy items that don’t tie to a specific NIST SP 800-53 control as remediation actions tied to control failures are noted in Plan of Actions and Milestones (POA&Ms)
   2. Dash 1 (policy and procedure controls) supplemental guidance states: “It is important to recognize that restating controls does not constitute an organizational policy or procedure.” Many agencies have been guilty of this in the past so it is interesting that NIST specifically calls this behavior out.
   3. Implementation priority codes have been removed (P0, P1, P2, P3).
   4. Hyperlinks have been included throughout the document to allow for easier navigation for the reader.
   5. Appendix H includes key words for each control and control enhancement to promote greater consistency in search results that may contain similar content or have a similar purpose. NIST states that such information may be useful in developing security and privacy plans, conducting tailoring activities, constructing overlays, or using automated tools to support risk management or system life cycle activities.
   6. The term ‘federal’ has been removed from the title of the publication as well as in various parts of the document to facilitate the inclusiveness of the SP 800-53 to organizations outside of federal authority.
   7. The term ‘information system’ has been replaced with ‘system’ to facilitate the inclusiveness of all types of systems such as industrial/process control systems, cyber physical systems, weapons systems, IoT devices, etc.
   8. Program Management (PM) controls are documented within the main catalog of controls instead of an appendix.