The National Institute of Standards and Technology finalized assessment procedures to correspond with updated information system security and privacy controls, in its latest special publication revision released Tuesday.
NIST published Special Publication (SP) 800-53A Revision 5 assessment procedures in multiple data formats, so agencies can process them using automated tools and free up cybersecurity assessors for more challenging work.
Updated privacy and supply chain risk management controls came out in September for agencies to choose from in managing their cyber risk. Now agencies can use the corresponding assessment procedures to determine if those controls are indeed in place, operating as intended and producing desired results.
“Agencies are always excited to get the assessment procedures and organizations that support federal agencies,” Victoria Yan Pillitteri, acting manager of NIST’s Security Engineering and Risk Management Group, told FedScoop. “As part of their implementation of their risk management programs, they have to select and implement the 800-53 control set, and they also have to evaluate the effectiveness.”
Within agencies, different cyber personnel will prioritize different controls and assessment procedures. Policy and procedures controls are foundational, whereas technical controls apply to specific implementations.
NIST’s SP 800-53 joint task force includes Department of Defense and intelligence community representatives to ensure the controls and assessment procedures are accepted governmentwide. The latter were opened to public comment in August.
The agency released the finalized assessment procedures as a PDF but also as comma-separated values (CSV) for use in Excel; plain text, for use by automated tools for security program management; and Open Security Controls Assessment Language (OSCAL), an enriched XML, JSON, YAML format. Use of OSCAL is a NIST first.
“Using this common format expressing a set of controls or requirements really allows organizations to take the content of NIST publications, especially the ones that are like 800-53, and leverage it,” Yan Pillitteri said. “We’re really here to try to encourage the use of automation where feasible.”
While no dates have been set for Revision 6, NIST is considering how to modernize the process for its entire portfolio of risk management guidelines to keep pace with rapid changes in cyber and technology, she added.
NIST developed an online tool allowing anyone to submit comments on its guidance at any time, whether they’ve found a typo or thought up a new control for an unaddressed cyber threat.
For Revision 6, NIST will integrate assessment procedures into the online comment tool in order to issue draft and finalized controls concurrently with the corresponding assessment procedures — eliminating the year-plus wait time between the two.
“I think that’s going to be a huge gamechanger for how organizations implement our guidance because they’re not in this waiting stage as the team is meticulously going through every single control and control enhancement,” Yan Pellitteri said.