Just a Standard Blog
One cannot pick up a newspaper, watch TV, listen to the radio, or scan the news on the internet without some direct or veiled reference to the lack of information security or intrusions into personal privacy. Many intrusions into government and private-sector systems have exposed sensitive mission, business and personal information. Every day it seems that more and more systems are breached and more and more personal information is made available either on the web or, worse, the dark web. Given this backdrop, it is often easy to get lost in the details of cybersecurity and privacy and the seemingly endless discussions about cyber attacks, system breaches, frameworks, requirements, controls, assessments, continuous monitoring and risk management and forget why security and personal privacy matter in an increasingly digital world.
We are witnessing and taking part in the greatest information technology revolution in the history of mankind as our society undergoes the transition from a largely paper-based world to a fully digital world. As part of that transformation, we continue to push computers closer to the edge. The “edge” today is the burgeoning and already vast world of the “Internet of Things,” or IoT. This new world consists of an incredibly diverse set of familiar everyday technologies, including dishwashers, refrigerators, cameras, DVRs, medical devices, satellites, automobiles, televisions, traffic lights, drones, baby monitors, building fire/security systems, smartphones and tablets. It also includes technologies that are perhaps less familiar to the average person but absolutely vital to maintaining and safeguarding the familiar world in which they live: advanced military weapons systems; industrial and process control systems that support power plants and the nationwide electric grid, manufacturing plants and water distribution plants; emergency response systems; banking and financial systems; and transportation systems—in short, our most critical infrastructure. Yes, we have fully embraced this emerging technology and pushed computers, software and devices everywhere to the edge of this new world. And as those technologies, both familiar and critical, become increasingly integrated with IoT, so does information, all kinds of information, including intellectual property and your personal information.
It goes without saying that innovations in information technology and IoT will continue to make us more productive, help us solve difficult and challenging problems, entertain us, allow us to communicate with virtually anyone in the world instantaneously, and provide all kinds of additional, and previously unimaginable, benefits. For instance, who wouldn’t want an app that tells you the optimal time to go to the restroom during the movie you’re about to see at your local theater? These new technologies are not only compelling, but also intoxicating and addicting—leaving us with a huge blind spot that puts us at great risk of losing our property, our privacy, our security and, in some cases, our lives.
We have built an incredibly complex information technology infrastructure consisting of millions of billions of lines of code, hardware platforms with integrated circuits on computer chips, and millions of applications on every type of computing platform from smart watches to mainframes. And right in the middle of all that complexity, your information is being routinely processed, stored and transmitted through global networks of connected systems. From a security and privacy perspective, we are not only concerned about the confidentiality, integrity and availability of the data contained in the systems embedded deep in the nation’s critical infrastructure, but also of our personal information.
Recognizing the importance of both security and privacy safeguards for systems, organizations and individuals, NIST recently initiated several groundbreaking projects to bring these concepts closer together—to facilitate the development of stronger, more robust security and privacy programs and provide a unified approach for protecting all types of information, including personal information. The first installment in this new approach occurred with the release of NIST Special Publication 800-53, Revision 5, which provided, for the first time in the standards community, a consolidated catalog of security and privacy controls—standing side by side with the broad-based safeguards needed to protect systems and personal privacy.
Today, NIST is announcing the second installment of the unified approach to privacy and security by releasing a discussion draft of NIST Special Publication 800-37, Revision 2. This publication responds to the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and the Office of Management and Budget’s Memorandum M-17-25 (implementation guidance for the Executive Order) to develop the next-generation Risk Management Framework (RMF 2.0) for systems, organizations and individuals. RMF 2.0 provides a disciplined, structured and repeatable process for organizations to select, implement, assess and continuously monitor security and privacy controls.
NIST Special Publication 800-37, Revision 2, empowers customers to take charge of their protection needs and provide security and privacy solutions to support organizational missions and business objectives. It includes a new organizational preparation step, instituted to achieve more timely, effective, efficient and cost-effective risk management processes. The organizational preparation step incorporates concepts from the Cybersecurity Framework to facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners—conveying acceptable limits regarding the implementation of security and privacy controls within the established organizational risk tolerance. The enterprise-wide preparation also facilitates the identification of common controls and the development of organization-wide tailored security and privacy control baselines. This significantly reduces the workload on individual system owners, provides more customized security and privacy solutions, and lowers the overall cost of system development and protection.
And finally, RMF 2.0 helps organizations reduce the complexity of their IT infrastructure by consolidating, standardizing and optimizing systems, applications and services through the application of enterprise architecture concepts and models. Such complexity reduction is critical to identifying, prioritizing and focusing organizational resources on high-value assets that require increased levels of protection—taking steps commensurate with risk such as moving assets to cloud-based systems or shared services, systems and applications.
The transformation to consolidated security and privacy guidelines will help organizations strengthen their foundational security and privacy programs, achieve greater efficiencies in control implementation, promote greater collaboration of security and privacy professionals, and provide an appropriate level of security and privacy protection for systems and individuals.
Thank you for your kind remarks, Mr. Salinas. They are very much appreciated. It is an honor and a privilege to be able to serve our public and private sector customers by providing standards, guidelines, and best practices to help them build robust security and privacy programs.
I only just now received the link to the draft SP 800-37. In my opinion, NIST did a great job on RMF already. Unfortunately, I am familiar with a segment of government that immediately assumes it must have its own variations of anything and everything. This "organization" made a mess of RMF from the start, seemingly only wanting to make it as painless as possible. They failed in that, by the way. If I had to pick one overriding issue that I would change if I could, it would be the apparent universality of the term "organization" used in so many controls absent a consistent understanding of who or what part of a large organization is being addressed. When an assessment procedure tells me "organizations" are automatically compliant because <insertAgencyNameHere> has defined the <widget> for me, and this control part is not identified as a tier 1 or common offering, several veins of logic are now varicose. The very next control or part may speak of "organization" as if it is the CCP or the ISO without regard for what precedes or follows. My assumption is that many people worked on controls independently and never came to agreement on a standard definition of "organization."
Beautiful blog, author. Thank you for sharing. Keep it up. Good wishes for your work.
Beautiful blog post, author. Thank you.
Excellent post & thank you so much for sharing
Thank you for your post.
Good afternoon Mr. Ross,
I just want to let you know that I do admire your leadership at NIST with such incredible publications as the SP 800s and others to keep our beautiful country safe. I did work before supporting and improving the ICD 503, and your publications were read and exercised by me in order to do my job. I want to thank you for giving me the opportunity to continue reading every day about your newly developed publications on Cyber Security and Information Assurance, which are my passion. Have a wonderful day.
Best Regards
Carlos G. Salinas