Friday, February 5, 2016

Why you need to read the Summary of NIST SP 800-53 Revision 4

This is the most concise list of answers I've seen to the most commonly asked questions and misconceptions my customers, peers, and students have about NIST SP800-53r4.

http://csrc.nist.gov/publications/nistpubs/800-53-rev4/sp800-53r4_summary.pdf

Just read the table of contents for a readout on those topics... It will look as if someone has been reading my email! Nice work Kelley, Greg, and Doug.

Summary of NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Kelley Dempsey, Computer Security Division, Information Technology Laboratory
Greg Witte and Doug Rike, G2, Inc., Annapolis Junction, MD
February 19, 2014

Table of Contents

1 Introduction
2 NIST SP 800-53 Revision 4 and the Risk Management Framework (RMF)
3 Control Baselines and Tailoring
4 Documenting the Control Selection Process
5 Assurance
6 Security Controls
7 International Information Security Standards
8 Overlays
9 Privacy

Here's how I loosely explain it.
  • [Introduction] 800-53 was put in place to define controls for federal systems. Controls keep bad things from happening.
  • [RMF] This assumes the use of the Risk Management Framework. You cannot get away from this. Learn and use it. Repeatedly.
  • [Baselines and Tailoring] The baselines are not meant to be blindly applied. They must be tailored for your situation.
  • [Documentation] Document everything.
  • [Assurance] Systems assurance helps you sleep at night.
  • [Controls] Security controls enable you to protect your systems from bad stuff.
  • [International] Yes!! There is a tremendous amount of overlap between these recommendations and international ISO-IEC recommendations. Look at how they line up! Perfectly? No. But wave your hands and explain it away. Don't do that... that's a joke. Seriously. Don't do that.
  • [Overlays] NIST understands the baselines don't cover every situation and expects you to document the additional protections they don't cover. These are called overlays.
  • [Privacy] Here's an example overlay.
On my wish list is a NIST for Dummies explained using Legos...