Welcome back. The next part of the series will be about the organization of the NIST site and what to look for. The fact to keep in mind is that Cyber Security is ever-evolving. Threats change constantly, and to combat (or mitigate) those threats and risks, the responses have to change too. This is VERY similar to biology and viruses; consider them the same.
The NIST site is organized by publication type, and yes, I'm taking the following directly from their site.
- Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA).
- Special Publications (SP)
- SP 800, Computer Security (December 1990-present): NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials (SP 800s are also searchable in the NIST Library Catalog);
- SP 1800, NIST Cybersecurity Practice Guides (2015-present): A new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors; practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity;
- SP 500, Computer Systems Technology (January 1977-present): A general IT subseries used more broadly by NIST's Information Technology Laboratory (ITL); this page lists selected SP 500s related to NIST's computer security efforts. (Prior to the SP 800 subseries, NIST used the SP 500 subseries for computer security publications; see Archived NIST SPs for a list.)
- NIST Internal or Interagency Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.
Sounds scary? Like a mountain of documents, in government speak, about security?
Navigating the documents
There is a path through this madness, but there is also a shortcut that will get you to the same place. First of all, all the documents are in PDF format and you don't have to pay for them. The US taxpayers already did that. Security guidelines are, and should be, free, as these are just guidelines.
Navigate to the NIST SPECIAL PUBLICATIONS (SP) page and download these 3 PDF files:
- SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
- SP800-53A Rev 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- SP800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
These 3 publications contain over 90% of what is needed to establish and maintain an effective cyber security program. Hundreds of pages, months of work.
Using SP 800-171 as a starting point, everything is considered to be NIST Moderate (due to the high water mark principle). Design your own security controls around the NIST Moderate level. 800-53 will instruct you what to do, and 800-53A (A is for audit) will give you the guidelines on how to measure your controls to determine whether they are effective in design and implementation.
A security program
The traditional program of project management to implementation won't work in Security. NIST is designed around "Control Families", 18 in all. On the NIST site, there are specific SP docs that relate to a control family. Don't get too hung up on the specifics of the control family, as there is a lot of overlap in the SP documents and one SP doc may relate to all control families.
800-53 R4 has references to consult the FIPS 199 doc when implementing an RMF (Risk Management Framework) process. Simply put, the RMF process is like the PMO (Plan, Do, Check, Act) approach or any other SDLC process. RMF just formalizes the steps and documents to follow at each step. Again, THIS IS A GUIDELINE!
The end goal of all of this is to ensure that NOTHING IS DONE IN SECRET: implementations, upgrades, and patch management are ALWAYS done with management knowledge and approval. This goes down to the code reviews, testing plans and implementation schedules.
- Is it cumbersome? Yes!
- Is it a ridiculous amount of approvals? Yes!
- And it needs to be.
Because if you have implemented the Moderate NIST guidelines and have management approvals at each step, you can demonstrate that you have effective controls over your computer systems. Make the bad guys work harder; don't just hand them the keys.