Your agency has terabytes of data that must be secured properly at all times. However, it can be challenging to provide privileged access – meaning the right people have access to the right data sets at the right time. This aspect of security is key to keeping your agency’s data protected.
To make sure that all federal agencies are meeting security and privacy standards for data management, Congress passed the Federal Information Security Management Act of 2002 (FISMA). The Act requires federal agencies to develop, document and implement agency-wide programs to provide information security for the agency’s systems.
The National Institute of Standards and Technology (NIST) is responsible for developing these standards and guidelines. One of NIST’s most pertinent publications is Security and Privacy Controls for Federal Information Systems and Organizations, also known as SP 800-53. The publication is a catalog of security and privacy controls for federal information systems and organizations and provides a process for selecting controls to protect organizational operations and assets from threats, including cyberattacks.
The publication is currently on its fourth iteration, but NIST is preparing to release the fifth version in the near future. To talk more about what the fifth revision of the document looks like and better understand how leveraging it can help keep agencies FISMA compliant, GovLoop sat down with Vicky Yan Pillitteri, Advisor for Information System Security at NIST, and Shunta Sharod Sanders, Senior Sales Engineer of Federal at BeyondTrust.
From their discussion, we learned what is changing in SP800-53 version five and how agencies can leverage tools to maintain FISMA compliance.
NIST Special Publication 800-53
To understand how NIST could enhance the tools put forth in SP 800-53, Pillitteri and her team talked and coordinated with stakeholders to develop necessary changes. A few of the most pertinent alterations include:
- Reducing federal focus. “We heard from our stakeholders that version four of SP 800-53 is widely used in the public sector even though it is only required for the federal government,” Pillitteri explained. “As a result, we shifted some of the language that was too heavily focused on federal government and made it more generalizable.”
- Decoupling information from systems. The language in the publication also no longer refers to information systems as a single entity. Instead, readers just see the word “system,” to make the information more applicable to all system types.
- Moving controls to chapter three. “We wanted to move controls out of an appendix and into the actual body of the publication to show the importance and robust nature of the control set and to easily give people what they are coming to the document for,” Pillitteri said.
- Integrating privacy throughout the document. Privacy was also tucked away in an appendix of version four. Pillitteri explained that instead of keeping privacy as an afterthought at the back, they instead integrated it throughout version five.
Leveraging Tools and Practices to Remain FISMA compliant
It is critical for agencies to have a clear understanding of SP 800-53 and the controls found within it because the publication helps them achieve FISMA compliance. Two of these controls particularly help agencies avoid breaches.
- Identity, Credential, and Access Management (ICAM). According to Sanders, the goal of ICAM is, “to implement a set of capabilities that ensure network users are using strong authentication to access federal IT resources and to limit users’ access to the resources and data required for their job functions.” Essentially, agencies should manage privileged credentials with greater discipline and enforce least privilege to limit who can access data. He recommended achieving this by securing and automating password management, controlling how credentials are accessed, leveraging auto-login, recording all administrator activity, and putting in place real-time alerts when session activity is started.
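The ICAM practices listed above (least privilege, strong authentication, recording administrator activity, and alerting when a privileged session starts) can be illustrated with a small access-review script. The following is an added example, not code from the GovLoop article, NIST or BeyondTrust; the role-to-permission table, account names, log line format and timestamps are all constructed for illustration.

```python
"""Least-privilege authorization plus privileged-session alerting.

Added example (not code from the GovLoop article, NIST or BeyondTrust).
The role-to-permission table, account names, log line format and
timestamps below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role -> permission mapping. Each role gets only what its
# job function needs (least privilege); nothing else is reachable.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"reports-db:read"},
    "dba": {"reports-db:read", "reports-db:write", "reports-db:admin"},
    "helpdesk": {"directory:read", "directory:reset-password"},
}

# Constructed account -> role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob": {"dba"},
    "carol": {"helpdesk"},
}

# Permissions whose use should always be recorded and alerted on.
PRIVILEGED_PERMISSIONS: Set[str] = {"reports-db:admin", "directory:reset-password"}

# Constructed log format: "<ts> user=<u> event=<e> perm=<p> [mfa=yes|no]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"perm=(?P<perm>\S+)(?: mfa=(?P<mfa>\S+))?$"
)


@dataclass
class Alert:
    kind: str      # "denied", "privileged_session", "weak_auth" or "unparseable"
    ts: str
    user: str
    detail: str


def is_authorized(user: str, permission: str) -> bool:
    """True only if one of the user's roles explicitly grants the permission."""
    return any(
        permission in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


def review_log(lines: List[str]) -> List[Alert]:
    """Walk session log lines, enforce least privilege and raise alerts."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            # A line the parser cannot read is itself worth a look.
            alerts.append(Alert("unparseable", "?", "?", line))
            continue
        ts, user, event, perm, mfa = (m.group(k) for k in ("ts", "user", "event", "perm", "mfa"))
        # Strong authentication is expected on every session start.
        if event == "session_start" and mfa != "yes":
            alerts.append(Alert("weak_auth", ts, user, f"session started without MFA for {perm}"))
        # Deny anything the user's roles do not grant, unknown accounts included.
        if not is_authorized(user, perm):
            alerts.append(Alert("denied", ts, user, f"{perm} not granted by roles"))
            continue
        # Authorized privileged use is allowed but recorded and alerted in real time.
        if event == "session_start" and perm in PRIVILEGED_PERMISSIONS:
            alerts.append(Alert("privileged_session", ts, user, f"privileged session: {perm}"))
    return alerts


def alert_counts(lines: List[str]) -> Dict[str, int]:
    """Number of alerts of each kind, handy for a dashboard or a test."""
    counts: Dict[str, int] = {}
    for a in review_log(lines):
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2017-08-15T10:00:00Z user=alice event=session_start perm=reports-db:read mfa=yes",
    "2017-08-15T10:01:00Z user=alice event=session_start perm=reports-db:admin mfa=yes",
    "2017-08-15T10:02:00Z user=bob event=session_start perm=reports-db:admin mfa=yes",
    "2017-08-15T10:03:00Z user=carol event=session_start perm=directory:reset-password mfa=no",
    "2017-08-15T10:04:00Z user=dave event=session_start perm=reports-db:read mfa=yes",
    "corrupted log entry",
]

if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.ts} {alert.user}: {alert.detail}")
```

The authorization check is deny-by-default: an account that is unknown, or a permission no role grants, produces a denial rather than silently passing. Privileged sessions that are authorized are not blocked, but every one is recorded as an alert the moment it starts, which is the "record all administrator activity" and "real-time alert on session start" practice described above.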
- Information Security Continuous Monitoring Mitigation (ISCM). Similarly, ISCM’s goal is to combat information security threats by maintaining ongoing awareness of information security, vulnerabilities and threats to federal systems and information. Sanders explained some key considerations when working towards ISCM are the capability to discover and provide information on any asset with an IP address, the ability to prioritize and remediate vulnerabilities, and integrating with current infrastructure and cybersecurity investments.
Sanders concluded by emphasizing that a secure environment is born from FISMA compliance. “Despite all the hard work that goes into preventative measures, there isn’t a silver bullet to meet all cyber needs and you may still experience a breach at your agency,” Sanders explained. “Leveraging a unified approach can reduce vulnerability and instances of attack.”
Waiting on the edge of your seat for SP 800-53 version five to be released? Don’t worry. Pillitteri assured that a draft of the new version will be available to the public soon and that she and her team at NIST are looking forward to feedback from users across sectors.