NIST Alters Guidance Wording to Appeal to Non-Federal Audience


Words Matter: Changes Coming to NIST Special Publication on Security and Privacy Controls

Pictured: NIST Fellow Ron Ross

Information security specialists at the National Institute of Standards and Technology are dotting the "i's" and crossing the "t's" on a revision of one of NIST's most well-known guidance publications: Security and Privacy Controls for Federal Information Systems and Organizations.


That's right, the title of Special Publication 800-53 is changing for its fifth revision - the first draft is slated to be published March 28 - to reflect that the NIST guidance is used beyond the federal government. NIST is striking the word "Federal" from the title.

NIST Fellow Ron Ross explains why the phraseology of NIST guidance is important.

"This change facilitates inclusiveness for all types of organizations - state, local and tribal governments; industry; academia - and promotes the view that security and privacy are national areas of concern, not just for the federal government," says Ron Ross, the NIST fellow who is the lead author on SP 800-53.

NIST is modifying other wording in the guidance to reflect the evolving nature of information security and risk. It will use the term "systems" rather than "information systems," and it will remove the phrases that currently introduce each security and privacy control - "The organization" or "The information system" - from the control statements.

Making Guidance Relevant to All

Removing the word "information" from "information systems" makes the guidance relevant to all types of systems that have computers embedded in them.

"That way," Ross says, "it's more welcoming to communities of interest that do not have those traditional types of information systems but may have a cyber-physical system or something that is more along the lines of the internet of things, where we're dealing more with devices and connecting those devices up."

By eliminating the introductory phrases "The organization" or "The information system" before each control, the new wording emphasizes what must get done to protect the system or information, rather than which entity carries out the action or where it is carried out.

This isn't the first time NIST has altered the title of its SP 800-53 guidance, which was first issued in 2006. In the 2013 update, known as Revision 4, NIST added the word "Privacy" to its title to reflect the addition of controls that deal with privacy. In Revision 4, the catalog of privacy controls appears in Appendix J. In the next revision, most of those privacy controls will be absorbed into Appendix F, the security control catalog.

Security, Privacy Synergy

Although privacy and security are different disciplines, they're complementary. "Privacy has to operate on a strong foundation of good security, especially with confidentiality, for example," Ross says. "The end result will be a seamless view of controls in one catalog."

The Federal Information Security Management Act, enacted in 2002, requires all federal agencies to employ NIST guidance. But many organizations outside the federal government have also used the NIST guidance, especially SP 800-53, when taking steps to secure their systems.

Ross says he has seen an uptick in emails and other messages from entities outside the federal government since NIST introduced its cybersecurity framework for safeguarding the digital assets of critical infrastructure in February 2014. Since then, interest in the NIST guidance referenced by the framework has also been on the rise, and the revised wording of SP 800-53 Revision 5 reflects that broadening audience.