Observations on SP 800-37R1

Posted March 29th, 2010 by

So by now NIST SP 800-37 R1 has made the rounds.  I want to take a couple of minutes to go over my theory on this update.

Summary of changes:

  • Certification is gone.  Accreditation has now changed to “Authorization”.  This is interesting to me because it removes certification which I’ve always equated with compliance.
  • There is more focus on continuous monitoring.
  • NIST has made it more obvious that the process in 800-37 is the security aspect of an SDLC.
  • There is much more emphasis on enterprise-level controls.

So those of you out there who have been succeeding with the NIST Risk Management Framework have been doing this all along, and it’s actually why you’ve succeeded.  For the rest of you, if you have to change your existing process, you’ve been doing it wrong.

Now for what’s missing and where you need to fill in the gaps:

  • Prioritization of controls.  If everything is important, nothing is important.  You have to be able to determine which controls you need to succeed 100% of the time and which controls only need 75% reliability.  Hey, I even give credit to the SANS 20 Critical Security Controls, as flawed as they are, for this.
  • Delineation of controls into shared/common, hybrid, and system-specific.  This is by design; it’s up to the departments and agencies to figure this out.  If you do this correctly, you save a ton of time and effort.  I remember the day my certifier told me that we didn’t recognize shared controls and that it was on me to provide evidence of controls that were provided at the enterprise. It still baffles me how you can really expect one person on a project team to have the resources of the entire IT security staff.
  • Continuous monitoring is up to you.  Along with prioritization, you have to determine which controls you need to monitor and a plan on how to do that.  Protip: these are usually technical controls that you can automate and should do so because it’s the only way to get the job done.
  • Tailor, tailor, tailor.  It is not enough to use generic 800-53 controls.  It definitely is sub-par to use untailored 800-53A test procedures as your test plan.  These all depend on the implementation and need to be tailored to fit.
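The four gaps above are decisions a system owner has to record somewhere, and a small control inventory is the natural place. The following is an added example (not from the post, and not NIST tooling) that models a tailored inventory: each control is marked common, hybrid or system-specific, given a priority tier, and given a monitoring cadence derived from that tier. The control IDs and titles are real SP 800-53 entries; every tailoring decision, date and interval in it is constructed for the example, and the weekly/annual cadences are an assumption, not figures from 800-37.

```python
"""Constructed example: a tailored control inventory that records the
prioritization, common/hybrid/system-specific delineation and
continuous-monitoring cadence decisions an RMF system owner must make.
Not NIST's own tooling; all tailoring decisions below are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Inheritance(Enum):
    COMMON = "common"                    # evidence comes from the enterprise
    HYBRID = "hybrid"                    # enterprise covers part, the system the rest
    SYSTEM_SPECIFIC = "system-specific"  # entirely on the project team


class Priority(Enum):
    CRITICAL = "critical"   # must work every time
    STANDARD = "standard"   # tolerates occasional lapses


# Monitoring cadence per priority tier. These intervals are an assumption for
# the example, not values from SP 800-37; tailor them to your own risk decisions.
MONITOR_INTERVAL = {
    Priority.CRITICAL: timedelta(days=7),
    Priority.STANDARD: timedelta(days=365),
}


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    inheritance: Inheritance
    priority: Priority
    automatable: bool                # can a tool collect the evidence?
    last_assessed: Optional[date]    # None means never assessed


def evidence_owner(control: Control) -> str:
    """Who must produce assessment evidence for this control."""
    if control.inheritance is Inheritance.COMMON:
        return "enterprise"
    if control.inheritance is Inheritance.HYBRID:
        return "enterprise+system"
    return "system"


def next_due(control: Control) -> Optional[date]:
    """Date the control must next be checked; None means it is already due."""
    if control.last_assessed is None:
        return None
    return control.last_assessed + MONITOR_INTERVAL[control.priority]


def overdue_controls(controls: List[Control], today: date) -> List[Control]:
    """Controls whose monitoring window has lapsed as of `today`, critical first."""
    lapsed = [c for c in controls if next_due(c) is None or next_due(c) <= today]
    lapsed.sort(key=lambda c: (c.priority is not Priority.CRITICAL, c.control_id))
    return lapsed


def automation_candidates(controls: List[Control]) -> List[Control]:
    """Controls the system owner must evidence and that a tool can check:
    the first things to automate in a continuous-monitoring plan."""
    return [c for c in controls if c.automatable and evidence_owner(c) != "enterprise"]


def workload_by_owner(controls: List[Control]) -> dict:
    """How many controls each party has to produce evidence for."""
    counts = {}
    for c in controls:
        owner = evidence_owner(c)
        counts[owner] = counts.get(owner, 0) + 1
    return counts


# Constructed inventory. IDs and titles are from the SP 800-53 catalog; the
# inheritance, priority and assessment dates are invented for this example.
INVENTORY = [
    Control("AC-2", "Account Management", Inheritance.HYBRID, Priority.CRITICAL, True, date(2010, 3, 15)),
    Control("AU-6", "Audit Review, Analysis, and Reporting", Inheritance.SYSTEM_SPECIFIC, Priority.CRITICAL, True, date(2010, 3, 26)),
    Control("CM-6", "Configuration Settings", Inheritance.SYSTEM_SPECIFIC, Priority.CRITICAL, True, None),
    Control("PE-3", "Physical Access Control", Inheritance.COMMON, Priority.STANDARD, False, date(2009, 6, 1)),
    Control("PL-2", "System Security Plan", Inheritance.SYSTEM_SPECIFIC, Priority.STANDARD, False, date(2010, 1, 10)),
    Control("SI-4", "Information System Monitoring", Inheritance.HYBRID, Priority.CRITICAL, True, date(2010, 3, 1)),
]

if __name__ == "__main__":
    today = date(2010, 3, 29)
    print("Evidence workload:", workload_by_owner(INVENTORY))
    for c in overdue_controls(INVENTORY, today):
        print(f"OVERDUE {c.control_id:5} {c.priority.value:8} owner={evidence_owner(c)} due={next_due(c)}")
    print("Automate first:", [c.control_id for c in automation_candidates(INVENTORY)])
```

Run as written it reports three critical controls overdue (AC-2, CM-6 and SI-4; CM-6 because it has never been assessed), shows that only one control's evidence is entirely the enterprise's problem, and lists the four automatable system-side controls as the first candidates for a monitoring tool. The point of the structure is that the priority tier drives the cadence and the inheritance drives who is on the hook, so neither decision can be left implicit in the plan.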

And finally, a shout-out to Dan Philpott at FISMAPedia.org.  Dan literally consumes new legislation, regulation, guidelines, and standards as they come out and annotates them with a wealth of analysis.

[Image: Wordle of NIST SP 800-37R1] 800-37 word cloud by me. Thanks to wordle.net for the tool to make it.

Posted in FISMA, NIST, What Doesn't Work, What Works | 3 Comments »

3 Responses

  1.  Mark C. Wallace Says:

    Continuous monitoring ought to be risk related.

    I don’t disagree with your statement that Continuous monitoring should be technically feasible.

    But when I do tailoring, I group the controls into high risk (monitor weekly or more often) and low risk (monitor annually or less often).


  2.  Tweets that mention Observations on SP 800-37R1 | The Guerilla CISO -- Topsy.com Says:

    […] This post was mentioned on Twitter by rybolov and grecs, novainfosec. novainfosec said: #NOVABLOGGER: Observations on SP 800-37R1 http://bit.ly/a6OEdZ http://j.mp/nispblog […]

  3.  Clara Welch Says:

    Okay, so I am on the 6th page of Google search results and I finally encounter your blog. You are only the 3rd source I have encountered who has bothered to offer an independent opinion of NIST SP 800-37 Rev 1, although it seems to be generating low level persistent annoyance in government IT security workers. Prioritizing controls is well stated, if everything is important, nothing is important. Also, within NASA it is a real struggle at the bottom level to FIND out the common controls that apply at a given site IF a project is in the initial stages of development. So much for “baked in security.” Another big change according to some colleagues is the treatment of external systems.
