The perpetual draft document, SP 800-53A, has been officially released after 3 years. Check out the announcement from NIST here.
Now the interesting thing to me is that NIST is working with some other players (DNI comes to mind) on reference implementations of 800-53A. This is big, so big that I can’t add enough hyperbole to it.
Why do they need to do reference implementations? Well, because by itself, SP 800-53A is dangerous if it’s given to people who “don’t get it”. What I mean by that is this:
- SP 800-53 needs tailoring to distill into actual requirements.
- SP 800-53A needs a huge amount of tailoring to distill into test cases/procedures that match the tailoring that you did with 800-53.
- Taken at face value, 800-53 and 800-53A become the source of “death by compliance”.
- If you think the auditors could grill you to death with 800-53, 800-53A gives them tons more material.
Now time for a war story: I worked on a project where the contractor was having a hard time building a security program, mostly because they didn’t have the right staff to get the job done. The Government told the contractor to use 800-53A as a starting point, and 6 months of insanity followed with 13 “security engineers” in a conference room cranking out documentation that had no basis in reality. At the end of it all, the contractor handed the Government a bill for $1M.
Now don’t get me wrong, I like the ideas behind 800-53A, but the first thing you need to know when you start using it is when you shouldn’t use it:
- Don’t run test procedures on every computer you have, use an automated tool and do spot-checks to validate that the automated tool works.
- Use fewer test procedures on low-criticality systems.
- “This procedure is conducted as part of the hardening validation process.”
- Common controls are even more important because you do not want the repetition of effort.
And whatever you do, don’t let 800-53A turn your risk management into a compliance activity. It has all the potential to do that.