So by now NIST SP 800-37 R1 has made the rounds. I want to take a couple of minutes to go over my theory on this update.
Summary of changes:
- Certification is gone, and accreditation has been renamed “Authorization”. This is interesting to me because it removes certification, which I’ve always equated with compliance.
- There is more focus on continuous monitoring.
- NIST has made it more obvious that the process in 800-37 is the security aspect of an SDLC.
- There is much more emphasis on enterprise-level controls.
So those of you out there who have been succeeding with the NIST Risk Management Framework have been doing this all along, and it’s actually why you’ve succeeded. For the rest of you, if you have to change your existing process, you’ve been doing it wrong.
Now for what’s missing and where you need to fill in the gaps:
- Prioritization of controls. If everything is important, nothing is important. You have to be able to determine which controls you need to succeed 100% of the time and which controls only need 75% reliability. Hey, I even give credit to the SANS 20 Critical Security Controls, as flawed as they are, for this.
- Delineation of controls into shared/common, hybrid, and system-specific. This is by design; it’s up to the departments and agencies to figure this out. If you do this correctly, you save a ton of time and effort. I remember the day my certifier told me that we didn’t recognize shared controls and that it was on me to provide evidence for controls that were provided at the enterprise level; it still baffles me how you can really expect one person on a project team to have the resources of the entire IT security staff.
- Continuous monitoring is up to you. Along with prioritization, you have to determine which controls you need to monitor and make a plan for how to do it. Protip: these are usually technical controls that you can automate, and you should, because it’s the only way to get the job done.
- Tailor, tailor, tailor. It is not enough to use generic 800-53 controls. It is definitely sub-par to use untailored 800-53A test procedures as your test plan. These all depend on the implementation and need to be tailored to fit.
And finally, a shout-out to Dan Philpott at FISMAPedia.org. Dan literally consumes new legislation, regulation, guidelines, and standards as they come out and annotates them with a wealth of analysis.
Posted in FISMA, NIST, What Doesn't Work, What Works
Tags: 800-37 • accreditation • authorization • C&A • catalogofcontrols • certification • compliance • fisma • government • infosec • management • NIST • security