The National Institute of Standards and Technology (“NIST”) is seeking comments on its draft NIST SP 800-160, Volume 2, Revision 1, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” and draft NIST SP 800-53A, Revision 5, “Assessing Security and Privacy Controls in Information Systems and Organizations.” The public comment periods currently are open and conclude on September 20, 2021 and October 1, 2021, respectively.

Draft NIST SP 800-160, Volume 2, Revision 1

In response to the ever-growing threat of cyber attacks, NIST has decided to turn “the traditional perimeter defense strategy on its head” when it comes to an organization’s cyber resiliency strategies. This change in strategy focuses on defending systems “from the inside out instead of from the outside in.” NIST SP 800-160 is meant to apply broadly to a wide variety of systems (including shared services, Internet of Things, and critical infrastructure systems) and in a wide variety of circumstances (including new systems, reactive modifications to fielded systems, and planned upgrades to fielded systems).

The goal of the update is to place organizations in a position where they can anticipate, withstand, recover from, and adapt to adverse situations such as hostile and increasingly destructive cyber attacks from nation states, criminal gangs, and disgruntled individuals. Among other things, the draft publication lists 14 cyber resiliency techniques and describes considerations for selecting and prioritizing cyber resiliency constructs and developing a cyber resiliency baseline, as well as a flexible process for applying cyber resiliency concepts, constructs, and practices to a system.

As mentioned, the comment period for this draft closes on September 20, 2021. With this major revision to the defense strategy focusing on defending systems from the inside out, rather than the outside in, it is important that contractors provide industry perspective to ensure these new practices and processes are clearly defined to ensure the best protective measures are in place and facilitate implementation. Comments should be emailed to security-engineering@nist.gov.

Draft NIST SP 800-53A, Revision 5

NIST 800-53A, Revision 5 provides organizations with a set of procedures for use in conducting assessments of the security and privacy controls in NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.” This assessment methodology is meant to be a starting point to assess enhanced security requirements and can be tailored to the needs of organizations and independent third-party assessors. The results of a control assessment provide organizations with evidence of the effectiveness of their implemented controls, an indication of the quality of their risk management processes, and insight into the strengths and weaknesses of the systems supporting the organization.

Revision 5 updates the assessment procedures to correspond with the controls in NIST SP 800-53 and provides a new format for assessment procedures. This new format focuses on improving the efficiency of conducting control assessments, providing better traceability between assessment procedures and controls, and facilitating the use of automated tools, continuous monitoring, and ongoing authorization programs. This new format was initially introduced in Revision 4 and is further improved in this revision. Specifically, Revision 5 updates:

• Identify determination statements for organization-defined parameters (ODPs) first and separately from the determination statements for each control item to enable the assessor to determine if the ODPs are defined by the organization;

• Improve the readability of the assessment procedures;

• Provide a better format and structure for automated tools when assessment information is imported into such tools;

• Provide greater flexibility in conducting assessments by giving organizations the capability to target certain aspects of controls (highlighting the particular weaknesses and/or deficiencies in controls);

• Improve the efficiency of security and privacy control assessments; and

• Support continuous monitoring and ongoing authorization programs by providing a greater number of component parts of security and privacy controls that can be assessed at organization-defined frequencies and degrees of rigor.

The comment period for this draft closes October 1, 2021. NIST is seeking comments on these assessment procedures including the assessment objectives, determination statements, and potential assessment methods and objects. NIST also is interested in comments regarding the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives. Considering NIST SP 800-53A is meant to provide organizations with a starting point for their assessment methodology, it is important for contractors to provide industry perspective to ensure this purpose is being fulfilled. More information on the commenting process can be found on the NIST website.