The Inner Circle

  • 1.  NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations Draft

    Posted Aug 03, 2021 11:32:00 AM
    Hi All,

    @Daniele Catteddu

    NIST just published for comment NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations.

    This document provides organizations with a flexible, scalable, and repeatable assessment methodology and assessment procedures that correspond with the controls in NIST SP 800-53, Revision 5. Like previous revisions of SP 800-53A, the generalized assessment procedures provide a framework and starting point to assess the enhanced security requirements and can be tailored to the needs of organizations and assessors. The assessment procedures can be employed in self-assessments or independent third-party assessments.
    In addition to the update of the assessment procedures to correspond with the controls in SP 800-53, Revision 5, a new format for assessment procedures in this revision to SP 800-53A is introduced to:
    • Improve the efficiency of conducting control assessments,
    • Provide better traceability between assessment procedures and controls, and
    • Better support the use of automated tools, continuous monitoring, and ongoing authorization programs.
    NIST is seeking feedback on the assessment procedures in this publication and in electronic versions (OSCAL, CSV, and plain text), including the assessment objectives, determination statements, and potential assessment methods and objects. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives. To facilitate their review and use by a broad range of stakeholders, the assessment procedures are available for comment and use in PDF format, as well as comma-separated value (CSV), plain text, and Open Security Controls Assessment Language (OSCAL) formats.

    The comment period is open through October 1, 2021. See the publication details


    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations Draft

    Posted Aug 04, 2021 07:52:00 AM
    So far, the only dither is that the six-line sentences here and there should be broken down, e.g. lines 582-588.

    ------------------------------
    Geoffrey Groves
    CEO
    CloudTrust Inc
    ------------------------------



  • 3.  RE: NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations Draft

    Posted Aug 04, 2021 11:07:00 AM
    It's 800 pages long and mentions the word "cloud" twice and the word "container" 3 times, and a quick flip through doesn't show anything I haven't seen mentioned in the last 10-20 years, and there are a lot of things like "de-identification is performed using validated algorithms and software" with no mention of what those are or how to validate them. It's certainly comprehensive, but I'm not sure how useful this is. I'm not sure this would be helpful feedback either.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations Draft

    Posted Aug 12, 2021 02:52:00 PM
    I think NIST would be transparent that they always like to be "outcome focused" - the goal, not the path to it. Certainly not a turn-by-turn GPS tool; more like an atlas of the world ... at least you know where the 3PAOs will focus their control tests in the next 12 months based on the differences :)

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 5.  RE: NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations Draft

    Posted Aug 12, 2021 03:01:00 PM
    Agreed. Now I know there will be a ton of differing opinions, but it looks to me like they are still trying to maintain as pragmatic a stance as possible given the current hackathons going on within our adversaries' borders.

    ------------------------------
    Geoffrey Groves
    CEO
    CloudTrust Inc
    ------------------------------



  • 6.  RE: NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations Draft

    Posted Aug 13, 2021 10:15:00 AM
    I agree with the outcome-based focus, but they also need to give a hint as to what standard/technology one uses to achieve "de-identification is performed using validated algorithms and software", because that phrase occurs a grand total of once in Google (this paper). Looking without quotes gives a ton of results but nothing concrete, just general stuff like "replace their names and addresses with fake ones", and as we've all seen, de-anonymization of anonymized (de-identified) data is entirely possible:

    https://techcrunch.com/2019/07/24/researchers-spotlight-the-lie-of-anonymous-data/

    My concern here is that by "leaving it as an exercise to the reader", so to speak, we'll end up with a lot of bad implementations.


    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------
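The point raised in the last two replies, that swapping names for fake ones is not de-identification, can be made concrete with a measurable property. The script below is an added example written for this thread; it is not from NIST, from the CSA, or from any of the posters. It uses a constructed, fictional toy table whose name column has already been pseudonymised and computes k-anonymity over the remaining quasi-identifiers (ZIP code, birth date, sex): k is the size of the smallest group of records sharing the same quasi-identifier values, and a group of size 1 is a record that linkage against any public dataset can single out. It then applies two standard de-identification steps, generalisation and suppression, and re-measures. The column names, the choice of quasi-identifiers and the target k=2 are assumptions for the example.

```python
"""k-anonymity check on a constructed 'de-identified' table.

Added example for the discussion above, not part of the original thread or of
NIST SP 800-53A. The dataset, column names and quasi-identifier choice are
constructed assumptions.
"""
from collections import Counter

# Constructed sample records (fictional). The name column has already been
# replaced by a pseudonym, which is the naive approach the thread warns about.
RECORDS = [
    {"pseudonym": "P001", "zip": "02139", "birthdate": "1985-03-14", "sex": "F", "diagnosis": "flu"},
    {"pseudonym": "P002", "zip": "02139", "birthdate": "1985-03-14", "sex": "F", "diagnosis": "asthma"},
    {"pseudonym": "P003", "zip": "02139", "birthdate": "1990-11-02", "sex": "M", "diagnosis": "flu"},
    {"pseudonym": "P004", "zip": "02141", "birthdate": "1979-07-30", "sex": "M", "diagnosis": "diabetes"},
    {"pseudonym": "P005", "zip": "02142", "birthdate": "1979-01-09", "sex": "M", "diagnosis": "flu"},
    {"pseudonym": "P006", "zip": "02138", "birthdate": "1991-05-21", "sex": "F", "diagnosis": "asthma"},
]

# Attributes that are not identifiers on their own but can be joined against
# public data (voter rolls, social media, breach dumps) to single a person out.
QUASI_IDENTIFIERS = ("zip", "birthdate", "sex")


def _qi_tuple(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Map each distinct quasi-identifier tuple to the number of records sharing it."""
    return Counter(_qi_tuple(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; 1 means some record is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_ids=QUASI_IDENTIFIERS):
    """Pseudonyms of records whose quasi-identifier tuple appears only once."""
    classes = equivalence_classes(records, quasi_ids)
    return [r["pseudonym"] for r in records if classes[_qi_tuple(r, quasi_ids)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade only."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "**"          # "02139" -> "021**"
    g["birthdate"] = record["birthdate"][:3] + "0s"  # "1985-03-14" -> "1980s"
    return g


def suppress(records, quasi_ids=QUASI_IDENTIFIERS, k=2):
    """Drop every record whose equivalence class is still smaller than k."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_qi_tuple(r, quasi_ids)] >= k]


def release(records, quasi_ids=QUASI_IDENTIFIERS, k=2):
    """Generalise, then suppress, so that the released table satisfies k-anonymity."""
    generalized = [generalize(r) for r in records]
    return suppress(generalized, quasi_ids, k)


if __name__ == "__main__":
    print("pseudonymised only:  k =", k_anonymity(RECORDS),
          "unique:", unique_records(RECORDS))
    generalized = [generalize(r) for r in RECORDS]
    print("after generalisation: k =", k_anonymity(generalized),
          "unique:", unique_records(generalized))
    released = release(RECORDS, k=2)
    print("after suppression:    k =", k_anonymity(released),
          "records released:", len(released), "of", len(RECORDS))
```

On the toy data, pseudonymisation alone leaves four of six records unique on ZIP, birth date and sex; generalising to a ZIP prefix and a birth decade still leaves two unique records, and only suppressing those reaches k=2 at the cost of dropping a third of the table. That trade-off between utility and re-identification risk is exactly what a "validated algorithm" has to make explicit, and k-anonymity is only the first check: records in the same class can still leak the sensitive attribute when they all share one value, which is what l-diversity and t-closeness address.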