Addressing NIST Special Publications 800-37 and 800-53
The National Institute of Standards & Technology (NIST), a non-regulatory agency of the U.S. Dept. of Commerce, is a measurement standards laboratory that develops the standards federal agencies must follow in order to comply with the Federal Information Security Management Act of 2002 (FISMA). By defining an information-security framework for U.S. federal agencies (or contractors working for them), this Act (which is a federal law) aims to improve computer and network security within the federal government. NIST’s standards and guidelines (800-series publications) further define this framework.
FISMA originally required agencies to certify the security of their online systems with annual inspections. However, a recent major update to FISMA requires agencies to continuously monitor their networks in real-time for cyber vulnerabilities. The FISMA update mandates “automated security tools to continuously diagnose and improve security.”
NIST’s 800-series publications (two of which are described below) contain detailed security guidance and recommendations for federal agencies.
NIST Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," which originally focused on certification and accreditation, now stresses security from an information system’s initial design phase through implementation and daily operations. It places equal emphasis both on defining the correct set of security controls and on implementing them in a robust continuous-monitoring process.
The publication states that “when security requirements are considered as an integral subset of other information system requirements, the resulting system has fewer weaknesses and deficiencies, and therefore, fewer vulnerabilities that can be exploited in the future.”
Special Publication 800-37 is centered on the Risk Management Framework (RMF), which outlines six steps federal agencies must take to secure their information systems:
- Security categorization: based on impact analysis
- Security control selection
- Security control implementation
- Security control assessment
- Information system authorization
- Security control monitoring
The overall goals of the guidelines in 800-37 are:
- To ensure that managing information system-related security risks aligns with the organization’s business objectives and overall risk strategy
- To ensure that security controls are integrated into the organization’s enterprise architecture and system development lifecycle
- To support continuous security monitoring and transparency of security and risk-related information
- To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies
The second step of the RMF is to select the appropriate security controls from the control catalog in NIST Special Publication 800-53 (see details below).
NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
The purpose of NIST Special Publication 800-53 is to provide guidelines for selecting security controls for information systems supporting federal agencies. The guidelines apply to all components of an information system that process, store or transmit federal information.
To optimize security, this publication recommends first selecting an initial set of baseline security controls, then customizing these baseline controls, and finally supplementing the controls based on assessments of risk.
These controls include the management, operational and technical safeguards (or countermeasures) that protect the confidentiality, integrity and availability of the system and its information.
Special Publication 800-53 was recently revised based on the federal information security strategy of “Build It Right, Then Continuously Monitor.” The guidelines now include an emphasis on building security into products from the beginning and monitoring the systems continuously, rather than relying on periodic audits.
In addition, this updated version includes new security controls that address mobile and cloud computing, insider threats and supply chain security. The “Build It Right” strategy, coupled with a variety of security controls for “Continuous Monitoring,” is intended to give organizations the near real-time information that is essential for making ongoing risk-based decisions affecting critical business functions.
Veracode the Ideal Partner to Help Address NIST Guidelines
Veracode offers a scalable and automated cloud-based service — backed by world-class security experts — to systematically reduce risk across web, mobile and third-party applications.
To identify vulnerabilities earlier in the development cycle (via static analysis), our cloud-based platform integrates with agile development processes via APIs, and offers centralized policies and metrics to consistently measure improvements in secure coding practices over time.
Finally, by combining rich reporting with automated compliance workflows, Veracode simplifies compliance processes and reduces the time and effort to prepare for audits.