Key Message: Security controls, including those for insider threat, are the safeguards necessary to protect information and information systems.
Executive Summary
“The selection and implementation of security controls for organizations and information systems are important tasks that can have major implications on the operations and assets of organizations as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures employed within organizational information systems to protect the confidentiality, integrity, and availability of the information systems and the information that is processed, stored, and transmitted by those systems.” 
In this podcast, Dr. Ron Ross, with the U.S. National Institute of Standards and Technology (NIST), discusses major updates to NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. Ron is the Project Leader for the FISMA (Federal Information Security Management Act) Implementation Project. Ron is joined by Joji Montelbano, a member of the Insider Threat team at CERT. Joji discusses the recommendations that his team made for control updates and additions to NIST SP 800-53.
Background and Scope
NIST SP 800-53 was one of the original guidance documents that NIST was asked to develop in response to the Federal Information Security Management Act of 2003 (2002).
Its publication in 2005 was preceded by the development of FIPS 199 Standards for Security Categorization of Federal Information and Information Systems and FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.
NIST SP 800-53 is a security and privacy controls catalog. It covers:
The most significant revision prior to Revision 4 was Revision 3 (August 2009). NIST partnered with the US Department of Defense and the Intelligence Community under the Office of the Director of National Intelligence, and in collaboration with the Committee on National Security Systems.
Revision 3 included security controls for both national and non-national security systems.
Revision 4
This revision was the most extensive NIST has ever done. It involved the first public call for input. The drivers for this revision included the following:
NIST received over 1000 comments.
Evolution of the Use of NIST SP 800-53
The first catalog described a set of baseline security controls, a starter set. The intent was that these be applied to the three categories of systems defined in FIPS 199 – low, moderate, and high impact. Impact describes the potential adverse effects on an organization’s mission if that system is compromised or breached.
Typically, baseline controls were implemented without much change. The catalog of controls has expanded from 600 controls to 850 controls, so some level of specialization is now required when developing a security plan.
Security plans and controls are being tailored to address specific missions, technologies, and operational environments. Examples include a military tactical overlay for military operations in combat environments, operations in space, and operations of nuclear power plants.
CERT insider threat recommended practices and controls derive from over 500 cases of actual insider attacks.
Recommendations for updates to NIST SP 800-53 were developed in response to the question “If organizations were to implement these controls, would they be more able to mitigate insider threats?”
CERT staff provided recommendations for 10 NIST SP 800-53 control families (AC, AT, AU, CA, CM, DP, PE, PS, SA, SI) and 20 controls across those families. Recommendations ranged from technical controls to enterprise, organization-level controls and focused on:
CERT staff also recommended a new control for the Project Management (PM) family – the creation of an insider threat program. The Office of Management and Budget mentions this in Memorandum M-11-08. Executive Order EO-13587 calls for an insider threat program to help safeguard classified data.
NIST uses a disciplined, structured process for reviewing public comments as follows:
The series of WikiLeaks incidents highlighted the need to pay more attention to insider threat. As NIST was reviewing CERT’s recommendations, they asked themselves “Would these kinds of changes have stopped something like WikiLeaks?” and concluded that they would.
Advanced persistent threat also emphasizes the importance of an insider threat program. If boundary safeguards fail, an organization with such a program in place has a greater ability to detect and respond to the attack, and to limit the damage once it is detected.
How Do We Know Controls Are Effective?
NIST’s philosophy is to “build it right initially and then continuously monitor over time to ensure the security state of your system and your environment of operations is maintained.”
NIST constantly monitors the types of attacks and the implemented controls in collaboration with the DoD and the Intelligence Community, and collects empirical data. Successful attacks indicate that the current set of controls is not effective, that we don’t have the right controls, or that we need additional, stronger controls.
CERT insider threat staff work closely with the Department of Homeland Security Federal Network Security and other customers to determine how insider threat controls are working. They share their insights with NIST.
Future Plans
NIST plans to release the next version of SP 800-53 Revision 4 in the July 2012 timeframe. There may be a final draft, depending on the number of comments received during this public review process.
NIST plans to maintain a two-year update cycle. Revision 5 will not be nearly as extensive.
Going forward, NIST will focus on:
National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, February 2012.
NIST Computer Security Division Computer Security Resource Center Publications website
NIST CSD CSRC Special Publications website
CERT Insider Threat website
CERT podcasts on insider threat