The National Institute of Standards and Technology (NIST) has released a new ‘Quick Start’ manual for those using its Risk Management Framework. The manual is designed to make it easier for organizations to assess their own security needs, and to implement the appropriate measures based on that assessment.
The Quick Start guide was written to complement the NIST’s more comprehensive SP 800-53 Revision 5 manual, and is titled Control Baselines for Information Systems and Organizations (NIST Special Publication (SP) 800-53B). It establishes baselines for systems with low, moderate, and high security requirements, and then outlines the security and privacy controls that organizations would need to put in place to follow cybersecurity best practices at each of those levels. It also includes a separate privacy control baseline for organizations that process personally identifiable information, and therefore need to be able to guarantee the privacy of their users.
“Choosing security and privacy controls is a bit like building a car from parts that fit the driving conditions you expect,” said NIST Fellow Ron Ross, who is one of the authors of the guide. “If you’re building an SUV for trips around town, you might choose different parts than you’d use for a race car. Whether you’re managing risk for a routine business system or one whose breach would compromise our nation’s critical infrastructure, we’ve got a baseline for you.”
The NIST noted that the Quick Start guide is only intended to serve as a starting point. Each organization will have unique requirements that reflect its own specific goals and infrastructure, so organizations will need to supplement the baseline with other security tools. In that regard, the new manual does provide customization guidelines for organizations in select industries and for those using various security technologies.
The NIST SP 800-53 Revision 5 controls are requirements for federal information systems in the US, and can be integrated with the NIST’s Cybersecurity and Privacy Frameworks.
The news comes shortly after the NIST updated the review process of the Organization of Scientific Area Committees (OSAC) for Forensic Science to make it easier to develop new science-based standards. The FIDO Alliance has also asked the NIST to revise its authentication classifications in the upcoming update of its Digital Identity Guidelines.
November 2, 2020 – by Eric Weiss