
2020.03.17

NIST SP 800-53 Rev. 5(Draft) Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)

Hello, this is 丸山満彦 (Mitsuhiko Maruyama).

The draft of NIST SP 800-53 Rev. 5 has been published. Comments are accepted until 2020.05.15. Two and a half years have passed since the first draft was published on 2017.08.15.

The main changes seem to include making the way controls are described outcome-based, adding two new control families (privacy and supply chain), aligning with NIST's Cybersecurity Framework and Privacy Framework, and various other things.

ーーーーー

Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:

  • Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
  • Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
  • Adding two new control families for privacy and supply chain risk management;
  • Integrating the Program Management control family into the consolidated catalog of controls;
  • Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
  • Separating the control catalog from the control baselines;
  • Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
    • Strengthen security and privacy governance and accountability;
    • Support secure system design; and
    • Support cyber resiliency and system survivability.

The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives. However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.

ーーーーー

NIST ITL
・2020.03.15
SP 800-53 Rev. 5(Draft) Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)

・[PDF]

・[PDF] Summary of significant changes from Rev. 4


SECURITY AND PRIVACY CONTROL FAMILIES

No  ID  FAMILY
01  AC  Access Control
02  AT  Awareness and Training
03  AU  Audit and Accountability
04  CA  Assessment, Authorization, and Monitoring
05  CM  Configuration Management
06  CP  Contingency Planning
07  IA  Identification and Authentication
08  IR  Incident Response
09  MA  Maintenance
10  MP  Media Protection
11  PE  Physical and Environmental Protection
12  PL  Planning
13  PM  Program Management
14  PS  Personnel Security
15  PT  PII Processing and Transparency
16  RA  Risk Assessment
17  SA  System and Services Acquisition
18  SC  System and Communications Protection
19  SI  System and Information Integrity
20  SR  Supply Chain Risk Management

In the US, it is common to list things in alphabetical (ABC) order rather than grouping them by category. When we were drafting the Japanese government's unified standards (政府統一基準), I proposed ordering them in a-i-u-e-o (Japanese syllabary) order, but it was not well received and was not adopted (^^)


■ 2020.04.03 Addendum

An Excel version has been added.

・[EXCEL] Spreadsheet version of 800-53 FPD controls (xls)
