NIST SP 800-53 Rev. 5(Draft) Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)
こんにちは、丸山満彦です。
NIST SP 800-53 Rev. 5のドラフトが公開されていますね。。。コメントの受付は2020.05.15までです。2017.08.15に最初のドラフトが公開されてから2年半経っています。。。
主な変更点として、コントロールの記述の仕方をOutcomeベースにするとか、新しく2つのコントロールファミリー(プライバシー、サプライチェーン)を加えるとか、NISTのCyber security framework, Privacy frameworkとの整合性をとったり、いろいろとあるようです。。。
ーーーーー
Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:
- Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
- Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
- Adding two new control families for privacy and supply chain risk management;
- Integrating the Program Management control family into the consolidated catalog of controls;
- Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
- Separating the control catalog from the control baselines;
- Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
- Strengthen security and privacy governance and accountability;
- Support secure system design; and
- Support cyber resiliency and system survivability.
The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives. However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.
ーーーーー
●NIST ITL
・2020.03.15 SP 800-53 Rev. 5(Draft) Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)
・[PDF]
・[PDF] Rev. 4からの重要な変更点の要約
・SECURITY AND PRIVACY CONTROL FAMILIES
| No | ID | FAMILY |
| 01 | AC | Access Control |
| 02 | AT | Awareness and Training |
| 03 | AU | Audit and Accountability |
| 04 | CA | Assessment, Authorization, and Monitoring |
| 05 | CM | Configuration Management |
| 06 | CP | Contingency Planning |
| 07 | IA | Identification and Authentication |
| 08 | IR | Incident Response |
| 09 | MA | Maintenance |
| 10 | MP | Media Protection |
| 11 | PE | Physical and Environmental Protection |
| 12 | PL | Planning |
| 13 | PM | Program Management |
| 14 | PS | Personnel Security |
| 15 | PT | PII Processing and Transparency |
| 16 | RA | Risk Assessment |
| 17 | SA | System and Services Acquisition |
| 18 | SC | System and Communications Protection |
| 19 | SI | System and Information Integrity |
| 20 | SR | Supply Chain Risk Management |
米国の場合、カテゴリーで分類せずにABC順で並べることが多いですよね。政府統一基準を作るときに、アイウエオ順を提案してみたけど、受けが悪くて採用されませんでした(^^)
Comments