
2020.08.01

NIST SP 800-53B (Draft) Control Baselines for Information Systems and Organizations

Hello, this is 丸山満彦.

NIST is soliciting public comments on the draft of SP 800-53B. This is a consequence of the draft of SP 800-53 having been released. It provides a privacy control baseline.


NIST - ITL

・2020.07.31 SP 800-53B (Draft) Control Baselines for Information Systems and Organizations


・[PDF] SP 800-53B (Draft)

Related NIST Publications:
・[PDF] SP 800-53 Rev. 5 (Draft)



Announcement

Draft SP 800-53B provides three security control baselines for low-impact, moderate-impact, and high-impact federal systems, as well as a privacy control baseline for systems irrespective of impact level. The security and privacy control baselines have been updated with the controls described in SP 800-53, Revision 5; the content of control baselines reflects the results of a comprehensive interagency review conducted in 2017 and continuing input and analysis of threat and empirical cyber-attack data collected since the update to SP 800-53.

In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions to help guide and inform the control selection process for organizations. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. The control baselines were previously published in NIST SP 800-53, but moved so that SP 800-53 could serve as a consolidated catalog of security and privacy controls that can be used by different communities of interest.

In addition to your feedback on the three security control baselines, NIST is also seeking your comments on the privacy control baseline and the privacy control baseline selection criteria. Since the selection of the privacy control baseline is based on a mapping of controls and control enhancements in SP 800-53 to the privacy program responsibilities under OMB Circular A-130, suggested changes to the privacy control baseline must be supported by a reference to OMB A-130. Alternatively, you may provide a description and rationale for new or modified privacy control baseline selection criteria.

...


Abstract

This publication provides security and privacy control baselines for the Federal Government. There are three security control baselines for low-impact, moderate-impact, and high-impact information systems as well as a privacy baseline that is applied to systems irrespective of impact level. In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process for organizations. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.



Executive Summary

As we push computers to “the edge,” building an increasingly complex world of connected information systems and devices, security and privacy will continue to dominate the national dialogue. In its 2017 report entitled, Task Force on Cyber Deterrence [DSB 2017], the Defense Science Board provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the information systems that support the mission-essential operations and assets in the public and private sectors.

“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”

There is an urgent need to further strengthen the underlying information systems, component products, and services that the Nation depends on in every sector of the critical infrastructure—ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States.

NIST SP 800-53B responds to the call by the Defense Science Board by providing a proactive and systemic approach to developing and making available to federal agencies and private sector organizations a comprehensive set of security and privacy control baselines for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud-based systems, mobile devices, and industrial and process control systems. The control baselines provide a starting point for organizations in the security and privacy control selection process. Using the tailoring guidance and assumptions provided, organizations can customize their security and privacy control baselines to ensure that they have the capability to protect their critical and essential operations and assets. The ultimate objective is to make the systems we depend on more penetration-resistant, limit the damage from attacks when they occur, make the systems cyber resilient and survivable, and protect individuals’ privacy.



Table of Contents

CHAPTER ONE INTRODUCTION

1.1 PURPOSE AND APPLICABILITY
1.2 TARGET AUDIENCE
1.3 ORGANIZATIONAL RESPONSIBILITIES
1.4 RELATIONSHIP TO OTHER PUBLICATIONS
1.5 REVISIONS AND EXTENSIONS
1.6 PUBLICATION ORGANIZATION

CHAPTER TWO THE FUNDAMENTALS

2.1 CONTROL BASELINES
2.2 SELECTING CONTROL BASELINES
2.3 CONTROL BASELINE ASSUMPTIONS
2.4 TAILORING CONTROL BASELINES
2.5 CAPABILITIES

CHAPTER THREE THE CONTROL BASELINES

3.1 ACCESS CONTROL FAMILY
3.2 AWARENESS AND TRAINING FAMILY
3.3 AUDIT AND ACCOUNTABILITY FAMILY
3.4 ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY
3.5 CONFIGURATION MANAGEMENT FAMILY
3.6 CONTINGENCY PLANNING FAMILY
3.7 IDENTIFICATION AND AUTHENTICATION FAMILY
3.8 INCIDENT RESPONSE FAMILY
3.9 MAINTENANCE FAMILY
3.10 MEDIA PROTECTION FAMILY
3.11 PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY
3.12 PLANNING FAMILY
3.13 PROGRAM MANAGEMENT FAMILY
3.14 PERSONNEL SECURITY FAMILY
3.15 PII PROCESSING AND TRANSPARENCY FAMILY
3.16 RISK ASSESSMENT FAMILY
3.17 SYSTEM AND SERVICES ACQUISITION FAMILY
3.18 SYSTEM AND COMMUNICATIONS PROTECTION FAMILY
3.19 SYSTEM AND INFORMATION INTEGRITY FAMILY
3.20 SUPPLY CHAIN RISK MANAGEMENT FAMILY

REFERENCES

APPENDIX A GLOSSARY
APPENDIX B ACRONYMS
APPENDIX C OVERLAYS
