Typically, the process to update the cybersecurity controls that form the basis of federal information security standards takes at least a month, if not longer.
But the National Institute of Standards and Technology today is proposing a more urgent “patch release” to Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.” It was last updated through a major revision finalized in December 2020.
Today’s proposed update features an expedited two-week comment period. It proposes one new control and two corresponding “control enhancements” to address a major gap in identity and access control processes.
“Historically, NIST has gone through long drafting periods, and done a 30-, 60-, 90-day public comment on our guidelines,” Victoria Yan Pillitteri, manager of the security engineering and risk management group at NIST’s Computer Security Division, said in an interview.
“Really, given the severity of this vulnerability, the time to act is now,” she added.
The update specifically addresses cybersecurity procedures related to “identity providers and authorization servers, protection of cryptographic keys, and verification of identity assertions and access tokens,” NIST explained in a factsheet.
“This would provide outcome-based guidance to focus on how to better protect identity providers and authorization servers to manage user device and non-person entity identities, attributes and access rights,” Pillitteri said.
The security of identity providers and access control tokens has surfaced as a major federal cybersecurity issue after suspected Chinese hackers broke into the unclassified email accounts of Commerce Secretary Gina Raimondo and other federal officials earlier this year.
Microsoft later confirmed the hackers used a stolen consumer signing key to forge access to the breached email accounts. The Department of Homeland Security’s Cyber Safety Review Board is now investigating the incident as part of a broader review of cloud security.
“While we won’t call out a specific vendor implementation or instance, this broadly is an issue, and this was identified as a gap that we had in our control catalog,” Pillitteri said when asked about the Microsoft incident.
The update to the information security controls catalog comes as NIST also drafts revisions to its digital identity guidelines.
“We’re doing a lot of work to improve our identity related guidance, and as that drafting team was working on their research, they also brought this to our attention,” Pillitteri said.
NIST is also using the proposed patch release to unveil a new SP 800-53 public website. It gives users the opportunity to comment on proposed changes, as well as offer feedback on existing controls and suggest new controls or control enhancements.
The public comment period on the new control runs through Oct. 31. NIST will then adjudicate the comments and issue the patch release in early November through its Cybersecurity and Privacy Reference Tool, which features machine-readable data.
While the new identity and authentication control should help organizations address a potential gap in their cyber defenses, NIST isn’t proposing to add it to the “control baseline,” meaning it won’t be an immediate requirement for organizations, such as federal agencies, that follow the NIST guidelines.
“However, like the entire 800-53 catalog, these are good security and privacy outcomes that organizations can elect to select and implement if that helps them manage their risk,” Pillitteri said. “So we’re not saying you have to do it, but it’s good advice.”
The new patch release process also gives NIST a more “dynamic” option for updating cybersecurity controls, Pillitteri said. NIST has been knocked by some in the cybersecurity community for being too slow to update its widely used security guidelines.
“It doesn’t mean we will be changing the catalog day in and day out,” Pillitteri said. “But it provides us that agility if there is an incident like the situation we’re in now, that we have the tools and mechanisms to go through public comment and issue updates in a transparent and open way.”