The National Institute of Standards and Technology on Tuesday released proposed revisions to its requirements that govern how agencies secure their federal information systems.
Proposed changes to Special Publication 800-53, Revision 4, address new challenges that agencies face, including insider threats, supply chain risk, mobile and cloud computing technologies, and other cybersecurity issues and challenges, NIST said in a news release.
“The changes we propose in Revision 4 are directly linked to the current state of the threat space — the capabilities, intentions and targeting activities of adversaries — and analysis of attack data over time,” NIST fellow Ron Ross said in a statement.
“Many organizations are concerned about advanced persistent threats, so we added new controls that will allow organizations to use different strategies to combat those types of threats,” Ross said.
The proposed revisions add new security controls, or descriptions of what agencies must do to properly manage an information system, clarify security control requirements and enhance others.
Once approved, the changes will be used by the Federal Risk and Authorization Management Program (FedRAMP) to asses the security of cloud computing service providers. The administration plans to begin certifying cloud computing solutions under the mandatory security assessment program in June.
The public comment period for NIST’s revisions is from Feb. 28 to April 6, and the final document is expected to be released in July, after FedRAMP reviews begin.
It isn’t clear how long cloud vendors will have to adjust to the changes. And those details were not included in a new charter that defines the role of FedRAMP’s Joint Authorization Board, composed of chief information officers at the General Services Administration and Homeland Security and Defense departments.
The board will prioritize which cloud vendors will be first to undergo FedRAMP reviews, define security authorization requirements for vendors and provide the criteria for approving independent assessors to review the security of cloud solutions. The board is required to meet formally at least twice a year and appoint technical representatives that meet on a monthly basis.
