On April 30, 2013, the National Institute of Standards and Technology (NIST) published Revision 4 of its standard-setting cybersecurity controls guide, Special Publication 800-53. Now titled “Security and Privacy Controls for Federal Information Systems and Organizations,” Revision 4 notably features a new set of privacy controls based on the Fair Information Practice Principles, as well as controls aimed specifically at newer technologies, such as mobile and cloud computing, and more sophisticated threats, such as advanced persistent threats. For instance, Revision 4:

  • Establishes controls for accessing cloud services from organizational information systems; and
  • Adds supply chain protections that avoid custom configurations which may have been corrupted through supply chain actions targeted at specific organizations.

NIST issued the revision in advance of an upcoming public meeting of its Information Security and Privacy Advisory Board (ISPAB), set for June 12-14 in Washington, DC. The ISPAB’s duties include identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy, and advising the Secretary of Commerce, the Director of the Office of Management and Budget, and the Director of NIST on information security and privacy issues pertaining to federal computer systems, including thorough review of standards and guidelines proposed by NIST. The agenda covers, among other topics, the recent critical infrastructure cybersecurity Executive Order as well as NIST’s subsequent Request for Information on cybersecurity standards and practices and Notice of Inquiry on incentives to participate in a voluntary cybersecurity program. The meeting was announced in the Federal Register and is open to members of the public.