The National Institute of Standards and Technology is updating SP 800-53 (Revision 3 below), which gives federal agencies (excluding those tied to national security) recommended security controls for information technology systems, NIST computer scientist and advanced security researcher Ron Ross tells us.
This will be the fourth update to the document since its original release in 2005, but it will also be the largest, as the threat space has grown so rapidly in the past year.
The document, expected to be released at the end of the calendar year, will focus on insider threats, software application security, social networking, mobile devices, cloud computing, cross domain solutions, advanced persistent threats, supply chain security, process control systems and privacy. The document will also include a systems engineering guide.
“Our goal is to build more security early on when designing the system than trying to clean up the mess afterward,” Ross tells us.
And that mess can be huge. Ross agreed with a statement we passed along from FBI Cyber Division Deputy Assistant Director Steven Chabinsky, who said that the country is more equipped at cybersecurity now than ever before, but that the problem is the worst it’s ever been.
Part of the reason, says Ross, is that hackers today don’t really even need to be hackers.
“A few years ago, hackers used to be a specialized trade, but with the advent of low-cost computers and the ability to purchase sophisticated attack tools online, almost anyone on the planet can do significant damage to a system,” Ross said. “That’s what makes our job so challenging, because our adversary is continually evolving.”