NIST Revises Security and Privacy Controls Before Public Meeting


On April 30, 2013, the National Institute of Standards and Technology (NIST) published Revision 4 of its standard-setting cybersecurity controls guide, Special Publication 800-53. Now titled “Security and Privacy Controls for Federal Information Systems and Organizations,” Revision 4 notably features a new set of privacy controls based on the Fair Information Practice Principles, as well as controls aimed specifically at newer technologies, such as mobile and cloud computing, and more sophisticated threats, such as advanced persistent threats. For instance, Revision 4:

  • Establishes controls for accessing cloud services from organizational information systems; and
  • Adds supply chain protections, including acquisition approaches that avoid organization-specific custom configurations, which could identify a target and be corrupted through supply chain attacks aimed at that organization.

NIST issued the revision in advance of an upcoming public meeting of its Information Security and Privacy Advisory Board (ISPAB), set for June 12-14 in Washington, DC. The ISPAB’s duties include identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy, and advising the Secretary of Commerce, the Director of the Office of Management and Budget, and the Director of NIST on information security and privacy issues pertaining to federal computer systems, including thorough review of standards and guidelines proposed by NIST. The agenda covers, among other topics, the recent critical infrastructure cybersecurity Executive Order as well as NIST’s subsequent Request for Information on cybersecurity standards and practices and Notice of Inquiry on incentives to participate in a voluntary cybersecurity program. The meeting was announced in the Federal Register and is open to members of the public.

FERC Proposes Approval of New Version of Electric Industry Cybersecurity Standards

Similarly, on April 18, 2013, the Federal Energy Regulatory Commission (Commission or FERC) issued a Notice of Proposed Rulemaking (NOPR) to approve Version 5 of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, a group of mandatory cybersecurity regulations applicable to much of the electric industry. Version 5 features bright-line criteria identifying systems critical to the reliability of the electric grid and introduces risk-based categorization of these systems.

In the NOPR, the Commission states that the Version 5 CIP Standards will improve on the currently approved CIP Reliability Standards, but it expresses significant concern about the enforceability of a new and much-lauded feature of Version 5, the so-called “identify, assess, and correct” requirements, which emphasize continuous monitoring and improvement of cybersecurity programs rather than penalization for every compliance violation. The Commission also questions whether the protections for “low impact” BES cyber systems are sufficient. Specifically, it asks whether it should direct NERC to specify in more detail the required content of the cybersecurity policies and procedures applicable to low impact systems. Comments on the NOPR are due Monday, June 24, 2013.

Venable LLP offers a broad array of legal services to a variety of different players within the cybersecurity arena. Our attorneys are adept at understanding complex client issues and tapping into the extensive experience of our many practice areas including privacy and data security, e-commerce, intellectual property, government contracting, telecommunications, energy, and corporate.
