NIST Overhauls “Security and Privacy Controls” and Emphasizes VDP as a Best Practice

Back in 2005, the Computer Security Resource Center (CRSC) published NIST 800-53: the “Security and Privacy Controls for Information Systems and Organizations” publication. This Special Publication contains valuable guideposts for organizations looking to reduce risk. However, its last iteration, Revision 4, was released in April 2013. It was well past time for an update. 

Earlier this year, NIST published SP 800-53 Revision 5. The revision was followed by NIST SP 800-53B, the Control Baselines for Information Systems and Organizations, which outlines best practices for organizations looking to mitigate risk. Crucially, it positions vulnerability disclosure programs (VDPs) as a core component of every security strategy.

However, before you update your security strategy to comply with NIST guidelines, it’s important to understand a few key components. Read on to learn about NIST’s updated recommendations, and how you can leverage these best practices to mitigate risk.

Increasing Your Resistance to Attacks

For years, leading organizations have leveraged vulnerability disclosure programs (VDPs) and bug bounty programs to find and remediate vulnerabilities before they can be exploited. The latest Revision recommends that all organizations use a VDP to “ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible.” Specifically, this appears in section 800-53 RA-5 (11) - Vulnerability Monitoring and Scanning | Public Disclosure Program as follows:

(11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite nondisclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

The section strongly recommends organizations deploy something “as simple as publishing a monitored email address or web form that can receive reports” of potential vulnerabilities discovered by friendly hackers and researchers. But NIST also goes further, adding that obscurity is outdated and dangerous thinking. Instead, security teams should “generally expect that such research is happening with or without their authorization.” Ignoring incoming reports, or allowing them to go unchecked, is itself a vulnerability.

Rather, organizations should “use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.” Revision 5 also references ISO 29147 as guidance for implementing these programs, an excellent standard upon which we based the core workflows for HackerOne Response.

Bug bounty programs are also called out as a tool to “further encourage external security researchers to report discovered vulnerabilities.” Bounty programs come in many flavors, and even NIST explains how they can be customized to fit any organization’s needs. HackerOne Bounty offers incredible flexibility with public or private bug bounty programs and time-bound programs to fulfill structured testing needs.

More Value for Non-Government Organizations

Federal agencies run and are structured differently from private sector organizations. Revision 5 recognizes this and, in an effort to make the document usable and helpful to everyone, has moved their control baselines and tailoring guidance to separate subdocuments. This maintains directives for federal organizations but also frees up their security and risk reduction guidance to be used by other organizations to improve their own security and privacy efforts. 

In essence, Revision 5 has been restructured to provide a customizable security and privacy framework for any organization. This flexibility and guidance lets you build or expand your security efforts based on your own business and industry needs.

Modernized for Today’s Tech and Today’s Threats

Revision 5 includes new language for managing risk beyond your walls to incorporate risk management up and down the supply chain. The intent is to “protect system components, products, and services that are part of critical systems and infrastructures.” That’s increasingly important as companies and their suppliers, partners, and customers become more digitally connected to streamline operations and accelerate the delivery of goods and services. 

We’ve all heard the stories of breaches originating from third-party systems. These updates again take a realistic approach to how today’s organizations operate. The new controls are intended to bring more attention, and more controls, to the potential risks across your supply chain. 

The risks themselves are continuing to evolve with our digital world. Revision 5 adds “new state-of-the-practice controls” which are “needed to protect the critical and high- value assets of organizations including individual’s privacy and personally identifiable information.” These new controls, NIST says, are based on the changing threats seen by the security community, as well as modern protocols and organizational governance designed to keep security measures advancing along with both technology and attackers. 

Public Disclosure: A NIST Best Practice

As a companion to Revision 5, NIST released SP 800-53B, which presents best practices for organizations looking to mitigate their risk. According to these guidelines, every organization must implement a VDP regardless of their expected level of risk. 

SP 800-53B has crucial ramifications for federal agencies. Although NIST guidelines are nonregulatory, the Federal Information Security Modernization ACT (FISA) and OMB Circular A-130 require that federal agencies implement a minimum set of controls from SP 800-53. Put simply, a VDP is no longer optional for agencies and organizations working with the federal government. NIST recognizes public disclosure as vital for securing federal information systems and assets.

“Many external programs and organizations depend on the NIST recommendations to help protect cloud, health care, financial, transportation, manufacturing, defense and industrial control systems,” says Ron Ross, a NIST fellow and an author of the SP 800-53B. “It’s our goal to get all of them the right kind of protection.”

The Bottom Line

NIST’s ultimate goal is “is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.”

The first step is getting your organization started with a VDP. Leveraging a continuous bug bounty program can further increase your resistance to threats. 

To learn more about VDPs, check out “The 5 Critical Components of a Vulnerability Disclosure Policy.”