NIST Overhauls “Security and Privacy Controls” Publication - Here’s What You Need to Know

September 25, 2020 HackerOne Team

Back in 2005, NIST's Computer Security Resource Center (CSRC) published NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.” This “Special Publication,” or SP, has been downloaded millions of times. Its previous iteration, Revision 4, was released in April 2013.

It was well past time for an update. 

Now we can celebrate the recently published NIST SP 800-53, Revision 5, which aims to help public and private organizations of any size or industry better manage their risk. That is especially helpful as the world becomes more digitized and connected, exposing everyone’s systems and data to more potential attacks. NIST takes a clear-eyed view that this digitization and connectivity will continue to increase, describing this revision as “designed to provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.”

A major change is that this is the first standard of its kind to incorporate both risk and privacy controls in the same standard, treating both as equally imperative. Privacy is quickly becoming a top concern for organizations across the board, both because of a shift in consumer expectations and because of increased legal requirements. This framework can help businesses understand what constitutes a good privacy program in the context of their overall privacy and security initiatives.

This latest revision also includes new risk management controls, adds language on vulnerability disclosure policies (VDPs), and has been restructured so that public and private organizations can use it as a customizable security framework.

Let’s take a deeper look at the key updates to NIST 800-53. 

Increasing Your Resistance to Attacks

A key inclusion in Revision 5 is the promotion of VDPs and bug bounty programs as effective techniques to “ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible.” Specifically, this appears in control enhancement RA-5(11), Vulnerability Monitoring and Scanning | Public Disclosure Program, as follows:

(11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

Discussion: The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite nondisclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

The control’s discussion encourages organizations to deploy something “as simple as publishing a monitored email address or web form that can receive reports” of potential vulnerabilities discovered by friendly hackers and researchers. But NIST goes further, adding the pragmatic realism that security through obscurity is outdated and dangerous thinking. Instead, security teams should “generally expect that such research is happening with or without their authorization.” Ignoring incoming reports, or allowing them to go unchecked, is itself a vulnerability.

Instead, organizations should “use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.” HackerOne Response is ideally suited to deliver this type of disclosure channel quickly and effectively. Revision 5 also references ISO 29147 as guidance for implementing these programs, an excellent standard upon which we based the core workflows for HackerOne Response.

Bug bounty programs are also called out as a tool to “further encourage external security researchers to report discovered vulnerabilities.” Bounty programs come in many flavors, and NIST explains how they can be customized to fit any organization’s needs. HackerOne Bounty offers incredible flexibility with public or private bug bounty programs, time-bound programs to fulfill structured testing needs, and virtual or live hacking events to add a dynamic angle that accelerates vulnerability discovery.

More Value for Non-Government Organizations

Federal agencies run and are structured differently from private sector organizations. Revision 5 recognizes this and, in an effort to make the document usable and helpful to everyone, moves the federal control baselines and tailoring guidance into separate documents. This preserves the directives for federal organizations while freeing the security and risk reduction guidance to be used by other organizations to improve their own security and privacy efforts.

In essence, Revision 5 has been restructured to provide a customizable security and privacy framework for any organization. This flexibility and guidance lets you build or expand your security efforts based on your own business and industry needs.

Modernized for Today’s Tech and Today’s Threats

Revision 5 includes new language for managing risk beyond your walls to incorporate risk management up and down the supply chain. The intent is to “protect system components, products, and services that are part of critical systems and infrastructures.” That’s increasingly important as companies and their suppliers, partners, and customers become more digitally connected to streamline operations and accelerate the delivery of goods and services. 

We’ve all heard the stories of breaches originating from third-party systems. These updates again take a realistic approach to how today’s organizations operate. The new controls are intended to bring more attention, and more controls, to the potential risks across your supply chain. 

The risks themselves are also changing as our digital world changes. Revision 5 adds “new state-of-the-practice controls” which are “needed to protect the critical and high value assets of organizations including individuals’ privacy and personally identifiable information.” These new controls, NIST says, are based on the changing threats seen by the security community, as well as modern protocols and organizational governance designed to keep security measures advancing along with both technology and attackers.

Security Never Stops

The updates in NIST SP 800-53, Revision 5 reflect the constantly changing threat landscape your organization faces. Criminals don’t rest, and neither can you. This document is a valuable resource for those just starting to understand their cyber risk and security responsibilities, and even for those who already have advanced controls in place.

NIST states that its ultimate objective “is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.”

The first step is getting your organization started with a VDP. Quickly moving to a continuous bug bounty program can further help increase your resistance to threats. 

To learn more about VDPs and how to craft your own, check out “The 5 Critical Components of a Vulnerability Disclosure Policy.”
