August 15, 2017

NIST invites input on security, privacy controls draft update

The National Institute of Standards and Technology on Tuesday released a draft update of security and privacy controls for public- and private-sector organizations that includes a set of safeguarding measures for all types of computing platforms, including mobile devices and process control systems.

The draft update is for Special Publication 800-53, which contains the baseline privacy and security control standards prescribed for civilian agencies under the Federal Information Security Modernization Act (FISMA). The draft is open for public comment until Sept. 12.

The new document clarifies "the relationship between security and privacy." It also promotes integration of various "risk management" lexicons, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. As part of NIST's modernization effort, the new draft also incorporates "new, state-of-the-practice controls based on threat intelligence and empirical attack data."

NIST said the ultimate objective "is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable."

The update may also require the NCUA to revisit its current privacy control practices. In November 2016, NCUA's Office of Inspector General audited NCUA's compliance with FISMA and determined that the agency needed to improve its privacy program. Additionally, the OIG noted that NCUA needed to improve security controls governing state supervisory authority examiner accounts, which may be used to upload or download sensitive credit union information.