SP 800-53A Now Finally Final
Posted July 1st, 2008 by rybolovThe perpetual draft document, SP 800-53A, has been officially released after 3 years. Check out the announcement from NIST here.
Now the interesting thing to me is that NIST is working with some other players (DNI comes to mind) on reference implementations of 800-53A. This is big, so big that I can’t add enough hyperbole to it.
Why do they need to do reference implementations? Well, because by itself, SP 800-53A is dangerous if it’s given to people who “don’t get it”. By that what I mean is this:
- SP 800-53 needs tailoring to distill into actual requirements.
- SP 800-53A needs a huge amount of tailoring to distill into test cases/procedures that match the tailoring that you did with 800-53.
- Taken at face value, 800-53 and 800-53A become the source of “death by compliance”.
- If you think the auditors could grill you to death with 800-53, 800-53A gives them tons more material.
Now time for a war story: I worked on a project where the contractor was having a hard time building a security program, mostly because they didn’t have the right staff to get the job done. The government told the contractor to use 800-53A as a starting point, and 6 months of insanity followed with 13 “security engineers” in a conference room cranking out documentation that had no basis in reality. At the end of it all, the contractor handed the Government a bill for $1M.
Now don’t get me wrong, I like the ideas behind 800-53A, but the first thing you need to know when you start using it is when you shouldn’t use it:
- Don’t run test procedures on every computer you have, use an automated tool and do spot-checks to validate that the automated tool works.
- Use less test procedures on low-criticality systems.
- “This procedure is conducted as part of the hardening validation process.”
- Common controls are even more important because you do not want the repetition of effort.
And whatever you do, don’t let 800-53A turn your risk management into a compliance activity. It has all the potential to do that.
US Government Doc’s photo by Manchester Library.
Similar Posts:
Posted in FISMA, NIST, Risk Management, What Doesn't Work, What Works | 12 Comments »
Tags: 800-53 • 800-53A • auditor • catalogofcontrols • compliance • fisma • government • infosec • itsatrap • management • security
July 1st, 2008 at 9:17 am
…and good luck printing a copy. It’s 300+ Pages.
Tailoring itself can be a black art — most importantly, make sure that traceability is maintained!
I’ve written more than my share of test plans… Several are still in use today. Understand that it is possible to devise series of tests that will demonstrate effectiveness of multiple controls. Don’t think that each requirement has to have its own individual test case!
What traceability amounts to is taking credit for one’s work, and making the jobs of the certifier and ultimately, the approval authority much easier. What you’ll end up with is a test report that has written itself and a no-brainer recommendation.
Cheers,
Vlad
July 1st, 2008 at 9:26 am
After delving into the 53A, one nedd go no further than the Preface to find the first “nugget.:”
“Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives.”
…the only point missing is that control assessment are not about “compliance. ”
Cheers,
Vlad
July 1st, 2008 at 12:29 pm
This is probably heresy around here, but I like 800-53. I like that it provides a foundation for security controls. It even provides some reasoning as to why and what exactly they are looking for. If people don’t want to use certain controls and mark them N/A, fine. But, at least it gets people thinking about appropriate items.
However, I can’t stand 800-53a. It seems to be written by scientists living in an ivory tower. Nice in theory, but who could actually implement those in a time effective manner? There are just too many items. Like Vlad said above, it is 300 pages. I think that the last time I took a look at the draft it was something like 1700+ tests to run? God forbid, you are certifying a HIGH rated system.
July 2nd, 2008 at 11:38 am
@Vlad but that’s the problem, if you give people a catalog of controls and then hold them to that standard, you’re not expecting them to go above and beyond that. In other words, just by having a catalog of controls, you’re implying some kind of compliance. What happens when I want to do something that improves security drastically but I can’t make it fit into the catalog? I can’t justify it to the beancounters at what’s in charge.
@Jeremy I agree with you on 800-53, it’s pretty good. My point with this post is that 800-53A doesn’t work without a reference implementation to look at because it is very thick with theory.
July 3rd, 2008 at 3:50 pm
Have to agree with both of you. I have maintained over the years that NIST was doing an outstanding job with the 53 in spite of Congress (never missing a chance to cry foul or score points) and the executive branch (meaning well but always falling short).
I look back on the days when there was for anyone to use, and feel very good about how far we’ve come. I haven’t been thrown out of a government executive’s office for preaching holistic security for almost two decades now… (let it go, I know I’m geezin’)
My point is — we run the risk of ignoring a very powerful message when we look merely to comply.
I don’t know how the end-state — where we do security and don’t even give it a second thought (like breathing) — can be achieved. Oversight/audit is important — but running a good security program is not just about your score on the last checklist. It will take leadership and some success stories that don’t end up simply as books, but as the shining example for government (even industry) to follow.
Don’t even get me started on ROSI…
July 3rd, 2008 at 3:53 pm
Evidently stuff within the -greater than- -less than- symbols gets borked.
Second paragraph should read “…the days when there was NOTHING for anyone to use…”
Cheers,
Vlad
July 8th, 2008 at 2:15 pm
So, is there an industry to look at that takes security seriously and proactively? The first thing that comes to mind for me is Vegas. It certainly wouldn’t be our evoting standards. But, that is just a stab in the dark. Usually, when billions are on the line, things are taken seriously. Of course, the federal government deals in billions on a daily basis, so…
January 8th, 2009 at 11:33 pm
800-53 Rev 2 is a good document. 800-53 A is a waste of paper and is unnecessary. What’s worse, some agencies are re-writing 800-53 A to come up with their own customized version…and usually they miss the mark on it.
January 9th, 2009 at 11:04 pm
FISMA Geek, the problem is that 800-53A is such a huge learning curve that most people won’t make it.
Gotta look at what NIST is trying to do, which is to give something to the auditors of the world–IGs, GAO, etc–so that they can have some sort of standardization across findings/reports. Deep down inside, however, I flip-flop between thinking this is a great thing v/s “OMG, what kind of a monster have we unleashed?”
January 15th, 2009 at 9:05 am
One thing we’ve created is the misallocation of work into our buckets. CM for instance. Necessary and important to implement security but it’s its own discipline. Yet I now have managers asking me about their CM program because now (since it’s in 800-53 and they are being audited on it) “it’s security”
January 17th, 2009 at 6:03 pm
Hi fin
I think at a certain point there are things classified as “security” which should be “plain ol’ good management”. So yeah, I agree with you.
August 27th, 2009 at 8:20 am
The problem is there no documentation when the systems were built and now (1-3) years later, people are trying to record controls they never documented.