NIST SP800-53 Revision 5, one year later
It will be a year since NIST released its final version of SP800-53 Revision 5 to September 23, 2020. As a reminder, SP800-53 is the document released by NIST that specifies security and privacy controls that are to be used by federal government agencies. We wrote about SP800-53 Revision 5 back when it was a draft before it was finalized and you can find extensive details about SP800-53 in this article. With the document finalizing, federal government agencies have one year to adhere to the new guidelines, and since SP800-53 Revision 5 was finalized on September 23, we will hit the one-year mark this week.
When do government agencies need to be in compliance?
Although this is a federal requirement for federal agencies to follow NIST guidelines, the implementation schedule requirement can be found in a publication of the Office of Management and Budget (OMB), in particular circular A130. The requirement is that legacy systems have one year from the date of publication to be compliant, while a developing system must be compliant when deployed. The exact text of the A130 is below:
For existing information systems, agencies must meet requirements and be in compliance with NIST standards and guidelines within one year of their respective publication dates, unless otherwise specified by OMB. The one-year compliance date for revisions of NIST publications applies only to new or updated material in publications. For information systems under development or for existing systems undergoing significant change, agencies must meet requirements and be in compliance with NIST standards and guidelines upon deployment of the systems.
If you are looking for the reference, it can be found on p. 53, Annex I-16, 5.a. Federal agencies that are unable to comply by the time a year has passed may request a waiver.
RASP and IAST added to the security framework
The big change for application security in Revision 5 of the Security and Privacy Framework was the addition of RASP (Runtime Application Self-Protection) and IAST (interactive application security test). It was a first in recognizing these two advances in application security and now requiring them as part of the NIST security framework.
Although it has been a year since the standard was finalized, it is probably too early to say that the new requirements are a success. We know that last year violations and attacks increased. The increase in attacks and breaches should convince any organization that it is time to reassess its security, and the NIST framework offers a model for organizations to adopt the same level of security that is used by federal agencies.
At K2 Cyber ââSecurity, we would like to help you with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks, while generating the fewest false positives and alerts. Rather than relying on technologies such as signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without limiting ourselves to detecting attacks based on prior attack knowledge. Deterministic security uses application runtime validation and verifies that API calls are working as expected by code. No prior knowledge of an attack or the underlying vulnerability is used, giving our approach the true ability to detect new zero-day attacks. Our technology has 8 granted / pending patents, and has no false alerts.
We also recently posted a video, The need for deterministic security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero day attacks and how deterministic security meets the need for detect zero day attacks. The video explains why technologies such as artificial intelligence, machine learning, heuristics, fuzzy logic, pattern and signature matching fail to detect true zero day attacks, giving very specific examples of ‘attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security. Watch the video now.
Change the way you protect your apps, include RASP, and verify K2’s app workload security.