The National Institute of Standards and Technology (NIST) has finalized updates to its catalog of security and privacy safeguards, a move aimed at helping both software developers who release patches and the organizations that implement them.

The modifications come in response to President Donald Trump’s June executive order, which tasked NIST with updating the catalog by Sept. 2 “to provide guidance on how to securely and reliably deploy patches and updates.”

NIST’s catalog of security and privacy safeguards is formally known as Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication (SP) 800-53.

“The changes are intended to emphasize secure software development practices, and to help organizations understand their role in ensuring the security of the software on their systems,” said Victoria Pillitteri, the NIST computer scientist who led the project. “Ultimately, we want to help them achieve their goals while minimizing the risk of a patch creating unintended consequences.”

In an Aug. 27 press release detailing the update, NIST explained that when a vendor deploys a patch, it reduces the window of opportunity for attackers. However, it also increases the risk that “the less thoroughly tested patch” could disrupt an organization’s operations.

“The updated controls emphasize the importance of monitoring the particular component being updated as well as the component’s relationship to the overall system,” Pillitteri said.

Notably, the changes to SP 800-53 include three entirely new controls. The first, Logging Syntax (SA-15), defines an electronic format for recording security-related events to support better incident response.

The second new control, Root Cause Analysis (SI-02(07)), specifies conducting a review to find out the root cause of an issue or failure with a software update and implementing an action plan. The third, Design for Cyber Resiliency (SA-24), recommends designing systems for survivability from attacks.

The update also fine-tunes the technical details of several existing controls and introduces new examples to guide their implementation.

NIST said it completed the modifications with the help of a commenting system in which stakeholders could provide feedback on proposed changes in real time and preview the proposed revisions before final publication.

“We are trying to keep this comprehensive set of security and privacy controls agile,” Pillitteri said. “NIST can now develop and rapidly issue updates to this guideline while coordinating with stakeholders in a transparent way that meets customer demand. It’s part of our effort to develop and issue standards at the pace of technology.”

The update is available in several electronic formats, some of which are machine-readable, including OSCAL and JSON.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.