Last week, Dr. Ron Ross, National Institute of Standards and Technology fellow, joined Telos’ own Steve Horvath for a webinar to discuss the upcoming release of NIST Special Publication 800-53 Rev. 5, its relationship with the NIST RMF Rev. 2, as well as other prevalent cybersecurity topics. I’d like to thank Dr. Ross for giving us all a better understanding of the latest versions of these publications, why these changes were made, and expectations for the future.
This webinar dealt with a number of topics that allowed Dr. Ross to provide some insight into the NIST way of thinking, in addition to how and why perspectives and requirements have changed over the years. It was very helpful to hear the reasoning behind these updates.
A common thread throughout the webinar was that security and privacy are paramount to any organization. Thankfully, it’s becoming more common to think about security as an ongoing process, rather than a one-and-done, set-the-binder-on-the-shelf activity. That’s why I especially liked when Steve brought up continuous monitoring, with Dr. Ross deeming it “the only way to operate… [as] those who are tied to a checklist-based approach [are] not going to survive in the dynamic world that we face today.” Telos recognized this problem and we designed our cyber risk management solution, Xacta, to help lessen the workload by automating the continuous monitoring of systems, networks, and resources.
Steve noted that NIST SP 800-53, Rev. 5 has a clear applicability to the private sector. That’s huge. Commercial organizations have increasingly been embracing the NIST frameworks and controls, with the prediction that 50% of U.S. companies will adopt the NIST Cybersecurity Framework (CSF) in some form by the end of this year. The original purpose of the CSF was to help U.S. critical infrastructure manage risk. However, commercial and international adoption of NIST frameworks shows how important it is to any organization to have a common language and process for cyber risk management.
NIST SP 800-53 Rev. 5 also addresses the cloud and continuous integration/continuous delivery (DevSecOps), which many argue remove the need for assessment and authorization (A&A). When Steve asked Dr. Ross his thoughts, he said, “It doesn’t do away with the [A&A] process, it just makes it more efficient… so [government] can do security at the speed of commercial industry.” That resonated with me because, for years, I have been an avid supporter of cloud and the need for the government to move at the speed of commercial organizations. A coalition that I’m proud to be a part of, the Alliance for Digital Innovation (ADI), includes innovative, cloud-forward companies that advocate for the acceleration of government IT modernization.
Again, thank you, Dr. Ross, for speaking on our platform and for clarifying the changes that will make a huge difference in the efficiency of cyber risk management for organizations, both government and commercial. I urge you all to watch the webinar recording, if you haven’t already, to hear directly from Telos VP Steve Horvath and NIST Fellow Dr. Ron Ross about the topics I’ve mentioned, and much more: https://www.telos.com/reserved/webinar-nist-special-publication-800-53-revision-5/.