NIST to issue cyber updates, introduce new security controls

The National Institute of Standards and Technology's campus in Gaithersburg, Md. J. Stoughton/NIST

The changes, which are open to public comment, focus on user identity management and protecting cryptographic keys, among other security protocols.

The National Institute of Standards and Technology is revising segments of its security controls, part of a larger patch release aimed at further fortifying U.S. cybersecurity posture.

Patches are recommended software system updates that fix existing vulnerabilities. In NIST’s latest patch release 5.1.1, slated to be unveiled in early November, the agency will be enhancing two existing controls outlined under Special Publication 800-53 and introducing a new security control.

A public comment period seeking user community feedback will be open through Oct. 31, 2023.

“NIST recognizes the importance of stability and agility in our guidance,” the agency said in an announcement. 

The control enhancements will have corresponding assessment procedures, focused on identity management and server authorization, as well as safeguarding cryptographic keys. NIST said it will also be making minor grammatical adjustments and edits that will not impact any security control procedures or outcomes but mainly change the nomenclature of controls.

As a publication, SP 800-53 acts as a resource to help users in both public and private sectors manage cyber risks that threaten network security. The updated and new controls aim to bridge a gap in the control catalog, a NIST spokesperson told NextGov/FCW.

As with NIST’s other products, the new controls in the risk management framework are not mandatory. 

“The proposed new control and control enhancements are not selected in any [SP 800-53B] control baseline, and the other changes do not impact the technical content or implementation,” NIST’s announcement reads. “Organizations have the option to defer implementing the changes included in Patch Release 5.1.1 until SP 800-53 Release 6.0.0 is issued.”

The control updates will be available to download in NIST’s Cybersecurity and Privacy Reference Tool upon clearance in early November.