anweiss
commented
6 years ago Adding a few more for NIST. These all roll up to the Computer Security Division (CSD) of the Information Technology Laboratory (ITL). The NIST National Cybersecurity Center of Excellence (NCCoE) is also a key publisher of security standards and recommendations and is an FFRDC (Federally Funded Research and Development Center) created as a result of Executive Order 13636, "Improving Critical Infrastructure Cybersecurity".
NIST SP 800-53: https://nvd.nist.gov/800-53
- Considered by many to be the de-facto, most comprehensive security control catalog for any systems, components and processes
- ~900 controls
- 800-53 Revision 5 is due out at the end of the year and encompasses privacy controls and some more modern system constructs
- For context, NIST SP 800-66 provides a cross-walk between HIPAA and 800-53
- FedRAMP is heavily dependent on 800-53
NIST SP 800-37 (aka RMF): https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final
- Considered a key guidance document by the U.S. Government for IT risk management
- At a very high-level, it's a 6 step process for securing and authorizing Federal systems for use
- Revision 2 is due out at the end of the year and is much more aligned to the NIST Cybersecurity Framework (CSF) and privacy overlays
- Revision 2 has a big focus on supply chain security as well
- FedRAMP follows a process based on RMF
NIST SP 800-190: https://csrc.nist.gov/publications/detail/sp/800-190/final
- One of the first container-specific security publications from NIST
Security Content Automation Protocol (SCAP): https://csrc.nist.gov/projects/security-content-automation-protocol:
- Development of SCAP 2.0 was announced the other day ... bigger emphasis on IoT and cloud native
Open Security Controls Assessment Language (OSCAL): https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language:
- Still in early development
- Considered a "standard-of-standards" that aims to automate the attestation and assessment processes (aka the paperwork) for many security control catalogs, frameworks, etc ... FISMA, PCI, HIPAA, etc
Software Identification (SWID) Tagging: https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final
- SWID is actually an ISO standard (ISO/IEC 19770-2)
- The concept of SWID is somewhat aligned to distribution/registry projects but would guidelines for the use of SWID in these cloud native constructions would likely need to be developed
stale[bot]
TheFoxAtWork
As requested, a list of groups with potential liaison and socialization opportunities
NIST Big Data WG - Mark U can liaise
IEEE P2675 DevOps Security https://standards.ieee.org/develop/project/2675.html
IEEE Product Safety Engineering Society http://ewh.ieee.org/soc/pses/
NIST Cloud Security SP 500-291 https://www.nist.gov/sites/default/files/documents/itl/cloud/NIST_SP-500-291_Jul5A.pdf
IEEE 7009 - Standard for Fail-Safe Design of Autonomous and Semi-Autonomous Systems WG https://standards.ieee.org/develop/project/7009.html
IEEE P1915.1 - Standard for Software Defined Networking and Network Function Virtualization Security https://standards.ieee.org/develop/project/1915.1.html
IEEE P7000 (series of interrelated standards in development, including privacy, transparency, etc. related to ethical concerns in autonomous systems). https://standards.ieee.org/develop/project/7000.html