author photo
By Bruce Sussman
Tue | Mar 17, 2020 | 8:18 AM PDT

The NIST Cybersecurity Framework seems to be the top choice of information security leaders across North America.

Tim Callahan, Global Chief Security Officer at Aflac, told us on a recent SecureWorld Sessions podcast why Aflac is a NIST shop:

"I think by adopting that [NIST CSF] we become defensible in saying 'We've taken a standard that was meant for critical infrastructure, although we're not that, we're applying that standard to our company and infusing it with other applicable criteria.' It gives us and the board a simple way to measure progress toward our goal and maintain that progress. So that's why we adopted it."

Now, NIST has given one of the framework's supporting documents a significant update.

NIST updates security and privacy controls 

The update is titled Security and Privacy Controls for Information Systems and Organizations.

NIST says the publication provides a catalog of safeguards for all types of platforms, from general purpose computers to industrial control systems (ICS) to Internet of Things (IoT) devices.

And NIST says it is intended for a broad audience of security experts, systems developers, and even cloud computing platforms.

"Our objective is to make the information systems we depend on more resistant to cyberattacks," said NIST's Ron Ross, one of the publication's authors. "We want to limit the damage from those attacks when they occur, make the systems cyber-resilient, and at the same time protect the security and privacy of information."

9 updates in latest NIST security and privacy controls catalog

Although there are many changes throughout the controls catalog, NIST highlights nine significant shifts in this update:

  1. Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
  2. Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
  3. Adding two new control families for privacy and supply chain risk management;
  4. Integrating the Program Management control family into the consolidated catalog of controls;
  5. Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
  6. Separating the control catalog from the control baselines;
  7. Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
  8. Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  9. Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices

You can download the document and even comment before the final version is approved: Security and Privacy Controls for Information Systems and Organizations.

Also, if you want to learn more from Aflac CSO Tim Callahan and how he went from disarming bombs to leading cybersecurity, check out the podcast episode: