It will be one year since NIST released their final version of SP800-53 Revision 5 on September 23, 2020. As a quick reminder SP800-53 is the document issued by NIST that specifies the Security and Privacy Controls that need to be used by agencies of the Federal government. We wrote about SP800-53 Revision 5 back when it was draft before it was finalized and you can find extended details on SP800-53 in that article. With the finalization of the document, agencies of the Federal government are given a year to adhere to the new guidelines, and since SP800-53 revision 5 was finalized last September 23, we’ll hit the one year mark this week.
When Must Government Agencies Be in Compliance?
While it’s a federal requirement for federal agencies to follow NIST guidelines, the implementation timing requirement is found in a publication from the Office of Management and Budget (OMB), specifically circular A130. The requirement is that legacy systems have one year from the date of publication to be in compliance, while a system in development is required to be in compliance upon deployment. The exact text from A130 is below:
For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.
If you are looking for the reference it is found on p. 53, Appendix I-16, 5.a. Federal agencies that are unable to comply by the time a year passes, can request a waiver.
RASP and IAST added to Security Framework
The big change for application security in Revision 5 of the security and privacy framework was the addition of RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). It was a first in recognizing these two advancements in application security by now requiring them as part of the NIST security framework.
While it’s been a year since the standard has been finalized it’s probably too soon to be able to say the new requirements are a success. We do know that in the last year breaches and attacks have increased. The increase in attacks and breaches should convince any organization that it’s time to re-evaluate their security and the NIST framework offers a template for organizations to adopt the same level of security used by federal agencies.
Here at K2 Cyber Security, we’d like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks, while at the same time generates the least false positives and alerts. Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation, and verifies the API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has no false alerts.
We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs) fail to prevent zero day attacks and how deterministic security fills the need for detecting zero day attacks. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, pattern and signature matching fail to detect true zero day attacks, giving very specific examples of attacks where these technologies work, and where they fail to detect an attack.
The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications, include RASP and check out K2’s application workload security.