Most software needs updating after its initial release to address bugs, newly identified vulnerabilities, and revisions to features and functionality. But software patches and other changes can introduce new cybersecurity and privacy risks and can impair operations if not managed effectively. To support successful, secure software updates and patches, the National Institute of Standards and Technology (NIST) has finalized modifications to its catalog of security and privacy safeguards to assist both the developers who create patches and the organizations that receive and implement them in their own systems.
Many IT professionals will instantly recognize this catalog as one of NIST's flagship risk management publications: Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication (SP) 800-53). It is a comprehensive catalog of security and privacy safeguards, called controls, for strengthening the systems, products and services that underlie the nation's businesses, government and critical infrastructure.
The modifications respond to Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. Completed with the help of a new commenting system in which stakeholders could provide feedback on proposed changes in real time and preview the proposed revisions prior to final publication, the update is available in several electronic formats.
"The changes are intended to emphasize secure software development practices, and to help organizations understand their role in ensuring the security of the software on their systems," said NIST computer scientist Victoria Pillitteri, who led the project. "Ultimately, we want to help them achieve their goals while minimizing the risk of a patch creating unintended consequences."
Most software is directly exposed to the internet, which puts it at significant risk of compromise. Patching is a critical component of preventive maintenance that helps to reduce the risk of data breaches and other adverse events.
Update management can be challenging because of the need to balance the trade-offs between deploying patches quickly to address critical vulnerabilities or bugs and thoroughly testing to ensure that critical functions and services are not affected. Once a vendor detects a vulnerability in its software, deploying a patch quickly reduces the window of opportunity for attackers, but it increases the risk that the less thoroughly tested patch might disrupt an organization's operations. Conversely, thorough testing decreases the risk of operational disruption but increases the window of opportunity for attackers.
"The updated controls emphasize the importance of monitoring the particular component being updated as well as the component's relationship to the overall system," Pillitteri said.
The changes to SP 800-53 address multiple aspects of the software development and deployment process, including software and system resiliency by design, developer testing, deployment and management of updates, and software integrity and validation. Among the changes are three entirely new controls:
- Logging Syntax (SA-15) defines an electronic format for recording security-related events to support better incident response. Defining data formats facilitates automation and helps teams more quickly reconstruct security-related incidents.
- Root Cause Analysis (SI-02(07)) specifies reviewing an issue or failure with a software update to find its cause, then developing an action plan and implementing it.
- Design for Cyber Resiliency (SA-24) recommends designing systems for survivability - the ability to anticipate, withstand, respond to and recover from attack while maintaining critical functions.
The update also revises the technical content of some existing controls and provides additional examples of how to implement them.
The complete set of changes is available at the Cybersecurity and Privacy Reference Tool (CPRT), where the updated version is listed as SP 800-53 Rev. 5.2.0.
In addition, NIST is now providing updates to the control catalog through CPRT, which allows downloads in machine-readable formats including OSCAL and JSON. The agency has also adopted a new public engagement process that allows stakeholders to respond to proposed changes in real time during comment periods, and to make suggestions at any time.
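Because the catalog is published in OSCAL JSON, a team can check programmatically whether a given revision contains the controls it expects. The Python below is an added example, not NIST's or CPRT's code: the embedded catalog is a constructed fragment in the OSCAL catalog layout (assumed here: catalog -> groups -> controls, with enhancements nested under a control's own "controls" list, ids such as "si-2.7", and a "label" prop such as "SI-2(7)"), and the label normalizer maps the article's "SI-02(07)" style to that id form.

```python
import json
import re

# Constructed fragment in the OSCAL catalog JSON layout (not the real Rev. 5.2.0 file):
# catalog -> groups -> controls; enhancements nest in a control's own "controls" list.
CATALOG_JSON = """
{"catalog": {
  "metadata": {"title": "Constructed example catalog", "version": "example"},
  "groups": [
    {"id": "sa", "class": "family", "title": "System and Services Acquisition",
     "controls": [
       {"id": "sa-15", "title": "Logging Syntax", "props": [{"name": "label", "value": "SA-15"}]},
       {"id": "sa-24", "title": "Design for Cyber Resiliency", "props": [{"name": "label", "value": "SA-24"}]}]},
    {"id": "si", "class": "family", "title": "System and Information Integrity",
     "controls": [
       {"id": "si-2", "title": "Flaw Remediation", "props": [{"name": "label", "value": "SI-2"}],
        "controls": [
          {"id": "si-2.7", "title": "Root Cause Analysis", "props": [{"name": "label", "value": "SI-2(7)"}]}]}]}]}}
"""

# Accepts "SI-02(07)", "si-2(7)" and "SA-24"; leading zeros are dropped.
_LABEL_RE = re.compile(r"^([A-Za-z]{2})-0*(\d+)(?:\(0*(\d+)\))?$")

def load_catalog():
    """Parse the embedded catalog fragment."""
    return json.loads(CATALOG_JSON)

def to_oscal_id(label):
    """Normalize a human-readable label to the OSCAL id form, e.g. 'SI-02(07)' -> 'si-2.7'."""
    m = _LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognized control label: {label!r}")
    family, number, enh = m.groups()
    base = f"{family.lower()}-{int(number)}"
    return f"{base}.{int(enh)}" if enh else base

def iter_controls(catalog):
    """Yield every control and enhancement, depth-first, across all groups."""
    def walk(controls):
        for ctl in controls:
            yield ctl
            yield from walk(ctl.get("controls", []))
    for group in catalog["catalog"].get("groups", []):
        yield from walk(group.get("controls", []))

def find_control(catalog, label):
    """Return the control matching the label, or None if the catalog lacks it."""
    wanted = to_oscal_id(label)
    return next((c for c in iter_controls(catalog) if c["id"] == wanted), None)
```

Running find_control over a downloaded catalog for each control an update is expected to add gives a quick way to confirm the revision you have actually contains them.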
Pillitteri said that the new engagement process will allow NIST to maintain its usual rigor and transparency, while the different available formats make it easier for users to implement the updated controls.
"We are trying to keep this comprehensive set of security and privacy controls agile," she said. "NIST can now develop and rapidly issue updates to this guideline while coordinating with stakeholders in a transparent way that meets customer demand. It's part of our effort to develop and issue standards at the pace of technology."