800-53 Revision 4

00:00

So for less than 1.5, we're gonna be looking at specifically at Inter 53 revision, for which we've talked about a little bit.

00:09

So for this lesson, going to be able to define the new features and read for they've explained why the changes were needed and also look at the need for assurances. Was someone of a new idea for a revision for, but it is important that they highlight and create a whole section for it.

00:27

What changed in revision for explains a little bit Maur of the assumption there spent some time explaining why that created the baselines and why they set controls per baseline.

00:39

Provided a lot more guidance on how to tailor the systems, how to make them specific to your organization, and then they've actually added privacy controls. We'll talk about that in module two,

00:51

but there is there a specific one. So if you have Pea II and your system, these are controls you want implement.

00:58

They worked a little bit except naming convention some of the control of streamlined emperor, improving some of the text on that.

01:04

There's also added a mapping to comment criteria. If that's something you need. There's a whole arrive, a section that you could go take a look at. If you're curious what changed from a ridge in 3 to 4 or really any the revisions as they come out, you can see what has changed.

01:21

The topics they incorporated are things that we've been hearing a lot in cybersecurity recently, so

01:27

it's a two year cycle of them developing the document. And so you can see how much changes in between those times and what they really need to incorporate. So there's mobile cloud computing applications, security, trustworthiness, resilience, things we'll talk about it. It's got to do with supply Chain

01:48

is the insider threat.

01:49

I think the idea of a P. T s now these state actors that threatening your systems

01:56

and then the idea of its your usher.

02:00

So here's a again. There's a couple arcs table out of text, but I just want to put it out to sea and see you can actually look at Appendix E. So there's a whole section or the whole appendix is about assurance and trustworthiness,

02:12

and the way they defined it is assurance is the measure of cup of confidence and that the security functions, features, practices, policies, procedures, mechanism of the architecture of an organisation, information system, accurately mediate and force established security policies.

02:27

That's a lot. What does it actually mean? It means we trust what we're expecting to get to do. It actually does. So the control are expecting Isn't actually doing what what we said it is. When? When you were talking about supply chain, Am I getting what I said I wanted, or is there additional or something else in there that that I wasn't expecting?

02:46

So the previous revisions talked about insurance, but it was very It was abstracted again. They meant a lot more concrete now. So, for example, this table that's here is shows how they said for So you've done this for low, moderate, high impact systems for each one of them. They've

03:02

they've given you a table and said, Here's the controls. If you're interested in assurance

03:08

you're contracting officer or somebody wants, someone should talk about this. Here's the controls that you really need to focus on. You'll see a lot of them are Dash 1 80 81 81 We haven't talked about that, but all the dash ones are using policy procedures other than the high level documents

03:25

Come, You can look through Appendix E and kind of see how this is laid out

03:30

on def. You remember my remember from the security control I should before they took that same structure and put it into these assurance assurance requirements. So for a low impact system, here is the assurance requirements and they give you information about what that actually means. And they give you supplemental guidance

03:49

specific to this and point you to, in this case, appendix D, And say, if you want, if you're low impact system,

03:54

take a look at the baseline Appendix D. Look back at that. The matrix. We sit up

04:00

and this is what it is, what you need to take care of.

04:05

So the additional topics give their Their idea of their quote was that Revision four provides a more holistic approach by providing organizations with the breadth and depth of security controls, contributing to systems that are more resilient in the face of cyber attacks and other threats.

04:23

So the terminology is changed a little bit, which is kind of way understand now is that they're cyber attacks and there's other threats

04:29

out there that are that are specific to maybe insiders or malicious or problems like that.

04:35

But he also introduced the idea of continuous monitoring for risk based decisions. So way back, these two accredited A system and say, All right, you're good to go. Here's your auf authorization Operate. Come back In three years, we've realized over time that I T systems aren't actually like that.

04:53

They're constantly changing. So we need this continuous monitoring

04:56

process to keep looking at the controls, making sure the system is doing what it said are protecting the data like it said it wa ce

05:03

again. They had the privacy controls.

05:06

We'll talk about those a little bit later, and then they came up with this idea of overlays. Which is interesting idea is that you have the bass lines and you implement your system the way you wanted to do it, or a fire according to the baseline. But then you have this overlay, which may be specific to a mission or business within the organization

05:27

they plan to do with environment technologies

05:30

or the idea of ah community of interest. Sort of the national security system is they create, they define the variables within the controls. They define the baseline. And they say, If you want to be part of this community interest

05:43

here, on top of which already doing, here's how you need Thio implement these controls, or here's the one that controls you need to use. So

05:49

you take a look at that and take find the Delta between the two and say, Okay, if I want to be part of this, here's what Here's what I other controls I need to put in place.

05:59

We have another quiz here. So in did revision for our side prevention for Added, which new topic that is, the advanced, persistent threat.

06:09

Encryption or awareness and trading.

06:14

So the answer is a B T. A little bit of a trick. You think encryption is there. It's encryption is not a specific topic. It's already been in and incorporated into a lot of the controls. The technical ones