What the critics say
Although SP 800-53 is generally getting high marks from the IA community, it, and FISMA, are not without their critics.
Some say that certain agencies are not proficient in conducting a meaningful risk assessment and therefore will have difficulty identifying vital risks. Some feel that SP 800-53 should have included measurable testing, third-party validation and certification that IT systems meet their security requirements.
Yet others argue that most threats are now high-end threats. Since systems are so interconnected and often have ill-defined, inadequate, leaky borders, low-impact systems are effectively higher-impact systems because low-impact systems can become insider attack platforms against interconnected higher-impact systems. Accordingly, they dismiss SP 800-53's discussion of low-impact and moderate-impact targets as irrelevant; all systems need to be protected against the types of attacks/attackers associated with high-impact systems.
Some say that FISMA and the SP 800-53 revision process are too static to keep up with quickly emerging threat landscapes or emerging protection technologies. Others say SP 800-53 is too flexible and is overly complex because so many security control choices are offered.
With regard to the latter point, some believe that a narrower subset or profile of SP 800-53 provides the most critical security controls that address the most critical risks common to all parties. They feel some of the basic critical risks include:
• Not knowing the instantaneous inventory of hardware, software and configurations.
• Providing "good" security features but not necessarily the "necessary" security features.
• Not providing auditing to validate security and to verify ongoing protection over time.
Proponents of an alternative to SP 800-53's security control baselines feel there is only a small set of common and critical technical and operational controls that are applicable to all parties. Additional, organization-unique controls may be added as necessary. These common controls, called the "20 Critical Security Controls", can also be used by auditors to check whether organizations are compliant with the standards of SP 800-53. The majority of these Critical Security Controls can also be automated for testing. Automation might make it easier to ensure that systems maintain information security and assurance over time. NIST officials are planning to include more automation, where feasible, in the next update to SP 800-53.
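The following is an added example, not code from the article or from NIST or any Critical Security Controls project. It shows what the "automated testing" of one critical control looks like in practice, taking the first risk listed above (not knowing the current inventory of hardware, software and configurations) and turning it into a repeatable audit: a declared baseline is compared with an observed snapshot, and every unknown host, unapproved package or drifted configuration value becomes a finding that can be re-checked on a schedule. The inventory data, host names, package names and configuration keys are all constructed for the example, and the dictionary layout is an assumption about how a discovery tool might export its results.

```python
"""Baseline-vs-observed inventory audit (added example, constructed data)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed baseline: what the organisation believes is deployed.
BASELINE = {
    "hosts": {"web-01", "web-02", "db-01"},
    "software": {
        "web-01": {"nginx 1.24", "openssl 3.0"},
        "web-02": {"nginx 1.24", "openssl 3.0"},
        "db-01": {"postgresql 15"},
    },
    "config": {
        "web-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no"},
        "web-02": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no"},
        "db-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no"},
    },
}

# Constructed observed snapshot, in the shape an asset-discovery export is
# assumed to take. It deliberately contains three deviations from BASELINE.
OBSERVED = {
    "hosts": {"web-01", "web-02", "db-01", "lab-07"},  # lab-07 is not in the baseline
    "software": {
        "web-01": {"nginx 1.24", "openssl 3.0"},
        "web-02": {"nginx 1.24", "openssl 3.0", "netcat"},  # unapproved package
        "db-01": {"postgresql 15"},
        "lab-07": {"python 3.12"},
    },
    "config": {
        "web-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no"},
        "web-02": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no"},  # drifted
        "db-01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no"},
        "lab-07": {},
    },
}


@dataclass(frozen=True)
class Finding:
    """One audit finding; category is one of the fixed strings used below."""
    category: str  # unknown-host | missing-host | unapproved-software | missing-software | config-drift
    host: str
    detail: str


def audit_inventory(baseline: dict, observed: dict) -> list[Finding]:
    """Compare an observed inventory against the declared baseline.

    Hosts are checked first; software and configuration are only compared for
    hosts present in both sets, since an unknown host is already a finding.
    Results are ordered deterministically so repeated runs can be diffed.
    """
    findings: list[Finding] = []
    for host in sorted(observed["hosts"] - baseline["hosts"]):
        findings.append(Finding("unknown-host", host, "observed but not in baseline"))
    for host in sorted(baseline["hosts"] - observed["hosts"]):
        findings.append(Finding("missing-host", host, "in baseline but not observed"))

    for host in sorted(baseline["hosts"] & observed["hosts"]):
        base_sw = baseline["software"].get(host, set())
        obs_sw = observed["software"].get(host, set())
        for pkg in sorted(obs_sw - base_sw):
            findings.append(Finding("unapproved-software", host, pkg))
        for pkg in sorted(base_sw - obs_sw):
            findings.append(Finding("missing-software", host, pkg))

        base_cfg = baseline["config"].get(host, {})
        obs_cfg = observed["config"].get(host, {})
        for key in sorted(set(base_cfg) | set(obs_cfg)):
            if base_cfg.get(key) != obs_cfg.get(key):
                findings.append(Finding(
                    "config-drift", host,
                    f"{key}: expected {base_cfg.get(key)!r}, observed {obs_cfg.get(key)!r}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, the figure an ongoing audit would trend."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in audit_inventory(BASELINE, OBSERVED):
        print(f"{f.category:20} {f.host:8} {f.detail}")
    print(summarize(audit_inventory(BASELINE, OBSERVED)))
```

Run against the constructed data, the audit reports the unknown host, the unapproved package on web-02 and the changed SSH setting on web-02; run against a baseline compared with itself it reports nothing, which is the property a scheduled check relies on. The point of the example is the workflow rather than the data format: once the baseline is machine-readable, the same comparison can be re-run after every discovery scan, giving the "auditing to verify ongoing protection over time" that the critics quoted above say SP 800-53 leaves to each organisation.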