• Systems are being categorized as low, moderate, or high without using the tailoring feature, and are then evaluated only for their compliance with the low, moderate, or high control baseline. In other words, risk assessments have ceased to be real risk assessments and have turned into ratings of how well the system conforms to 800-53. The exposure of the system to the various threats is not considered: a system behind locked doors with no Internet connection gets the same assessment as a system connected to the Internet full time.
• Agencies are being rated on a scorecard using the 800-53 compliance ratings of their systems, not on the true risk to public safety and agency mission.
• Under the NIST standards, the baseline is set by the highest of the confidentiality, integrity, and availability impact levels, so a system with a high confidentiality requirement must carry the same controls as one with a high availability requirement. Protection added for high confidentiality can negatively affect availability. A weather information system for controllers managing an airport's traffic must be available 24/7; if the system goes down, aircraft safety could be affected. The data is not confidential, and the system should not lock up because a user has stopped touching it. 800-53 control AC-11 requires a session lock after a period of inactivity, and AC-12 requires session termination on organization-defined conditions such as inactivity. If a system administrator using the system fails to sign out, the right behavior is to end the administrator's privileged session and revert to the safe controller mode, not to stop displaying the weather.
• Safety must be rule number one for critical infrastructure systems. Security controls must not negatively impact safety.
• The NIST standards don't consider the interactions that arise in a "system of systems" with multiple interconnected systems. A security vulnerability that affects several systems at once is a much higher risk than one confined to a single system, particularly where one system serves as the backup when another fails: a shared vulnerability defeats that redundancy.
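The AC-11/AC-12 point above can be made concrete. The following is an added illustration written for this page, not code from any airport or weather system: a naive console that applies the literal session-lock reading (the screen blanks after the idle limit) beside a console that applies the privilege-dropping reading (the idle limit ends the administrator's session, writes an audit record, and the display keeps showing the weather). The class names, the 300-second limit, and the sample observation are all constructed for the example.

```python
"""Inactivity handling for a safety-critical display (constructed example).

Two readings of "lock the session after inactivity": one blanks the
display (availability failure), the other ends the privileged session
and leaves the read-only controller view in place.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    DISPLAY = "display"  # safe controller mode: read-only, always showing weather
    ADMIN = "admin"      # privileged session: configuration changes allowed


def format_weather(obs: dict) -> str:
    """Render a METAR-style line from a constructed observation dict."""
    return (f"WIND {obs['wind_dir_deg']:03d}/{obs['wind_kt']:02d}KT "
            f"VIS {obs['vis_sm']}SM QNH {obs['altimeter_inhg']:.2f}")


@dataclass
class NaiveConsole:
    """Literal reading of AC-11: after the idle limit the whole screen locks."""
    idle_limit_s: float
    last_activity: float = 0.0
    locked: bool = False

    def activity(self, now: float) -> None:
        self.last_activity = now
        self.locked = False

    def tick(self, now: float) -> None:
        if now - self.last_activity >= self.idle_limit_s:
            self.locked = True

    def render(self, obs: dict) -> str:
        # Locking hides the data the controller needs: an availability failure.
        if self.locked:
            return "*** SESSION LOCKED - press a key to unlock ***"
        return format_weather(obs)


@dataclass
class SafeConsole:
    """Privilege-dropping reading: idle timeout ends the admin session, display continues."""
    idle_limit_s: float
    mode: Mode = Mode.DISPLAY
    admin_user: Optional[str] = None
    last_activity: float = 0.0
    audit: list = field(default_factory=list)

    def login_admin(self, user: str, now: float) -> None:
        self.mode = Mode.ADMIN
        self.admin_user = user
        self.last_activity = now
        self.audit.append((now, "admin_login", user))

    def activity(self, now: float) -> None:
        self.last_activity = now

    def tick(self, now: float) -> None:
        # AC-12 intent: terminate the privileged session after inactivity,
        # and record it; the display itself is never touched.
        if self.mode is Mode.ADMIN and now - self.last_activity >= self.idle_limit_s:
            self.audit.append((now, "admin_session_terminated_idle", self.admin_user))
            self.mode = Mode.DISPLAY
            self.admin_user = None

    def set_config(self, key: str, value: str, now: float) -> None:
        # Only the privileged session may change configuration (least privilege).
        if self.mode is not Mode.ADMIN:
            raise PermissionError("configuration changes require an admin session")
        self.activity(now)
        self.audit.append((now, f"config:{key}={value}", self.admin_user))

    def render(self, obs: dict) -> str:
        # The weather is rendered in every mode; nothing blanks the display.
        banner = f"[ADMIN: {self.admin_user}]" if self.mode is Mode.ADMIN else "[CONTROLLER]"
        return f"{banner} {format_weather(obs)}"


# Constructed sample observation used by the demo below.
SAMPLE_OBS = {"wind_dir_deg": 270, "wind_kt": 12, "vis_sm": 10, "altimeter_inhg": 29.92}


def demo() -> tuple:
    """Walk both consoles through the same idle period; return what each shows at t=300s."""
    naive = NaiveConsole(idle_limit_s=300)
    naive.activity(now=0)
    naive.tick(now=300)

    safe = SafeConsole(idle_limit_s=300)
    safe.login_admin("admin", now=0)
    safe.tick(now=300)
    return naive.render(SAMPLE_OBS), safe.render(SAMPLE_OBS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the module prints the locked banner for the naive console and a normal controller-mode weather line for the safe one; the safe console's audit list still carries the termination event, which is what the control is really after. The point the design makes is that the 800-53 intent (an unattended privileged session must not stay open) can be met by dropping privilege rather than by removing the display, so the safety requirement and the control are not in conflict once the control is tailored to the system's actual impact profile.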