The National Institute of Standards and Technology (NIST) released the final public draft of Revision 5 of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, in March 2020.
Though not yet finalized, Revision 5 represents a fundamental restructuring of 800-53 intended to make it more inclusive and to serve a broader base of users, from enterprise programs that use 800-53 alongside the Risk Management Framework to communities (such as privacy and systems security engineers) that earlier revisions did not explicitly address. The new areas of focus strengthen security and privacy governance and accountability, support system survivability under attack, and support secure system design.
Over the last several years, privacy has proven to be a critical concern that requires the same visibility cybersecurity has received. In response, NIST began FISMA 2020, a multiyear effort to integrate privacy into the guidance that supports the Federal Information Security Modernization Act (FISMA). That effort culminates in the privacy controls now integrated into Revision 5, a publication that underlies most federal agency compliance efforts.
800-53 R5 takes a technology- and policy-neutral approach, systematically defining safeguards that apply to all types of computing platforms, including general-purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial and process control systems, and Internet of Things (IoT) devices.
Separating security and privacy controls from baselines
NIST also made a major design decision to separate the controls themselves from baselines, tailoring guidance, and mapping tables. 800-53 R5 continues to contain the catalog of security and privacy controls, while the baselines and tailoring guidance move to a new publication, SP 800-53B, Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations, projected for publication in late 2020. Mapping tables become supplemental resources maintained separately from the catalog.
Revision 5 also moves the privacy controls out of an appendix (in 800-53 R4 they were detailed in Appendix J) and into the main catalog, integrating them with the relevant security controls and adding a new privacy control family, Personally Identifiable Information Processing and Transparency (PT), which addresses privacy risk management.
How SP 800-53 R5 maps out
Revision 5 focuses on three areas: 1) controls that address current and emerging threats and vulnerabilities, 2) cyber resiliency, and 3) supply chain risk management.
As new technologies such as cloud, mobile, and IoT are adopted, NIST wants the same controls to remain usable, with their implementation varying by technology rather than requiring technology-specific controls. 800-53 R5 is written for a broader set of communities, including privacy and security engineers, supply chain practitioners, the private sector, nonprofits, and academia.
Another fundamental change is NIST's move to an online content delivery model, where a user visits a website to search the control catalog, select the necessary controls, and build security plans. This delivery model lets users forego reviewing the 400+ pages of control documentation and instead find only the topics pertinent to their business operation or mission. The online model also allows NIST to update more frequently: when a new threat or attack technique is identified, a control or control enhancement can be posted quickly and beta tested by the user community and NIST labs before it is formally incorporated.
With this approach, users have two ways to select controls:
Users who want to apply baselines will find them in 800-53B.
Users who want to apply controls within an engineering process will use 800-53 R5 directly to select the individual security and privacy controls that meet their requirements.
“The controls should work for you,” said NIST fellow Ron Ross during NIST’s 800-53 R5 virtual event. “You shouldn’t have to do this just as a compliance exercise. We tried to build a catalog that is flexible and dynamic and can be used for whatever situation you may find yourself in, based on threats and vulnerabilities, the particular impact to your missions or your business operations if there is some kind of breach or an attack. And all of that comes together to make this your catalog of controls.”
Other notable changes in Revision 5 include:
A new Supply Chain Risk Management (SR) control family, which is no longer a subset of the System and Services Acquisition (SA) control family and instead builds on and expands the 800-53 R4 Supply Chain Protection control (SA-12)
Integration of Program Management as its own control family
New control enhancements covering systems security design principles and the transition to IPv6
Control selection processes separated from the controls
Tables relating SP 800-171 requirements to the 800-53 controls that support them
Control language updated to be more outcome focused
Aligning controls with different risk management and cybersecurity approaches, including NIST’s Cybersecurity and Privacy Frameworks
Supplemental resources mapping the controls to ISO/IEC 27001 and ISO/IEC 15408 and to the NIST Cybersecurity and Privacy Frameworks, as well as control enhancement keywords
Because control selection guidance has moved to 800-53B, organizations can use the control catalog without being tied to a specific selection process. Selection guidance for those following the Risk Management Framework is in NIST SP 800-37 R2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
Revision 5 is not yet final, but it is a good idea to prepare for its publication and understand how to follow the new guidance. The draft is available on NIST's website.
Thomas Wolfe is head of strategic development for TalaTek, an integrated risk management firm in Washington, D.C.