NIST SP 800-53 Rev 5: Understanding, Preparing for Change

November 18, 2020

  • NIST recently released Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.
  • This update provides guidance on the next generation of the security and privacy controls framework, addressing a need for a more proactive and systematic approach to cybersecurity.
  • Organizations currently complying with NIST 800-53 R.4 should begin reviewing the new standard, identifying gaps and remediating any issues.

The National Institute of Standards and Technology (NIST) recently released Revision 5 (R.5) of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. This is the first update in seven years, and 800-53 R.5 is a significant step forward, providing guidance on the next generation of the security and privacy controls framework and addressing the need for a more proactive and systematic approach to cybersecurity.

Revision 5 makes major changes to the structure and technical content in order to position the framework for a broader audience, developing what NIST describes as the “first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems – from supercomputers to industrial control systems to Internet of Things (IoT).” Revision 5 has deemphasized the federal focus to encourage greater adoption and use by non-federal organizations and to promote greater international acceptance.

NIST claims 800-53 R.5 is the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size and all types of systems. R.5 adds two new security control families and one new privacy control family, increasing the number of control families from 17 in R.4 to 20 in R.5. The two new security control families are Program Management (PM) and Supply Chain Risk Management (SR). PM has 33 supporting controls and three control enhancements; SR has 11 supporting controls and 14 control enhancements. The new privacy control family, Processing and Transparency (PT), has nine controls and 12 control enhancements, which are assigned to the privacy control baseline. The PT family isn’t part of the security controls and as such stands alone. Other integrated privacy controls include:

  1. PM-25 Minimization of PII Used in Testing, Training, and Research
  2. MP-6 Media Sanitization
  3. PL-4 Rules of Behavior
  4. IR-4 Incident Handling
  5. IR-7 Incident Response Assistance


As threats, vulnerabilities and technologies continue to evolve rapidly, it’s critical that organizations maintain their defenses in the face of an ever-changing threat landscape. Systems need to be more resistant to attacks, limit the damage when attacks occur, and remain resilient and recoverable. Therefore, controls need to be agile and updated to reflect the changing threat landscape. NIST removed the allocation of implementation responsibilities (i.e., information system, organization) from the control statements to focus the control set on outcomes.

A greater emphasis is being placed on defining the security and privacy control baselines in R.5, and a standalone publication has been developed to guide organizations through the control selection process. Special Publication 800-53B – Control Baselines for Information Systems and Organizations (Draft) is a key component for organizations to select and tailor appropriate security control baselines for organizational systems, and it facilitates control baseline customization for specific communities of interest, technologies and operational environments. NIST retained the three security control baselines for low-impact, moderate-impact and high-impact information systems and replaced the Privacy Controls Catalog with a Privacy Control Baseline that’s applied to systems irrespective of impact level. Special Publication 800-53B provides a chart that assigns controls and control enhancements to the appropriate security and privacy control baselines; however, a large number of controls and control enhancements aren’t assigned to any baseline. Organizations need to review these unassigned controls and make their own determinations as to whether the controls and control enhancements are needed to meet applicable requirements or are useful for mitigating risks within their specific environments. This tailoring process gives organizations greater flexibility in selecting controls and control enhancements that meet their specific risk management needs and changing threat landscape.

A summary of the major changes to the publication includes:

  1. Complete integration of privacy elements into the control framework. Privacy is no longer consigned to an appendix but is included as part of the unified catalog. There are 86 privacy controls, 26 of which are standalone and 60 of which are integrated into the security controls. The guidance incorporates next-generation privacy and security controls and includes guidelines for how to use them.
  2. Making the security and privacy controls outcome-based by changing the structure of the controls.
  3. Adding new supply chain risk management (SR) controls, with guidance on integrating them throughout an organization. Previous editions had a single supply chain control, but Revision 5 has an entire dedicated control family.
  4. New, state-of-the-practice controls based on the latest threat intelligence and cyber attack data (e.g., controls to support cyber resilience, secure systems design, and security and privacy governance and accountability).
  5. Transferring control baselines and tailoring guidance to NIST SP 800-53B. This content has moved to the new (Draft) Control Baselines for Information Systems and Organizations.
  6. Separating the control selection processes from the controls themselves to make them easier to use by different communities of interest, including systems engineers, software developers, enterprise architects and mission/business owners.
  7. Improving descriptions of content relationships, clarifying the relationship between requirements and controls and the relationship between security and privacy controls.
  8. Eliminating the term “information system” and replacing it with the term “system” so the controls can be applied to any type of system, including general purpose systems, cyber-physical systems, industrial/process control systems and IoT devices.
  9. De-emphasizing the federal focus of the publication to encourage greater use by the public sector and international organizations.
  10. Improving descriptions of content relationships by clarifying the relationship between requirements and controls as well as the relationship between security and privacy controls.
  11. Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework.


Revision 5 will take effect in September 2021, a year after its official release date. Organizations currently complying with NIST 800-53 R.4 will have to start the challenging task of reviewing the new standard, identifying gaps and remediating any issues. Pay special attention to the inclusion of privacy controls in your program as well as the two new security control families addressing program management and supply chain risk management.

As you work through tailoring your security and privacy control baselines, take time to review all new controls and evaluate the applicability of controls and enhancements that may be required to address specific threats to your organization. Conduct a risk assessment, supplement control baselines with additional controls or control enhancements to address specific organizational needs, and document the organization’s justification for removing controls from or adding controls to a baseline.

Optiv Security can work with you to bring your organization into compliance with the new standards. Our Risk Management practice offers a full range of consulting and assessment services to address your needs, including NIST-800-53 program development, readiness reviews and assessments. Optiv is ready to help clients with a smooth transition to NIST-800-53 R.5 through control baseline reviews and gap assessments.

Keith Forrester
Practice Manager - Strategy and Risk | Optiv
As a Practice Manager in Optiv’s Strategy and Risk Practice and responsible for Healthcare Service delivery, Keith leads a team of security professionals in the delivery of cybersecurity strategy, technology, and information risk management projects. He has over 25 years of information security governance and risk management experience supporting various industry sectors, including health care, technology, government, utility, and banking. His general background includes extensive experience delivering risk and regulatory assessments, developing governance and compliance programs, and supporting vCISO engagements.

Keith is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), PCI-DSS Qualified Security Assessor (QSA), HITRUST Certified CSF Practitioner (CCSFP), Certified HITRUST Quality Professional (CHQP) and Lean Six Sigma – Greenbelt.