It has been seven years since the last major update to NIST’s flagship security and privacy guidance document Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. Since 2013, the publication has been accessed or downloaded from the NIST web site millions of times. This month, NIST unveiled an historic update to its security and privacy controls catalog that will provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.
NIST SP 800-53, Revision 5 is not just a minor update but rather a complete renovation—addressing both structural issues and technical content. The update represents a multi-year effort to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices. The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.
The most significant changes to SP 800-53, Revision 5 include:
Making controls outcome-based: Revision 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement—thus focusing on the protection outcome to be achieved by the application of the control.Note that for historical continuity, Appendix C, Control Summaries now includes an “implemented by [system/organization]” column.
Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for systems and organizations. The privacy controls in Appendix J of Revision 4 have been incorporated into a new privacy family and the existing Program Management family. Some of the privacy controls were also incorporated into current security controls—allowing the controls to serve both the security and privacy communities as well as achieving more efficient control implementation.
Integrating supply chain risk management: Revision 5 establishes a new Supply Chain Risk Management (SCRM) control family and integrates supply chain risk management aspects throughout the other control families to help protect system components, products, and services that are part of critical systems and infrastructures. The SCRM controls help ensure that security and privacy requirements, threats, and other concerns are addressed throughout the system development life cycle and the national and international supply chains.
Separating the control selection process from the controls: Having a consolidated, stand-alone control catalog allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners. These communities of interest can now better collaborate on points of intersection or use an individualized process as needed for selecting controls to manage risk consistent with their mission and business needs as well as internal organizational policies and procedures.
Improving descriptions of content relationships: Revision 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls. These relationships are important to understand whether you are selecting and implementing controls at the enterprise level or as part of a life cycle-based systems engineering process.
Adding new state-of-the-practice controls: As cyber threats evolve rapidly, new safeguards and countermeasures are needed to protect the critical and high value assets of organizations including individual’s privacy and personally identifiable information. The new controls in Revision 5 are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
In addition to the world’s first consolidated security and privacy control catalog, NIST has a variety of frameworks available to help select and implement the controls. These include the Risk Management Framework, Cybersecurity Framework, and Privacy Framework. And to make all of the security and privacy frameworks and controls more efficient and cost-effective for our customers, NIST is launching a new automation initiative to provide the content of its consolidated control catalog in different formats and to deliver the content through https://csrc.nist.gov.
Exciting times ahead—we encourage you to take a look at the latest update to SP 800-53, use the content to build or improve your security, privacy, and supply chain risk management programs, and share your feedback to help us continuously improve the controls and supplemental materials.
Ron Ross is a computer scientist and Fellow at the National Institute of Standards and Technology. He specializes in cybersecurity, risk management, and systems security engineering. Ron is a retired...
Great post and summary of the significant changes between Rev4->Rev5. I will definitely use this reference information in my efforts to continue to educate and collaborate with my colleagues in my company and industry on Security and Privacy controls.