
The Next Generation Security and Privacy Controls—Protecting the Nation’s Critical Assets


It has been seven years since the last major update to NIST’s flagship security and privacy guidance document Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. Since 2013, the publication has been accessed or downloaded from the NIST web site millions of times. This month, NIST unveiled an historic update to its security and privacy controls catalog that will provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.

NIST SP 800-53, Revision 5 is not just a minor update but rather a complete renovation, addressing both structural issues and technical content. The update represents a multi-year effort to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and for all types of systems, from supercomputers to industrial control systems to Internet of Things (IoT) devices. The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.

The most significant changes to SP 800-53, Revision 5 include:

  • Making controls outcome-based: Revision 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement—thus focusing on the protection outcome to be achieved by the application of the control. Note that for historical continuity, Appendix C, Control Summaries now includes an “implemented by [system/organization]” column.
  • Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for systems and organizations. The privacy controls in Appendix J of Revision 4 have been incorporated into a new privacy family and the existing Program Management family. Some of the privacy controls were also incorporated into current security controls—allowing the controls to serve both the security and privacy communities as well as achieving more efficient control implementation.
  • Integrating supply chain risk management: Revision 5 establishes a new Supply Chain Risk Management (SCRM) control family and integrates supply chain risk management aspects throughout the other control families to help protect system components, products, and services that are part of critical systems and infrastructures. The SCRM controls help ensure that security and privacy requirements, threats, and other concerns are addressed throughout the system development life cycle and the national and international supply chains.
  • Separating the control selection process from the controls: Having a consolidated, stand-alone control catalog allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners. These communities of interest can now better collaborate on points of intersection or use an individualized process as needed for selecting controls to manage risk consistent with their mission and business needs as well as internal organizational policies and procedures.
  • Transferring control baselines and tailoring guidance to a separate publication: Control baselines have been moved to the new NIST SP 800-53B, Control Baselines for Information Systems and Organizations. The three security baselines and one privacy baseline are applicable to federal agencies and reflect specific requirements under the Federal Information Security Modernization Act and the Office of Management and Budget (OMB) Circular A-130. Other organizations may choose to develop their own customized baselines in accordance with their mission or business needs and organizational risk tolerance.
  • Improving descriptions of content relationships: Revision 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls. These relationships are important to understand whether you are selecting and implementing controls at the enterprise level or as part of a life cycle-based systems engineering process.
  • Adding new state-of-the-practice controls: As cyber threats evolve rapidly, new safeguards and countermeasures are needed to protect the critical and high value assets of organizations, including individuals' privacy and personally identifiable information. The new controls in Revision 5 are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).

Additional supplemental materials will also be available immediately or in the near future, including:

  • Security and privacy control collaboration index template.
  • Comparison of SP 800-53 Revisions 4 and 5.
  • Control mappings to the Cybersecurity and Privacy Frameworks.
  • Control mappings to OMB Circular A-130 privacy requirements.
  • Control keywords.
  • Open Security Control Assessment Language (OSCAL) version of SP 800-53, Revision 5 controls.
  • Spreadsheet of SP 800-53, Revision 5 controls.

In addition to the world’s first consolidated security and privacy control catalog, NIST has a variety of frameworks available to help select and implement the controls. These include the Risk Management Framework, Cybersecurity Framework, and Privacy Framework. And to make all of the security and privacy frameworks and controls more efficient and cost-effective for our customers, NIST is launching a new automation initiative to provide the content of its consolidated control catalog in different formats and to deliver the content through https://csrc.nist.gov.

Exciting times ahead—we encourage you to take a look at the latest update to SP 800-53, use the content to build or improve your security, privacy, and supply chain risk management programs, and share your feedback to help us continuously improve the controls and supplemental materials.

About the author

Ron Ross

Ron Ross is a computer scientist and Fellow at the National Institute of Standards and Technology. He specializes in cybersecurity, risk management, and systems security engineering. Ron is a retired Army officer who, when not defending cyberspace, follows his passion for NASCAR and takes care of his adopted rescue dog, Sophie.

Victoria Yan Pillitteri

Victoria Yan Pillitteri is a supervisory computer scientist at the National Institute of Standards and Technology. She leads the Federal Information Security Modernization Act (FISMA) Team that develops the suite of risk management guidance used for managing information security risk in the federal government. Outside of work, she enjoys teaching group exercise classes, baking, and traveling.

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work on the National Strategy for Trusted Identities in Cyberspace (NSTIC), privacy engineering, privacy-enhancing technologies, cybersecurity and standards development.

FierceGovernmentIT named Ms. Lefkovitz on their 2013 “Fierce15” list of the most forward-thinking people working within government information technology, and she is a 2014 Federal 100 Awards winner.

Before joining NIST, she was the Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Staff in the Executive Office of the President. Her portfolio included the NSTIC as well as addressing the privacy and civil liberties impact of the Obama Administration’s cybersecurity initiatives and programs.

Prior to her tenure at the White House, Ms. Lefkovitz was a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission. Her responsibilities focused primarily on policy matters, including legislation, rulemakings, and business and consumer education in the areas of identity theft, data security and privacy.

At the outset of her career, she was Assistant General Counsel at CDnow, Inc., an early online music retailer.

Ms. Lefkovitz holds a B.A. with honors in French Literature from Bryn Mawr College and a J.D. with honors from Temple University School of Law.

Comments

Great post and summary of the significant changes between Rev4->Rev5. I will definitely use this reference information in my efforts to continue to educate and collaborate with my colleagues in my company and industry on Security and Privacy controls.

Fantastic!!!!!
