In 2017, the National Institute for Standards and Technology (NIST) released an initial draft of the NIST SP 800-53 Rev. 5. Security and Privacy Controls for Information Systems and Organizations. Three years later, on September 23, 2020, the NIST finally published revision number 5. Both the public and private sectors rely on NIST guidance to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products/services. Specifically, this framework is key to achieving several certifications including FedRAMP, FISMA, CMMC, CMS EDE, and DE Pathway audits. It’s only a matter of time before all IT security and privacy compliance/certifications will incorporate this new guidance (e.g. HITRUST, GDPR, CCPA, etc.).
To set the tone, this revision (NIST SP 800-53 Rev. 5) is long overdue, as the last major update was over seven years ago in 2013. In fact, revision 5 should be renamed “The Renovation”, as both structural issues and technical content have been addressed within. The update represents a first-in-kind comprehensive catalog of privacy and security controls that is scalable to address organizations of all sizes and is as far-reaching to cover systems ranging from supercomputers to Internet of Things (IoT) devices. The controls are systematic in nature to ensure that critical systems, components, and services are not only secured but have the resilience to defend not only the United States’ interest in both economic and national security threats but all enterprises in all industries.
The following highlights the most significant changes to the framework:
- Controls are outcome-based (as opposed to impact-based): For those not familiar with revision 4, this may seem like wordsmithing. However, this change is by far the most impactful. The control statement is now removed from the entity responsible for satisfying the control (e.g., people, process, system) – thereby allowing the outcome of the control (i.e., ability to protect/secure) to demonstrate effectiveness. This is great news for organizations that struggle with privacy compliance (e.g. GDPR or CCPA). Typically, the regulation around those laws serves more as guidance, leaving a lot of ambiguity for individual organizations to interpret their control effectiveness. NIST 800-53 Rev. 5 provides substantially increased clarity around privacy controls. For continuity purposes, Appendix C, Control Summaries provides a map between the new guidance and revision 4 by adding the “implemented by [entity]” column.
- Integration of privacy controls with security controls: Privacy takes a starring role in revision 5, with the intent of integrating privacy considerations into the system design and implementation process. Whereas revision 4 contained a separate appendix for privacy controls, revision 5 integrates privacy control families into existing security controls, as well as newly-created joint security and privacy controls. The unified consolidated control catalog allows controls to serve security and privacy risks from both an assurance and functional perspective. Basically, the control catalog is more dynamic with the intent to reflect a holistic outcome of a single control that serves multiple purposes. The control catalog also provides a summary and mapping tables.
- Increase of controls in Program Management: The Program Management (PM) control family includes 16 new controls – almost doubled from revision 4. This increase is primarily driven by the promotion of developing privacy programs to incorporate new privacy controls.
- Integrating supply chain risk management: A new Supply Chain Risk Management (SR) control family has been added. Also, elements of supply chain risk management have been integrated with cybersecurity approaches. This change impacts the Cybersecurity Framework and throughout all other control families to protect the procurement of system components, products, and services that support critical infrastructure and networks.
- The separation between the control selection process and the controls: the consolidated control catalog allows controls to be used on a stand-alone basis by different “communities of interest” (e.g. system engineers, security architects, enterprise architects, software developers, business owners, etc.). The intention is to allow collaboration among various stakeholders where process intersects and select from a unified control catalog to consistently manage risk throughout the organization.
- Created a comprehensive set of security and privacy control baselines: Control baselines have been carved out into a separate document: NIST SP 800-53B, Control Baselines for Information Systems and Organizations. There are three security control baselines for low, moderate, and high impact. The privacy baseline is applied irrespective of the level of impact. Also, the guidance provides working assumptions to assist organizations with the control selection process. Finally, the guidance is designed to be scalable across various “communities of interest”, technologies, and various operating environments to promote widespread adoption.
- Enhanced content relationship descriptions: The description between requirements and controls as well as the difference between security and privacy controls have been enhanced to provide further clarification. The emphasis is on guiding the user on selecting versus implementing controls at the enterprise level or as part of the system development life-cycle.
- Incorporating new state-of-the-practice controls: To address the rapidly evolving cyber threats, new safeguards and countermeasures are added with a specific focus on protecting individuals’ privacy and personally identifiable information (PII). The new privacy controls focus on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
- Assigning senior IT management to the entire control family: The intent of this mandate is to assign accountability and ownership to each control and specifically to the control outcome. However, in practice, especially in project-based organizations, assigning one individual to own control that impacts multiple disciplines, products and projects may not be feasible.
- Expanding the definition of “systems”: To be more comprehensive of all privacy and security threats, the term “systems” was expanded from information systems to all systems including industrial or process control systems, cyber-physical systems, weapons systems, and the internet of things (IoT) devices.
- Removal of the word “Federal” from the title for broader adoption of the private sector: In efforts to promote widespread adoption by both the public and private sector, the word “Federal” has been removed from the title. While only federal systems require the NIST framework, the intent is to promote broader adoption by the private sector.
Click here to get updates on additional supplemental NIST materials that will also be available soon, including:
- Security and privacy control collaboration index template.
- Comparison of SP 800-53 Revisions 4 and 5.
- Control mappings to the Cybersecurity and Privacy Frameworks.
- Control mappings to OMB Circular A-130 privacy requirements.
- Control keywords.
- Open Security Control Assessment Language (OSCAL) version of NIST SP 800-53 Rev. 5 controls.
- Spreadsheet of SP 800-53, Revision 5 controls.
Elevate has deep expertise in NIST SP 800-53 Rev. 5, Cybersecurity and Data Privacy best practices. We can guide you through your security risk management and control readiness assessments to ensure you get the best value for your efforts and most importantly that your high-value assets and critical information are protected.
