What Does NIST 800-53 Revision 5 Mean for Cybersecurity?

October 12, 2022

What is NIST 800-53 Revision 5?

NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the federal government and every sector of critical infrastructure. These next-generation controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.

NIST 800-53 is a set of guidelines recommending how U.S. government agencies and private sector organizations supporting federal contracts should manage and protect information systems and the data within those systems. The security controls within NIST 800-53 are organized into different categories ranging from Access Control to Contingency Planning, Media Protection, Risk Assessment, and more. These categories contain more than 1,000 individual control elements.

Now that Revision 4 has been superseded by Revision 5, what does it mean for you?

What is Changing?

The most significant changes in SP 800-53, Revision 5 include:

  • Information security and privacy controls are now integrated into a single, consolidated control catalog for information systems and organizations.
  • Revision 5 establishes a new supply chain risk management (SCRM) control family and integrates SCRM considerations throughout the catalog.
  • Revision 5 adds state-of-the-practice controls based on the latest threat intelligence and cyberattack data (e.g., controls supporting cyber resiliency, secure systems design, security and privacy governance, and accountability).
  • Controls are now outcome-based. Revision 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., the information system or the organization) from the control statement.
  • Revision 5 clarifies the relationship between requirements and controls, as well as the relationship between security and privacy controls.
  • Separating the control selection processes from the controls themselves allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.
  • Control baselines and tailoring guidance have been moved to NIST SP 800-53B.

Emphasis on Privacy

Revision 5 incorporates a greater emphasis on privacy — part of a larger effort to integrate privacy into all Federal Information Security Management Act (FISMA) regulations. As such, privacy controls that were previously detailed in an appendix to the main catalog of NIST 800-53 Revision 4 have evolved and moved into a new privacy control family called Personally Identifiable Information Processing and Transparency.

This was to be expected. There’s been an increasing emphasis on privacy over the last few years, with the introduction of regulations like GDPR. NIST even came out with its own privacy framework early in 2020.

Making Sense of the Changes

In addition to the significant changes listed above, Revision 5 also introduces a variety of new controls to strengthen security and privacy governance and accountability, support secure system design, and support cyber resilience and system survivability. The number of changes may seem overwhelming, but partnering with Wilson Consulting Group will help ensure that your organization stays in step with these revised guidelines.
