The Latest News On NIST 800-53 Revision 5

As always, we like to keep you up to date on the latest federal government security requirements. The planned release of NIST 800-53 Revision 5, Security and Privacy Controls for Systems and Organizations, has been delayed and is still in internal review.

The key objectives of this standard are to provide a comprehensive set of safeguarding measures that make our systems more resistant to attacks, limit the damage from any attacks that do occur, and increase the systems' survivability. The following is the latest information from the NIST Computer Security Resource Center regarding the changes expected in Revision 5.

“Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes significant changes to make the controls more consumable by diverse groups including, for example, enterprises conducting mission and business operations; engineering organizations developing systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:

  • Making the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
  • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects, and mission/business owners;
  • Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
  • Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
  • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability…”

We will keep you updated on any changes to the Revision 5 schedule via future newsletters and our website. Keep in mind that the version that was due to be released in March was still a draft version for outside review. Any changes based on Revision 5 do not need to be fully implemented by your organization until one year after the final version of the standard is released. But, as we all know, if it makes your systems more secure, the sooner they are implemented, the better.