NIST 800-53 Rev. 5 Update is Coming Soon…

NIST 800-53 Revision 5 Security and Privacy Controls for Systems and Organizations

NIST 800-53 Revision 5 Security and Privacy Controls for Systems and Organizations is under final review which was just extended to May 29, 2020. The draft version is available at https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft. We recommended that you start reviewing it now so you can predict how the new standard will impact your current implementation and documentation. We project the final to be released by Fall 2020. BSC is monitoring the status and will post an update as soon as the final is released.

The key objectives of this standard are to provide a comprehensive set of safeguarding measures that enhance your systems’ resistance to attacks; limit the damage from any attacks that occur and increase the systems survivability. The following includes the latest information from the NIST Computer Security Resource Center regarding the changes expected in Revision 5.

Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:

  • Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
  • Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
  • Adding two new control families for privacy and supply chain risk management;
  • Integrating the Program Management control family into the consolidated catalog of controls;
  • Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
  • Separating the control catalog from the control baselines – a separate special publication (NIST 800-53B) will recommend controls for “low, moderate, and high” impact applications;
  • Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
      • Strengthen security and privacy governance and accountability;
      • Support secure system design; and
      • Support cyber resiliency and system survivability.