NIST 800-53 Revision 5 is Hot off the Press!

NIST 800-53 Revision 5 Security and Privacy Controls for Systems and Organizations

As we have continually reported on our BSC Security Blog, it has been many years since the last update to NIST 800-53. NIST 800-53 revision 5 is a major update to the security standard, both technically and structurally. The big question most of you likely have is: when do I need to be compliant? You should start preparing now, but you have until September 21st, 2021 to be fully compliant. Of course, your client may have different ideas, so there is always the chance the timeline could change. Different agencies are known for having their own security requirements based on their specific security concerns, as they should.

The first major structural change is that there are now twenty control families, up from seventeen. Among the three new control families that have been added to the mix, one was long overdue: Supply Chain Risk Management. Security is a team effort, and if your suppliers and vendors lack the same level of due diligence as your organization, it can negate all of your efforts. In addition, the previous privacy guidance from revision 4 has been updated, clarified and integrated into the security control catalog, and a new privacy family has been established: the PII Processing and Transparency family of controls. Finally, the Program Management controls that were in revision 4, but which were separated from the actual families and treated as guidance, are now a full-blown family of controls all their own. The table below shows the new control family structure.

| ID | Family | ID | Family |
|----|--------|----|--------|
| AC | Access Control | PE | Physical and Environmental Protection |
| AT | Awareness and Training | PL | Planning |
| AU | Audit and Accountability | PM | Program Management |
| CA | Assessment, Authorization, and Monitoring | PS | Personnel Security |
| CM | Configuration Management | PT | PII Processing and Transparency |
| CP | Contingency Planning | RA | Risk Assessment |
| IA | Identification and Authentication | SA | System and Services Acquisition |
| IR | Incident Response | SC | System and Communications Protection |
| MA | Maintenance | SI | System and Information Integrity |
| MP | Media Protection | SR | Supply Chain Risk Management |

Another major change is that control baseline selection has been transferred to a separate publication: NIST 800-53B, Control Baselines for Information Systems and Organizations. We still use FIPS PUB 199 to determine whether an organization must be compliant with the High, Moderate or Low security control baseline, but instead of the reference tables being included in NIST 800-53 you need to reference the new standard NIST 800-53B. The goal is to separate the control selection process from the controls, allowing controls to be used by different communities of interest. While this standard is currently in draft mode, we project the final will be released soon since the comment window is closed. But keep in mind that any agency can and will select additional controls to establish their own customized baseline, so the guidance from your client should be the main determinant of your selection.

Other changes include:

  • Making controls outcome-based: Revision 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement—thus focusing on the protection outcome to be achieved by the application of the control. Note that for historical continuity, Appendix C, Control Summaries, now includes an “implemented by [system/organization]” column.
  • Separating the control selection process from the controls: Having a consolidated, stand-alone control catalog allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners. These communities of interest can now better collaborate on points of intersection or use an individualized process as needed for selecting controls to manage risk consistent with their mission and business needs as well as internal organizational policies and procedures.
  • Improving descriptions of content relationships: Revision 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls. These relationships are important to understand whether you are selecting and implementing controls at the enterprise level or as part of a life cycle-based systems engineering process.
  • Adding new state-of-the-practice controls: As cyber threats evolve rapidly, new safeguards and countermeasures are needed to protect the critical and high value assets of organizations including individuals’ privacy and personally identifiable information. The new controls in Revision 5 are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).

We encourage you to review the new standard and prepare for September 2021. BSC already has templates and processes in place to support the new requirements, including a comprehensive vendor review process. Give us a call if you have any questions or would like a gap analysis to see what you need to do to be compliant with the new requirements.

All referenced standards are available at the NIST web site, but for your convenience we have attached the documents below.