Proposed NIST Revision 5 Changes

NIST has reviewed input from a number of organizations and businesses and has published some of its proposed changes for Revision 5. The good news is that these changes do not affect the actual security controls, so organizations would not be required to update security documentation, including the System Security Plan, outside of the normal update schedule. Here are a few of the currently proposed changes that are likely coming:

  • Removal of the term “federal” from the title and throughout the publication to the extent appropriate. The purpose is to stress that security is a national issue, not just a federal one, and that the standard can apply to all types of organizations, both government and commercial.
  • Replacement of the term “information system” with the term “system” throughout the document. This change is meant to stress that the NIST standard applies to all types of systems; “information systems” are only a subset of the larger population of systems that now use the standard to achieve compliance, including the DoD’s adoption of the standard as part of its Risk Management Framework.
  • Movement of the Program Management control family from Appendix G into Appendix F. This is simply a formatting change to improve readability; none of the controls have changed.
  • Movement of the Privacy controls from Appendix J into a single family in Appendix F. This involves renumbering the Privacy controls and assigning a new family name, tentatively the Privacy – PR – family. Like item 3, this is more of a readability improvement.
  • Removal of the P0, P1, P2, and P3 “Priority” designations. These designations were confusing to some organizations and generally unnecessary, since organizations implement controls based on criticality, and once a control is implemented and documented in the Security Plan the priority is no longer relevant. These priorities would make more sense as part of a Plan of Action and Milestones/Corrective Action Plan.
  • Removal of the introductory “entity” language (i.e., “The organization” and “The information system”) from security controls and control enhancements. This change provides more consistency with other NIST standards (SP 800-160 and SP 800-171 specifically) and improves clarity, flexibility, readability, and applicability to all types of organizations. In addition, controls have been rephrased to make them more action-oriented and outcome-based by focusing on the security capability (i.e., what needs to be done to protect the system or information, not which entity carries out the action). This affects only the way the control is phrased and does not change the intent of the control.