On Sept. 23, 2020, the National Institute of Standards and Technology (NIST) released an update to its flagship security and privacy guidance, NIST 800-53 V5 Security and Privacy Controls for Information Systems and Organizations.
NIST 800-53 V5 is official
The update, according to NIST, is one that “will provide a solid foundation for protecting organizations and systems—including personal privacy of individuals—well into the 21st century.”
NIST describes this revision as not just a minor update, but rather an entire renovation of the SP to address structural issues and technical content. Since 2013, SP 800-53 has been accessed or downloaded from the NIST website “millions of times.”
The most significant changes to NIST 800-53, Revision 5 include:
- Making controls outcome-based: Revision 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement—thus focusing on the protection outcome to be achieved by applying the control. Note that Appendix C, Control Summaries, now includes an “implemented by [system/organization]” column for historical continuity.
- Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for systems and organizations. The privacy controls in Appendix J of Revision 4 have been incorporated into a new privacy family and the existing Program Management family. Some privacy controls were also incorporated into current security controls—allowing the controls to serve both the security and privacy communities and achieving more efficient control implementation.
- Integrating supply chain risk management: Revision 5 establishes a new Supply Chain Risk Management (SCRM) control family and weaves supply chain risk management aspects throughout the other control families to help protect the system components, products, and services of critical systems and infrastructures. The SCRM controls help ensure that security and privacy requirements, threats, and other concerns are addressed throughout the system development life cycle and across national and international supply chains.
- Separating the control selection process from the controls: Having a consolidated, stand-alone control catalog allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners. These communities of interest can now better collaborate on points of intersection or use an individualized process as needed to select controls to manage risk consistent with their mission and business needs and internal organizational policies and procedures.
- Transferring control baselines and tailoring guidance to a separate publication: Control baselines have been moved to the new NIST SP 800-53B, Control Baselines for Information Systems and Organizations. The three security baselines and one privacy baseline apply to federal agencies and reflect specific requirements under the Federal Information Security Modernization Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130. Other organizations may choose to develop their own customized baselines based on their mission or business needs and organizational risk tolerance.
- Improving descriptions of content relationships: Revision 5 clarifies the relationship between requirements and controls and the relationship between security and privacy controls. These relationships are essential to understand whether you are selecting and implementing controls at the enterprise level or as part of a lifecycle-based systems engineering process.
- Adding new state-of-the-practice controls: As cyber threats evolve rapidly, new safeguards and countermeasures are needed to protect the critical and high-value assets of organizations, including the individual’s privacy and personally identifiable information. The new controls in Revision 5 are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
Whom Does NIST 800-53 V5 Apply To?
NIST 800-53 V5 directly applies only to federal agencies. However, the publication is used as the basis for many other programs and should be consulted by anyone to whom those programs apply. This includes:
- Cloud Service Providers (CSPs) authorized under a FedRAMP program are required to use SP 800-53 controls to secure their services and facilities
- State agencies and any contractors partnered with the federal government will also have to comply, since SP 800-53 is used as the basis for FISMA
- Defense Federal Acquisition Regulation Supplement (DFARS) – while SP 800-171 initially imported its security controls from SP 800-53, the controls have since been adjusted to better protect controlled unclassified information (CUI) specifically. Nevertheless, SP 800-53 is recommended as a useful reference for non-federal businesses required to comply with DFARS. It is increasingly being used as a reference for non-federal security programs, for example as a baseline for the protection of Industrial Control Systems (ICS) in some industries.
In general, it is safe to assume that if your organization conducts any business with the U.S. government, SP 800-53, or some portion of it, will apply to the information systems used during the contract.
Continuum GRC is already rolling out NIST 800-53 V5 automation to our clients.
If you are a cloud service provider, you are undoubtedly seeking FedRAMP certification, or NIST 800-53 attestation. You may have already guessed that between the preparation costs to get ready for a NIST 800-53 audit as well as the 3PAO to audit and issue your attestation report, security assessment report (SAR), and system security plan (SSP), the expenses begin piling up.
“While the NIST 800-53 was designed for companies that manage the nation’s critical infrastructure, a wide variety of private and public-sector enterprises utilize it,” said Michael Peters, CEO of Continuum GRC. “Continuum GRC has supported all versions of NIST 800-53 for years; we also auto-map to other frameworks like NIST 800-171, HIPAA NIST 800-66, ISO 27001, and so many others,” Peters noted.
Continuum GRC ITAM NIST 800-53 assessment and compliance management software solutions are designed to eliminate the complexity and high costs of achieving a NIST 800-53 assessment attestation.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.