NIST 800-53 is the cornerstone of many government cybersecurity policies in the United States, including how security shapes partnerships between federal agencies and IT and cloud providers. Understandably, it has gone through several revisions since its initial publication in 2005 to meet evolving security threats.
Here, we’ll discuss the latest revision of NIST 800-53, Revision 5. This revision will go into full effect for all providers on September 23, 2021, with the withdrawal of Revision 4.
What is NIST 800-53?
Special Publication 800-53, titled “Security and Privacy Controls for Federal Information Systems and Organizations,” was created to elevate the existing security measures in place for federal agencies. More specifically, 800-53 outlines the security controls that government agencies and contractors should implement, depending on the circumstances of their work and the information that they manage.
These families of controls are broken down into (as of 2021) 53 categories:
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Assessment, Authorization and Monitoring (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Personally Identifiable Information Processing and Transparency (PT)
- Program Management (PM)
- Risk Assessment (RA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- System and Services Acquisition (SA)
- Supply Chain Risk Management (SR)
It isn’t the case that every organization will have to adhere to every single control in the framework. That’s why NIST 800-53 further divides controls into different security baselines of Low-, Moderate- and High-Impact levels.
- A Low Impact Level applies to organizations and agencies where the loss or theft of data would have no significant effect on the operation of that agency or its constituents. This level includes 131 of all the 800-53 controls.
- A Moderate Impact Level speaks to situations where the loss or theft of data would have a significant impact on the operation of the agency or the livelihood of its constituents, including potential financial loss or bodily harm. At Moderate Impact Level, your IT infrastructure will implement up to 325 distinct security controls.
- A High Impact Level includes contexts where data loss or theft could catastrophically impact agencies and their constituents, including significant financial loss, disclosure of Private Health Information (PHI), or serious bodily harm up to and including death. This level includes up to 421 distinct security controls.
This document carries a lot of weight in terms of defining security requirements on its own, and it additionally serves as the basis for some other government compliance frameworks, including FedRAMP for Cloud Service Providers (CSPs). Just as important, NIST 800-53 addresses security controls as laid out in the NIST Risk Management Framework (RMF).
What are the Different Versions of NIST 800-53?
The original NIST SP 800-53 was released as version 1 in February 2005 and laid out the basic controls and families relevant to the security landscape during that time. Over the following 16 years, the document saw a total of 5 revisions to the core document to address changes in cybersecurity and risk management. These revisions include:
- Revision 1: Released in December 2006, Revision 1 restructured some requirements in the original document to help focus on a “larger strategic initiative [for] enterprise-wide, near real-time risk management”. That is, it aimed to scale risk management and security to evolving enterprise environments.
- Revision 2: Released in December 2007, Revision 2 added guidance for implementing security controls for Industrial Control Systems (ICSs), namely those with distributed or networked controls.
- Revision 3: A major overhaul released in August 2009, Revision 3 implemented wide-ranging changes such as adjusting the controls required for Low Impact systems, adding new application controls, introducing a method for demonstrating the security fitness of existing cybersecurity infrastructure against NIST standards, and defining new prioritization and structures for control implementation. Perhaps most importantly, this revision also introduced a simple six-step risk management framework.
- Revision 4: Released in February 2012, Revision 4 incorporated input from the intelligence community and the Department of Defense (DoD) to address security issues such as persistent threats, supply chain threats, application security, mobile and social media threats, and insider threats.
Revision 4 has long been the standard for compliance, up to the release of Revision 5 in 2020.
What’s New in NIST 800-53 Version 5?
With the release of Revision 5, NIST is turning to even more modern risk management and threat mitigation features. Some major changes in Revision 5 are:
- An expanded list of controls, including the addition of three new families: Supply Chain Risk Management, Personally Identifiable Information Processing and Transparency, and Program Management.
- De-emphasizing terms such as “information systems” and “federal” agencies to expand the reach and applicability of the document.
- Integrating privacy controls into overall security measures to consolidate their application.
- Restructuring cybersecurity control families to move away from responsibility for implementation to outcome-based goals.
- Separation of control selection (along with the Low, Moderate and High Levels) from the control families. Now, the family designation is moved into the associated 800-53B document. This helps streamline risk management.
- Including controls that address ongoing best practices aligned with risk, threat detection and threat tracking.
There are also smaller changes that fit into these larger items and that may or may not impact specific organizations.
According to NIST, Revision 4 will be withdrawn in September 2021, at which time compliance with Revision 5 will be enforced. However, depending on the needs of partner agencies in the federal government, providers and contractors may need to adhere to Revision 5 standards at an earlier date.
NIST 800-53 applies to several agencies and compliance frameworks, but we’ve found that it will most immediately impact FedRAMP-compliant CSPs working with government agencies. In this context, both 3PAOs and CSPs will need to prepare for the transition, if they have not already done so.
Your organization needs to get ready for the transition. After 2021, Revision 5 of NIST 800-53 will be the law of the land. More importantly, it will reflect the most up-to-date take on modern security threats and cybersecurity best practices.
Fortunately, a solid audit and automation program can make assessing and updating your IT infrastructure for Revision 5 easier and faster. With proper automation through the Continuum GRC ITAM platform, you can take an audit process that would normally take weeks or months and complete it within days or even hours.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.