National Institute of Standards and Technology (NIST) documents sometimes appear daunting and complex, but they contain invaluable information for standardizing and safeguarding the technologies on which both our government and nation rely. Agency leaders and managers are wise to become familiar with new and forthcoming guidance in order to leverage it when appropriate.
NIST created Special Publication (SP) 800-53 to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA). Revision 5, titled “Security and Privacy Controls for Information Systems and Organizations,” is a major update that addresses the evolving cyber threat to information systems.
The threat “is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries,” according to the Defense Science Board.
Through Revision 5, NIST intends to develop “a proactive and systematic approach” to U.S. cyber deterrence, according to the agency. It expands the security and privacy controls established in previous revisions, specifically addressing organizational systems (such as transportation, health care, financial systems and energy) through which a successful major attack could cripple the nation.
While Revision 5 contains a broad variety of information you should explore to help your agency address cyber threats, pay close attention to the following key changes:
- A significant increase in the number of controls;
- New wording for the controls to provide an outcome-based focus;
- A new supply chain risk management (SR) control family incorporating risk management to address supply chain vulnerabilities;
- A new family of privacy controls (PT).
Since Revision 5 is targeted to wider communities of interest, it acknowledges that different organizations may want to use different methods when selecting applicable controls for their systems. A different document, NIST SP 800-37, Revision 2, describes the Risk Management Framework (RMF) that can help with this selection.
Four steps to Revision 5
NIST will replace Revision 4 with Revision 5 on September 23, 2021. NIST has outlined a four-step process for this transition to Revision 5:
- Since December 2020, NIST has been developing an implementation guide for Cloud Service Providers (CSPs), while also reviewing and updating baselines, parameters and control guidance.
- NIST will open a public comment period lasting from 90 to 120 days.
- NIST will review public comments, and update FedRAMP baselines and templates accordingly.
- NIST will release the final Revision 5 documentation updates, provide training forums on the updates and answer questions.
The advent of OSCAL
Although not directly part of Revision 5, NIST is also developing the Open Security Controls Assessment Language (OSCAL) in collaboration with industry. OSCAL will play a significant role in successfully implementing Revision 5, changing the way that federal agencies generate system security plans (SSPs) and security packages for systems processing federal government data in the cloud, as overseen by FedRAMP. OSCAL will enable agencies to digitize and standardize the generation of security packages. This will expedite reviews of security packages and make possible a faster route to authorization, while cutting costs and improving quality.
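The practical meaning of “digitize and standardize” is that a catalog of controls (and, downstream, an SSP) becomes a machine-readable document that tooling can validate and query rather than a Word file a reviewer reads by hand. The following is an added example, not code from NIST, FedRAMP or the authors of this article: it parses a small, constructed OSCAL-style catalog in JSON and enumerates the control families and the controls (including nested enhancements) in each, including the new SR and PT families mentioned above. The catalog content, UUID and control titles are illustrative and heavily abridged; the field layout (a top-level `catalog` object with `metadata`, `groups` and nested `controls`) follows the OSCAL catalog model as the author of this example understands it, and should be checked against the current OSCAL schema before use.

```python
"""Enumerate control families and control IDs from an OSCAL-style catalog.

Added example; not NIST, FedRAMP or OSCAL project code. The catalog below is
constructed and abridged: a real SP 800-53 Rev. 5 OSCAL catalog carries every
control, enhancement, parameter and statement.
"""
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample. UUID, titles and the choice of controls are illustrative.
CATALOG_JSON = r'''
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000000",
    "metadata": {
      "title": "Constructed sample catalog (not the NIST publication)",
      "version": "sample",
      "oscal-version": "1.0.0"
    },
    "groups": [
      {"id": "ac", "class": "family", "title": "Access Control",
       "controls": [
         {"id": "ac-1", "class": "SP800-53", "title": "Policy and Procedures"},
         {"id": "ac-2", "class": "SP800-53", "title": "Account Management",
          "controls": [
            {"id": "ac-2.1", "class": "SP800-53-enhancement",
             "title": "Automated System Account Management"}
          ]}
       ]},
      {"id": "pt", "class": "family",
       "title": "Personally Identifiable Information Processing and Transparency",
       "controls": [
         {"id": "pt-1", "class": "SP800-53", "title": "Policy and Procedures"}
       ]},
      {"id": "sr", "class": "family", "title": "Supply Chain Risk Management",
       "controls": [
         {"id": "sr-1", "class": "SP800-53", "title": "Policy and Procedures"},
         {"id": "sr-2", "class": "SP800-53", "title": "Supply Chain Risk Management Plan"}
       ]}
    ]
  }
}
'''


def load_catalog(text: str) -> dict:
    """Parse an OSCAL catalog document and return the inner "catalog" object.

    Rejects documents that are valid JSON but not a catalog (e.g. a profile or
    an SSP), so later code does not silently operate on the wrong model.
    """
    doc = json.loads(text)
    if "catalog" not in doc:
        raise ValueError('not an OSCAL catalog: top-level "catalog" key missing')
    return doc["catalog"]


def iter_controls(controls: Iterable[dict]) -> Iterator[dict]:
    """Yield each control and, recursively, every enhancement nested under it."""
    for control in controls:
        yield control
        yield from iter_controls(control.get("controls", []))


def family_ids(catalog: dict) -> List[str]:
    """Return the ids of the control families (top-level groups) in order."""
    return [group["id"] for group in catalog.get("groups", [])]


def controls_by_family(catalog: dict) -> Dict[str, List[str]]:
    """Map each family id to the ids of all controls and enhancements it holds."""
    result: Dict[str, List[str]] = {}
    for group in catalog.get("groups", []):
        result[group["id"]] = [c["id"] for c in iter_controls(group.get("controls", []))]
    return result


def misplaced_controls(catalog: dict) -> List[str]:
    """Return ids of controls whose prefix does not match the family containing them.

    A non-empty result indicates a malformed or hand-edited catalog; a package
    built from it would reference controls under the wrong family.
    """
    bad: List[str] = []
    for family, ids in controls_by_family(catalog).items():
        for control_id in ids:
            if control_id.split("-", 1)[0] != family:
                bad.append(control_id)
    return bad


if __name__ == "__main__":
    catalog = load_catalog(CATALOG_JSON)
    for family, ids in controls_by_family(catalog).items():
        print(f"{family}: {len(ids)} controls -> {', '.join(ids)}")
    print("misplaced controls:", misplaced_controls(catalog) or "none")
```

The same traversal generalises to the full NIST catalog once it is loaded from a file instead of the embedded string, and the prefix check is the kind of structural validation that can run automatically on every submitted package rather than being left to a human reviewer.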
Revision 5 provides guidance for NIST’s next generation of security and privacy controls framework. It addresses the need for a more proactive and systematic approach to cybersecurity, creating resilience needed to withstand sophisticated cyber attacks.
Learn more about NIST 800-53 Rev. 5
This team has developed a detailed white paper to help federal agency leaders understand Revision 5 in greater detail.