In its 2017 report, the Department of Defense Task Force on Cyber Deterrence provided this sobering assessment of the vulnerabilities in the U.S. critical infrastructure and information systems that support mission-essential operations and assets in the public and private sectors:
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing
efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”
In response to these findings, the National Institute of Standards and Technology (NIST) began a three-year effort to strengthen and modernize the security and privacy controls included in its Special Publication (SP) 800-53, which guides federal agencies and contractors in meeting the requirements set by the Federal Information Security Management Act (FISMA).
On September 23, 2020, after an extensive review and comment period, NIST published the final version of Revision 5 (Rev 5) of SP 800-53 . This is the first new release since Rev 4 was published over seven years ago, and it represents a major overhaul that takes a more proactive and systematic approach to cybersecurity. This significant release adds 45 new base controls, 150 control extensions, and approximately 100 new parameters to existing controls.
We believe NIST has done a commendable job with this update and that it significantly raises the bar for security and privacy. But with this substantial change comes a fair amount of work for businesses wishing to remain compliant with SP 800-53.
NIST describes the most significant changes being introduced with Rev 5 as follows:
- Making the controls more outcome-based by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement.
- Integrating information security and privacy controls into a seamless, consolidated control catalog for information systems and organizations.
- Establishing a new supply chain risk management control family.
- Separating control selection processes from the controls, thereby allowing the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.
- Removing control baselines and tailoring guidance from the publication and transferring the content to NIST SP 800-53B, Control Baselines for Information Systems and Organizations.
- Clarifying the relationship between requirements and controls and the relationship between security and privacy controls.
- Incorporating new, state-of-the-practice controls (e.g., controls to support cyber resiliency, support secure systems design, and strengthen security and privacy governance and accountability) based on the latest threat intelligence and cyber-attack data.
In addition to these major changes, there are many smaller modifications. Notably, “blacklisted software” and “whitelisted software” are now “blocked software” and “authorized software,” respectively.
When Do the Changes Take Effect?
We anticipate the NIST SP 800-53 Rev 5 changes will go into effect in September of 2021, which would allow a one-year adoption period following the September 2020 publication of Rev 5.
Who Do the Changes Apply To?
Any organization or system that processes, stores, or transmits information on behalf of a federal agency will need to be compliant with NIST SP 800-53 Rev 5 by the end of the adoption period. If you expect to bid on FISMA or FedRAMP contracts, be sure to factor this into your planning.
Rev 5 makes changes to structure and technical content to position it for use by a broader audience as well. Its federal focus has been de-emphasized to encourage greater adoption and use by non-federal organizations and promote greater international acceptance. While it is not mandated for these organizations, it will likely be adopted by many businesses that do not handle federal information.
NIST describes Rev 5 as the “first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems – from supercomputers to industrial control systems to Internet of Things (IoT).”
What Should You Do To Prepare?
If you haven’t already started your effort to become compliant with NIST SP 800-53 Rev 5, we recommend starting now as it’s likely to take the better part of a year. Here are the steps we recommend:
- Perform a gap assessment to identify areas that must be addressed to comply with Rev 5. Consider using an independent party with in-depth knowledge of NIST 800-53 to help you with this. If you are already Rev 4-compliant, the Supplemental Materials section of the Rev 5 publication provides detailed information on the differences between Rev 4 and Rev 5.
- Refresh existing policies, procedures, and controls—and create new ones—to align with Rev 5.
- Update your System Security Plan (SSP) to align with Rev 5.
- Remediate any remaining gaps identified in the gap assessment.
- Conduct a pre-assessment to confirm your Rev 5 compliance in all areas.
- Engage a qualified third-party assessor to formally assess and attest to your compliance with Rev 5.
Stay tuned for Tevora’s upcoming white paper that will do a deep dive on the Rev 5 changes and provide recommendations and insights for implementing them in your organization.
We Can Help
If you have questions about NIST SP 800-53 or would like help implementing changes in your environment to ensure Rev 5 compliance, Tevora’s team of data privacy and security specialists can help. We can also perform a gap assessment, a pre-assessment, or a formal assessment and compliance attestation. Just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
About the Author
Kaitlyn Bestenheider is a Senior Information Security Analyst at Tevora.