Understanding NIST Special Publication (SP) 800-53
Every so often, a road needs to be repaved.
New potholes and other hazards emerge all the time, and to keep drivers safe, the pavement needs to fill any potentially dangerous gaps so as to maintain the best road possible.
The same is true for security guidelines like NIST Special Publication (SP) 800-53.
Back when NIST SP 800-53 Revision 4 was first released in April 2013, its intent was to serve as a catalog of security and privacy controls designed to protect information systems and organizations from cybersecurity risks.
But in today’s digital world, the threat landscape is ever-evolving, and as such, SP 800-53 has since been revised to keep up. Still, with many different frameworks out there, it can be hard for an organization to do the same when it comes to the latest iterations of things.
SP 800-53 Revision 5 is the latest iteration, having been released on September 23, 2020, and we want to help you understand it as fully as possible. As an approved Third Party Assessment Organization, our federal compliance practice deals a lot with this publication and how it can map to other compliance options.
In this article, we’ll break down SP 800-53 Revision 5’s updated guidance on the next generation of security and privacy controls. We’ll also address the types of organizations where these controls might be applicable.
When you’re driving down a road, you trust the municipality to make sure it’s safe to drive so you don’t wreck your car. Let us simplify this latest revision for you so that you understand better what’s in it and whether or not it affects you.
What are the Most Recent Changes to SP 800-53?
As we mentioned, Revision 5 delivers a control catalog that better supports the technology of today without losing sight of tomorrow's cyber threats and attack vectors.
It does include some significant updates designed to better align those controls with its objective of protecting organizations and information systems against a diverse set of threats and risks.
Here’s a general overview of what those updates and changes from the last revision are.
Expansion of the Control Catalog
The control catalog now encompasses a total of twenty control families, which is an increase of three from Revision 4. Those three additional families are:
- Supply Chain Risk Management (SR) Controls: Expands on the concepts required as part of Revision 4’s high baseline control SA-12, Supply Chain Protection.
- Personally Identifiable Information Processing and Transparency (PT) Controls: Addresses privacy risk management as was previously done in the Privacy Control Catalog, Appendix Jof Revision 4.
- Program Management (PM) Controls: Expands upon the Information Security Program Managementcontrols that were previously addressed in Appendix G of Revision 4.
Together, these control families provide a consolidated set that can be leveraged as part of an organization’s risk management program.
Incorporation of New “State-of-the-Practice” Controls
It wasn’t just new control families— also included in Revision 5 are new controls and accompanying control discussions to "support cyber resiliency, support secure systems design, and strengthen security and privacy governance…based on the latest threat intelligence and cyber-attack data."
- RA-10 is a new control that establishes a threat-hunting capability that monitors, detects, tracks, and disrupts threats that evade existing controls
- SC-7 (24), SI-18, and SI-19 are new controls with privacy requirements. Among the many other additions, these focus on understanding what personally identifiable information (PII) is being processed and security measures in place for protecting the confidentiality and integrity of the PII throughout the data lifecycle.
Integration of Security and Privacy Considerations
In fact, an entire 'Security and Privacy Controls' section has been added to chapter two within Revision 5 to discuss the relationship between security and privacy components.
Not only that, the individual control descriptions and control discussion sections within chapter three have been expanded to incorporate specific security and privacy considerations. Now, each organization must ultimately understand the types of data being stored and processed within their environment to manage the security and privacy controls affecting this relationship.
By integrating security and privacy considerations throughout the publication, Revision 5 aims to help organizations align their security and privacy objectives with the risk that accompanies the data types within their environment.
Restructure of Controls to be Outcome-Based
Instead of identifying a specific entity responsible for implementing the control (e.g., the information system or the organization), Revision 5 focuses on the outcome. Using the IA-2 control descriptions, you can see the contrast between the approach in the previous Revision 4 and this one:
- NIST SP 800-53 Rev4: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
- NIST SP 800-53 Rev5: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Separation of the Control Selection Process
Revision 5 is meant to provide a unified security and privacy control catalog that can be leveraged by various stakeholders and communities of interest, including:
- Systems engineers;
- Security architects;
- Software developers;
- Enterprise architects;
- Systems security and privacy engineers; and
- Mission or business owners.
To do that, the publication moved a significant amount of guidance that was previously included as part of Revision 4 to other NIST publications. This separation between the individual controls and control selection processes also promotes alignment with different cybersecurity frameworks, allowing organizations to integrate and streamline their risk management approach.
Is NIST SP 800-53 Rev5 Applicable to Your Organization?
So, do you even need to worry about these changes? What organizations should pay attention?
- All federal agencies, state agencies administering federal programs, and private sector organizations supporting federal contracts.
- Cloud service providers (CSPs) that are part of the Federal Risk and Authorization Management Program (FedRAMP) process—or wish to be—as well as organizations that have contractual relationships to support the federal government, must eventually follow NIST SP 800-53 Rev5.
- The FedRAMP Program Management Office (PMO) is expected to issue guidance in the future regarding the specific Revision 5 controls and requirements that will make up the FedRAMP control baselines (e.g., Tailored, Low, Moderate, High). As of April 2022, the PMO was in Step 3 (out of 4) of their Rev5 transition. The PMO is currently in the process of finalizing the control baselines and documentation based on responses from the public comment period, so more to come there.
- Once this guidance is released, CSPs that are FedRAMP authorized or are seeking to pursue FedRAMP authorization should begin to understand the control implementation differences, the overall level of effort required to meet the new control requirements, and the PMO requirements set forth for transitioning to Revision 5.
- Organizations following regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS), NIST SP 800-171 Rev2, and the newly adopted Cybersecurity Maturity Model Certification (CMMC).
- While NIST SP 800-53 Rev5 is not directly related to these non-government standards, there is some overlap that may affect how an organization maps and implements controls between the multiple compliance frameworks. All the aforementioned regulations often refer to NIST SP 800-53 Rev4 for additional guidance and are likely to continue to do so for Revision 5.
- For more information about the transition from NIST SP 800-171 Rev2 to CMMC, read our latest on the topic.
Should you so choose, NIST SP 800-53 Rev5 can also be adopted by both public and private sector organizations as part of your risk management programs.
Next Steps Regarding NIST SP 800-53
This publication—including its latest revision—marks a significant change from previous versions. NIST, with its interest in keeping its requirements airtight against the latest cyber threats, “repaved this road” for businesses seeking to protect themselves.
And now, with this high-level overview of the updates, as well as details on who should look further into this framework, you are more oriented in understanding whether this framework applies to your organization.
For more information on federal compliance or other NIST publications, check out our other content that can help point you further in the right direction for you:
- Which of the NIST SP 800-Series Publications Should You Follow?
- Finding Your FedRAMP Consultant: What to Ask and When
- What Is the FedRAMP Ready Assessment? Should You Get FedRAMP Ready?
If you find that you have more organizationally specific concerns regarding compliance—federal or not—please also feel free to reach out to us. Though we do not provide consulting services ourselves, we will do our best to answer any questions you may have.
Risk Management Framework - Program overview and links to additional resources, including Quick Start Guides, an updated online course on the RMF, and the Security Control Overlay Repository. Also contains the email addresses for the NIST points of contact.
OSCAL on GitHub - OSCAL content for SP 800-53 controls (Rev 4, Rev 5, and draft baselines).
About Matt Hungate
Matt Hungate is a Senior Manager with Schellman based in Charlottesville, VA. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm where he specialized in strategy and assessment services for NIST SP 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has over 5 years of experience comprised of serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA. Matt is now focused primarily on FedRAMP assessments for organizations across various industries.