Understanding the Changes with NIST 800-53 Revision 5
Right before the 2020 Cybersecurity Awareness month, NIST (National Institute of Standards and Technology) revealed several new developments in the Special Publication 800-53. Revision 5 is the updated version of the IT security guide. It’s the organization’s first major amendment in the document in seven years. And there have been significant changes in the cybersecurity space since 2013.
NIST’s new guidelines are expected to be the baseline for compliance requirements and programs in every company in the US. Focusing on privacy, security, as well as risk management. The 483-page document and the complementary materials reference 200 relevant policies, laws, directives, standards, guidelines, and regulations to merge more than 1,100 discrete controls.
NIST SP 800-53 Overview: The Godfather of Security Controls Structures
For years, NIST 800-53 has been the foundation of the United States government’s security controls. Healthcare providers and other crucial establishments in the private sector widely adopted it.
In April 2013, the National Institute of Standards and Technology released Rev 4. Then followed this up by establishing the NIST CsF (Cybersecurity Framework) in February 2014. This framework used a more business-friendly structure and language to allow seamless adoption within and outside federal entities.
NIST’s advanced Rev 5 controls were designed to align as well as integrate with the previous CsF framework. CSF was widely implemented in the healthcare sector. But healthcare providers who require more stringent security controls still use NIST SP 800-53.
The New Changes in Revision 5
Rev 5 comprises various significant updates that enable better alignment of the publication’s privacy as well as security controls. With its goal of protecting companies and information systems against vast risks and threats.
Recognition of Supply Chain Risks
The latest revision includes two new control families, and supply chain risk management is one of them. For most organizations, the development has been long overdue. Almost every company works with external components and partners to deliver critical functions. And most are also part of other entities’ supply chines.
The new revision offers controls that acknowledge the collaborative as well as coordinated reality and the associated risks. This is a crucial improvement from the previous publications that lacked sufficient guidance on the management and verification of external dependencies. Organizations can now apply more comprehensive controls to any outsourced services.
Rev 5 offers 12 advanced second-level controls. To help you process around vital supply, establish a risk management strategy, as well as to conduct regular reviews and assessments to suppliers. The new concepts in the framework include tampering detection, component authenticity, as well as inspections.
Greater Focus On Results
The previous SP 800-53 typically assigned responsibility for respective controls. Entities that implement the controls would be forced to place the entire burden of handling each control using narrowly defined implementers like a team or an individual. But in reality, you need broad collaboration and cooperation to achieve excellent controls.
The latest revision shifts the control focus to desired outcomes. It recognizes that SP 800-53 is also used by non-governmental entities lacking strict delineation of roles evident in government organizations. The greater focus on results goes hand in hand with a massive shift taking over the IT landscape. Businesses, as well as government agencies, now want their IT infrastructure to achieve demonstrable outcomes.
Advanced State-Of-The-Art Controls
Revision 5 incorporates new controls and complementary control discussions. To establish secure system designs and cyber resiliency and strengthen privacy and security governance.
One example is RA-10, a new control focused on addressing the dynamic threat landscape. It establishes threat handling features that monitor, identify, track, as well as disrupt cyber threats that may push through our controls.
Another crucial focus in Rev 5 is the additional controls to incorporate privacy requirements. Several new controls, including SI-19, SI-18, and CM-13, help you understand the PII (personal identifiable information) processed in your organization. And the existing security measures to protect the information’s integrity and privacy.
An Expanded Control Catalog
The new NIST 800 control catalog includes twenty control families, three more than the previous Rev 4 catalog. The three additions comprise of:
- Supply Chain Risk Management (SR) – This control family further expands the last revision’s Supply Chain Protection’s vital concepts.
- PIII Processing and transparency (PT) – The family focuses on privacy risk management, previously addressed in Rev 4’s Privacy Control Catalog (Appendix J).
- Program management (PM) – This addition covers Information Security Program Management Controls in the previous revision’s Appendix G.
Integrating the PM, PT, as well as SR control families in the new control catalog offers consolidated controls that you can leverage within your organization’s risk management strategy.
Compliance Assessment Tools to Identify New Gaps
Every new NIST 800-53 revision offers new machine-readable files that follow the OSCAL (Open Security Control Assessment Language) framework. You can incorporate these YAML, XML, or JSON files into different third-party tools to automate your organization’s governance and security testing. With these tools, you can demonstrate to your stakeholders that you’re implementing the best practices controls. You must consider reviewing your assessment tools to ensure they incorporate the new framework files.
Privacy and Security Consideration Integration
Rev 5’s chapter two has a new section called ‘Security and Privacy Controls,’ highlighting the relationship between privacy and security components. Furthermore, the control discussions and control descriptions sections in chapter three now incorporate specific considerations.
Organizations need to understand the nature of the information. This is to manage the specific controls that affect the relationship. Rev 5 integrates security and privacy considerations within the publication to clarify how the components relate. This helps you align your privacy and security goals with the risk associated with your data types.
Rev 5 achieves outcome-based controls by eliminating the entity that satisfies the controls from the control statement. Consequently, more focus will be on the protection outcome offered by the control application. Notably, the Control Summaries section in Appendix C now has an “implemented by [organization/system]” column.
The Bottom Line
The new changes in NIST 800-53 create an excellent positive impression. Apart from the significant content changes, the new document is also simplified for use by security professionals.
Is your organization located in Washington DC, Baltimore, Maryland Area, or Northern Virginia? Advantage Industries offers the right insights and trends to ensure you stay ahead of trends and remain competitive. Reach out to us for guidance on NIST 800-53 and other cybersecurity trends.