On Sept. 23, 2020, the National Institute of Standards and Technology (NIST) released the final version of its risk management framework (RMF), Special Publication (SP) NIST 800-53 Revision 5. Revision 5 brings numerous positive changes, including:
- Outcome-based controls
- Improved descriptions and integration of new control areas
- Controls based on threat intelligence
Federal agencies, government contractors and vendors leveraging the NIST 800-53 RMF must understand the differences between Revision 4 and Revision 5 controls so that mandated changes are implemented and they are compliant by the Sept. 23, 2021, deadline.
What you need to know
The most common questions asked regarding the publication of SP NIST 800-53 Revision 5 include ‘What has changed?’ and ‘How does NIST 800-53B change things?’ Baker Tilly analyzed and summarized the key changes to the 800-53 framework controls from Revision 4 to Revision 5:
- There is separation of control selection from the actual controls. NIST published the Control Baselines for Information Systems and Organizations NIST SP 800-53B document on Oct. 29, 2020 (in addition to the NIST SP 800-53 Revision 5).
- The NIST 800-53B security and privacy control baselines are predefined sets of controls that address protection needs. The control baselines are a starting point for protecting individuals’ privacy, information and information systems. The baselines can be tailored or customized to an organization’s mission, business functions, environment, specific and credible threat information and individuals’ privacy interests.
- An organization’s privacy control baseline is established separately from the security controls baseline. Determining the privacy control baseline begins with a privacy risk assessment. This assessment considers the nature of the personally identifiable information (PII) processing and its impact on individuals to guide tailoring of the privacy control baseline for programs and systems.
- Revision 5 integrates privacy within the security control language and supply chain controls.
- Program management (PM) controls were originally listed in the draft NIST 800-53B document within the various baselines. In the final NIST 800-53B document, PM controls were moved and are no longer associated with the security control baselines. These controls are deployed organization-wide, independent of any system impact level, and support the information security program. PM controls can now be selected alongside privacy baseline control decisions.
- In Revision 5, new controls are defined based on threat intelligence.
- Revision 5 control language is outcome-based rather than impact-based.
- There is a significant increase in the use of organization-defined parameter values (ODVs) within the control language. For example, there were over 300 ODVs in the Revision 4 moderate baseline, whereas there are now over 500 ODVs in the Revision 5 moderate baseline.
- The increased use of ODVs has also increased specificity within controls. This increase in specificity allows organizations to define specific responsibilities, circumstances, media, systems, devices and response times.
- Policy and procedure controls have changed. These documents can now be defined to address the organization, business process or system. Further, language was added regarding document consistency with applicable laws, executive orders, directives, regulations, policies, standards and guidelines. Policy and procedure documents need to designate a responsible organizational official. Policy and procedure documents can be reviewed and updated based on both a defined frequency and organization-defined events.
- The control count has increased in each baseline as illustrated in the table below.

