Written by Senior Information Technology Auditor Lucy Gardner
As technology continues to advance, so must the controls that support the development of secure and resilient Federal information systems. On September 23, 2020, seven years after the publication of SP 800-53 Rev. 4 (hereafter referred to as Rev. 4), the National Institute of Standards and Technology (NIST) updated its control guidelines (Special Publication [SP] 800-53 Revision (Rev.) 5 [hereafter referred to as Rev. 5], Security and Privacy Controls for Information Systems and Organizations) to align with the evolving nature of information security and to cover areas including cloud computing, insider threats, application security, and supply chain security. Rev. 4 will be officially withdrawn on September 23, 2021.
What does this mean for you?
After seven years, there may be many questions about the changes to the controls and their impacts on agencies. Below are three key questions and answers that help start the process of digesting the changes so that agencies and system owners can begin planning for compliance.
If I am fully compliant with Rev. 4, what is the impact of Rev. 5?
What is the significance of the new PT control family?
Privacy standards have been around for quite some time and, while not a “new” concept, the PT control family in Rev. 5 consolidates previously existing privacy controls into the standard control baselines. This diverges from the Rev. 4 approach of placing privacy controls in a separate appendix. Rev. 5 also incorporates some privacy controls into the PM family. These changes emphasize privacy as a bedrock of security and will require significant coordination between Security and Privacy Teams to ensure consistent processes and bring privacy governance into the spotlight. Privacy is no longer a system-specific effort, but a foundational element of a strong security program.
What is the significance of the new SR control family?
Unlike the “new” privacy controls, the SR control family consists of controls and concepts not previously seen in the control baselines. Building on concepts established in NIST SP 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” NIST highlights the importance of supply chain security by incorporating supply chain controls into the PM family and creating the new SR family. Establishing a strong SR program, grounded in NIST guidance, will require close coordination across agency security teams, as the topic has not historically played a role in the day-to-day activities of an agency. Supply chain risk is no longer an enigmatic concept, but an urgent and real threat to organizational security that should be addressed.
This publication is for informational purposes only and does not constitute professional advice or services. Readers should first consult with a professional before acting with regard to the subjects mentioned herein.
Kearney & Company is a CPA firm that is focused on providing accounting and consulting services to the Federal Government. For more information about Kearney & Company, please visit us at www.kearneyco.com or contact Mr. Phil Moore, Partner, at (703) 931-5600 or via e-mail at [email protected].