NIST SP 800-53 Rev. 5 Coming This Summer

Better late than never. Good things come to those who wait. Slow and steady wins the race.

Such sayings come to mind with NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. The new version is scheduled for publication this summer after months of delays and perhaps for good reason. It’s a significant update.

The public and private sector rely on NIST to help manage risk and threats from hostile attacks, natural disasters, structural failures, human errors and privacy incidents. Rev 5 will provide the latest guidance on security and privacy controls designed to address these risks and threats.

In this blog, we’ll review the major changes with Rev. 5 and share how this new guidance can be used to improve your program for managing the risks and threats mentioned above.

NIST adapts its venerable guidance
In SP 800-53 Rev. 5, NIST offers guidance on next-generation security and privacy controls. Major changes include:

  • Make security and privacy controls more outcome-based
  • Integrate privacy controls more fully in the security control catalog
  • Separate control selection from the actual controls
  • Foster greater integration with risk management and cybersecurity approaches
  • Clarify the relationship between security and privacy
  • Incorporate new controls based on threat intelligence and empirical attack data

The goal of these changes is summed up by the NIST joint force tasked with developing Rev. 5. “The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.”

Making privacy controls more outcome-based
One of the significant changes with NIST 800-53 Rev 5 is making security and privacy controls more outcome-based. This is welcome news on the privacy front with many organizations either struggling to comply with privacy regulations or still in the planning phase.

Heavyweight privacy regulations like GDPR come across as guidance rather than a compliance directive. If you don’t know exactly what a regulation calls for or there is a question if an action meets the requirement, guidance isn’t always definitive. It’s not just GDPR. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020 also lacks concreteness in its requirements.

The fact that NIST 800-53 Rev 5 will bring more clarity around privacy controls is a promising development. Organizations will have a life raft to stay afloat, as well as guidance to manage the depths of privacy.

Putting NIST controls to work managing risk
Another key change with NIST 800-53 Rev 5 is greater integration with different risk management and cybersecurity approaches. It supports what we’ve been saying for a long time. An integrated approach to risk management streamlines processes, enables a holistic treatment of risk, improves decision-making and drives performance for a stronger, more resilient business.

To illustrate how this works together in a technology platform, consider the example of OpenMarket, a hyper-growth mobile messaging company with increasing security requirements imposed by contracts, laws and standards. OpenMarket’s framework of choice is NIST SP 800-53. In fact, OpenMarket uses all 18 control families in the NIST framework and added a 19th custom control family to comply with 173 contracts, 254 compliance mandates and 9700 contract obligations.

Having the NIST 800-53 controls framework, and custom frameworks tucked inside the company’s ISMS within the platform makes everything accessible. In turn, this makes processes and people at OpenMarket more efficient and effective.

NIST 800-53 Rev. 5 is scheduled for release this summer. It’s a positive development for guidance on security and privacy controls. For public and private organizations, it’s proof, once again, that good things come to those who wait.

Related Articles