After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.

The following are the most significant updates provided by Revision 5:

  • Removal of assignment of control responsibility to either the organization or information system to make the controls more outcome-based.
  • Integration of the information security and privacy controls into a consolidated control catalogue for organizations and information systems.
  • Establishment of a supply chain risk management control family.
  • Separation of control selection processes from the controls to allow the controls to be used by different communities of interest.
  • Removing control baselines and tailoring guidance and transferring that information to NIST SP 800-53B, Control Baselines for Information Systems and Organizations.
  • Clarifying the relationship between requirements and controls and the relationship between security and privacy controls.
  • Incorporating new, state-of-the-practice controls based on the latest threat intelligence and cyber-attack data.

These controls are mandatory for federal information systems, which include any information system used or operated by an agency or by a contractor on behalf of an agency. Companies will want to review these controls carefully and consider implementing where appropriate, as NIST controls are often used as a baseline for industry standards in security and privacy and are likely to be seen as “reasonable” for purposes of compliance with broader data security laws.

NIST is also releasing supplemental materials that will be available in the near future. Among these materials will be a comparison of Revision 5 with Revision 4 and control mappings to the Cybersecurity and Privacy Frameworks.

Putting it Into Practice: Federal contractors should review these guidelines closely as these updated controls will be applied to any federal information system used or operated by a contractor on behalf of an agency. Other organizations in the private sector should pay attention as NIST guidance often influences industry standards in security and privacy.