The National Institute of Standards and Technology (NIST) has been busy updating its SP 800-53 Security and Privacy Controls Catalog (Revision 5). On August 15, 2017, NIST released its public draft for comments. NIST intends to release the final draft in October 2017 and the final version by December 29, 2017. Here are some of the changes made from SP 800-53 Revision 4. The FedRAMP program for cloud computing services accreditation is based on NIST SP 800-53 and will likely require cloud service providers to begin migrating to the new standard.
In Revision 4 and earlier versions, each control and control enhancement was prefixed by ‘The Information System…’ or ‘The organization…’. The intent was to identify the entity responsible for implementing the control. In this public draft, NIST has removed these prefixes and asks whether this is a beneficial change. Specifically, NIST asks whether such a change would place greater emphasis on the purpose of the control, better reflect the intended security outcome of the control, and/or give organizations greater flexibility in how they implement controls. In the table outlining which controls and enhancements apply to which baseline, a new column has been added to indicate whether the control is typically aligned with the Organization or the System. However, in keeping with NIST's intentions, this is likely just guidance and not a requirement.
The Privacy Controls catalog has been removed and incorporated into the existing controls and control enhancements. The only exception is the Individual Participation (IP) privacy control family, which has remained independent and has been added to the main control catalog. In the table outlining which controls and enhancements apply to which baseline, a new column has been added to indicate whether the control is privacy related or not. In addition, Appendix F outlines which of these privacy controls are fully under the purview of the agency's privacy program, and which are under the joint purview of the privacy program and the security program. Lastly, each control is also classified as ‘Required, Situationally Required, or Discretionary.’ Discretionary controls are optional, while situationally required controls depend on the laws, regulations, or policy guiding the organization.
Per OMB Circular A-130, federal agencies and organizations are required to use the NIST Risk Management Framework (RMF) to select the necessary security controls. However, with no authority over state, local, and tribal governments, as well as private sector organizations, NIST can only encourage the use of this guide as appropriate. Therefore, in Revision 5, NIST aims to be more inclusive of these other organizations and has removed the control selection process from the actual controls. For federal agencies and organizations, tailoring guidance and informative material will be moved into SP 800-37, and can also be found in SP 800-53 Revision 4 until the next update cycle for SP 800-37.
Updates to the controls and supplemental guidance in SP 800-53 Revision 5 have incorporated lexicon from other frameworks, such as the “Framework for Improving Critical Infrastructure Cybersecurity” Version 1.0 dated February 12, 2014. Making controls more outcome based also aligns with this change.
As is typical with each revision of SP 800-53, controls have been updated, added to, and removed from the baselines. Some of the notable additions include controls in the Risk Assessment (RA), Program Management (PM), Planning (PL), Incident Response (IR), and Identification and Authentication (IA) control families.