Notable Enhancements to the New Version of NIST SP 800-53
As an infosec professional, you’ve likely heard of the National Institute of Standards and Technology (NIST). If you are unfamiliar with NIST, it is an organization that produces many publications including the well-respected Special Publication SP 800-53r5 standard, titled “Security and Privacy Controls for Information Systems and Organizations.” Although intimidating in its initial appearance, this important manuscript provides a catalog of privacy and security guidance for most of the information systems within the federal government. Even though its primary audience is governmental bodies, the NIST advice is used extensively in non-government environments, as it should be. It contains seriously solid advice!
First introduced back in 2005, SP 800-53 has gone through five revisions since its initial release. The fourth revision, released in 2013, featured updated security controls and focused on topics such as insider threats, software security, mobile devices, supply chain security, and privacy. Revision four also gave us the now familiar “eighteen control families,” which have been adopted by numerous federal agencies as well as the private sector.
Now we have NIST 800-53 Rev 5
In late September 2020, NIST published the official release of NIST SP 800-53 Rev. 5. The purpose of this new release was to provide
a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud-based systems, mobile devices, Internet of Things (IoT) devices, weapons systems, space systems, communications systems, environmental control systems, super computers, and industrial control systems. Those safeguarding measures include implementing security and privacy controls to protect the critical and essential operations and assets of organizations and the privacy of individuals. The objectives are to make the information systems we depend on more penetration-resistant, limit the damage from attacks when they occur, make the systems cyber-resilient and survivable, and protect individuals’ privacy.
The most significant changes to the publication include:
- Make security and privacy controls to be more outcome-based by removing entity responsibility from the control statements
- Consolidate the security control catalog by integrating security and privacy controls
- Provide for a new supply chain risk management control family
- Separate the control selection process from the controls (Much of this content will be moved to other NIST publications such as SP 800-37 and SP 800-53B.)
- Clarify the relationship between security and relationship controls
- Incorporate new controls that support resiliency, secure design, and governance based on threat intelligence and attack data
The purpose of these updated security controls is to provide safeguards or countermeasures within an organization or system. This is intended to help protect system availability, confidentiality, and integrity as well as to help manage risk.
The new revision goes on to define privacy controls as administrative, technical, and physical safeguards to be used in an organization to manage risk for privacy requirements and to help ensure compliance. The list of security and privacy requirements were taken from different directives, executive orders, applicable laws, standards, policies, and regulations as well as mission needs. The integration into the Risk Management Framework (RMF) is evident in the call to ensure “confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individual privacy.”
Revision 5 speaks specifically to RMF by asking questions. These include the following: What security and privacy controls are needed? Have selected controls been implemented? And what is the required level of assurance for those controls? (It goes on to ask organizations to consider their answers that help it to identify, assess, respond, and monitor their security and privacy controls on a continuous basis.)
Revision 5 also appeals to organizations to understand risks that could adversely affect assets, individuals, other organizations, and the nation. Of particular interest in the document was the following:
EVIDENCE OF CONTROL IMPLEMENTATION
During control selection and implementation, it is important for organizations to consider the evidence (e.g., artifacts, documentation) that will be needed to support current and future control assessments. Such assessments help to determine whether the controls are implemented correctly, operating as intended, and satisfying security and privacy policies—thus, providing essential information for senior leaders to make informed risk-based decisions.
Tripwire can help implement SP800-53r5
Tripwire can help your organization successfully implement and monitor the suggested system security controls offered in SP 800-53r5. For more information, be sure to check out Tripwire Enterprise here.
All in all, Revision 5 is a much needed and timely update to NIST 800-53. It goes a long way into incorporating the Risk Management Framework, and it provides wonderful guidance on privacy and security controls, not only for government systems but also for private and public organizations.