The final version of the National Institute of Standard and Technology (NIST)’s Special Publication (SP) 800-53 Revision 5 is on the horizon for 2019. What does the initial public draft tell us about what we can expect in its final version? Even more importantly, what does it mean for organizations seeking to adopt the new guidelines?
NIST SP 800-53 Revision 5 is expected to deliver major updates to the existing fourth revision, which was originally published in 2013. Since its inception, this publication has been the de facto guideline for security control implementations, security assessments and Authorization to Operate (ATO) processes for government information systems. There are many draft changes in the fifth revision, but one of the most significant impacts is that it marks a departure from limiting the control sets to federal information systems. The framework is now recommended for all systems in all industries.
In addition to control baseline updates, other major changes NIST anticipates will be in the final version include:
- Organizations must now designate a senior management official responsible for managing the security policies and procedures associated with each control family.
- Changing the structure of the controls to be more outcome-based, which leads to increased clarity, consistency and understanding.
- Full integration of privacy controls into the security control catalog to create a consolidated view of all controls.
- The addition of two new privacy control families: Individual Participation (IP) and Privacy Authorization (PA).
- Program Management (PM) control family nearly doubles in scope (includes additional emphasis on privacy and data management).
- New appendices to detail the relationship between security and privacy controls.
What Will NIST 800-53 Rev. 5 Mean For Organizations?
The changes expected in the fifth revision touch on a variety of subjects and affect a wide range of business and security functions. Below are some areas that will be particularly affected and considerations that will have a significant impact on how organizations manage their security programs.
Senior Management Ownership
First and foremost, leadership accountability is given much greater emphasis across the framework. Organizations will need to identify key senior management personnel to own specific policy efforts and oversight actions for the life of each system. By driving accountability from the top down, organizations stand to benefit from executive sponsorship of security policies and gain better visibility into the effectiveness of governance controls and the organization’s overall security status.
Dedicated privacy control families and new privacy guidance woven into existing controls drive greater focus on privacy and sensitive data management. Privacy needs to be ingrained into all aspects of cybersecurity now and in the future, especially with new regulations in place to protect personal data. Organizations may need to review their org chart to ensure it provides the most effective strategic alignment between C-suite, security and privacy teams. Ownership of control implementations between security and privacy will be a key decision point when transitioning to the final release of Revision 5 in the near future.
NIST SP 800-53A will undergo a fifth revision in conjunction with the updates to SP 800-53. This is the companion document third-party assessors use as part of the ATO process to determine the effectiveness of control implementations and evaluate risk posture. Implementing and adapting the updated controls will be crucial to new or existing ATO renewals in the long term.
How Can Business Leaders Enhance Security Over Time?
Chief information officers (CIOs), chief information security officers (CISOs) and other organizational leaders need to start thinking about how to advance security and privacy initiatives in unison to achieve business goals and manage risk effectively. The update to NIST 800-53 will affect each organization differently. It’s still important to perform due diligence to determine how the final changes apply in each unique situation; however, as a whole, adopting recommended guideline serves to unify security standards and help all organizations strengthen their security posture as the threat and regulatory landscapes evolve.