The final version of the National Institute of Standards and Technology (NIST)’s Special Publication (SP) 800-53 Revision 5 is on the horizon for 2019. What does the initial public draft tell us about what we can expect in the final version? Even more importantly, what does it mean for organizations seeking to adopt the new guidelines?

NIST SP 800-53 Revision 5 is expected to deliver major updates to the existing fourth revision, which was originally published in 2013. Since its inception, this publication has been the de facto guideline for security control implementation, security assessment and Authorization to Operate (ATO) processes for government information systems. There are many draft changes in the fifth revision, but one of the most significant is that it no longer limits the control catalog to federal information systems. The catalog is now written to apply to all types of systems and organizations, in all industries.

In addition to control baseline updates, other major changes NIST anticipates will be in the final version include:

  • Requiring organizations to designate a senior management official responsible for managing the security policies and procedures associated with each control family.
  • Restructuring the controls to be outcome-based, which improves clarity, consistency and understanding.
  • Fully integrating privacy controls into the security control catalog to create a consolidated view of all controls.
  • Adding two new privacy control families: Individual Participation (IP) and Privacy Authorization (PA).
  • Nearly doubling the scope of the Program Management (PM) control family, with additional emphasis on privacy and data management.
  • Adding new appendices that detail the relationship between security and privacy controls.

What Will NIST 800-53 Rev. 5 Mean For Organizations?

The changes expected in the fifth revision touch on a variety of subjects and affect a wide range of business and security functions. Below are some areas that will be particularly affected and considerations that will have a significant impact on how organizations manage their security programs.

Senior Management Ownership

First and foremost, leadership accountability is given much greater emphasis across the framework. Organizations will need to identify key senior management personnel to own specific policy efforts and oversight actions for the life of each system. By driving accountability from the top down, organizations stand to benefit from executive sponsorship of security policies and gain better visibility into the effectiveness of governance controls and the organization’s overall security status.

Data Privacy

Dedicated privacy control families and new privacy guidance woven into existing controls drive greater focus on privacy and sensitive data management. Privacy needs to be ingrained into all aspects of cybersecurity now and in the future, especially with new regulations in place to protect personal data. Organizations may need to review their org chart to ensure it provides the most effective strategic alignment between C-suite, security and privacy teams. Ownership of control implementations between security and privacy will be a key decision point when transitioning to the final release of Revision 5 in the near future.

Third-Party Assessments

NIST SP 800-53A will undergo a fifth revision in conjunction with the updates to SP 800-53. This is the companion document third-party assessors use as part of the ATO process to determine the effectiveness of control implementations and evaluate risk posture. Implementing the updated controls, and adapting existing implementations to them, will be crucial both to obtaining new ATOs and to renewing existing ones in the long term.

How Can Business Leaders Enhance Security Over Time?

Chief information officers (CIOs), chief information security officers (CISOs) and other organizational leaders need to start thinking about how to advance security and privacy initiatives in unison to achieve business goals and manage risk effectively. The update to NIST 800-53 will affect each organization differently, so it remains important to perform due diligence to determine how the final changes apply in each unique situation. As a whole, however, adopting the recommended guidelines serves to unify security standards and help all organizations strengthen their security posture as the threat and regulatory landscapes evolve.

Additional information and the full list of changes in the NIST 800-53 Revision 5 draft can be found on the NIST website, along with the publication schedule.
