NIST SP 800-53 Rev. 5 – One Ring to Rule Them All

Steve Horvath
April 9, 2020

Since good news is desperately needed, let’s take a moment and offer a distraction from the current COVID-19 news cycle. In the world of compliance, some very good news was announced by NIST related to their consolidated and comprehensive control catalog, Special Publication 800-53. Revision 5 (Rev. 5), which has been in the works for a couple of years now, was released as a Final Public Draft last month, which means any changes from this point forward until final publication should be minor. Rev. 5 brings some important updates and changes, which NIST was kind enough to summarize here. Let’s discuss a few of the most impactful changes and what they mean to professionals in risk management and compliance.

Formal Incorporation of Privacy and Supply Chain into the Catalog

Rev. 5 has a few new control families, two of the most important being Privacy (PT) and Supply Chain (SR). The acknowledgement that both privacy and supply chain play integral roles in security, risk management and compliance activities is a big step forward for NIST as well as for practitioners. Each of these new families contains new controls (9 and 11 respectively) that are directly related to an organization accounting for personally identifiable information (PII) and supply chain risk. These two elements of security have been gaining considerable attention lately, and for good reason: they are critical and impossible to separate from the core of information security and risk management activities. Both privacy and supply chain weigh heavily in almost any calculus involving enterprise, organization, mission, business unit, and system risks.

Pulling the Baselines out of the Control Catalog

For some time, NIST’s famous soothsayer and practitioner, Dr. Ron Ross, has stated that not every organization needs to follow the default Low, Moderate and High baselines. He has largely advocated for organizations, both public and private, to adopt their own tailored baselines informed by their business, industry and maturity. Rev. 5 removes the default baselines from SP 800-53 altogether, choosing rather to publish the default baselines that pertain to federal information systems in NIST SP 800-53B (currently under development).

Alignment with NIST Cybersecurity and Privacy Frameworks (and Mappings)

I’ve been writing and speaking about the virtues of the NIST Cybersecurity Framework (CSF) for years. The CSF can serve as a much needed lexicon that facilitates informed discussions about cyber risk management from the security operations team all the way to the board room. It also lays out how organizations can pick a current and target state to help drive investment and risk decisions. NIST’s intentional alignment between the control catalog in Rev. 5 and the CSF and the NIST Privacy Framework enables a next-level risk management strategy for organizations. The CSF especially integrates well with the new Prepare step (“Step 0”) in the updated NIST Risk Management Framework (SP 800-37 Rev. 2). Bringing these elements together and ensuring they can purposely work together is a considerable leap forward for the infosec and compliance world. Let’s not forget that NIST also plans to provide mappings to not only the CSF and Privacy Frameworks, but also to ISO 27001 and ISO 15408. NIST has been excited by the adoption of NIST RMF and CSF internationally, and this is them putting their money where their mouth is.

Enabling a State of Automation and Simplified Risk Management and Compliance

These changes, along with the adoption of Open Security Controls Assessment Language (OSCAL), used to support automated control-based assessment, have set up a future in which we can automate the entire compliance and risk management process, which once buried teams of hundreds under pallets of paper evidence. This capability, paired with the power of control mapping, results in the ability to test once and comply with many other frameworks.

With the recent changes and conscious effort made by NIST, the new 800-53 control catalog can be used by any organization, small or large, public or private, to manage and track risk and compliance activities in a comprehensive fashion. From a risk management and compliance perspective, the future is bright.

Stephen Horvath is the vice president of strategy and cloud at Telos Corporation.