How Commercial Enterprises Benefit from Updates to NIST Special Publications


In a recent webinar on the upcoming final release of NIST SP 800-53 Rev. 5, NIST Fellow Dr. Ron Ross mentioned an interesting fact: private sector and international adoption of the NIST standards is on the rise.

Why might that be?

Personally, I think it has to do with an evolution of the mindset of the CIOs and CISOs at international and private sector organizations. Traditionally, cybersecurity was reactionary and focused on threats targeting the holy grail of an organization’s business model.  For financial services, this was transaction or payment card data.  For healthcare organizations, this was predominantly related to data privacy.  Each sector has its “castle key” data and was usually pretty good at protecting it from an outside attack.

We’ve learned the hard way that cybersecurity is like a chain, only as strong as its weakest link.  The stronger the firewalls and security policies became, the more the enemy learned about spear-phishing (thanks, social media) and lateral movement.  In my mind’s eye, I’m conjuring the cartoon of a sailor plugging holes in the boat with all their fingers until they run out of fingers and the holes continue to spew out water…

We have also learned that educating our user base is critical to successfully defending the castle… but there is more (so much more).  In come the requirements and regulations that are meant to help keep your organization and data secure, but can be difficult to understand and interpret.  To make matters worse, private sector organizations, especially in heavily regulated sectors, are beholden to multiple standards that must be adhered to.

Simplifying risk and compliance for the commercial and international enterprise

I’ve advocated numerous times in the past that the new NIST SP 800-53 is a Rosetta Stone for managing risk and compliance across all business types. This latest revision, Rev. 5, simplifies adoption for the international and private sectors thanks to more easily interpretable IA controls and fewer references to U.S. government-focused processes and terms.

What’s also important for commercial organizations to recognize is the value of leveraging NIST SP 800-37, the Risk Management Framework (RMF), as a methodology to manage risk and compliance activities within an organization. What commercial organizations can glean from the RMF and its updated controls catalog is an unmatched, comprehensive playbook for managing risk and compliance activities that span all levels of an organization.

“Why?” you may ask.  “I’m happy checking boxes.”

NIST’s methodology moves organizations away from the checkbox mentality by forcing interpretation and applicability within the context of the organization adopting it.  It also allows for “test once, comply with many” – meaning that control validations from the NIST catalog can be mapped to other compliance regimes and thus provide ample evidence of due diligence against multiple standards at once.

The fact is, security compliance doesn’t work out of the box that way. However, when due diligence is applied to building a strong foundation for an organization-wide risk management program, the opacity of risk is greatly diminished. Likewise, when an organizational risk management program is created and adhered to, the costs of compliance decrease, especially those costs typically unforeseen at the bottom line, like audit fatigue and attrition within the security operations staff. While cybersecurity risk and compliance programs are not easy, spending the time and energy up front pays significant dividends. It simplifies audits and audit response, reduces costs, lowers the probability of compromise, accelerates response times, and, in commercial organizations, establishes a plan for crisis management and communications activities.

Some commercial organizations will continue to push their heads deep in the sand, or wish for a magic button to make it all go away (or maybe some slick new product that uses artificial intelligence and machine learning to do all the work for them).  They’ll spend plenty of money and spin their tires, while others in the private sector utilize the high bar of risk management and security compliance, seriously adopt it, and reach the finish line.


How the Latest NIST Updates Help You Build a More Robust Cyber Risk Management Program

A look back on my recent conversation with Dr. Ron Ross.


A few weeks ago, I had the opportunity to host an interview with renowned computer scientist and NIST Fellow, Dr. Ron Ross. The majority of our discussion centered around the implications of the upcoming final release of NIST SP 800-53, Rev. 5. In discussing the path that NIST took in updating Special Publication 800-53 this time around, we touched on some interesting changes that impact both public and private sector use.

Organizations that are essentially required to use the NIST RMF along with Rev. 5 will notice more flexibility in applying the controls. For instance, the Low, Moderate and High baselines have been removed from Rev. 5, and will be updated and placed within a new document called SP 800-53B (“Bravo”). Additionally, updated guidance suggests that certain organizations and circumstances may see greater value from driving security requirements from the top down, via an engineering-based lifecycle, instead of using baselines that utilize specific controls mapped from 800-53 Rev. 5.

Considerable voluntary adoption of the RMF amongst the private sector, especially internationally, has also caused NIST to evolve Rev. 5 to be more approachable. The final public draft contains more easily interpretable IA controls and fewer references to U.S. government-focused processes and terms. In the end, the removal of the formalized baselines, along with the addition of the “Prepare” step to the RMF, significantly lowers the barrier to entry for private organizations seeking to use NIST’s guidance and controls catalog as the high bar for risk and compliance activities.

However, a problem the new updated guidance has uncovered is the “taken at face value” adoption of the previous versions.  In the past, adoption was usually forced as the letter of the law, with individual departments managing compliance by security checklist.  What’s becoming clear is that a fair amount of work at the organizational level needs to occur to be successful with the RMF.  Paraphrasing Dr. Ross, building a risk management program requires analytical thought.

Other topics we touched on included the incorporation of privacy controls throughout the catalog with a focus on both ensuring authorized use of PII and protecting against its unauthorized use — a subtle but very important difference.  Furthermore, Dr. Ross sees the great value that both inheritance and DevOps pipelines can offer to drive down cost and maximize efficiency with the security, risk, and compliance process.

I leave you with one important thought from our discussion that our community of interest has been espousing for decades: we must continue to press the concepts of risk and compliance as far left in the system development lifecycle as possible, focusing on the integration of security at the earliest possible stage. Risk, compliance, and security activities can’t be skipped or overlooked. Understanding their value and embracing them early has the greatest impact in reducing costs, timelines, and resources, leading to successful deployments of assured systems and capabilities.


A Fresh Start for Enterprise Security and Privacy: Dr. Ron Ross Explains the Latest NIST Revisions

Last week, Dr. Ron Ross, National Institute of Standards and Technology fellow, joined Telos’ own Steve Horvath for a webinar to discuss the upcoming release of NIST Special Publication 800-53 Rev. 5, its relationship with the NIST RMF Rev. 2, as well as other prevalent cybersecurity topics. I’d like to thank Dr. Ross for giving us all a better understanding of the latest versions of these publications, why these changes were made, and expectations for the future.

This webinar dealt with a number of topics that allowed Dr. Ross to provide some insight into the NIST way of thinking, in addition to how and why perspectives and requirements have changed over the years. It was very helpful to hear the reasoning behind these updates.

A common thread throughout the webinar was that security and privacy are paramount to any organization. Thankfully, it’s becoming more common to think about security as an ongoing process, rather than a one-and-done, set-the-binder-on-the-shelf activity. That’s why I especially liked when Steve brought up continuous monitoring, with Dr. Ross deeming it “the only way to operate… [as] those who are tied to a checklist-based approach [are] not going to survive in the dynamic world that we face today.” Telos recognized this problem, and we designed our cyber risk management solution, Xacta, to help lessen the workload by automating the continuous monitoring of systems, networks, and resources.

Steve noted that NIST SP 800-53, Rev. 5 has a clear applicability to the private sector. That’s huge. Commercial organizations have increasingly been embracing the NIST frameworks and controls, with the prediction that 50% of U.S. companies will adopt the NIST Cybersecurity Framework (CSF) in some form by the end of this year. The original purpose of the CSF was to help U.S. critical infrastructure manage risk. However, commercial and international adoption of NIST frameworks shows how important it is to any organization to have a common language and process for cyber risk management.

NIST SP 800-53 Rev. 5 also addresses the cloud and continuous integration/continuous delivery (DevSecOps), which many argue remove the need for assessment and authorization (A&A). When Steve asked Dr. Ross his thoughts, he said, “It doesn’t do away with the [A&A] process, it just makes it more efficient… so [government] can do security at the speed of commercial industry.” That resonated with me because, for years, I have been an avid supporter of cloud and the need for the government to move at the speed of commercial organizations. A coalition that I’m proud to be a part of, the Alliance for Digital Innovation (ADI), includes innovative, cloud-forward companies that advocate for the acceleration of government IT modernization.

Again, thank you, Dr. Ross, for speaking on our platform and for clarifying the changes that will make a huge difference in the efficiency of cyber risk management for organizations, both government and commercial. I urge you all to watch the webinar recording, if you haven’t already, to hear directly from Telos VP Steve Horvath and NIST Fellow Dr. Ron Ross about the topics I’ve mentioned, and much more: https://www.telos.com/reserved/webinar-nist-special-publication-800-53-revision-5/.

NIST SP 800-53 Rev. 5 – One Ring to Rule Them All

Since good news is desperately needed, let’s take a moment and offer a distraction from the current COVID-19 news cycle. In the world of compliance, some very good news was announced by NIST related to their consolidated and comprehensive control catalog, Special Publication 800-53.  Revision 5 (Rev. 5), which has been in the works for a couple of years now, was released as a Final Public Draft last month, which means any changes from this point forward until final publication should be minor.  Rev. 5 brings some important updates and changes, which NIST was kind enough to summarize here.  Let’s discuss a few of the most impactful changes and what they mean to professionals in risk management and compliance.

Formal Incorporation of Privacy and Supply Chain into the Catalog

Rev. 5 has a few new control families, two of the most important being Privacy (PT) and Supply Chain (SR). The acknowledgement that both privacy and supply chain play integral roles in security, risk management and compliance activities is a big step forward for NIST as well as for practitioners. Each of these new families contains new controls (9 and 11 respectively) that are directly related to an organization accounting for personally identifiable information (PII) and supply chain risk. These two elements of security are gaining considerable attention lately, and for good reason: they are critical and impossible to separate from the core of information security and risk management activities. Both privacy and supply chain weigh heavily in almost any calculus involving enterprise, organization, mission, business unit, and system risks.

Pulling the Baselines out of the Control Catalog

For some time, NIST’s famous soothsayer and practitioner, Dr. Ron Ross, has stated that not every organization needs to follow the default Low, Moderate and High baselines.  He has largely advocated for organizations, both public and private, to adopt their own tailored baselines informed by their business, industry and maturity.  Rev. 5 removes the default baselines from SP 800-53 altogether, choosing rather to publish the default baselines that pertain to federal information systems in NIST SP 800-53B (currently under development).

Alignment with NIST Cybersecurity and Privacy Frameworks (and Mappings)

I’ve been writing and speaking about the virtues of the NIST Cybersecurity Framework (CSF) for years. The CSF can serve as a much-needed lexicon that facilitates informed discussions about cyber risk management from the security operations team all the way to the board room. It also lays out how organizations can pick a current and target state to help drive investment and risk decisions. NIST’s intentional alignment between the control catalog in Rev. 5 and the CSF and the NIST Privacy Framework enables a next-level risk management strategy for organizations. The CSF especially integrates well with the new Prepare step (“Step 0”) in the updated NIST Risk Management Framework (SP 800-37 Rev. 2). Bringing these elements together and ensuring they can purposely work together is a considerable leap forward for the infosec and compliance world. Let’s not forget that NIST also plans to provide mappings not only to the CSF and Privacy Framework, but also to ISO 27001 and ISO 15408. NIST has been excited by the adoption of the NIST RMF and CSF internationally, and this is them putting their money where their mouth is.

Enabling a State of Automation and Simplified Risk Management and Compliance

These changes, along with the adoption of Open Security Controls Assessment Language (OSCAL), used to support automated control-based assessment, have set up a future in which we can automate the entire compliance and risk management process, which once buried teams of hundreds under pallets of paper evidence. This capability, paired with the power of control mapping, results in the ability to test once and comply with many other frameworks.

With the recent changes and conscious effort made by NIST, the new 800-53 control catalog can be used by any organization, small or large, public or private, to manage and track risk and compliance activities in a comprehensive fashion.  From a risk management and compliance perspective, the future is bright.