There is an urgent need to strengthen the trustworthiness and resilience of the information systems, component products, and services that we depend on in every critical infrastructure sector and which support the economic and national security interests of the United States.
The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, finally released much anticipated update to its recommended security control baselines used as a gold security standard across federal government agencies, as well as state/local agencies and private companies.
NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, represents a multi-year coordinated effort to develop the next generation of security and privacy controls needed to strengthen and support the Federal Government and every sector of critical infrastructure. The multi-agency taskforce to revise the new controls involve complex coordination between members of NIST, DHS and DoD agencies, as well as feedback from the public to arrive at a finalized control baseline acceptable to most stakeholders.
These next generation controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.
This revision of NIST Special Publication 800-53 presents a proactive and systemic approach to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include the security and privacy controls to protect the critical and essential mission and business operations of organizations, the organization’s high value assets, and the personal privacy of individuals. The objective is to manage mission, business, and system risks for organizations, making the systems we depend on more penetration-resistant to cyber-attacks; limiting the damage from those attacks when they occur; making the systems cyber-resilient and survivable; and protecting the security and privacy of information.
Summary of Changes in Revision 5
Revision 5 major changes include:
- Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
- Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
- Adding two new control families for privacy and supply chain risk management;
- Integrating the Program Management control family into the consolidated catalog of controls;
- Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
- Separating the control catalog from the control baselines;
- Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
- Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
- Strengthen security and privacy governance and accountability;
- Support secure system design; and
- Support cyber resiliency and system survivability.
Unlike prior releases, the new NIST Special Publication (SP) 800-53, Revision 5 Security and Privacy Controls for Information Systems and Organizations contains new planned supplemental materials to ease the burden of analyzing and adopting the recommended controls. Of note the release of the new controls in the Open Security Control Assessment Language (OSCAL). The OSCAL XML, JSON, and YAML variants are all equivalent in their information content and are provided to support tooling and automation on different format-specific implementation stacks. These OSCAL files are intended to represent the control-related content from the published documents in machine-readable formats.
Accelerate to the cloud with GovDataHosting
GovDataHosting provides simple, swift, and government-certified cloud hosting bundles for Federal, state, and local agencies. As a division of IT-CNP, Inc., we leverage decades of expertise and nationwide service to deliver cloud solutions that meet the specific NIST 800-53 control requirements of the U.S. government. By offering our own fully managed FedRAMP-certified cloud infrastructure, we empower agencies with faster cloud migrations/deployments, reduced implementation risk, higher uptimes, lower operating costs, and full-service support. What can we do for you? Speak with our NIST cloud security control expert today about your unique government cloud solution requirements.