The National Institute of Standards and Technology (NIST) published its latest revision to Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, in September 2020, and federal organizations (along with the private-sector companies that track the publication) are expected to move toward the updated guidelines within about a year, around September 2021. Detailed public guidance on the Rev 5 rollout timeline has not yet been released, so implementation will most likely unfold over the next six to twelve months. Now is the time to familiarize yourself with the changes so you can incorporate the relevant updates into your current framework and be prepared to meet the new compliance expectations.
Since its previous revision in 2013, NIST SP 800-53 has provided a consolidated, integrated catalog of security and privacy controls. The publication sets out controls intended to strengthen critical infrastructure and ensure that systems can withstand complex and varied cyberattacks.
While the controls are flexible enough to let organizations tailor processes and safeguards to their own needs, both public- and private-sector companies must be familiar with them. Familiarity ensures that your organization can meet the FISMA-driven compliance requirements written into federal contracts, and lets private companies cross-reference the considerable overlap between SP 800-53 and other non-government compliance frameworks.
Changes to Rev 5
Here are a couple highlights to be familiar with regarding the updated SP 800-53:
- Addition of new control families: Rev 4 contains 17 control families (18 if you count the Program Management (PM) controls in Appendix G), plus Appendix J, the separate catalog of privacy controls. In Rev 5 this design has been overhauled: the catalog now contains 20 control families, and the privacy controls are integrated into the relevant families rather than presented in one standalone appendix. In addition to distributing privacy controls throughout the catalog, NIST added the PII Processing and Transparency (PT) control family, focused on protecting personally identifiable information (PII). Note also that the control baselines themselves no longer live in SP 800-53; they have been moved to the companion publication SP 800-53B.
- A shift in approach to supply chain risk management: There has been a shift in perspective on how supply chain risk will be addressed and evaluated going forward. In previous iterations of 800-53, the System and Services Acquisition (SA) control family covered most of the requirements around vendors and software/hardware procurement. Rev 5 introduces a dedicated Supply Chain Risk Management (SR) control family as a concentrated effort to address supply chain risk in its own right.
We realize that changes to publications like SP 800-53 can be intimidating, but you don't have to navigate these waters alone; we're here to help. Threats are continually evolving, so the importance of maintaining and using the appropriate risk management tools cannot be overstated. Now is the time to get prepared, be prepared, and stay prepared. Reach out to us for assistance and we'll help you establish your mission readiness for the Rev 5 rollout.