Just in time for Cybersecurity Awareness Month, the National Institute of Standards and Technology (NIST) has released an update to its master IT security guidance document, Special Publication 800-53. This update, “Rev 5,” is the first major change to SP 800-53 in seven years, and a lot has changed in cybersecurity since 2013. The new guidelines will eventually form the foundation for the compliance programs – and requirements – in nearly every major US corporation with a security, privacy, and risk management focus.
Over the past few weeks, we’ve had the opportunity to fully review this 483-page document and its supplemental materials. NIST has referenced nearly 200 applicable laws, policies, directives, regulations, standards, and guidelines to bring together over 1,100 discrete controls. Read on to find out our top five observations on Rev 5, including a striking shift in its guidance on privacy.
1. Supply chain risks have finally been recognized
Supply Chain Risk Management is one of the two new control families included in this latest revision – a long overdue development. Nearly all organizations require external partners and components to carry out critical functions and are themselves part of the supply chains of other organizations. Having controls that recognize this coordinated and collaborative reality, and the inherent risks that come with this, is a major improvement from prior publications.
Previously, NIST did not provide sufficient guidance on how to control and verify these external dependencies. There are now comprehensive controls that can be more readily applied to external system services. These cover cloud-delivered services, third-party software developers, and anything that might be outsourced. Twelve new second-level controls (all with a short “SR-” prefix) address areas such as creating a risk management plan, the process around critical supply chains, and matters like performing regular assessments and reviews of suppliers. Factors like provenance, detecting tampering, component authenticity, and inspections are entirely new concepts within the SP 800-53 framework.
2. A focus on results
Prior versions of SP 800-53 focused on assigning responsibility for each control. Organizations implementing these controls in a strict fashion would be obligated to place the full burden of addressing a given control on a narrowly defined implementer (a person or team). In reality, good controls require broad cooperation and collaboration to achieve. Rev 5 shifts the focus of controls to desired outcomes – part of a broader recognition that SP 800-53 is used by non-government organizations that may not have the strict delineation of roles that government entities often do. The emphasis on achieved results aligns with a broad shift occurring across the landscape of IT. Governments and businesses alike have increased their demands on IT systems to deliver demonstrable outcomes.
3. Compliance assessment tools will show new gaps
Every new revision of SP 800-53 results in new machine-readable files following the Open Security Control Assessment Language (OSCAL) framework. These XML, JSON, or YAML files will be incorporated into various third-party tools, often translated into another open standard like SCAP or OVAL, to automate security and governance testing within organizations. These tools are crucial for demonstrating to stakeholders that best-practice controls are in place or that the implementation of controls is trending in a good direction. All organizations should consider revisiting their assessment tools in the near future and ensure that the new framework files are incorporated.
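To make the “new gaps” point concrete, here is an added example (our own illustration, not code from the original post and not a NIST or OSCAL project tool) that walks two catalog documents in the OSCAL JSON catalog shape and lists every control present in the newer one but absent from the older one. The assumed shape is `catalog` → `groups` → `controls`, with control enhancements nested under their parent control’s own `controls` key; the two catalogs embedded below are constructed, heavily trimmed samples, and the UUIDs are placeholders. This is the same walk a tool would need in order to pick out the new SR- and PT-prefixed families discussed elsewhere on this page.

```python
"""Walk OSCAL-shaped catalog JSON and diff control inventories across revisions.

Added example, not from the original post or from NIST. The two catalogs
below are constructed, heavily trimmed samples in the assumed shape of an
OSCAL catalog (catalog -> groups -> controls -> nested controls for
enhancements). Only a handful of controls are included for illustration.
"""
import json
from typing import Dict, Iterator, List

# Constructed sample: a tiny "Rev 4"-style catalog with no SR or PT family.
REV4_CATALOG_JSON = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000004",  # placeholder
        "metadata": {"title": "Sample catalog (rev4-like)", "version": "4"},
        "groups": [
            {"id": "ac", "class": "family", "title": "Access Control",
             "controls": [
                 {"id": "ac-1", "title": "Policy and Procedures"},
                 {"id": "ac-2", "title": "Account Management",
                  "controls": [
                      {"id": "ac-2.1", "title": "Automated System Account Management"},
                  ]},
             ]},
        ],
    }
})

# Constructed sample: a "Rev 5"-style catalog that adds SR and PT families
# and one extra enhancement under ac-2.
REV5_CATALOG_JSON = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000005",  # placeholder
        "metadata": {"title": "Sample catalog (rev5-like)", "version": "5"},
        "groups": [
            {"id": "ac", "class": "family", "title": "Access Control",
             "controls": [
                 {"id": "ac-1", "title": "Policy and Procedures"},
                 {"id": "ac-2", "title": "Account Management",
                  "controls": [
                      {"id": "ac-2.1", "title": "Automated System Account Management"},
                      {"id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management"},
                  ]},
             ]},
            {"id": "sr", "class": "family", "title": "Supply Chain Risk Management",
             "controls": [
                 {"id": "sr-1", "title": "Policy and Procedures"},
                 {"id": "sr-2", "title": "Supply Chain Risk Management Plan"},
             ]},
            {"id": "pt", "class": "family",
             "title": "Personally Identifiable Information Processing and Transparency",
             "controls": [{"id": "pt-1", "title": "Policy and Procedures"}]},
        ],
    }
})


def iter_controls(node: dict, family: str = "") -> Iterator[dict]:
    """Yield every control (base controls and nested enhancements) tagged with its family id."""
    for group in node.get("groups", []):
        yield from iter_controls(group, group.get("id", family))
    for control in node.get("controls", []):
        yield {"id": control["id"], "title": control.get("title", ""), "family": family}
        # Enhancements sit under their parent control's own "controls" key.
        yield from iter_controls(control, family)


def load_control_index(catalog_json: str) -> Dict[str, dict]:
    """Parse a catalog document and index its controls by id."""
    catalog = json.loads(catalog_json)["catalog"]
    return {c["id"]: c for c in iter_controls(catalog)}


def controls_in_family(catalog_json: str, family: str) -> List[str]:
    """Sorted ids of all controls (and enhancements) in one family, e.g. "sr"."""
    index = load_control_index(catalog_json)
    return sorted(cid for cid, c in index.items() if c["family"] == family)


def new_controls(old_json: str, new_json: str) -> Dict[str, List[str]]:
    """Ids present in the new catalog but absent from the old one, grouped by family.

    Each id returned is a control that an assessment tool built against the
    old catalog has no test for, i.e. a gap to triage before the new OSCAL
    content is loaded into SCAP/OVAL-based tooling."""
    old_ids = set(load_control_index(old_json))
    gaps: Dict[str, List[str]] = {}
    for cid, c in load_control_index(new_json).items():
        if cid not in old_ids:
            gaps.setdefault(c["family"], []).append(cid)
    return {fam: sorted(ids) for fam, ids in sorted(gaps.items())}


if __name__ == "__main__":
    for family, ids in new_controls(REV4_CATALOG_JSON, REV5_CATALOG_JSON).items():
        print(f"{family.upper()}: {len(ids)} new control(s): {', '.join(ids)}")
```

Running it against the two samples reports the whole SR and PT families plus the added `ac-2.2` enhancement as untested controls. Against the real published catalogs the same walk is the first step before regenerating SCAP or OVAL content: the diff tells you which control ids your existing checks were never written for.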
4. Privacy objectives have been integrated into all control sections
In Rev 4, privacy controls appeared to be “bolted on” via a separate control section devoted to the topic. In Rev 5, privacy controls are fully incorporated into the overall control guidance, with personal privacy controls taking on greater prominence. Personally Identifiable Information Processing and Transparency is one of the two new control families. This likely represents the influence of both GDPR and CCPA, both of which increased legal protections and regulations for individual privacy.
More broadly, the relationship between security and privacy is very strong, and our frameworks need to recognize this. Eight new second-level controls (all with a short “PT-” prefix) address matters such as determining authorization to process or store personal information, obtaining consent, giving sufficient privacy notice, and defining a purpose within the organization for handling this information.
5. More controls
Organizations face an ever-growing list of threats and attack vectors. The number of defined concepts/objectives that require controls grows along with these threats. When Rev 1 of SP 800-53 was released in 2005, it had close to 300 controls. Less than 10 years later, when Rev 4 was released, the number of controls had tripled to 965. Rev 5 appears to have more than 1,100 controls. Each control represents a business impact to identify, consider, implement, and iterate on.
Overall, we are left with a positive impression of the changes made in SP 800-53 Rev 5. Beyond the significant content changes, the document is easier for security professionals to use. Controls now link to each other, and the document has become more compact and well-organized.
We understand the challenge organizations would have in attempting to respond to these changes without leveraging the expertise of third parties who specialize in compliance, regulation, and governance frameworks. Most organizations will have no choice but to continue to rely on (or increase their reliance on) a blend of tools and professional service consultations to effectively adjust their security posture. This increased dependence on third-party tools and talent is not NIST’s fault. The complexity of Rev 5, and of similar guidance from other authorities, reflects the increased complexity of the cybersecurity challenges all organizations face today.