NIST 800-53 Rev. 5 Adopts a Strategic Compliance Approach, Puts Privacy at a Premium

The National Institute of Standards and Technology’s (NIST) latest version of Special Publication 800-53 places an enhanced focus on privacy controls and supply chain risk management.

The publication – commonly referred to as NIST 800-53 Revision 5 – has also adopted a more strategic approach to compliance, with a consolidated control catalog, outcome-based controls, and a separate publication for baseline and tailoring guidance. As a result, NIST 800-53 Rev. 5 is a much more robust framework, with modernized controls and a streamlined compliance process.

Privacy has become a major trend in compliance during the past few years. Requirements such as GDPR, CCPA and the recently introduced ISO 27701 certification have forced organizations to take stock of their privacy management systems. For example, ISO 27701 provides guidance for implementing a Privacy Information Management System (PIMS) as an extension to the Information Security Management System (ISMS) outlined in ISO 27001.

NIST 800-53 Rev. 5 follows suit with its updated privacy controls. Many of these controls will be familiar to NIST practitioners, as they were previously included in the appendix of NIST 800-53 Rev. 4. These privacy controls have been incorporated into a new privacy family and existing security controls to encourage cross-functional control implementation. They also complement the NIST standalone privacy framework released in January 2020.

The most frequent concerns I’ve heard from our clients center on timing; namely, when companies need to incorporate the new controls. The short answer is that your organization probably has about a year. However, there is no reason to delay starting the work required to address the changes, because it will take some time to get caught up. NIST 800-53 Rev. 5 essentially adds two new control families and approximately 20 new controls.

Historically, there is almost always a grace period during the transition from one revision to the next. This is particularly the case since the control baselines for NIST 800-53 Rev. 5 was released October 29, 2020. Ultimately, the decision of when and how the transition from Rev 4 to Rev 5 as a requirement for a company to meet is at the discretion of each federal agency.

Another focus of NIST 800-53 Rev. 5 is to secure the supply chain to protect critical infrastructure. This follows in the footsteps of another recent government security framework, the Cybersecurity Maturity Model Certification (CMMC),which will soon be required for Defense Industrial Base (DIB) contractors. NIST 800-53 Rev. 5 introduces a new Supply Chain Risk Management (SCRM) family to ensure that hardware and software vendors are applying appropriate security and privacy controls throughout the development of their products and supply chain.

In addition to these new privacy and supply chain controls, NIST 800-53 Rev. 5 also introduces a new approach to compliance that should streamline the process. First, the controls have been re-written as “outcome-based,” using strong action verbs to clearly define the goal of each control. Next, the control baselines and tailoring guidance have been moved to a separate publication to eliminate superfluous information.

Working with a qualified security assessor like A-LIGN has a lot of benefits. In addition to helping enable a strategic approach to compliance, A-LIGN can also help organizations make sense of these evolving compliance regulations. There are a lot of complex and nuanced relationships between FISMA and the NIST frameworks—the A-LIGN value add is making sense of these relationships.

Here at A-LIGN, we live and breathe the minutiae of these constantly changing compliance frameworks, so you don’t have to.

If you have any questions about NIST 800-53 Rev. 5 or need help with your federal compliance program, please don’t hesitate to contact A-LIGN today.