On August 15, 2017, NIST published the initial public draft (IPD) of NIST SP 800-53 Revision 5 (Security and Privacy Controls for Information Systems and Organizations). It was originally scheduled for release on March 28, 2017, but was delayed by internal review and rework.
This post details my initial impressions of this public draft revision of this SP (Special Publication). It is not intended to be a comprehensive list of the differences between the initial draft revision and NIST SP 800-53 Revision 4.
Revision 5 of this key NIST SP apparently represents a one-year effort to develop the next generation of security and privacy controls. Major changes to the publication include:
- Making the security and privacy controls more outcome-based by changing the structure of the controls
- Integrating the privacy controls (Appendix J) into the security control catalog (Appendix F), while still providing summary and mapping tables for the privacy-related controls. Two new control families were created that focus solely on privacy. The remaining privacy controls were integrated throughout the rest of the control families
- Integrating the program management controls (Appendix G) into the security control catalog (Appendix F)
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest – not just RMF
- Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework (CSF)
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks
- Providing new controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability
- A significant amount of tailoring guidance and other informative material was eliminated from the publication. That content is planned to be moved to other publications such as NIST SP 800-37 (Risk Management Framework) during the next update cycle for that document
The following two diagrams show the Revision 4 and draft Revision 5 control families. Two new security and privacy control families (IP and PA) have been added in draft Revision 5, and one of the family names, CA, has been modified.
Draft Revision 5
Chapter 3, rather than an appendix, is now the security and privacy controls catalog. The following are some examples of the tables contained in this chapter. Note the extensive use of hyperlinks.
Here is an example of the full text associated with a control, e.g. CA-6 Authorization:
A key element of the NIST document development process is to engage the public in the publication process. An IPD is published, followed by a formal comment period during which comments can be submitted by anybody, leading to the publication of one or more additional drafts and, ultimately, a final published document. Typically, it takes at least six months to progress from the IPD to the final published document.
What about alignment with NIST SP 800-37, NIST SP 800-53A and CNSSI 1253? My understanding is that SP 800-37 is currently being revised by a working group. Currently NIST SP 800-53A Rev 5 is scheduled for final publication mid-2018, but I suspect this schedule will slip also. CNSSI 1253 currently is aligned with NIST SP 800-53 Rev 3 (unfortunately). Hopefully, a new revision will be published some time in 2018 which will align with NIST SP 800-53 Rev 5.
UPDATE: October 12th, 2017. NIST recently published the first discussion draft of SP 800-37 Rev 2. To quote from the CSRC webpage: “This draft responds to the call by the Defense Science Board, the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and the Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order.)”