cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AppDefects
Community Champion

NIST SP 800-53 REV 5 - Final Published

The most significant changes to NIST SP 800-53, Revision 5 include:

 

  • Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for information systems and organizations.
  • Integrating supply chain risk management: Rev. 5 establishes a new supply chain risk management (SCRM) control family and integrates SCRM aspects throughout the catalog.
  • Adding new state-of-the-practice controls: These are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
  • Making controls outcome-based: Rev. 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement.
  • Improving descriptions of content relationships: Rev. 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls.
  • Separating the control selection processes from the controls: This allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.
  • Transferring control baselines and tailoring guidance to NIST SP 800-53B: This content has moved to the new (draft) Control Baselines for Information Systems and Organizations.

In addition to the control updates, additional supplemental materials will be available immediately or in the near future, including:

 

  • Security and privacy control collaboration index template (now available)
  • Comparison of Revisions 4 and 5 of SP 800-53 (available soon)
  • Control mappings to the Cybersecurity Framework and Privacy Framework (available soon)
  • Control mappings to OMB Circular A-130 privacy requirements (available soon)
  • Open Security Control Assessment Language (OSCAL) version of SP 800-53 controls (available soon)
  • Spreadsheet of SP 800-53 controls (available soon)
2 Replies
emb021
Advocate I

And with SP 800-53 R5 out, several other items will follow along.

 

We'll be getting a revised 53A and the new 53B.

 

Other updates for FISMA documents should follow.

 

And as SP800-171 is based on 53, I would expect we'd see an update of that as well.

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Budoka
Contributor II

Can I share this post on my social media feed? I would credit it to ”AppDefects”?