NIST SP 800-53 Rev. 4
NIST SP 800-53 Rev. 5 represents a significant restructuring vs. Rev. 4, including a new focus on privacy. This detailed how-to provides a structured plan to help organizations successfully transition from NIST SP 800-53 Rev. 4 to Rev. 5 controls within their security and privacy management programs.
NIST SP 800-53 Rev. 4 vs. Rev. 5 Comparison
SP 800-53 Rev. 5 is not simply an update to Rev. 4; it is a major restructuring of this important information security (and now privacy) controls document. To support a successful transition from Rev. 4 to Rev. 5, it helps to understand the primary, substantial changes that were made. These include:
Controls are rewritten to be outcome-based. Those using Rev. 4 and earlier versions will quickly notice this change. Prior versions framed each control by who was responsible for it; the new version instead describes the outcome the control must achieve. Figure 1 provides an example using verbatim language from control RA-1, “RISK ASSESSMENT POLICY AND PROCEDURES,” with the key changes in the Rev. 5 update highlighted in orange.
In effect, this expanded the management activities, scope of applicability and frequency of risk assessments. Also, by dropping the entity that performs the control, it removes the implication that the risk assessment must be performed by the organization itself; contracted entities can perform this control. Organizations moving from Rev. 4 to Rev. 5 will need to review their risk assessment policies and procedures and update them to reflect these changes, if they have not already been doing these activities. Similar impacts resulted in the other updated controls. And because of the change from organization-based controls to outcome-based controls, generally every existing Rev. 4 control was updated, withdrawn or incorporated into another control in the Rev. 5 catalog.
Additional NIST SP 800-53 Rev. 5 Changes
In addition to the changes detailed above, Rev. 5 also:
In addition, organizations transitioning from Rev. 4 to Rev. 5 should find NIST’s analysis of the Rev. 4 to Rev. 5 updates beneficial.
Steps to Transition from NIST SP 800-53 Rev. 4 to Rev. 5
The following steps should help your organization transition from Rev. 4 to Rev. 5 efficiently and effectively.
Step 1: Understand the Control Families
SP 800-53 uses 20 different control families (see Figure 2).
Step 2: Establish a Transition Work Team
Assign specific review responsibilities for all 20 families to team members. Include team members who have worked in some way with meeting the Rev. 4 controls compliance, and who also have expertise in the families they will be reviewing. For example, designating team members from the human resources (HR) area to review the personnel security controls will be beneficial, since they should have good insights about that topic. Similarly, key stakeholders from the privacy or compliance department should be able to provide insights for all the new privacy- and personal data-specific controls. Organizations should provide each member of the transition team with:
Step 3: Get to Work
Each team member should:
Once you’ve followed these steps, you should have the action plan necessary to ensure a complete transition from Rev. 4 to Rev. 5. Figure 3 provides an excerpt from the NIST spreadsheet listing all the new base controls and control enhancements. The excerpt shows only the new base controls and new control enhancements, sorted into those two groups.
NIST SP 800-53 Rev. 4 to Rev. 5 Transition Tips
Moving from NIST SP 800-53 Rev. 4 to Rev. 5 requires attention to detail. To increase your chances of success:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.