NIST’s flagship security and privacy guidance document, Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, makes major changes to the Security and Privacy Controls Catalog

NIST SP 800-53, Revision 5 provides important information on selecting both security and privacy control baselines for the Federal Government. This complete renovation provides the first comprehensive catalog of security and privacy controls for managing risk for organizations across sectors and systems ranging from HPCs to industrial control systems to Internet of Things (IoT) devices.

The goal is to give government entities and the contractors they work with a single-source catalog of security and privacy controls, designed to work regardless of how different communities of interest use them.

Revision Overview

Anyone involved with federal information systems, from public organizations and agencies to contractors, subcontractors and consultants, can use this guidance both broadly and for specific needs. While this is a significant revision with a lot of detail, the major changes in SP 800-53, Revision 5 include:

  • Making controls outcome-based by changing the control structure
  • Creating a consolidated and unified set of controls by integrating the privacy controls into the security control catalog
  • Adding new privacy and supply chain risk management control families
  • Transferring control baselines and tailoring guidance to a separate publication
  • Improving descriptions of content relationships
  • Adding new state-of-the-practice controls
  • Integrating the Program Management control family into the consolidated controls catalog
  • Separating the control selection process from the controls themselves, for use by different types of user groups
  • Clarifying the relationship between security and privacy to enable better control selection across the full scope of security and privacy risks
  • Incorporating the latest practice controls, reflecting updated threat intelligence, attack data, and systems engineering and supply chain risk management best practices; this includes controls for strengthening security and privacy governance and accountability, system design security, cyber resiliency, and system survivability

By providing security control baselines for low-, moderate-, and high-impact systems in the guidance, it maximizes the control that contractors and consultants like EE Computing can have in managing the privacy risks associated with processing personally identifiable information (PII). In both small and large complex projects, it has been difficult to quantify risk, pinpoint responsibility, and find guidelines that provide a security structure tailored to each project’s needs.

These guideline modifications make that possible at an aggregate level. Organizing the requirements into specific control families makes it easier for everyone involved in a project to cite the guidelines and set up controls, procedures and even cost structures. PII Processing and Transparency, along with Supply Chain Risk Management, are now mapped out and organized within the 20 control families of SP 800-53 (Revision 5).

A Closer Look at Who Is Impacted and How

There is more to these revisions than making it easier for companies to put controls in place for security and privacy requirements based on specific needs. The guidelines make the process more cost effective while still maximizing security and privacy protections and minimizing risk.

This helps consultants and contractors like EE Computing support the needs of agencies, companies, and subcontractors in defining and implementing common controls and their parameters. The result is strict accountability for every decision made, since each must be justified against specific guidelines and each action in the security plan is recorded in the system.

These revisions go far beyond federal contractors, agencies, and consultants when it comes to privacy baselines applied to any federal information system used or operated by a contractor on an agency or other organization’s behalf. This will have far-reaching implications for the private sector as NIST guidance becomes the benchmark for security and privacy standards for businesses and organizations more broadly.

NIST provides a wealth of frameworks for control selection and implementation, including the Risk Management Framework, Cybersecurity Framework, and Privacy Framework. Plans are already in place for NIST to launch automation initiatives that make the consolidated control catalog available in different formats for delivery through https://csrc.nist.gov.

At End-to-End Computing we offer the best IT security services in the industry, reducing the cost of investing in licensing, new technology, staff and training. We have over 50 years of experience offering IT solutions to clients in both the private and public sectors. Contact End-to-End Computing now to set up a free cybersecurity assessment and trial.