NIST SP 800-53 Rev 5 Released

At the end of September, the National Institute of Standards and Technology (NIST) delivered the Fifth revision of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.  This revision continues the evolution of the 800-series publications toward a more universal applicability that can be implemented by Federal and Private entities through their most effective risk management processes rather than forcing a top-down bureaucracy on everyone.  This is great news for anyone who has wanted to implement the best all-around cybersecurity framework but was reluctant to embrace the complexities of the Risk Management Framework (RMF) before they addressed more fundamental security topics.

Whether you’re in the “reluctant” category, or you are chomping at the bit to implement a full suite of security controls, you are in luck with the new SP 800-53 Rev 5.  Read on for a brief summary of the updates to this document and an introduction to implementing the controls within your organization.


What’s new in Rev 5?

NIST SP 800-53 Rev 5 moves toward improved usability and provides multiple ways to select and implement the controls within any network.  The primary changes, as highlighted by NIST’s release note include:

Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for information systems and organizations.

Integrating supply chain risk management: Rev. 5 establishes a new supply chain risk management (SCRM) control family and integrates SCRM aspects throughout the catalog.

Adding new state-of-the-practice controls: These are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).

Making controls outcome-based: Rev. 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement.

Improving descriptions of content relationships: Rev. 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls.

Separating the control selection processes from the controls: This allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.

Transferring control baselines and tailoring guidance to NIST SP 800-53B: This content has moved to the new (draft) Control Baselines for Information Systems and Organizations.


What do these changes do for us?

As mentioned at the beginning of this article, NIST wants to make the security controls more accessible and functional within every environment.  The controls are mandatory for Federal agencies, who have been following the full RMF process for years.  They are also the best set of security controls available, and now they are easier for everyone to implement in a streamlined manner. 

If you are weighing the pros and cons of adopting a formal risk management framework or just thinking about improving your current level of cybersecurity, take a look at our Risk Management Framework / NIST SP800-53 Starter Guide.


If you have questions or would like to discuss your security requirements, please contact us.

Contact Us

Phone: (540) 409-7476

  • LinkedIn Social Icon