Better late than never. Good things come to those who wait. Slow and steady wins the race.
Such sayings come to mind with NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. NIST released its initial public draft back in 2017. But nearly three years later, we have yet to see the final publication. In fact, they only just closed the public comment period this May. Although it seems we're in a bit of a holding period, perhaps these delays are for good reason.
The public and private sector rely on NIST to help manage risk and threats from hostile attacks, natural disasters, structural failures, human errors and privacy incidents. Rev 5 will provide the latest guidance on security and privacy controls designed to address these risks and threats.
Let’s review the major changes in Rev. 5 and how this new guidance could be used to improve your program for managing the risks and threats mentioned above.
NIST adapts its venerable guidance
In SP 800-53 Rev. 5, NIST offers guidance on next-generation security and privacy controls. Major changes include:
- Make security and privacy controls more outcome-based
- Integrate privacy controls more fully in the security control catalog
- Separate control selection from the actual controls
- Foster greater integration with risk management and cybersecurity approaches
- Clarify the relationship between security and privacy
- Incorporate new controls based on threat intelligence and empirical attack data
The goal of these changes is summed up by the NIST joint force tasked with developing Rev. 5. “The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.”
Making privacy controls more outcome-based
One of the significant changes with NIST 800-53 Rev 5 is making security and privacy controls more outcome-based. This is welcome news on the privacy front, with many organizations struggling to comply with privacy regulations like GDPR and CCPA.
Heavyweight privacy regulations like GDPR come across as guidance rather than a compliance directive. If you don’t know exactly what a regulation calls for or there is a question if an action meets the requirement, guidance isn’t always definitive. It’s not just GDPR. The California Consumer Privacy Act (CCPA), also lacks concreteness in its requirements.
The fact that NIST 800-53 Rev 5 will bring more clarity around privacy controls is a promising development. Organizations will have a life raft to stay afloat, as well as guidance to manage the depths of privacy.
Applying NIST controls to risk management
Another key change with NIST 800-53 Rev 5 is greater integration with different risk management and cybersecurity approaches. It supports what we’ve been saying for a long time - an integrated approach to risk management streamlines processes, enables a holistic treatment of risk, improves decision-making and drives performance for a stronger, more resilient business.
To illustrate how this works together in a technology platform, consider the example of OpenMarket, a hyper-growth mobile messaging company with increasing security requirements imposed by contracts, laws and standards. OpenMarket’s framework of choice is NIST SP 800-53. In fact, OpenMarket uses all 18 control families in the NIST framework and added a 19th custom control family to comply with 173 contracts, 254 compliance mandates and 9700 contract obligations.
Having the NIST 800-53 controls framework, and custom frameworks tucked inside the company’s ISMS within the platform makes everything accessible. In turn, this makes processes and people at OpenMarket more efficient and effective.
For now, NIST 800-53 Rev. 5 doesn’t have an official release date. But when it comes, it will be a positive development for guidance on security and privacy controls. For public and private organizations, it is proof, once again, that good things come to those who wait.