In an effort to strengthen the trustworthiness and resilience of the information systems, component products and services that the federal government depends on in every critical infrastructure sector and which support the economic and national security interests of the United states, NIST has released an up-dated version of the NIST SP 800-53, to wit, NIST SP 800-53 Rev 5. Changes are as follows:
- Creates security and privacy controls that are more outcome-based by changing the structure of controls
- Fully Integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls
- Adding two new control families for privacy and supply chain risk management
- Integrating the Program Management control family into the consolidated catalog of controls
- Separating the control selection process from the controls—allowing controls to be used by different communities of interest
- Separating the control catalog from the control baselines
- Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks
- Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
- Strengthen security and privacy governance and accountability;
- Support secure system design; and
- Support cyber resiliency and system survivability.
The control structure is now outcome focused as you can see in the following example:
SC-10 Network Disconnect
(SP 800-53 Rev. 4)
Control: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time-period] of inactivity.
SC-10 Network Disconnect
(SP 800-53 Rev. 5 FPD)
Control: Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time-period] of inactivity.
There exist new systems security engineering control enhancements. In Rev. 4 we have SA-8 Security and Privacy Engineering Principles. In Rev. 5 we have added Enhancements (1)-(6) as follows: (1) Clear Abstractions, (2) Least Common Mechanism, (3) Modularity and Layering, (4) Partially Ordered Dependencies, (5) Efficiently Mediated Access, and (6) Minimized Sharing. These new control enhancements link to security design in the NIST SP 800-160, Vol 1 (Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems).
Appendix J has been reorganized to A) align some privacy controls in previously existing control families and B) A new family, to wit, PII Processing and Transparency (PT). The PT family will consist of the following controls:
- PT-1 Policy and Procedures
- PT-2 Authority to Process Personally Identifiable Information
- PT-3 Personally Identifiable Information Processing Purposes
- PT-4 Minimalization
- PT-5 Consent
- PT-6 Privacy Notice
- PT-7 System of Records Notice
- PT-8 Specific Categories of Personally Identifiable Information
- PT-9 Computer Matching Requirements
The Program Management (PM) family of controls will have some added privacy controls at the program level. For example, as you know, PM-1 refers to the Information Security Program Plan. Rev. 5 introduces PM-18, Privacy Program Plan. PM-2 refers to the Information Security Program Leadership Role. PM-19 refers to the Privacy Leadership role. Rev 5 is baking in privacy specific controls at the program management level.
Additionally, there will be a new control family for Supply Chain Risk Management (SR). New controls will consist of SR-1 Policy and Procedures, SR-2 Supply Chain Risk Management and SR-4 Provenance. The remaining 8 controls in the family are repurposed from the SA family of controls already existing in Rev. 4.
One topic that NIST specifically wants feedback on is the Security and Privacy Collaboration Index. The idea here is that it will provide better guidance on control implementation collaboration between security and privacy programs. There are 2 options to choose from:
Option one is a 5-point scale, as follows:
- S–Controls are primarily implemented by security programs–minimal collaboration needed between security and privacy programs.
- SP–Controls are generally implemented by security programs–moderate collaboration needed between security and privacy programs.
- SP–Controls are implemented by security and privacy programs–full collaboration needed between security and privacy programs.
- PS–Controls are generally implemented by privacy programs–moderate collaboration needed between security and privacy programs.
- P–Controls are primarily implemented by privacy programs–minimal collaboration needed between security and privacy programs.
Option two is a 3-point scale, as follows:
- S–Security programs have primary responsibility for implementation–minimal collaboration needed between security and privacy programs.
- SP–Security and privacy programs both have responsibilities for implementation–more than minimal collaboration is needed between security and privacy programs.
- P–Privacy programs have primary responsibility for implementation–minimal collaboration needed between security and privacy programs.
Keep in mind this is the Final Public Draft. There will be not be a third public comment period. The current public comment period is 16 March to 29 May 2020. Comments can be submitted via email using the comment template (xls) provided under supplemental material (at https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft) to firstname.lastname@example.org