by Lon J. Berman, CISSP, RDRP
Those of us who have worked with government information systems for a number of years have come to realize the wheels of change turn very slowly – but they do turn! Case in point – DoD adoption of NIST Special Publication (SP) 800-53 Rev 5.
As you probably know, SP 800-53 is the source of the security controls upon which the RMF process is based. NIST released Revision 5 of this publication way back in 2020, yet DoD is still relying on Revision 4 as the official source of RMF security controls. Why the long delay?
It turns out it’s not as simple as DoD saying “Well, there’s an updated version of SP 800-53. Everyone start using it now.” There are several key dependencies, to wit:
- An updated version of NIST SP 800-53A to provide assessment procedures to match the controls in the updated SP 800-53.
- An updated version of CNSSI 1253 with security controls matching the updated SP 800-53.
- A policy specifying when existing RMF packages need to transition from SP 800-53 Rev 4 to Rev 5.
- An updated version of eMASS with security controls matching the updated SP 800-53 along with a process for transitioning an RMF package from Rev 4 to Rev 5.
Slowly but surely, NIST and DoD have been working to address these dependencies.
- NIST SP 800-53A (Assessment Procedures) has been published.
- CNSSI 1253 has been updated accordingly.
- DoD will soon release a transition policy and an updated version of eMASS supporting the SP 800-53 Rev 5 controls, as well as transition of existing RMF packages from Rev 4 to Rev 5. DoD expects formal adoption of SP 800-53 Rev 5 as soon as April 2023 (i.e., NOW).
DoD realizes they cannot “magically” throw a switch and have tens of thousands of RMF packages updated to SP 800-53 Rev 5. Instead, they plan on adopting a more realistic phased approach to this transition. Here are some of the highlights:
- New systems or those without existing authorization will transition to the new SP 800-53 and CNSSI 1253 within six months of DoD adoption.
- Systems in the midst of RMF activities will continue using the existing versions of SP 800-53 and CNSSI 1253, but will also develop a plan for transition to the new versions, and have said plan approved by their Authorizing Official (AO).
- Systems with a current Authorization to Operate (ATO) will develop a transition plan and have said plan approved by the AO.
- In all cases, transition to the new SP 800-53 and CNSSI 1253 must take place before the next system re-accreditation date.
So that’s it, right? Welllll … not quite. Once DoD has everything in place, it will be up to each DoD component (Air Force, Army, Marine Corps, Navy, etc.) to adopt these changes as part of their information security policies and procedures. For some DoD components, adoption will come very quickly, but for others, it might take weeks … or even months! At this point we can safely say it will be happening “soon”, but just how soon is still a matter of speculation. Those of us who were around for the DIACAP to RMF transition (15 or so years ago) will readily affirm the possibility of further delays at the component level.
Regardless of the specific timing within your DoD component, there are some things you can do now to prepare yourself. The most important of these is to familiarize yourself with NIST SP 800-53 Rev 5. Also, take a look at NIST SP 800-53A Rev 5, the new 800-53B, and the recent update of CNSSI 1253. That ought to keep you busy until the other shoe drops.