Welcome to 2022! It’s now been well over a year since the release of NIST SP 800-53 Rev 5, yet Rev 4 remains the DoD standard. When DoD first adopted RMF … back in 2014! …they expressed their commitment to “keeping up” with the NIST publications. So why the long delay in this case? When can we expect DoD to finally adopt Rev 5?
In a previous edition of RMF Today … and Tomorrow we provided a summary of the new and revised material in Rev 5, and also listed out the many “moving parts” that will need to
change in order to accommodate the transition from Rev 4 to Rev 5. Prime among these is the publication of a revised CNSSI 1253, which is the governing document for selection of
security controls and CCIs based on the system categorization. Until the Committee on National Security Systems (CNSS) releases a revised 1253 document, DoD will be unable to proceed with adoption of NIST SP 800-53 Rev 5. So, at least for the time being, DoD can “hide behind” CNSS as the reason for the delay.
Allegedly work is “underway” on the 1253 revision, but, again, no idea when this will actually happen. Unlike NIST, which regularly releases publication schedules and draft documents for public comment, DoD and CNSS tend to do their document development “in the dark”, so to speak, before finally lobbing new publications “over the wall” and making them official. In other works, it could happen tomorrow, or it could happen in twelve months … or something in between.
Even after a new CNSSI 1253 is available, there are still numerous obstacles to overcome. First and foremost, eMASS needs to be revised to include the Rev 5 security controls
and CCIs. This is a major undertaking that will involve extensive development and quality assurance work. Changes to controls and CCIs may also entail corresponding changes to DISA STIGs. The RMF Knowledge Service content will also need to be revised, particularly the Security Controls Explorer.
Finally, a “transition plan” will need to be worked out. It’s clearly unrealistic to expect every DoD system to transition “overnight” to the Rev 5 control set, so some sort of phased
approach will be needed. The most reasonable assumption is that each system will be expected to make the transition on its next “ATO cycle”. So if your system just got its new three year ATO, you would not be expected to make the transition for another three years. So far so good. If your ATO expires in six or nine months, you would need to get cracking on
making the transition ASAP. Well, OK. But, what about a system whose ATO expires in three or four months? The system owner is probably already deep in the throes of working the new
ATO. What will they be expected to do? As usual, the devil is in the details, and all of this will need to be worked out before DoD can officially begin the transition.
All that said, I believe it’s reasonable to expect some sort of movement on the part of DoD this year. My recommendation is to get yourself as ready as you can. Get yourself a copy of
NIST SP 800-53 Rev 5 and start reading!