On Sept. 23, the National Institute of Standards and Technology (NIST) released a “historic” update to its flagship security and privacy guidance, Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.
The update, according to NIST, is one that “will provide a solid foundation for protecting organizations and systems—including personal privacy of individuals—well into the 21st century.”
NIST describes this revision not as a minor update but as an entire renovation of the SP that addresses structural issues and technical content. Since 2013, SP 800-53 has been accessed or downloaded from the NIST website “millions of times.” The most significant changes in SP 800-53, Revision 5 include:
- Making controls outcome-based;
- Consolidating the control catalog;
- Integrating supply chain risk management;
- Separating the control selection process from the controls;
- Transferring control baselines and tailoring guidance to a separate publication;
- Improving descriptions of content relationships; and
- Adding new state-of-the-practice controls.
“The update represents a multi-year effort to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things devices,” NIST said.
NIST has also provided a variety of supplemental materials, including a comparison of this revision to Revision 4 and a security and privacy control collaboration index template.