In September 2020 the National Institute of Science and Technology (NIST) published the fifth revision to its flagship Special Publication 800-53 “Security and Privacy Controls for Information Systems and Organizations”.

As the abstract to the publication reads, “This publication provides a catalog of security and privacy controls for information systems and organizations to protect … from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”

The controls described in the publication are technology-agnostic, flexible and customizable, and can be implemented in the framework of a corporate-wide risk management program. The purpose of these controls is to address a wide variety of requirements deriving from business objectives and goals, laws and regulations, Presidential Executive Orders, standards, and guidelines.

The publication contains a consolidated control catalog which addresses the concepts of security and privacy from two perspectives: functional and assurance. The functionality perspective defines the strength of functions and mechanisms provided by the controls, while the assurance perspective determines the degree of confidence in the security or privacy capability provided by the controls. Addressing both the functionality and the assurance perspectives helps organizations to ensure that their information systems and the services that depend on them are sufficiently trustworthy.

Revision 5 to the NIST SP 800-53 is the outcome of a multi-year effort by the Institute to develop the next generation of security and privacy controls needed to strengthen the security posture of all entities of critical infrastructure. The publication follows a proactive and holistic approach to system security to ensure that critical systems, components, and services are reliable and trustworthy and have the necessary resilience to withstand sophisticated cyber-attacks targeting them.

The most significant changes to SP 800-53, Revision 5 include:

  • A consolidated and seamless security and privacy control catalog
  • New supply chain risk management controls integrated throughout the publication
  • New state-of-the-practice controls based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability)
  • The controls are based on measurable outcomes rather than on pre-defined roles and responsibilities
  • Improved correlation between requirements descriptions and controls.
  • Clarified relationship between security and privacy controls
  • The control selection process is separated from the controls, allowing the controls to be used by different communities of interest
  • Incorporated Program Management control family in the consolidated catalog

Finally, a significant change is the development of NIST SP 800-53B, “Control Baselines for Information Systems and Organizations,” which now provides the security and privacy control baselines. The publication describes three security control baselines, one for each system impact level (low, moderate, and high) as well as a privacy baseline that is applied to all systems irrespective of impact level. In addition to the control baselines, the publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process.

In addition to these two publications, NIST has published a spreadsheet of all SP 800-53 Rev. 5 controls, and an Open Security Control Assessment Language (OSCAL) version of the controls.

How could organizations make use of this publication which covers everything from multifactor authentication to incident response? The important part is to select the controls that match your organization’s operating environment and the security and privacy programs that support your mission objectives

The best way to do that is to use the NIST Risk Management Framework (SP 800-37, Revision 2) which provides a structured risk-based approach for defining security and privacy requirements aligned with business functions and for selecting solutions and controls to satisfy these requirements.

The Risk Management Framework (RMF) defines two approaches for the selection of security and privacy controls:

  • Baseline control selection
  • Business-centric control selection

The baseline control selection approach uses the control baselines defined in NIST SP 800-53B. These are pre-defined sets of controls that serve as a starting point for the protection of data, corporate systems, and privacy. Organizations can then select the baseline that helps them satisfy the security requirements defined in various business-specific regulations, policies, and standards in accordance with the defined risk tolerance.

In the business-centric control selection approach the organization uses its own process to select controls. This approach is necessary in specialized and highly regulated business environments, such as the energy grid or the oil and gas industry. These sectors require protection from a specific set of threats which if they are exploited can heavily disrupt local societies and national economies.

In these situations, it may be more efficient and cost-effective for the organization to select the appropriate controls instead of starting with a pre-defined set of controls from a control baseline. The selection of these controls is guided by the system security categorization, risk assessment, and requirements derived from relevant regulations, policies, directives, and standards.

When selecting security and privacy control businesses need to demonstrate flexibility to adapt to emerging security and privacy risks. The control selection process should be based on a risk management program and should result in business resilience. ITEGRITI develops and implements programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor, and report ongoing program effectiveness. Our programs help companies avoid breaches and minimize business impact during a cybersecurity incident. To learn how you can benefit from our expertise, contact us.