NIST recently provided significant updates to the September 2020 update of SP-800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations.

In this blog today, we will highlight the key changes to the documents and discuss how organizations can best prepare themselves to implement these changes.

1. Control Catalog Spreadsheet

As with prior updates, NIST has provided the entire security and privacy control catalog in excel format. This enables organizations with GRC platforms such as Archer GRC to utilize the spreadsheet to prepare their organization-defined control catalog and import that into such platforms. Zero Friction can help organizations with this readiness as we have multiple past performance with past transition from Rev. 3 and Rev. 4, along with preparing export files for various GRC platforms.

2. Baseline Controls in Rev. 5

You may find from the recent update that the control baselines are not listed. This is the case because NIST has placed the three security and privacy control baselines (Low, Moderate and High) into a new separate document as NIST 800-53B. In addition, the document also provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. Zero Friction utilizes the appropriate overlays when we test certain classes of systems such as an HVA (high-value asset) system or an industrial controller such as a PLC or a SCADA system.

3. Analysis of Updates between 800-53 Rev. 5 and Rev. 4

Provided a comparative analysis of control changes between Security and Privacy Controls for Information Systems and Organizations NIST SP 800-53 Revision 4 published in April 2013 (with 15 January 2014 updates) and Revision 5 published in September 2020. 59% or 698 records of changes are more than just editorial or administrative changes. Specifically, the changes involve:

• Adding new parameters

• Removing parameters

• Adding control text

• Changes discussion

• Adding new base control or new control enhancement (268 new base controls and control enhancements were added; 18 was applicable to low baseline, 28 was applicable to moderate baseline, and 33 was applicable to high baseline.)

• Adding Privacy Control Baseline (SP 800-53B)

The changes highlighted impact how your organization's policies and procedures are to be updated and communicated to end users. Zero Friction can provide domain expertise to help organizations to shape and transition these changes with minimal interruptions.

4. Appendix J Privacy Controls from NIST 800-53 Rev. 4

Privacy and security controls are now combined. On the surface, it may appear just a paper exercise, however, the reality is that the integrated structure between security and privacy will be a significant implementation challenge for most organizations and potentially represents the greatest risk in the implementation of NIST 800-53 Rev. 5.

5. Mappings between 800-53 Rev. 5 and other Frameworks and Standards

NIST also provided mappings of NIST 800-53 controls to NIST Cyber Security Framework and ISO 27001. What seems to be missing from these mappings are mapping to other industry standards such as PCI DSS, Critical Security Controls, or CSA Cloud Controls.

6. Collaboration Index Tool

NIST has also provided a template that identifies controls that require collaboration between privacy and security teams. Unfortunately NIST has left to the organizations to determine the extent of the collaboration. Controls and control enhancements that do not require collaboration are simply grayed out in column A.

Zero Friction has outlined some high-level guidance for organizations to successfully plan for their NIST 800-53 Rev. 5 transition. Specifically, organizations should consider the following:

• Plan early as it will take more time than expected. We estimate based on our past experience with Rev. 3 to Rev. 4 transition that the total process will take from 9 to 12 months.

• Draft the updated policies and procedures and use the update as the basis to refine or define the integration structure between privacy and security teams.

• Review your privacy and security team integration structure. Outline the part and the degree of the controls where both security and privacy teams work to implement and assess, and whom to be responsible for which portion.

• Update security control catalog and map out a transition plan for how existing and new systems to be tested or evaluated against the updated control catalog. Don't forget to update the supporting GRC systems.

• Communicate the transition plan to organizational personnel.