January 27, 2022 - After more than a year in the work, NIST releases the final SP 800-53a Rev 5.

According to NIST, the publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5.

Analysis of updates between Rev. 4 to Rev. 5 can be obtained here.

Now the real work starts for the agencies to adopt and implement this guidance. How much time does an agency have to implement this guidance? The general consensus is that agencies have one year after the NIST guidance has been finalized to adopt the guidance for their agencies. Exceptions may exist but should be handled using the agency's own risk management and acceptance process. Other challenges agencies must also consider include as part of their implementation include:

1. Implement of updated control catalog, This may require loading GRC solutions to support the updated SP 800-53 Rev. 5 and the 800-53a Rev 5 as it does not make sense to do one without the other.

2. Establish new/updated organizational minimum values.

3. Update organizational policies and procedures to ensure proper alignment to new guidance.

4. Migrate legacy systems from Rev 4 to Rev 5.

5. Update control implementation to address Rev 5 requirements.

6. Conduct annual control testing of migrated systems from NIST 800-53a Rev 5.

Our experience in helping agencies transitioned from Rev 3 to Rev 4 for both SP 800-53 and 53a will be valuable as you plan your transition. Feel free to contact us should you have any questions.