The National Institute of Standards and Technology (NIST) provides guidance for information security implementations that inspires programs such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA), standards that government entities and their third parties must adhere to. There had not been an update to Special Publication (SP) 800-53, one of NIST's most recognized publications, in the last 7 years. This publication focuses on security and privacy controls for information systems and organizations.
The newest revisions (categorized under SP 800-53 revision 5) are more than simple updates. They are a complete overhaul, the product of a multi-year effort, aimed at managing risk in organizations of any size and addressing issues ranging from Industrial Control Systems to the Internet of Things (IoT), which has been making the rounds through the Senate with the recent passing of the IoT Cybersecurity Bill. Revision 5 contains numerous significant updates, including a focus on the protection outcome: the controls no longer name the entity responsible for satisfying them. This lets practitioners concentrate on what outcome the application of the control will achieve. The control catalog was also consolidated, which makes following the guidance more efficient.
Another interesting revision comes in the form of supply-chain risk management integrated throughout the other control families. According to the Director of National Intelligence's (DNI) National Counterintelligence and Security Center (NCSC), software supply-chain infiltration is a threat to critical infrastructure, and actors ranging from run-of-the-mill cybercriminals to advanced threats are known to target the supply chain. This addition allows organizations to apply NIST guidance to the supply chain across all control families, reinforcing the recommendation that organizations need robust processes to protect the supply chain from risks ranging from traditional ones (such as supplier bankruptcy) to cyber attacks.
In total, there are now 20 main control families, up from 18 in revision 4. They can be found in NIST's supplemental material, or in the following spreadsheet: https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-controls.xlsx. If you are interested in learning more about the information coming from revision 5, please refer to NIST's publication page: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.