NIST SP 800-53: Transitioning from Revision 4 to Revision 5

December 17, 2020 Matt Hungate

NIST SP 800-53: Transitioning from Revision 4 to Revision 5

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53: An Overview

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (Rev5) is a catalog of security and privacy controls designed to protect information systems and organizations from the cybersecurity risks resulting from the ever-evolving threat landscape in today's digital world. The guidelines are designed to be flexible allowing an organization to implement applicable controls and manage risk based on their specific missions, processes, and technologies.  Since its publication in April 2013, both public and private sector organizations have been leveraging NIST SP 800-53 Revision 4 (Rev4) as a risk management framework for securing their information systems.  To account for the constantly evolving threat landscape, NIST recently released an updated version, SP 800-53 Rev5, on September 23, 2020, which provides organizations updated guidance on the next generation of security and privacy controls.  The intent of both versions is essentially the same, but Revision 5 is designed to deliver a control catalog that better aligns with the technology of today without losing sight of tomorrow's cyber threats and attack vectors.

Is NIST SP 800-53 Rev5 applicable to my organization?

NIST SP 800-53 is used as the set of standards and guidelines for the Federal Information Security Modernization Act (FISMA), which applies to all federal agencies, state agencies administering federal programs, and private sector organizations supporting federal contracts.  While NIST SP 800-53 Rev5 can be adopted by both public and private sector organizations as part of their risk management programs, it is a requirement that federal government agencies and their partners adhere to the publication.  Additionally, Cloud Service Providers (CSPs) that are part of the Federal Risk and Authorization Management Program (FedRAMP) process, as well as certain organizations that have contractual relationships to support the federal government, should begin to formulate a strategy to address the impact of NIST SP 800-53 Rev5.

The FedRAMP Program Management Office (PMO) is expected to issue guidance in the future regarding the specific Revision 5 controls and requirements that will make up the FedRAMP control baselines (e.g., Tailored, Low, Moderate, High).  Once this guidance is released, CSPs that are FedRAMP authorized or are seeking to pursue FedRAMP authorization should begin to understand the control implementation differences between Revision 4 and Revision 5, the overall level of effort required to meet the new control requirements, and the PMO requirements set forth for transitioning to Revision 5.

Federal government contractors that are bound by aspects of NIST SP 800-53 Rev4 will also need to be familiar with Revision 5 to meet specific contractual compliance requirements in accordance with FISMA.  Additionally, regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS), NIST SP 800-171 Rev2, and the newly adopted Cybersecurity Maturity Model Certification (CMMC) are mandated cybersecurity standards designed for non-government information systems.  While NIST SP 800-53 Rev5 is not directly related to these non-government standards, there is some overlap that may affect how an organization maps and implements controls between the multiple compliance frameworks.  DFARS, NIST SP 800-171 Rev2, and CMMC often refer to NIST SP 800-53 Rev4 for additional guidance and are likely to continue to do so for Revision 5.  For more information about the transition from NIST SP 800-171 Rev2 to CMMC, reference our recent whitepaper on the topic.

What are some of the significant changes between Revision 4 and Revision 5?

Revision 5 includes some significant updates that are designed to better align the publication's security and privacy controls with its objective of protecting organizations and information systems against a diverse set of threats and risks.  The changes summarized below are not meant to be exhaustive in nature but are instead designed to give organizations a general idea of the significant differences between the two versions.

  • Expansion of the control catalog
    The Revision 5 control catalog encompasses a total of twenty control families, an increase of three families over the Revision 4 control catalog.  The three additions consist of the Supply Chain Risk Management (SR) control family, the Personally Identifiable Information Processing and Transparency (PT) control family, and the Program Management (PM) control family.  The SR control family expands on the concepts required as part of Revision 4’s high baseline control SA-12, Supply Chain Protection.  The PT control family addresses privacy risk management which was previously addressed in the Privacy Control Catalog, Appendix J of Revision 4, and the PM control family expands upon the Information Security Program Management controls that were previously addressed in Appendix G of Revision 4.  Integration of the SR, PT, and PM control families into the Revision 5 control catalog provides organizations with a consolidated set of controls they can leverage as part of their risk management programs.

  • Incorporation of new 'state-of-the-practice' controls
    New controls and accompanying control discussions are incorporated into Revision 5 to "support cyber resiliency, support secure systems design, and strengthen security and privacy governance…based on the latest threat intelligence and cyber-attack data."  For instance, RA-10 is a new control that addresses the evolving threat landscape through the establishment of a threat hunting capability that monitors, detects, tracks, and disrupts threats that evade existing controls.  The addition of new controls that incorporate privacy requirements is also a substantial focus in Revision 5.  New controls such as CM-13, SI-18, SI-19, among many other additions, focus on understanding what personally identifiable information (PII) is being processed and security measures in place for protecting the confidentiality and integrity of the PII throughout the data lifecycle.

  • Integration of security and privacy considerations
    A 'Security and Privacy Controls' section has been added to chapter two within Revision 5 to discuss the relationship between security and privacy components.  Additionally, the individual control descriptions and control discussion sections within chapter three have been expanded to incorporate specific security and privacy considerations.  Each organization must ultimately understand the types of data being stored and processed within their environment to manage the security and privacy controls affecting this relationship.  By integrating security and privacy considerations throughout the publication, Revision 5 aims to clarify the relationship between these components to help organizations align their security and privacy objectives with the risk that accompanies the data types within their environment.

  • Restructuring the controls to be outcome-based
    Revision 5 updates the control statements to focus on the outcome of the control instead of identifying a specific entity responsible for implementing the control(e.g., the information system or the organization).  As an example, the contrasts between the approaches can be seen below by comparing the IA-2 control descriptions for both versions.

NIST SP 800-53 Rev4

NIST SP 800-53 Rev5

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

  • Separation of the control selection process from the controls
    The intent of Revision 5 is to provide a unified security and privacy control catalog that can be leveraged by various stakeholders and communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.  In doing so, Revision 5 has moved a significant amount of guidance that was previously included as part of Revision 4 to other NIST publications.  For instance, control baselines (e.g., Low, Moderate, High) and tailoring guidance will be transferred to NIST SP 800-53B Rev5.  The separation between the individual controls and control selection processes also promotes alignment with different cybersecurity frameworks, allowing organizations to integrate and streamline their risk management approach.

When does my organization need to transition to NIST SP 800-53 Rev5?

This is the most common question we receive from our clients, and unfortunately, we do not yet have a precise answer.  NIST's website states that Revision 4 will be withdrawn on September 23, 2021, but ultimately the implementation timeline for Revision 5 is going to vary based on the relationship each organization has with the federal government.  For instance, some federal agencies will likely be early adopters of Revision 5 thereby requiring their contractors to adopt the new version, while other agencies may delay the transition due to alternative priorities.

CSPs that are part of the FedRAMP process will be dependent on the guidance released by the FedRAMP PMO.  The transition to Revision 5 will certainly be a long-term process that requires extensive coordination between the FedRAMP PMO, Joint Authorization Board (JAB), Third Party Assessment Organizations (3PAOs), NIST, and other agency stakeholders.  In a recent blog post, the PMO has outlined a four-step transition plan for the FedRAMP program which includes updates to the FedRAMP baselines and documentation with ample opportunities for public comment.  It is also important to note that NIST is in the process of updating a complimentary publication, SP 800-53A Rev5 – Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.  This publication provides the procedures for assessing the security and privacy controls outlined in SP 800-53 Rev5.  The PMO has stated that it cannot complete its transition plan until SP 800-53A Rev5 is finalized by NIST.  NIST is expected to release a draft version of SP 800-53A Rev5 with a public comment period in the next six to twelve months. This expected time frame should give CSPs comfort that the transition to Revision 5 is not going to happen overnight.  Once a final version of NIST SP 800-53A Rev5 is released, the PMO will develop and finalize the specific FedRAMP control baselines and update the applicable FedRAMP documentation to reflect both Revision 5 publications.  However, the FedRAMP PMO has yet to release specific public guidance on Revision 5 timeline and the implications for CSPs that have already achieved, or CSPs that are seeking, FedRAMP authorization.  CSPs that have already initiated the FedRAMP process or are seeking to achieve FedRAMP authorization soon should not delay their efforts as a result of the uncertainty surrounding Revision 5.  Until the FedRAMP PMO releases official guidance on the topic, CSPs can confidently proceed with implementing the controls in accordance with Revision 4.

Final Thoughts

We understand how the release of NIST SP 800-53 Rev5 can seem daunting for many organizations, however, it is important to understand the implications as they relate to your organization before rushing to a panic.  At this time, minimal guidance has been released on the official timeline and requirements for the implementation of Revision 5.  The sponsoring agency’s Authorizing Official (AO), JAB, and/or the FedRAMP PMO are the primary entities that establish the required FedRAMP control baselines for CSPs pursuing or maintaining FedRAMP authorization,  therefore, until official guidance is released by these entities, it is difficult to fully understand the new implementation requirements in relation to your organization.  At a minimum, it is recommended that all CSPs who are pursuing or maintaining FedRAMP authorization should begin to familiarize themselves with NIST SP 800-53 Revision 5.


Additional Resources

SP 800-53 Revision 5 – https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

  • SP 800-53 Revision 5 pdf version, SP 800-53 Revision 5 link to OSCAL version of controls in .xls format, collaboration index template

SP 800-53B – https://csrc.nist.gov/publications/detail/sp/800-53b/final

  • Security and privacy control baselines, link to the Security Control Overlay Repository, OSCAL & spreadsheet version of baselines (forthcoming)

Risk Management Framework – https://nist.gov/RMF

  • Program overview and links to additional resources, including Quick Start Guides, an updated online course on the RMF, and the Security Control Overlay Repository. Also contains the email addresses for the NIST points of contact.

OSCAL on GitHub – https://github.com/usnistgov/oscal-content

  • OSCAL content for SP 800-53 controls (Rev 4, Rev 5, and draft baselines)

About the Author

Matt Hungate

Matt Hungate is a Senior Associate with Schellman & Company, LLC based in Charlotte, NC. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm where he specialized in strategy and assessment services for NIST SP 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has over 5 years of experience comprised of serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA. Matt is now focused primarily on FedRAMP assessments for organizations across various industries.

More Content by Matt Hungate

No Previous Articles

Next Article
HIPAA Security Rule Risk Analysis: ONC/OCR SRA Tool
HIPAA Security Rule Risk Analysis: ONC/OCR SRA Tool

Schellman Principal Doug Kanney provides an overview of the ONC/OCR SRA tool which by design helps organiza...