NIST 800-53 provides cybersecurity guidance for a wide range of businesses across an ever-changing threat landscape.
NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, was first published in 2013. Long considered NIST’s flagship security and privacy document, Revision 5 was published in September 2020. Federal agencies, their contractors, and the wide range of other organizations that have based their security guidance processes on Rev. 4 are adjusting to the new Rev. 5 requirements.
SP 800-53 Rev. 5 is the result of NIST’s effort to develop the first comprehensive catalog of security and privacy controls that:
- Organizations of any size and sector can use to manage risks
- Are applicable to all types of systems—general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.
800-53 Rev. 5 offers guidance on customizing these controls to address the security requirements for protecting an organization’s specific missions, business operations, technologies, environments, and applications.
The primary objectives behind the changes from Rev. 4 to Rev. 5 are to make the information systems people depend on more penetration resistant, limit the damage from attacks when they occur, and ensure systems are resilient and recoverable. Rev. 5 also emphasizes the importance of protecting individuals’ privacy.
The major changes from Rev. 4 to Rev. 5 include:
- Changing the structure of the security and privacy controls to be more outcome-based
- Creating a unified and consolidated set of controls by fully integrating the privacy controls into the security control catalog and providing summary and mapping tables
- Separating the control selection process from the actual controls, enabling the controls to be used by different communities of interest
- Promoting integration with different risk management and cybersecurity approaches, including the NIST Cybersecurity Framework
- Clarifying the relationship between security and privacy to improve the selection of controls required to address the full scope of security and privacy risks
- Incorporating new controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability
Get Started with Cerberus Sentinel
Cerberus Sentinel’s team of experts has deep expertise and decades of experience working with federal agencies and public- and private-sector clients that adhere to NIST SP 800-53 guidance. We can help your organization transition from NIST SP 800-53 Rev. 4 to Rev. 5.