Guide to Understanding Security Controls: NIST SP 800-53 Rev 5, by Raymond Rafaels

This book enhances the original NIST SP 800-53 Rev 5 publication, Security and Privacy Controls for Information Systems. NIST SP 800-53 Rev 5 is a reference publication that establishes controls for federal information systems and organizations, and it is a key input to the process of protecting and assessing the security posture of information systems. The security controls protect the confidentiality, integrity, and availability (CIA) of a system and its information. The publication is enhanced by making the following changes while preserving the original content:
1. Add illustrations
2. Explain the purpose and use of each security control in plain language (enhanced supplemental guidance)
3. Improve document formatting for easier reading
4. Remove lesser-used sections
NIST SP 800-53 Rev. 5 Coming This Summer
What does the initial public draft tell us about what we can expect in the final version? More importantly, what does it mean for organizations seeking to adopt the new guidelines? NIST SP 800-53 Revision 5 is expected to deliver major updates to the existing fourth revision. Since its inception, this publication has been the de facto guideline for security control implementation, security assessment, and Authorization to Operate (ATO) processes for government information systems. The fifth revision contains many draft changes, but one of the most significant is that it marks a departure from limiting the control sets to federal information systems.
NIST, an agency of the U.S. Commerce Department, is responsible for developing and enabling information security standards and guidelines across federal agencies. NIST developed the voluntary, risk-based Cybersecurity Framework following an executive order issued by former President Obama. The framework is divided into five functions: identify, protect, detect, respond, and recover. A further executive order on cybersecurity was issued on May 11 by President Donald J. Trump. NIST SP 800-53 provides a catalog of security controls that establishes minimum requirements for federal information systems. The controls are organized into 18 control families and selected against three impact baselines: low, moderate, and high.
NIST SP 800-53 Rev 4, Privileged Account Controls and APTs
The information security landscape is constantly changing. As new risks and mitigation strategies arise, frameworks must evolve or risk becoming irrelevant. The most recent revision, NIST SP 800-53 Rev. 5, has been deliberately revised to be more generally applicable to all types of organizations, including state, local, and tribal governments as well as the public and private sectors. The revision also addresses a broader scope of systems, including industrial control systems, IoT devices, and other cyber-physical devices and systems. NIST has also changed the structure of the controls to make them easier to read, which appears to be an extension of the effort to make the framework accessible to all types of organizations.
NIST SP 800-53 Rev. 5 is on the way; have you read the draft? We regularly use NIST SP 800-53 as the criteria for controls assessments for both private- and public-sector clients. With our guidance, many of our clients have successfully implemented an industry-appropriate risk management strategy, allowing them to manage their risk profile, make risk-informed strategic decisions, and deliberately select, tailor, and implement key security controls. We have helped private-sector clients adopt and adapt the NIST Risk Management Framework and provided guidance on how to build or improve an information security program and address security risk efficiently. However, it has now been over five years since the original release of NIST SP 800-53 Rev. 4, and over three years since its last major content update.