NIST 800-53 Rev 5 is on the way, have you read the draft? We regularly use NIST 800-53 as the criteria for controls assessment for both private and public-sector clients. With our guidance, many of our clients have successfully implemented an industry-appropriate risk management strategy, allowing them to manage their risk profile, make risk-informed strategic decisions, and intentionally select, tailor, and implement key security controls. We have helped private sector clients adopt and modify the NIST risk management framework and provided helpful guidance on how to build or improve an information security program and efficiently address security risk.

NIST 800-53 Rev 5 – Why is it so important?

One of the flagship tools included in our security assessment approach is NIST 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST 800-53 Rev 4 provides a detailed security controls catalog as part of the NIST Risk Management Framework (RMF), and has been adapted, tailored, and modified for use countless times. However, it has now been over 5 years since the original release of NIST 800-53 Rev 4, and over 3 years since the last major content update. According to the current schedule, NIST will release the much-anticipated final public draft of NIST 800-53 Rev 5 in October 2018, with a planned final publication in December 2018.

While the controls in the current version are still of great value and effectiveness, there has been significant change to use of technology, attack vectors, and the threat landscape. With the widespread adoption of the NIST Cybersecurity Framework, private sector organizations are looking to NIST SP 800-53 for supplemental guidance and as a best practice security controls framework. To help these organizations best utilize their often-constrained security resources and budgets, it is critical that  NIST update this catalog to maintain relevance, address aforementioned changes, and adhere to new best practices.

Updates are coming

In recognition of this changing landscape, NIST has spent significant time and effort working with key public and private sector stakeholders to revise the current document. The latest draft of NIST 800-53 Rev 5, released August 2017, includes some significant changes. the key changes summarized below:

  1. The first major change is in the title, where NIST has removed the word “Federal”, in recognition and promotion of widespread private sector use of the document and associated controls. This change makes it clearer that these controls are suitable for both public and private sector use.
  2. There is significant additional background context in Chapter 2, including thought provoking statements, and explanations of terms, concepts, and application of the document. These provide significant value to organizations first reading the document and evaluating its use.
  3. The security and privacy controls are now consolidated into Chapter 3, resulting in two new control families, Individual Participation (IP), and Privacy Authorization (PA). The Individual Participation (IP) control family includes controls for:
    • User-facing privacy controls including consent
    • Redress (data accuracy and corrections)
    • Access to one’s information
    • Privacy notices
  1. The Privacy Authorization (PA) control family includes controls for:
  • Verifying legal authority to collect, use, maintain, and share Personally Identifiable Information (PII)
  • Supporting documentation for use cases
  • Development and communication of privacy notices
  • Development of guidelines for sharing of PII, and more.
  1. New references in controls to address both privacy and security. More detailed explanations of the relationship between security and privacy in the document introduction.
  2. NIST has introduced the concept of “joint controls” between privacy and security.
  3. Appendix F has been created to illustrate the decision points and shared responsibility between Security and Privacy programs, controls, and control ownership.
  4. Additional appendices have been created to support understanding of this relationship. Of note, Appendix E, a table of the controls that NIST has defined as “joint controls” for reference.
  5. Creation of Appendix H, a list of privacy keywords that are referenced in security controls that have not been designated as “joint controls”. In addition to the general consolidation, these unique control families will help promote the appropriate integration of privacy and security programs. As a result, this will help address privacy gaps that aren’t inherently or sufficiently addressed through the security controls in previous revisions.
  6. Clarification of the System and Services Acquisition (SA) control family. Additionally, clarification of applicability to both internal and external developers of systems, components, and services.
  7. Modification of control baselines for several control families
  8. Addition of new controls to existing control families to address identified gaps
  9. Additional control detail, clarification, and rewording. This helped reduce ambiguity and increase the applicability and flexibility of control implementation.

The current publication release date schedule is as follows:

  • Final Public Draft:  October 2018
  • Final Publication:  December 2018

*Dates are subject to change, information current as of May 16, 2018

If you’re interested in reviewing the detailed changes of NIST 800-53 Rev 5, you can find the source documents here:

If you want to keep track of the NIST Risk Management documentation publication schedule, you can find that information here:

NuHarbor Security will be actively monitoring for future drafts and will revisit this topic in coming months with a more detailed analysis of specific changes.

Want to chat NIST 800-53? Have concerns? Feel free to reach out! Curious about our NIST related services? Click here


Mark Brisson
Information Assurance Manager