NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first major update to the guidance since Revision 4 in 2013, and it is a complete renovation rather than an incremental update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.”

The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.”

NIST describes the document as the first comprehensive catalog to bring security and privacy controls together in a single publication. The guidance is intended to help organizations address a wide range of threats and risks, including hostile cyberattacks, human error, natural disasters, structural failures, privacy risks, and foreign intelligence entities. The controls are meant to give organizations a proactive and systematic way of protecting critical systems, components and services, and of building the resilience needed to protect the economic and national security interests of the United States.

The guidance is intended to help federal agencies, and the contractors that operate systems on their behalf, meet the requirements of the Federal Information Security Modernization Act (FISMA). Federal agencies are required to implement the controls in the updated guidance. The controls are voluntary for private sector organizations, although NIST is encouraging the private sector to adopt them to tackle privacy and security issues.

There have been several major updates to the guidance, which include:

  • New, ‘state-of-the-practice’ controls to protect critical and high-value assets. The revisions are based on current threat intelligence and cyberattack data, and are intended to improve cyber resiliency, support secure system design, and strengthen security and privacy governance and accountability.
  • Information security and privacy controls have been integrated into a single, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based: the control statements no longer name the entity responsible for implementing them (such as “the organization” or “the information system”) and instead focus on the protection outcome the control is meant to achieve.
  • Supply chain risk management has been incorporated as a new control family (SR), with guidance on how to integrate supply chain risk management throughout an organization.
  • The guidance incorporates next-generation privacy and security controls, together with guidelines for how to use them.
  • Control selection processes have been separated from the control catalog itself (control baselines now appear in the companion publication NIST SP 800-53B), making it easier for different communities of interest to use the controls.
  • Descriptions of content relationships have been improved, clarifying the relationship between requirements and controls and the relationship between security and privacy controls.

“The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States,” explained Ron Ross, NIST Fellow and co-author of the document.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.