On Sept. 23, 2020, the National Institute for Standards and Technology (NIST) released the final version of its risk management framework (RMF), Special Publication (SP) NIST 800-53 Revision 5. Revision 5 has numerous positive changes including:
Federal agencies, government contractors and vendors leveraging the NIST 800-53 RMF must understand the differences between Revision 4 and Revision 5 controls so that mandated changes are implemented and they are compliant by the Sept. 23, 2021, deadline.
The most common questions asked regarding the publication of SP NIST 800-53 Revision 5 include ‘What has changed?’ and ‘How does NIST 800-53B change things?’ Baker Tilly analyzed and summarized key changes within the 800-53 framework controls from Revision 4 to Revision 5:
NIST SP 800-53 applies to all U.S. government agencies, contractors, vendors and their government partners. There is a considerable amount of work to be done to understand the changes Revision 5 creates and how it affects agencies and organizations. Planning and implementing those changes in less than a year is a significant undertaking that may require additional resources.
Organizations need to understand the differences between Revisions 4 and 5, both across the risk management framework and at the control level. System security plans, policies and procedures need to be revised. Controls will require change: modification of existing controls, integration of new controls and elimination of those no longer required. In addition, the increased use of ODVs requires definition.
Baker Tilly has completed a detailed analysis of the risk management framework and control language for each NIST 800-53 baseline. We are ready to assist your organization in understanding the Revision 5 changes and the actions needed for your organization to comply.
For more information on this topic, or to learn how Baker Tilly specialists can help you with understanding the changes to the NIST 800-53 RMF or to conduct a NIST examination, contact our team.