Cyber risk management framework in a virtual environment

On Sept. 23, 2020, the National Institute for Standards and Technology (NIST) released the final version of its risk management framework (RMF), Special Publication (SP) NIST 800-53 Revision 5.  Revision 5 has numerous positive changes including:

  • Outcome-based controls
  • Improved descriptions and integration of new control areas
  • Controls based on threat intelligence

Federal agencies, government contractors and vendors leveraging the NIST 800-53 RMF must understand the differences between Revision 4 and Revision 5 controls so that mandated changes are implemented and they are compliant by the Sept. 23, 2021, deadline.

What you need to know

The most common questions asked regarding the publication of SP NIST 800-53 Revision 5 include:  ‘What has changed?’ and, ‘How does NIST 800-53B change things?’ Baker Tilly analyzed and summarized key changes within the 800-53 framework controls from Revision 4 to Revision 5:

  • There is separation of control selection from the actual controls. NIST published the Control Baselines for Information Systems and Organizations NIST SP 800-53B document on Oct. 29, 2020 (in addition to the NIST SP 800-53 Revision 5).
  • The NIST 800-53B security and privacy control baselines are predefined sets of controls to address the protection needs. The control baselines are a starting point to protect individuals’ privacy, information and information systems. The baselines can be tailored or customized to an organization’s mission, business functions, environment, specific and credible threat information and individuals’ privacy interests.
  • An organization’s privacy control baseline is established separately from the security controls baseline. Determining the privacy control baseline begins with a privacy risk assessment. This assessment considers the nature of the personally identifiable information (PII) processing and its impact on individuals to guide tailoring of the privacy control baseline for programs and systems.
  • Revision 5 integrates privacy within the security control language and supply chain controls.
  • Program management (PM) controls were originally listed in the draft NIST 800-53B document within the various baselines. In the final NIST 800-53B document, PM controls were moved, and are not associated with the security controls baselines. These controls are deployed organization wide, independent of any system impact level and support the information security program. PM controls can now be selected with privacy baseline control decisions.
  • In Revision 5, new controls are defined based on threat intelligence.
  • Revision 5 control language is outcomes based versus impact based.
  • There is a significant increase in the use of organizational-defined parameter values (ODVs) within the control language. For example, there were over 300 ODVs in the Revision 4 moderate baseline whereas there are now over 500 ODVs in the Revision 5 moderate baseline. 
  • The increased use of ODVs has also increased specificity within controls. This increase in specificity allows organizations to define specific responsibility, circumstances, media, systems, devices and response times.
  • Policy and procedure controls have changed. These documents can now be defined to address the organization, business process or system. Further, language was added regarding document consistency with applicable laws, executive orders, directives, regulations, policies, standards and guidelines. Policy and procedure documents need to delineate a responsible organizational official. Policy and procedure documents can be reviewed and updated based on both frequency and organization defined events.
  • The control count has increased in each baseline as illustrated in the table below.

Why this is important

NIST SP 800-53 applies to all U.S. government agencies, contractors, vendors and their government partners. There is a considerable amount of work to be done to understand the changes Revision 5 creates and how it affects agencies and organizations. Planning and implementing those changes in less than a year is a significant undertaking that may require additional resources.

Steps to take now

Organizations need to understand the differences across the risk management framework and at a control level between Revisions 4 and 5.  System security plans, policies and procedures need to be revised. Controls will require change; modification to existing controls, integration of new controls and elimination of those no longer required. In addition, the increase use of ODVs requires definition.

Baker Tilly has completed detailed analysis of the risk management framework and control language for each NIST 800-53 baseline.  We are ready to assist your organization in understanding the Revision 5 changes and the actions needed for your organization to comply. 

For more information on this topic, or to learn how Baker Tilly specialists can help you with understanding the changes to the NIST 800-53 RMF or to conduct a NIST examination, contact our team.

Woman at a computer analyzing data

NIST 800-53 Revision 4 to Revision 5 comparison tool

Tree-lined campus sidewalk with lights
Next up

Clery Act update: rescission of and replacement for the 2016 Handbook