By Kathryn Daily, CISSP, CAP, RDRP
Back in September of last year (2020), NIST finally published the final version of Special Publication 800-53 Revision 5. Most notably, this revision incorporated privacy considerations in the security controls themselves rather than having separate control families for the privacy controls (e.g., AR, AP, IP, etc.). This is a considerable change from Rev. 4 that completely reorganizes the control catalog. To help with the transition, NIST has provided some supplemental materials to make the transition easier to manage.
The first supplemental item is the analysis of updates between the 800- 53 Rev. 5 and Rev. 4. This Excel spreadsheet describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significant changes. The change notations are as follows:
- New base control indicates that the control did not exist in Rev. 4.
- New control enhancement indicates that it is a new enhancement either of a Rev. 4 base control or a new base control.
- Withdrawn indicates that the Rev. 4 control or control enhancement is no longer present in Rev. 5.
- Changes title indicates that a control title has been changed.
- Adds control text indicates that additional text has been added to the definition of the control, whether base control or enhancement.
- Adds parameter indicates that a new parameter has been added. Typically, the new parameter is quoted or characterized in the detail column.
- Changes control text refers to the definition of the control whether base control or enhancement.
- Change Parameter demonstrates that the text of an existing parameter has been modified.
- Removes parameter indicates a parameter that no loner exists in Rev. 5. Typically, the removed parameter is given in the detail column.
- Add discussion adds discussion text that previously did not exist in Rev. 4. This might be the benefit or advantage provided by the control, further definition, etc.
- Changes discussion indicates that the discussion text has been modified from what existed in Rev. 4. (e.g., “adds privacy references,” provides examples or advantages)
- Adds to Privacy Control Baseline (SP 800-53B) indicates that the control or control enhancement has been added to the NIST SP 800-53B Privacy Control Baseline As you can see from these change notations, Rev. 5 is a complete overhaul from the previous Rev. 4.
Analyzing these changes sooner, rather than later, will position you to quick(ish)ly transition from Rev. 4 to Rev. 5
In addition to the analysis of updates, NIST has provided a mapping of Appendix J Privacy controls. As noted earlier, the privacy controls are no longer separate families but are organized into an integrated control catalog for a more holistic approach from a privacy and security standpoint. The mapping provides a listing of all privacy controls in Rev. 4 alongside their new Rev. 5 control. For example, AP-1: Authority to collect has been moved into the new PT family (Personally Identifiable Information Processing and Transparency) as PT2 (Authority to Process Personally Identifiable Information). Some privacy controls have been cut up and placed into several new and existing controls. For example, AR-5 (Privacy Awareness and Training) has been incorporated into existing controls AT-1, AT-2, AT-3 and PL-4.
It is imperative that we get out in front of this major change and these supplemental materials will make that transition much easier. DoD likely will not adopt this new revision absent the implementation guidance (and your guess is as good as mine as to when that will come out) but the transition is coming. The old boy scout motto of “be prepared” is good advice here. Get prepared. It’s coming.