NIST SP 800-53 Rev 5—Big Changes Coming?

By Lon Berman, CISSP of BAI Information Security

As you probably know, the “catalog” of security controls used in RMF is derived from NIST Special Publication (SP) 800- 53 Rev 4. What you may not know is that NIST is hard at work on SP 800-53 Rev 5.

The reaction to this news on the part of many people involved in the RMF process is likely to be concern … or even fear! Will extensive re-work need to be done to adapt our RMF packages to the new control set? Will new or revised documentation artifacts … or even system implementation changes … be required in order to comply? The more cynical among us may even be thinking “Just when we’re beginning to get our arms around this stuff, they’re going to change it and mess us up again!” The bottom line is we won’t know for sure until the document is published and we all get a chance to carefully analyze its contents. Until then, however, there are many factors that should lessen our concerns about the potential for major upheaval.

First of all, it’s important to understand the NIST publication process, and to do that we need to understand what NIST is all about. A key element of NIST’s mission is private sector outreach, and part of the way they achieve that mission is by engaging outsiders in the publication process. An Initial Public Draft (IPD) is published, followed by a period during which comments can be submitted, leading to the publication of additional drafts, and, ultimately, a final document. This stands in sharp contrast to most DoD publications that are close-held until final publication, at which time they are “lobbed over the wall” at an unprepared audience.

For NIST publications, it typically takes several months from the IPD to the final document. We have yet not even seen an IPD of SP 800-53 Rev 5. It was originally scheduled for release on 28 March 2017, but, according to a NIST announcement, that has now been delayed due to “internal review” (they hope to publish the IPD “in the very near future”). If we assume the IPD is released in April or May, it is likely the final document will not be published until November or December.

In order to fully utilize this revised SP 800-53, NIST also needs to publish a corresponding revision of SP 800-53A, with assessment procedures matching the new control set. The IPD of this document is currently slated for December of 2017, which would push final publication well into 2018.

Before the new 800-53 and 800-53A can be adopted by DoD, several additional steps must be completed, including:

  • Publication of a revised edition of CNSSI 1253. The level of effort for revision of CNSSI 1253 depends on the number of substantive changes to the controls in SP 800-53 Rev 5. Unfortunately there is no visibility into the CNSS publication process; we’ll only know the revised document is done when it appears on the CNSS website!
  • Incorporation of new/revised controls into the eMASS database. This would be DISA’s responsibility and would only occur once the NIST and CNSS documents have been finalized and published. In other words, we are probably looking at very late 2018, or beyond, before DoD system owners will need to address any of this in their RMF packages. In their announcement of SP 800-53 Rev 5, NIST gives some insight into the new content we can expect, and much of it will not materially affect the controls.

Here are some examples:

  • The phrase “information system” will be replaced by “system” in order to make the document applicable to a wider variety of systems, such as industrial and process control systems, cyber physical systems, weapon systems, and even “Internet of Things” (IoT) devices.
  • The wording (but not the intent) of the controls will change to make them more “outcome based”. For example, a control such as “The organization will implement multifactor authentication…” will now be stated-as “Implement multi-factor authentication…”.
  • The Program Management (PM) family of controls and the Privacy controls will be moved into a single Appendix along with the 17 primary security control families.
  • The “federal focus” of the document will be de-emphasized to encourage its use by non-federal organizations such as state and local governments, private industry and academia. As we learn more about SP 800-53 Rev 5, we will share our insights in future blog posts.

If you are interested in learning more about our RMF for DoD IT training course, please click here.