[Fisma-project] SP 800-53 Rev 5 Proposed Changes

From: The NIST FISMA Implementation Project

Greetings All,

Thanks very much for the input we have received for the initial public draft of SP 800-53 Revision 5. We really appreciate all the valuable information from those “in the field” applying the guidelines and implementing the security and privacy controls. Our publications benefit greatly from your input.

NIST is considering some structural and formatting changes for SP 800-53 Rev 5 and we want to keep you informed about how the revision is shaping up. Please note that the proposed changes described below have no effect on the actual security controls, and organizations would not be expected to make updates to security plans, tools, or templates outside of the normal update schedule to accommodate these changes. Here are a few proposed changes that you will see:

  1. Removal of the term “federal” from the title and throughout the publication to the extent appropriate. This change facilitates inclusiveness for all types of organizations (e.g., state, local, and tribal governments, industry, academia) and promotes the view that security is a national problem, not just a federal problem. At the same time, use of the guidelines by federal organizations (or any type of organization) is unaffected.
  2. Replacement of the term “information system” with “system” throughout the publication. This change facilitates inclusiveness for all types of technology (e.g., industrial/process control systems, cyber-physical systems, weapons systems, IoT devices), while not affecting use within traditional “information systems.”
  3. Movement of the Program Management control family from Appendix G into Appendix F. This change helps streamline the catalog of controls for ease of use while changing nothing but the location of the Program Management controls within SP 800-53.
  4. Movement of the Privacy controls from Appendix J into a single family in Appendix F. This necessitates renumbering the Privacy controls using a new family name, tentatively the Privacy – PR – family. This change helps streamline the catalog of controls for ease of use and fosters a closer relationship between privacy and security. The closer relationship in turn facilitates more robust protection of information that is commensurate with risk.
  5. Removal of the P0, P1, P2, and P3 “Priority” designations. This change eliminates misinterpretation about the intent of the Priority designations and allows organizations complete flexibility on the implementation sequence of security controls.
  6. Removal of the introductory “entity” language (i.e., “The organization” and “The information system”) from security controls and control enhancements. This change offers several short- and long-term benefits:
  • Makes the controls outcome-based by focusing on the security capability (i.e., what needs to be done to protect the system or information and not which entity carries out the action);
  • Provides greater alignment and consistency with other NIST guidance (e.g., SPs 800-160 and 800-171, Cybersecurity Framework);
  • Gives organizations complete flexibility on how security controls and control enhancements are implemented and managed by removing perceived limits on responsibility;
  • Eliminates confusion and ambiguity about the specific organizational element or hierarchical level of an organization that is appropriate for implementation and management of security controls;
  • Fosters innovation by removing perceived limits on responsibility; and
  • Facilitates requirements engineering by providing an adaptable structure and content that can be used by systems and product developers, systems integrators, and information security personnel within organizations.

Examples:

Current (Rev 4):

SC-8

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.


Proposed (Rev 5):

SC-8

Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.


Current (Rev 4):

CP-6

The organization:

  1. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
  2. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.


Proposed (Rev 5):

CP-6

  1. Establish an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
  2. Ensure that the alternate storage site provides information security safeguards equivalent to that of the primary site.


Please direct any questions or comments to sec-cert@nist.gov.
