NIST releases DRAFT SP800-53R5

NIST has finally released the draft of SP800-53R5. SP800-53 is entitled Security and Privacy Controls for Federal Information Systems and Organizations, and is the set of controls used in FISMA, the mandated set of infosec controls used in federal systems (though many others use it as well, often state and local governments, as well as government contractors).

This has been in the works for a while now, and many expected this draft to come out several months ago. The due date for comments is September 17, 2017. They want to put out the final draft (second draft) in October, with the final version by the end of the year.

They note several changes. They have incorporated privacy controls into the document. They have separated the control selection process from the controls themselves; that control selection process is the Risk Management Framework (RMF). Doing this makes it easier for others to use the controls as is. With the NIST CSF referencing the controls in SP800-53, it also makes it easier for those using the CSF to use these controls. The draft explicitly calls out that SP800-53 can be used with the RMF, CSF, and Systems Engineering Processes.

One big change was striking “federal” from the title within the document, again as part of making the controls more accessible to non-federal users.

There is work going on to update SP800-37, which covers the Risk Management Framework. From the summary report out of the NIST CSF Workshop (see my prior posting on that), it will be updated to help show how the NIST CSF and RMF can work together, and the control selection material that used to be in SP800-53 will be incorporated there. No idea when we will see the initial draft of this update.

As to specific changes between R4 and R5? R5 clocks in at about 500 pages! There are a total of 20 families of controls, up from 18 in the prior revision. The new families are IP (Individual Participation) and PA (Privacy Authorization). Total controls? No idea. R4 had over 400.

