August 16, 2017. On August 15, 2017, the National Institute of Standards and Technology (NIST) announced publication of the Draft Fifth Revision of NIST Special Publication (SP) 800-53 in a news release entitled: “NIST Crafts Next-Generation Safeguards for Information Systems and the Internet of Things.” NIST encourages public comment on Draft NIST SP 800-53-5 during the comment period of August 15-September 12, 2017, with comments sent via email by September 12, 2017, to: sec-cert@NIST.gov, with the subject line: “’Comments on Draft SP 800-53 Rev.5.’”
The Abstract for Draft NIST SP 800-53-5 is:
“This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, Executive Orders, directives, regulations, policies, standards, and guidelines. The publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions and business functions, technologies, environments of operation, and sector-specific applications. Finally, the consolidated catalog of controls addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms) and an assurance perspective (i.e., the measure of confidence in the security or privacy capability). Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.”
Keywords for Draft NIST SP 800-53-5 are:
“Assurance; availability; computer security; confidentiality; [Federal Information Security Modernization Act (FISMA) of 2014, Public Law (P.L. 113-283)]; information security; integrity; personally-identifiable information; Privacy Act; privacy controls; privacy functions; privacy requirements; Risk Management Framework; security controls; security functions; security requirements; system; system security.”
Note the keywords availability, confidentiality, and integrity, which are the foundational principles of the HIPAA Privacy and Security Rules, as are the controls in Chapter 3 that underpin standards and implementation specifications pertaining to those Rules:
- “Access Control
- Awareness and Training
- Audit and Accountability
- Assessment, Authorization, and Monitoring
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Individual Participation
- Incident Response
- Media Protection
- Privacy Authorization
- Physical and Environmental Protection
- Program Management
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity.”
Excluding 12 pages of introductory material, table of contents, and prologue, Draft NIST SP 800-53-5 comprises 3 chapters and Appendices A-I in 480 pages.
Be sure to download and carefully read the news release, referenced and linked above, from which we reproduce these excerpts:
“[T]he latest draft goes beyond both information security and the federal government to address ways all kinds of organizations can maintain security and privacy in their interconnected systems.
“Revision 5 ‘takes the guidance in new directions—we are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things,’ said Ron Ross, NIST fellow and team leader of the joint task force that wrote the updated publication. Controls are security and privacy safeguards—both technical and procedural—designed to protect systems, organizations and individuals.
“While previous versions targeted federal agencies, other organizations, particularly industry, are voluntarily adopting SP 800-53. The controls have been updated to address the needs of the more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers who are now working on privacy and security.”
Draft NIST SP 800-53-5 is an important document for your organization to download and carefully study, with the opportunity to provide public comment to NIST as appropriate. Note that the news release concludes by stating that it is designed “so that organizations outside of the federal government can more easily use the NIST controls with the frameworks they currently use, such as ISO 27001 [information security management system] and the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework.