Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
NIST SP 800-53 Rev. 5 represents a significant restructuring vs. Rev. 4, including a new focus on privacy. This detailed how-to provides a structured
plan to help organizations successfully transition from NIST SP 800-53 Rev. 4 to Rev. 5 controls within their security and privacy management programs.
SP 800-53 Rev. 5 is not simply an update to Rev. 4; it is a major restructuring of this important information security (and now privacy) controls document. To support a successful transition from Rev. 4 to Rev. 5, it is helpful to understand the primary,
substantial changes that were made. These include:
Controls are rewritten to be outcome-based. Those using Rev. 4 and earlier versions will quickly notice this change. Prior versions framed the control by responsibility, but the new version instead describes the outcome of the control.
Figure 1 provides an example using verbatim content language from control RA-1, “RISK ASSESSMENT POLICY AND PROCEDURES,” with the key changes in the Rev. 5 update in orange.
Figure 1: Comparing Control RA-1 in Rev. 4 and Rev. 5
a. Develop, document and disseminate to [Assignment: organization-defined personnel or roles]:
b. Designate an [Assignment: organization-defined official] to manage the development, documentation and dissemination of the risk assessment policy and procedures; and
c. Review and update the current risk assessment:
Source: IANS, 2021
In effect, this expanded the management activities, scope of applicability and frequency of risk assessments. Also, by dropping the entity that performs the controls, it removes the implication the risk assessment must be performed by the organization
itself; contracted entities can perform this control. Organizations moving from Rev. 4 to Rev. 5 will need to review their risk assessment policies and procedures, and update them to reflect these changes, if they have not already been doing these
Similar impacts also resulted in the other updated controls. And because of the change from organization-based controls to outcome-based controls, generally every existing Rev. 4 control was updated, withdrawn or incorporated into another control in the
Rev. 5 catalog.
In addition to the changes detailed above, Rev. 5 also:
In addition, organizations transitioning from Rev. 4 to Rev. 5 should find NIST’s analysis of the Rev. 4 to Rev. 5 updates beneficial.
The following steps should help your organization transition from Rev. 4 to Rev. 5 efficiently and effectively.
SP 800-53 uses 20 different control families (see Figure 2).
Figure 2: NIST SP 800-53’s 20 Security and Privacy Control Families
Physical and Environmental Protection
Awareness and Training
Audit and Accountability
Assessment, Authorization, and Monitoring
PII Processing and Transparency
Identification and Authentication
System and Services Acquisition
System and Communications Protection
System and Information Integrity
Supply Chain Risk Management
Source: IANS and NIST, 2021
Assign specific review responsibilities for all 20 families to team members. Include team members who have worked in some way with meeting the Rev. 4 controls compliance, and who also have expertise in the families they will be reviewing. For example,
designating team members from the human resources (HR) area to review the personnel security controls will be beneficial, since they should have good insights about that topic. Similarly, key stakeholders from the privacy or compliance department
should be able to provide insights for all the new privacy- and personal data-specific controls.
Organizations should provide each member of the transition team with:
Each team member should:
Once you’ve followed these steps, you should have the action plan necessary to ensure complete transition from Rev. 4 to Rev. 5.
Figure 3 provides an excerpt from the NIST spreadsheet listing all the new base controls and control enhancements. The excerpt shows only the new base controls and new enhancement controls sorted into those two topics.
Moving from NIST SP 800-53 Rev. 4 to Rev. 5 requires attention to detail. To increase your chances of success:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
December 7, 2023
By IANS Research
Learn how to create an actionable CISO dashboard with meaningful security metrics using the three C’s principle that supports informed decision-making.
December 5, 2023
By Bryson Bort
As the year draws to a close, IANS Faculty provide their 2024 Cyber Predictions. Watch our video with Bryson Bort for tips on planning your 2024 IT/OT security strategy.
November 30, 2023
CISOs, find guidance on what to focus on within the first 30 days, 6 months and first year of your tenure to ensure a fast, successful start.