Intro and summary of changes (ABSTRACT)
The National Institute of Standards and Technology has introduced a new revision of Special Publication 800-53, revision 5. As with any document change of this scope, there are minor and major changes. This paper provides a high-level overview of the significant changes, addressing a redefined focus in control families, accountability, and governance, as well as a discussion of the new control families, privacy transparency and supply chain risk management. The overall theme of the changes is increasing trust, transparency, governance, risk and benefit management, along with accountability and responsibility.
As with previous editions of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, protecting the integrity, confidentiality and availability of information and systems is present; however, what is novel in revision 5 (r5) is how these topics are addressed within the doctrine. Many of the controls have been renamed, primarily by removing the word ‘security’ or ‘information’ from the title and taking a more holistic approach. While the confidentiality, integrity, and availability of systems and services were implied through the NIST glossary definition of ‘security’ (NIST, 2023b), the new control titles are simply business processes (systems) that an organization should be performing to continuously improve outcomes. Again, within NIST doctrine, a system is broad in definition; however, when the term is used only as ‘information system’, the context is viewed as applying only to information systems and/or information services. NIST defines a system as:
“An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.” (NIST, 2023c)
To this end, the system encompasses the organization, its people, processes and technology. As an example, the title of control SI-4 was changed from “information system monitoring” to “system monitoring” (Joint Task Force, 2023). The r4 control text focused only on information gathered from intrusion monitoring tools, whereas r5 now focuses on monitoring systems as a whole. The updated control establishes that the organization now needs to analyze detected events and identify anomalies in business processes, software, data, applications, communications, and people.
While SI-4 was used as an example, there are key differences in other controls where the title or the control language has changed. The definitions of key words and the changes to the control sets will be paramount to ensuring a successful transition from r4 to r5. Organizations that are beginning to implement NIST within their operating environment are encouraged to understand the NIST definitions before undertaking control analysis and implementation.
Accountability and Governance
In alignment with the aforementioned broad approach to defining security and system, the significance of accountability and governance is added to the control language. Each of the control families now includes a requirement for the appointment of an official or senior official responsible for a control or control set, as well as requirements for reviewing and approving items within the control processes. Of note is the joint responsibility for authorizing a system to proceed to an operational level within the Certification and Accreditation control enhancements 1 and 2 (CA(1) and CA(2), respectively). The updated control sets establish that multiple internal authorizing officials from the same organization and an authorizing official from an external organization are also required to approve the system before it becomes operational.
Referencing the NIST dictionary, an authorizing official is:
“Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority” (NIST, 2023a)
In that same vein, the controls also establish that individuals responsible for confidentiality, integrity, and availability of information and systems have appropriate training and skills necessary to achieve desired results.
The updated controls also make reference to reviewing and approving items from within the process. This approach ensures alignment with governance as being interwoven within business processes and becoming a part of the organizational culture (Martinez, 2015).
New Control Families
Lastly, two new control families were added in r5: Supply Chain Risk Management and Privacy Transparency. Organizations rely heavily on outsourced services, such as cloud service providers or support contracts, and some may have viewed outsourcing as a risk transfer, in that the acquired service would be responsible for any negative outcomes rather than the owning organization. Additionally, as the systems and services that store, process, and transmit privacy information grow, and breaches involving personal information increase, additional controls specific to privacy, consent, and notice have been added.
Supply Chain Risk Management
Supply chain risk management is the concept of ensuring that the availability, confidentiality, and integrity of information and information systems are maintained while using services outside the organization’s direct control. Software as a Service, outsourced network support, outsourced software development, etc., would all be included in the cyber supply chain. Of note is the concept that “regardless of who performs the services, the contract owner of the system or service is ultimately responsible and accountable for the risk to the enterprise’s systems and data that result from the use of these services” (Boyens et al., 2022). In short, the responsibility and accountability cannot be delegated. These additional controls tie back to the appointment of the authorizing officials within the organization, ensuring that the individual is aware of the benefits and risks associated with the outsourced service, and a joint review of the acquisition, capabilities, objectives, and testing needed to operationalize the outsourced service or solution. The controls align with providing governance of the supply chain solution, controlling access, performing risk assessments, and related controls specific to the outsourced solution.
Privacy Transparency
Privacy Transparency (PT) is the concept whereby the organization that handles and manages the personal information of an individual will be required to disclose when the information has been shared, with whom, and for what purpose, and to allow the individual to remove and/or restrict the sharing of that information (Bradley, 2023). In the current environment, individuals generally lack the ability to remove or restrict the sharing of their personally identifiable information. The limitation in this context is that processing purpose or data classification markings are not present within data sets. As such, the specific controls within the PT control family are designed to enhance automation and customer consent decisions. Authority to process, data tagging, and automation are addressed in both the ‘Authority to Process Personally Identifiable Information’ control set (PT-2, PT-2(1), and PT-2(2), respectively) and the ‘Personally Identifiable Information Processing Purposes’ control set (PT-3, PT-3(1), and PT-3(2), respectively); together they support this change in philosophy.
Another prime example is the controls surrounding consent, which allow individuals to make decisions about the sharing of their information. While processes exist currently, most organizations still require the individual to send notice to restrict information by mail, in writing. However, due to how the individual’s data may be maintained within the company’s systems, the organization might not be able to control all flows, or might not even know where all the data is stored or flowing.
As organizations adopt this control set, planners and architects should document the data and information flows across the different intakes, processing areas, systems, and external organizations that use the data. This will help identify the processes and systems that will require the controls contained in the r5 update.
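The following is an added illustration, not code from the paper or from SP 800-53 itself, of how the PT-2/PT-3 data-tagging and automation enhancements combine with consent to produce an automated processing decision that is also logged for transparency. The record schema, the authorized-requester list, and the sample subject data are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, hypothetical schema: each PII record carries the tags the PT-2/PT-3
# data-tagging enhancements call for (authority to process, declared purposes),
# the subject's per-purpose consent, and a disclosure log for transparency.
@dataclass
class PiiRecord:
    subject_id: str
    authority: str                      # basis under which the PII was collected
    purposes: frozenset                 # purposes declared in the privacy notice
    consent: dict                       # purpose -> bool, set by the individual
    disclosures: list = field(default_factory=list)

AUTHORIZED_REQUESTERS = {"benefits_system", "notification_service"}  # constructed

def authorize_processing(record: PiiRecord, requester: str, purpose: str):
    """Automated PT-2/PT-3-style decision: returns (allowed, reason) and logs it."""
    if requester not in AUTHORIZED_REQUESTERS:
        decision = (False, "requester lacks authority to process this PII")
    elif purpose not in record.purposes:
        decision = (False, f"purpose '{purpose}' was never declared to the subject")
    elif not record.consent.get(purpose, False):
        decision = (False, f"subject has not consented to '{purpose}'")
    else:
        decision = (True, "declared purpose with active consent")
    # Every request, allowed or denied, is recorded so the individual can be
    # told who asked for their data, when, and why.
    record.disclosures.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "requester": requester, "purpose": purpose,
        "allowed": decision[0], "reason": decision[1]})
    return decision

def restrict_sharing(record: PiiRecord, purpose: str) -> None:
    """The individual withdraws consent for one purpose; later requests are denied."""
    record.consent[purpose] = False

def transparency_report(record: PiiRecord) -> list:
    """What the subject is entitled to see: the disclosures that actually occurred."""
    return [(d["requester"], d["purpose"]) for d in record.disclosures if d["allowed"]]

def sample_record() -> PiiRecord:
    # Constructed sample data for demonstration only.
    return PiiRecord(
        subject_id="subject-0001", authority="program enrollment form",
        purposes=frozenset({"benefits_eligibility", "service_notifications"}),
        consent={"benefits_eligibility": True, "service_notifications": True})
```

Without the purpose and consent tags on the record, the first two checks have nothing to evaluate, which is the gap the paper describes in current data sets.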
Conclusion
The National Institute of Standards and Technology has introduced a new revision of Special Publication 800-53, revision 5. As with any document change of this scope, there are minor and major changes. This paper provided a high-level overview of the significant changes, addressing a redefined focus in control families, accountability, and governance, as well as a discussion of the new control families, privacy transparency and supply chain risk management. A deeper dive into the specific control families will be necessary to understand the changes, as well as how items are defined according to NIST. The overall theme of the changes is increasing trust, transparency, governance, risk and benefit management, along with accountability and responsibility, and reducing errors associated with confidentiality, integrity and availability to an acceptable level.
References
Boyens, J., Smith, A., Bartol, N., Winkler, K., Holbrook, A., & Fallon, M. (2022). Cybersecurity supply chain risk management for systems and organizations. https://doi.org/10.6028/NIST.SP.800-161r1
Bradley, T. (2023, August 1). Enhancing data privacy and transparency. Forbes.com. https://www.forbes.com/sites/tonybradley/2023/08/01/enhancing-data-privacy-and-transparency/?sh=2cb40c4c8aaf
Joint Task Force. (2023). SP 800-53 r4 to r5 comparison workbook. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
Martinez, A. M. (2015). Antecedents of Employee Participation in Internal Control Design and Intent to Comply with Information System Security Policies (Issue August). (Doctoral dissertation). Available from ProQuest Dissertations and Theses Database. (UMI No. 3728641).
NIST. (2023a). Authorizing Official. Glossary. https://csrc.nist.gov/glossary/term/authorizing_official
NIST. (2023b). Information Security. Glossary. https://csrc.nist.gov/glossary/term/information_security
NIST. (2023c). System. Glossary. https://csrc.nist.gov/glossary/term/system