By Greg Kent, Senior Vice President, CTO
NIST SP 800-53 is a catalog of security and privacy controls designed to protect US federal information systems and organizations from cybersecurity risks. Addressing the requirements stated in the NIST 800-53 Rev 5 controls requires organizations to improve their cybersecurity, a top priority for passage of the Federal Information Security Modernization Act (FISMA). These guidelines pertain to federal agencies, state agencies administering federal programs, and private sector organizations with federal contracts.
It is imperative that information systems serving the government at all levels comply with the latest guidelines in NIST SP 800-53 Rev 5. All organizations entrusted to maintain these systems are expected to be compliant with the newly revised NIST 800-53 controls in the Fall of 2021.
Successfully Transitioning from Revision 4 to Revision 5
One of the changes to 800-53 included pulling out the control baseline into its own distinct publication, 800-53B. The 800-53r3 control catalog and the 800-53B baselines take effect in October 2021, one year after official announcement. Organizations need to review the new standards and understand where gaps exist in order to properly size remediation efforts. It is just as important to identify changes that do not apply to your organization to minimize unnecessary effort. If you haven’t started transition efforts, the most important task at hand should be to quickly assess gaps, initiate remediation efforts and communicate status with government agency and contractor partners.
NIST’s update to the companion publication to guide assessments of controls (800-53Ar5) is still in process. A draft for public comment was released in August, and the final publication may be released by the end of the calendar year. This is significant because organizations should expect assessments of controls for Federal agencies to begin adopting the new baseline and assessment techniques defined in 800-53Ar5 shortly after it has been published. Acting now is key to avoiding poor results in that first assessment of rev 5 controls when it comes.
As noted in a recent blog (see FedRAMP NIST Rev5 Transition Plan), the FedRAMP PMO has been working to revise the control baselines for Federal systems that run in the cloud to ensure consistency with NIST 800-53r5. The FedRAMP PMO, in coordination with the Joint Authorization Board (JAB), plans to soon release the revised FedRAMP baselines for 90 days (or more) of public comment. After making final revisions to the FedRAMP baselines for cloud systems, the PMO will then update the FedRAMP templates and other guidance (including the test cases workbook used by 3PAO assessors) to account for the rev5 changes. Although the PMO has indicated that they will allow sufficient time for cloud service providers to adopt the changes into their cybersecurity controls and documentation, it is still not clear exactly how much time CSPs will have to become compliant with the new requirements. Organizations should act now to familiarize themselves with the changes made by NIST during the SP 800-53 revision. This will prepare them to implement the 800-53 Rev5 changes to their cloud-based systems in a timely manner.
Change Highlights for 800-53 Revision 4 to Revision 5
The complete control catalog in 800-53 includes over 1000 controls and enhancements, including new families for addressing Supply Chain Risk Management (SR) and Personally Identifiable Information Privacy and Transparency (PT). Along with the new catalog of controls, NIST’s 800-53r5 web page contains to an analysis performed by MITRE detailing all of the changes to the 800-53B baselines. (See Analysis of updates between 800-53r5 and r4 by MITRE Corp) The rev5 moderate baseline includes 47 new controls, including 28 controls that are new to the catalog and 19 existing controls that have been added to the baseline. In addition, the MITRE analysis indicates that 138 other controls in the moderate baseline involve a material change to the control wording or parameters. In total, the rev5 moderate baseline contains 185 new or substantially revised controls. This means that about 2/3rd of the controls and enhancements in the 800-53r5 moderate baseline involve changes that organizations need to implement within the cybersecurity protections in place for Federal systems and to incorporate into control documentation like System Security Plans (SSPs) and continuous monitoring procedures.
A few examples of controls that contain material changes will help provide some context for the extent of the r5 changes. IA-5(1) removes control elements related to password changes (min/max age, reuse, and minimum character changes between versions). In their place, the new control requires Federal systems to maintain lists of “common, expected, or compromised passwords” and to verify that such passwords are not used. It also requires using password strength meters that help users select stronger passwords. Systems must also support very long passwords (e.g., up to 64 characters per 800-63b) and the use of any printable character (including spaces) within passwords. These are non-trivial changes that could take time to design, implement, and document in the SSP and procedures. Changes to non-technical controls may also require a significant investment of time to address. For example, AT-3 requires that role-based training address privacy concerns in addition to security. The control has also been changed to require organizations to make periodic updates to the training at regular intervals or when certain events occur. Such updates are now required to incorporate “lessons learned” from security incidents or breaches that have occurred. As a result of these changes, organizations will need to make substantial revisions to their role-based training and define several new processes and procedures in order to maintain the training going forward.
In short, the transition to 800-53r5 is not an easy one. Organizations should be prepared to make significant changes to their cybersecurity programs and have significant changes to their security and procedural documentation. Now is the time to start assessing and identifying gaps that need to be addressed so that remediation efforts can be properly designed, planned, and scheduled to allow sufficient time for implementation. Large organizations with specialized cybersecurity experts and compliance professionals with NIST expertise may be able to address the Rev 5 transition internally. However, most organizations will need to engage cybersecurity and NIST compliance expertise to serve as trusted advisors during the transition.
SecureIT has two decades of cybersecurity and NIST compliance experience providing advisory and 3rd party assessment for commercial and government organizations. As an accredited FedRAMP 3PAO, we offer gap assessment and a range of advisory services for every phase of a successful rev 5 transition initiative, as well as a NIST 800-53r5 compliance software to ensure sustained compliance.
SecureIT provides thoughtful, practical advice along with detailed assessment recommendations that organizations can follow in order to succeed in their NIST SP 800-53r5 transitions. SecureIT’s team of experts ensure that your rev 5 compliance initiatives are completed effectively and on time so you can focus on the core business of fulfilling and growing your government contracts. Interested in seeing how SecureIT can increase certainty in your 800-53r5 transition? We’d love to learn more about your situation and explain how we can help. Please contact us today.