NIST SP 800-53 Revision 4 vs. 5: What’s the Difference?


NIST Special Publication 800-53 Revision 5 was released recently and it includes a substantial number of changes. While NIST did outline many of the changes in their release notes, there are a few other things they left out.

1. There are a lot of new controls

NIST has added a huge number of new controls, as well as enhancements to existing controls. In total, 63 controls got 149 new enhancements. The biggest gains were made by AC-4: Information Flow Enforcement (10 new enhancements) and SA-8: Security and Privacy Engineering Principles (33 new enhancements). The rest of the new enhancements are spread pretty evenly across existing controls.

There were also 66 new controls added, including two new control families: Personally Identifiable Information Processing and Transparency (PT), and Supply Chain Risk Management (SR). Both are discussed in further detail below. The Program Management family also doubled in size due to the new controls added to it.

2. No more priorities

Special Publication 800-53 revision 4 had a prioritization concept for controls. After a baseline was selected for an information system, the priority assigned to each control in that baseline could be used to decide the order in which to implement the controls. The concept was helpful for organizations that were just starting to develop and apply a control catalog. However, the concept was dropped in revision 5, and organizations will now need to develop their own prioritization for control implementation.

3. A new Privacy family and baseline were added

The privacy measures previously outlined in Appendix J of revision 4 have now been incorporated into the main body of controls. Many of them are part of a new family, Personally Identifiable Information Processing and Transparency, and a Privacy baseline has been added to identify privacy-enhancing controls across the entire control set.

Also of note is that the privacy baseline is different from other baselines in two significant ways:

  1. The baseline is not “cumulative” with any other baseline; it does not contain all of the controls of another baseline in the way that Moderate builds on the controls of Low.
  2. The privacy baseline directly incorporates control enhancements while omitting some of their base controls. The “standard” baselines of Low, Moderate, and High include base controls first and add enhancements as more restrictive baselines are selected. As a result, it was always true that if an enhancement was selected as part of a baseline, the base control was also guaranteed to be part of that baseline. That is not the case with the Privacy baseline.
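Anyone building tooling on top of the Rev 5 catalog can no longer assume either property above. The following is an added example, not code from CSF Tools or NIST, that checks both properties over a set of baselines: whether one baseline is a superset of another, and whether every enhancement in a baseline is accompanied by its base control. The baseline membership below is constructed purely to illustrate the two cases and does not reflect the real Rev 5 baseline assignments; the helper `with_base_controls` is a hypothetical convenience for implementers who want the base control text pulled in alongside an orphan enhancement.

```python
import re

# Constructed, illustrative baselines. Control membership here is invented to
# show the two structural properties and does NOT reflect the real Rev 5
# baselines. Enhancements use the catalog's "XX-n(m)" notation.
BASELINES = {
    "Low": {"AC-4", "SA-8", "SR-4"},
    "Moderate": {"AC-4", "SA-8", "SR-4", "AC-4(1)", "SA-8(1)"},
    "High": {"AC-4", "SA-8", "SR-4", "AC-4(1)", "SA-8(1)", "AC-4(2)"},
    # Privacy is neither cumulative nor base-control-complete: it picks up
    # SA-8(1) without SA-8 and does not contain all of Low.
    "Privacy": {"SA-8(1)", "PT-1", "SR-4"},
}

_CONTROL_ID = re.compile(r"^([A-Z]{2}-\d+)(?:\((\d+)\))?$")


def parse_control_id(control_id):
    """Split 'SA-8(1)' into ('SA-8', 1); a base control yields ('SA-8', None)."""
    match = _CONTROL_ID.match(control_id)
    if match is None:
        raise ValueError(f"not a control identifier: {control_id!r}")
    base, enhancement = match.group(1), match.group(2)
    return base, (int(enhancement) if enhancement is not None else None)


def missing_base_controls(baseline):
    """Enhancements in the baseline whose base control is absent from it."""
    orphans = set()
    for control_id in baseline:
        base, enhancement = parse_control_id(control_id)
        if enhancement is not None and base not in baseline:
            orphans.add(control_id)
    return orphans


def is_cumulative(lower, higher):
    """True when every control of `lower` is also selected in `higher`."""
    return lower <= higher


def with_base_controls(baseline):
    """Hypothetical helper: close the baseline over base controls so an
    implementer reading an orphan enhancement also gets its parent."""
    return set(baseline) | {parse_control_id(c)[0] for c in baseline}


def audit_baselines(baselines, ladder=("Low", "Moderate", "High")):
    """Report, per baseline, which enhancements lack their base control and
    which ladder baselines it is a superset of."""
    findings = {}
    for name, controls in baselines.items():
        findings[name] = {
            "orphan_enhancements": sorted(missing_base_controls(controls)),
            "cumulative_over": [
                other
                for other in ladder
                if other != name and is_cumulative(baselines[other], controls)
            ],
        }
    return findings


if __name__ == "__main__":
    for name, finding in audit_baselines(BASELINES).items():
        print(name, finding)
```

Run on the constructed data, the audit reports no orphan enhancements for Low, Moderate or High, shows High as cumulative over both Low and Moderate, and flags the Privacy baseline as cumulative over nothing and carrying SA-8(1) without SA-8. Against the real catalog the same two checks tell you exactly where inherited assumptions from revision 4 break.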

4. Supply Chain Risk Management controls added

Threats to the supply chain of government agencies and critical infrastructure are a significant and growing concern. Version 1.1 of the Cybersecurity Framework added supply chain risk management as a category, and NIST has now grouped the supply chain risk management controls into their own family. Revision 5 also adds a new base control, SR-4: Provenance, to address country-of-origin risks.
