What is the Difference Between NIST 800-53 Revision 4 and Revision 5?

Auditor working on a compliance assessment

What is the Difference Between NIST 800-53 Revision 4 and Revision 5?

The National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) is a set of guidelines recommending how U.S. government agencies and private sector organizations supporting federal contracts should manage and protect information systems and the data within those systems.

The security controls within NIST SP 800-53 are organized into different categories ranging from Access Control to Contingency Planning, Media Protection, Risk Assessment, and more. In total, these categories house more than 1,000 individual control elements.

NIST 800-53 has been through multiple rounds of revisions since it was first introduced to accommodate changes in technological innovations and data management best practices. The final version of the most recent revision — NIST 800-53 Revision 5 — was initially introduced in 2020 and was open to public comment through October 1, 2021.

Now, Revision 4 has been superseded by Revision 5. Let’s review a few key differences between the two.

A Greater Emphasis on Privacy

At a high level, Revision 5 incorporates a greater emphasis on privacy — part of a larger effort to integrate privacy into all Federal Information Security Management Act (FISMA) regulations. As such, privacy controls that were previously detailed in an appendix to the main catalog of NIST 800-53 Revision 4 have evolved and moved into a new privacy control family called Personally Identifiable Information Processing and Transparency.

We’re not surprised by this change. There’s been an increasing emphasis on privacy over the last few years, with the introduction of regulations like the EU’s GDPR and China’s PIPL. NIST even came out with its own privacy framework early in 2020.

Additional Control Categories

Personally Identifiable Information Processing and Transparency isn’t the only new control category in Revision 5. Supply Chain Risk Management and Program Management categories are also present in this newest revision. The Supply Chain Risk Management control family expands on concepts that were previously outlined in the Supply Chain Protection control within Revision 4, and the Program Management family expands on the Information Security Program Management controls that were addressed in Appendix G of Revision 4.

We expect supply chain risk to remain top of mind and are tracking a published timeline from NIST that states the organization “will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria” in February 2022. From there, additional guidelines are expected to be published in May 2022.

A Focus on Outcomes

In addition to new and updated controls, Revision 5 also incorporates a greater emphasis on outcomes. Control statements within the updated version of NIST 800-53 have been rewritten to focus on the goal of the action instead of identifying a specific entity responsible for implementing the control. This is meant to acknowledge the fact that broad cooperation and collaboration is often required to achieve results. It is also meant to clarify the controls for non-government organizations, like private entities fulfilling government contracts, that often don’t have the same delineation of roles that we see within government organizations. With this change, NIST 800-53 is clearer and more adaptable for non-government entities seeking compliance.

Introduction of Separate Control Baselines

Revision 5 also separates the control baselines from the control catalog with a supplementary publication called NIST SP 800-53B. This supplementary publication outlines the three security control baselines — low-impact, moderate-impact, and high-impact — and provides guidance for tailoring control baselines to specific communities based on an organization’s technologies and environments of operation. NIST has stated that this change was made to further support the use of NIST 800-53 Revision 5 by different communities of interest and so the controls can be used “to support other cybersecurity lexicons and risk management approaches.”

Making Sense of All These Changes

In addition to the significant changes mentioned above, Revision 5 also incorporates a variety of new controls to strengthen security and privacy governance and accountability, support secure system design, and support cyber resilience and system survivability. The amount of changes may seem daunting, but partnering with an assessor firm that is familiar with NIST, like A-LIGN, will help you ensure that your organization doesn’t miss a beat in complying with these revised guidelines.

Whether this is your first attempt to comply with NIST 800-53, or you previously complied with Revision 4 of the guidance, A-LIGN can help you implement and update procedures to meet Revision 5 standards. And since Revision 5 officially replaced Revision 4 at the end of September 2021 — there’s no more time to waste.