NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53

By Elfin Noce, Jonathan E. Meyer & Townsend Bourne
October 29, 2020

After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.

The following are the most significant updates provided by Revision 5:

  • Removal of the assignment of control responsibility to either the organization or the information system, making the controls more outcome-based.
  • Integration of the information security and privacy controls into a consolidated control catalogue for organizations and information systems.
  • Establishment of a supply chain risk management control family.
  • Separation of the control selection processes from the controls themselves, so the controls can be used by different communities of interest.
  • Removal of the control baselines and tailoring guidance, with that information transferred to NIST SP 800-53B, Control Baselines for Information Systems and Organizations.
  • Clarification of the relationship between requirements and controls, and of the relationship between security and privacy controls.
  • Incorporation of new, state-of-the-practice controls based on the latest threat intelligence and cyber-attack data.

These controls are mandatory for federal information systems, which include any information system used or operated by an agency or by a contractor on behalf of an agency. Companies will want to review these controls carefully and consider implementing them where appropriate, as NIST controls are often used as a baseline for industry standards in security and privacy and are likely to be seen as “reasonable” for purposes of compliance with broader data security laws.

NIST is also releasing supplemental materials that will be available in the near future. Among these materials will be a comparison of Revision 5 with Revision 4 and control mappings to the Cybersecurity and Privacy Frameworks.

Putting it Into Practice: Federal contractors should review these guidelines closely as these updated controls will be applied to any federal information system used or operated by a contractor on behalf of an agency. Other organizations in the private sector should pay attention as NIST guidance often influences industry standards in security and privacy.

Elfin Noce

Elfin Noce is an associate in the Business Trial Practice Group in the firm’s Washington, D.C. office. He also is a member of the Privacy and Cybersecurity Team.

Jonathan E. Meyer

Jonathan Meyer is a partner in the Government Contracts, Investigations and International Trade Practice Group in the firm’s Washington, D.C. office.

Townsend Bourne

Townsend Bourne is a partner in the Government Contracts, Investigations and International Trade Practice Group in the firm’s Washington, D.C. office. She also is Leader of the firm’s Aerospace, Defense & Government Services Team.

  • Posted in:
    Administrative
  • Blog:
    Government Contracts & Investigations Blog
  • Organization:
    Sheppard, Mullin, Richter & Hampton LLP