[IPP] Fwd: [sw.assurance] Security and Privacy Controls for Information Systems and Organizations: NIST Publishes SP 800-53, Revision 5


Ira McDonald blueroofmusic at gmail.com
Wed Sep 23 20:29:10 UTC 2020


FYI - significant update of a base NIST standard very widely referenced in other SDOs and other NIST standards.

---------- Forwarded message ---------
From: 'Brewer, Jeffrey (Fed)' via sw.assurance <sw.assurance at list.nist.gov>
Date: Wed, Sep 23, 2020 at 4:21 PM
Subject: [sw.assurance] Security and Privacy Controls for Information
Systems and Organizations: NIST Publishes SP 800-53, Revision 5
To: sec-cert <sec-cert at nist.gov>


NIST Special Publication (SP) 800-53, Revision 5, *Security and Privacy
Controls for Information Systems and Organizations*
<https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final>,
represents a multi-year effort to develop the next generation of security
and privacy controls needed to strengthen and support the Federal
Government and every sector of critical infrastructure. These next
generation controls offer a proactive and systematic approach to ensuring
that critical systems, components, and services are sufficiently
trustworthy and have the necessary resilience to defend the economic and
national security interests of the United States.

The most significant changes to SP 800-53, Revision 5 include:

   - *Consolidating the control catalog:* Information security and privacy
   controls are now integrated into a seamless, consolidated control catalog
   for information systems and organizations.
   - *Integrating supply chain risk management:* Rev. 5 establishes a new
   supply chain risk management (SCRM) control family and integrates SCRM
   aspects throughout the catalog.
   - *Adding new state-of-the-practice controls:* These are based on the
   latest threat intelligence and cyber-attack data (e.g., controls to support
   cyber resiliency, secure systems design, security and privacy governance,
   and accountability).
   - *Making controls outcome-based:* Rev. 5 accomplishes this by removing
   the entity responsible for satisfying the control (i.e., information
   system, organization) from the control statement.
   - *Improving descriptions of content relationships:* Rev. 5 clarifies
   the relationship between requirements and controls as well as the
   relationship between security and privacy controls.
   - *Separating the control selection processes from the controls:* This
   allows the controls to be used by different communities of interest,
   including systems engineers, security architects, software developers,
   enterprise architects, systems security and privacy engineers, and mission
   or business owners.
   - *Transferring control baselines and tailoring guidance to NIST SP
   800-53B:* This content has moved to the new (draft) *Control Baselines
   for Information Systems and Organizations.*

Additional supplemental materials
<https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final> will be
available immediately or in the near future, including:

   - Security and privacy control collaboration index template *(now
   available)*
   - Comparison of Revisions 4 and 5 of SP 800-53 *(available soon)*
   - Control mappings to the Cybersecurity Framework
   <https://doi.org/10.6028/NIST.CSWP.04162018> and Privacy Framework
   <https://doi.org/10.6028/NIST.CSWP.01162020> *(available soon)*
   - Control mappings to OMB Circular A-130 privacy requirements *(available
   soon)*
   - Open Security Control Assessment Language (OSCAL)
   <https://github.com/usnistgov/oscal-content/tree/master/nist.gov/SP800-53>
   version of SP 800-53 controls *(available soon)*
   - Spreadsheet of SP 800-53 controls *(available soon)*

Publication details for SP 800-53, Revision 5:
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final



For questions, comments and feedback on the catalog or the supplemental
materials, contact: sec-cert at nist.gov.



Jeff Brewer

Management and Program Analyst

Information Technology Lab, Computer Security Division,

National Institute of Standards and Technology

301-975-2489

Jeffrey.brewer at nist.gov




