January 15, 2019

January 14, 2019

NIST Releases Fifth Revision of Special Publication 800-53

The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. 

In its announcement of the draft revision, NIST explains that the update “responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.” In particular, a key purpose of the update process was to assess the relevance and appropriateness of the current security controls and control enhancements designated for each baseline (low, moderate, and high) to ensure that protections are commensurate with the harm that would result from a compromise of applicable government data and systems. In addition, the revised guidelines recognize the need to secure a much broader universe of “systems,” including industrial control systems, IoT devices, and other cyber physical systems, than the “information systems” that were the focus of the prior iterations of SP 800-53. Relatedly, the revised publication also identifies those controls that are both security and privacy controls, as well as those controls that are the primary responsibility of privacy programs.

This stated purpose and the expanded scope of the updated guidelines are evident in some of the key changes to NIST SP 800-53, which include:

  • Removing the term “federal” from the title and throughout the publication to deemphasize the federal focus of the publication and to encourage use of the guidelines by state, local, and tribal governments, as well as private sector organizations.

  • Replacing the term “information system” with “system” throughout the publication to expand the scope of the guidelines in recognition of the threats to all types of systems (e.g., industrial/process control systems, cyber physical systems, weapons systems, IoT devices, etc.).

  • Adding and integrating privacy controls directly into the existing security control catalog. For example, control CM-4 SECURITY IMPACT ANALYSIS, has been changed as follows:

Control: [The organization a]Analyzes changes to the information system to determine potential security and privacy impacts prior to change implementation. (Bracketed text is struck from the prior version.)

  • Changing the structure of the controls to make them more outcome-based by removing introductory term (such as “the organization” and “the information system”) from the controls to focus on the capabilities, provide greater alignment with other NIST guidance and the NIST Cybersecurity Framework, and to reduce ambiguity. For example, control IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATION USERS), has been changed as follows:

Control: [The information system u]Uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). (Bracketed text is struck from the prior version.)

  • Mapping the security and privacy controls of NIST SP 800-53 to international security and privacy standards, including ISO/IEC 27001 (Information Security Management Systems), ISO/IEC 15408 (Common Criteria), and OMB Circular A-130, for ease of use by public and private entities. (Appendix I contains the mapping.)

  • Removing priority sequencing codes (i.e., P0, P1, P2, P3) to eliminate confusion about the priority code designations and provide flexibility in the implementation of security and privacy controls.

  • Recognizing that the controls and their applicability depend on specific technologies, environments, and business functions, and making it easier for organizations to analyze the applicability of each control by: physically separating the control selection process from the catalog of controls; including tailoring considerations as a separate appendix (see Appendix G); adding control keywords to help users develop security and privacy plans and tailor the controls to their systems; and adding hyperlinks to help navigate through the document and access other related publications.

This update also represents a step in implementing OMB Circular A-130, which was issued by the Obama administration in July 2016 and requires all federal agencies to adopt a risk-based approach to managing information and networks. The Circular includes two appendices, one on data security and another on privacy protections, which together provide guidance to federal agencies on managing information resources and personally identifiable information (“PII”). The NIST SP 800-53 revisions are responsive to the requirements imposed by the Circular, including mapping the Circular’s privacy requirements to related controls in the publication.

Typically, contractors that operate information systems on behalf of the government are also required to implement protections on those systems consistent with SP 800-53. However, before agencies (and contractors) can implement the revised SP 800-53, NIST will need to update NIST SP 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations” to match the final SP 800-53 security controls adopted by NIST. The Department of Defense (“DoD”) will have a number of additional tasks including:

  • Publishing a revised edition of Committee on National Security Systems (“CNSS”) Instruction 1253, “Security Categorization and Control Selection for National Security Systems.” CNSS 1253 provides guidance on implementing (and tailoring) the security controls from NIST SP 800-53 for use in the DoD National Security System environment.

  • Incorporating the new/revised security controls into the eMASS database. The eMASS computer application is managed by the Defense Information Systems Agency (“DISA”) and is used as a tool when implementing the NIST Risk Management Framework (“RMF”) for DoD information systems.

NIST seeks customer feedback regarding the relevance and appropriateness of the current security controls and control enhancements designated in each baseline; that is, do the security controls and control enhancements in each baseline provide the appropriate starting point for tailoring that baseline? This draft revision is open for public comment until September 12, 2017.

© 2019 Covington & Burling LLP


About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on a wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

Catlin Meade, Cybersecurity lawyer, Covington

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government contractor in proceedings before a military department Suspending and Debarring Official, resulting in a determination of present responsibility.
  • Advised Fortune 100 financial services corporation on all aspects of federal contracting, including legal review of solicitations, contract administration, and novation of existing contracts in connection with the company's global reorganization of various business units.
  • Represented three large sports stadiums during their successful efforts to obtain SAFETY Act protection for their respective security programs.
  • Advised top software company on compliance with newly-promulgated cybersecurity regulations.