February 19, 2018

February 16, 2018

NIST Releases Fifth Revision of Special Publication 800-53

The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. 

In its announcement of the draft revision, NIST explains that the update “responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.” In particular, a key purpose of the update process was to assess the relevance and appropriateness of the current security controls and control enhancements designated for each baseline (low, moderate, and high) to ensure that protections are commensurate with the harm that would result from a compromise of applicable government data and systems. In addition, the revised guidelines recognize the need to secure a much broader universe of “systems,” including industrial control systems, IoT devices, and other cyber physical systems, than the “information systems” that were the focus of the prior iterations of SP 800-53. Relatedly, the revised publication also identifies those controls that are both security and privacy controls, as well as those controls that are the primary responsibility of privacy programs.

This stated purpose, and the expanded scope of the updated guidelines, are evident in some of the key changes to NIST SP 800-53, which include:

  • Removing the term “federal” from the title and throughout the publication to deemphasize the federal focus of the publication and to encourage use of the guidelines by state, local, and tribal governments, as well as private sector organizations.

  • Replacing the term “information system” with “system” throughout the publication to expand the scope of the guidelines in recognition of the threats to all types of systems (e.g., industrial/process control systems, cyber physical systems, weapons systems, IoT devices, etc.).

  • Adding and integrating privacy controls directly into the existing security control catalog. For example, control CM-4 SECURITY IMPACT ANALYSIS, has been changed as follows:

Control: [deleted: The organization a]Analyzes changes to the information system to determine potential security and privacy impacts prior to change implementation.

  • Changing the structure of the controls to make them more outcome-based by removing introductory terms (such as “the organization” and “the information system”) from the controls to focus on the capabilities, provide greater alignment with other NIST guidance and the NIST Cybersecurity Framework, and reduce ambiguity. For example, control IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATION USERS), has been changed as follows:

Control: [deleted: The information system u]Uniquely identify[deleted: ies] and authenticates organizational users (or processes acting on behalf of organizational users).

  • Mapping the security and privacy controls of NIST SP 800-53 to international security and privacy standards, including ISO/IEC 27001 (Information Security Management Systems), ISO/IEC 15408 (Common Criteria), and OMB Circular A-130 for ease of use by public and private entities. (Appendix I contains the mapping.)

  • Removing priority sequencing codes (i.e., P0, P1, P2, P3) to eliminate confusion about the priority code designations and provide flexibility in the implementation of security and privacy controls.

  • The revised guidelines also recognize that the controls and their applicability depend on specific technologies, environments, and business functions, and make it easier for organizations to analyze the applicability of each control by: physically separating the control selection process from the catalog of controls; including tailoring considerations as a separate appendix (see Appendix G); adding control keywords to help users develop security and privacy plans and tailor the controls to their systems; and adding hyperlinks to help navigate through the document and access other related publications.

This update also represents a step in implementing OMB Circular A-130, which was issued by the Obama administration in July 2016 and requires all federal agencies to adopt a risk-based approach to managing information and networks. The Circular includes two appendices, one on data security and another on privacy protections, which together provide guidance to federal agencies on managing information resources and personally identifiable information (“PII”). The NIST SP 800-53 revisions are responsive to the requirements imposed by the Circular, including mapping the Circular’s privacy requirements to related controls in the publication.

Typically, contractors that operate information systems on behalf of the government are also required to implement protections on those systems consistent with SP 800-53. However, before agencies (and contractors) can implement the revised SP 800-53, NIST will need to update NIST SP 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations” to match the final SP 800-53 security controls adopted by NIST. The Department of Defense (“DoD”) will have a number of additional tasks including:

  • Publishing a revised edition of Committee on National Security Systems (“CNSS”) Instruction 1253, “Security Categorization and Control Selection for National Security Systems.” CNSS 1253 provides guidance on implementing (and tailoring) the security controls from NIST SP 800-53 for use in the DoD National Security System environment.

  • Incorporating the new/revised security controls into the eMASS database. The eMASS computer application is managed by the Defense Information Systems Agency (“DISA”) and is used as a tool when implementing the NIST Risk Management Framework (“RMF”) for DoD information systems.

NIST seeks customer feedback regarding the relevance and appropriateness of the current security controls and control enhancements designated in each baseline—that is, do the security controls and control enhancements in each baseline provide the appropriate starting point for tailoring that baseline. This draft revision is open for public comment until September 12, 2017.

© 2018 Covington & Burling LLP


About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy is a partner in the firm’s Washington, DC office and a member of the Government Contracts Practice Group.  Ms. Cassidy works with clients to navigate successfully the complex rules and regulations that govern federal procurement.  Her practice includes both counseling and litigation components. 

Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  She regularly counsels clients on...

Jennifer R. Martin, Covington, cyber incident response lawyer, forensics consulting attorney
Of Counsel

Jennifer Martin has worked at the intersection of law and cybersecurity for the past 15 years. Her expertise in this area has been uniquely honed through her experience managing cyber risks and responding to threats from a variety of perspectives: as the director of cyber incident response and operations, and as lead in-house internal investigations counsel at Symantec; as a managing director of a top cybersecurity and forensics consulting firm; and as a federal and local cybercrime prosecutor and policymaker.

As both in-house counsel and as a private consultant, Ms. Martin has managed and advised a multitude of organizations on cyber risk mitigation and information management, and has personally developed the people, processes, and holistic programs necessary for operational excellence, internal investigations, and crisis management. She has supervised countless cyber incident response matters, including data breaches, insider thefts of trade secrets, and intrusions, from initial detection through containment, notification, recovery and remediation. She is recognized for her skill in building effective cross-functional teams comprised of critical stakeholders—impacted business units, and legal, technical, and communications departments. In addition, she has advised executive leadership on programmatic strategies for mitigating cyber risk, and on evolving legal, regulatory and ethical expectations and requirements.

Catlin M. Meade, Government Contracts Attorney, Covington & Burling Law Firm

Catlin Meade is an associate in the firm’s Washington, DC office.  

Ms. Meade is a member of the Maryland Bar. She is currently not admitted in the District of Columbia, but is supervised by principals of the firm.
