The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Security Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revision is to make its cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their own systems.

In its announcement of the draft revision, NIST explains that the update “responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.” In particular, a key purpose of the update process was to assess the relevance and appropriateness of the current security controls and control enhancements designated for each baseline (low, moderate, and high) to ensure that protections are commensurate with the harm that would result from a compromise of applicable government data and systems. In addition, the revised guidelines recognize the need to secure a much broader universe of “systems,” including industrial control systems, IoT devices, and other cyber physical systems, than the “information systems” that were the focus of the prior iterations of SP 800-53. Relatedly, the revised publication also identifies those controls that are both security and privacy controls, as well as those controls that are the primary responsibility of privacy programs.

This stated purpose and the expanded scope of the updated guidelines are evident in some of the key changes to NIST SP 800-53, which include:

  • Removing the term “federal” from the title and throughout the publication to deemphasize the federal focus of the publication and to encourage use of the guidelines by state, local, and tribal governments, as well as private sector organizations.
  • Replacing the term “information system” with “system” throughout the publication to expand the scope of the guidelines in recognition of the threats to all types of systems (e.g., industrial/process control systems, cyber physical systems, weapons systems, IoT devices, etc.).
  • Adding and integrating privacy controls directly into the existing security control catalog. For example, control CM-4 SECURITY IMPACT ANALYSIS has been changed as follows:

Control: [The organization a]Analyzes changes to the information system to determine potential security and privacy impacts prior to change implementation. (Bracketed text is struck through in the draft; the control now begins with the capitalized “Analyzes.”)

  • Changing the structure of the controls to make them more outcome-based by removing introductory terms (such as “the organization” and “the information system”) from the controls, in order to focus on the capabilities, provide greater alignment with other NIST guidance and the NIST Cybersecurity Framework, and reduce ambiguity. For example, control IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATION USERS) has been changed as follows:

Control: [The information system u]Uniquely identify[ies] and authenticates organizational users (or processes acting on behalf of organizational users). (Bracketed text is struck through in the draft; the control now begins with the capitalized “Uniquely.”)

  • Mapping the security and privacy controls of NIST SP 800-53 to international security and privacy standards, including ISO/IEC 27001 (Information Security Management Systems), ISO/IEC 15408 (Common Criteria), and OMB Circular A-130, for ease of use by public and private entities. (Appendix I contains the mapping.)
  • Removing priority sequencing codes (i.e., P0, P1, P2, P3) to eliminate confusion about the priority code designations and provide flexibility in the implementation of security and privacy controls.
  • Recognizing that the controls and their applicability depend on specific technologies, environments, and business functions, and making it easier for organizations to analyze the applicability of each control by: physically separating the control selection process from the catalog of controls; including tailoring considerations as a separate appendix (see Appendix G); adding control keywords to help users develop security and privacy plans and tailor the controls to their systems; and adding hyperlinks to help navigate the document and access other related publications.

This update also represents a step in implementing OMB Circular A-130, which was issued by the Obama administration in July 2016 and requires all federal agencies to adopt a risk-based approach to managing information and networks. The Circular includes two appendices, one on data security and another on privacy protections, which together provide guidance to federal agencies on managing information resources and personally identifiable information (“PII”). The NIST SP 800-53 revisions are responsive to the requirements imposed by the Circular, including mapping the Circular’s privacy requirements to related controls in the publication.

Typically, contractors that operate information systems on behalf of the government are also required to implement protections on those systems consistent with SP 800-53. However, before agencies (and contractors) can implement the revised SP 800-53, NIST will need to update NIST SP 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations” to match the final SP 800-53 security controls adopted by NIST. The Department of Defense (“DoD”) will have a number of additional tasks including:

  • Publishing a revised edition of Committee on National Security Systems (“CNSS”) Instruction 1253, “Security Categorization and Control Selection for National Security Systems.” CNSS 1253 provides guidance on implementing (and tailoring) the security controls from NIST SP 800-53 for use in the DoD National Security System environment.
  • Incorporating the new/revised security controls into the eMASS database. The eMASS computer application is managed by the Defense Information Systems Agency (“DISA”) and is used as a tool when implementing the NIST Risk Management Framework (“RMF”) for DoD information systems.

NIST seeks customer feedback regarding the relevance and appropriateness of the current security controls and control enhancements designated in each baseline—that is, whether the security controls and control enhancements in each baseline provide the appropriate starting point for tailoring that baseline. Comments should be sent to sec-cert@nist.gov with the subject line “Comments on Draft SP 800-53 Rev. 5”. This draft revision is open for public comment until September 12, 2017.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.