NIST releases 800-53 revision 4
The National Institute of Standards and Technology (NIST) has released the final version of its Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. The 800-53 framework, which is required for all federal agencies under Federal Information Processing Standard (FIPS) 200 and more generally under the provisions of the Federal Information Security Management Act of 2002 (FISMA), specifies the security controls to be implemented for federal information systems. This most recent update, the first major revision in nearly four years, includes many newly added controls and implementation standards intended to address access control, identity management, configuration management, data protection, and newer hosting models such as cloud computing. It also, for the first time, includes a set of controls and enhancements specifically focused on privacy, and expands the set of program management controls first introduced with Revision 3 in 2009.
Federal agencies are not likely to move quickly to migrate their internal security practices from Revision 3 to Revision 4, in part because the corresponding NIST guidance on security control assessment (Special Publication 800-53A) has not yet been updated to match the revised control framework. It may be a year or more before the assessment guidance is updated, giving many agencies a justification for sticking with the prior version of 800-53. The adoption of Revision 4 is likely to be driven in part by a separate but parallel effort of the Joint Task Force Transformation Initiative Working Group (which includes representatives from civilian, defense, and intelligence agencies) to unify security control frameworks with 800-53 and system assessment and authorization procedures prescribed in Special Publication 800-37 Revision 1. Over the past 5 years, revisions to 800-53 have been strongly influenced by requirements and preferences coming from military and intelligence communities, so as these non-civilian agencies transition to government-wide processes and standards they will presumably use the latest version of 800-53 to guide their activities.