Notable Enhancements to the New Version of NIST SP 800-53

5 years ago Steven Tipton

As an infosec professional, you’ve likely heard of the National Institute of Standards and Technology (NIST). If you are unfamiliar with NIST, it is an organization that produces many publications, including the well-respected Special Publication SP 800-53r5, titled “Security and Privacy Controls for Information Systems and Organizations.” Although intimidating at first glance, this important document provides a catalog of privacy and security guidance for most of the information systems within the federal government. Even though its primary audience is governmental bodies, the NIST advice is used extensively in non-government environments, as it should be. It contains seriously solid advice!

First introduced back in 2005, SP 800-53 has gone through five revisions since its initial release. The fourth revision, released in 2013, featured updated security controls and focused on topics such as insider threats, software security, mobile devices, supply chain security, and privacy. Revision four also gave us the now familiar “eighteen control families,” which have been adopted by numerous federal agencies as well as the private sector.

Now we have NIST 800-53 Rev 5

In late September 2020, NIST published the official release of NIST SP 800-53 Rev. 5. The purpose of this new release was to provide

a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud-based systems, mobile devices, Internet of Things (IoT) devices, weapons systems, space systems, communications systems, environmental control systems, super computers, and industrial control systems. Those safeguarding measures include implementing security and privacy controls to protect the critical and essential operations and assets of organizations and the privacy of individuals. The objectives are to make the information systems we depend on more penetration-resistant, limit the damage from attacks when they occur, make the systems cyber-resilient and survivable, and protect individuals’ privacy.

The most significant changes to the publication include:

  • Make security and privacy controls more outcome-based by removing entity responsibility from the control statements
  • Consolidate the security control catalog by integrating security and privacy controls
  • Provide a new supply chain risk management control family
  • Separate the control selection process from the controls (much of this content will be moved to other NIST publications such as SP 800-37 and SP 800-53B)
  • Clarify the relationship between security and privacy controls
  • Incorporate new controls that support resiliency, secure design, and governance based on threat intelligence and attack data

The purpose of these updated security controls is to provide safeguards or countermeasures within an organization or system. This is intended to help protect system availability, confidentiality, and integrity as well as to help manage risk.

The new revision goes on to define privacy controls as the administrative, technical, and physical safeguards used within an organization to manage risk for privacy requirements and to help ensure compliance. The list of security and privacy requirements was drawn from different directives, executive orders, applicable laws, standards, policies, and regulations as well as mission needs. The integration into the Risk Management Framework (RMF) is evident in the call to ensure “confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individual privacy.”

Revision 5 speaks specifically to RMF by asking questions. These include the following: What security and privacy controls are needed? Have the selected controls been implemented? And what is the required level of assurance for those controls? (It goes on to ask organizations to use their answers to identify, assess, respond to, and monitor their security and privacy controls on a continuous basis.)

Revision 5 also appeals to organizations to understand risks that could adversely affect assets, individuals, other organizations, and the nation. Of particular interest in the document was the following:

EVIDENCE OF CONTROL IMPLEMENTATION

During control selection and implementation, it is important for organizations to consider the evidence (e.g., artifacts, documentation) that will be needed to support current and future control assessments. Such assessments help to determine whether the controls are implemented correctly, operating as intended, and satisfying security and privacy policies—thus, providing essential information for senior leaders to make informed risk-based decisions.

Tripwire can help implement SP 800-53r5

Tripwire can help your organization successfully implement and monitor the suggested system security controls offered in SP 800-53r5. For more information, be sure to check out Tripwire Enterprise here.

All in all, Revision 5 is a much needed and timely update to NIST 800-53. It goes a long way toward incorporating the Risk Management Framework, and it provides wonderful guidance on privacy and security controls, not only for government systems but also for private and public organizations.

The post “Notable Enhancements to the New Version of NIST SP 800-53” appeared first on TripWire

Source:TripWire – Steven Tipton
