NIST SP 800-53 Rev 5: Understanding, Preparing for Change
November 18, 2020
The National Institute of Standards and Technology (NIST) recently released Revision 5 (R.5) of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. It is the first update since Revision 4 in 2013, and it is a significant step forward: it defines the next generation of the security and privacy control catalog and addresses the need for a more proactive and systematic approach to cybersecurity.
Revision 5 makes major changes to both the structure and the technical content in order to position the catalog for a broader audience. NIST describes it as the “first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems – from supercomputers to industrial control systems to Internet of Things (IoT).” The federal-specific language of earlier revisions has been deemphasized to encourage adoption by non-federal organizations and to promote greater international acceptance.
R.5 adds three control families, increasing the count from 17 in the R.4 catalog to 20. Two are security families: Program Management (PM), which in R.4 lived in a separate appendix and is now integrated into the main catalog, and Supply Chain Risk Management (SR), which is new. PM contains 32 controls (PM-1 through PM-32) and three control enhancements; SR contains 12 controls (SR-1 through SR-12) and 14 control enhancements. The third is the privacy family PII Processing and Transparency (PT), with eight controls (PT-1 through PT-8) and 12 control enhancements. PT controls are assigned only to the privacy control baseline and appear in none of the three security baselines, so PT stands apart from the security families. Other integrated privacy controls include:
Threats, vulnerabilities and technologies continue to evolve rapidly, so organizations must maintain their defenses against an ever-changing threat landscape. Systems need to be more resistant to attack, limit the damage when an attack succeeds, and remain resilient and recoverable. Controls therefore need to be agile and updated to reflect that landscape. To that end, NIST removed the allocation of implementation responsibility (i.e., the “information system” or “organization” prefix) from the control statements, making the controls outcome-based: each control now states what must be achieved rather than who must achieve it.
R.5 places greater emphasis on defining the security and privacy control baselines, and NIST has moved baseline selection into a standalone publication, Special Publication 800-53B, Control Baselines for Information Systems and Organizations. SP 800-53B is the key resource for selecting and tailoring security control baselines for organizational systems, and it supports baseline customization for specific communities of interest, technologies and operational environments. NIST retained the three security control baselines for low-impact, moderate-impact and high-impact systems, and replaced the R.4 Privacy Controls Catalog with a privacy control baseline that applies to systems regardless of impact level. SP 800-53B provides a table that assigns each control and control enhancement to the appropriate security and privacy baselines; however, a large number of controls and enhancements are not assigned to any baseline. Organizations need to review these unassigned controls and decide whether they are required to meet applicable requirements or useful for mitigating risk in their specific environment. This tailoring process gives organizations the flexibility to select the controls and enhancements that fit their risk management needs and the changing threat landscape.
A summary of the major changes to the publication includes:
Revision 5 takes effect in September 2021, one year after its official release. Organizations currently aligned to NIST 800-53 R.4 must review the new revision, identify gaps and remediate them. Pay special attention to the integration of privacy controls into your program and to the two security control families addressing program management and supply chain risk management.
As you tailor your security and privacy control baselines, take time to review every new control and evaluate the applicability of controls and enhancements that may be required to address specific threats to your organization. Conduct a risk assessment, supplement the baselines with additional controls or control enhancements where organizational needs require it, and document the justification for every control removed from or added to a baseline.
Optiv Security can work with you to bring your organization into compliance with the new revision. Our Risk Management practice offers a full range of consulting and assessment services to address your needs, including NIST SP 800-53 program development, readiness reviews and assessments. Optiv is ready to help clients make a smooth transition to NIST SP 800-53 R.5 through control baseline reviews and gap assessments.