NIST 800-53 Revision 5: Preparing for Transition and Ensuring Compliance

April 28, 2021 Jay Ryan


After years of anticipation, Revision 5 (Rev 5) of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Security and Privacy Controls for Information Systems and Organizations,” is finally here. SP 800-53 Rev 5, a key framework for federal information system security controls, was released on September 23, 2020.

It is a significant update to the standard, designed to protect organizations and systems, including the personal privacy of individuals, well into the 21st century.

Government agencies, contractors, and FedRAMP-certified vendors responsible for complying with SP 800-53 Rev. 4 should be working now to review the new standard, identify gaps, and remediate any issues based on the latest revision. According to OMB Circular A-130 (2016), such agencies are expected to be compliant with NIST standards within one year of the publication date.

What is the NIST SP 800-53 Rev. 5 about?

SP 800-53 Rev. 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government. 

These next generation controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the U.S.

SP 800-53 directly applies to any organization that must comply with FISMA and obtain an ATO certificate, including: 

  • Federal agencies and departments with applications that process or store federal data.
  • Any state agencies or contractors partnered with the federal government.
  • Any private sector company that has a contractual relationship with the government, whether to provide services, support a federal program, or receive grant money.
  • Cloud Service Providers (CSPs) authorized under a FedRAMP program.
  • Non-federal businesses required to comply with Defense Federal Acquisition Regulations (DFARS).

NIST 800-53 has 18 control families with over 900 security controls. Each layer within a software application must be assessed for compliance with these controls, and the assessment must be repeated when technology changes or new applications are added to a layer.

Demonstrating compliance with 800-53 for FISMA and obtaining ATO can take 9 to 12 months to complete and cost as much as $1 million due to the large number of controls and multiple application layers.

Streamline compliance with SP 800-53

SD Elements can help your organization streamline compliance with the latest version of SP 800-53, demonstrate FISMA compliance, and obtain ATO faster.

Most developers are not application security experts, nor are they experts on the NIST 800-53 standard. SD Elements gives developers what they need to be successful to deliver applications that meet NIST 800-53 security standards. Developers responsible for coding applications required to meet the new NIST 800-53 Rev. 5 standard can start thinking about security upfront, either when they first start coding an application or making updates to existing applications. 

SD Elements enables NIST 800-53 compliance and speeds up the ATO process by: 

  • Generating NIST 800-53 security requirements for baselines (High, Moderate, Low, Privacy).
  • Delivering detailed requirements, code samples, and short training modules relevant to 800-53 Rev. 5 compliance to DevSecOps teams right within issue trackers, like Jira.
  • Tracking and monitoring security control status for each application layer.
  • Importing results from code scanners to automatically validate security activities.
  • Creating NIST 800-53 Rev. 5 reports for compliance management.

SD Elements is used today within several Department of Defense and other federal government agencies, including the U.S. Air Force, the U.S. Navy, and the U.S. Securities and Exchange Commission. For example, a U.S. Department of Defense DevSecOps software factory recently used SD Elements to reduce the time required to achieve ATO from 12 months to two weeks.

Learn more

Information security is at the heart of every software application within the U.S. federal government. Federal agencies, departments, and contractors with applications that process or store federal data must follow the NIST 800-53 Rev. 5 standard in order to comply with FISMA and obtain ATO.

Now is the time to start updating your applications to the latest version of the standard.

Ready to learn how SD Elements can help you obtain ATO faster? Contact us today.

 

About the Author

Jay Ryan

Jay is an avid technologist with nearly 20 years of experience leading operations in support of the federal and commercial security community. He has supported security programs for Fortune 500 companies, as well as various commands within the Department of Defense (DoD), and agencies of the U.S. Intelligence Community. In his role with Security Compass as the U.S. Federal Program Manager, he leads the cross-functional federal team for delivering on the growing adoption of SD Elements within the federal government customer base.
