The planned release of NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Systems and Organizations (Initial Public Draft), on March 28 has been delayed. The publication is still undergoing internal review. We hope to be able to release the publication in the very near future. Here are a few highlights from the Notes to Reviewers that will give you a preview of what to expect in Revision 5--

" …This update to NIST Special Publication 800-53 embarks on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of systems, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and IoT devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.

Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes significant changes to make the controls more consumable by diverse groups including, for example, enterprises conducting mission and business operations; engineering organizations developing systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:

• Making the security and privacy controls more outcome-based by changing the structure of the controls;
• Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
• Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
• Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
• Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
• Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
• Incorporating new, state of the practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability…"

We will continue to keep you updated on the progress of the internal review and the anticipated release date.