News of a new version of NIST SP 800-53 is enough to make many information security professionals want to cry. The truth is, this upgrade process can be painful when performed manually via spreadsheets, and is magnified based on the number of systems that need to be upgraded.
Since it was first introduced in February 2005, SP 800-53 has undergone five significant changes. Rev 5 of 800-53 is in the final stages of drafting and public comment and will be released soon. When it was introduced in 2005, SP 800-53 contained fewer than 300 controls. The current SP 800-53 revision contains nearly 1,000 controls. The forthcoming SP 800-53 Rev 5 will be expanded to have two additional control families (20 control families, compared to the current 18) and a total of 1,000 to 1,050 controls.
Here is a table showing the progression of SP 800-53 and associated controls over time:

Rev     Release Date       # Controls
Rev 0   Feb 2005           268
Rev 1   Dec 2006           315
Rev 2   Dec 2007           317 (+2 ICS)
Rev 3   Aug 2009           628
Rev 4   Apr 2013           928 (965 w/ Privacy)
Rev 5   Dec 2017 (est.)    1,000 – 1,050 (est.)
Those who are in the business of conducting assessments and authorizations (A&A) understand that NIST 800-53 security controls are required to assess the security of systems before they are authorized for use, and compliance with these controls must be continuously assessed thereafter. Compliance with applicable 800-53 controls helps an organization make risk-based decisions about authorizing a system for use. That is, based on compliance with required controls, is the system secure enough to be authorized for use, or not?
Great effort goes into categorizing your system and selecting appropriate controls (RMF Steps 1 and 2), defining control implementation (RMF Step 3), and assessing the effectiveness of controls (RMF Step 4). It is not uncommon for 450 or more controls to be associated with a single system. Within each organization there can be many systems, and each system must undergo this categorization, control selection, control implementation, and control assessment process before being approved to operate.
Each time there is an update to 800-53, the system test plan must be updated to reflect changes, which can be significant from one 800-53 revision to the next.
Organizations that conduct their A&A processes manually and build their test plans using spreadsheets and Word documents struggle to implement these changes. Sometimes new controls are added to existing control families, sometimes new control families with new controls are added, and other times existing controls are edited or modified. When performed manually, this 800-53 upgrade process can be quite tedious; we are told it can take four to six weeks per system. All of this effort is spent just to understand what, if any, additional work needs to be performed as defined by the new version of 800-53.
One of the many benefits that Xacta 360 offers is an automated way to upgrade your A&A projects in just minutes. To achieve this, the Xacta product development team manages all NIST content needed to operationalize the entire RMF process. For example, as new revisions to SP 800-53 are released, the Xacta product team maps the old version of 800-53 to the newer version so that these upgrades are painless and fast using automation. This automated upgrade process updates your test plan to reflect any new or modified controls that are introduced in the new version of 800-53 and are pertinent to your A&A project as defined by NIST SP 800-60.
Here is a brief video showing how simple this upgrade process is with Xacta 360:
Xacta 360 automates many time-consuming, manual activities associated with the RMF process. Upgrading your projects to reflect the most current version of 800-53 is just one example. Have you migrated all of your projects to NIST 800-53 Rev 4 yet? What is your plan to upgrade to Rev 5? Maybe it’s time to consider Xacta 360 to reduce the manual effort associated with RMF-related tasks such as upgrading your project to new versions of NIST SP 800-53.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.