The Trillion Dollar Annual U.S. Defense Budget - It's Almost Here

It’s almost here: the looming trillion-dollar defense budget. For years, reporters and policy analysts have pondered when the U.S. military budget will surpass the unthinkable $1 trillion per year. The number carries huge symbolic importance and even stands as a goal for some defense hawks.

NIST 800-53, Rev. 4 vs. Rev. 5 - Notable Differences

The differences between NIST SP 800-53, Rev. 4 and Rev. 5 are considerable: Revision 5 adds 66 new base controls, 202 new control enhancements, and 131 new parameters to existing controls. Furthermore, there are 90 newly withdrawn controls that have been incorporated into or moved to other controls, along with 92 previously withdrawn controls, resulting in a total of 1007 controls and enhancements in NIST SP 800-53, Revision 5.

NIST 800-53, Rev. 5 - Why So Many Additional Controls?

Why does NIST SP 800-53, Rev. 5 contain so many additional controls or control enhancements beyond the required controls and enhancements contained in the control baselines for LOW, MOD, and HIGH?

NIST Issues Initial Public Draft of Revision 3 of NIST 800-171

The National Institute of Standards and Technology ("NIST") published a first public draft of revision 3 of NIST Special Publication ("SP") 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, on May 10, 2023. The document, despite being in draft form, offers crucial advice to federal government contractors and other businesses that are required to utilize NIST SP 800-171 as a baseline for cybersecurity compliance. NIST incorporated public comments into the draft Revision 3 and is still looking for feedback on this revision.

NIST 800-53, Revision 5 Configuration Management (CM) Policy Templates

NIST 800-53 provides guidance on configuration management controls, which are essential for maintaining the security and integrity of information systems throughout their lifecycle. Configuration management involves establishing and maintaining a baseline configuration, managing changes, and ensuring proper configuration control and documentation. Here are key aspects of configuration management as addressed in NIST 800-53.

NIST 800-53, Revision 5 Audit and Accountability (AU) Policy Templates

NIST 800-53 provides guidance on audit and accountability controls, which are crucial for maintaining the security and integrity of information systems. The audit and accountability controls outlined in NIST 800-53 help organizations monitor and track system activity, detect security incidents, and ensure compliance with security policies and regulations. Here are some key aspects of audit and accountability as addressed in NIST 800-53.

Why NIST 800-53, Revision 5 is a Very Significant Document for Information Security

NIST SP 800-53, first released in 2005, is the underlying framework and the very fabric on which the entire National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is built. The NIST RMF provides a flexible, holistic, and repeatable 7-step process to manage security and privacy risk and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).

NIST 800-53, Revision 5 Contingency Planning (CP) Policy Templates

NIST 800-53 provides guidance on contingency planning controls, which are essential for ensuring the availability and resiliency of information systems in the face of unexpected disruptions or incidents. Contingency planning involves preparing for and responding to incidents that could adversely affect the organization's ability to operate effectively. Here are key aspects of contingency planning as addressed in NIST 800-53:

NIST 800-53, Revision 5 Identification and Authentication (IA) Policy Templates

NIST 800-53 provides guidance on identification and authentication controls, which are crucial for verifying and establishing the identities of users, devices, and processes accessing information systems. These controls help ensure that only authorized entities are granted access and protect against unauthorized access and identity-related security risks. Here are key aspects of identification and authentication as addressed in NIST 800-53: