Updated U.S. Guidance for Security and Privacy Controls Given as NIST Publishes Final Draft of Revision 5 to Special Publication 800-53


In March 2020, The National Institute of Standards and Technology released the latest draft of its fifth major revision to Special Publication 800-53 (common abbreviation: NIST SP 800-53 Rev. 5 Draft). First published in 2005, each iteration reflects the ever-changing landscape of technology trends, security best practices, and adversarial threats that organizations have endured over the last 15 years. NIST’s latest draft publication signals the near completion of its much-anticipated update, giving federal security practitioners and auditors alike a nearly complete picture of what will be included in the soon-to-be finalized publication. Though the document previously included the word “federal” in its title, it is removed in Revision 5 to reflect its applicability to a broader audience. To read the document and related announcements in full, visit the official Revision 5 webpage hosted by NIST.

Not an expert in federal security standards and need a quick primer? The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce. Its mission, in part, is to advance innovation and develop standard reference materials across a wide array of science and technology subject areas, including cybersecurity. Many government agencies are bound by federal law, e.g., through the Federal Information Security Management Act (FISMA) and/or the Federal Risk and Authorization Management Program (FedRAMP), to comply with security and privacy guidelines issued by NIST, including those defined by NIST SP 800-53.

Federal agencies have gone longer than usual between updates, and—when the final version is released—the gap between the publication of Revisions 4 and 5 will be longer than the gap between any other two consecutive versions. For publication dates, see the NIST SP 800-53 entry on Wikipedia. This is due, in part, to the integration of privacy controls alongside security controls in SP 800-53—a first, since privacy controls were previously added to the standard by appendix—which required major changes to the document’s organization and review process.

NIST’s document heralds an exciting collection of updates and additions to help organizations better protect themselves from a variety of threats. Its pages continue to address some of the most common enterprise risks like malware and data theft, but the new draft release also has an expanded scope, including timely guidance for identifying and mitigating digital risk, incorporating cyber threat intelligence, and running a security operation center. 

With an eye towards these newer topics, we reviewed the latest draft to identify and evaluate its most salient excerpts. In particular, we’ll cover changes to (or the addition of) the following security and privacy controls:

  • Audit and Accountability: Monitoring for Information Disclosure (AU-13)
  • Awareness and Training: Security Awareness Training (AT-2)
  • Planning: Rules of Behavior (PL-4)
  • Program Management: Threat Awareness Program (PM-16)
  • Risk Assessment: Threat Hunting (RA-10)

Other controls we are excited about but have omitted for space include Incident Response: Incident Handling (IR-4) and its Supply Chain Coordination and Security Operations Center control enhancements, Incident Monitoring (IR-5) and its Automated Tracking, Data Collection, and Analysis enhancement, and the Predictive Cyber Analytics enhancement of Risk Assessment (RA-3).

The goal of this article is to give readers an overview of the areas that changed as they relate to digital risk, threat intelligence, and threat hunting, all of which are critical to the mission of securing digital platforms against growing cyber threats.

Evolving Topics in Revision 5

Since the language of security evolves quickly, we counted the appearances of terms in our key areas of focus, contrasting the counts in the new revision of the document with those in the previous one. These values highlight shifting priorities and new or trending topics since the last major release in April 2013, which was last updated in January 2015.

  • 🆕Security Operations Center (or SOC) is mentioned 11 times
  • 🆕Threat Hunting is mentioned 7 times
  • 🆕Machine Learning is mentioned 3 times
  • 🆕(Digital) Impersonation is mentioned 2 times
  • ⬆︎ Threat Intelligence is now mentioned 10 times, up from once previously
  • ⬆︎ Open Source Information is now mentioned 9 times, up from 4
  • ⬆︎ Social Media (or Social Networking) is now mentioned 16 times, up from 11 
  • ➡︎ Reputation is mentioned 18 times in both versions  
  • ⬇︎ Information Leakage is now mentioned 6 times, down from 10 previously

For readers familiar with the last decade of broad technology trends and the cybersecurity industry, we suspect these numbers will mirror the wider shifts in the popularity of practices, threats, and areas of interest as organizations work to establish stronger security policies, technologies, and practices.

Revision 5 Change Highlights

Audit and Accountability: Monitoring for Information Disclosure (AU-13)

Revision 4 Guidance: Monitor

The baseline guidance for this control was relatively thin in Revision 4, simply advising organizations to monitor data sources (e.g., social networking sites) for evidence of information disclosure with some set frequency. 

Control enhancements include (1) automating the process with a tool or service, and (2) periodically re-evaluating the relevant set of data sources. 

Revision 5 Guidance: Monitor, notify, respond!

In Revision 5, NIST advises organizations to additionally (1) designate and notify personnel when evidence of information disclosure is discovered and (2) define and follow a course of action in response. Code-sharing platforms and repositories are now listed alongside social networking sites as additional data source examples, reflecting the growth of public attack surfaces since the publication of Revision 4.

The existing control enhancements from Revision 4 remain, though advice is now given to incorporate threat intelligence in the selection and maintenance process for evaluating relevant data sources to monitor.

Revision 5 includes a new control enhancement as well, encouraging organizations to identify any unauthorized replication of information. In including this enhancement to the control, NIST introduces a topic to SP 800-53 that was never addressed before: digital impersonation. In turn, this provides organizations clear guidance and a new mandate to prioritize the programmatic identification of replicated, pirated, private, or prohibited content of all kinds across various domains (e.g., DNS, web, social, email).
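The monitor, notify, respond loop described above, as an added example that is not from the page or from ZeroFox: it scans constructed observations from a social site and a code-sharing platform for credential-like disclosures and for look-alike handles (the unauthorized-replication case), then routes each finding to assumed designated personnel with an assumed response. All accounts, domains, addresses and values are hypothetical.

```python
import re

# Constructed observations from two AU-13 data-source classes, a social networking
# site and a code-sharing platform. Accounts, text and values are all hypothetical.
OBSERVATIONS = [
    {"source": "social", "author": "agency_official", "text": "Town hall this Thursday at 6pm."},
    {"source": "social", "author": "agency-0fficial", "text": "Verify your benefits: http://login.example.invalid"},
    {"source": "code", "author": "devuser", "text": "DB_PASSWORD=Hunter2! host=db.internal.example.gov"},
    {"source": "code", "author": "devuser", "text": "print('hello world')"},
]

# Assumed organizational context: official handles, internal domains, and the
# designated personnel / response for each finding kind (all placeholder values).
OFFICIAL_HANDLES = {"agency_official"}
INTERNAL_DOMAINS = ("internal.example.gov",)
NOTIFY = {"disclosure": "security-ops@example.gov", "impersonation": "comms-legal@example.gov"}
RESPONSE = {"disclosure": "rotate exposed credential; request removal from platform",
            "impersonation": "submit takedown request; warn constituents"}

# Credential-like assignments such as PASSWORD=..., api_key: ..., token=...
SECRET_RE = re.compile(r"(?i)(password|secret|api[_-]?key|token)\s*[=:]\s*\S+")

def looks_like(handle, official):
    """Cheap look-alike test: same length and at most two differing characters
    (catches '-' for '_' and '0' for 'o' substitutions, not every variant)."""
    if handle == official or len(handle) != len(official):
        return False
    return sum(a != b for a, b in zip(handle, official)) <= 2

def classify(obs):
    """Map one observation to zero or more AU-13 finding kinds."""
    findings = []
    text = obs["text"]
    if SECRET_RE.search(text) or any(d in text for d in INTERNAL_DOMAINS):
        findings.append("disclosure")
    if obs["source"] == "social" and any(looks_like(obs["author"], h) for h in OFFICIAL_HANDLES):
        findings.append("impersonation")  # the new unauthorized-replication enhancement
    return findings

def run_monitor(observations):
    """Monitor, notify, respond: one alert per finding, routed to designated personnel."""
    return [{"kind": kind, "source": obs["source"], "author": obs["author"],
             "notify": NOTIFY[kind], "action": RESPONSE[kind]}
            for obs in observations for kind in classify(obs)]
```

A real deployment would replace the hard-coded lists with the organization's asset inventory and feed the alert records into the ticketing or SOAR system that tracks the response.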

Key Takeaway
Government organizations increasingly rely on third-party digital platforms to engage with citizens, provide services, and fulfill their purpose. Attackers exploit these same public-facing platforms to launch attacks and profit from fraud and scams. Develop a playbook to proactively identify, manage, and remediate these threats to protect your data, community, and reputation.

Learn More
Related webinar: Watch our on-demand webinar, “Identify Impersonators and Protect Digital Presence”, to learn more about digital impersonation

Related blog post: Protect Yourself and Your Organization Against The Weaponization of Social Media

Awareness and Training: Security Awareness Training (AT-2)

Supporting the common refrain that human behavior is one of the largest contributing factors to organizational risk, NIST’s Security Awareness Training control has grown significantly since the document’s last revision. It now includes 8 control enhancements, from just 2 previously. A complete list of the enhancements is provided below:

Security Awareness Training: Control Enhancements

  1. Practical Exercises
  2. Insider Threat
  3. 🆕Social Engineering and Mining
  4. 🆕Suspicious Communications and Anomalous System Behavior
  5. 🆕Breach
  6. 🆕Advanced Persistent Threat
  7. 🆕Cyber Threat Environment
  8. 🆕Training Feedback

The new enhancements add valuable guidance for maintaining a relevant and effective training program and suggest training to cover numerous threats previously unmentioned, including some of the most common digital threats organizations face today, e.g., (digital) impersonation, thread-jacking, and social media exploitation.

Key Takeaway
Organizations must establish a fundamental understanding of key threat topics today and establish formalized programs to educate staff on ways to automate controls.

Learn More
Related blog post: Taxonomy of Digital Threats: Defining the Four Categories of Risk

Related webinar: The First Cyber Intelligence Capability You Should Invest In

Planning: Rules of Behavior (PL-4)

By and large, the Rules of Behavior control language is mostly the same between the most recent Revisions; however, its one-and-only control enhancement regarding social media and networking sites is now expanded to include any type of external site or application. Why? Threats can and do come from just about anywhere, and this is especially true in the age of SaaS products dominating our operational tech stacks. 

Additionally, the latest revision of SP 800-53 prompts organizations to define expected behavior and restrictions in the use of organization-provided (and presumably, personal) credentials for creating accounts on external sites or for use with third-party applications. 

Key Takeaway
This guidance will encourage organizations to proactively define policies that mitigate the risk of tying personal accounts too closely to an organization’s digital properties, e.g., agency Twitter or Facebook accounts. Too often, organizations scramble when the employees who first created these properties change roles or leave their place of employment.

Program Management: Threat Awareness Program (PM-16)

New to Revision 5 is a control enhancement for threat awareness programs, encouraging the use of automation. It is not outrageous to assume that the introduction in recent years of specifications like Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), or platforms like MISP (Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing) and their subsequent adoption and success inspired or influenced the inclusion of this enhancement.

Key Takeaway
An effective cyber threat intelligence program can help organizations thwart attacks and proactively mature their security posture and understanding on an ongoing basis. Given the diversity and volume of threats, automation can make the difference between preventing a breach and acting too late. If your security organization doesn’t leverage threat intelligence data or hasn’t operationalized its use, it’s time to revisit the topic.

Learn More
Related blog post: Establishing an Intelligence Requirements Process

Revision 5 Additions

Risk Assessment: Threat Hunting (RA-10)

Completely new to SP 800-53, Revision 5 defines a control for threat hunting. Among other details, its inclusion calls for the establishment, maintenance, and deployment of capabilities to search for indicators of compromise (IOCs) and identify threats that evade other controls. In tandem with this guidance, the control language also encourages organizations to incorporate threat intelligence and threat-sharing resources into the hunt, and additionally, suggests participation in peer sharing groups, e.g., Information Sharing and Analysis Centers (ISACs). 
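A minimal hunt of the kind RA-10 describes, as an added example that is not from the page or from ZeroFox: a shared indicator set (in the shape a peer-sharing group such as an ISAC might distribute) is matched against constructed proxy, DNS and endpoint events, and hosts matching more than one indicator type are surfaced first. All indicators, hosts and log lines are hypothetical.

```python
import hashlib
import re

# Constructed indicator set, hypothetical values only (documentation IP range,
# a reserved .invalid domain, and the hash of a made-up byte string).
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-binary").hexdigest()
SHARED_IOCS = {
    "domain": {"update-checker.example.invalid"},
    "ipv4": {"198.51.100.23"},
    "sha256": {SAMPLE_HASH},
}

# Constructed sample telemetry: proxy, DNS and endpoint file events as key=value lines.
LOGS = [
    "proxy ts=2020-04-01T10:00:01Z src=10.0.0.5 dst=203.0.113.9 host=www.example.gov",
    "dns ts=2020-04-01T10:00:04Z src=10.0.0.7 query=update-checker.example.invalid",
    "proxy ts=2020-04-01T10:00:09Z src=10.0.0.7 dst=198.51.100.23 host=-",
    f"edr ts=2020-04-01T10:01:00Z src=10.0.0.9 sha256={SAMPLE_HASH}",
    "edr ts=2020-04-01T10:02:00Z src=10.0.0.5 sha256=" + "0" * 64,
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'kind k=v k=v ...' into a dict; the first token is the log kind."""
    kind, _, rest = line.partition(" ")
    return {"kind": kind, **dict(KV_RE.findall(rest))}

# Which event field is compared against which indicator type.
FIELD_MAP = (("query", "domain"), ("host", "domain"), ("dst", "ipv4"), ("sha256", "sha256"))

def hunt(logs, iocs):
    """Return (ts, internal_src, ioc_type, value) for every event matching a shared IOC."""
    hits = []
    for line in logs:
        ev = parse(line)
        for field, ioc_type in FIELD_MAP:
            value = ev.get(field)
            if value in iocs[ioc_type]:
                hits.append((ev["ts"], ev["src"], ioc_type, value))
    return hits

def prioritize(hits, min_types=2):
    """Hosts matching two or more distinct IOC types go to the top of the triage queue:
    a DNS lookup plus a connection to the listed IP is stronger evidence than either alone."""
    types_by_host = {}
    for _, src, ioc_type, _ in hits:
        types_by_host.setdefault(src, set()).add(ioc_type)
    return sorted(h for h, t in types_by_host.items() if len(t) >= min_types)
```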

Key Takeaway
This control is a welcome addition to the document, reflecting the growth and popularity of threat hunting activities since the publication of Revision 4. Though the control language only suggests searching for IOCs among “organizational systems”, ZeroFox would propose that comprehensive threat hunting should not be limited by this designation. In practice, hunting activities often extend to third- and fourth-party systems across open, deep, and dark web resources. Such activities are consistent with the guidance provided by one of the controls reviewed above from the Audit and Accountability family: Monitoring for Information Disclosure (AU-13).

Is your organization adopting the latest NIST guidelines? ZeroFox can help.

Whether you’re a government agency pursuing compliance or a private organization adopting the NIST guidelines for good measure, ZeroFox can help. The ZeroFox Platform provides the critical visibility, compliance reporting, and automated protection necessary to defend against the diverse collection of modern external threats organizations face today. By using diverse data sources, artificial intelligence-based analysis, and automated remediation, the ZeroFox Platform reduces risk by identifying malicious or non-compliant content, removing impersonation artifacts (i.e., takedowns), and protecting your assets from targeted cyber attacks. And with our managed service, ZeroFox OnWatch™, you can rest assured that our team of experts will do what they do best: protect your organization from social and digital threats—all while you focus on your day job.

Want to know more? Contact us to book a demo or speak with one of our experts.

