Updated Security and Privacy Controls Guidance for Data Systems and Organizations Issued by NIST

The National Institute of Standards and Technology (NIST) has published updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first update to the guidance since 2013, and it is a complete redevelopment rather than a minimal revision. NIST says the new guidance provides a solid framework for securing organizations and systems, including the personal privacy of individuals, in the 21st century.

The updated guidance is the product of years of work. It is the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any industry and size and for all kinds of systems, including industrial control systems, supercomputers, and Internet of Things (IoT) devices.

It is the first catalog of its kind published anywhere in the world that brings together both privacy and security controls. The guidance can help organizations protect themselves against a range of threats and risks, including cyberattacks, natural disasters, human error, privacy risks, infrastructure failures, and attacks by foreign intelligence services. The controls it specifies help organizations take a proactive, structured approach to securing critical systems, components, and services, and are meant to ensure the resilience needed to protect the national and economic security interests of the United States.

The guidance is designed to help federal agencies and their third-party contractors meet the requirements of the Federal Information Security Management Act, and federal agencies will be required to implement the new requirements it contains. The guidelines are not mandatory for private sector companies; however, NIST encourages the private sector to adopt the new recommendations to address privacy and security concerns.

Key updates in the new guidance include:

  • New, ‘state-of-the-practice’ controls to protect critical and high-value assets. These are based on the latest threat intelligence and cyber-attack data and are intended to strengthen cyber resiliency, support secure system design, and improve security and privacy governance and accountability.
  • Security and privacy controls are integrated into a single, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based: the entity responsible for implementing a control has been removed from the control statement, and the guidance focuses on the security outcome that applying the control achieves.
  • Supply chain risk management requirements have been added, with guidance on integrating them throughout an organization.
  • The guidance includes next-generation security and privacy controls together with guidance on how to use them.
  • Control selection processes have been separated from the controls themselves so that different communities of interest can use the controls more easily.
  • Descriptions of content relationships have been improved, clarifying the relationship between controls and requirements and the connection between security and privacy controls.

NIST Fellow and co-author of the guidance Ron Ross explained that the controls give a practical, structured approach to making sure that critical systems, components, and services are sufficiently trustworthy and have the resilience required to protect the national security and economic interests of the United States.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.