The National Institute of Standards and Technology (NIST) announced the final release of Special Publication (SP) 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” on April 30, 2013. The new revision replaces SP 800-53, Revision 3, which had been in use since 2009. Unlike the earlier revisions, which were used primarily by civilian agencies to comply with FISMA, Revision 4 provides a framework that applies to the civilian agencies, the Department of Defense (DoD), and the Intelligence Community (IC). It was drafted around the federal information security strategy of “Build It Right, Then Continuously Monitor.”

Revision 4 addresses new cyber security threats that have emerged over the years. It is intended to ensure that systems placed under continuous monitoring are trustworthy to begin with. New security controls and control enhancements have been developed to address areas such as mobile and cloud computing, insider threats, and supply chain security.

Some major changes and enhancements of Revision 4 include:

  • New controls and control enhancements, with more descriptive language. The number of controls and enhancements has increased from over 600 to well over 800.
  • New privacy controls and implementation guidance based on the “Fair Information Practice Principles”.
  • Creation of overlays that allow agencies to tailor security control baselines and to develop specialized security plans suited to their missions and environments.