NIST released Special Publication 800-53 Revision 5 earlier this month. In my mind it is actually different enough from previous releases to be considered version 1 of a new way to think about digital security controls. Revision 5 is a radical shift from the previous revisions. Not surprising since Revision 4 was released in 2013, and a lot has happened in the digital world during those 7 years. In 2013 Nokia Lumia was a popular phone, Apple released iPhone 5S, GDPR didn’t exist, and Internet Explorer was the dominant browser. On the other hand, there is a 2012 CVE still in the top 10 exploits for 2020 (CVE-2012-0158) – but more on that another time.
I predict Revision 5 will have a profound impact on the rest of the NIST security frameworks as well as regulatory compliance frameworks over the next few years. Revision 5 is a significantly different approach than previous versions. Revision 5 is moving NIST control definitions towards “control objectives” instead of trying to prescribe a specific mechanism or entity for satisfying the control.
I see control objectives as the domain-specific language used by different technical security and privacy communities of interest – e.g. systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers. These will be tied via security policy to executive mission or business owners. A shared ubiquitous language reinforces the move towards making digital security risk-based rather than threat-based. It provides for separating control selection processes from the controls themselves, enabling better measurement of inherent digital risk vs. residual risk. Such a ubiquitous language for digital security and privacy will complement the shared threat language defined by MITRE ATT&CK.
A language of security and privacy control objectives also brings us another step closer to standardising Orchestra’s executable policy approach to digital security, compliance and privacy.