More Details on the NIST SP800-53 Revision 5 Finalized Security and Privacy Framework


The National Institute of Standards and Technology (NIST) released Revision 5 of the SP800-53 Security and Privacy Framework on September 23, 2020. It is an important update, since SP800-53 had not been revised since Revision 4 was released in April 2013. While much of the press coverage has focused on the updated privacy controls, there are two new additions in the area of application security that enterprises and Federal government organizations should understand. The two new security items are:

  • SI-7 Software, Firmware and Information Integrity – Section 17: Runtime Application Self-Protection
  • SA-11 Developer Testing and Evaluation – Section 9: Interactive Application Security Testing

As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” In addition, it is estimated that anywhere from 30 to 50 percent of enterprises also use this framework for their security architecture. NIST calls this an historic update to its security and privacy controls catalog.

These two updates give a new boost to the importance of application security. They reference the need for interactive application security testing (IAST) and runtime application self-protection (RASP) tools. With these updates, application security gets new focus as part of the mainstream NIST framework, which should help developers catch security flaws before an application is launched. If you are wondering how this new framework might affect you or your organization, here is a recommendation from a recent article in the National Law Review:

Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.

In this document we will be focusing on the…