11/27/17 - NIST Readies Final Cybersecurity and Privacy Controls

The National Institute of Standards and Technology is working to finalize its comprehensive set of cybersecurity and privacy controls — which will become the standard for U.S. government agencies and organizations, but also prove highly useful to the private sector. On Aug. 15, 2017, NIST published the latest revised draft of the document, “NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations.” This update accounts for evolutions in technology and fully integrates cybersecurity and privacy controls, among other modifications to the previous draft. NIST plans to publish the final draft of the document no later than Dec. 29, 2017.

While SP 800-53 will be mandatory for U.S. agencies, firms seeking to avoid regulatory scrutiny or enforcement actions over information-security deficiencies, bolster and revamp controls, and keep customer data safe and secure will benefit from reviewing the latest version of the standards to determine which elements to incorporate into their own frameworks. Recent trends also demonstrate that companies are increasingly seeking cybersecurity risk assessments of third-party vendors, and applying appropriate components of the NIST controls can help quantify the cybersecurity posture of a vendor.

Private-Sector Applications of SP 800-53

While other frameworks and standards have their merits and remain useful to private companies, the revised NIST standards represent the most relevant, comprehensive, and up-to-date set of cybersecurity and privacy controls. The latest changes are designed to make SP 800-53 even more applicable to private organizations, whose enterprise-level security and privacy professionals, component product developers, and systems engineers use the same technologies and face the same threats as their public-sector counterparts.

Many private companies are already using the current version of SP 800-53 to improve controls. Firms have drawn on the NIST standards and supplemental guidance to implement new safeguards to protect the identities and manage digital access of their employees and customers — by using biometrics powered by new mobile technology to create NIST-compliant authentication techniques, for instance. Other firms have turned to SP 800-53 to design their security-control manuals, adapting the NIST controls to their unique needs and requirements.

The SP 800-53 standards also apply broadly to different technologies: not only to “information systems,” but to “systems” in general, including industrial-control systems, cyberphysical systems, and — notably — the internet of things. The IoT encompasses common household and business devices that are increasingly targeted by cybercriminals seeking access to the networks IoT devices connect to.

In sum, SP 800-53 offers wide-ranging standards that allow organizations to choose the controls that make the most sense for their businesses.

Cybersecurity and Privacy: Common Trends and Themes

NIST’s nearly final standards fully integrate privacy and security controls — “a first for any control catalog,” according to a press release on the NIST website. Organizations are increasingly focused on integrating their cybersecurity and privacy into common risk management structures. As they grapple with doing so, a number of trends and themes are emerging:

  • Cybersecurity and privacy regulations are becoming more onerous.
  • Many firms need help adapting and enhancing cybersecurity and privacy controls to comply with these evolving regulatory requirements.
  • The European Union’s General Data Protection Regulation, which was adopted in April 2016 and becomes enforceable in May 2018, is incentivizing firms that collect, store, or process the personal information of people in the EU to ensure their privacy practices are compliant (or risk a fine of up to 4% of a firm’s global turnover).
  • In the absence of reliable benchmarking data, firms are modeling their cybersecurity and data privacy risk management programs after industry best practices and standards.

Other Cybersecurity Frameworks, Standards, and Tools Remain Relevant

NIST’s SP 800-53 will supplement, rather than supplant, the other cybersecurity frameworks, tools, and standards that firms use to manage their cyber risks and maintain resiliency and security.

The oldest, most globally recognized information-security standards — ISO/IEC 27001:2013 and ISO/IEC 27002:2013 — were jointly published by the International Organization for Standardization and the International Electrotechnical Commission. The ISO/IEC documents specify requirements for creating, implementing, and maintaining an information-security management system, as well as provide guidance on selecting, implementing, and managing controls. Originally published as U.K. standards in the mid-1990s, these standards were partially derived from an information-security policy manual first developed by the Royal Dutch Shell Group.

In 2014, NIST published a comprehensive cybersecurity framework for the critical-infrastructure sectors, which include financial services, health care, information technology, and other sectors vital to the day-to-day well-being of the nation. The framework is high-level and applicable to a broad range of firms (including firms outside of the critical-infrastructure sectors). It incorporates controls from different standards, including ISO/IEC 27001:2013 and sector-specific standards, and uses tiers to describe the rigor and sophistication with which firms implement the framework components.

In 2015, the Federal Financial Institutions Examination Council published a cybersecurity-assessment tool to help financial institutions measure inherent risk and assess their preparedness for cyberattacks. The FFIEC and NIST cybersecurity guidelines are similar: Like the NIST framework for critical infrastructure, the FFIEC’s tool refrains from providing specific implementation requirements for controls (consequently, many firms can and will turn to NIST’s more detailed SP 800-53 to address the requirements of the FFIEC framework). The FFIEC also calls for maturity assessments of five functional areas: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependencies, and incident management and resilience.

Taken together, these initiatives represent real progress toward a consolidated platform for identifying security and privacy concerns and implementing appropriate controls. However, it should be noted that this is a complex field across international jurisdictions — with around 120 different privacy regimes alone, many with stringent additional requirements — and the challenge of integrating cybersecurity and data protection best practices should not be underestimated.
Cybersecurity and privacy are overlapping, complementary components of a comprehensive program for managing risk. To ensure programs prevent security breaches and address evolving regulatory requirements, firms will benefit from adopting standards-based frameworks and controls, and SP 800-53 is a useful starting point. Such measures can protect the personal data of employees and customers, help firms become more effective at identifying threats, and increase privacy and security in lockstep.

Effective controls will also help firms provide seamless connectivity, so that customers can access services across borders and devices with minimal disruption. As the ecosystem of connected and embedded devices evolves, organizations will not always be able to impose security measures on every device that their service touches. However, implementation of a standardized set of effective controls — such as those put forward in SP 800-53 — can help avoid, contain, and minimize issues.

How Promontory Can Help

Promontory has significant experience advising clients on security technologies, regulatory expectations, and industry best practices. Our cybersecurity and privacy professionals have worked at government organizations, financial services firms, and federal regulators. Our team’s policy, management, and technical skills help clients complete projects on tight deadlines. We help firms benchmark security programs; build robust plans for business continuity; design, implement, and test GDPR programs; and implement additional measures to augment resilience against evolving cybersecurity and privacy threats.

Please contact Promontory to discuss how our cybersecurity and privacy subject-matter experts can help your firm apply SP 800-53 and other frameworks to enhance your information-security controls.

Contact Us

Simon McDougall
Managing Director
+44 20 7997 3456

Dr. Phyllis Schneck
Managing Director and Global Leader of Cyber Solutions
+1 202 370 0601

Kevin Hayes
Senior Principal
+1 202 370 0458