NIST SP 800-53r5 versus SP 800-53r4

Last updated November 10 2020 12:11 EST.

SP 800-53r5 controls

See https://github.com/usnistgov/oscal-content for input content.

The content used for this report was local copies of

Based on that content, SP 800-53r5 has 267 controls and control enhancements not in SP 800-53r4.

The following lists the SP 800-53r5 controls and indicates (with Ⓛ, Ⓜ, Ⓗ, and Ⓟ) whether they appear in the SP 800-53B (or SP 800-53r4) Low, Moderate, High, or Privacy control baselines.

Differences between r4 and r5, when easily perceptible, are noted.

7 SP 800-53r5 controls were withdrawn but still appear in a baseline. The controls are AU-3(2), AU-8(1), CM-5(3), IR-10, SI-2(1), SI-3(1), SI-8(1).

Each entry below gives, for one control: Control (identifier), Revision (status in r5), Baselines (r5 and r4), Title, Statement, and Guidance. Where r5 withdrew the control, the Revision 4 text is shown for the Statement and Guidance.
Control: AU-3(2)
Revision: r5: Withdrawn
Baselines: r5: Ⓗ; r4: Ⓗ
Title: Centralized Management of Planned Audit Record Content
Statement:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
Guidance:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system.
  Related controls: AU-6, AU-7

Control: AU-8(1)
Revision: r5: Withdrawn
Baselines: r5: Ⓜ Ⓗ; r4: Ⓜ Ⓗ
Title: Synchronization with Authoritative Time Source
Statement:
  r5: Withdrawn — moved to SC-45(1)
  Revision 4: The information system:
  (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
  (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
Guidance:
  r5: Withdrawn — moved to SC-45(1)
  Revision 4: This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Control: CM-5(3)
Revision: r5: Withdrawn
Baselines: r5: Ⓗ; r4: Ⓗ
Title: Signed Components
Statement:
  r5: Withdrawn — moved to CM-14
  Revision 4: The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Guidance:
  r5: Withdrawn — moved to CM-14
  Revision 4: Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures are a method of code authentication.
  Related controls: CM-7, SC-13, SI-7

Control: IR-10
Revision: r5: Withdrawn
Baselines: r5: Ⓗ
Title:
  r5: Incident Analysis
  r4: Integrated Information Security Analysis Team
Statement:
  r5: Withdrawn — incorporated into IR-4(11)
  Revision 4: The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
Guidance:
  r5: Withdrawn — incorporated into IR-4(11)
  Revision 4: Having an integrated team for incident response facilitates information sharing. Such capability allows organizational personnel, including developers, implementers, and operators, to leverage the team knowledge of the threat in order to implement defensive measures that will enable organizations to deter intrusions more effectively. Moreover, it promotes the rapid detection of intrusions, development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated security analysis team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing intelligence development. This enables the team to identify adversary TTPs that are linked to the operations tempo or to specific missions/business functions, and to define responsive actions in a way that does not disrupt the mission/business operations. Ideally, information security analysis teams are distributed within organizations to make the capability more resilient.

Control: SI-2(1)
Revision: r5: Withdrawn
Baselines: r5: Ⓗ; r4: Ⓗ
Title: Central Management
Statement:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: The organization centrally manages the flaw remediation process.
Guidance:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls.

Control: SI-3(1)
Revision: r5: Withdrawn
Baselines: r5: Ⓜ Ⓗ; r4: Ⓜ Ⓗ
Title: Central Management
Statement:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: The organization centrally manages malicious code protection mechanisms.
Guidance:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed malicious code protection security controls.
  Related controls: AU-2, SI-8

Control: SI-8(1)
Revision: r5: Withdrawn
Baselines: r5: Ⓜ Ⓗ; r4: Ⓜ Ⓗ
Title: Central Management
Statement:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: The organization centrally manages spam protection mechanisms.
Guidance:
  r5: Withdrawn — incorporated into PL-9
  Revision 4: Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.
  Related controls: AU-3, SI-2, SI-7