NIST is in the process of finalizing updates for two important information security standards: NIST 800-53 Rev. 5 (\u201cSecurity and Privacy Controls for Federal Information Systems and Organizations\u201d) and NIST 800-37 Rev. 2 (\u201cGuide for Applying the Risk Management Framework (RMF) to Federal Information Systems\u201d). These updates will be familiar for anyone who has to comply with FISMA, but in this post I want to summarize the implications for private industry. In summary, NIST is trying to make its standards broadly applicable outside the federal space; as a result these standards represent the most current \u201cbest practices\u201d we have on managing security risks.I was inspired to write this post by the recent webinar, hosted by Tripwire, in which Dr. Ron Ross of NIST summarized the intentions of the standards updates. I recommend you listen to it here. For users outside the federal government, the changes in these revisions represent updated \u201cbest practices\u201d that you can apply. I\u2019m going to note both high level and detailed changes that caught my attention.So what are the changes? At a high level, SP 800-53 now has removed most of the references to \u201cfederal.\u201d The goal is to make it easier for private industry to use this control catalog. Many in industry are already using the NIST CSF; this maps to the 800-53 controls. A second big change is the incorporation of privacy controls on an equal footing with security controls. This will make it easier for privacy professionals and security professionals to collaborate on risk management. Hopefully we will end up with a common controls language, not today\u2019s tower of babel. A third significant change is that 800-53 removed references to the NIST 800-37 document. The goal was to enable private industry to use the control catalog, without having to use the NIST RMF.High level changes to 800-37 include adding a new risk management phase:\u00a0 \u201cpreparation.\u201d This could help implement the concepts of \u201cbuild security in.\u201d It also may serve a similar function to \u201cContext Establishment\u201d in ISO 27005, \u201cInformation Security Risk Management.\u201d At this point, I don\u2019t have further details on 800-37 Revision 2, since it has not been released for comments.But going back to the draft Revision 5 version of 800-53, several detailed changes caught my eye. I regard these as controls you should be already using or considering for your security program. I\u2019m going to look at changes that apply to \u201cmoderate\u201d impact system, which account for most systems deployed. I\u2019ll look at the privacy controls in a separate post. You can read the entire new draft here.\u00a0Awareness Training (AT-2):\u00a0Added mandatory training on social engineering.\u00a0 Since this is probably the biggest attack vector you should be doing this.Continuous Monitoring (CA-7):\u00a0Added a control for continuous risk monitoring, including control effectiveness monitoring, compliance monitoring and change monitoring. Right now everyone does regular monitoring of logs. This control goes further and is looking for continuous compliance.Least Functionality (CM-7):\u00a0Added a control requiring application whitelisting.\u00a0 According to the Australian Signals Directorate (ASD) this is the top control of four, to prevent cybersecurity breaches.Information Location (CM-12):\u00a0This one may seem obvious, but is a new control for Rev. 5. With most people thinking about systems and software, it is a good addition.Identity Proofing (IA-12):\u00a0Another new control, requiring organizations to set up identify assurance levels and verify identity evidence.Baseline Selection and Baseline Tailoring (PL-11 and PL-10):\u00a0Both are new controls that align with the language in the NIST CSF. CSF recommends selecting a target profile after determining the current profile. These profiles then can be mapped to the corresponding 800-53 controls.Risk Assessment (RA-3):\u00a0Added specific control to require supply chain risk assessment.Criticality Analysis (RA-9):\u00a0Added the requirement to identify critical system components and functions. Not all parts of all systems need equal protection.Supply Chain Risk Management (SA-12):\u00a0You should already be doing this.Based on my experience many of these are being done in industry already. But the Revision 5 document forms a good reminder for everyone. The best thing is to review the markup, so you can see changes that might affect you. The most significant change, in my mind, is continuous monitoring. When we get to continuous risk monitoring and continuous compliance, then we will be an order of magnitude more secure.