Generic filters

NIST 800-53 Rev. 5: Outcome-based vs. Impact-based Controls

December 7, 2020

NIST 800-53 Rev. 5: Outcome-based vs. Impact-based Controls

The standards set in NIST 800-53 can significantly impact your organization and how operations are conducted. These impacts are especially true when you have worked to be compliant with Rev. 4 of 800-53 and now must comply with Rev. 5. Below we will go over some key aspects of the differences between Rev. 4 And Rev. 5 and some things to keep in mind when digging into Rev. 5.

What has changed since Rev. 4?

The differences between Rev. 4 and Rev. 5 are primarily based on a couple of factors the changes are positive, by providing and allowing for greater detail.

The major factors that have changed are that controls are now outcome-based instead of impact-based. There are enhanced descriptions for controls with new control areas which are now more focused on threat intelligence and there is a new Supply Chain Risk Management control family. In addition to those factors, there is a dramatic increase in organization-defined values, which allows the company to define with greater specificity the responsibility, media, systems, response times, and circumstances of the controls.

What is NIST 800-53B?

Alongside releasing 800-53, NIST also released the NIST 800-53B documentation to help organizations develop a baseline of controls to implement. The difference between the two documents is that 800-53 defines the controls, whereas 800-53B is a subset of those controls to be used as a starting point for organizations to implement to protect federal information systems. In other words, if you are just starting your compliance journey, the information in NIST 800-53B should be at the top of your list.

CMMC and NIST 800-53

If your organization is gearing up for a CMMC certification, then reviewing NIST 800-53 Rev 5 will be a big part of your preparations. The CMMC guidelines reference the controls and baselines included with NIST 800-53. Although the controls referenced in the CMMC documentation come from NIST 800-53, being compliant with 800-53 does not mean the requirements for CMMC have been met as other standard documents are part of CMMC. For more information on CMMC and what is involved in obtaining the certification, the following link contains a FAQ page and information on the CMMC model.

Risk Management Framework

An important note about the NIST 800-53 publication is that it is part of a much larger recommendation developed by NIST known as the Risk Management Framework (RMF). NIST is a set of guidelines for developing and maintaining security and privacy best practices by instituting continuous monitoring of secured systems and providing tactical information based on the amount of risk an organization can accept. The framework provides a repeatable process for ensuring the protection of information systems throughout their lifecycle within acceptable risk limits.

For more information on RMF, see the following link,

Whether you’re just starting your compliance journey or well down the road, Rev. 5 of 800-53 will be a game-changer for everyone. But don’t panic; there are plenty of resources available and our team at SteelCloud is always available to help you along your journey. The best place to start is to get familiar with the resources on the 800-53 Rev. 5 home page.

About the author:

NIST 800-53 Rev. 5: Outcome-based vs. Impact-based Controls 1

Joe Montgomery

Joe recently joined SteelCloud as an Implementation Specialist, to assist customers with their implementation and automation needs in order to help them effectively utilize SteelCloud’s ConfigOS software. Joe has spent the bulk of his decade long career in the MSP field where he maintained infrastructure and innovated solutions for the SMB market as well as enterprise level businesses. Joe can be reached at:

Share This Resource:

Leave a comment