All articles

10 September 2025

HOW ACSC ISM ROADMAP IS FOLLOWING NIST 800–52 REV 2

HOW ACSC ISM ROADMAP IS FOLLOWING NIST 800–52 REV 2 1. March 2025 ISM Update Key Changes (based on available context and trends): Strengthened Secure by Design principles, emphasizing secure software development and supp…

HOW ACSC ISM ROADMAP IS FOLLOWING NIST 800–52 REV 2

1. March 2025 ISM Update

Key Changes (based on available context and trends):

  • Strengthened Secure by Design principles, emphasizing secure software development and supply chain risk management (SCRM).
  • Updated Govern (GOV) principles to clarify risk ownership and governance structures.
  • Enhanced Identify (IDE) controls for asset discovery and classification, particularly for operational technology (OT).
  • Introduced initial AI security considerations (e.g., data handling for AI systems).
  • Expanded physical security controls for data centers.

Mapping to NIST 800–53 Rev 2:

  • CM-8 (System Component Inventory): ISM’s IDE updates (asset discovery/classification) align with NIST’s requirement for comprehensive system inventories, critical for risk categorization (RMF Step 1).
  • SA-3 (System Development Life Cycle): Secure by Design principles map to NIST’s focus on integrating security into development processes.
  • RA-3 (Risk Assessment): GOV updates for risk ownership align with NIST’s risk assessment controls, supporting RMF Step 2 (Select).
  • PE-2/3 (Physical Access Authorizations/Control): Enhanced physical security controls map to NIST’s physical and environmental protection family.
  • SC-28 (Protection of Information at Rest): Initial AI data handling aligns loosely with NIST’s data protection controls, though Rev 2 lacks AI-specificity.

Roadmap Alignment: March 2025 emphasizes RMF Steps 1–2 (Categorize, Select), focusing on asset visibility and governance to build risk-aware baselines. It sets the stage for implementing controls, aligning with NIST’s roadmap for structured risk management.

2. June 2025 ISM Update

Key Changes (per prior context):

  • Major overhaul with 40+ new controls (ISM-2020 to ISM-2068) targeting software development lifecycle security.
  • New controls for software bill of materials (SBOM), issue tracking, and malicious code scanning.
  • Rewrote GOV and IDE principles to embed Secure by Design/Secure by Default.
  • Strengthened data minimization and personnel oversight in development.
  • Introduced AI-specific considerations (e.g., ISM-1924 for generative AI behavior).

Mapping to NIST 800–53 Rev 2:

  • SA-4 (Acquisition Process): SBOM and supply chain controls align with NIST’s acquisition security requirements, ensuring third-party software integrity.
  • SI-3 (Malicious Code Protection): Controls for scanning malicious code in artifacts map directly to NIST’s system integrity controls.
  • SA-8 (Security Engineering Principles): Secure by Design/Secure by Default principles strongly align with NIST’s focus on engineering secure systems.
  • PS-4 (Personnel Termination): Personnel oversight controls map to NIST’s personnel security family, ensuring developer accountability.
  • SC-28 (Protection of Information at Rest): AI controls (e.g., ISM-1924) loosely map to data protection, though Rev 2 lacks AI granularity.
  • RA-5 (Vulnerability Scanning): Issue tracking controls align with NIST’s vulnerability management requirements.

Roadmap Alignment: June 2025 aligns with RMF Steps 3–4 (Implement, Assess), emphasizing actionable controls for software security and continuous monitoring. The focus on SBOM and AI reflects NIST’s roadmap goal of adapting to emerging risks, though Rev 2 requires interpretation for modern tech.

3. September 2025 ISM Update

Key Changes (per prior context):

  • Added shorthand descriptors for all principles (GOV, IDE, Protect, Detect, Respond, Recover).
  • New IDE-01 (Asset Identification) for IT/OT asset and supply chain documentation.
  • Updated Protect principles (e.g., “trustworthy” vs. “trusted” for suppliers/systems, least privilege for services).
  • New REC (Recover) category with REC-01 (post-incident risk acceptance, ex-RES-05).
  • 5–7 new controls, e.g., ISM-2069/2070 (physical security for devices), ISM-2071 (personnel training on suspicious requests), ISM-2072 (AI model storage), ISM-2073 (post-quantum cryptography transition).
  • Expanded ISM-1924 for generative AI safeguards and ASD-endorsed Protection Profiles for crypto assurance.

Mapping to NIST 800–53 Rev 2:

  • CM-8 (System Component Inventory): IDE-01 for asset/supply chain documentation maps to NIST’s inventory requirements.
  • AC-6 (Least Privilege): Updated Protect principles (least privilege for services) align with NIST’s access control family.
  • PE-2/3 (Physical Access Authorizations/Control): ISM-2069/2070 (device security) map to NIST’s physical protection controls.
  • PS-6 (Access Agreements): ISM-2071 (personnel training) aligns with NIST’s personnel security training requirements.
  • SC-12 (Cryptographic Key Management): ISM-2073 (post-quantum crypto) maps loosely to NIST’s crypto controls, though Rev 2 lacks quantum-specificity.
  • SC-28 (Protection of Information at Rest): ISM-2072 (AI model storage) and expanded ISM-1924 (AI safeguards) align with data protection.
  • IR-4 (Incident Handling): New REC category (REC-01) maps to NIST’s incident response and recovery controls.
  • CA-7 (Continuous Monitoring): Detect principle updates (DET-01/02 for logging/analysis) align with NIST’s monitoring requirements.

Roadmap Alignment: September 2025 aligns with RMF Steps 4–6 (Assess, Authorize, Monitor), focusing on operational resilience, recovery, and emerging tech (AI, quantum). It advances NIST’s roadmap by refining implementation and monitoring, adapting to modern threats absent in Rev 2.

Trends and Future Direction

  • ISM Evolution: The ISM is progressively aligning with NIST’s risk management philosophy but modernizing faster to address AI, post-quantum cryptography, and OT security. March 2025 laid governance foundations, June 2025 operationalized software security, and September 2025 refined implementation with recovery and emerging tech focus.
  • NIST Roadmap Gaps: NIST 800–53 Rev 2 (pre-2010) lacks controls for AI, quantum risks, or modern supply chain threats, so ISM updates extend beyond Rev 2’s scope. September’s post-quantum and AI controls anticipate NIST’s post-Rev 5 roadmaps (e.g., NIST’s 2023 quantum preparedness guidelines).
  • Future Alignment: Expect future ISM updates (e.g., December 2025) to deepen Zero Trust integration, expand AI/OT controls, and align with NIST’s RMF evolution (e.g., continuous authorization, hybrid cloud security). Organizations should prioritize asset visibility, SBOM adoption, and quantum transition planning to bridge ISM-NIST compliance.