Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

NIST Seeks Comments on Final Public Draft of SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations
March 16, 2020

There is an urgent need to strengthen the trustworthiness and resilience of the information systems, component products, and services that we depend on in every critical infrastructure sector and which support the economic and national security interests of the United States.

This (final public draft) revision of NIST Special Publication 800-53 presents a proactive and systemic approach to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include the security and privacy controls to protect the critical and essential mission and business operations of organizations, the organization’s high value assets, and the personal privacy of individuals. The objective is to manage mission, business, and system risks for organizations, making the systems we depend on more penetration-resistant to cyber-attacks; limiting the damage from those attacks when they occur; making the systems cyber-resilient and survivable; and protecting the security and privacy of information.

  • Please see the "Supplemental Materials" section of the publication details for a summary of changes and newly added resources, including the draft controls in the machine-readable Open Security Controls Assessment Language (OSCAL) format.
  • See the Feedback Requested section below for instructions on submitting comments before the May 15, 2020 deadline.
  • NIST is planning a webcast to provide an overview of the changes in Revision 5. More information to come.

 

Summary of Changes in Revision 5

Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:

  • Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
  • Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
  • Adding two new control families for privacy and supply chain risk management;
  • Integrating the Program Management control family into the consolidated catalog of controls;
  • Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
  • Separating the control catalog from the control baselines;
  • Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
    • Strengthen security and privacy governance and accountability;
    • Support secure system design; and
    • Support cyber resiliency and system survivability.

The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives. However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.

Feedback Requested

Reviewers should refer to the “Notes to Reviewers” that begins on page v of this draft. NIST requests feedback on: (1) the updates to the control catalog identified above; and (2) the concept of including a collaboration index for each control. The index is intended to indicate the degree of collaboration between security and privacy programs for each control. This collaboration index is a starting point to facilitate discussion between security and privacy programs since the degree of collaboration needed for control implementation for specific systems depends on many factors. For purposes of review and comment, three control families are identified as notional examples: Access Control (AC); Program Management (PM); and Personally Identifiable Information Processing and Transparency (PT). The notional examples are provided as a “Notes to Reviewers Supplemental Material” section at the end of the document, following Appendix D.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers.

The public comment period for this draft is open through May 15, 2020. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ix of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Parent Project

See: FISMA Implementation Project
Created January 17, 2020, Updated March 16, 2020