November 7, 2023: NIST issues SP 800-53 Release 5.1.1 in the Cybersecurity and Privacy Reference Tool (CPRT). The corresponding assessment procedures in SP 800-53A have also been updated, and the SP 800-53A assessment procedures and SP 800-53B control baselines are now available in the CPRT. For more information, see: CSRC News Article and the SP 800-53 Release 5.1.1 FAQ (updated). A detailed listing of the changes is also available for SP 800-53 and SP 800-53A.
Thank you to those who submitted comments using the NIST SP 800-53 Public Comment Website.
November 1, 2023: The expedited 2-week public comment period is closed. NIST is adjudicating comments and plans to issue SP 800-53 Release 5.1.1 in November 2023.
October 17, 2023: NIST opens a 2-week expedited public comment period on draft controls for October 17–31, 2023, and plans to issue SP 800-53 Patch Release 5.1.1 in November 2023. Please review and submit comments on the proposed new control, control enhancements and corresponding assessment procedures using the NIST SP 800-53 Public Comment Website. For more information, see: CSRC News Article and the SP 800-53 Release 5.1.1 FAQ.
Please direct questions and comments to: email@example.com.
The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support implementing risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
| Prepare | Essential activities to prepare the organization to manage security and privacy risks |
| Categorize | Categorize the system and information processed, stored, and transmitted based on an impact analysis |
| Select | Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s) |
| Implement | Implement the controls and document how controls are deployed |
| Assess | Assess to determine if the controls are in place, operating as intended, and producing the desired results |
| Authorize | Senior official makes a risk-based decision to authorize the system (to operate) |
| Monitor | Continuously monitor control implementation and risks to the system |