Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects NIST Risk Management Framework SP 800-53 Controls Control Catalog Public Comments Overview

NIST Risk Management Framework RMF

More Information: SP 800-53 Public Comment Site

The NIST SP 800-53 Controls Public Comment Site was developed to ensure that the SP 800-53 control catalog provides the most comprehensive and up-to-date set of controls/countermeasures to manage security, privacy, and supply chain risk. By modernizing the NIST comment process and moving to an online dataset instead of following a document-based update process, NIST can provide its stakeholders the most up-to-date controls in multiple data formats to manage risk while encouraging use of automation. 

Stakeholders can provide feedback on controls by:

  • submitting a "proposal" for a new control and/or control enhancement,
  • submitting a "proposal" for a change to an existing control and/or control enhancement,
  • reviewing and commenting on proposed updates to controls ("candidates") through this website,
  • previewing controls that are planned for inclusion in a future update to SP 800-53 ("awaiting publication").  

NIST will continue to accept comments from stakeholders using a comment matrix emailed to
800-53comments@list.nist.gov

Comments submitted using the comment matrix will be entered into the SP 800-53 Public Comment Site and adjudicated using the same process as comments submitted via the site. 

  • Proposal – Any submission (comment on existing control/control enhancement or suggestion for a new control/control enhancement) from an end user. A proposal becomes a “candidate” when made available for public review by NIST.

  • Candidate – Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls available for public review and comment for 30-90 days. Note that not all comments are substantive in nature; if changes are identified by an end user that do not change the technical content of a control/control enhancement, the NIST control manager(s) can skip the “Candidate” process.

  • Awaiting (Release) or Sandbox – Proposed changes that have completed the candidate phase, with comments/suggestions received during the public review adjudicated by NIST. Customers are able to preview the projected, proposed, and planned changes and can begin to prepare for implementation in advance of the release.    
  • Release – Further broken down into Major Release and Minor Release.  For additional information, see Major/Minor Release Criteria [add link]
    • Major Release is the equivalent to a new “SP 800-53 Revision" (e.g., NIST SP 800-53, Revision 6)  
    • Minor Release is the equivalent to an errata update of the existing SP 800-53 Revision. 
Release Schedule

Minor Releases are equivalent to a NIST SP 800-53 Errata Update. Minor releases/errata updates are consistent with NIST procedures and criteria for errata updates, whereby a new copy of a final publication is issued to include corrections that do not alter existing or introduce new technical information or requirements. Such corrections are intended to remove ambiguity and improve interpretation of the work, and may also be used to improve readability or presentation (e.g., formatting, grammar, spelling). 

NIST will issue a maximum of 2 minor releases per year.  

Major Releases are equivalent to a new NIST SP 800-53 Revision (e.g, Revision 6, Revision 7).  Planned major releases can be both time- and event-driven.  Time-driven (regularly scheduled) major releases will occur every 2 years. Event-driven releases will occur as necessary, but will be limited to address only critical issues. 

NIST will issue a major release every 2 years (in lieu of a Minor Release).

 
Release Criteria

Change Type

Minor Release

Major Release

Correct an error in punctuation, spelling, or grammar (Depending on the nature of the editorial correction, a public comment may not be required)

X

 

Correct an error not related to punctuation, spelling, or grammar that does not impact implementation of the control/control enhancement.

X

 

Add new control or control enhancement not in a baseline

X

 

Add control or control enhancement to baseline (existing or new control)

 

X

Remove control or control enhancement from a baseline

 

X

Change the title of a control or control enhancement

X

 

Withdraw a control or control enhancement not in a baseline (either complete withdrawal or incorporation into or move to another control or enhancement)

X

 

Withdraw a control or control enhancement in a baseline (either complete withdrawal or incorporation into or move to another control or enhancement)

 

X

Change a control or control enhancement not due to error (i.e., implementation is affected) – includes addition, removal, or change of an assignment and/or selection operation

 

X

Minor change in Discussion (e.g., reword for clarity, include additional examples)

X

 

Significant change in Discussion (e.g., change in intent, major rewording, addition or removal of entire sentences)

 

X

Addition of Discussion where there had been no guidance previously

 

X

Addition, removal, or change in References

X

 

Addition, removal, or change in Related Controls

X

 

Move control or control enhancement to a different family (with no other changes)

 

X
Public Comment Timeline

Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls and SP 800-53B control baselines that are available for public review and comment.

  • Semi-annual public comment periods for Minor Releases will begin in February and August[Minor releases will be published, if necessary, semi-annually in May and November]

  • A biennial public comment period for Major Releases will begin in May[Major releases will be published, if necessary, every 2 years in November in lieu of a Minor Release]

Comment Period Duration Criteria

Depending on the type of release (Minor or Major), the timeframe for the public comment will vary.

Type of Release

Comment Period Length

Minor

30 calendar days

Major

60 calendar days

 

All interested stakeholders are notified when candidates are available for comment and the comment period length.  See Stakeholder Notification Process for more information.  

Stakeholder Notification Process

As candidates are released for comment, subscribers to 800-53updates@list.nist.gov will receive a notification about candidates available for comment and the comment period length. The SP 800-53 Updates email list is open to any interested party to sign up and all comment period notifications are publicly accessible at https://groups.google.com/u/2/a/list.nist.gov/g/800-53updates; only NIST Team members are able to send notifications to the group.

 

Sign-up for SP 800-53 Comment Period Notifications

 

If your organization's firewall is preventing you from joining via the SP 800-53 Comment Period Notifications Google Group, please send an email to 800-53comments@list.nist.gov. A moderator will add you to the email list. Please note that you may not be able to access the Forum archives and update your own subscription settings if you cannot access the Google Group.  

Contacts

NIST Risk Management Framework Team
sec-cert@nist.gov

Created November 30, 2016, Updated April 10, 2024