NIST believes that robust, widely understood, and participatory development processes produce the strongest, most effective, most trusted, and broadly accepted standards and guidelines. The following principles guide NIST's standards and guidelines development:
NIST accepts and encourages stakeholders to provide feedback on any aspect of our publications. The SP 800-53 Comment Website is focused on getting feedback on the controls and control enhancements and allows for submission of:
To provide feedback on other aspects of NIST SP 800-53, please use the Comment Matrix and submit to 800-53comments@list.nist.gov.
See More Information for Terminology. See Users Guide and Tutorial to learn more about the SP 800-53 Controls, SP 800-53B Control Baselines and Terminology.
Learn more about the SP 800-53 controls and SP 800-53B control baselines by reviewing:
Stakeholders can provide input (a "Proposal") to NIST at any time. Note that submission of a proposal does not guarantee that NIST will include the proposal in a future comment period (as a “Candidate”) or release of SP 800-53. Only proposals in Candidate (available for public comment) or Awaiting Publication (“sandbox”) are visible and searchable by tracking number.
Stakeholders can view and provide comments on "Candidates" (draft controls available for public comment) during defined comment periods. Comments on "Candidates" are reviewed by NIST prior to posting.
See More Information for Terminology and more information about the comment submission process.
A "Proposal" is a new control/control enhancement idea or an edit to an existing control/control enhancement. Note that submission of a proposal does not guarantee that NIST will include the proposal in a future comment period (as a “Candidate”) or release of SP 800-53.
A "Candidate" is a new or updated draft control/control enhancement that is available for public comment. Stakeholders can review the draft control/control enhancement and provide feedback.
See More Information for Terminology and more information about the comment submission process.
Once your submission ("Proposal" or Comment) is reviewed by NIST, you will receive a system generated e-mail from no-reply-800-53comments@nist.gov with the updated status of your submission.
If the "Proposal" is in a publicly-viewable status (i.e., "Candidate" or "Awaiting" status), you can also search for the Proposal on the SP 800-53 Comment Website using the tracking number provided in the system generated e-mail.
At this time, the SP 800-53 Comment Website does not offer the ability for users to update previously submitted comments. Please submit a new "Proposal" and include a Tracking Number (TM000000XX) of your original submission in the "Justification" section.
See More Information for Terminology and more information about the comment submission process.
If the "Proposal" is in a publicly-viewable status (i.e., "Candidate" or "Awaiting" status), you can also search for the Proposal on the SP 800-53 Comment Website using the tracking number provided in the system generated e-mail.
See Additional Background for more information about the comment submission process and workflow.
Depending on the nature of the comment and change, accepted updates will be included in the next Major or Minor release.
See More Information for Terminology and Major and Minor Release Schedule and Criteria.
Stakeholder input is critical to the development of NIST Special Publications and guidance. Stakeholder comments are considered throughout the SP 800-53 research and development process - from inception of an idea for a control/control enhancement to providing comments on draft ("Candidate") controls/control enhancements. Although each comment submitted may not result in a change, the NIST team reviews and adjudicates each and every comment received.
To get specific feedback on a submitted comment, please contact and have the system-generated tracking number available: 800-53comment-help@list.nist.gov. Please allow up to 5 business days for a response to email inquiries.
NIST will continue to accept comments from stakeholders using a comment matrix emailed to 800-53comments@list.nist.gov.
Comments submitted using the comment matrix will be entered into the SP 800-53 Comment Site and adjudicated using the same process as comments submitted via the site.
If your organization's firewall is preventing you from joining via the SP 800-53 Comment Period Notifications Google Group, please send an email to 800-53comment-help@list.nist.gov.
A moderator will add you to the email list. Please note that you may not be able to access the Forum archives and update your own subscription settings if you cannot access the Google Group.
Minor Releases are equivalent to a NIST SP 800-53 Errata Update. Minor releases/errata updates are consistent with NIST procedures and criteria for errata updates, whereby a new copy of a final publication is issued to include corrections that do not alter existing or introduce new technical information or requirements. Such corrections are intended to remove ambiguity and improve interpretation of the work, and may also be used to improve readability or presentation (e.g., formatting, grammar, spelling).
NIST will issue a maximum of 2 minor releases per year.
Major Releases are equivalent to a new NIST SP 800-53 Revision (e.g, Revision 6, Revision 7). Planned major releases can be both time- and event-driven. Time-driven (regularly scheduled) major releases will occur every 2 years. Event-driven releases will occur as necessary, but will be limited to address only critical issues.
NIST will issue a major release every 2 years (in lieu of a Minor Release).
Stakeholder input is critical to the development of NIST Special Publications and guidance. Stakeholder comments are considered throughout the SP 800-53 research and development process - from inception of an idea for a control/control enhancement to providing comments on draft ("Candidate") controls/control enhancements. Although each comment submitted may not result in a change, the NIST team reviews and adjudicates each and every comment received.
To download the normative versions of NIST SP 800-53, NIST SP 800-53B, and NIST SP 800-53A (Revision 4), please see CSRC Publications.
To download alternative data formats of NIST SP 800-53, NIST SP 800-53B, and NIST SP 800-53A (Revision 4), please see the SP 800-53 Downloads Website.
Note that NIST Special Publication (SP) 800-53, 800-53A, and SP 800-53B contain additional background, scoping, and implementation guidance in addition to the controls, assessment procedures, and baselines. This NIST SP 800-53 database represents the derivative format of controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Derivative data formats of the forthcoming SP 800-53A, Revision 5 controls will be available when the publication is finalized (anticipated by winter 2021).
To view the SP 800-53 Controls in your web browser, please see the NIST SP 800-53 Controls Release Search.
To download different the SP 800-53 controls, SP 800-53B control baselines, and SP 800-53A control assessment procedures, please see our SP 800-53 Downloads Website.
Note that NIST Special Publication (SP) 800-53, 800-53A, and SP 800-53B contain additional background, scoping, and implementation guidance in addition to the controls, assessment procedures, and baselines. This NIST SP 800-53 database represents the derivative format of controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Derivative data formats of the forthcoming SP 800-53A, Revision 5 controls will be available when the publication is finalized (anticipated by winter 2021).
Security and Privacy: general security & privacy, privacy, risk management, security measurement, security programs & operations
Laws and Regulations: E-Government Act, Federal Information Security Modernization Act