Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

SP 800-53 Rev. 5 (DRAFT)

PRE-DRAFT Call for Comments: Security and Privacy Controls for Federal Information Systems and Organizations

Date Published: February 23, 2016
Comments Due: April 1, 2016 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Withdrawn: August 15, 2017

Announcement

NIST Special Publication 800-53 Revision 5, Pre-Draft Call for Comments

Recognizing the importance of maintaining the relevance and currency of Special Publication (SP) 800-53, NIST will update Revision 4 to Revision 5 during calendar year 2016 beginning with this pre-draft request for comments. NIST seeks the input of SP 800-53 customers to ensure Revision 5 will continue to deliver a comprehensive security and privacy control set that addresses current threats, technologies, and environments of operation while remaining functional and usable. Listed below are the specific areas in which NIST seeks comments, but any constructive feedback will be considered.


Security Control Baseline Normalization

The low, moderate, and high security control baselines in SP 800-53 Appendix D were developed to ensure consistency with Federal Information Processing Standards (FIPS) 199 and FIPS 200 along with NIST SP 800-60 and the assumptions detailed in SP 800-53 Revision 4, Section 3.1. In accordance with the Federal Information Security Management/Modernization Acts of 2002/2014, the security control baselines provide a starting point for a tailoring process that results in an agreed upon set of security controls that are intended to provide protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.

NIST seeks customer feedback regarding the relevance and appropriateness of the current security controls and control enhancements designated in each baseline—that is, do the security controls and control enhancements in each baseline provide the appropriate starting point for tailoring that baseline? Specifically, NIST requests input on the following: 

  • Security controls or control enhancements currently designated in baselines that customers believe are not appropriate for a given baseline, along with a rationale for the removal of the controls or enhancements. Why are the particular security controls or control enhancements notneeded to protect the information and information system at the level of a particular baseline?  

    Example:  Remove CP-4, Contingency Plan Testing from the Low Impact Baseline because it should not be necessary to expend resources on testing contingency plans for low impact systems due to the limited adverse effect of the loss of a low impact system to the organization’s mission.
     
  • Security controls or control enhancements not currently designated in a baseline that customers believe are appropriate for a given baseline, along with a rationale for the addition of the controls or enhancements. Why are the particular security controls or control enhancements needed to protect information and information system at the level of a particular baseline?  

    Example:  Add AC-11, Session Lock to the Low Impact Baseline because if an attacker has physical access to a low impact system that has not been locked, the system could be used to attack other, potentially higher impact systems on the same network. 

Security Control Format

Currently, each security control and control enhancement begins with an indication of the entity within which or by which the control/enhancement is to be implemented, for example: “the information system provides a warning...” or “the organization reviews and updates the audited events…” NIST seeks input regarding a proposed change in the existing format such that each security control and control enhancement would be stated in an outcome-based manner, for example: “a warning is provided...” or “the audited events are reviewed and updated...”

Example:

Current—
AU-14  SESSION AUDIT

Control:  The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

Proposed—
AU-14  SESSION AUDIT

Control:  The capability for authorized users to select a user session to capture/record or view/hear is provided.

Example:

Current—
MA-6  TIMELY MAINTENANCE

Control:  The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

Proposed—
MA-6  TIMELY MAINTENANCE

Control:  Maintenance support and/or spare parts are obtained for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

This change is being considered to keep the focus on the substance of the security control or control enhancement rather than on the entity implementing the control/enhancement. Would such a change provide greater emphasis on the purpose of the control and better reflect the intended outcome of the control in providing security that is commensurate with risk? Or provide organizations with greater flexibility regarding specific control implementations? Please note that this change, if adopted, would not alter the current content of any security control or control enhancement.

Addition of hyperlinks

NIST is considering the inclusion of hyperlinks throughout the document to make the guidance easier to navigate. For example, each security control in the left hand column in the Appendix D tables could be hyperlinked to the actual control in Appendix F. Would this type of change be a constructive addition or would such a change add complexity and clutter while not contributing any real benefit?

Addition of key words

NIST is considering the inclusion of keywords for each security control and control enhancement. This addition would facilitate searching when developing or using automated tools. The addition of keywords may promote greater consistency in search results since automated tool developers would use the same keywords for each security control or control enhancement. Would the addition of keywords be a constructive addition or would the addition of keywords add unnecessary complexity without sufficient benefit? The relevant keywords could be included after the References as in the example below.

Example:

IA-6  AUTHENTICATOR FEEDBACK

Control:  The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Supplemental Guidance:  The feedback from information systems does not provide information that would allow unauthorized individuals to compromise ... Related control: PE-18.

Control Enhancements:  None.

References:  None.

Keywords:   access; confidentiality; output device; physical.

Priority and Baseline Allocation:

 

P2

LOW IA-6

MOD IA-6

HIGH IA-6

 

Comments or suggestions for additional information

NIST seeks input regarding the comprehensiveness of the current publication including security and privacy controls; control enhancements; supplemental guidance; informative text in Chapters 1-3; and supporting appendices. Are there any security or privacy controls or control enhancements needed but not addressed by the control sets in Appendices F, G, and J? Is additional supplemental guidance needed for any control or control enhancement? Is further informative text needed in Chapters 1-3? Is there any information missing from the supporting appendices or are additional appendices needed? Please be specific and include the rationale for any proposed additions.

Comments or suggestions for clarification of information

NIST seeks input regarding the clarity of the current publication including security and privacy controls; control enhancements; supplemental guidance; informative text in Chapters 1-3; and supporting appendices. Is the intent of any security or privacy control or enhancement unclear or confusing? Does the associated supplemental guidance explain the intent of the control or control enhancement clearly and unambiguously? Are there sufficient examples? Is the informative text in Chapters 1-3 and the supporting appendices presented with sufficient clarity? Please be specific and include the rationale for any proposed clarifications.

Comments or suggestions for removal of information 

NIST seeks input regarding the need to remove material from the current publication including security and privacy controls; control enhancements; supplemental guidance; informative text in Chapters 1-3; and supporting appendices. Are there any security or privacy controls in Appendices F, G, and J that are outdated, unneeded, or unusable? Is there supplemental guidance for security or privacy controls or control enhancements that is not helpful or is extraneous? Is there information in Chapters 1-3 or the supporting appendices that is irrelevant or not useful? Is information in any of the appendices ineffective or immaterial? Please be specific and include the rationale for any proposed deletions.

Abstract

Control Families

None selected

Documentation

Publication:
None available

Supplemental Material:
None available

Related NIST Publications:
SP 800-53 Rev. 5 (DRAFT)