Computer Security Resource Center

SP 800-53 Rev. 5 (Draft)

Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)

Date Published: March 2020
Comments Due: May 29, 2020 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Planning Note (4/28/2020):

  • The comment period has been extended to May 29, 2020.
  • See the current publication schedule proposed by NIST; it may be subject to change. 
  • NIST has posted a spreadsheet (.xlsx) version of the controls, linked under “Supplemental Material.”
  • Frequently Asked Questions (FAQ) are now posted under “Supplemental Material” and on the FISMA Implementation Project FAQ page.

Author(s)

Joint Task Force

Announcement

There is an urgent need to strengthen the trustworthiness and resilience of the information systems, component products, and services that we depend on in every critical infrastructure sector and which support the economic and national security interests of the United States.

This (final public draft) revision of NIST Special Publication 800-53 presents a proactive and systemic approach to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include the security and privacy controls to protect the critical and essential mission and business operations of organizations, the organization’s high value assets, and the personal privacy of individuals. The objective is to manage mission, business, and system risks for organizations, making the systems we depend on more penetration-resistant to cyber-attacks; limiting the damage from those attacks when they occur; making the systems cyber-resilient and survivable; and protecting the security and privacy of information.

  • Please see the "Supplemental Materials" section for a summary of changes and newly added resources, including the draft controls in the machine-readable Open Security Controls Assessment Language (OSCAL) format.
  • NIST is planning a webcast to provide an overview of the changes in Revision 5. More information to come.

Summary of Changes in Revision 5

Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:

  • Creating security and privacy controls that are more outcome-based by changing the structure of the controls;
  • Fully integrating privacy controls into the security control catalog, creating a consolidated and unified set of controls;
  • Adding two new control families for privacy and supply chain risk management;
  • Integrating the Program Management control family into the consolidated catalog of controls;
  • Separating the control selection process from the controls—allowing controls to be used by different communities of interest;
  • Separating the control catalog from the control baselines;
  • Promoting alignment with different risk management and cybersecurity approaches and lexicons, including the NIST Cybersecurity and Privacy Frameworks;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence, empirical attack data, and systems engineering and supply chain risk management best practices, including controls to:
    • Strengthen security and privacy governance and accountability;
    • Support secure system design; and
    • Support cyber resiliency and system survivability.

The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives. However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.

Feedback Requested

Reviewers should refer to the “Notes to Reviewers” that begins on page v of this draft. NIST requests feedback on: (1) the updates to the control catalog identified above; and (2) the concept of including a collaboration index for each control. The index is intended to indicate the degree of collaboration between security and privacy programs for each control. This collaboration index is a starting point to facilitate discussion between security and privacy programs since the degree of collaboration needed for control implementation for specific systems depends on many factors. For purposes of review and comment, three control families are identified as notional examples: Access Control (AC); Program Management (PM); and Personally Identifiable Information Processing and Transparency (PT). The notional examples are provided as a “Notes to Reviewers Supplemental Material” section at the end of the document, following Appendix D.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers.

The public comment period for this draft is open through May 29, 2020 (extended from the original May 15, 2020 deadline). We encourage reviewers to use the comment template for organizing and submitting comments.

NOTE: A call for patent claims is included on page ix of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy: Inclusion of Patents in ITL Publications.

Abstract

Keywords

assurance; availability; computer security; confidentiality; control; cybersecurity; FISMA; information security; information system; integrity; personally identifiable information; Privacy Act; privacy controls; privacy functions; privacy requirements; Risk Management Framework; security controls; security functions; security requirements; system; system security

Control Families

Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Contingency Planning; Security Assessment and Authorization; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Risk Assessment; System and Services Acquisition; System and Information Integrity; System and Communications Protection; Program Management