SP 800-53B (Draft)

Control Baselines for Information Systems and Organizations

Date Published: July 2020
Comments Due: September 11, 2020 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Planning Note (7/31/2020): We encourage you to use the comment template to record and submit your comments. 

Author(s)

Joint Task Force

Announcement

Draft SP 800-53B provides three security control baselines for low-impact, moderate-impact, and high-impact federal systems, as well as a privacy control baseline for systems irrespective of impact level. The security and privacy control baselines have been updated with the controls described in SP 800-53, Revision 5; the content of control baselines reflects the results of a comprehensive interagency review conducted in 2017 and continuing input and analysis of threat and empirical cyber-attack data collected since the update to SP 800-53.

In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions to help guide and inform the control selection process for organizations. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. The control baselines were previously published in NIST SP 800-53, but moved so that SP 800-53 could serve as a consolidated catalog of security and privacy controls that can be used by different communities of interest.

In addition to your feedback on the three security control baselines, NIST is also seeking your comments on the privacy control baseline and the privacy control baseline selection criteria.  Since the selection of the privacy control baseline is based on a mapping of controls and control enhancements in SP 800-53 to the privacy program responsibilities under OMB Circular A-130, suggested changes to the privacy control baseline must be supported by a reference to OMB A-130.  Alternatively, you may provide a description and rationale for new or modified privacy control baseline selection criteria. 

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers from the public and private sectors, nationally and internationally, to help shape NIST publications to ensure they meet the needs and expectations of our customers.

NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

assurance; impact level; privacy control; privacy control baseline; security control; security control baseline; tailoring; control selection; control overlays
Control Families

None selected

Documentation

Publication:
SP 800-53B (Draft) (DOI)
Local Download

Supplemental Material:
Comment template (xls)

Related NIST Publications:
SP 800-53 Rev. 5 (Draft)

Document History:
07/31/20: SP 800-53B (Draft)
10/29/20: SP 800-53B (Final)