Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-100 Rev. 1 (Initial Preliminary Draft)

PRE-DRAFT Call for Comments | Information Security Handbook: A Guide for Managers

Date Published: January 9, 2024
Comments Due: February 23, 2024 (public comment period is CLOSED)
Email Questions to:



NIST plans to update Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and is issuing this Pre-Draft Call for Comments to solicit feedback from users. The public is invited to provide input by February 23, 2024


Since SP 800-100 was published in October of 2006, NIST has developed new frameworks for cybersecurity and risk management and released major updates to critical resources and references. This revision would focus the document’s scope for the intended audience and ensure alignment with other NIST guidance. Before revising, NIST would like to invite users and stakeholders to suggest changes that would improve the document’s effectiveness, relevance, and general use with regard to cybersecurity governance and the intersections between various organizational roles and information security.

NIST welcomes feedback and input on any aspect of SP 800-100 and additionally proposes a list of non-exhaustive questions and topics for consideration:

  • What role do you fill in your organization?
  • How have you used or referenced SP 800-100?
  • What specific topics in SP 800-100 are most useful to you?
  • What challenges have you faced in applying the guidance in SP 800-100?
  • Is the document’s current level of specificity appropriate, too detailed, or too general? If the level of specificity is not appropriate, why?
  • How can NIST improve the alignment between SP 800-100 and other frameworks and publications?
  • What new cybersecurity capabilities, challenges, or topics should be addressed?
  • What current topics or sections in the document are out of scope, no longer relevant, or better addressed elsewhere?
  • Are there other substantive suggestions that would improve the document?
  • Specific topics to consider for revision or improvement:
    • Cybersecurity governance
    • Role of information security in the software development life cycle (e.g., agile development)
    • Contingency planning and the intersection of roles across organizations
    • Risk management
      • Enterprise risk management
      • Supply chain risk management and acquisitions
      • Metrics development and cybersecurity scorecard
    • System authorizations
    • Relationship between privacy and information security programs

The comment period is open through February 23, 2024. Please submit comments to with "Comments on Information Security Handbook: A Guide for Managers” in the subject field. We encourage you to use this comment template.


Control Families

None selected


See SP 800-100 (pdf)

Supplemental Material:
Comment template (xlsx)

Document History:
01/09/24: SP 800-100 Rev. 1 (Draft)