U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NIST Risk Management Framework RMF

SP 800-53 Comment Site FAQ

 General Questions and Background

NIST believes that robust, widely understood, and participatory development processes produce the strongest, most effective, most trusted, and broadly accepted standards and guidelines. The following principles guide NIST's standards and guidelines development:

  • Transparency: All interested and affected parties have access to essential information regarding standards and guidelines-related activities throughout the development process.
  • Openness: Participation is open to all interested parties. All stakeholders – including security professionals, researchers, standards developing organizations (SDOs), and users – have an opportunity to be meaningfully involved in the standards and guidelines development process.
  • Balance: NIST solicits input from a wide range of stakeholders representing government, industry and academia to ensure that its standards are strong and practical, and meet the needs of the Federal Government as well as the broader user community. 
  • Integrity: NIST serves as an impartial technical authority when it is developing standards and guidelines.
  • Technical Merit: NIST’s decisions during the development of standards and guidelines are based on the technical merit of a proposal while being mindful of security, privacy, policy and business considerations.
  • Global Acceptability: While the statutory basis for NIST’s work in risk management is the need for protection of non-national security federal information systems, NIST standards are the foundation of many information technology products and services that are developed and sold globally.
  • Usability: NIST aims to develop risk management guidelines that help implementers create secure and useable systems that support business needs and better manage risk for systems and organizations.  
  • Continuous Improvement: NIST strives for ongoing engagement with the cybersecurity and privacy community to continuously improve our standards and guidelines.
  • Innovation: As a scientific bureau within the U.S. Department of Commerce, NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 
The NIST SP 800-53 Public Comment Website was developed to ensure that the SP 800-53 Control Catalog provides the most comprehensive and up-to-date set of controls/countermeasures to manage security, privacy, and supply chain risk. By modernizing our comment process and moving to an online dataset instead of following the current document-based update process, NIST can provide its stakeholders the most up-to-date controls to manage risk while encouraging use of automation. In addition to “automating” the NIST publication process, the website allows for real-time and rolling comments to be submitted by stakeholders, increases transparency in the comment process, and allows stakeholders to preview controls and control enhancements slated for future revisions of the controls. 

NIST accepts and encourages stakeholders to provide feedback on any aspect of our publications. The SP 800-53 Comment Website is focused on getting feedback on the controls and control enhancements and allows for submission of:

  • new controls and control enhancements
  • edits to existing controls and control enhancements
  • comments on candidate proposals 
  • view comments from other stakeholders on candidate proposals
  • view controls awaiting publication 

To provide feedback on other aspects of NIST SP 800-53, please use the Comment Matrix and submit to 800-53comments@list.nist.gov

See More Information for Terminology.  See Users Guide and Tutorial to learn more about the SP 800-53 Controls, SP 800-53B Control Baselines and Terminology. 

Learn more about the SP 800-53 controls and SP 800-53B control baselines by reviewing:

 

Submitting Comments

Please refer to the User's Guide and Video Tutorials to learn about how to submit a comment. 

Stakeholders can provide input (a "Proposal") to NIST at any time.  Note that submission of a proposal does not guarantee that NIST will include the proposal in a future comment period (as a “Candidate”) or release of SP 800-53. Only proposals in Candidate (available for public comment) or Awaiting Publication (“sandbox”) are visible and searchable by tracking number.

Stakeholders can view and provide comments on "Candidates" (draft controls available for public comment) during defined comment periods.  Comments on "Candidates" are reviewed by NIST prior to posting.  

See More Information for Terminology and more information about the comment submission process.

"Proposal" is a new control/control enhancement idea or an edit to an existing control/control enhancement. Note that submission of a proposal does not guarantee that NIST will include the proposal in a future comment period (as a “Candidate”) or release of SP 800-53.

A "Candidate" is a new or updated draft control/control enhancement that is available for public comment. Stakeholders can review the draft control/control enhancement and provide feedback. 

See More Information for Terminology and more information about the comment submission process.

Once your submission ("Proposal" or Comment) is reviewed by NIST, you will receive a system generated e-mail from no-reply-800-53comments@nist.gov with the updated status of your submission. 

If the "Proposal" is in a publicly-viewable status (i.e., "Candidate" or "Awaiting" status), you can also search for the Proposal on the SP 800-53 Comment Website using the tracking number provided in the system generated e-mail.  

At this time, the SP 800-53 Comment Website does not offer the ability for users to update previously submitted comments.  Please submit a new "Proposal" and include a Tracking Number (TM000000XX) of your original submission in the "Justification" section.

See More Information for Terminology and more information about the comment submission process.

See Additional Background for more information about the comment submission process and workflow. 

If the "Proposal" is in a publicly-viewable status (i.e., "Candidate" or "Awaiting" status), you can also search for the Proposal on the SP 800-53 Comment Website using the tracking number provided in the system generated e-mail.  

See Additional Background for more information about the comment submission process and workflow. 

Depending on the nature of the comment and change, accepted updates will be included in the next Major or Minor release.

See More Information for Terminology and Major and Minor Release Schedule and Criteria.

Stakeholder input is critical to the development of NIST Special Publications and guidance. Stakeholder comments are considered throughout the SP 800-53 research and development process - from inception of an idea for a control/control enhancement to providing comments on draft ("Candidate") controls/control enhancements. Although each comment submitted may not result in a change, the NIST team reviews and adjudicates each and every comment received.

To get specific feedback on a submitted comment, please contact and have the system-generated tracking number available: 800-53comment-help@list.nist.gov. Please allow up to 5 business days for a response to email inquiries.  

NIST will continue to accept comments from stakeholders using a comment matrix emailed to 800-53comments@list.nist.gov

Comments submitted using the comment matrix will be entered into the SP 800-53 Comment Site and adjudicated using the same process as comments submitted via the site.

Stakeholder Notification

Yes. As candidates are released for comment, subscribers to 800-53updates@list.nist.gov will receive a notification about candidates available for comment and the comment period length. The SP 800-53 Updates email list is open to any interested party to sign up; only NIST Team members are able to send notifications to the group.
Stakeholders can sign up for SP 800-53 Comment Period Notifications at: https://groups.google.com/u/1/a/list.nist.gov/g/800-53updates 

If your organization's firewall is preventing you from joining via the SP 800-53 Comment Period Notifications Google Group, please send an email to 800-53comment-help@list.nist.gov.

A moderator will add you to the email list. Please note that you may not be able to access the Forum archives and update your own subscription settings if you cannot access the Google Group.  

NIST SP 800-53 Major and Minor Releases

Minor Releases are equivalent to a NIST SP 800-53 Errata Update. Minor releases/errata updates are consistent with NIST procedures and criteria for errata updates, whereby a new copy of a final publication is issued to include corrections that do not alter existing or introduce new technical information or requirements. Such corrections are intended to remove ambiguity and improve interpretation of the work, and may also be used to improve readability or presentation (e.g., formatting, grammar, spelling). 

NIST will issue a maximum of 2 minor releases per year in May and November.  

Major Releases are equivalent to a new NIST SP 800-53 Revision (e.g, Revision 6, Revision 7).  Planned major releases can be both time- and event-driven.  Time-driven (regularly scheduled) major releases will occur every 2 years. Event-driven releases will occur as necessary, but will be limited to address only critical issues. 

NIST will issue a major release every 2 years in November (in lieu of a Minor Release)

Stakeholder input is critical to the development of NIST Special Publications and guidance. Stakeholder comments are considered throughout the SP 800-53 research and development process - from inception of an idea for a control/control enhancement to providing comments on draft ("Candidate") controls/control enhancements. Although each comment submitted may not result in a change, the NIST team reviews and adjudicates each and every comment received. 

 

NIST SP 800-53 Downloads

If there are any discrepancies noted in the content between these NIST SP 800-53 Downloads page and the latest published NIST SP 800-53, Revision 5 (normative) and NIST SP 800-53B (normative), please contact sec-cert@nist.gov and refer to the official published documents.

To download the normative versions of NIST SP 800-53, NIST SP 800-53B, and NIST SP 800-53A (Revision 4), please see CSRC Publications.

To download alternative data formats of NIST SP 800-53, NIST SP 800-53B, and NIST SP 800-53A (Revision 4), please see the SP 800-53 Downloads Website

Note that NIST Special Publication (SP) 800-53, 800-53A, and SP 800-53B contain additional background, scoping, and implementation guidance in addition to the controls, assessment procedures, and baselines. This NIST SP 800-53 database represents the derivative format of controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Derivative data formats of the forthcoming SP 800-53A, Revision 5 controls will be available when the publication is finalized (anticipated by winter 2021). 

To view the SP 800-53 Controls in your web browser, please see the NIST SP 800-53 Controls Release Search

 

 

 

To download different the SP 800-53 controls, SP 800-53B control baselines, and SP 800-53A control assessment procedures, please see our SP 800-53 Downloads Website

Note that NIST Special Publication (SP) 800-53, 800-53A, and SP 800-53B contain additional background, scoping, and implementation guidance in addition to the controls, assessment procedures, and baselines. This NIST SP 800-53 database represents the derivative format of controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Derivative data formats of the forthcoming SP 800-53A, Revision 5 controls will be available when the publication is finalized (anticipated by winter 2021). 

 

Troubleshooting and Feedback

Please send an email to: 800-53comment-help@list.nist.gov.  Please allow for 5 business days for a response.   
NIST welcomes feedback on the SP 800-53 Public Comment Website and suggestions for additional features.  Please submit your feedback using the SP 800-53 Public Comment Website Feedback form

 

Created November 30, 2016, Updated November 01, 2021