U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NIST Risk Management Framework RMF

User Guide

  Each topic area below includes a step-by-step guide demonstrating how to:

Users can reach the SP 800-53 Public Comment Site directly, or by browsing from the NIST Risk Management Framework (RMF) project page

Option 1: Access by Direct Link

Access the SP 800-53 Public Comment Site directly: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/public-comments. Figure 1 below shows the SP 800-53 Public Comments: Submit and View Site.

Figure 1 – Accessing the SP 800-53 Public Comments and View Site by Direct Link

Option 2: Browse from NIST RMF Project Page

There are two ways to access the SP 800-53 Public Comment Site from the NIST RMF Project Page (also refer to Option 3, below). 
Users can reach the Comment site from the Public Comments: Submit and View link (accessible via the Additional Pages Navigation Bar on the right, highlighted by the red box in Figure 2).

Figure 2 – Navigating to the SP 800-53 Public Comment Site from the NIST RMF Project Page

Option 3: Browse from NIST RMF Project Page

Users can also reach the SP 800-53 Public Comment Site from the “Control Catalog Comments Overview” link (accessible via the Additional Pages Navigation Bar on the right, highlighted by the red box in Figure 3).

Figure 3 – Navigating to the Public Comment: Submit and View page from the Control Catalog Comments Overview Page

The SP 800-53 Control Comments Overview Page includes information about the Public Comment Website, including More Information about the background and process, How to Use the site, link to Submit a Comment on the current revision of SP 800-53 controls, and how to sign-up for notification about public comment periods.
To access the SP 800-53 Public Comment Site, click the “Submit a Comment” button or “Submit Comments on SP 800-53 Controls” image, as highlighted by the red boxes in Figure 4 below. 

Figure 4 – Clicking on “Submit a Comment” button or” Submit Comments on the SP 800-53 Controls” Image

 

A SP 800-53 control (also referred to as a base control) is a security and/or privacy outcome involving policy, oversight, supervision, processes to be implemented by systems or individuals. Examples of base controls include AC-2 Account Management, IA-5 Authenticator Management, PL-4 Rules of Behavior, and SR-2 Supply Chain Risk Management Plan.

Step 1: Navigate to New: Suggest a New Control

From the SP 800-53 Public Comments: Submit and View page, suggest a new control or control enhancement by, clicking “New,” indicated by the red box shown in Figure 5.

A new control proposal can either be for a new base control or a new control enhancement (Also see Suggest a New Control Enhancement).

Figure 5 – Suggesting a New Base Control on the SP 800-53 Public Comments: Submit and View page

Step 2: Select a New Base Control

Select the radio button for “New Base Control,” indicated by the red box, as shown in Figure 6.

For step-by-step instructions on how to propose a new control enhancement, see Suggest a New Control Enhancement.

Figure 6 – Selecting a New Base Control

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 7:

  • Control Family (required)
  • Control Name (required)
  • Control Statement (required)
  • Discussion
  • Related Controls
  • References
  • Security Control Baseline
  • Privacy Control Baseline
  • Justification/Rationale (required)

Figure 7 –Suggest a New NIST SP 800-53 Control Blank Form

Step 3: Select a Control Family and Enter New Control Name

Figure 8 below illustrates how to select a Control Family (required) from the existing SP 800-53 control families using the drop-down menu (marked with the red arrow). Additionally, the red box identifies where to enter text for the proposed Control Name (required).

Figure 8 – Selecting a Control Family and Entering the New Control Name for a New Base Control

Step 4: Add a New Control Statement

Figure 9 below shows how to add a New Control Statement (required) by clicking on the green “New Statement Required” button.

Figure 9 – Adding a New Control Statement to a New Base Control

Upon clicking the green “New Statement Required” button, a pop-up window prompts the user to provide a control statement that can be entered in paragraph form or hierarchical, numbered list. To provide a control statement in paragraph form, enter the proposed control statement in the text box, as shown in Figure 10. 
Figure 10 – Entering a Control Statement in the Text Box for a New Base Control

  • OPTIONAL: To add “Sub Text” to the control statement (i.e., to add another item to the list), click on the green “Sub Text” button, indicated by the red arrow shown below in Figure 11.
    Figure 11 – Adding Sub Text to a Control Statement for a New Base Control
  • The new list item “(a)” appears under the “Statement:” text box, indicated by the red arrow in Figure 12. 
    Figure 12 – Entering Sub Text to the Control Statement
  • To add “Sub Text” to list item "(a)" of the control statement, click on the green “Sub Text” button, indicated by the red arrow, as shown in Figure 13 below.
    Figure 13 – Adding a Sub-Section to the Sub Text
  • A new text box “(1)” displays as a sub-section of sub text “(a)”, indicated by the red arrow, as shown below in Figure 14.
    Figure 14 – Entering a Sub-Section to the Sub Text

To delete a section (sub text or sub-section) of a control statement, click on the red “Delete” button, indicated by the red arrow shown in Figure 15 below. 

Figure 15 – Deleting Sub Text

Once all changes to the Control Statement are entered, click the blue “Save” button, as shown below in Figure 16. 

Figure 16 – Saving New Control Statement

The pop-up window closes, and the new text input displays in the Control Statement text box as shown below in Figure 17. 

Figure 17 – Reviewing the Control Statement for the New Base Control

OPTIONAL Step 5: Provide Discussion

Figure 18 displays the text box to provide Discussion on the new base control. The information in the Discussion section assists organizations, as needed, when developing, tailoring, implementing, assessing, or monitoring controls, but does not extend the control. The information provides important considerations for implementing controls based on mission or business requirements, operational environments, or assessments of risk. The additional information can also explain the purpose of controls and often includes examples. This field can be left blank.

Note that if an invalid character is input or the minimum length requirement is not met, an error message (in red) appears under the text box requiring an update before allowing submission. The Discussion text box can also be resized by clicking and dragging on the lower right-hand corner. 

Figure 18 – Providing Discussion for a New Base Control

OPTIONAL Step 6: Add and Remove Related Controls

To assist with control implementation and assessment, users can add related controls. Related controls are other SP 800-53 controls that impact or support the implementation, address a related outcome, or are referenced in the Discussion section (if applicable). This field can be left blank. 

To add a related control:

  • On the right-hand side of the screen, under “Related Controls,” select from the drop-down menu of existing SP 800-53 control families, indicated by the red box in Figure 19 below. Once an SP 800-53 control family is selected, the list of existing controls in that family populates in the field underneath. Highlight the control to select as a “Related Control,” as indicated by the red arrow shown in Figure 19 below. Note that only base controls are listed.
    Figure 19 – Selecting a Related Control Family and Control
  • After a related control is selected, click the left facing chevron button highlighted by the red box shown in Figure 20 below. The selected control then appears in the box on the left, as indicated by the red arrow.
    Figure 20 – Adding a Related Control to a New Base Control

To remove a related control:

  • On the left-hand side of the screen, under the “Currently Assigned Related Controls” box, select the existing SP 800-53 control, as indicated by the red arrow in Figure 21 below. The selected control will display in grey. Click on the right facing chevron button, highlighted by the red box, in Figure 21 below. The control then no longer displays as a “Currently Assigned Related Controls” box on the left.
    Figure 21 – Removing a Related Control from a New Base Control

Repeat OPTIONAL Step 6 as necessary to add and/or remove all relevant related controls.

OPTIONAL Step 7: Add and Remove References

Add References to new or existing applicable laws, policies, standards, guidelines, websites, and other useful resources for the control. This field can be left blank.

To add a reference using an existing reference in SP 800-53:

  • As shown in Figure 22 below, select the drop-down menu of “Select Existing Reference,” indicated by the red box.
    Figure 22 – Adding an Existing Reference to New Base Control
  • A drop-down menu of existing references used in the published version of SP 800-53 appears, as shown in Figure 23. Select the appropriate reference.
    Figure 23 – List of Existing References
  • Complete the selection by clicking the green “Add Existing Reference” button, indicated by the red arrow in Figure 24 below.
    Figure 24 – Adding an Existing Reference to a New Base Control
  • The newly added reference appears underneath the green “Add Existing Reference” button, as indicated by the red box in Figure 25.
    Figure 25 – Reviewing the Existing Reference Added to the New Base Control

To add a new reference that is not used in SP 800-53:

  • Click on the green “New Reference” button, highlighted by the red box shown in Figure 26 below.
    Figure 26 – Adding a New Reference to a New Base Control
  • A new row displays in the Reference Table. The new row includes space for the Reference Title, URL, and option to delete the new reference. Click on “Edit” button next to the Reference Title and URL fields to update, as shown by the red arrow in Figure 27 below.
    Figure 27 – Updating the New Reference Title and URL fields for a New Base Control

To remove a new reference (newly added or existing in SP 800-53), click “Delete” under “Action” on the right side of the row, as shown in Figure 28.

Figure 28 – Deleting a Reference from a New Base Control

Repeat OPTIONAL Step 7 as necessary to include and/or remove new and existing references for the control.

OPTIONAL Step 8: Suggest Applicable Security Control Baseline(s)

Suggest Security Control Baseline(s) by clicking the corresponding check box(es) with Low, Moderate, and/or High security control baseline(s), or Not Selected, as shown below in Figure 29. Refer to SP 800-53B for additional guidance on the security control baselines. This field can be left blank. Note that the Security Control baselines are additive. Any control selected in the Low-Impact Baseline is also selected at Moderate and High.

Figure 29 – Suggesting a Security Control Baseline(s) for a New Base Control

OPTIONAL Step 9: Suggest Inclusion in Privacy Control Baseline

Suggest if the new control is included in the Privacy Control Baseline by selecting the radio button for “Yes” or “No,” as shown in Figure 30. Controls are selected in the Privacy Control Baseline if the proposed control addresses privacy requirements based on privacy program responsibilities under OMB Circular A-130. Refer to SP 800-53B for additional guidance on the privacy control baseline. This field can be left blank.

Figure 30 – Suggesting Inclusion in the Privacy Control Baseline for a New Base Control

Step 10: Provide the Justification/Rationale for the Proposal

Include the gap(s) and/or threats addressed, risks that are managed, the rationale for inclusion in control baseline(s), and any additional information about the proposed new control. Figure 31 shows the text box to provide the Justification/Rationale. 

Figure 31 – Providing a Justification/Rationale for the New Base Control

OPTIONAL Step 11: Include a New Control Enhancement with the Base Control 

To create a new control enhancement for the new base control, select the box to the right of the blue “Submit” button highlighted in Figure 32 below. 

Figure 32 – Submitting a Control Enhancement with a New Base Control

  • If proposing a new control enhancement, after clicking the blue “Submit” button, a pop-up message notifies that the user will automatically be directed to a new form to enter a new control enhancement (see Figure 33 below). Upon clicking “Ok,” a new form for a new control enhancement will display. Suggest a New Control Enhancement for additional guidance on how to propose a new control enhancement. 
    Figure 33 – Pop-up message redirecting to Create a Control Enhancement
Step 12: Review and Submit Proposal Submission 

To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until completed. A warning message in red appears below the “Submit” button stating all the required fields were not completed, indicated by the red arrow shown in Figure 34 below.

Figure 34 – Warning Message “All Required fields must be properly filled out before submitting”

Once all the required fields are completed, the warning message disappears, and a summary of the proposal appears, as indicated by the red arrow in Figure 35 below. After reviewing the summary, click on the “Submit” button to complete your submission.

Figure 35 – Reviewing the Proposal Summary and Submitting

Step 13: Provide Confirmation Email Address 

Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 36 below. 

Figure 36 – Requesting email address for confirmation

Step 14: Success Message: Check Email for Confirmation Instructions

A pop-up message indicating the submission was successful, as shown in Figure 37.  However, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission.

Figure 37 –Successful Proposal Submission

 

 

A control enhancement is an information security and/or privacy outcome that adds specificity, functionality, or increased strength to the base control. The control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the base control. Each control enhancement has a short subtitle to indicate the intended function or capability provided by the enhancement. The numerical designation of a control enhancement is used only to identify that enhancement within the control; the designation is not indicative of the strength of the control enhancement, level of protection, priority, degree of importance, or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently; if a control enhancement is selected, then the corresponding base control is also selected and implemented.

Step 1: Navigate to New: Suggest a New Control Enhancement

From the SP 800-53 Public Comments: Submit and View page, suggest a new control or control enhancement by, clicking “New.” A new control proposal can either be for a new base control or a new control enhancement.

Step 2: Select a New Control Enhancement

Select the radio button for “New Control Enhancement,” indicated by the red box in Figure 38.

Figure 38 – Selecting a New Control Enhancement

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 39. Note that References for control enhancements are listed with the base control. To add a reference, please use the "Edit Existing Control." 

  • Control Family (required)
  • Control Name (required)
  • Control Enhancement Name (required)
  • Control Statement (required)
  • Discussion
  • Related Controls
  • Security Control Baseline
  • Privacy Control Baseline
  • Justification/Rationale (required)

Figure 39 – Completing the NIST SP 800-53 New Control Enhancement Proposal Blank Form

Step 3: Select Control Family and Control, Enter New Control Enhancement Name

Figure 40 below illustrates how to select a Control Family (required) and Control Name (required) from one of the existing SP 800-53 control families using the drop-down menu (marked with the red boxes). Enter the proposed Control Enhancement Name in text box indicated by the red arrow.

Figure 40 – Selecting a Control Family and Control Name while inputting a New Control Enhancement Name.

Complete the remainder of the “New Control Enhancement Proposal” form by following the step-by-step instructions for the following steps in Suggest a New Control: 

  • Step 4: Add New Control Statement
  • OPTIONAL Step 5: Provide Discussion
  • OPTIONAL Step 6: Add and Remove Related Controls
  • OPTIONAL Step 8: Suggest Applicable Security Control Baseline(s)
  • OPTIONAL Step 9: Suggest Inclusion in Privacy Control Baseline
  • Step 10: Provide the Justification/Rationale
  • Step 12: Review and Confirm Proposal Submission
  • Step 13: Provide Confirmation Email Address
  • Step 14: Success Message: Check Email for Confirmation Instructions

Note that Suggest a New Control, OPTIONAL Step 7 Edit References, and OPTIONAL Step 11 Include a New Control Enhancement with Base Control do not apply to Editing an Existing Control Enhancement. 


 

 

 

Users can suggest changes to existing (published) SP 800-53 controls and control enhancements, including proposing the withdraw of a control/control enhancement. 

Step 1: Navigate to Edit: Suggest a Change to an Existing Control

From the SP 800-53 Public Comments: Submit and View page, suggest a change to an existing Control by clicking on the “Edit” button, indicated by the red box shown below in Figure 41. 

Figure 41 – Suggesting an Edit to a Control on the SP 800-53 Public Comments: Submit and View page

Step 2: Select Edit Base Control

Select the radio button for the “Edit Base Control,” indicated by the red box, as shown in Figure 42.

Figure 42 – Selecting Edit Base Control

Step 3: Select a Control Family and Control to Edit

Figure 43 below illustrates how to select a control family (required) and control name (required) from the existing SP 800-53 control families and controls using the drop-down menu, as indicated by the red boxes. 

Figure 43 – Selecting a Control Family and Control Name

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 44:

  • Control Family (required)
  • Control Name (required)
  • Edit Control Name
  • Control Statement 
  • Discussion
  • Related Controls
  • Security Control Baseline
  • Privacy Control Baseline
  • Justification/Rationale (required) 

Figure 44 – Completing the NIST 800-53 Edit Base Control Blank Form

OPTIONAL Step 4: Edit Control Name

Figure 45 below displays the input text box to suggest editing the control name, as shown by the red arrow. 

Figure 45 – Suggesting an Edit to the Control Name for an Existing Base Control

OPTIONAL Step 5: Edit Control Statement

To suggest edits to the control statement, click on the blue “Edit Statement” button, as shown by the red arrow in Figure 46 below.

Figure 46 – Editing an Existing Control Statement for an Existing Base Control

Upon clicking the blue “Edit Statement button,” a pop-up window appears with the current control statement. To update any section of the current control statement, click the corresponding text box in the Edit Statement window, indicated by the red box in Figure 47. Users can also add new sub text (see Suggest a New Control, Step 4 for step-by-step instructions to add sub text). Note that in certain controls, due to the formatting, the control statement box may be empty.

Figure 47 – Suggesting an Edit to the Control Statement language for an Existing Base Control

Repeat OPTIONAL Step 5 as necessary to add/remove/edit the control statement. When complete, click the “Save” button.

After making proposed edits, the Current Published Values will display in green underneath the proposed edits (displayed under “Edit Statement” indicated by the red box in Figure 48 below). The Current Published Value displays the published control statement, as found in the current revision of SP 800-53. The user has an opportunity to review the proposed changes against the Current Published Values before submission.

Figure 48 – Reviewing the Suggested edits with the Current Published Values

OPTIONAL Step 6: Edit Discussion

Figure 49 below displays the text input box to suggest edits to the discussion on an existing base control. Make edits, additions, and deletions in the text box.

Figure 49 – Editing Discussion on an Existing Base Control

After making the proposed edits, the Current Published Values will display in green underneath the proposed edits. The Current Published Value displays the published discussion, as found in current revision of SP 800-53. The user has an opportunity to review the proposed changes against the Current Published Values before submission (displayed under “Discussion” indicated by the red box, as shown in Figure 50 below). 

Figure 50 – Reviewing the Current Published Values with Suggested Discussion

OPTIONAL Step 7: Edit Related Controls

Users can add and remove related controls. See Suggest a New Control, Optional Step 6 for step-by-step instructions on adding and removing related controls.

After adding or removing a related control, the Changes from Current Published Values will appear underneath the selected Related Controls, indicated by the red box shown in Figure 51 below. The user has an opportunity to review the proposed changes against the Current Published Values before submission. 

Figure 51 – Reviewing the Current Published Value with suggested changes for Adding and Removing a Related Control

Repeat OPTIONAL Step 7 as necessary to add/remove all relevant related controls. 

OPTIONAL Step 8: Edit References

References can be edited by adding a new reference (not currently used in SP 800-53), adding a new reference used in SP 800-53, editing a reference used in SP 800-53, or deleting a reference. See Suggest a New Control, Optional Step 7 for step-by-step instructions on adding, removing, and editing references. 

OPTIONAL Step 9: Edit Security Control Baseline(s)

Suggest Security Control Baseline(s) by clicking the corresponding check box(es) with Low, Moderate, and/or High security control baseline(s), or Not Selected, as shown below in Figure 52. Refer to SP 800-53B for additional guidance on the security control baselines. This field can be left blank. Note that the Security Control baselines are additive. Any control selected in the Low-Impact Baseline is also selected at Moderate and High.

Figure 52 – Selecting a Security Control Baseline

After making the selection, the Current Published Values will appear in green underneath the selection, indicated by the red box in Figure 53. The Current Published Value is the original Security Control Baseline selection prior to the suggested change. The user has an opportunity to review the proposed changes against the Current Published Values before submission. 

Figure 53 – Reviewing the Current Published Values with the suggested changes to the Security Control Baseline

OPTIONAL Step 10: Edit Privacy Control Baseline

Suggest if the new control is included in the Privacy Control Baseline by selecting the radio button for “Yes” or “No,” as shown in Figure 30. Controls are selected in the Privacy Control Baseline if the proposed control addresses privacy requirements based on privacy program responsibilities under OMB Circular A-130. Refer to SP 800-53B for additional guidance on the privacy control baseline. This field can be left blank.

Figure 54 – Proposing the Inclusion of the Privacy Control Baseline for an Existing Base Control

After making a privacy control baseline selection, the Current Published Values will appear in green underneath the selection, indicated by the red box, as shown in Figure 55 below. The Current Published Value is the original determination for the inclusion of a Privacy Control Baseline prior to the suggested change. The user has an opportunity to review the proposed changes against the Current Published Values before submission.

Figure 55 – Reviewing the Current Published Values for the suggested Privacy Control Baseline

Step 11: Provide Justification/Rationale for the Proposal

Include the gap(s) and/or threats addressed, risks that are managed, the rationale for inclusion in control baseline(s), and any additional information about the proposed new control. Figure 56 shows the text box to provide the Justification/Rationale. 

Figure 56 – Providing a Justification/Rationale for a Proposed change to an Existing Base Control

Step 12: Review and Submit Proposal Submission

To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until completed. A warning message in red appears below the “Submit” button stating all the required fields were not completed, indicated by the red arrow shown in Figure 57 below. Note that the "Submit" button cannot be clicked at this time because all Required fields are not completed.

Figure 57 – Warning Message stating “All Required fields must be properly filled out before submitting”

Once all the required fields are completed, the warning message disappears, and the proposal is ready for submission. Click on the blue “Submit” button, indicated by the red arrow, as shown in Figure 58 below, to complete the submission.

Figure 58 - Submitting Proposed Edit to an Existing Base Control

Step 13: Provide Confirmation Email Address 

Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 59 below. 

Figure 59 – Requesting email address for confirmation

Step 14: Success Message: Check Email for Confirmation Instructions 

After the user enters their email address and submits, a pop-up message will display showing the submission was successful, as shown in Figure 60. At this time, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission. 

Figure 60 – Proposal Submission Successful Message
 

Step 1: Navigate to Edit: Suggest a Change to an Existing Control Enhancement

From the SP 800-53 Public Comments: Submit and View page, suggest a change to an existing control enhancement by, clicking on the “Edit” button, indicated by the red box shown in Figure 61. 

Figure 61 – Suggesting an edit to an Existing Control Enhancement on the SP 800-53 Public Comments: Submit and View page

Step 2: Select Edit Control Enhancement

Select the radio button for “Edit Control Enhancement,” indicated by the red box, as shown below in Figure 62. 

Figure 62 – Selecting Edit Control Enhancement

Step 3: Select Control Family, Control Family, and Control Enhancement Name to Edit

Select a control family (required), control name (required), and control enhancement name (required) from the existing SP 800-53 control families, controls, and control enhancements using the drop-down menu, as indicated by the red boxes in Figure 63 below.

Figure 63 – Selecting a Control Family, Control Name and Control Enhancement Name

  • If the selected Control has no Existing Control Enhancements, a warning message will appear under the “Control Enhancement Name,” stating “Please use New Proposal to propose a new Control Enhancement for this Control,” indicated by the red arrow shown in Figure 64. 
    Figure 64 –Warning Message Instructing to Use “New Proposal to propose a New Control Enhancement”

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 65. Note that References for control enhancements are listed with the base control.

  • Control Family (required)
  • Control Name (required)
  • Control Enhancement Name (required)
  • Edit Control Enhancement Name
  • Control Statement 
  • Discussion
  • Related Controls
  • Security Control Baseline
  • Privacy Control Baseline
  • Justification/Rationale (required)

Figure 65 – Edit Control Enhancement Form

OPTIONAL Step 4: Edit Control Enhancement Name

The input text box to suggest an update to the edit control enhancement name is shown by the red arrow in Figure 66 below.

Figure 66 – Editing the Control Enhancement Name for an Existing Control Enhancement

Complete the remainder of the “Edit an Existing Control Enhancement” form following the step-by-step instructions to Suggest a Change to an Existing Control:

  • OPTIONAL Step 5, Edit Control Statement
  • OPTIONAL Step 6, Edit Discussion
  • OPTIONAL Step 7, Edit Related Controls
  • OPTIONAL Step 9, Edit Security Control Baseline(s)
  • OPTIONAL Step 10, Edit Privacy Control Baseline
  • Step 11: Provide the Justification/Rationale
  • Step 12: Review and Submit Proposal Submission
  • Step 13: Provide Confirmation Email Address
  • Step 14: Success Message: Check Email for Confirmation Instructions

Note that OPTIONAL Step 8 Edit References does not apply to Editing an Existing Control Enhancement.
 


 

When a control function or capability is incorporated into another control, the control is redundant to an existing control, or when a control is deemed no longer necessary, a control is withdrawn. 

Step 1: Navigate to Edit Suggest a Withdraw of a Base Control

From the SP 800-53 Public Comments: Submit and View page, suggest the withdraw of an existing Base Control by clicking on the “Edit” button, indicated by the red box in Figure 67. 

Figure 67 – Suggesting an Edit to Withdraw a Base Control on the SP 800-53 Public Comments: Submit and View page

Step 2: Select Withdraw Base Control

Select the radio button for the “Withdraw Base Control,” indicated by the red box in Figure 68. 

Figure 68 – Selecting Withdraw Base Control

Step 3: Select Control Family and Control to Withdraw

Figure 69 below illustrates how to select a control family (required) and control name (required) to withdraw from the existing SP 800-53 control families and controls using the drop-down menus, as indicated by the red boxes. 

Figure 69 – Selecting a Control Family and Control Name to Withdraw

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 70:

  • Control Family (required)
  • Control Name (required)
  • Withdraw Type (required)
  • Withdraw [Into/To] (required)
  • Withdraw Description (required)
  • Justification/Rationale (required) 

Figure 70 – Completing the NIST 800-53 Withdraw Base Control Blank Form

Step 4: Identify Withdraw Type

To suggest a withdraw of a base control the user determines the type of withdraw (required). 

  • "Incorporated into” consolidates the suggested base control into one or more existing controls. 
  • “Move to” relocates the suggested control to another existing control. 

Figure 71 below illustrates how to proceed with an “Incorporated into” withdraw proposal. Select the radio button for “Incorporated into,” indicated by the red arrow. 

Figure 71 – Selecting the “Incorporated into” Withdraw Type

Figure 72 below shows how to add control(s) in which to incorporate into. Click on the green “Add Control” button, indicated by the red arrow.

Figure 72 – Adding a Control to Incorporate Into

Upon hitting the green “Add Control” button, a drop-down menu appears beneath the Withdraw proposal. Click the drop-down option indicated by the red box in Figure 73 to see the list of base controls.  

Figure 73 – Selecting a Base Control to Incorporate Into

Select a base control in which to incorporate into from the drop-down menu, as shown by the red arrow in Figure 74.

Figure 74 – Selecting an Existing Control in which to Incorporate Into

The base control in which to incorporate into appears above the green “Add Control” button, indicated by the red arrow shown in Figure 75 below. Note at least one control must be specified. 

Figure 75 – Reviewing the Suggested Control in which to Incorporate Into

Once control(s) in which to incorporate into is/are selected, the Withdraw Description is automatically populated with the type of withdraw and the selected control(s) to withdraw into, indicated by the red arrow in Figure 76 below. 

Figure 76 – Withdraw Description Automatically Populated

Repeat the actions, starting at Figure 72 through Figure 76, in Step 4 above to capture any additional controls for the withdrawn control to be incorporated into. 

Figure 77 below illustrates how to submit a “Moved to” withdraw request. Select the radio button for “Moved to,” indicated by the red arrow. 

Figure 77 – Selecting the “Moved To” Withdraw Type

Figure 78 below shows how to add an existing control to move to by clicking on the green “Add Control” button, indicated by the red arrow. Note that a control can only be moved to a single new location.

Figure 78 – Adding a Control to Move To

Upon hitting the green “Add Control” button, a drop-down menu appears beneath the Withdraw request. Select the drop down, indicated by the red box shown in Figure 79, to see the list of existing controls.

Figure 79 – Selecting an Existing Control to Move To

Select a base control in which to move to from the drop-down menu, as shown by the red arrow in Figure 80. 

Figure 80 – Selecting an Existing Base Control in which to Move To

Upon selecting the existing control in which to move to, the “Withdraw Description” appears in the text field, indicated by the red arrow shown in Figure 81. 

Figure 81 – Withdraw Description Automatically Populated

To remove a control selection to incorporate into or move to, click on the red “Remove” button, indicated by the red arrow shown in Figure 82.

Figure 82 – Removing an Existing Control to Withraw Into/To

After clicking the red “Remove” button, the selected control to incorporate into or move to will disappear, as shown below in Figure 83.

Figure 83 – Existing Control to Withdraw Into/To Removed

Step 5: Provide Justification/Rationale for Withdraw of Control

Provide the Justification/Rationale for the Withdraw (required). Include the rationale for incorporating or moving control, and any additional supporting information. Figure 84 shows the text box to provide the Justification/Rationale. 

Figure 84 – Entering a Justification/Rationale for suggesting the Withdraw of an Existing Base Control

To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until completed. A warning message in red appears below the blue “Submit” button stating all the required fields were not completed, as indicated by the red arrow seen in Figure 85 below. 

Figure 85 –Warning Message stating”All the required fields not completed”

Step 6: Review and Submit Proposal

After completing the Justification/Rationale, click on the blue “Submit” button, indicated by the red arrow in Figure 86 below.

Figure 86 – Submitting a Suggested Withdraw of a Existing Base Control

Step 7: Provide Confirmation Email Address

Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 87 below. 

Figure 87 – Message Requesting Email Address for Confirmation

Step 8: Success Message: Check Email for Confirmation Instructions

A pop-up message showing the submission was successful, as shown in Figure 88. At this time, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission. 

Figure 88 – Proposal Submission Successful Message

 

 

Step 1: Navigate to Edit: Suggest a Withdraw of a Control Enhancement

From the SP 800-53 Public Comments: Submit and View page, suggest the withdraw of an existing Base Control by, clicking on the “Edit” button, indicated by the red box in Figure 89. 

Figure 89 – Suggesting an Edit to Withdraw a Control Enhancement on the SP 800-53 Public Comments: Submit and View page

Step 2: Select Withdraw Control Enhancement

Select the radio button for the “Withdraw Control Enhancement,” indicated by the red box shown in Figure 90. 

Figure 90 – Selecting Withdraw Control Enhancement

Step 3: Select Control Family, Control Name, and Control Enhancement

Figure 91 below illustrates how to select a control family (required), control name (required), and control enhancement (required) to withdraw from the existing SP 800-53 control families, controls, and control enhancements using the drop-down menu, as indicated by the red boxes. 

Figure 91 – Selecting a Control Family, Control Name and Control Enhancement to Withdraw

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 92:

  • Control Family (required)
  • Control Name (required)
  • Control Enhancement (required)
  • Withdraw Type (required)
  • Withdraw [Into/To] (required)
  • Withdraw Description (required)
  • Justification/Rationale (required)

Figure 92 – Completing the NIST 800-53 Withdraw Control Enhancement Blank Form

Complete the remainder of the “Withdraw an Existing Control Enhancement” form following the step-by-step instructions to Suggest a Withdraw of a Base Control:

  • Step 4: Identify Withdraw Type
  • Step 5: Provide the Justification/Rationale for Withdraw
  • Step 6: Review and Submit Proposal Submission
  • Step 7: Provide Confirmation Email Address
  • Step 8: Success Message: Check Email for Confirmation Instructions
     

 

After submitting a proposal for a new control/control enhancement, to edit a control/control enhancement, or submitting a comment on a candidate (draft control available for public review/comment), the user receives an email from no-reply-800-53comments@nist.gov confirmation of the submission.

Confirmation by the user is required within 24 hours to complete the proposal submission process; proposal submissions not confirmed in 24 hours will be deleted. The confirmation email includes a unique verification link (intentionally hidden in Figure 93) and contains pertinent information about current status and next steps after the proposal submission.

Note: Figure 93 below provides an example of a confirmation email; the content of confirmation emails differs based on the type of proposal submitted.  

Figure 93 – Email requesting confirmation of submitted proposal

Upon clicking the confirmation link, the user is redirected to the SP 800-53 Public Comments: Submit and View page with a thank you message, as shown in Figure 94 below.

Figure 94 – SP 800-53 Public Comments: Proposal Submission Confirmation Page

 

Candidates are proposed changes to the SP 800-53 Controls and SP 800-53B Control Baselines that are available for public comment. The SP 800-53 Public Comment Site provides an opportunity to view and provide comments on the candidates to be included in the next release.

Step 1: Navigate to View Candidates

From the SP 800-53 Public Comments: Submit and View page, view candidates (draft controls available for public comment) by clicking on the green “Candidates” button, indicated by the red box in Figure 95 below. 

Figure 95 – Viewing SP 800-53 Candidates

OPTIONAL Step 2: Filter Candidates

See Figure 96 below for the Current SP 800-53 Candidate Proposals page. Users can filter candidates by control family, control, and/or submission date (on or after). Note that one or more filters can be used, each filter is additive.  For example, if you filter by control family and control name, only results that match both the control family and control name display.

Figure 96 – View Current SP 800-53 Candidate Proposals

Figure 98 below shows the “Filter By” options: (Control) Family, Control, and Submission Date. 

To filter candidates by Control Family, “click” on the drop-down menu, indicated by the red box in Figure 97. 

Figure 97 – Filtering Current 800-53 Candidates by Control Family

  • Select from the drop-down menu of SP 800-53 control families, as shown in Figure 99. Note if no candidates meet the Filter criteria, an error message states, “None Found.”
    Figure 98 – Selecting a Control Family to Filter By
  • Upon selecting a Control Family, the candidates that meet the filter by criteria will display under the filter by box, as indicated by the red box in Figure 99 below.
    Figure 99 – Displaying Candidates Filtered by Control Family

To filter candidates by Control, “click” on the drop-down menu, indicated by the red box in Figure 100.
Figure 100 – Filtering Current 800-53 Candidates by Control Name

  • Select from the drop-down menu of SP 800-53 controls, as shown in Figure 101. Note if no candidates meet the Filter criteria, an error message states, “None Found.”
    Figure 101 – Selecting a Candidate by the Control Name
  • Upon selecting a Control, the candidates that meet the filter by criteria will display under the filter by box, as indicated by the red box in Figure 102 below.
    Figure 102 – Displaying Candidate Filtered by Control Name

To filter a candidate for a proposed change to an SP 800-53 control by Submission Date (On or After), “click” on the date field, indicated by the red box in Figure 103.

Figure 103 – Filtering SP 800-53 Candidates by Submission Date (On or After)

  • The user can enter date (MM/DD/YYYY), indicated by the red arrow or by select the date using the calendar function, indicated by the red box in Figure 104 below. 
    Figure 104 – Filter Candidates by Submission Date (On or After)
  • Upon selecting a Submission Date, the candidates that meet the filter by criteria will display under the filter by box, as indicated by the red box in Figure 105 below.
    Figure 105– Filtering Candidate Proposal by Submission Date (On or After)

Clear the “Filter By” by Clicking the “Clear Filter” button, as shown by the red arrow in Figure 106 below.

Figure 106– Clearing Selected Filter(s)

Step 3: View Candidate Detail

To view the details of a candidate, click the associated link in the Tracking Number column (right-most column), as shown by the red arrow in Figure 107 below.

Figure 107 – Selecting a Candidate proposed by Tracking Number

The details of the Candidate display, and include additional information such as proposal type, tracking number, current status, comment period, and a detailed change of the control/control enhancement with proposed changes. Figure 108 shows a detailed view of a Candidate. If the candidate proposes a change to an existing control or control enhancement, the detailed view displays the “Current Published Value” in addition to the proposed change.

Figure 108 – Detailed View of a Candidate

The SP 800-53 Public Comment Site provides an opportunity to provide comments on the candidates to the SP 800-53 controls and SP 800-53B control baselines to be included in the next release, and view comments submitted by other users. Note that comments do not include attribution (name or email of submitter) but display the date submitted.

Step 1: Navigate to Provide Comment on Candidate

From the SP 800-53 Public Comments: Submit and View page, provide comments on candidates by clicking on the green “Candidates” button, indicated by the red box in Figure 109.

Figure 109 – Viewing Candidates

Step 2: View All Candidates

Upon clicking on the green “Candidates” button, all the candidates available for comment will display. To filter candidates by control family, control, or submission date, and for a detailed view of a Candidate, see View Candidates. Select the “Tracking Number” of the candidate to review and provide a comment on. 

Step 3: Review A Candidate

To submit a comment on the candidate, click on the blue “Submit” button, indicated by the red arrow in Figure 110. Note, if other users submitted comments on the Candidate, comments are displayed under the “Public Comments” heading (directly above the “Submit” button). 
Figure 110 – Reviewing a Candidate

Step 4: Submit Comment on a Candidate

Upon clicking the blue “Submit Comment” button, a pop-up window will appear requesting the users email address (required) for verification and a field to submit a comment (required), indicated by the red box, in Figure 111. When complete, click “Send.”

Figure 111 – Submitting Comments on a Candidate

Step 5: Success Message: Check Email for Confirmation Instructions

A pop-up message with a “Success” message displays, as shown in Figure 112. However, the submission is not yet confirmed. Refer to Confirm a Proposal Submission. 

Figure 112 – Proposal Submission Successful

After the public comment period on Candidates concludes and NIST adjudicates comments received, customers can preview the planned changes to controls, control enhancements, and control baselines, and can begin to prepare for implementation in advance of the release.  

Step 1: Navigate to View and Search Proposals Awaiting Release

From the SP 800-53 Public Comments: Submit and View page, view Proposed Changes Awaiting Release by clicking on the green “Awaiting” button, indicated by the red box in Figure 113 below. 

Figure 113 – Viewing Proposed Changes Awaiting Release

Users can filter Awaiting Proposals by control family, control, and/or submission date (on or after). 

OPTIONAL Step 2: Filter Proposals Awaiting Release

Refer to View Candidates, OPTIONAL Step 2 for step-by-step instructions on using the available filters. Note that one or more filters can be used, each filter is additive.  For example, if you filter by control family and control name, only results that match both the control family and control name display. 

Step 3: View Details on a Proposal Awaiting Release

Refer to View Candidates, Step 3 for step-by-step instructions to view the details of a proposal awaiting release.  

 

Step 1: Enter Tracking Number to Search

From the SP 800-53 Public Comments: Submit and View page, view the status of candidates and proposals awaiting release by entering the Tracking Number (provided in the confirmation email from no-reply-800-53comments@nist.gov) and clicking “Find,” as shown in the red box in Figure 114.

Figure 114 – Searching by Tracking Number

Step 2: View Candidate or Proposal

Upon clicking on the green “Find” button, the selected candidate or proposal awaiting release appears, as shown in the red box in Figure 115 below. To view a comment for a specific candidate in further detail, click on the “Tracking Number” (far right column), indicated by the red arrow in Figure 115.  

Figure 115 – Viewing Proposed Changes awaiting release by the Tracking Number

 

The SP 800-53 Release Search provides a searchable, browser-based version of the SP 800-53 controls and SP 800-53B control baselines. 

Step 1: Navigate to View Controls (Release Search)

From the SP 800-53 Public Comments: Submit and View page, view the SP 800-53 Release Search by clicking on the blue “Release Search” button, indicated by the red box, in Figure 116 below.

Alternatively, the release search can also be accessed from the shortcut menu at https://nist.gov/rmf or directly at: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/release-search#!/800-53

Figure 116 – Accessing the SP 800-53 Release Search

Step 2: Browse and Search Controls and Baselines Using SP 800-53 Release Search

Upon clicking on the blue “Release Search” button, users can browse and search the latest version of SP 800-53 and SP 800-53B. Other available versions appear at the bottom on the page. 

Figure 117 – Navigating the SP 800-53 Release Search

 

Users can download the SP 800-53 Controls and SP 800-53B Baselines for NIST SP 800-53, Revision 3, 4, and 5 in different derivative data formats.

Step 1: Navigate to the SP 800-53 Control Downloads

The SP 800-53 controls, SP 800-53B baselines, and SP 800-53A assessment procedures can be accessed at the SP 800-53 Release Search page under “Downloads,” as indicated by the red arrow in Figure 118 below.

Alternatively, the SP 800-53 derivative data formats can also be accessed from the shortcut menu at https://nist.gov/rmf or directly at: https://csrc.nist.rip/projects/risk-management/sp800-53-controls/downloads 

Figure 118 – Accessing the SP 800-53 Downloads Page

Step 2: Use the SP 800-53 Downloads Page

The SP 800-53 Downloads page includes multiple derivative data formats, including PDF, XML, CSV, Spreadsheet, and OSCAL for SP 800-53 Revision 5, SP 800-53B, Draft SP 800-53A Revision 5, SP 800-53 Revision 4, SP 800-53A Revision 5, SP 800-53 Revision 3, and SP 800-53A.

Figure 119 – Viewing the SP 800-53 Downloads

Download User Guide (PDF)

 

Learn More About the SP 800-53 Controls, SP 800-53B Control Baselines and terminology:

SP 800-53 Control Structure

Control Family: Groupings of controls by topic area. Of the 20 control families in NIST SP 800-53, 17 are aligned with the minimum security requirements in FIPS 200. The Program Management (PM), PII Processing and Transparency (PT), and Supply Chain Risk Management (SR) families address enterprise-level program management, privacy, and supply chain risk considerations pertaining to federal mandates emergent since FIPS 200. 

Control Identifier: Unique short-hand reference to control family and control number.  The order of the controls and control enhancements does not imply any logical progression, level of prioritization or importance, or order in which the controls or control enhancements are to be implemented. Rather, it reflects the order in which they were included in the catalog. Control identifiers are not re-used when a control is withdrawn.

Control Name: A short phrase describing intended security and/or privacy outcome.

Base Control/Control Statement: Security and/or privacy outcome involving policy, oversight, supervision, processes to be implemented by systems or individuals.

Control Enhancement: Information security and/or privacy outcome that add specificity, functionality, or increase strength to the base control. The control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the base control. Each control enhancement has a short subtitle to indicate the intended function or capability provided by the enhancement.
The numerical designation of a control enhancement is used only to identify that enhancement within the control. The designation is not indicative of the strength of the control enhancement, level of protection, priority, degree of importance, or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently; if a control enhancement is selected, then the corresponding base control is also selected and implemented. 

Discussion: Additional information about a control / control enhancement.  The information in discussion assists organizations, as needed, when developing, tailoring, implementing, assessing, or monitoring controls, but does not extend the control or control enhancement. The information provides important considerations for implementing controls based on mission or business requirements, operational environments, or assessments of risk. The
additional information can also explain the purpose of controls and often includes examples. Control enhancements may also include a separate discussion section when the discussion information is applicable only to a specific control enhancement.

Related Controls: Other SP 800-53 controls that impact or support the implementation, address a related security or privacy capability, or are referenced in the discussion section. Note that control enhancements are inherently related to their base control. Thus, related controls that are referenced in the base control are not repeated in the control enhancements. However, there may be related controls identified for control enhancements that are not referenced in the base control (i.e., the related control is only associated with the specific control enhancement). Additionally, each control in a given family is inherently related to the -1 control (Policy and Procedures) in the same family.

References: List of applicable laws, policies, standards, guidelines, websites, and other useful references.  The list of references is not intended to be exhaustive.  

Organization-defined parameter: Assignment/selection statements to give organizations ability to customize controls based on organizational risk & requirements.

A control baseline is a collection of controls from SP 800-53 assembled to address the protection needs of a group, organization, or community of interest and manage information security and privacy risk. It provides a generalized set of controls that represents a starting point for the subsequent tailoring activities that are applied to the baseline to produce a targeted or customized security and privacy solution for the entity that the baseline is intended to serve. Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individuals’ privacy interests, laws, executive orders, regulations, policies, directives, standards, or industry best practices. 

SP 800-53B includes three security control baselines (Low, Moderate, and High) correspond with the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, or the Nation if there is a loss of confidentiality, integrity, or availability of the system or information.  The selection of the security control baseline is based on the FIPS 200 impact level of the system as determined by the RMF Categorize Step.  

In addition to the three security control baselines, SP 800-53B provides an initial privacy control baseline for federal agencies to address privacy requirements and manage privacy risks that arise from the processing of PII based on privacy program responsibilities under OMB Circular A-130. Not all controls or control enhancements that address privacy risk are assigned to the privacy control baseline. This approach provides a starting point from which controls or control enhancements may be removed, added, or specialized based on the tailoring guidance in SP SP 800-53B, Section 2.4. 

  • Proposal – Any submission (comment on existing control/control enhancement or suggestion for a new control/control enhancement) from an end user. A proposal becomes a “candidate” when made available for public review by NIST.

  • Candidate – Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls available for public review and comment for 30-90 days. Note that not all comments are substantive in nature; if changes are identified by an end user that do not change the technical content of a control/control enhancement, the NIST control manager(s) can skip the “Candidate” process.

  • Awaiting or Sandbox – Proposed changes that have completed the candidate phase, with comments/suggestions received during the public review adjudicated by NIST. Customers are able to preview the projected, proposed, and planned changes and can begin to prepare for implementation in advance of the release.    
  • Release – Further broken down into Major Release and Minor Release.  For additional information, see Major/Minor Release Criteria [add link]
    • Major Release is the equivalent to a new “SP 800-53 Revision" (e.g., NIST SP 800-53, Revision 6)  
    • Minor Release is the equivalent to an errata update of the existing SP 800-53 Revision. 

Created November 30, 2016, Updated November 01, 2021