Users can reach the SP 800-53 Public Comment Site directly, or by browsing from the NIST Risk Management Framework (RMF) project page. 

Option 1: Access by Direct Link

Access the SP 800-53 Public Comment Site directly: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/public-comments. Figure 1 below shows the SP 800-53 Public Comments: Submit and View Site.

Option 2: Browse from NIST RMF Project Page

There are two ways to access the SP 800-53 Public Comment Site from the NIST RMF Project Page (also refer to Option 3, below). 
Users can reach the Comment site from the Public Comments: Submit and View link (accessible via the Additional Pages Navigation Bar on the right, highlighted by the red box in Figure 2).

Option 3: Browse from NIST RMF Project Page

Users can also reach the SP 800-53 Public Comment Site from the “Control Catalog Comments Overview” link (accessible via the Additional Pages Navigation Bar on the right, highlighted by the red box in Figure 3).

The SP 800-53 Control Comments Overview Page includes information about the Public Comment Website, including More Information about the background and process, How to Use the site, link to Submit a Comment on the current revision of SP 800-53 controls, and how to sign-up for notification about public comment periods.
To access the SP 800-53 Public Comment Site, click the “Submit a Comment” button or “Submit Comments on SP 800-53 Controls” image, as highlighted by the red boxes in Figure 4 below. 

A SP 800-53 control (also referred to as a base control) is a security and/or privacy outcome involving policy, oversight, supervision, processes to be implemented by systems or individuals. Examples of base controls include AC-2 Account Management, IA-5 Authenticator Management, PL-4 Rules of Behavior, and SR-2 Supply Chain Risk Management Plan.

Step 1: Navigate to New: Suggest a New Control

From the SP 800-53 Public Comments: Submit and View page, suggest a new control or control enhancement by, clicking “New,” indicated by the red box shown in Figure 5.

A new control proposal can either be for a new base control or a new control enhancement (Also see Suggest a New Control Enhancement).

Step 2: Select a New Base Control

Select the radio button for “New Base Control,” indicated by the red box, as shown in Figure 6.

For step-by-step instructions on how to propose a new control enhancement, see Suggest a New Control Enhancement.

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 7:

• Control Family (required)
• Control Name (required)
• Control Statement (required)
• Discussion
• Related Controls
• References
• Security Control Baseline
• Privacy Control Baseline
• Justification/Rationale (required)

Step 3: Select a Control Family and Enter New Control Name

Figure 8 below illustrates how to select a Control Family (required) from the existing SP 800-53 control families using the drop-down menu (marked with the red arrow). Additionally, the red box identifies where to enter text for the proposed Control Name (required).

Step 4: Add a New Control Statement

Figure 9 below shows how to add a New Control Statement (required) by clicking on the green “New Statement Required” button.

Upon clicking the green “New Statement Required” button, a pop-up window prompts the user to provide a control statement that can be entered in paragraph form or hierarchical, numbered list. To provide a control statement in paragraph form, enter the proposed control statement in the text box, as shown in Figure 10. 

• OPTIONAL: To add “Sub Text” to the control statement (i.e., to add another item to the list), click on the green “Sub Text” button, indicated by the red arrow shown below in Figure 11.
  
• The new list item “(a)” appears under the “Statement:” text box, indicated by the red arrow in Figure 12. 
  
• To add “Sub Text” to list item "(a)" of the control statement, click on the green “Sub Text” button, indicated by the red arrow, as shown in Figure 13 below.
  
• A new text box “(1)” displays as a sub-section of sub text “(a)”, indicated by the red arrow, as shown below in Figure 14.
  

To delete a section (sub text or sub-section) of a control statement, click on the red “Delete” button, indicated by the red arrow shown in Figure 15 below. 

Once all changes to the Control Statement are entered, click the blue “Save” button, as shown below in Figure 16. 

The pop-up window closes, and the new text input displays in the Control Statement text box as shown below in Figure 17. 

OPTIONAL Step 5: Provide Discussion

Figure 18 displays the text box to provide Discussion on the new base control. The information in the Discussion section assists organizations, as needed, when developing, tailoring, implementing, assessing, or monitoring controls, but does not extend the control. The information provides important considerations for implementing controls based on mission or business requirements, operational environments, or assessments of risk. The additional information can also explain the purpose of controls and often includes examples. This field can be left blank.

Note that if an invalid character is input or the minimum length requirement is not met, an error message (in red) appears under the text box requiring an update before allowing submission. The Discussion text box can also be resized by clicking and dragging on the lower right-hand corner. 

OPTIONAL Step 6: Add and Remove Related Controls

To assist with control implementation and assessment, users can add related controls. Related controls are other SP 800-53 controls that impact or support the implementation, address a related outcome, or are referenced in the Discussion section (if applicable). This field can be left blank. 

To add a related control:

• On the right-hand side of the screen, under “Related Controls,” select from the drop-down menu of existing SP 800-53 control families, indicated by the red box in Figure 19 below. Once an SP 800-53 control family is selected, the list of existing controls in that family populates in the field underneath. Highlight the control to select as a “Related Control,” as indicated by the red arrow shown in Figure 19 below. Note that only base controls are listed.
  
• After a related control is selected, click the left facing chevron button highlighted by the red box shown in Figure 20 below. The selected control then appears in the box on the left, as indicated by the red arrow.
  

To remove a related control:

• On the left-hand side of the screen, under the “Currently Assigned Related Controls” box, select the existing SP 800-53 control, as indicated by the red arrow in Figure 21 below. The selected control will display in grey. Click on the right facing chevron button, highlighted by the red box, in Figure 21 below. The control then no longer displays as a “Currently Assigned Related Controls” box on the left.
  

Repeat OPTIONAL Step 6 as necessary to add and/or remove all relevant related controls.

OPTIONAL Step 7: Add and Remove References

Add References to new or existing applicable laws, policies, standards, guidelines, websites, and other useful resources for the control. This field can be left blank.

To add a reference using an existing reference in SP 800-53:

• As shown in Figure 22 below, select the drop-down menu of “Select Existing Reference,” indicated by the red box.
  
• A drop-down menu of existing references used in the published version of SP 800-53 appears, as shown in Figure 23. Select the appropriate reference.
  
• Complete the selection by clicking the green “Add Existing Reference” button, indicated by the red arrow in Figure 24 below.
  
• The newly added reference appears underneath the green “Add Existing Reference” button, as indicated by the red box in Figure 25.
  

To add a new reference that is not used in SP 800-53:

• Click on the green “New Reference” button, highlighted by the red box shown in Figure 26 below.
  
• A new row displays in the Reference Table. The new row includes space for the Reference Title, URL, and option to delete the new reference. Click on “Edit” button next to the Reference Title and URL fields to update, as shown by the red arrow in Figure 27 below.
  

To remove a new reference (newly added or existing in SP 800-53), click “Delete” under “Action” on the right side of the row, as shown in Figure 28.

Repeat OPTIONAL Step 7 as necessary to include and/or remove new and existing references for the control.

OPTIONAL Step 8: Suggest Applicable Security Control Baseline(s)

Suggest Security Control Baseline(s) by clicking the corresponding check box(es) with Low, Moderate, and/or High security control baseline(s), or Not Selected, as shown below in Figure 29. Refer to SP 800-53B for additional guidance on the security control baselines. This field can be left blank. Note that the Security Control baselines are additive. Any control selected in the Low-Impact Baseline is also selected at Moderate and High.

OPTIONAL Step 9: Suggest Inclusion in Privacy Control Baseline

Suggest if the new control is included in the Privacy Control Baseline by selecting the radio button for “Yes” or “No,” as shown in Figure 30. Controls are selected in the Privacy Control Baseline if the proposed control addresses privacy requirements based on privacy program responsibilities under OMB Circular A-130. Refer to SP 800-53B for additional guidance on the privacy control baseline. This field can be left blank.

Step 10: Provide the Justification/Rationale for the Proposal

Include the gap(s) and/or threats addressed, risks that are managed, the rationale for inclusion in control baseline(s), and any additional information about the proposed new control. Figure 31 shows the text box to provide the Justification/Rationale. 

OPTIONAL Step 11: Include a New Control Enhancement with the Base Control 

To create a new control enhancement for the new base control, select the box to the right of the blue “Submit” button highlighted in Figure 32 below. 

• If proposing a new control enhancement, after clicking the blue “Submit” button, a pop-up message notifies that the user will automatically be directed to a new form to enter a new control enhancement (see Figure 33 below). Upon clicking “Ok,” a new form for a new control enhancement will display. Suggest a New Control Enhancement for additional guidance on how to propose a new control enhancement. 
  

Step 12: Review and Submit Proposal Submission 

To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until completed. A warning message in red appears below the “Submit” button stating all the required fields were not completed, indicated by the red arrow shown in Figure 34 below.

Once all the required fields are completed, the warning message disappears, and a summary of the proposal appears, as indicated by the red arrow in Figure 35 below. After reviewing the summary, click on the “Submit” button to complete your submission.

Step 13: Provide Confirmation Email Address 

Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 36 below. 

Step 14: Success Message: Check Email for Confirmation Instructions

A pop-up message indicating the submission was successful, as shown in Figure 37.  However, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission.

A control enhancement is an information security and/or privacy outcome that adds specificity, functionality, or increased strength to the base control. The control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the base control. Each control enhancement has a short subtitle to indicate the intended function or capability provided by the enhancement. The numerical designation of a control enhancement is used only to identify that enhancement within the control; the designation is not indicative of the strength of the control enhancement, level of protection, priority, degree of importance, or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently; if a control enhancement is selected, then the corresponding base control is also selected and implemented.

Step 1: Navigate to New: Suggest a New Control Enhancement

From the SP 800-53 Public Comments: Submit and View page, suggest a new control or control enhancement by, clicking “New.” A new control proposal can either be for a new base control or a new control enhancement.

Step 2: Select a New Control Enhancement

Select the radio button for “New Control Enhancement,” indicated by the red box in Figure 38.

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 39. Note that References for control enhancements are listed with the base control. To add a reference, please use the "Edit Existing Control." 

• Control Family (required)
• Control Name (required)
• Control Enhancement Name (required)
• Control Statement (required)
• Discussion
• Related Controls
• Security Control Baseline
• Privacy Control Baseline
• Justification/Rationale (required)

Step 3: Select Control Family and Control, Enter New Control Enhancement Name

Figure 40 below illustrates how to select a Control Family (required) and Control Name (required) from one of the existing SP 800-53 control families using the drop-down menu (marked with the red boxes). Enter the proposed Control Enhancement Name in text box indicated by the red arrow.

Complete the remainder of the “New Control Enhancement Proposal” form by following the step-by-step instructions for the following steps in Suggest a New Control: 

• Step 4: Add New Control Statement
• OPTIONAL Step 5: Provide Discussion
• OPTIONAL Step 6: Add and Remove Related Controls
• OPTIONAL Step 8: Suggest Applicable Security Control Baseline(s)
• OPTIONAL Step 9: Suggest Inclusion in Privacy Control Baseline
• Step 10: Provide the Justification/Rationale
• Step 12: Review and Confirm Proposal Submission
• Step 13: Provide Confirmation Email Address
• Step 14: Success Message: Check Email for Confirmation Instructions

Note that Suggest a New Control, OPTIONAL Step 7 Edit References, and OPTIONAL Step 11 Include a New Control Enhancement with Base Control do not apply to Editing an Existing Control Enhancement. 

Users can suggest changes to existing (published) SP 800-53 controls and control enhancements, including proposing the withdraw of a control/control enhancement. 

Step 1: Navigate to Edit: Suggest a Change to an Existing Control

From the SP 800-53 Public Comments: Submit and View page, suggest a change to an existing Control by clicking on the “Edit” button, indicated by the red box shown below in Figure 41. 

Step 2: Select Edit Base Control

Select the radio button for the “Edit Base Control,” indicated by the red box, as shown in Figure 42.

Step 3: Select a Control Family and Control to Edit

Figure 43 below illustrates how to select a control family (required) and control name (required) from the existing SP 800-53 control families and controls using the drop-down menu, as indicated by the red boxes. 

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 44:

• Control Family (required)
• Control Name (required)
• Edit Control Name
• Control Statement 
• Discussion
• Related Controls
• Security Control Baseline
• Privacy Control Baseline
• Justification/Rationale (required) 

OPTIONAL Step 4: Edit Control Name

Figure 45 below displays the input text box to suggest editing the control name, as shown by the red arrow. 

OPTIONAL Step 5: Edit Control Statement

To suggest edits to the control statement, click on the blue “Edit Statement” button, as shown by the red arrow in Figure 46 below.

Upon clicking the blue “Edit Statement button,” a pop-up window appears with the current control statement. To update any section of the current control statement, click the corresponding text box in the Edit Statement window, indicated by the red box in Figure 47. Users can also add new sub text (see Suggest a New Control, Step 4 for step-by-step instructions to add sub text). Note that in certain controls, due to the formatting, the control statement box may be empty.

Repeat OPTIONAL Step 5 as necessary to add/remove/edit the control statement. When complete, click the “Save” button.

After making proposed edits, the Current Published Values will display in green underneath the proposed edits (displayed under “Edit Statement” indicated by the red box in Figure 48 below). The Current Published Value displays the published control statement, as found in the current revision of SP 800-53. The user has an opportunity to review the proposed changes against the Current Published Values before submission.

OPTIONAL Step 6: Edit Discussion

Figure 49 below displays the text input box to suggest edits to the discussion on an existing base control. Make edits, additions, and deletions in the text box.

After making the proposed edits, the Current Published Values will display in green underneath the proposed edits. The Current Published Value displays the published discussion, as found in current revision of SP 800-53. The user has an opportunity to review the proposed changes against the Current Published Values before submission (displayed under “Discussion” indicated by the red box, as shown in Figure 50 below). 

OPTIONAL Step 7: Edit Related Controls

Users can add and remove related controls. See Suggest a New Control, Optional Step 6 for step-by-step instructions on adding and removing related controls.

After adding or removing a related control, the Changes from Current Published Values will appear underneath the selected Related Controls, indicated by the red box shown in Figure 51 below. The user has an opportunity to review the proposed changes against the Current Published Values before submission. 

Repeat OPTIONAL Step 7 as necessary to add/remove all relevant related controls. 

OPTIONAL Step 8: Edit References

References can be edited by adding a new reference (not currently used in SP 800-53), adding a new reference used in SP 800-53, editing a reference used in SP 800-53, or deleting a reference. See Suggest a New Control, Optional Step 7 for step-by-step instructions on adding, removing, and editing references. 

OPTIONAL Step 9: Edit Security Control Baseline(s)

Suggest Security Control Baseline(s) by clicking the corresponding check box(es) with Low, Moderate, and/or High security control baseline(s), or Not Selected, as shown below in Figure 52. Refer to SP 800-53B for additional guidance on the security control baselines. This field can be left blank. Note that the Security Control baselines are additive. Any control selected in the Low-Impact Baseline is also selected at Moderate and High.

After making the selection, the Current Published Values will appear in green underneath the selection, indicated by the red box in Figure 53. The Current Published Value is the original Security Control Baseline selection prior to the suggested change. The user has an opportunity to review the proposed changes against the Current Published Values before submission. 

OPTIONAL Step 10: Edit Privacy Control Baseline

Suggest if the new control is included in the Privacy Control Baseline by selecting the radio button for “Yes” or “No,” as shown in Figure 30. Controls are selected in the Privacy Control Baseline if the proposed control addresses privacy requirements based on privacy program responsibilities under OMB Circular A-130. Refer to SP 800-53B for additional guidance on the privacy control baseline. This field can be left blank.

After making a privacy control baseline selection, the Current Published Values will appear in green underneath the selection, indicated by the red box, as shown in Figure 55 below. The Current Published Value is the original determination for the inclusion of a Privacy Control Baseline prior to the suggested change. The user has an opportunity to review the proposed changes against the Current Published Values before submission.

Step 11: Provide Justification/Rationale for the Proposal

Include the gap(s) and/or threats addressed, risks that are managed, the rationale for inclusion in control baseline(s), and any additional information about the proposed new control. Figure 56 shows the text box to provide the Justification/Rationale. 

Step 12: Review and Submit Proposal Submission

To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until completed. A warning message in red appears below the “Submit” button stating all the required fields were not completed, indicated by the red arrow shown in Figure 57 below. Note that the "Submit" button cannot be clicked at this time because all Required fields are not completed.

Once all the required fields are completed, the warning message disappears, and the proposal is ready for submission. Click on the blue “Submit” button, indicated by the red arrow, as shown in Figure 58 below, to complete the submission.

Step 13: Provide Confirmation Email Address 

Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 59 below. 

Step 14: Success Message: Check Email for Confirmation Instructions 

After the user enters their email address and submits, a pop-up message will display showing the submission was successful, as shown in Figure 60. At this time, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission. 

Step 1: Navigate to Edit: Suggest a Change to an Existing Control Enhancement

From the SP 800-53 Public Comments: Submit and View page, suggest a change to an existing control enhancement by, clicking on the “Edit” button, indicated by the red box shown in Figure 61. 

Step 2: Select Edit Control Enhancement

Select the radio button for “Edit Control Enhancement,” indicated by the red box, as shown below in Figure 62. 

Step 3: Select Control Family, Control Family, and Control Enhancement Name to Edit

Select a control family (required), control name (required), and control enhancement name (required) from the existing SP 800-53 control families, controls, and control enhancements using the drop-down menu, as indicated by the red boxes in Figure 63 below.

• If the selected Control has no Existing Control Enhancements, a warning message will appear under the “Control Enhancement Name,” stating “Please use New Proposal to propose a new Control Enhancement for this Control,” indicated by the red arrow shown in Figure 64. 
  

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 65. Note that References for control enhancements are listed with the base control.

• Control Family (required)
• Control Name (required)
• Control Enhancement Name (required)
• Edit Control Enhancement Name
• Control Statement 
• Discussion
• Related Controls
• Security Control Baseline
• Privacy Control Baseline
• Justification/Rationale (required)

OPTIONAL Step 4: Edit Control Enhancement Name

The input text box to suggest an update to the edit control enhancement name is shown by the red arrow in Figure 66 below.

Complete the remainder of the “Edit an Existing Control Enhancement” form following the step-by-step instructions to Suggest a Change to an Existing Control:

• OPTIONAL Step 5, Edit Control Statement
• OPTIONAL Step 6, Edit Discussion
• OPTIONAL Step 7, Edit Related Controls
• OPTIONAL Step 9, Edit Security Control Baseline(s)
• OPTIONAL Step 10, Edit Privacy Control Baseline
• Step 11: Provide the Justification/Rationale
• Step 12: Review and Submit Proposal Submission
• Step 13: Provide Confirmation Email Address
• Step 14: Success Message: Check Email for Confirmation Instructions

Note that OPTIONAL Step 8 Edit References does not apply to Editing an Existing Control Enhancement.
 

When a control function or capability is incorporated into another control, the control is redundant to an existing control, or when a control is deemed no longer necessary, a control is withdrawn. 

Step 1: Navigate to Edit Suggest a Withdraw of a Base Control

From the SP 800-53 Public Comments: Submit and View page, suggest the withdraw of an existing Base Control by clicking on the “Edit” button, indicated by the red box in Figure 67. 

Step 2: Select Withdraw Base Control

Select the radio button for the “Withdraw Base Control,” indicated by the red box in Figure 68. 

Step 3: Select Control Family and Control to Withdraw

Figure 69 below illustrates how to select a control family (required) and control name (required) to withdraw from the existing SP 800-53 control families and controls using the drop-down menus, as indicated by the red boxes. 

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 70:

• Control Family (required)
• Control Name (required)
• Withdraw Type (required)
• Withdraw [Into/To] (required)
• Withdraw Description (required)
• Justification/Rationale (required) 

Step 4: Identify Withdraw Type

To suggest a withdraw of a base control the user determines the type of withdraw (required). 

• "Incorporated into” consolidates the suggested base control into one or more existing controls. 
• “Move to” relocates the suggested control to another existing control. 

Figure 71 below illustrates how to proceed with an “Incorporated into” withdraw proposal. Select the radio button for “Incorporated into,” indicated by the red arrow. 

Figure 72 below shows how to add control(s) in which to incorporate into. Click on the green “Add Control” button, indicated by the red arrow.

Upon hitting the green “Add Control” button, a drop-down menu appears beneath the Withdraw proposal. Click the drop-down option indicated by the red box in Figure 73 to see the list of base controls.  

Select a base control in which to incorporate into from the drop-down menu, as shown by the red arrow in Figure 74.

The base control in which to incorporate into appears above the green “Add Control” button, indicated by the red arrow shown in Figure 75 below. Note at least one control must be specified. 

Once control(s) in which to incorporate into is/are selected, the Withdraw Description is automatically populated with the type of withdraw and the selected control(s) to withdraw into, indicated by the red arrow in Figure 76 below. 

Repeat the actions, starting at Figure 72 through Figure 76, in Step 4 above to capture any additional controls for the withdrawn control to be incorporated into. 

Figure 77 below illustrates how to submit a “Moved to” withdraw request. Select the radio button for “Moved to,” indicated by the red arrow. 

Figure 78 below shows how to add an existing control to move to by clicking on the green “Add Control” button, indicated by the red arrow. Note that a control can only be moved to a single new location.

Upon hitting the green “Add Control” button, a drop-down menu appears beneath the Withdraw request. Select the drop down, indicated by the red box shown in Figure 79, to see the list of existing controls.

Select a base control in which to move to from the drop-down menu, as shown by the red arrow in Figure 80. 

Upon selecting the existing control in which to move to, the “Withdraw Description” appears in the text field, indicated by the red arrow shown in Figure 81. 

To remove a control selection to incorporate into or move to, click on the red “Remove” button, indicated by the red arrow shown in Figure 82.

After clicking the red “Remove” button, the selected control to incorporate into or move to will disappear, as shown below in Figure 83.

Step 5: Provide Justification/Rationale for Withdraw of Control

Provide the Justification/Rationale for the Withdraw (required). Include the rationale for incorporating or moving control, and any additional supporting information. Figure 84 shows the text box to provide the Justification/Rationale. 

To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until completed. A warning message in red appears below the blue “Submit” button stating all the required fields were not completed, as indicated by the red arrow seen in Figure 85 below. 

Step 6: Review and Submit Proposal

After completing the Justification/Rationale, click on the blue “Submit” button, indicated by the red arrow in Figure 86 below.

Step 7: Provide Confirmation Email Address

Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 87 below. 

Step 8: Success Message: Check Email for Confirmation Instructions

A pop-up message showing the submission was successful, as shown in Figure 88. At this time, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission. 

Step 1: Navigate to Edit: Suggest a Withdraw of a Control Enhancement

From the SP 800-53 Public Comments: Submit and View page, suggest the withdraw of an existing Base Control by, clicking on the “Edit” button, indicated by the red box in Figure 89. 

Step 2: Select Withdraw Control Enhancement

Select the radio button for the “Withdraw Control Enhancement,” indicated by the red box shown in Figure 90. 

Step 3: Select Control Family, Control Name, and Control Enhancement

Figure 91 below illustrates how to select a control family (required), control name (required), and control enhancement (required) to withdraw from the existing SP 800-53 control families, controls, and control enhancements using the drop-down menu, as indicated by the red boxes. 

The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 92:

• Control Family (required)
• Control Name (required)
• Control Enhancement (required)
• Withdraw Type (required)
• Withdraw [Into/To] (required)
• Withdraw Description (required)
• Justification/Rationale (required)

Complete the remainder of the “Withdraw an Existing Control Enhancement” form following the step-by-step instructions to Suggest a Withdraw of a Base Control:

• Step 4: Identify Withdraw Type
• Step 5: Provide the Justification/Rationale for Withdraw
• Step 6: Review and Submit Proposal Submission
• Step 7: Provide Confirmation Email Address
• Step 8: Success Message: Check Email for Confirmation Instructions
   

After submitting a proposal for a new control/control enhancement, to edit a control/control enhancement, or submitting a comment on a candidate (draft control available for public review/comment), the user receives an email from no-reply-800-53comments@nist.gov confirmation of the submission.

Confirmation by the user is required within 24 hours to complete the proposal submission process; proposal submissions not confirmed in 24 hours will be deleted. The confirmation email includes a unique verification link (intentionally hidden in Figure 93) and contains pertinent information about current status and next steps after the proposal submission.

Note: Figure 93 below provides an example of a confirmation email; the content of confirmation emails differs based on the type of proposal submitted.  

Upon clicking the confirmation link, the user is redirected to the SP 800-53 Public Comments: Submit and View page with a thank you message, as shown in Figure 94 below.

Candidates are proposed changes to the SP 800-53 Controls and SP 800-53B Control Baselines that are available for public comment. The SP 800-53 Public Comment Site provides an opportunity to view and provide comments on the candidates to be included in the next release.

Step 1: Navigate to View Candidates

From the SP 800-53 Public Comments: Submit and View page, view candidates (draft controls available for public comment) by clicking on the green “Candidates” button, indicated by the red box in Figure 95 below. 

OPTIONAL Step 2: Filter Candidates

See Figure 96 below for the Current SP 800-53 Candidate Proposals page. Users can filter candidates by control family, control, and/or submission date (on or after). Note that one or more filters can be used, each filter is additive.  For example, if you filter by control family and control name, only results that match both the control family and control name display.

Figure 98 below shows the “Filter By” options: (Control) Family, Control, and Submission Date. 

To filter candidates by Control Family, “click” on the drop-down menu, indicated by the red box in Figure 97. 

• Select from the drop-down menu of SP 800-53 control families, as shown in Figure 99. Note if no candidates meet the Filter criteria, an error message states, “None Found.”
  
• Upon selecting a Control Family, the candidates that meet the filter by criteria will display under the filter by box, as indicated by the red box in Figure 99 below.
  

To filter candidates by Control, “click” on the drop-down menu, indicated by the red box in Figure 100.

• Select from the drop-down menu of SP 800-53 controls, as shown in Figure 101. Note if no candidates meet the Filter criteria, an error message states, “None Found.”
  
• Upon selecting a Control, the candidates that meet the filter by criteria will display under the filter by box, as indicated by the red box in Figure 102 below.
  

To filter a candidate for a proposed change to an SP 800-53 control by Submission Date (On or After), “click” on the date field, indicated by the red box in Figure 103.

• The user can enter date (MM/DD/YYYY), indicated by the red arrow or by select the date using the calendar function, indicated by the red box in Figure 104 below. 
  
• Upon selecting a Submission Date, the candidates that meet the filter by criteria will display under the filter by box, as indicated by the red box in Figure 105 below.
  

Clear the “Filter By” by Clicking the “Clear Filter” button, as shown by the red arrow in Figure 106 below.

Step 3: View Candidate Detail

To view the details of a candidate, click the associated link in the Tracking Number column (right-most column), as shown by the red arrow in Figure 107 below.

The details of the Candidate display, and include additional information such as proposal type, tracking number, current status, comment period, and a detailed change of the control/control enhancement with proposed changes. Figure 108 shows a detailed view of a Candidate. If the candidate proposes a change to an existing control or control enhancement, the detailed view displays the “Current Published Value” in addition to the proposed change.

The SP 800-53 Public Comment Site provides an opportunity to provide comments on the candidates to the SP 800-53 controls and SP 800-53B control baselines to be included in the next release, and view comments submitted by other users. Note that comments do not include attribution (name or email of submitter) but display the date submitted.

Step 1: Navigate to Provide Comment on Candidate

From the SP 800-53 Public Comments: Submit and View page, provide comments on candidates by clicking on the green “Candidates” button, indicated by the red box in Figure 109.

Step 2: View All Candidates

Upon clicking on the green “Candidates” button, all the candidates available for comment will display. To filter candidates by control family, control, or submission date, and for a detailed view of a Candidate, see View Candidates. Select the “Tracking Number” of the candidate to review and provide a comment on. 

Step 3: Review A Candidate

To submit a comment on the candidate, click on the blue “Submit” button, indicated by the red arrow in Figure 110. Note, if other users submitted comments on the Candidate, comments are displayed under the “Public Comments” heading (directly above the “Submit” button). 

Step 4: Submit Comment on a Candidate

Upon clicking the blue “Submit Comment” button, a pop-up window will appear requesting the users email address (required) for verification and a field to submit a comment (required), indicated by the red box, in Figure 111. When complete, click “Send.”

Step 5: Success Message: Check Email for Confirmation Instructions

A pop-up message with a “Success” message displays, as shown in Figure 112. However, the submission is not yet confirmed. Refer to Confirm a Proposal Submission. 

After the public comment period on Candidates concludes and NIST adjudicates comments received, customers can preview the planned changes to controls, control enhancements, and control baselines, and can begin to prepare for implementation in advance of the release.  

Step 1: Navigate to View and Search Proposals Awaiting Release

From the SP 800-53 Public Comments: Submit and View page, view Proposed Changes Awaiting Release by clicking on the green “Awaiting” button, indicated by the red box in Figure 113 below. 

Users can filter Awaiting Proposals by control family, control, and/or submission date (on or after). 

OPTIONAL Step 2: Filter Proposals Awaiting Release

Refer to View Candidates, OPTIONAL Step 2 for step-by-step instructions on using the available filters. Note that one or more filters can be used, each filter is additive.  For example, if you filter by control family and control name, only results that match both the control family and control name display. 

Step 3: View Details on a Proposal Awaiting Release

Refer to View Candidates, Step 3 for step-by-step instructions to view the details of a proposal awaiting release.  

Step 1: Enter Tracking Number to Search

From the SP 800-53 Public Comments: Submit and View page, view the status of candidates and proposals awaiting release by entering the Tracking Number (provided in the confirmation email from no-reply-800-53comments@nist.gov) and clicking “Find,” as shown in the red box in Figure 114.

Step 2: View Candidate or Proposal

Upon clicking on the green “Find” button, the selected candidate or proposal awaiting release appears, as shown in the red box in Figure 115 below. To view a comment for a specific candidate in further detail, click on the “Tracking Number” (far right column), indicated by the red arrow in Figure 115.  

The SP 800-53 Release Search provides a searchable, browser-based version of the SP 800-53 controls and SP 800-53B control baselines. 

Step 1: Navigate to View Controls (Release Search)

From the SP 800-53 Public Comments: Submit and View page, view the SP 800-53 Release Search by clicking on the blue “Release Search” button, indicated by the red box, in Figure 116 below.

Alternatively, the release search can also be accessed from the shortcut menu at https://nist.gov/rmf or directly at: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/release-search#!/800-53

Step 2: Browse and Search Controls and Baselines Using SP 800-53 Release Search

Upon clicking on the blue “Release Search” button, users can browse and search the latest version of SP 800-53 and SP 800-53B. Other available versions appear at the bottom on the page. 

Users can download the SP 800-53 Controls and SP 800-53B Baselines for NIST SP 800-53, Revision 3, 4, and 5 in different derivative data formats.

Step 1: Navigate to the SP 800-53 Control Downloads

The SP 800-53 controls, SP 800-53B baselines, and SP 800-53A assessment procedures can be accessed at the SP 800-53 Release Search page under “Downloads,” as indicated by the red arrow in Figure 118 below.

Alternatively, the SP 800-53 derivative data formats can also be accessed from the shortcut menu at https://nist.gov/rmf or directly at: https://csrc.nist.rip/projects/risk-management/sp800-53-controls/downloads 

Step 2: Use the SP 800-53 Downloads Page

The SP 800-53 Downloads page includes multiple derivative data formats, including PDF, XML, CSV, Spreadsheet, and OSCAL for SP 800-53 Revision 5, SP 800-53B, Draft SP 800-53A Revision 5, SP 800-53 Revision 4, SP 800-53A Revision 5, SP 800-53 Revision 3, and SP 800-53A.

Control Family: Groupings of controls by topic area. Of the 20 control families in NIST SP 800-53, 17 are aligned with the minimum security requirements in FIPS 200. The Program Management (PM), PII Processing and Transparency (PT), and Supply Chain Risk Management (SR) families address enterprise-level program management, privacy, and supply chain risk considerations pertaining to federal mandates emergent since FIPS 200. 

Control Identifier: Unique short-hand reference to control family and control number.  The order of the controls and control enhancements does not imply any logical progression, level of prioritization or importance, or order in which the controls or control enhancements are to be implemented. Rather, it reflects the order in which they were included in the catalog. Control identifiers are not re-used when a control is withdrawn.

Control Name: A short phrase describing intended security and/or privacy outcome.

Base Control/Control Statement: Security and/or privacy outcome involving policy, oversight, supervision, processes to be implemented by systems or individuals.

Control Enhancement: Information security and/or privacy outcome that add specificity, functionality, or increase strength to the base control. The control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the base control. Each control enhancement has a short subtitle to indicate the intended function or capability provided by the enhancement.
The numerical designation of a control enhancement is used only to identify that enhancement within the control. The designation is not indicative of the strength of the control enhancement, level of protection, priority, degree of importance, or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently; if a control enhancement is selected, then the corresponding base control is also selected and implemented. 

Discussion: Additional information about a control / control enhancement.  The information in discussion assists organizations, as needed, when developing, tailoring, implementing, assessing, or monitoring controls, but does not extend the control or control enhancement. The information provides important considerations for implementing controls based on mission or business requirements, operational environments, or assessments of risk. The
additional information can also explain the purpose of controls and often includes examples. Control enhancements may also include a separate discussion section when the discussion information is applicable only to a specific control enhancement.

Related Controls: Other SP 800-53 controls that impact or support the implementation, address a related security or privacy capability, or are referenced in the discussion section. Note that control enhancements are inherently related to their base control. Thus, related controls that are referenced in the base control are not repeated in the control enhancements. However, there may be related controls identified for control enhancements that are not referenced in the base control (i.e., the related control is only associated with the specific control enhancement). Additionally, each control in a given family is inherently related to the -1 control (Policy and Procedures) in the same family.

References: List of applicable laws, policies, standards, guidelines, websites, and other useful references.  The list of references is not intended to be exhaustive.  

Organization-defined parameter: Assignment/selection statements to give organizations ability to customize controls based on organizational risk & requirements.

A control baseline is a collection of controls from SP 800-53 assembled to address the protection needs of a group, organization, or community of interest and manage information security and privacy risk. It provides a generalized set of controls that represents a starting point for the subsequent tailoring activities that are applied to the baseline to produce a targeted or customized security and privacy solution for the entity that the baseline is intended to serve. Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individuals’ privacy interests, laws, executive orders, regulations, policies, directives, standards, or industry best practices. 

SP 800-53B includes three security control baselines (Low, Moderate, and High) correspond with the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, or the Nation if there is a loss of confidentiality, integrity, or availability of the system or information.  The selection of the security control baseline is based on the FIPS 200 impact level of the system as determined by the RMF Categorize Step.  

In addition to the three security control baselines, SP 800-53B provides an initial privacy control baseline for federal agencies to address privacy requirements and manage privacy risks that arise from the processing of PII based on privacy program responsibilities under OMB Circular A-130. Not all controls or control enhancements that address privacy risk are assigned to the privacy control baseline. This approach provides a starting point from which controls or control enhancements may be removed, added, or specialized based on the tailoring guidance in SP SP 800-53B, Section 2.4. 

• Proposal – Any submission (comment on existing control/control enhancement or suggestion for a new control/control enhancement) from an end user. A proposal becomes a “candidate” when made available for public review by NIST.

• Candidate – Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls available for public review and comment for 30-90 days. Note that not all comments are substantive in nature; if changes are identified by an end user that do not change the technical content of a control/control enhancement, the NIST control manager(s) can skip the “Candidate” process.

• Awaiting or Sandbox – Proposed changes that have completed the candidate phase, with comments/suggestions received during the public review adjudicated by NIST. Customers are able to preview the projected, proposed, and planned changes and can begin to prepare for implementation in advance of the release.    
• Release – Further broken down into Major Release and Minor Release.  For additional information, see Major/Minor Release Criteria [add link]
  • Major Release is the equivalent to a new “SP 800-53 Revision" (e.g., NIST SP 800-53, Revision 6)  
  • Minor Release is the equivalent to an errata update of the existing SP 800-53 Revision.