Each topic area below includes a step-by-step guide demonstrating how to:
Users can reach the SP 800-53 Public Comment Site directly, or by browsing from the NIST Risk Management Framework (RMF) project page.
Access the SP 800-53 Public Comment Site directly: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/public-comments. Figure 1 below shows the SP 800-53 Public Comments: Submit and View Site.
There are two ways to access the SP 800-53 Public Comment Site from the NIST RMF Project Page (also refer to Option 3, below).
Users can reach the Comment site from the Public Comments: Submit and View link (accessible via the Additional Pages Navigation Bar on the right, highlighted by the red box in Figure 2).
Users can also reach the SP 800-53 Public Comment Site from the “Control Catalog Comments Overview” link (accessible via the Additional Pages Navigation Bar on the right, highlighted by the red box in Figure 3).
The SP 800-53 Control Comments Overview Page includes information about the Public Comment Website, including More Information about the background and process, How to Use the site, a link to Submit a Comment on the current revision of SP 800-53 controls, and how to sign up for notifications about public comment periods.
To access the SP 800-53 Public Comment Site, click the “Submit a Comment” button or “Submit Comments on SP 800-53 Controls” image, as highlighted by the red boxes in Figure 4 below.
An SP 800-53 control (also referred to as a base control) is a security and/or privacy outcome involving policy, oversight, supervision, or processes to be implemented by systems or individuals. Examples of base controls include AC-2 Account Management, IA-5 Authenticator Management, PL-4 Rules of Behavior, and SR-2 Supply Chain Risk Management Plan.
From the SP 800-53 Public Comments: Submit and View page, suggest a new control or control enhancement by clicking “New,” indicated by the red box shown in Figure 5.
A new control proposal can either be for a new base control or a new control enhancement (Also see Suggest a New Control Enhancement).
Select the radio button for “New Base Control,” indicated by the red box, as shown in Figure 6.
For step-by-step instructions on how to propose a new control enhancement, see Suggest a New Control Enhancement.
The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 7:
Figure 8 below illustrates how to select a Control Family (required) from the existing SP 800-53 control families using the drop-down menu (marked with the red arrow). Additionally, the red box identifies where to enter text for the proposed Control Name (required).
Figure 9 below shows how to add a New Control Statement (required) by clicking on the green “New Statement Required” button.
Upon clicking the green “New Statement Required” button, a pop-up window prompts the user to provide a control statement, which can be entered in paragraph form or as a hierarchical, numbered list. To provide a control statement in paragraph form, enter the proposed control statement in the text box, as shown in Figure 10.
To delete a section (sub-text or sub-section) of a control statement, click on the red “Delete” button, indicated by the red arrow shown in Figure 15 below.
Once all changes to the Control Statement are entered, click the blue “Save” button, as shown below in Figure 16.
The pop-up window closes, and the new text input displays in the Control Statement text box as shown below in Figure 17.
Figure 18 displays the text box to provide Discussion on the new base control. The information in the Discussion section assists organizations, as needed, when developing, tailoring, implementing, assessing, or monitoring controls, but does not extend the control. The information provides important considerations for implementing controls based on mission or business requirements, operational environments, or assessments of risk. The additional information can also explain the purpose of controls and often includes examples. This field can be left blank.
Note that if an invalid character is input or the minimum length requirement is not met, an error message (in red) appears under the text box requiring an update before allowing submission. The Discussion text box can also be resized by clicking and dragging on the lower right-hand corner.
To assist with control implementation and assessment, users can add related controls. Related controls are other SP 800-53 controls that impact or support the implementation, address a related outcome, or are referenced in the Discussion section (if applicable). This field can be left blank.
To add a related control:
To remove a related control:
Repeat OPTIONAL Step 6 as necessary to add and/or remove all relevant related controls.
Add References to new or existing applicable laws, policies, standards, guidelines, websites, and other useful resources for the control. This field can be left blank.
To add a reference using an existing reference in SP 800-53:
To add a new reference that is not used in SP 800-53:
To remove a reference (newly added or existing in SP 800-53), click “Delete” under “Action” on the right side of the row, as shown in Figure 28.
Repeat OPTIONAL Step 7 as necessary to include and/or remove new and existing references for the control.
Suggest Security Control Baseline(s) by clicking the corresponding check box(es) with Low, Moderate, and/or High security control baseline(s), or Not Selected, as shown below in Figure 29. Refer to SP 800-53B for additional guidance on the security control baselines. This field can be left blank. Note that the Security Control baselines are additive. Any control selected in the Low-Impact Baseline is also selected at Moderate and High.
Suggest if the new control is included in the Privacy Control Baseline by selecting the radio button for “Yes” or “No,” as shown in Figure 30. Controls are selected in the Privacy Control Baseline if the proposed control addresses privacy requirements based on privacy program responsibilities under OMB Circular A-130. Refer to SP 800-53B for additional guidance on the privacy control baseline. This field can be left blank.
Include the gap(s) and/or threats addressed, risks that are managed, the rationale for inclusion in control baseline(s), and any additional information about the proposed new control. Figure 31 shows the text box to provide the Justification/Rationale.
To create a new control enhancement for the new base control, select the box to the right of the blue “Submit” button highlighted in Figure 32 below.
To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until they are completed. A warning message in red appears below the “Submit” button stating that not all required fields were completed, indicated by the red arrow shown in Figure 34 below.
Once all the required fields are completed, the warning message disappears, and a summary of the proposal appears, as indicated by the red arrow in Figure 35 below. After reviewing the summary, click on the “Submit” button to complete your submission.
Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 36 below.
A pop-up message indicates that the submission was successful, as shown in Figure 37. However, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission.
A control enhancement is an information security and/or privacy outcome that adds specificity, functionality, or increased strength to the base control. The control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the base control. Each control enhancement has a short subtitle to indicate the intended function or capability provided by the enhancement. The numerical designation of a control enhancement is used only to identify that enhancement within the control; the designation is not indicative of the strength of the control enhancement, level of protection, priority, degree of importance, or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently; if a control enhancement is selected, then the corresponding base control is also selected and implemented.
From the SP 800-53 Public Comments: Submit and View page, suggest a new control or control enhancement by clicking “New.” A new control proposal can either be for a new base control or a new control enhancement.
Select the radio button for “New Control Enhancement,” indicated by the red box in Figure 38.
The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 39. Note that References for control enhancements are listed with the base control. To add a reference, please use “Edit Existing Control.”
Figure 40 below illustrates how to select a Control Family (required) and Control Name (required) from the existing SP 800-53 control families using the drop-down menus (marked with the red boxes). Enter the proposed Control Enhancement Name in the text box indicated by the red arrow.
Complete the remainder of the “New Control Enhancement Proposal” form by following the step-by-step instructions for the following steps in Suggest a New Control:
Note that OPTIONAL Step 7 (Edit References) and OPTIONAL Step 11 (Include a New Control Enhancement with Base Control) of Suggest a New Control do not apply to Editing an Existing Control Enhancement.
Users can suggest changes to existing (published) SP 800-53 controls and control enhancements, including proposing the withdrawal of a control or control enhancement.
From the SP 800-53 Public Comments: Submit and View page, suggest a change to an existing Control by clicking on the “Edit” button, indicated by the red box shown below in Figure 41.
Select the radio button for the “Edit Base Control,” indicated by the red box, as shown in Figure 42.
Figure 43 below illustrates how to select a control family (required) and control name (required) from the existing SP 800-53 control families and controls using the drop-down menu, as indicated by the red boxes.
The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 44:
Figure 45 below displays the input text box to suggest editing the control name, as shown by the red arrow.
To suggest edits to the control statement, click on the blue “Edit Statement” button, as shown by the red arrow in Figure 46 below.
Upon clicking the blue “Edit Statement” button, a pop-up window appears with the current control statement. To update any section of the current control statement, click the corresponding text box in the Edit Statement window, indicated by the red box in Figure 47. Users can also add new sub-text (see Suggest a New Control, Step 4 for step-by-step instructions on adding sub-text). Note that for certain controls, due to their formatting, the control statement box may be empty.
Repeat OPTIONAL Step 5 as necessary to add/remove/edit the control statement. When complete, click the “Save” button.
After making proposed edits, the Current Published Values will display in green underneath the proposed edits (displayed under “Edit Statement” indicated by the red box in Figure 48 below). The Current Published Value displays the published control statement, as found in the current revision of SP 800-53. The user has an opportunity to review the proposed changes against the Current Published Values before submission.
Figure 49 below displays the text input box to suggest edits to the discussion on an existing base control. Make edits, additions, and deletions in the text box.
After making the proposed edits, the Current Published Values will display in green underneath the proposed edits. The Current Published Value displays the published discussion, as found in the current revision of SP 800-53. The user has an opportunity to review the proposed changes against the Current Published Values before submission (displayed under “Discussion” and indicated by the red box, as shown in Figure 50 below).
Users can add and remove related controls. See Suggest a New Control, Optional Step 6 for step-by-step instructions on adding and removing related controls.
After adding or removing a related control, the Changes from Current Published Values will appear underneath the selected Related Controls, indicated by the red box shown in Figure 51 below. The user has an opportunity to review the proposed changes against the Current Published Values before submission.
Repeat OPTIONAL Step 7 as necessary to add/remove all relevant related controls.
References can be edited by adding a new reference (not currently used in SP 800-53), adding a new reference used in SP 800-53, editing a reference used in SP 800-53, or deleting a reference. See Suggest a New Control, Optional Step 7 for step-by-step instructions on adding, removing, and editing references.
Suggest Security Control Baseline(s) by clicking the corresponding check box(es) with Low, Moderate, and/or High security control baseline(s), or Not Selected, as shown below in Figure 52. Refer to SP 800-53B for additional guidance on the security control baselines. This field can be left blank. Note that the Security Control baselines are additive. Any control selected in the Low-Impact Baseline is also selected at Moderate and High.
After making the selection, the Current Published Values will appear in green underneath the selection, indicated by the red box in Figure 53. The Current Published Value is the original Security Control Baseline selection prior to the suggested change. The user has an opportunity to review the proposed changes against the Current Published Values before submission.
Suggest if the new control is included in the Privacy Control Baseline by selecting the radio button for “Yes” or “No,” as shown in Figure 30. Controls are selected in the Privacy Control Baseline if the proposed control addresses privacy requirements based on privacy program responsibilities under OMB Circular A-130. Refer to SP 800-53B for additional guidance on the privacy control baseline. This field can be left blank.
After making a privacy control baseline selection, the Current Published Values will appear in green underneath the selection, indicated by the red box, as shown in Figure 55 below. The Current Published Value is the original determination for the inclusion of a Privacy Control Baseline prior to the suggested change. The user has an opportunity to review the proposed changes against the Current Published Values before submission.
Include the gap(s) and/or threats addressed, risks that are managed, the rationale for inclusion in control baseline(s), and any additional information about the proposed new control. Figure 56 shows the text box to provide the Justification/Rationale.
To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until they are completed. A warning message in red appears below the “Submit” button stating that not all required fields were completed, indicated by the red arrow shown in Figure 57 below. Note that the “Submit” button cannot be clicked at this time because not all Required fields are completed.
Once all the required fields are completed, the warning message disappears, and the proposal is ready for submission. Click on the blue “Submit” button, indicated by the red arrow, as shown in Figure 58 below, to complete the submission.
Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 59 below.
After the user enters their email address and submits, a pop-up message will display showing the submission was successful, as shown in Figure 60. At this time, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission.
From the SP 800-53 Public Comments: Submit and View page, suggest a change to an existing control enhancement by clicking on the “Edit” button, indicated by the red box shown in Figure 61.
Select the radio button for “Edit Control Enhancement,” indicated by the red box, as shown below in Figure 62.
Select a control family (required), control name (required), and control enhancement name (required) from the existing SP 800-53 control families, controls, and control enhancements using the drop-down menu, as indicated by the red boxes in Figure 63 below.
The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 65. Note that References for control enhancements are listed with the base control.
The input text box to suggest an update to the control enhancement name is shown by the red arrow in Figure 66 below.
Complete the remainder of the “Edit an Existing Control Enhancement” form following the step-by-step instructions to Suggest a Change to an Existing Control:
Note that OPTIONAL Step 8 Edit References does not apply to Editing an Existing Control Enhancement.
A control is withdrawn when its function or capability is incorporated into another control, when it is redundant with an existing control, or when it is deemed no longer necessary.
From the SP 800-53 Public Comments: Submit and View page, suggest the withdrawal of an existing Base Control by clicking on the “Edit” button, indicated by the red box in Figure 67.
Select the radio button for the “Withdraw Base Control,” indicated by the red box in Figure 68.
Figure 69 below illustrates how to select a control family (required) and control name (required) to withdraw from the existing SP 800-53 control families and controls using the drop-down menus, as indicated by the red boxes.
The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 70:
To suggest the withdrawal of a base control, the user must first select the type of withdrawal (required).
Figure 71 below illustrates how to proceed with an “Incorporated into” withdrawal proposal. Select the radio button for “Incorporated into,” indicated by the red arrow.
Figure 72 below shows how to add the control(s) into which the withdrawn control is incorporated. Click on the green “Add Control” button, indicated by the red arrow.
Upon clicking the green “Add Control” button, a drop-down menu appears beneath the Withdraw proposal. Click the drop-down option indicated by the red box in Figure 73 to see the list of base controls.
Select the base control into which the withdrawn control is incorporated from the drop-down menu, as shown by the red arrow in Figure 74.
The selected base control appears above the green “Add Control” button, indicated by the red arrow shown in Figure 75 below. Note that at least one control must be specified.
Once the control(s) to incorporate into is/are selected, the Withdraw Description is automatically populated with the type of withdrawal and the selected control(s), indicated by the red arrow in Figure 76 below.
Repeat the actions, starting at Figure 72 through Figure 76, in Step 4 above to capture any additional controls for the withdrawn control to be incorporated into.
Figure 77 below illustrates how to submit a “Moved to” withdrawal request. Select the radio button for “Moved to,” indicated by the red arrow.
Figure 78 below shows how to add the existing control to move to by clicking on the green “Add Control” button, indicated by the red arrow. Note that a control can only be moved to a single new location.
Upon clicking the green “Add Control” button, a drop-down menu appears beneath the Withdraw request. Click the drop-down, indicated by the red box shown in Figure 79, to see the list of existing controls.
Select the base control to move to from the drop-down menu, as shown by the red arrow in Figure 80.
Upon selecting the existing control to move to, the “Withdraw Description” appears in the text field, indicated by the red arrow shown in Figure 81.
To remove a control selection to incorporate into or move to, click on the red “Remove” button, indicated by the red arrow shown in Figure 82.
After clicking the red “Remove” button, the selected control to incorporate into or move to will disappear, as shown below in Figure 83.
Provide the Justification/Rationale for the Withdraw (required). Include the rationale for incorporating or moving the control, and any additional supporting information. Figure 84 shows the text box to provide the Justification/Rationale.
To submit, all required fields in the form must be completed. Any incomplete fields are highlighted in red, and the proposal cannot be submitted until they are completed. A warning message in red appears below the blue “Submit” button stating that not all required fields were completed, as indicated by the red arrow seen in Figure 85 below.
After completing the Justification/Rationale, click on the blue “Submit” button, indicated by the red arrow in Figure 86 below.
Upon clicking the blue “Submit” button, a pop-up window appears requesting the submitter’s email address, as shown in Figure 87 below.
A pop-up message shows that the submission was successful, as shown in Figure 88. At this time, the submission is not yet confirmed; please check the email address provided and refer to Confirm a Proposal Submission.
From the SP 800-53 Public Comments: Submit and View page, suggest the withdrawal of an existing Base Control by clicking on the “Edit” button, indicated by the red box in Figure 89.
Select the radio button for the “Withdraw Control Enhancement,” indicated by the red box shown in Figure 90.
Figure 91 below illustrates how to select a control family (required), control name (required), and control enhancement (required) to withdraw from the existing SP 800-53 control families, controls, and control enhancements using the drop-down menu, as indicated by the red boxes.
The website automatically populates a blank form that contains the following fields for user input (indicated by the red boxes), as shown below in Figure 92:
Complete the remainder of the “Withdraw an Existing Control Enhancement” form following the step-by-step instructions to Suggest a Withdraw of a Base Control:
After submitting a proposal for a new control/control enhancement, a change to an existing control/control enhancement, or a comment on a candidate (draft control available for public review/comment), the user receives a confirmation email from no-reply-800-53comments@nist.gov.
Confirmation by the user is required within 24 hours to complete the proposal submission process; proposal submissions not confirmed in 24 hours will be deleted. The confirmation email includes a unique verification link (intentionally hidden in Figure 93) and contains pertinent information about current status and next steps after the proposal submission.
Note: Figure 93 below provides an example of a confirmation email; the content of confirmation emails differs based on the type of proposal submitted.
Upon clicking the confirmation link, the user is redirected to the SP 800-53 Public Comments: Submit and View page with a thank you message, as shown in Figure 94 below.
Candidates are proposed changes to the SP 800-53 Controls and SP 800-53B Control Baselines that are available for public comment. The SP 800-53 Public Comment Site provides an opportunity to view and provide comments on the candidates to be included in the next release.
From the SP 800-53 Public Comments: Submit and View page, view candidates (draft controls available for public comment) by clicking on the green “Candidates” button, indicated by the red box in Figure 95 below.
See Figure 96 below for the Current SP 800-53 Candidate Proposals page. Users can filter candidates by control family, control, and/or submission date (on or after). Note that one or more filters can be used; filters are additive. For example, if you filter by control family and control name, only results that match both the control family and the control name display.
Figure 98 below shows the “Filter By” options: (Control) Family, Control, and Submission Date.
To filter candidates by Control Family, click on the drop-down menu, indicated by the red box in Figure 97.
To filter candidates by Control, click on the drop-down menu, indicated by the red box in Figure 100.
To filter candidates for a proposed change to an SP 800-53 control by Submission Date (On or After), click on the date field, indicated by the red box in Figure 103.
Clear the “Filter By” selection by clicking the “Clear Filter” button, as shown by the red arrow in Figure 106 below.
To view the details of a candidate, click the associated link in the Tracking Number column (right-most column), as shown by the red arrow in Figure 107 below.
The details of the Candidate display and include additional information such as proposal type, tracking number, current status, comment period, and a detailed view of the control/control enhancement with the proposed changes. Figure 108 shows a detailed view of a Candidate. If the candidate proposes a change to an existing control or control enhancement, the detailed view displays the “Current Published Value” in addition to the proposed change.
The SP 800-53 Public Comment Site provides an opportunity to provide comments on the candidates to the SP 800-53 controls and SP 800-53B control baselines to be included in the next release, and view comments submitted by other users. Note that comments do not include attribution (name or email of submitter) but display the date submitted.
From the SP 800-53 Public Comments: Submit and View page, provide comments on candidates by clicking on the green “Candidates” button, indicated by the red box in Figure 109.
Upon clicking on the green “Candidates” button, all the candidates available for comment will display. To filter candidates by control family, control, or submission date, and for a detailed view of a Candidate, see View Candidates. Select the “Tracking Number” of the candidate to review and provide a comment on.
To submit a comment on the candidate, click on the blue “Submit” button, indicated by the red arrow in Figure 110. Note that if other users have submitted comments on the Candidate, those comments are displayed under the “Public Comments” heading (directly above the “Submit” button).
Upon clicking the blue “Submit Comment” button, a pop-up window will appear requesting the user’s email address (required) for verification and a field to submit a comment (required), indicated by the red box in Figure 111. When complete, click “Send.”
A pop-up message with a “Success” message displays, as shown in Figure 112. However, the submission is not yet confirmed. Refer to Confirm a Proposal Submission.
After the public comment period on Candidates concludes and NIST adjudicates comments received, customers can preview the planned changes to controls, control enhancements, and control baselines, and can begin to prepare for implementation in advance of the release.
From the SP 800-53 Public Comments: Submit and View page, view Proposed Changes Awaiting Release by clicking on the green “Awaiting” button, indicated by the red box in Figure 113 below.
Users can filter Awaiting Proposals by control family, control, and/or submission date (on or after).
Refer to View Candidates, OPTIONAL Step 2 for step-by-step instructions on using the available filters. Note that one or more filters can be used; filters are additive. For example, if you filter by control family and control name, only results that match both the control family and the control name display.
Refer to View Candidates, Step 3 for step-by-step instructions to view the details of a proposal awaiting release.
From the SP 800-53 Public Comments: Submit and View page, view the status of candidates and proposals awaiting release by entering the Tracking Number (provided in the confirmation email from no-reply-800-53comments@nist.gov) and clicking “Find,” as shown in the red box in Figure 114.
Upon clicking on the green “Find” button, the selected candidate or proposal awaiting release appears, as shown in the red box in Figure 115 below. To view a comment for a specific candidate in further detail, click on the “Tracking Number” (far right column), indicated by the red arrow in Figure 115.
The SP 800-53 Release Search provides a searchable, browser-based version of the SP 800-53 controls and SP 800-53B control baselines.
From the SP 800-53 Public Comments: Submit and View page, view the SP 800-53 Release Search by clicking on the blue “Release Search” button, indicated by the red box, in Figure 116 below.
Alternatively, the release search can also be accessed from the shortcut menu at https://nist.gov/rmf or directly at: https://csrc.nist.rip/Projects/risk-management/sp800-53-controls/release-search#!/800-53
Upon clicking on the blue “Release Search” button, users can browse and search the latest version of SP 800-53 and SP 800-53B. Other available versions appear at the bottom on the page.
Users can download the SP 800-53 Controls and SP 800-53B Baselines for NIST SP 800-53 Revisions 3, 4, and 5 in different derivative data formats.
The SP 800-53 controls, SP 800-53B baselines, and SP 800-53A assessment procedures can be accessed at the SP 800-53 Release Search page under “Downloads,” as indicated by the red arrow in Figure 118 below.
Alternatively, the SP 800-53 derivative data formats can also be accessed from the shortcut menu at https://nist.gov/rmf or directly at: https://csrc.nist.rip/projects/risk-management/sp800-53-controls/downloads
The SP 800-53 Downloads page includes multiple derivative data formats, including PDF, XML, CSV, Spreadsheet, and OSCAL for SP 800-53 Revision 5, SP 800-53B, Draft SP 800-53A Revision 5, SP 800-53 Revision 4, SP 800-53A Revision 5, SP 800-53 Revision 3, and SP 800-53A.
Learn More About the SP 800-53 Controls, SP 800-53B Control Baselines and terminology:
Control Family: Groupings of controls by topic area. Of the 20 control families in NIST SP 800-53, 17 are aligned with the minimum security requirements in FIPS 200. The Program Management (PM), PII Processing and Transparency (PT), and Supply Chain Risk Management (SR) families address enterprise-level program management, privacy, and supply chain risk considerations pertaining to federal mandates emergent since FIPS 200.
Control Identifier: Unique shorthand reference to the control family and control number. The order of the controls and control enhancements does not imply any logical progression, level of prioritization or importance, or order in which the controls or control enhancements are to be implemented. Rather, it reflects the order in which they were included in the catalog. Control identifiers are not re-used when a control is withdrawn.
Control Name: A short phrase describing the intended security and/or privacy outcome.
Base Control/Control Statement: Security and/or privacy outcome involving policy, oversight, supervision, processes to be implemented by systems or individuals.
Control Enhancement: Information security and/or privacy outcome that adds specificity, functionality, or increased strength to the base control. The control enhancements are numbered sequentially within each control so that the enhancements can be easily identified when selected to supplement the base control. Each control enhancement has a short subtitle to indicate the intended function or capability provided by the enhancement.
The numerical designation of a control enhancement is used only to identify that enhancement within the control. The designation is not indicative of the strength of the control enhancement, level of protection, priority, degree of importance, or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently; if a control enhancement is selected, then the corresponding base control is also selected and implemented.
Discussion: Additional information about a control / control enhancement. The information in discussion assists organizations, as needed, when developing, tailoring, implementing, assessing, or monitoring controls, but does not extend the control or control enhancement. The information provides important considerations for implementing controls based on mission or business requirements, operational environments, or assessments of risk. The additional information can also explain the purpose of controls and often includes examples. Control enhancements may also include a separate discussion section when the discussion information is applicable only to a specific control enhancement.
Related Controls: Other SP 800-53 controls that impact or support the implementation, address a related security or privacy capability, or are referenced in the discussion section. Note that control enhancements are inherently related to their base control. Thus, related controls that are referenced in the base control are not repeated in the control enhancements. However, there may be related controls identified for control enhancements that are not referenced in the base control (i.e., the related control is only associated with the specific control enhancement). Additionally, each control in a given family is inherently related to the -1 control (Policy and Procedures) in the same family.
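As an added illustration of the identifier and selection rules above (example code written for this page, not NIST's or the comment site's own): it parses identifiers such as AC-2(1) and expands a selection so that each enhancement carries its base control and each control carries its family's -1 Policy and Procedures control. The identifier pattern and the ControlId class are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not NIST's code. Identifier form assumed from the catalog
# convention: family letters, hyphen, control number, optional "(enhancement)".
_ID_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


@dataclass(frozen=True)
class ControlId:
    family: str
    number: int
    enhancement: Optional[int] = None

    @classmethod
    def parse(cls, text: str) -> "ControlId":
        m = _ID_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a SP 800-53 control identifier: {text!r}")
        fam, num, enh = m.groups()
        return cls(fam, int(num), int(enh) if enh is not None else None)

    @property
    def base(self) -> "ControlId":
        # An enhancement is never selected on its own; this is its base control.
        return ControlId(self.family, self.number)

    @property
    def policy(self) -> "ControlId":
        # Every control is inherently related to the -1 control of its family.
        return ControlId(self.family, 1)

    def __str__(self) -> str:
        s = f"{self.family}-{self.number}"
        return f"{s}({self.enhancement})" if self.enhancement is not None else s


def complete_selection(selected: list[str]) -> list[str]:
    """Expand identifiers so each enhancement brings its base control and
    each control brings the family's -1 control; returns a sorted list."""
    closure: set[ControlId] = set()
    for text in selected:
        cid = ControlId.parse(text)
        closure.update({cid, cid.base, cid.policy})
    ordered = sorted(closure, key=lambda c: (c.family, c.number, c.enhancement or 0))
    return [str(c) for c in ordered]
```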
References: List of applicable laws, policies, standards, guidelines, websites, and other useful references. The list of references is not intended to be exhaustive.
Organization-defined parameter: Assignment/selection statements that give organizations the ability to customize controls based on organizational risk and requirements.
A control baseline is a collection of controls from SP 800-53 assembled to address the protection needs of a group, organization, or community of interest and manage information security and privacy risk. It provides a generalized set of controls that represents a starting point for the subsequent tailoring activities that are applied to the baseline to produce a targeted or customized security and privacy solution for the entity that the baseline is intended to serve. Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individuals’ privacy interests, laws, executive orders, regulations, policies, directives, standards, or industry best practices.
SP 800-53B includes three security control baselines (Low, Moderate, and High) that correspond to the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, or the Nation if there is a loss of confidentiality, integrity, or availability of the system or information. The selection of the security control baseline is based on the FIPS 200 impact level of the system as determined by the RMF Categorize Step.
In addition to the three security control baselines, SP 800-53B provides an initial privacy control baseline for federal agencies to address privacy requirements and manage privacy risks that arise from the processing of PII based on privacy program responsibilities under OMB Circular A-130. Not all controls or control enhancements that address privacy risk are assigned to the privacy control baseline. This approach provides a starting point from which controls or control enhancements may be removed, added, or specialized based on the tailoring guidance in SP 800-53B, Section 2.4.
Proposal – Any submission (comment on existing control/control enhancement or suggestion for a new control/control enhancement) from an end user. A proposal becomes a “candidate” when made available for public review by NIST.
Candidate – Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls available for public review and comment for 30-90 days. Note that not all comments are substantive in nature; if changes are identified by an end user that do not change the technical content of a control/control enhancement, the NIST control manager(s) can skip the “Candidate” process.