The NIST SP 800-53 Controls Public Comment Site was developed to ensure that the SP 800-53 control catalog provides the most comprehensive and up-to-date set of controls/countermeasures to manage security, privacy, and supply chain risk. By modernizing the NIST comment process and moving to an online dataset instead of following a document-based update process, NIST can provide its stakeholders the most up-to-date controls in multiple data formats to manage risk while encouraging use of automation.
Stakeholders can provide feedback on controls by:
NIST will continue to accept comments from stakeholders using a comment matrix emailed to 800-53comments@list.nist.gov.
Comments submitted using the comment matrix will be entered into the SP 800-53 Public Comment Site and adjudicated using the same process as comments submitted via the site.
Proposal – Any submission (comment on existing control/control enhancement or suggestion for a new control/control enhancement) from an end user. A proposal becomes a “candidate” when made available for public review by NIST.
Candidate – Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls available for public review and comment for 30-90 days. Note that not all comments are substantive in nature; if changes are identified by an end user that do not change the technical content of a control/control enhancement, the NIST control manager(s) can skip the “Candidate” process.
Minor Releases are equivalent to a NIST SP 800-53 Errata Update. Minor releases/errata updates are consistent with NIST procedures and criteria for errata updates, whereby a new copy of a final publication is issued to include corrections that do not alter existing or introduce new technical information or requirements. Such corrections are intended to remove ambiguity and improve interpretation of the work, and may also be used to improve readability or presentation (e.g., formatting, grammar, spelling).
NIST will issue a maximum of 2 minor releases per year.
Major Releases are equivalent to a new NIST SP 800-53 Revision (e.g., Revision 6, Revision 7). Planned major releases can be both time- and event-driven. Time-driven (regularly scheduled) major releases will occur every 2 years. Event-driven releases will occur as necessary, but will be limited to address only critical issues.
NIST will issue a major release every 2 years (in lieu of a Minor Release).

| Change Type | Minor Release | Major Release |
| --- | --- | --- |
| Correct an error in punctuation, spelling, or grammar (Depending on the nature of the editorial correction, a public comment may not be required) | X | |
| Correct an error not related to punctuation, spelling, or grammar that does not impact implementation of the control/control enhancement. | X | |
| Add new control or control enhancement not in a baseline | X | |
| Add control or control enhancement to baseline (existing or new control) | | X |
| Remove control or control enhancement from a baseline | | X |
| Change the title of a control or control enhancement | X | |
| Withdraw a control or control enhancement not in a baseline (either complete withdrawal or incorporation into or move to another control or enhancement) | X | |
| Withdraw a control or control enhancement in a baseline (either complete withdrawal or incorporation into or move to another control or enhancement) | | X |
| Change a control or control enhancement not due to error (i.e., implementation is affected) – includes addition, removal, or change of an assignment and/or selection operation | | X |
| Minor change in Discussion (e.g., reword for clarity, include additional examples) | X | |
| Significant change in Discussion (e.g., change in intent, major rewording, addition or removal of entire sentences) | | X |
| Addition of Discussion where there had been no guidance previously | | X |
| Addition, removal, or change in References | X | |
| Addition, removal, or change in Related Controls | X | |
| Move control or control enhancement to a different family (with no other changes) | | X |

Candidates are proposed changes based on user submissions (that have been reviewed and edited by NIST, as appropriate) to the SP 800-53 controls and SP 800-53B control baselines that are available for public review and comment.
A biennial public comment period for Major Releases will begin in May. [Major releases will be published, if necessary, every 2 years in November in lieu of a Minor Release]
Depending on the type of release (Minor or Major), the timeframe for the public comment will vary.

| Type of Release | Comment Period Length |
| --- | --- |
| Minor | 30 calendar days |
| Major | 60 calendar days |

All interested stakeholders are notified when candidates are available for comment and the comment period length. See Stakeholder Notification Process for more information.
As candidates are released for comment, subscribers to 800-53updates@list.nist.gov will receive a notification about candidates available for comment and the comment period length. The SP 800-53 Updates email list is open to any interested party to sign up and all comment period notifications are publicly accessible at https://groups.google.com/u/2/a/list.nist.gov/g/800-53updates; only NIST Team members are able to send notifications to the group.
Sign-up for SP 800-53 Comment Period Notifications
If your organization's firewall is preventing you from joining via the SP 800-53 Comment Period Notifications Google Group, please send an email to 800-53comments@list.nist.gov. A moderator will add you to the email list. Please note that you may not be able to access the Forum archives and update your own subscription settings if you cannot access the Google Group.