Date Published: March 2020
Comments Due: May 29, 2020 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov
Planning Note (4/28/2020):
There is an urgent need to strengthen the trustworthiness and resilience of the information systems, component products, and services that we depend on in every critical infrastructure sector and which support the economic and national security interests of the United States.
This (final public draft) revision of NIST Special Publication 800-53 presents a proactive and systemic approach to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include the security and privacy controls to protect the critical and essential mission and business operations of organizations, the organization’s high value assets, and the personal privacy of individuals. The objective is to manage mission, business, and system risks for organizations, making the systems we depend on more penetration-resistant to cyber-attacks; limiting the damage from those attacks when they occur; making the systems cyber-resilient and survivable; and protecting the security and privacy of information.
Summary of Changes in Revision 5
Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:
The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives. However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.
Feedback Requested
Reviewers should refer to the “Notes to Reviewers” that begins on page v of this draft. NIST requests feedback on: (1) the updates to the control catalog identified above; and (2) the concept of including a collaboration index for each control. The index is intended to indicate the degree of collaboration between security and privacy programs for each control. This collaboration index is a starting point to facilitate discussion between security and privacy programs since the degree of collaboration needed for control implementation for specific systems depends on many factors. For purposes of review and comment, three control families are identified as notional examples: Access Control (AC); Program Management (PM); and Personally Identifiable Information Processing and Transparency (PT). The notional examples are provided as a “Notes to Reviewers Supplemental Material” section at the end of the document, following Appendix D.
Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers.
The public comment period for this draft is open through May 29, 2020 (extended from the original May 15, 2020 deadline). We encourage reviewers to use the comment template for organizing and submitting comments.
NOTE: A call for patent claims is included on page ix of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Contingency Planning; Assessment, Authorization and Monitoring; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Risk Assessment; System and Services Acquisition; System and Information Integrity; System and Communications Protection; Program Management
Publication:
SP 800-53 Rev. 5 (Draft) (DOI)
Supplemental Material:
Comment template (xls)
Summary: Significant Changes from Rev. 4 (pdf)
Comparison of Revs. 4 and 5, authored by MITRE Corp. for ODNI (xls)
OSCAL version of 800-53 FPD controls (other)
Spreadsheet version of 800-53 FPD controls (xls)
NIST news article (other)
Frequently Asked Questions (pdf)
Frequently Asked Questions (other)
Document History:
02/23/16: SP 800-53 Rev. 5 (Draft)
08/15/17: SP 800-53 Rev. 5 (Draft)
03/16/20: SP 800-53 Rev. 5 (Draft)
09/23/20: SP 800-53 Rev. 5
Security and Privacy
acquisition; audit & accountability; authentication; awareness training & education; contingency planning; incident response; maintenance; planning; privacy controls
Applications
communications & wireless
Laws and Regulations
E-Government Act; Federal Information Security Modernization Act; Homeland Security Presidential Directive 12; Homeland Security Presidential Directive 7; OMB Circular A-11; OMB Circular A-130