NIST has released the Final Public Draft of Special Publication (SP) 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations," for public comment. Comments are due by May 15, 2020.
There is an urgent need to strengthen the trustworthiness and resilience of the information systems, component products, and services that we depend on in every critical infrastructure sector and which support the economic and national security interests of the United States.
This (final public draft) revision of NIST Special Publication 800-53 presents a proactive and systemic approach to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include the security and privacy controls to protect the critical and essential mission and business operations of organizations, the organization’s high value assets, and the personal privacy of individuals. The objective is to manage mission, business, and system risks for organizations, making the systems we depend on more penetration-resistant to cyber-attacks; limiting the damage from those attacks when they occur; making the systems cyber-resilient and survivable; and protecting the security and privacy of information.
Revision 5 of this foundational NIST publication represents a multi-year effort to develop next-generation security and privacy controls. The major changes to the publication include:
The integration of security and privacy controls into one catalog recognizes the essential relationship between security and privacy objectives. This relationship requires security and privacy officials to collaborate across the system development life cycle. In particular, control implementation is one area in which collaboration is important. Because security and privacy objectives are aligned in many circumstances, the implementation of a particular control can support achievement of both sets of objectives. However, there are also circumstances when controls are implemented differently to achieve the respective objectives, or the method of implementation can impact the objectives of the other program. Thus, it is important that security and privacy programs collaborate effectively with respect to the implementation of controls to ensure that both programs’ objectives are met appropriately.
Reviewers should refer to the “Notes to Reviewers” that begins on page v of this draft. NIST requests feedback on: (1) the updates to the control catalog identified above; and (2) the concept of including a collaboration index for each control. The index is intended to indicate the degree of collaboration between security and privacy programs for each control. This collaboration index is a starting point to facilitate discussion between security and privacy programs since the degree of collaboration needed for control implementation for specific systems depends on many factors. For purposes of review and comment, three control families are identified as notional examples: Access Control (AC); Program Management (PM); and Personally Identifiable Information Processing and Transparency (PT). The notional examples are provided as a “Notes to Reviewers Supplemental Material” section at the end of the document, following Appendix D.
Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers.
The public comment period for this draft is open through May 15, 2020. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page ix of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.