NIST issues SP 800-53 Release 5.1.1 in Cybersecurity and Privacy Reference Tool

NIST has issued SP 800-53 Release 5.1.1 and SP 800-53A Release 5.1.1 in the Cybersecurity and Privacy Reference Tool (CPRT). This inaugural patch release includes minor grammatical edits and clarifications that do not impact the implementation or outcome of the controls, as well as one new control and three supporting control enhancements to address recent vulnerabilities related to identity and access management systems, and corresponding assessment procedures. A two-week, expedited public comment period on the new control and supporting control enhancements was held in October 2023 using the SP 800-53 Public Comment site. This release is available via the CPRT in JSON, spreadsheet, and in OSCAL formats.

This patch release marks the first time NIST has issued controls and assessment procedures in this way; and NIST will use this approach to ensure that the catalog of security and privacy controls, assessment procedures, and control baselines stay up to date to address the evolving threat landscape while allowing for user feedback, review, and transparency in our development process.

Organizations that already use and implement SP 800-53r5 (Revision 5) have the option to defer implementing the changes in the patch release until SP 800-53 Release 6.0.0 is issued. Refer to the SP 800-53 Release 5.1.1 FAQ for more information.

Additional questions and comments can be directed to 800-53comments [at] list.nist.gov (800-53comments[at]list[dot]nist[dot]gov).