Public Comment Open for NIST SP 800-53 Security and Privacy Controls Update
The National Institute of Standards and Technology (NIST) has opened for comment the final public draft of Revision 5 of “Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations”. The purpose of SP 800-53 is to provide a catalog of security and privacy controls to protect federal information systems and organizations against threats such as attacks and natural disasters. SP 800-53 has been around since 2005, with privacy controls being incorporated for the first time in 2013 under Revision 4. The latest revision is a response to the call by the Defense Science Board and its 2017 Task Force on Cyber Deterrence. Changes include a focus on “outcome-based” controls, incorporating state-of-the-practice controls, and clarification of the relationship between security and privacy. To increase adaptability among different communities of interest, the “control selection process” has been separated from the “controls”, as has the “control catalog” from the “control baseline”. Control baselines will be moved to SP 800-53B. Additionally, Revision 5 looks to add two new control families:
- Personally Identifiable Information Processing and Transparency
- Supply Chain Risk Management
A summary of the changes from Rev. 4 to Rev. 5 is available from NIST in this PDF, as there will not be a redline version indicating changes from Rev. 4 to Rev. 5.