NIST Invites Comment on Controls for Federal Information Systems and Organizations

States and utilities are invited to provide review and comment on National Institute of Standards & Technology’s Special Publication 800-53 latest revision titled Security and Privacy Controls for Federal Information Systems and Organizations. Comments are being accepted through March 1, 2013.

The proposed changes included in Special Publication 800-53, Revision 4, support the federal information security strategy of “Build It Right, Then Continuously Monitor” and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this update, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services—especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications).

In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements addressing the advanced persistent threat (APT), supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;
  • Clarification of security control language;
  • New tailoring guidance including the fundamental assumptions used to develop the security control baselines;
  • Significant expansion of supplemental guidance for security controls and enhancements;
  • Streamlined tailoring guidance to facilitate customization of baseline security controls;
  • New privacy controls and implementation guidance based on the internationally recognized  Fair Information Practice Principles;
  • Updated security control baselines;
  • New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
  • New mapping tables for ISO/IEC 15408 (Common Criteria);
  • The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation, and information technologies; and
  • Designation of assurance-related controls for low-impact, moderate-impact, and high-impact information systems and additional controls for responding to high assurance requirements.

The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, information security programs—capable of addressing sophisticated threats.

To support the final public review process, NIST will publish a markup version of Appendices D, F, and G (i.e., baseline allocations and the catalog of security controls for information systems and organizations) on or about February 8th to show the changes from the initial public draft. There will not be any markups provided for the main chapters or other appendices. A markup showing changes from Revision 3 to Revision 4 for the aforementioned appendices will be provided upon final publication of Special Publication 800-53, anticipated forApril 2013Comments can be sent

Direct link to 800-53 Rev 4, (Final Public Draft):

CSRC website:


Comments are closed.