NIST Publishes Draft Fifth Revision of SP 800-53, Security and Privacy Controls for Information Systems and Organizations and Requests Public Comment



August 16, 2017. On August 15, 2017, the National Institute of Standards and Technology (NIST) announced publication of the Draft Fifth Revision of NIST Special Publication (SP) 800-53 in a news release entitled: “NIST Crafts Next-Generation Safeguards for Information Systems and the Internet of Things.” NIST encourages public comment on Draft NIST SP 800-53-5 during the comment period of August 15-September 12, 2017, with comments sent via email by September 12, 2017, to:, with the subject line: “’Comments on Draft SP 800-53 Rev.5.’”


The Abstract for Draft NIST SP 800-53-5 is:

“This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, Executive Orders, directives, regulations, policies, standards, and guidelines. The publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions and business functions, technologies, environments of operation, and sector-specific applications. Finally, the consolidated catalog of controls addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms) and an assurance perspective (i.e., the measure of confidence in the security or privacy capability). Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.”

Keywords for Draft NIST SP 800-53-5 are:

“Assurance; availability; computer security; confidentiality; [Federal Information Security Modernization Act (FISMA) of 2014, Public Law (P.L. 113-283)]; information security; integrity; personally-identifiable information; Privacy Act; privacy controls; privacy functions; privacy requirements; Risk Management Framework; security controls; security functions; security requirements; system; system security.”

Note the keywords availability, confidentiality, and integrity, which are the foundational principles of the HIPAA Privacy and Security Rules, as are the controls in Chapter 3 that underpin standards and implementation specifications pertaining to those Rules:



  • “Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Individual Participation
  • Incident Response
  • Maintenance
  • Media Protection
  • Privacy Authorization
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity.”


Excluding 12 pages of introductory material, table of contents, and prologue, Draft NIST SP 800-53-5 comprises 3 chapters and Appendices A-I in 480 pages.


Be sure to download and carefully read the news release, referenced and linked above, from which we reproduce these excerpts:

“[T]he latest draft goes beyond both information security and the federal government to address ways all kinds of organizations can maintain security and privacy in their interconnected systems.

“Privacy is now fully integrated throughout the new draft, a first for any control catalog. ‘This revision covers the overlap in security and privacy for systems, as well as the ways in which they are distinct,’ said NIST senior privacy policy advisor Naomi Lefkovitz. ‘It also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities.’ [Draft NIST] SP 800-53 Revision 5 adds two new control families that focus solely on privacy; the remaining privacy controls are integrated throughout the rest of the control families….

“Revision 5 ‘takes the guidance in new directions—we are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things,’ said Ron Ross, NIST fellow and team leader of the joint task force that wrote the updated publication. Controls are security and privacy safeguards—both technical and procedural—designed to protect systems, organizations and individuals.

“While previous versions targeted federal agencies, other organizations, particularly industry, are voluntarily adopting SP 800-53. The controls have been updated to address the needs of the more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers who are now working on privacy and security.”

Draft NIST SP 800-53-5 is an important document for your organization to download and carefully study, with the opportunity to provide public comment to NIST as appropriate. Note that the news release concludes by stating that it is designed “so that organizations outside of the federal government can more easily use the NIST controls with the frameworks they currently use, such as ISO 27001 [information security management system] and the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework.”


