Control Baselines for Information Systems and Organizations: Draft NIST SP 800-53B Available for Comment


NIST seeks feedback on Draft NIST Special Publication (SP) 800-53B, Control Baselines for Information Systems and Organizations.  SP 800-53B provides three security control baselines for low-impact, moderate-impact, and high-impact federal systems, as well as a privacy control baseline for systems irrespective of impact level. The security and privacy control baselines have been updated with the controls described in SP 800-53, Revision 5; the content of control baselines reflects the results of a comprehensive interagency review conducted in 2017 and continuing input and analysis of threat and empirical cyber-attack data collected since the update to SP 800-53.

In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions to help guide and inform the control selection process for organizations. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. The control baselines were previously published in NIST SP 800-53, but moved so that SP 800-53 could serve as a consolidated catalog of security and privacy controls that can be used by different communities of interest.

In addition to your feedback on the three security control baselines, NIST is also seeking your comments on the privacy control baseline and the privacy control baseline selection criteria.  Since the selection of the privacy control baseline is based on a mapping of controls and control enhancements in SP 800-53 to the privacy program responsibilities under OMB Circular A-130, suggested changes to the privacy control baseline must be supported by a reference to OMB A-130.  Alternatively, you may provide a description and rationale for new or modified privacy control baseline selection criteria.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers from the public and private sectors, nationally and internationally, to help shape NIST publications to ensure they meet the needs and expectations of our customers.

A public comment period for this document is open through September 11, 2020. See the publication details for a copy of the draft and instructions for providing comments (including a comment template spreadsheet for your use).

NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.