The National Institute of Standards and Technology’s Draft Special Publication 800-53B provides three security control baselines for low-impact, moderate-impact, and high-impact federal systems, as well as a privacy control baseline for systems regardless of impact level.
NIST officials said the security and privacy control baselines were updated with the controls described in SP 800-53, Revision 5; the content of control baselines reflects the results of a comprehensive interagency review conducted in 2017 and continuing input and analysis of threat and empirical cyber-attack data collected since the update to SP 800-53.
In addition to the control baselines, the draft publication provides tailoring guidance and a set of working assumptions to help guide and inform the control selection process for organizations.
Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. The control baselines were previously published in NIST SP 800-53, but moved so that SP 800-53 could serve as a consolidated collection of security and privacy controls that can be used by different communities of interest.
In addition to feedback on the three security control baselines, NIST is also seeking your comments on the privacy control baseline and the privacy control baseline selection criteria. Since the selection of the privacy control baseline is based on a mapping of controls and control enhancements in SP 800-53 to the privacy program responsibilities under OMB Circular A-130, “Managing Information as a Strategic Resource,” suggested changes to the privacy control baseline must be supported by a reference to OMB A-130. Alternatively, you may provide a description and rationale for new or modified privacy control baseline selection criteria.
Feedback on this draft publication is important, NIST said.
“We appreciate each contribution from our reviewers from the public and private sectors, nationally and internationally, to help shape NIST publications to ensure they meet the needs and expectations of our customers.”
Comments are due Sept. 11, 2020. Email comments to: firstname.lastname@example.org. Please use the comment template to record and submit your comments.
SP 800-53B (Draft) (DOI)