New supplemental materials for NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, are available for download to support the December 10, 2020 errata release of SP 800-53 and SP 800-53B, Control Baselines for Information Systems and Organizations. Errata updates to SP 800-53 Rev. 5 and SP 800-53B address errors, omissions, and clarifications based on internal review and stakeholder feedback—they do not fundamentally change the underlying technical specifications. Each document includes an errata table that identifies the updates.
New resources are intended to support organizations transitioning from SP 800-53 Revision 4 to Revision 5; they are posted in the Supplemental Material section of the SP 800-53 publication details. These include an analysis of the changes from Revision 4 to Revision 5 of SP 800-53 and a mapping of the Appendix J Privacy Controls (Revision 4) to Revision 5. Control mappings to the NIST Cybersecurity Framework, Privacy Framework, and ISO 27001 are also provided.
Specifically, the supplemental materials include:
The spreadsheet describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes. Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
The spreadsheet supports organizations using the privacy controls in Appendix J of SP 800-53 Revision 4 that are transitioning to the integrated control catalog in Revision 5.
The mappings provide organizations a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging the mappings, it is important to consider the intended scope of each publication and how each publication is used; organizations should not assume equivalency based solely on the mapping tables because mappings are not always one-to-one and there is a degree of subjectivity in the mapping analysis.
The Open Security Control Assessment Language (OSCAL) version of the SP 800-53 Revision 5 controls and SP 800-53B control baselines and spreadsheet versions of controls/baselines will be available soon.
For questions, comments, and feedback, please contact sec-cert [at] nist.gov (sec-cert[at]nist[dot]gov).