Draft NIST Special Publication 800 -53 Revision 5 Security and Privacy Controls for Information Systems and Organizations JOINT TASK FORCE FINAL PUBLIC DRA FT This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800- 53r5 -draft This publication contains a consolidated catalog of security and privacy controls for information systems and organizations. Federal security and privacy control baselines will be published in NIST Special Publication 800 -53B. Draft NIST Special Publication 800 -53 Revision 5 Security and Privacy Controls for Information Systems and Organizations JOINT TASK FORCE This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800- 53r5 -draft March 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology NIST SP 800 -53 REV . 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORM ATION SYSTEMS AND ORGANIZATIONS _________________________________________________________________________________________________ PAGE i Authority 1 This publication has been developed by NIST to further its statutory responsibilities under the 2 Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq. , Public Law 3 (P.L.) 113 -283. NIST is responsible for developing information secu rity standards and guidelines, 4 including minimum requirements for federal information systems . Such information security 5 standards and guidelines shall not apply to national security systems without the express 6 approval of the appropriate federal officials exercising policy authority over such systems. This 7 guideline is consistent with the requirements of the Office of Management and Budget (OMB) 8 Circular A-130. 9 Nothing in this publication should be taken to contradict the standards and guidelines made 10 mand atory and binding on federal agencies by the Secretary of Commerce under statutory 11 authority. Nor should these guidelines be interpreted as altering or superseding the existing 12 authorities of the Secretary of Commerce, OMB Director, or any other federal of ficial. This 13 publication may be used by nongovernmental organizations on a voluntary basis and is not 14 subject to copyright in the United States. Attribution would, however, be appreciated by NIST. 15 National Institute of Standards and Techno logy Special Publication 800 -53, Revision 5 16 Natl. Inst. Stand. Technol. Spec. Publ. 800 -53, Rev. 5, 480 pages ( March 2020 ) 17 CODEN: NSPUE2 18 This publication is available free of charge from: 19 https://doi.org/10.6028/NIST.SP.800- 53r5 -draft 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 Public comment period: March 16 through May 15, 2020 35 National Institute of Standards and Technology 36 Attn: Computer Security Division, Information Technology Laboratory 37 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899 -8930 38 Email: [email protected] 39 All comments are subject to release under the Freedom of Information Act (FOIA) [FOIA96 ]. 40 Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to i mply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibil ities. The information in this publication, includi