800-53 rev4 Changes

NIST periodically revises their catalog of security controls, “NIST SP 800-53 Recommended Security Controls for Federal Information Systems”. Rev 4 is the most recent version. Here are some of the changes:


  • A few existing controls have been re-assigned to new IMPACT level baselines
  • Many new controls have been added – some are not assigned to any baseline (making them optional)
  • Many existing control enhancements (CEs) have been re-assigned to new IMPACT level baselines
  • About two hundred new control enhancements (CEs) have been added – some are not assigned to any baseline (making them optional)
  • There are now around 450 or so optional controls and control enhancements that are not assigned to any baseline. These are all available to be used in the Tailoring process.
  • The family “class” labels have been eliminated (management, operational, technical)
  • New baseline tables added in Appendix D


  • Controls and Enhancements –
    • Some old controls (and CEs) withdrawn
    • Many new controls (and CEs) added
      [+privacy controls and control enhancements in Appendix J]
    • All Control Enhancements (CEs) now have names
  • Clarifications and Guidance
    • Many changes have been made to the “supplemental guidance” area, many new “related controls” are listed, there are many new additions to the control parameters that aid in customizing controls to a specific environment
    • The “CLASS” designations (Management, Operations, Technical) have been dropped.
  • PM Family – new controls = 12, 13, 14, 15, 16
  • AC Family – new controls = 23, 24, 25
  • AU Family – new controls = 15, 16
  • CA Family – new controls = 8, 9
  • CM Family – new controls = 10, 11
  • CP Family – new controls = 11, 12, 13
  • IA Family – new controls = 9, 10, 11
  • IR Family – new controls = 9, 10
  • MP Family – new controls = 7, 8
  • PE Family – new control = 20
  • PL Family – new controls = 7, 8, 9
  • RA Family – new control = 6
  • SA Family – new controls = 15, 16, 17, 18, 19, 20, 21, 22
  • SC Family – new controls = 35, 36, 37, 38, 39, 40, 41, 42, 43, 44
  • SI Family – new controls = 14, 15, 16, 17

TRUSTWORTHINESS – This involves a degree of confidence in the security capability of an information system that depends upon: its ability to preserve confidentiality, integrity and availability and its ability to operate with resilience within defined levels of risk. Security capability includes: prevention, limiting damage, response, and recovery. It is commonly measured by two factors:

  • Functionality – determined by the security features and functions employed within information systems and their operating environment.
  • Assurance – The measure of confidence that the security functions and features are effective. Assurance is provided both by actions taken during development and during normal operations (such as assessments, auditing, monitoring, remediation…) Assurance controls are existing 800-53 security controls that can be selected in addition to the normal baseline controls for the purpose of creating a needed assurance level. They have been designated for the LOW, MODERATE, HIGH impact level baselines and also for an ENHANCED level. There are 92 controls and 188 control enhancements in total for all four levels.

[NOTE – a section on Assurance (in the main body of 800-53) and Appendix E on assurance controls were present in rev3, and have been expanded in rev4]

Tailoring guidance allows customization of security controls to ensure that they provide good protection even when applied across varying operational environments. Tailoring was introduced in the previous version of 800-53 but has been expanded and changed:

  • Both assumptions that were made about baselines and assumptions that were not made about baselines are listed
  • Common Controls have been split out from the Scoping section, adding more emphasis to their utility
  • The Scoping considerations have been revised
  • Supplementary controls were previously a separate section, but now are including under the general umbrella of Tailoring (most scoping accomodates subtracting controls from baselines and supplementing allows controls to be added to baselines)

Overlays allow a commonly used set of tailoring changes to be applied across many areas. Similar communities of interest may find it useful to develop a collection of tailoring changes designed for their operational environment. Documenting this collection as an overlay allows the groups to share experience and knowledge and increase assurance when connections between systems are desired. Overlays can be developed for a wide variety of viewpoints:

  • cloud computing
  • mobile devices
  • industry sectors and missions
  • types of threats
  • specific regulatory requirements
  • interest groups/communities
  • unique operating environments

A new Appendix J has been added to discuss privacy and list the 35 new privacy controls and control enhancements.
They are divided into eight families:

  • Authority and Purpose (AP)
  • Accountability, Audit, and Risk Management (AR)
  • Data Quality and Integrity (DI)
  • Data Minimization and Retention (DM)
  • Individual Participation and Redress (IP)
  • Security (SE)
  • Transparency (TR)

Use Limitation (UL)

Appendix I on Industrial Control Systems has been deleted. An overlay can be used for ICS related controls.
More notes, tips, and explanations (gray boxes) have been added throughout the document.
A mapping of controls to Common Criteria (ISO 15408) has been added.

New OPSEC Controls in 800-53 rev4
New Insider Threat Controls in 800-53 rev4 DRAFT
800-53 rev3 FINAL

Comments are closed.