Control Baselines for Information Systems and Organizations: NIST Publishes SP 800-53B


Brewer, Jeffrey (Fed)

Oct 29, 2020, 12:08:17 PM10/29/20
to sec-cert

NIST Special Publication (SP) 800-53B, Control Baselines for Information Systems and Organizations, provides security and privacy control baselines for the Federal Government. SP 800-53B is a companion publication to SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.

Control baselines provide a starting point for organizations in the security and privacy control selection process. SP 800-53B includes three security control baselines (one for each system impact level: low-impact, moderate-impact, and high-impact), as well as a privacy control baseline that is applied to systems irrespective of impact level. The privacy control baseline supports federal agencies in addressing privacy requirements and managing privacy risks that arise from processing personally identifiable information based on privacy program responsibilities under OMB Circular A-130.

In addition to the control baselines, SP 800-53B provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. By using the tailoring guidance and assumptions provided, organizations can customize their security and privacy control baselines to protect their critical and essential operations and assets, and protect individuals' privacy. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. NIST has also developed the Security Control Overlay Repository (SCOR), providing stakeholders with a platform for voluntarily sharing security control overlays. See the SCOR page to learn more about the repository, including instructions on how to submit an overlay, and to obtain a list of published overlays. 

(Coming soon) The control baselines in SP 800-53B will also be available in spreadsheet format and in the Open Security Assessment Language (OSCAL) format, linked as supplemental materials in the publication details.

Jeff Brewer

Management and Program Analyst

Information Technology Lab, Computer Security Division,

National Institute of Standards and Technology

301-975-2489

Jeffrey...@nist.gov
