Governance · 5 min read · Credibility 86/100

Governance Briefing — NIST releases public draft of SP 800-53 Revision 5 security and privacy controls

NIST posted the public draft of SP 800-53 Revision 5 on 16 March 2020, updating the security and privacy control catalog with outcome-focused language, supply chain risk management, and control baselines aligned to modern threats.

Executive briefing: NIST released the public draft of SP 800-53 Revision 5 on 16 March 2020, proposing updates to the security and privacy control catalog to make controls outcome-based and address modern supply chain, cloud, and DevSecOps practices.

What changed

  • Introduces dedicated supply chain risk management controls and integrates privacy controls directly into the main catalog.
  • Recasts controls with outcome-focused language to improve applicability across technologies and deployment models.
  • Aligns control families with modern threat areas including insider risk, mobile code, and resilience.
  • Seeks public comments ahead of issuing final Revision 5 baselines.

Why it matters

  • Federal contractors and regulated industries will need to map existing baselines to the revised control statements once finalized.
  • Privacy requirements are embedded with security controls, affecting system security plans and assessment procedures.
  • New supply chain expectations increase due diligence demands on vendors and open-source dependencies.

Action items for operators

  • Review control changes against current SSPs and POA&Ms to identify potential scope increases, especially in supply chain and privacy controls.
  • Engage governance and architecture teams to evaluate how outcome-based controls map to cloud services and DevSecOps pipelines.
  • Prepare comments or internal gap assessments to accelerate transition when Revision 5 is finalized.