The National Institute of Standards and Technology (NIST) released the finalized version of NIST Special Publication (SP) 800-53B on October 29, which updates the security baselines under SP 800-53’s Revision 5 process.
While the document is new, the guidance is familiar – NIST opted to break out its security control baselines and privacy baseline into a new document during the updates to SP 800-53. The low-impact, moderate-impact, and high-impact baselines remain the standard security baselines, with additional guidance on tailoring controls to organizations.
“Every system is important in its own right, but some systems support functions that are more critical to the national and economic security interests of the United States, making them more attractive targets for our adversaries,” said Ron Ross, a NIST Fellow and one of the guide’s authors. “Whether you’re managing risk for a routine business system or one whose breach would compromise our nation’s critical infrastructure, we’ve got a baseline for you,” he added.
The new SP 800-53B also includes a new privacy baseline, aimed at “addressing privacy requirements and managing privacy risks that arise from processing PII based on privacy program responsibilities under OMB Circular A-130,” according to a NIST news release.
While the guidance may not be brand new, it comes as part of a broader effort by NIST to enhance its policies around cybersecurity.
“The publication of SP 800-53, Rev. 5 and SP 800-53B will have a cascading effect on other NIST publications as well as external programs that depend on the NIST controls and baselines,” tweeted Ross.