NIST SP 800-53r4 now in draft

We finally have a draft NIST SP 800-53r4. My lord, this is taking forever. For good reason, but… still. It’s to be finalized in July, with comments on this draft due to sec-cert@nist.gov by April 6th.

Here are the highlights, in their words since I haven’t had a chance to read it myself:

  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance [ed: a new Appendix J];
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls

But rather than make you read the whole thing over again (you read it, right?) NIST helpfully provided a markup version for the three most significant appendices: