NIST SP 800-53r4 now in draft

We finally have a draft NIST SP 800-53r4. My lord, this is taking forever. For good reason, but… still. It’s to be finalized in July, with comments on this draft due by April 6th.

Here are the highlights, in their words since I haven’t had a chance to read it myself:

  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance [ed: a new Appendix J];
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls.

But rather than make you read the whole thing over again (you read it, right?), NIST helpfully provided a markup version for the three most significant appendices: