March 27, 2023

Volume XIII, Number 86


March 24, 2023

Subscribe to Latest Legal News and Analysis

NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B

NIST’s news draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.”   The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.

This guidance provides security control baselines for low, moderate, and high-impact systems and an initial privacy baseline for meeting and managing privacy risks that arise from processing personally identifiable information. These control baselines are organized and mapped out to 20 control families from SP 800-53 (Revision 5), including Personally Identifiable Information Processing and Transparency and Supply Chain Risk Management. It also outlines a tailoring process in which companies can align their controls to more closely address the specific security and privacy requirements required by their specific circumstances. The goal of this process is to provide cost-effective solutions to support organizational missions and business needs along with adequate security and privacy protections commensurate with risk.

Companies can tailor the control baselines through use of common controls, applying scoping considerations, selecting compensating controls, assigning control parameter values, supplementing control baselines, or providing specification information for control implementation.

When making tailoring decisions, companies need to address every control in the selected baseline and document the rationale of the tailoring decisions. In particular, if a control is determined not to be needed, the rationale must be recorded in the system and in the security plans, which must be subsequently approved by responsible individuals within the company.

NIST is soliciting comments on this draft guidance through the end of the public comment period on September 11, 2020.

Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 219

About this Author

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.


  • Litigation


  • Communications


  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000


  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Jonathan E. Meyer, Sheppard Mullin, International Trade Lawyer, Encryption Technology Attorney

Jon Meyer is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Mr. Meyer was most recently Deputy General Counsel at the United States Department of Homeland Security, where he advised the Secretary, Deputy Secretary, General Counsel, Chief of Staff and other senior leaders on law and policy issues, such as cyber security, airline security, high technology, drones, immigration reform, encryption, and intelligence law. He also oversaw all litigation at DHS,...