May 21, 2022

Volume XII, Number 141



NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53

After many years in draft form, Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, was recently released by NIST in final form to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.

The following are the most significant updates provided by Revision 5:

  • Removal of assignment of control responsibility to either the organization or information system to make the controls more outcome-based.
  • Integration of the information security and privacy controls into a consolidated control catalogue for organizations and information systems.
  • Establishment of a supply chain risk management control family.
  • Separation of control selection processes from the controls to allow the controls to be used by different communities of interest.
  • Removal of control baselines and tailoring guidance, and transfer of that information to NIST SP 800-53B, Control Baselines for Information Systems and Organizations.
  • Clarification of the relationship between requirements and controls and the relationship between security and privacy controls.
  • Incorporation of new, state-of-the-practice controls based on the latest threat intelligence and cyber-attack data.

These controls are mandatory for federal information systems, which include any information system used or operated by an agency or by a contractor on behalf of an agency. Companies will want to review these controls carefully and consider implementing them where appropriate, as NIST controls are often used as a baseline for industry standards in security and privacy and are likely to be seen as “reasonable” for purposes of compliance with broader data security laws.

NIST is also releasing supplemental materials that will be available in the near future. Among these materials will be a comparison of Revision 5 with Revision 4 and control mappings to the Cybersecurity and Privacy Frameworks.

Putting it Into Practice: Federal contractors should review these guidelines closely as these updated controls will be applied to any federal information system used or operated by a contractor on behalf of an agency. Other organizations in the private sector should pay attention as NIST guidance often influences industry standards in security and privacy.


Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 281

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Jonathan E. Meyer, Sheppard Mullin, International Trade Lawyer, Encryption Technology Attorney

Jon Meyer is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Mr. Meyer was most recently Deputy General Counsel at the United States Department of Homeland Security, where he advised the Secretary, Deputy Secretary, General Counsel, Chief of Staff and other senior leaders on law and policy issues, such as cyber security, airline security, high technology, drones, immigration reform, encryption, and intelligence law. He also oversaw all litigation at DHS,...

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.


  • Litigation


  • Communications


  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000


  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri