The Computer Science Division of the National Institute of Standards and Technology has released another draft to the “Security and Privacy Controls for Information Systems and Organizations” for public comment and review.

The publication is an ongoing effort to produce a unified security framework throughout the government. This fifth revision incorporates two new control families focused completely on privacy and integrates other privacy controls throughout the draft — a first for any control catalog. This integration clarifies the relationship of security and privacy, improving overall control selection, and allowing agencies to address security and privacy risks in their entirety.

In addition, the new revision addresses the needs of not only the federal government but also industry and other organizations who have volunteered to take on the control catalog to increase security measures.

For example, the separation of the control selection process from the control catalog and its integration in the NIST Risk Management Framework. This action allows organizations outside the federal government to easily use NIST controls with frameworks they use, like the Cybersecurity Framework.

This newfound diversity includes the needs of groups previously left out, such as system engineers working on privacy and security, component product developers, and other industry professionals concerned with security and privacy.

Other major changes in this draft include:

  • A focus on creating outcome-based structures for privacy and security controls;
  • The integration of risk management and cybersecurity approaches and language, and;
  • The incorporation of new, state-of-practice controls derived from empirical attack data and threat intelligence information.

Anyone with system development responsibilities, security and privacy responsibilities, oversight and risk management responsibilities and other commercial entities are encouraged to provide feedback on the new draft before Sept. 12. The final draft is set to be released in Oct. and the final version to be published no later than the end of 2017.

To read the fifth revision in full, visit