NIST Risk Management Framework | CSRC

August 27, 2025: In response to Executive Order 14306, NIST SP 800-53 Release 5.2.0 has been finalized and is now available on the Cybersecurity and Privacy Reference Tool. Release 5.2.0 includes changes to SP 800-53 and SP 800-53A, there are no changes to the baselines in SP 800-53B. A summary of the changes is available, and replaces the "preview version" issued on August 22 (no longer available). 

August 22, 2025: A preview of the updates to NIST SP 800-53 (Release 5.2.0) is available on the Public Comment Site. This preview will be available until NIST issues Release 5.2.0 through the Cybersecurity and Privacy Reference Tool. SP 800-53 Release 5.2.0 will include:

• New Control/Control Enhancements and Assessment Procedures: SA-15(13), SA-24, SI-02(07)
• Revisions to Existing Controls: SI-07(12)
• Updates to Control Discussion: SA-04, SA-05, SA-08, SA-08(14), SI-02, SI-02(05)
• Updates to Related Controls: All -01 Controls, AU-02, AU-03, CA-07, IR-04, IR-06, IR-08, SA-15, SI-02, SI-07

August 14, 2025: The NIST SP 800-53 Control Overlays for Securing AI Systems Concept Paper is available for comment, and we welcome stakeholders to join the NIST Overlays Securing AI Systems Slack Collaboration to engage in facilitated discussions with the NIST principal investigators and other subgroup members, share ideas, provide real-time feedback, and contribute to overlay development.

August 6, 2025: The expedited public comment period on the NIST SP 800-53 controls is closed.  Thank you for your feedback!  We expect to issue SP 800-53 Release 5.2.0 through the Cybersecurity and Privacy Reference Tool in the coming weeks.

July 22, 2025: Proposed updates to the NIST SP 800-53 controls addressing secure and reliable patches available for comment through August 5, 2025 on the NIST SP 800-53 Public Comment Site. See more detail about the changes, view the changes and submit your feedback on the NIST SP 800-53 Public Comment Site.  

June 4, 2025: NIST invites comments on the initial public draft of SP 800-18r2, Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems. The public is invited to provide input by July 30, 2025.