Dear All,
Most software needs updating after its initial release to address bugs, newly identified vulnerabilities, and revisions to features and functionality. But software patches and other changes can introduce new cybersecurity and privacy risks and can impair operations if not managed effectively. To support successful, secure software updates and patches, the National Institute of Standards and Technology (NIST) has finalized modifications to its catalog of security and privacy safeguards to assist both the developers who create patches and the organizations that receive and implement them in their own systems.
Many IT professionals will instantly recognize this catalog as one of NIST’s flagship risk management publications: Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication (SP) 800-53). It is a comprehensive catalog of security and privacy safeguards, called controls, for strengthening the systems, products and services that underlie the nation’s businesses, government and critical infrastructure.
On August 27, 2025, NIST issued a minor release of SP 800-53 (Release 5.2.0) that includes:
New Control/Control Enhancements: SA-15(13), SA-24, SI-02(07)
Revisions to Existing Controls: SI-07(12)
Updates to Control Discussion: SA-04, SA-05, SA-08, SA-08(14), SI-02, SI-02(05)
Updates to Related Controls: All -01 Controls, AU-02, AU-03, CA-07, IR-04, IR-06, IR-08, SA-15, SI-02, SI-07
A list of all the changes in the patch release is available under Supplemental Material.
https://www.nist.gov/news-events/news/2025/08/nist-revises-security-and-privacy-control-catalog-impr...
https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home
Kyaw Myo Oo
Information Security Officer, CB BANK PCL
CCIE #58769 | CISSP | CRISC | PMP | CCSM | SAA-C03 | PCNSE
https://www.linkedin.com/in/kyaw-myo-oo/