Industry:Draft NIST SP 800-53 Revision 3


Return to Global Industry Committee

Activity Name: Draft NIST SP 800-53 Revision 3

Short Description: Provide a response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"

Related Projects: None

Email Contacts & Roles: Primary: Rex Booth, David Campbell

Mailing list: Please use the Industry Committee list

Objectives:

  • Review the draft SP, in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement

Key Dates:

  • 3 Mar 2009 - Circulate to leaders list for assistance/input
  • 9 Mar 2009 - Initial meeting
  • 26 Mar 2009 - Complete final draft response
  • 27 Mar 2009 - Submit to NIST

Status: Closed

Resources:

  • Call for responses, 5 Feb 2009
  • Full draft text
  • Marked up changes
  • Submit comments to sec-cert(at)

Review plan

The plan is:

  • 3/9: Project kickoff
  • 3/9-3/16: Perform Stage 1 review
  • 3/16: Status meeting
  • 3/16 - 3/23: Perform Stage 2 review
  • 3/23: Status meeting
  • 3/23 - 3/25: Stage 3 activities
  • 3/25: Compile comments
  • 3/26: Submit comments to NIST

Our review is being undertaken in three stages:

Stage 1

Activities: All participants perform a high-level, document-wide review to become familiar with the document. Reviewers should note where Revision 3 has introduced changes and where OWASP has the greatest potential for impact. Developing comments is not required at this stage, but comments are a welcome side-effect.

Results: By the first status meeting, each participant should have three lists: 1) noted updates within the document; 2) areas of the document most closely related to OWASP interests; 3) initial draft comments (if appropriate).

Stage 2

Activities: Participants will be asked to perform a focused review of the sections of the document identified in Stage 1 as most relevant to OWASP. These "target sections" may be divided among project participants depending on the number of participants and the number of target sections.

Results: By the second status meeting, each participant should develop a refined and detailed list of comments for their assigned sections.

Stage 3

Activities: Participants will revise comments as needed and project management will consolidate and format comments for submission to NIST.

Results: A final list of comments for submission to NIST.

Submission Response (latest first)

  • Final version


Identified Sections

The following parts have been identified for review:

(Section # / Page #)

  • 3.3 / 20
  • AC-1 / F-3
  • AC-02
  • AC-03
  • AC-7 / F-8
  • AC-9 / F-9
  • AC-11 / F-10
  • AC-14 / F-11
  • AT-1
  • AT-3
  • AU-02
  • AU-3 / F-21
  • CM-7 / F-38
  • CM-8
  • I-0 / I-1
  • MA-1
  • MA-6
  • RA-5 / F-83
  • SC-2 / F-91
  • SC-18 / F-100
  • SC-19
  • SC-25 / F-103
  • SI-3
  • SI-3 / F-107
  • SI-10 / F-114
  • SI-11 / F-113
  • SI-12 / F-113
