NIST SP 800-53 Rev 5.2.0: What Changed in August 2025 and What It Means for Your Controls Library
The August 2025 update to SP 800-53 introduced significant changes to the Supply Chain Risk Management (SR) family and new overlays for AI systems.
NIST released Special Publication 800-53 Revision 5.2.0 in August 2025. While not a comprehensive rewrite, the update introduces meaningful changes that directly affect control libraries for any organization aligned to the NIST framework — particularly those managing supply chain risk and AI systems.
What Changed
Supply Chain Risk Management (SR) Family — 7 New Controls
The SR control family received the most significant expansion. Seven new controls address gaps identified in post-SolarWinds and post-MOVEit supply chain incident analyses:
- **SR-11(4): Provenance Tracking for Software Components** requires tracking the provenance of all third-party software components, including open-source libraries. Software Bills of Materials (SBOMs) are explicitly referenced as an acceptable implementation mechanism.
- **SR-12: Notification and Transparency** requires notifying organizations of known or suspected compromise of any delivered product or service within defined timeframes.
AI System Overlay — New in Rev 5.2.0
For the first time, SP 800-53 includes an AI System Overlay — a set of tailored control baselines for systems that incorporate machine learning models. Key additions include:
- Model documentation and transparency requirements (AC family extension)
- Adversarial input testing procedures (SI-10 expansion)
- Model drift monitoring as a continuous monitoring requirement (CA-7 extension)
Access Control (AC) — 3 Modified Controls
AC-2, AC-3, and AC-17 were updated to explicitly address non-human identities — service accounts, API keys, and machine identities — which were addressed implicitly in Rev 5.1 but are now formally scoped.
What You Need to Update
If your control library is mapped to SP 800-53:
1. **Review your SR control assessments** — any existing SR-10 (Inspection of Systems or Components) assessments should be supplemented with the new SR-11(4) provenance requirements.
2. **Add SBOM requirements to vendor contracts** — SR-12 creates a contractual notification requirement that should flow down to your critical suppliers.
3. **Assess AI System Overlay applicability** — if your organization uses ML-based tools (e.g., AI-assisted threat detection, LLM-powered applications), the overlay applies.
4. **Update non-human identity inventories** — AC-2, AC-3, and AC-17 now formally require service accounts and API keys to be in scope for access reviews.
Impact on PostureIQ
PostureIQ's control library was updated to reflect Rev 5.2.0 on September 1, 2025. Customers on active subscriptions will see the updated controls automatically. If you have an existing CSF 2.0 mapping, the SR family additions primarily affect the **GV.SC (Cybersecurity Supply Chain Risk Management)** subcategory scores.
See how Vigil automates this.
Start a free 14-day trial or book a demo to see how PostureIQ, Clio, and ComplianceGuard handle this automatically for your organization.