FAQ

Why were the PT and SR control families added in NIST 800-53 Rev. 5?

NIST SP 800-53 Revision 5 added two new control families, PT and SR, to address risk areas that had grown in both importance and complexity beyond what earlier revisions treated explicitly.

PT: Personally Identifiable Information Processing and Transparency

The PT family (Personally Identifiable Information Processing and Transparency) was introduced to:

  • Separate PII-specific obligations from general security and privacy controls, so organizations can clearly see which controls apply when they collect, process, or share PII.
  • Reflect modern privacy practices such as transparency, notice, purpose specification, consent handling, and individual participation, which were not cleanly covered by the earlier PM/AP/SI style controls.
  • Address regulatory evolution (for example, GDPR-like expectations, sector privacy rules, and data-subject rights) in a way that could be mapped into existing risk and control frameworks.

For industrial and regulated environments, PT matters when you have HR data, customer data, or service-related telemetry that contains PII (for example, connected equipment services that capture operator identifiers or support logs). It is not focused on process IP or product design data, but on the handling of information about identifiable individuals.

In practice, the PT family gives you a clear control set to point to in risk assessments, internal audits, and data protection impact assessments, instead of trying to infer PII controls indirectly from other families.

SR: Supply Chain Risk Management

The SR family (Supply Chain Risk Management) was added because ICT and OT supply chains had become a primary risk vector, and prior revisions only addressed this piecemeal. Key drivers included:

  • Increased dependency on third-party components (hardware, firmware, software, cloud services, and managed services), often deeply embedded in systems used in plants and regulated operations.
  • Emerging threats in the supply chain such as counterfeit components, malicious or compromised firmware, untrusted code in libraries, and opaque vendor maintenance practices.
  • Need for structured, lifecycle-based SCRM practices, from requirements and acquisition through deployment, maintenance, and disposal of systems and components.

The SR family makes supply chain risk management a first-class control objective, aligning with broader federal and critical-infrastructure focus on SCRM. For industrial environments with complex vendor ecosystems, this helps make supplier and integrator controls auditable rather than informal expectations scattered across policies, contracts, and engineering practices.

How PT and SR fit with existing control families

Both PT and SR were added to clarify and strengthen coverage, not to replace existing families:

  • PT complements security and privacy controls in other families (for example, AC, AU, SC, and the privacy-focused AP/AR families) by isolating controls that are specifically about how PII is collected, used, and disclosed.
  • SR builds on and references existing controls around acquisition, configuration management, system development, and incident response, but it focuses them on suppliers, integrators, and external dependencies.

In brownfield environments, this typically means:

  • Mapping existing practices (for example, supplier qualification, IT/OT procurement checks, HR data handling) to PT and SR controls, rather than starting from zero.
  • Identifying gaps where past controls assumed trusted suppliers or informal privacy processes that are no longer adequate given current regulatory and threat landscapes.
  • Coexisting with legacy systems where replacing a vendor or technology stack is not realistic because of validation burden, qualification requirements, or downtime constraints; in those cases you emphasize compensating controls, enhanced monitoring, and contractual requirements instead.

Implications for regulated industrial and manufacturing environments

For plants and regulated operations, the addition of PT and SR has several practical consequences:

  • More explicit scrutiny of vendor and integrator risk (SR): OT hardware vendors, MES/ERP/QMS providers, system integrators, and cloud service providers for manufacturing data are now clearly in scope for structured SCRM controls. This often requires updating supplier qualification, contracts, and ongoing performance reviews.
  • More traceable handling of PII (PT): HR systems, training records, access control logs, remote support arrangements, and connected asset data that include operator identifiers now need clearly documented processing purposes, notices, and governance.
  • Greater emphasis on traceability and documented decisions: Both families expect traceable risk-based decisions, not just technical safeguards. That includes who approved a supplier, why certain PII is collected, and how risks are monitored over time.
  • Challenges in full replacement strategies: For SR in particular, NIST does not assume you can simply replace nonconforming suppliers or systems in critical OT or aerospace-grade contexts. Validation cost, qualification requirements, long equipment lifecycles, and downtime risks often mean you adopt layered mitigations rather than rip-and-replace.

Adopting PT and SR effectively in these environments usually requires coordination between operations, engineering, quality, procurement, and IT/OT security, with careful change control and validation where controls touch qualified processes or validated systems.
