The Ultimate Guide to NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems

What is NIST SP 800-53?

Developed by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is a collection of specific safeguarding measures that can be used to protect an organization’s operations and data and the privacy of individuals. In fact, NIST SP 800-53 is considered the gold standard for information security and is cross-referenced by many other industry-accepted security standards.

Any organization, regardless of its size, sector, or technology environment, can use NIST SP 800-53 security and privacy controls to maintain the security of its information systems and mitigate privacy risks. The controls can be customized and implemented as part of a firm-wide process to manage risks such as hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

Can NIST SP 800-53 improve my security system?

Yes. Although NIST SP 800-53 was originally designed for use by U.S. federal government agencies, it can help organizations in all industries improve the security of their information systems. NIST SP 800-53 contains a set of security and privacy safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud systems, mobile systems, industrial control systems, and Internet of Things (IoT) devices.

The consolidated control catalog addresses security and privacy from a functionality perspective and an assurance perspective. Addressing functionality and assurance helps an organization gain confidence that its information technology products and the systems that rely on those products are sufficiently trustworthy.

In many cases, implementing NIST SP 800-53 Rev 5 will help organizations meet other regulations that deal with cyber risk and information security, such as HIPAA, FISMA, or SOX, because many other frameworks use NIST SP 800-53 as their reference framework.

NIST SP 800-53 control families

According to NIST SP 800-53 Rev. 5, controls can be viewed as “descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements.”

NIST SP 800-53 Rev. 5 lists 20 families of controls that provide operational, technical, and managerial safeguards to ensure the privacy, integrity, and security of information systems.

Each family holds controls that are related to the specific topic of the family. Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, and automated mechanisms that are implemented by systems. Below is a table that lists the security and privacy control families and their associated family identifiers.

TABLE 1: NIST SP 800-53 Security and Privacy Control Families

Families of controls contain base controls and control enhancements, which are directly related to their base controls. Control enhancements either add functionality or specificity to a base control or increase the strength of a base control. Control enhancements should be used in systems and environments of operation that require greater protection than the protection provided by the base control. 

SP 800-53 Rev. 5 security and privacy controls follow a standardized structure: a base control section, a discussion section, a related controls section, a control enhancements section, and a references section. Figure 1 illustrates the structure of a typical control.

Figure 1: Illustration of a typical NIST SP 800-53 control structure

Many organizations have chosen to use NIST SP 800-53 controls as the baseline for their security and privacy controls because the controls in the catalog, with a few exceptions, are policy-, technology-, and sector-neutral; they focus on the fundamental measures necessary to protect information and the privacy of individuals across the information lifecycle. 

However, it is up to each organization to analyze each security and privacy control for its applicability to its specific technologies, environments of operation, mission, and business functions, and to tailor the controls that have variable parameters. To access the entire SP 800-53 controls catalog, you can visit the NIST SP 800-53 Rev. 5 publication or sign up for Hyperproof.

To help organizations figure out which specific controls from the SP 800-53 Rev. 5 catalog they should implement to suit their unique situation, NIST has published a companion publication, titled SP 800-53B.

5 control families to pay attention to

Since SP 800-53 Rev. 5 has 20 control families, it’s important that you prioritize your efforts based on the areas that will have the highest impact. In today’s environment, where many people are now working from home, potentially using unauthorized networks and applications and their personal devices, you’ll need to pay particular attention to five control families to ensure adequate protection of your systems: Access Control, Configuration Management, Control Assessments, Monitoring/Logging, and Training.

1. Access control family

This control family addresses who or what can view or use resources in a computing environment.

2. Awareness and training family

Organizations should provide foundational and advanced levels of awareness training to system users, including measures to test users’ knowledge level.

3. Audit and accountability family

To balance monitoring and auditing requirements with other system needs, this control family also requires identifying the subset of event types that are logged at a given point in time.

4. Control assessment (authorization and monitoring) family

Policies and procedures help provide security and privacy assurance.

5. Configuration management family

Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture.

Those control families cover the basics and will give you a minimal level of protection. From there, you can work on the other areas.

What are control baselines in NIST SP 800-53B?

NIST SP 800-53B, Control Baselines for Information Systems and Organizations, provides security and privacy control baselines for the Federal Government and private sector organizations. SP 800-53B is a companion publication to SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. 

SP 800-53B includes three security control baselines (one for each system impact level: low-impact, moderate-impact, and high-impact), as well as a privacy control baseline that is applied to systems irrespective of impact level. The privacy control baseline supports federal agencies in addressing privacy requirements and managing privacy risks that arise from processing PII based on privacy program responsibilities under OMB Circular A-130.

Baselines are there to help organizations select a set of controls for their systems that is commensurate with their security and privacy risk. According to NIST guidance, the security baseline selected for systems should be “commensurate with the potential adverse impact on an organization’s operations, organizational assets, individuals, and other organizations if there is a loss of confidentiality, availability or integrity.” Here’s what the three levels mean: 

  • A low-impact system is defined as a system in which all three of the security objectives are low; 
  • A moderate-impact system is a system in which at least one of the security objectives is moderate and no security objective is high; 
  • A high-impact system is a system in which at least one security objective is high. 

Once an organization has selected an appropriate security baseline, it tailors the controls to align them more closely with the specific security and privacy requirements it has identified. Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individuals’ privacy interests, laws, executive orders, policies, regulations, or industry best practices.

Here are some ways in which controls can be tailored: 

  • Identify and designate common controls
  • Apply scoping considerations
  • Select compensating controls
  • Assign values to organization-defined control parameters via explicit assignment and selection operations
  • Supplement baselines with additional controls and control enhancements
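To make the impact-level rule and the tailoring actions above concrete, here is an added Python example; it is not code from the page, from NIST, or from Hyperproof. It implements the high-water-mark rule for the system impact level, selects controls from a constructed excerpt of baseline membership (the AC-1 and AC-2 rows follow what this page states; everything else is a labelled assumption), applies the five tailoring actions with a recorded justification for each, and flags organization-defined parameters that were never assigned. The parameter names are illustrative assumptions, not the catalog's wording.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact level for one security objective or for a whole system."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


def system_impact(confidentiality: Impact, integrity: Impact, availability: Impact) -> Impact:
    """High-water mark: low only if all three objectives are low, moderate if at
    least one is moderate and none is high, high if any objective is high."""
    objectives = (confidentiality, integrity, availability)
    if Impact.HIGH in objectives:
        return Impact.HIGH
    if Impact.MODERATE in objectives:
        return Impact.MODERATE
    return Impact.LOW


# Constructed excerpt of baseline membership. The AC-1 and AC-2 rows follow the
# text on this page; the SP 800-53B tables are the authoritative source.
SECURITY_BASELINES = {
    "AC-1":    {Impact.LOW, Impact.MODERATE, Impact.HIGH},
    "AC-2":    {Impact.LOW, Impact.MODERATE, Impact.HIGH},
    "AC-2(1)": {Impact.MODERATE, Impact.HIGH},
    "AC-2(2)": {Impact.MODERATE, Impact.HIGH},
    "AC-2(3)": {Impact.MODERATE, Impact.HIGH},
}
PRIVACY_BASELINE = {"AC-1", "AC-2"}

# Constructed (assumed) organization-defined parameters that must be assigned
# before a control counts as implemented; the names are illustrative only.
REQUIRED_PARAMETERS = {
    "AC-2(2)": ["temporary_account_removal_period"],
    "AC-2(3)": ["inactivity_period"],
}


def select_baseline(level: Impact, processes_pii: bool = False) -> set[str]:
    """Security baseline for the impact level, plus the privacy baseline when PII is processed."""
    selected = {c for c, levels in SECURITY_BASELINES.items() if level in levels}
    if processes_pii:
        selected = selected | PRIVACY_BASELINE
    return selected


@dataclass
class Tailoring:
    """The five tailoring actions, each decision carrying its own rationale."""
    common: dict[str, str] = field(default_factory=dict)           # control -> provider
    scoped_out: dict[str, str] = field(default_factory=dict)       # control -> rationale
    compensating: dict[str, tuple[str, str]] = field(default_factory=dict)  # control -> (substitute, rationale)
    parameters: dict[str, dict[str, str]] = field(default_factory=dict)     # control -> assigned values
    supplements: set[str] = field(default_factory=set)             # controls added beyond the baseline


def tailor(selected: set[str], t: Tailoring) -> dict[str, dict]:
    """Apply the tailoring decisions and return one plan entry per control."""
    conflicts = set(t.scoped_out) & set(t.compensating)
    if conflicts:  # a control cannot be both removed and compensated for
        raise ValueError(f"scoped out and compensated at once: {sorted(conflicts)}")
    plan = {}
    for control in sorted(selected | t.supplements):
        entry = {"implementation": "system-specific",
                 "parameters": dict(t.parameters.get(control, {})),
                 "supplemental": control not in selected}
        if control in t.scoped_out:
            entry["implementation"] = "not applicable"
            entry["justification"] = t.scoped_out[control]
        elif control in t.compensating:
            substitute, rationale = t.compensating[control]
            entry["implementation"] = f"compensating: {substitute}"
            entry["justification"] = rationale
        elif control in t.common:
            entry["implementation"] = f"common: inherited from {t.common[control]}"
        plan[control] = entry
    return plan


def unassigned_parameters(plan: dict[str, dict]) -> dict[str, list[str]]:
    """Applicable controls that still carry an unassigned organization-defined parameter."""
    missing = {}
    for control, entry in plan.items():
        if entry["implementation"] == "not applicable":
            continue
        needed = [p for p in REQUIRED_PARAMETERS.get(control, []) if p not in entry["parameters"]]
        if needed:
            missing[control] = needed
    return missing


if __name__ == "__main__":
    level = system_impact(Impact.LOW, Impact.MODERATE, Impact.LOW)  # MODERATE
    decisions = Tailoring(common={"AC-1": "agency-wide policy program"},
                          parameters={"AC-2(3)": {"inactivity_period": "90 days"}})
    plan = tailor(select_baseline(level, processes_pii=True), decisions)
    for control, entry in plan.items():
        print(control, entry["implementation"], entry["parameters"])
    print("unassigned:", unassigned_parameters(plan))  # AC-2(2) still needs a value
```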

What’s the difference between NIST CSF and NIST 800-53?

NIST Cybersecurity Framework (CSF) is a subset of NIST SP 800-53 Rev 5. Given that NIST CSF is more limited in scope, starting with NIST CSF may be a reasonable choice for smaller companies that need a set of “best practices” to align to.

Exploring the structure of the NIST CSF framework core

At the core of the NIST Cybersecurity Framework (CSF) lies the Framework Core, a set of guidelines that outlines five critical cybersecurity functions necessary for a robust security program. These functions offer a high-level categorization of cybersecurity outcomes and are supported by more detailed levels of guidance: categories, subcategories, and informative references.

NIST Framework Core Structure broken into subcategories: identify, protect, detect, respond, and recover

Here’s a breakdown of the Framework Core’s elements:

  1. Functions: The primary functions serve as the foundational pillars for cybersecurity activities. These include Identify, Protect, Detect, Respond, and Recover.
  2. Categories: For more detailed organization, each primary function is broken down into categories. These are specific outcomes like “Asset Management,” “Access Control,” and “Incident Detection.”
  3. Subcategories: To drill down further, categories are divided into subcategories, describing precise security outcomes such as “Maintenance of an inventory of information systems” or “Protections against unauthorized access to data.”
  4. Informative References: These references provide concrete examples of how to achieve the desired outcomes described in the subcategories. They often refer to sections of established standards and guidelines, including but not limited to COBIT, ISO/IEC standards, CIS Controls, and other NIST publications.

Response Planning & Communication chart broken up into categories and subcategories and informative references

The accompanying visual, which can be found in Appendix A of the CSF, depicts the interplay between the functions, categories, subcategories, and informative references concerning the “Respond” function.

This appendix acts as a comprehensive checklist, allowing cybersecurity teams to verify their program against the Framework Core’s functions, ensuring that necessary categories and subcategories are in place and align with the associated informative references’ guidance.

Does NIST SP 800-53 overlap with other security frameworks?

Nearly all other frameworks and certification programs use NIST SP 800-53 or ISO 27001 as a baseline reference. In fact, NIST SP 800-53 has broad overlap with most security and privacy frameworks. For instance, the security controls from NIST SP 800-53 Rev. 5 map to ISO 27001:2013, a standard that specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks.

However, two control sets may address similar topics from a different context, perspective, or scope. Each organization still needs to assess whether a control taken from NIST SP 800-53 would fully satisfy the requirements of ISO 27001 without modification.

What are the best practices for NIST SP 800-53 compliance?

To work your way towards full compliance, you’ll need to understand and work through some key steps:

Discover and classify sensitive data

Start by locating and securing all your sensitive data and then classifying it based on your business policy. You want to conclude this phase of discovery with knowledge of your sensitive data, the vulnerabilities within your system, and potential threats in your environment.

Map data and permissions

Here you want to establish an understanding of who can access what data. The critical action step is identifying all user, group, folder, and file permissions within your system.

Manage access control

Managing access starts with creating rules to govern who can access what information. These rules must be well known and strictly enforced. Action steps for improved access control involve inactivating stale user accounts, proactively managing user and group memberships, and working from a “least privilege” model, which involves giving users the least amount of access they need to do their job.

Monitor data, file activity, and user behavior

Start by keeping records of how users access systems and data files. Use these records to create a baseline of regular activity to help identify anomalies such as weird access locations, rapid access upgrades, and sudden mass movements of data. Be sure to install a set of controls designed to monitor and detect insider threats, malware, and misconfigurations. Any vulnerabilities, anomalies, or attempted breaches should be discovered and remediated quickly.

Educate all staff

It’s important to educate your employees on what they need to do (and what to avoid) to keep networks and company data secure. Management should provide employees with tactical knowledge on how to deal with the cyber threats organizations are most likely to face, such as email scams, malware, insecure passwords, unsafe internet browsing habits, removable media, etc.

Assess controls’ effectiveness

NIST SP 800-53 recommends organizations deploy security assessment tools to gauge their real-time security posture. These software tools, created by security experts, measure the effectiveness of all organizational security measures and suggest system improvements based on empirical evidence.

But once your team has installed the appropriate controls and implemented NIST SP 800-53 security and privacy controls, you’ll need to make sure that your controls are implemented correctly and produce the desired outcome for meeting your organization’s security requirements.

NIST Special Publication 800-53A establishes standard assessment procedures to assess security controls’ effectiveness in information systems, specifically those controls listed in NIST SP 800-53. These recommended assessment procedures provide a starting point for developing more specific procedures and can be supplemented by your organization if it’s deemed necessary according to your risk assessment. Keep in mind that your organization may create additional assessment procedures for those security controls not contained in NIST Special Publication 800-53.

NIST 800-53: Frequently Asked Questions

NIST SP 800-53 generally applies to all United States federal government agencies and some contractors, as well as organizations that are contractually obligated to implement NIST SP 800-53 and those that deliberately choose to. This can include organizations that handle federal information systems and data, ensuring they adhere to stringent security and privacy controls to protect sensitive information.

NIST SP 800-53 has around 1,000 security controls. These security controls are organized into the following 20 control families.

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Assessment, Authorization, and Monitoring (CA)
  5. Configuration Management (CM)
  6. Contingency Planning (CP)
  7. Identification and Authentication (IA)
  8. Incident Response (IR)
  9. Maintenance (MA)
  10. Media Protection (MP)
  11. Physical and Environmental Protection (PE)
  12. Planning (PL)
  13. Program Management (PM)
  14. Personnel Security (PS)
  15. Personally Identifiable Information (PII) Processing and Transparency (PT)
  16. Risk Assessment (RA)
  17. System and Services Acquisition (SA)
  18. System and Communications Protection (SC)
  19. System and Information Integrity (SI)
  20. Supply Chain Risk Management (SR)

The specific NIST SP 800-53 controls that organizations must comply with are determined based on various factors, including the organization’s industry, the type of federal information systems they manage, and specific requirements set by the federal government. 

Organizations conduct risk assessments and tailor controls to their unique operational environments, ensuring they address relevant threats and vulnerabilities.

ISO 27001 is an international standard that provides a framework for Information Security Management Systems (ISMS) with a focus on maintaining the confidentiality, integrity, and availability of information by applying a risk management process. The standard is globally recognized and used by organizations across diverse industries.

NIST SP 800-53, on the other hand, is a U.S. standard specifically developed for federal information systems and organizations that is also used by some private sector organizations. It provides a catalog of security and privacy controls to protect federal information systems against a range of threats. While ISO 27001 offers a high-level framework, NIST SP 800-53 provides more detailed and prescriptive controls, often requiring organizations to implement specific technical and procedural safeguards.

The primary goal of NIST SP 800-53 is to protect information systems against cybersecurity incidents, privacy breaches, malicious attacks, and mistakes or human error. 

It aims to ensure the confidentiality, integrity, and availability of federal information systems by providing a comprehensive set of controls that address a wide range of security and privacy risks.

NIST SP 800-53 Revision 5 introduces several significant changes designed to improve the security and privacy posture of organizations. The integration of privacy controls, emphasis on outcome-based controls, consolidation and clarification of controls, increased flexibility, modernization, and baseline changes reflect a comprehensive update aimed at addressing contemporary security and privacy challenges.

Integration of privacy controls

Privacy controls are now integrated into the main control catalog rather than being a separate appendix. This integration ensures that privacy considerations are addressed alongside security requirements, enhancing the protection of Personally Identifiable Information (PII) and other sensitive data.

Outcome-based controls

NIST SP 800-53 rev. 5 placed an emphasis on achieving specific security and privacy outcomes rather than prescribing how to implement controls. This allows organizations to adopt a more flexible and results-oriented approach, tailoring their security measures to their unique environments and risk profiles.

Consolidation and clarification

Controls have been streamlined to reduce redundancy and improve clarity. This involves merging similar controls and clarifying their descriptions to make them easier to understand and implement. The goal is to enhance usability and ensure that organizations can efficiently apply the controls.

Increased flexibility

The revision provides organizations with greater flexibility to tailor controls to their specific needs. This includes selecting and prioritizing controls based on their risk environment, operational requirements, and the specific threats they face. This flexibility is crucial for organizations with diverse operational contexts and varying levels of risk.

Modernization of controls

Controls have been updated to address modern and emerging threats, technologies, and practices. This includes considerations for cloud computing, mobile devices, Internet of Things (IoT), and other advancements in technology. The modernization ensures that the controls remain relevant and effective in the face of evolving cyber threats.

Baseline changes

Privacy Baseline

Controls such as “Policy and Procedures” (AC-1) and “Account Management” (AC-2) are marked as relevant for the privacy baseline. This indicates a stronger emphasis on privacy in foundational policies and procedures.

Enhancements such as “Automated System Account Management” (AC-2(1)) and “Disable Accounts” (AC-2(3)) are not included in the privacy baseline, suggesting a more focused approach on privacy-specific controls.

Security Control Baselines (Low, Moderate, High)

Core controls like “Policy and Procedures” (AC-1) are consistently included across all security baselines (low, moderate, and high), highlighting their fundamental importance.

More advanced controls, such as “Automated System Account Management” (AC-2(1)) and “Automated Temporary and Emergency Accounts” (AC-2(2)), appear in moderate and high baselines, reflecting the need for more stringent measures in higher-risk environments.

The differentiation across baselines allows organizations to implement controls that are proportional to their risk levels, enhancing the overall flexibility and effectiveness of the framework.

Want to learn more? Dive deeper into NIST SP 800-53 Rev 5 with this resource from NIST.

The final version of NIST SP 800-53 rev 5 was released on September 23, 2020 after several years of research and iteration.

NIST SP 800-53 is designed to protect all types of federal information and information systems, including but not limited to:

The comprehensive controls in NIST SP 800-53 ensure robust protection across diverse data types and information systems, mitigating risks and enhancing the overall security posture of federal agencies and their contractors.

NIST SP 800-53, NIST CSF, and NIST 800-171 are all interrelated cybersecurity frameworks from NIST.

NIST SP 800-53 provides comprehensive controls to protect federal information systems.

NIST CSF offers a flexible, voluntary control framework to help organizations manage and reduce cybersecurity risks.

NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) in non-federal systems, particularly for defense contractors.

These frameworks collectively enhance an organization’s cybersecurity posture by offering structured, scalable approaches to managing security and compliance requirements.

For more detailed information, refer to Hyperproof’s complete guide to NIST compliance.

CUI stands for “controlled unclassified information” and is defined as information that requires safeguarding or dissemination of controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. CUI includes information that is sensitive but unclassified, which could harm national security, government operations, or the privacy of individuals if disclosed without proper authorization. The CUI program standardizes the way the executive branch handles this type of information and ensures consistent protection across federal agencies.


NIST SP 800-53 maps to nearly all modern cybersecurity frameworks, many of which are inspired by or partially based on NIST 800-53:

The time it takes to become NIST SP 800-53 compliant varies from several months to years, depending on the size and complexity of the organization and its current security posture. For small to medium-sized organizations, it might take a year or more. Larger organizations with more complex systems could take longer. Federal agencies, on the other hand, are already required to maintain this compliance level, and often face challenges in maintaining compliance as NIST 800-53 is updated.

The process involves assessing current security controls, identifying gaps, implementing necessary controls, and performing continuous monitoring and assessment. A detailed plan and commitment from all stakeholders are crucial for timely compliance.

If you don’t currently have any other controls defined, it’s recommended that you start small with an easier control framework and then work up to NIST SP 800-53 if required.

The NIST Special Publication (SP) 800-53 provides security and privacy controls for federal information systems and organizations. These controls are designed to protect the security and privacy of federal information systems. NIST SP 800-53 defines three control baselines:

1. Low impact

This baseline applies to information systems where the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Examples of controls in the Low baseline include basic access control policies, basic audit logging, and basic incident response procedures.

2. Moderate impact

This baseline applies to information systems where the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

The Moderate baseline includes all controls in the Low baseline, with additional requirements for more robust access controls, more comprehensive audit logs, and more detailed incident response plans.

3. High impact

This baseline applies to information systems where the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The High baseline includes all controls in the Low and Moderate baselines, with further enhancements to ensure the highest level of security, such as multi-factor authentication, more rigorous encryption standards, and continuous monitoring of the system.

The Privacy Baseline

NIST SP 800-53 Rev. 5 also provides a privacy control baseline to address privacy requirements and manage privacy risks arising from the processing of PII.

This baseline provides a starting point for federal agencies to meet privacy requirements under relevant regulations such as OMB A-130. This includes controls that specifically address privacy risks associated with PII processing.

Tailoring the Privacy Baseline

Organizations can tailor the privacy baseline to their needs by conducting risk assessments to determine the specific controls needed. Controls can be added or removed based on legal and policy requirements, and the nature of the PII processing.

Collaboration between Privacy and Security Programs

Security and privacy programs must work together to manage risks that affect both areas. Some controls are shared between security and privacy baselines to ensure comprehensive risk management.

These baselines and guidelines help organizations ensure the confidentiality, integrity, and availability of their information systems while also protecting individual privacy in accordance with applicable laws and regulations.

Hyperproof for NIST SP 800-53 compliance

Organizations can reap significant benefits when they align their security and compliance programs with a recognized framework like NIST SP 800-53, but the comprehensive nature of the guidelines poses adoption challenges.

Hyperproof’s compliance operations software makes it much easier for organizations to adopt NIST SP 800-53 as their cybersecurity framework, along with other industry-leading cybersecurity frameworks. Sign up for a personalized demo to see how we can help you utilize NIST SP 800-53 controls to create an effective and efficiently-managed security program:


Track the results of organization-wide risk assessments and demonstrate how risks are managed on an ongoing basis.

Easily access NIST 800-53 Rev 5 security and privacy controls. Hyperproof provides separate templates for Low-Impact, Medium-Impact, and High-Impact levels.

Document your control tailoring decisions and generate system security and privacy plans with the click of a button.

Assign controls to owners throughout business units and automate control management tasks.

Collect evidence to verify the functionality and operating effectiveness of controls.

Efficiently map NIST SP 800-53 controls to other industry standards, laws, and regulations and streamline audit/compliance activities.

Monitor controls’ effectiveness through dashboards, automated user-defined health metrics, and notifications.

Use tasks and automated reminders to keep everyone on track.

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST SP 800-53 ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
