NIST Special Publication (SP) 800-53
The Ultimate Guide to

NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems

What is NIST SP 800-53?

Developed by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is a collection of specific safeguarding measures that can be used to protect an organization’s operations and data and the privacy of individuals. In fact, NIST SP 800-53 is considered the gold standard for information security and is cross-referenced by many other industry-accepted security standards.

Any organization, regardless of its size, sector, or technology environment, can use NIST SP 800-53 security and privacy controls to maintain the security of its information systems and mitigate privacy risks. The controls can be customized and implemented as part of a firm-wide process to manage risks such as hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

Can NIST SP 800-53 improve my security system?

Yes. Although NIST SP 800-53 was originally designed for use by U.S. federal government agencies, it can help organizations in all industries improve the security of their information systems. NIST SP 800-53 contains a set of security and privacy safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud systems, mobile systems, industrial control systems, and Internet of Things (IoT) devices.

The consolidated control catalog addresses security and privacy from a functionality perspective and an assurance perspective. Addressing functionality and assurance helps an organization gain confidence that its information technology products and the systems that rely on those products are sufficiently trustworthy.

In many cases, implementing NIST SP 800-53 Rev 5 will help organizations ensure NIST 800-53 compliance with other regulations that deal with cyber risk and information security, such as HIPAA, FISMA, or SOX, because many other frameworks use NIST as the reference framework.

NIST SP 800-53 control families

According to NIST SP 800-53 Rev. 5, controls can be viewed as “descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements.”

NIST SP 800-53 Rev. 5 lists 20 families of controls that provide operational, technical, and managerial safeguards to ensure the privacy, integrity, and security of information systems.

Each family holds controls that are related to the specific topic of the family. Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, and automated mechanisms that are implemented by systems. Below is a table that lists the security and privacy control families and their associated family identifiers.

TABLE 1: NIST SP 800-53 Security and Privacy Control Families
TABLE 1: Security and Privacy Control Families

Families of controls contain base controls and control enhancements, which are directly related to their base controls. Control enhancements either add functionality or specificity to a base control or increase the strength of a base control. Control enhancements should be used in systems and environments of operation that require greater protection than the protection provided by the base control. 

SP 800-53 Rev. 5 security and privacy controls follow a standardized structure: a base control section, a discussion section, a related controls section, a control enhancements section, and a references section. Figure 1 illustrates the structure of a typical control.

Illustration of a typical NIST SP 800-53 control structure

Many organizations have chosen to use NIST SP 800-53 controls as the baseline for their security and privacy controls because the controls in the catalog, with a few exceptions, are policy-, technology-, and sector-neutral; they focus on the fundamental measures necessary to protect information and the privacy of individuals across the information lifecycle. 

However, It is up to each organization to analyze each security and privacy control for its applicability to their specific technologies, environments of operation, mission, and business functions and tailor the controls that have variable parameters. To access the entire SP 800-53 controls catalog, you can visit the NIST SP 800-53 rev. 5 publication or sign up for Hyperproof

To help organizations figure out which specific controls from the SP 800-53 Rev. 5 catalog they should implement to suit their unique situation, NIST has published a companion publication, titled SP 800-53B.

5 control families to pay attention to

Since SP 800-53 Rev. 5 has 20 control families, it’s important that you prioritize your efforts based on the areas that will have the highest impact. In today’s environment, where many people are now working from home, potentially using unauthorized networks and applications and their personal devices, you’ll need to pay particular attention to five control families to ensure adequate protection of your systems: Access Control, Configuration Management, Control Assessments, Monitoring/Logging, and Training.

1. Access control family

This control family addresses who or what can view or use resources in a computing environment.

2. Awareness and training family

Organizations should provide foundational and advanced levels of awareness training to system users, including measures to test users’ knowledge level.

3. Audit and accountability family

To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time.

4. Control assessment (authorization and monitoring) family

Policies and procedures help provide security and privacy assurance.

5. Configuration management family

Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture.

Those control families cover the basics and will give you a minimal level of protection. From there, you can work on the other areas.

What are control baselines in NIST SP 800-53B?

NIST SP 800-53B, Control Baselines for Information Systems and Organizations, provides security and privacy control baselines for the Federal Government and private sector organizations. SP 800-53B is a companion publication to SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. 

SP 800-53B includes three security control baselines (one for each system impact level: low-impact, moderate-impact, and high-impact), as well as a privacy control baseline that is applied to systems irrespective of impact level. The privacy control baseline supports federal agencies in addressing privacy requirements and managing privacy risks that arise from processing PII based on privacy program responsibilities under OMB Circular A-130.

Baselines are there to help organizations select a set of controls for their systems that is commensurate with their security and privacy risk. According to NIST guidance, the security baseline selected for systems should be “commensurate with the potential adverse impact on an organization’s operations, organizational assets, individuals, and other organizations if there is a loss of confidentiality, availability or integrity.” Here’s what the three levels mean: 

  • A low-impact system is defined as a system in which all three of the security objectives are low; 
  • A moderate-impact system is a system in which at least one of the security objectives is moderate and no security objective is high; 
  • A high-impact system is a system in which at least one security objective is high. 

Once an organization has selected an appropriate security baseline, they would tailor the controls to align them more closely with the specific security and privacy requirements identified by the organization. Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individual’s privacy interests, laws, executives, orders, policies, regulations, or industry best practices. 

Here are some ways in which controls can be tailored: 

  • Identify and designate common controls 
  • Apply scoping considerations 
  • Selecting compensating controls 
  • Assign values to organization-defined control parameters via explicit assignment and selection operations
  • Supplement baselines with additional controls and control enhancements

What’s the difference between NIST CSF and NIST 800-53?

NIST Cybersecurity Framework (CSF) is a subset of NIST SP 800-53 Rev 5. Given that NIST CSF is more limited in scope, starting with NIST CSF may be a reasonable choice for smaller companies that need a set of “best practices” to align to.

Exploring the structure of the NIST CSF framework core

At the core of the NIST Cybersecurity Framework (CSF) lies the Framework Core, a set of guidelines that outlines five critical cybersecurity functions necessary for a robust security program. These functions offer a high-level categorization of cybersecurity outcomes and are supported by more detailed levels of guidance: categories, subcategories, and informative references.

NIST Framework Core Structure broken into subcategories: identify, protect, detect, respond, and recover

Here’s a breakdown of the Framework Core’s elements:

  1. Functions: The primary functions serve as the foundational pillars for cybersecurity activities. These include Identify, Protect, Detect, Respond, and Recover.
  2. Categories: For more detailed organization, each primary function is broken down into categories. These are specific outcomes like “Asset Management,” “Access Control,” and “Incident Detection.”
  3. Subcategories: To drill down further, categories are divided into subcategories, describing precise security outcomes such as “Maintenance of an inventory of information systems” or “Protections against unauthorized access to data.”
  4. Informative References: These references provide concrete examples of how to achieve the desired outcomes described in the subcategories. They often refer to sections of established standards and guidelines, including but not limited to COBIT, ISO/IEC standards, CIS Controls, and other NIST publications.
Response Planning & Communication chart broken up into categories and subcategories and informative references

The accompanying visual, which can be found in Appendix A of the CSF, depicts the interplay between the functions, categories, subcategories, and informative references concerning the “Respond” function.

This appendix acts as a comprehensive checklist, allowing cybersecurity teams to verify their program against the Framework Core’s functions, ensuring that necessary categories and subcategories are in place and align with the associated informative references’ guidance.

Does NIST SP 800-53 overlap with other security frameworks?

Nearly all other frameworks and certification programs use NIST SP 800-53 or ISO 27001 as a baseline reference. In fact, NIST SP 800-53 has broad overlap with most security and privacy frameworks. For instance, the security controls from NIST SP 800-53 Rev.5 map to the ISO 27001:2013, a standard that specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks.

However, similar topics may be addressed in two security control sets that may be of different context, perspective, or scope. Each organization still needs to assess whether a control taken from NIST SP 800-53 would fully satisfy requirements of ISO 27001 without modification. 

What are the best practices for NIST SP 800-53 compliance?

To work your way towards full compliance, you’ll need to understand and work through some key steps:

Discover and classify sensitive data

Start by locating and securing all your sensitive data and then classifying it based on your business policy. You want to conclude this phase of discovery with knowledge of your sensitive data, the vulnerabilities within your system, and potential threats in your environment.

Map data and permissions

Here you want to establish an understanding of who can access what data. The critical action step is identifying all user, group, folder, and file permissions within your system.

Manage access control

Managing access starts with creating rules to govern who can access what information. These rules must be well known and strictly enforced. Action steps for improved access control involve inactivating stale user accounts, proactively managing user and group memberships, and working from a “least privilege” model, which involves giving users the least amount of access they need to do their job.

Monitor data, file activity, and user behavior

Start by keeping records of how users access systems and data files. Use these records to create a baseline of regular activity to help identify anomalies such as weird access locations, rapid access upgrades, and sudden mass movements of data. Be sure to install a set of controls designed to monitor and detect insider threats, malware, and misconfigurations. Any vulnerabilities, anomalies, or attempted breaches should be discovered and remediated quickly.

Educate all staff

It’s important to educate your employees on what they need to do (and what to avoid) to keep networks and company data secure. Management should provide employees with tactical knowledge on how to deal with the cyber threats organizations are most likely to face, such as email scams, malware, insecure passwords, unsafe internet browsing habits, removable media, etc.

Assess controls’ effectiveness

NIST SP 800-53 recommends organizations deploy security assessment tools to gauge their real-time security posture. These software tools, created by security experts, measure the effectiveness of all organizational security measures and suggest system improvements based on empirical evidence.

But once your team has installed the appropriate controls and implemented NIST SP 800-53 security and privacy controls, you’ll need to make sure that your controls are implemented correctly and produce the desired outcome for meeting your organization’s security requirements.

NIST Special Publication 800-53A establishes standard assessment procedures to assess security controls’ effectiveness in information systems, specifically those controls listed in NIST SP 800-53. These recommended assessment procedures provide a starting point for developing more specific procedures and can be supplemented by your organization if it’s deemed necessary according to your risk assessment. Keep in mind that your organization may create additional assessment procedures for those security controls not contained in NIST Special Publication 800-53.

FAQs for NIST 800-53 

How many controls are in NIST 800-53?

NIST 800-53 contains over 1,000 security controls organized into 20 different control families. It’s essential to focus specifically on five key control families to guarantee sufficient protection of your systems: Access Control, Configuration Management, Control Assessments, Monitoring/Logging, and Training.

How can you cite NIST 800-53?

To properly cite NIST Special Publication 800-53 in APA style, you can use the following format:

National Institute of Standards and Technology. (Year). NIST Special Publication 800-53 Revision X: Security and Privacy Controls for Information Systems and Organizations.

The key elements are:

  1. Author: National Institute of Standards and Technology
  2. Year: Year of publication
  3. Title: NIST Special Publication 800-53 Revision X: Security and Privacy Controls for Information Systems and Organizations
  4. DOI: The specific DOI for that revision

How do you implement NIST 800-53?

Getting started with NIST 800-53 and 800-171 is more complicated. NIST has listed nine steps an organization should undertake to assure compliance with FISMA, which are:

  • Categorize the information to be protected
  • Select minimum base controls
  • Refine controls using risk-assessment procedures
  • Document the controls in the system security plan
  • Implement security controls in the appropriate information systems
  • Assess the effectiveness of the security controls once they have been implemented
  • Determine the agency-level risk to the mission or business case
  • Authorize the information system for processing
  • Continually monitor the security controls

What is the difference between NIST 800-53 and 800-171?

NIST SP 800-53 (more commonly known as “NIST 800-53”) is a framework that specifically deals with information security and privacy. The current version of NIST 800-53 is Revision 5, which was adopted in 2020. 

NIST Special Publication 800-171 is another cybersecurity framework that applies specifically to organizations working on contracts with the U.S. Department of Defense. The current version is Revision 2, last updated in 2021.

Hyperproof for NIST SP 800-53 compliance

Organizations can reap significant benefits when they align their security and compliance programs with a recognized framework like NIST SP 800-53, but the comprehensive nature of the guidelines poses adoption challenges.

Hyperproof’s compliance operations software makes it much easier for organizations to adopt NIST SP 800-53 as their cybersecurity framework, along with other industry-leading cybersecurity frameworks. Sign up for a personalized demo to see how we can help you utilize NIST SP 800-53 controls to create an effective and efficiently-managed security program:

NIST SP 800-53

Track the results of organization-wide risk assessments and demonstrate how risks are managed on an ongoing basis.

Easily access NIST 800-53 Rev 5 security and privacy controls. Hyperproof provides separate templates for Low-Impact, Medium-Impact, and High-Impact levels.

Document your control tailoring decisions and generate system security and privacy plans with the click of a button.

Assign controls to owners throughout business units and automate control management tasks.

Collect evidence to verify the functionality and operating effectiveness of controls.

Efficiently map NIST SP 800-53 controls to other industry standards, laws, and regulations and streamline audit/compliance activities.

Monitor controls’ effectiveness through dashboards, automated user-defined health metrics, and notifications.

Use tasks and automated reminders to keep everyone on track.

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get NIST SP 800-53 ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader