NIST Special Publication 800-53 is a catalog of security and privacy controls for information systems and organisations. Revision 5 is current. It underpins US federal security (FISMA) and programmes like FedRAMP. Unlike the outcome-based NIST Cybersecurity Framework (CSF), 800-53 is a detailed control library — you select a baseline and tailor it to your system.
The 20 control families
| ID | Family | ID | Family |
|---|---|---|---|
| AC | Access Control | MP | Media Protection |
| AT | Awareness & Training | PE | Physical & Environmental Protection |
| AU | Audit & Accountability | PL | Planning |
| CA | Assessment, Authorization & Monitoring | PM | Program Management |
| CM | Configuration Management | PS | Personnel Security |
| CP | Contingency Planning | PT | PII Processing & Transparency |
| IA | Identification & Authentication | RA | Risk Assessment |
| IR | Incident Response | SA | System & Services Acquisition |
| MA | Maintenance | SC | System & Communications Protection |
| SI | System & Information Integrity | SR | Supply Chain Risk Management |
Control structure and baselines
- Each control has a base control plus optional control enhancements.
- Controls are selected via baselines defined in SP 800-53B: Low, Moderate and High impact.
- Impact level is determined by a FIPS 199 categorisation of confidentiality, integrity and availability.
- A separate privacy control baseline addresses PII processing.
The Risk Management Framework (RMF) — 7 steps
| Step | Activity |
|---|---|
| Prepare | Establish context and priorities for managing risk |
| Categorize | Categorise the system (FIPS 199 impact level) |
| Select | Select the 800-53 control baseline and tailor it |
| Implement | Implement the controls and document how |
| Assess | Assess controls (using SP 800-53A) for effectiveness |
| Authorize | Senior official accepts risk and authorises operation |
| Monitor | Continuously monitor controls and risk |
Tailoring
- Apply scoping guidance to remove controls that do not apply.
- Add compensating controls where a baseline control is not feasible.
- Assign organisation-defined parameters (e.g., timeframes, thresholds).
- Document all tailoring decisions and rationale in the system security plan (SSP).
Assessment (SP 800-53A)
- Develop a security assessment plan from the tailored control set.
- Assess each control using examine, interview and test methods.
- Determine control effectiveness and document findings.
- Produce the Security Assessment Report (SAR) and Plan of Action & Milestones (POA&M).
- Support the authorisation decision and continuous monitoring.
800-53 vs 800-171 vs FedRAMP
| Document | Scope | Use |
|---|---|---|
| SP 800-53 | Full federal control catalog | Government systems and rigorous private baselines |
| SP 800-171 | Subset (110 requirements) | Protecting Controlled Unclassified Information (CUI) in non-federal systems |
| FedRAMP | Programme using 800-53 baselines | Authorising cloud services for US government use |
Evidence checklist
- System categorisation (FIPS 199) and boundary definition.
- System Security Plan (SSP) with tailored controls and parameters.
- Implementation evidence per control family.
- Security Assessment Plan and Security Assessment Report (SAR).
- Plan of Action & Milestones (POA&M).
- Continuous-monitoring records and authorisation decision.
How CyberSigma helps
We help you categorise systems, select and tailor the 800-53 baseline, implement and assess controls, and build the SSP/SAR/POA&M artefacts — whether for a rigorous internal baseline or a FedRAMP-style authorisation.
Frequently asked questions
What is the difference between 800-53 and 800-171?
800-53 is the full federal control catalog for government systems; 800-171 is a subset (110 requirements) for protecting Controlled Unclassified Information (CUI) in non-federal systems.
Is 800-53 the same as FedRAMP?
No. FedRAMP uses 800-53 controls as its basis but adds a specific assessment and authorisation programme for cloud services used by the US government.
Need help with NIST 800-53?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to being compliant — with a scoped, guided programme.
