
NIST SP 800-53

A comprehensive catalog of security and privacy controls for information systems.

NIST Special Publication 800-53 is a catalog of security and privacy controls for information systems and organisations. Revision 5 is current. It underpins US federal security (FISMA) and programmes like FedRAMP. Unlike the outcome-based CSF, 800-53 is a detailed control library — you select a baseline and tailor it to your system.

The 20 control families

ID  Family
AC  Access Control
AT  Awareness & Training
AU  Audit & Accountability
CA  Assessment, Authorization & Monitoring
CM  Configuration Management
CP  Contingency Planning
IA  Identification & Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical & Environmental Protection
PL  Planning
PM  Program Management
PS  Personnel Security
PT  PII Processing & Transparency
RA  Risk Assessment
SA  System & Services Acquisition
SC  System & Communications Protection
SI  System & Information Integrity
SR  Supply Chain Risk Management

Control structure and baselines

  • Each control has a base control plus optional control enhancements.
  • Controls are selected via baselines defined in SP 800-53B: Low, Moderate and High impact.
  • Impact level is determined by a FIPS 199 categorisation of confidentiality, integrity and availability.
  • A separate privacy control baseline addresses PII processing.

The Risk Management Framework (RMF) — 7 steps

Step        Activity
Prepare     Establish context and priorities for managing risk
Categorize  Categorise the system (FIPS 199 impact level)
Select      Select the 800-53 control baseline and tailor it
Implement   Implement the controls and document how
Assess      Assess controls (using SP 800-53A) for effectiveness
Authorize   Senior official accepts risk and authorises operation
Monitor     Continuously monitor controls and risk

Tailoring

  • Apply scoping guidance to remove controls that do not apply.
  • Add compensating controls where a baseline control is not feasible.
  • Assign organisation-defined parameters (e.g., timeframes, thresholds).
  • Document all tailoring decisions and rationale in the system security plan (SSP).

Assessment (SP 800-53A)

  1. Develop a security assessment plan from the tailored control set.
  2. Assess each control using examine, interview and test methods.
  3. Determine control effectiveness and document findings.
  4. Produce the Security Assessment Report (SAR) and Plan of Action & Milestones (POA&M).
  5. Support the authorisation decision and continuous monitoring.

800-53 vs 800-171 vs FedRAMP

Document    Scope                                 Use
SP 800-53   Full federal control catalog          Government systems and rigorous private baselines
SP 800-171  Subset (110 requirements)             Protecting Controlled Unclassified Information (CUI) in non-federal systems
FedRAMP     Programme using 800-53 baselines      Authorising cloud services for US government use

Evidence checklist

  • System categorisation (FIPS 199) and boundary definition.
  • System Security Plan (SSP) with tailored controls and parameters.
  • Implementation evidence per control family.
  • Security Assessment Plan and Security Assessment Report (SAR).
  • Plan of Action & Milestones (POA&M).
  • Continuous-monitoring records and authorisation decision.

How CyberSigma helps

We help you categorise systems, select and tailor the 800-53 baseline, implement and assess controls, and build the SSP/SAR/POA&M artefacts — whether for a rigorous internal baseline or a FedRAMP-style authorisation.

Frequently asked questions

What is the difference between 800-53 and 800-171?

800-53 is the full federal control catalog for government systems; 800-171 is a subset (110 requirements) for protecting Controlled Unclassified Information (CUI) in non-federal systems.

Is 800-53 the same as FedRAMP?

No. FedRAMP uses 800-53 controls as its basis but adds a specific assessment and authorisation programme for cloud services used by the US government.

Need help with NIST 800-53?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.