NIST 800-53: What is it and How is it used? (+Control families)

Art Clomera, CTO, Federal Services

Ensuring the security of information systems is a complex but necessary task that virtually every modern organization must undertake to some degree. One effective method of tackling information system security is to use the Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST). Though this framework walks an organization through the critical steps of establishing controls to mitigate information system risks, it does not itself specify which controls should be used to mitigate those risks. This is where NIST Special Publication 800-53 (also referred to as NIST 800-53) comes in. NIST 800-53 is a catalog published by NIST that provides security and privacy controls to mitigate risks to information systems. In this article we’ll describe why NIST 800-53 is important, explore the control families outlined in NIST 800-53, and illustrate how federal agencies can leverage this catalog to protect their information systems.

What is NIST 800-53? 

NIST 800-53 is a catalog of security and privacy controls whose purpose is to protect information systems. The catalog is published by NIST, and all U.S. federal information systems (aside from those related to national security) are required to comply with NIST standards and guidelines. NIST 800-53 works together with the NIST RMF (NIST SP 800-37 Rev. 2) to support the steps of the process that deal with selecting an initial baseline of security controls, tailoring the baseline controls to specific risks, and supplementing the controls based on risk assessments.

Who is NIST 800-53 Mandatory for? 

In accordance with the provisions of the Federal Information Security Modernization Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, all U.S. federal information systems must be compliant with NIST security standards and guidelines (including NIST 800-53). The only exception is information systems that have been designated as national security systems (NSS), which are governed by Committee on National Security Systems (CNSS) Instruction No. 1253. CNSS 1253 is a companion document to NIST SP 800-53, so NIST 800-53 is effectively mandatory for both federal information systems and NSS. NIST 800-171 mandates the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations, and its security requirements are derived primarily from the security controls in NIST 800-53. NIST 800-53 Rev. 5 removed the term “federal”, signalling that the controls may be used by non-federal organizations as well. The clear direction forward is that NIST 800-53 will be mandatory for any organization or system that processes, stores, or transmits CUI, or that provides protection for such components.

4 Reasons Why NIST 800-53 Matters 

Aside from mandatory compliance for federal organizations, there are a number of additional benefits to complying with NIST 800-53 that make it an attractive standard for information system security. In light of these benefits, even non-federal organizations may consider voluntarily complying with NIST 800-53 to secure their information systems. Below are 4 of the main benefits to any organization that uses NIST 800-53 to secure its information systems:

1. Increase Information System Security 

Increasing the security of information systems and organizations is the most obvious benefit of using NIST 800-53. This increase in security protects an organization’s operations and assets, individuals, other organizations, and the Nation from a diverse set of security threats and risks. A key step in the NIST RMF is the “Select” step, which chooses controls to mitigate the risks identified and categorized in the previous steps. Leveraging the NIST 800-53 catalog in this step provides not only robust baseline controls but also the ability to supplement and tailor those controls to meet specific organizational needs. The controls in the catalog are proven through practice, and proper implementation will undoubtedly improve the security of an organization’s information systems.

2. Save Time and Resources 

Mitigating risks to information systems is not a trivial task. Designing, implementing, and monitoring the RMF process requires dedicated resources, both for initial setup and for ongoing maintenance and support. There may be a variety of methods available to mitigate a given risk, which can make selecting effective and efficient controls a significant challenge. By consulting the NIST 800-53 catalog, an organization can make use of predefined profiles, reciprocity from similar systems and assets, and advice from the authorizing official (AO) when tailoring the controls to the organization’s risk tolerance. This saves time not only in the control selection process but also reduces the potential rework required during the assessment and continuous monitoring phases.

3. Work towards FISMA Compliance 

Beyond the primary benefit of securing information systems and organizations, a well-implemented RMF process can also increase customer confidence in working with an organization. Additionally, because FISMA compliance is a U.S. federal requirement, federal organizations, as well as non-federal organizations that wish to do business with federal agencies, must comply with all relevant FISMA requirements in accordance with NIST 800-171. One of the requirements for FISMA compliance is that security controls must be implemented in accordance with NIST 800-53. Therefore, by following NIST 800-53 to secure its information systems, an organization is proactively working towards FISMA and NIST 800-171 compliance.

4. Trustworthy and Updated Source 

The tools and processes used in modern information systems change quickly as technology advances, and the risks to information systems change with them. Keeping up with the latest risks and the associated control strategies is a challenging task. By using NIST 800-53, an organization can leverage well-thought-out controls from a trustworthy source. Additionally, the NIST 800-53 catalog and profiles are regularly updated; the catalog is currently on its 5th revision. These updates ensure that the controls an organization implements are well suited to current risks.

NIST 800-53 Security Controls and Control Families 

NIST 800-53 groups the security and privacy controls in the catalog by the topic they relate to or the type of control strategy they represent. There are a total of 20 groups, or “families”, in the current catalog version (Rev. 5). This is an increase of 3 families (PM, PT, and SR) from the 17 families in Rev. 4; the new control families are highlighted in bold below. Each family contains base controls along with optional enhancements to those base controls. Table 1 shows the family ID, family name, and a few examples of the controls found within each family. Note that the examples in the table are only a small sample of each family’s controls, as the catalog contains over 1100 controls (including base controls and control enhancements).

| ID | Family Name | Examples |
|----|-------------|----------|
| AC | Access Control | Policy and Procedures, Account Management, Access Enforcement |
| AT | Awareness and Training | Literacy Training and Awareness, Role-based Training |
| AU | Audit and Accountability | Event Logging; Audit Record Review, Analysis, and Reporting |
| CA | Assessment, Authorization, and Monitoring | Control Assessments, Information Exchange, Continuous Monitoring |
| CM | Configuration Management | Baseline Configuration, Configuration Change Control |
| CP | Contingency Planning | Contingency Training, Alternate Storage Site, System Recovery and Reconstitution |
| IA | Identification and Authentication | Identifier Management, Cryptographic Module Authentication |
| IR | Incident Response | Incident Response Training, Incident Handling, Incident Response Assistance |
| MA | Maintenance | Controlled Maintenance, Maintenance Tools, Timely Maintenance |
| MP | Media Protection | Media Access, Media Storage, Media Downgrading |
| PE | Physical and Environmental Protection | Physical Access Control, Access Control for Transmission, Monitoring Physical Access |
| PL | Planning | System Security and Privacy Plans, Rules of Behavior, Concept of Operations |
| **PM** | **Program Management** | Plan of Action and Milestones Process, System Inventory, Measures of Performance |
| PS | Personnel Security | Position Risk Designation, Personnel Screening, Personnel Transfer |
| **PT** | **PII Processing and Transparency** | Personally Identifiable Information Processing Purposes, Consent |
| RA | Risk Assessment | Security Categorization, Risk Assessment, Vulnerability Monitoring and Scanning |
| SA | System and Services Acquisition | Allocation of Resources, Acquisition Process, System Documentation |
| SC | System and Communications Protection | Separation of System and User Functionality, Security Function Isolation, Boundary Protection |
| SI | System and Information Integrity | Flaw Remediation, Malicious Code Protection, System Monitoring |
| **SR** | **Supply Chain Risk Management** | Supply Chain Controls and Processes, Provenance, Notification Agreements |

Table 1: NIST 800-53 Rev. 5 Control Families and Examples

Make Smarter Cybersecurity Decisions with IPKeys Technologies  

IPKeys Technologies can improve your cybersecurity programs with our innovative products and services, all designed to help you defeat modern cybersecurity threats. Our core competencies are developed under DoD-specific NIST Cybersecurity Risk Management Framework guidance. Cyber-Lab-as-a-Service (CLaaS) is our unified, AI-fueled RMF automation, analytics, and reporting platform that will help you make better cybersecurity decisions while staying NIST compliant.
