NIST SP 800-53 is the comprehensive catalog of over 1,000 security and privacy controls used as the baseline for FISMA, FedRAMP, and federal cybersecurity.
NIST Special Publication 800-53, 'Security and Privacy Controls for Information Systems and Organizations,' is the most comprehensive catalog of security and privacy controls published by the National Institute of Standards and Technology. Currently in Revision 5, the publication provides over 1,000 controls and control enhancements organized into 20 families. It is the catalog from which the FISMA and FedRAMP control baselines are built, and it is referenced by numerous other frameworks worldwide. Unlike prescriptive standards, 800-53 is a catalog from which organizations select the controls appropriate to their risk profile; the companion publication NIST SP 800-53A supplies the procedures for assessing whether those controls are implemented correctly and operating as intended. The publication applies to all federal information systems and is widely adopted by the private sector as a security benchmark.
Controls are organized into 20 families: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization, and Monitoring (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Personnel Security (PS), Personally Identifiable Information (PII) Processing and Transparency (PT), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI), and Supply Chain Risk Management (SR). Each control is identified by its family abbreviation and a number (for example, AC-2, Account Management), and each has a base requirement plus optional control enhancements, numbered in parentheses (AC-2(1), Automated System Account Management), that add specificity or rigor. Many controls also contain organization-defined parameters (ODPs), such as a review frequency or a maximum number of failed login attempts, which the organization must assign values to before the control can be implemented or assessed. Organizations select a control baseline (Low, Moderate, or High) from NIST SP 800-53B based on the FIPS 199 security categorization of the system, then tailor it by adding, removing, or supplementing controls, selecting compensating controls, and assigning parameter values based on risk assessment. Revision 5 rewrote the control statements to be outcome-based rather than naming "the organization" or "the information system" as the responsible entity, and it integrated privacy controls into the same catalog as the security controls.
NIST SP 800-53 is the foundational control catalog for federal cybersecurity and has global influence. FedRAMP, FISMA, and numerous agency-specific requirements derive their control baselines from 800-53. Organizations pursuing government contracts at any level will encounter 800-53 requirements. Its breadth also makes it valuable to private-sector organizations that want a thorough security control framework, and other frameworks commonly publish mappings to its controls. Understanding 800-53 is essential for any cybersecurity professional working in or with the government sector.
Written by CDA Editorial