NIST Special Publication 800-53
NIST Special Publication 800-53 is the U.S. federal “control catalog” for security and privacy. It defines a comprehensive set of safeguards organizations can select and implement to protect systems and data against cyberattacks, human error, and disruptions. 800-53 pairs with NIST SP 800-37 (RMF) for risk management and with SP 800-53B for baseline selection.
At Filament Information Security, we help schools, governments, and nonprofits right-size 800-53 controls to their risk, budget, and regulatory drivers—and map them to frameworks they already use (NIST CSF, CIS Controls, HIPAA, etc.).
Who uses 800-53?
- Federal agencies (FISMA).
- Cloud Service Providers pursuing FedRAMP authorization.
- Contractors and state/local entities that interconnect with federal systems.
- Any organization wanting a deep, prescriptive control set aligned to U.S. federal best practice.
If you only need strategy and outcomes language, start with NIST CSF. If you need detailed, testable controls, use 800-53 (often alongside CSF).
Revisions At A Glance
- Rev. 4 (2013): Major expansion; added privacy considerations and early supply-chain focus.
- Rev. 5 (2020): Overhaul to outcome-based controls, tighter security–privacy integration, explicit Supply Chain Risk Management (SR) family, and separation of baselines to SP 800-53B. Also clarified that use is not limited to federal environments.
Control Families Overview
800-53 Rev. 5 spans 20 families (over 1,000 controls/enhancements). Examples:
- AC – Access Control (least privilege, session management)
- AT – Awareness & Training
- AU – Audit & Accountability
- CA – Assessment, Authorization & Monitoring
- CM – Configuration Management
- CP – Contingency Planning
- IA – Identification & Authentication
- IR – Incident Response
- MP – Media Protection
- PE – Physical & Environmental Protection
- PL – Planning
- PM – Program Management (org-level)
- PS – Personnel Security
- PT – PII Processing & Transparency (privacy)
- RA – Risk Assessment
- SA – System & Services Acquisition
- SC – System & Communications Protection
- SI – System & Information Integrity
- SR – Supply Chain Risk Management (new in Rev. 5)
Agencies typically implement the full baseline applicable to their impact level; others select a subset based on risk and obligations.
Baselines & Impact Levels
Baselines are chosen using FIPS 199 impact ratings (confidentiality/integrity/availability): Low, Moderate, High.
SP 800-53B provides the official Low/Moderate/High baselines and tailoring guidance (add/withdraw controls by documented risk rationale).
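As an added illustration of the selection and tailoring step just described (example code written for this page, not Filament's or NIST's own tooling), the snippet below rates confidentiality, integrity and availability separately as FIPS 199 does, takes the highest of the three to pick the baseline (the "high-water mark" rule from FIPS 200), and then applies tailoring decisions that are rejected unless each one carries a documented risk rationale, as 800-53B requires. The miniature catalog uses placeholder control ids (XX-1 to XX-5) with made-up baseline allocations; the real allocations come from SP 800-53B and are not reproduced here.

```python
"""Added example: FIPS 199 categorization -> baseline choice -> documented tailoring.

The catalog below is constructed for illustration; its control ids and
baseline allocations are placeholders, not SP 800-53B values.
"""
from dataclasses import dataclass

IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def high_water_mark(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 rates C, I and A separately; FIPS 200 then uses the highest
    of the three (the high-water mark) to select the 800-53B baseline."""
    ratings = (confidentiality, integrity, availability)
    for rating in ratings:
        if rating not in IMPACT_ORDER:
            raise ValueError(f"unknown impact rating: {rating!r}")
    return max(ratings, key=IMPACT_ORDER.__getitem__)


# Constructed miniature catalog: control id -> lowest baseline that includes it.
MINI_CATALOG = {
    "XX-1": "Low",
    "XX-2": "Low",
    "XX-3": "Moderate",
    "XX-4": "Moderate",
    "XX-5": "High",
}


def baseline_controls(baseline: str, catalog=MINI_CATALOG) -> set:
    """All controls whose lowest baseline is at or below the chosen one."""
    level = IMPACT_ORDER[baseline]
    return {cid for cid, lowest in catalog.items() if IMPACT_ORDER[lowest] <= level}


@dataclass
class TailoringDecision:
    control: str
    action: str          # "add" or "withdraw"
    rationale: str = ""  # must be non-empty: tailoring needs a documented risk rationale


def tailor(baseline: str, decisions, catalog=MINI_CATALOG) -> set:
    """Apply tailoring decisions to the baseline. Rejects any decision without a
    rationale, any unknown control, and any withdrawal of a control that is not
    actually in the baseline (a common audit finding when tailoring is sloppy)."""
    selected = baseline_controls(baseline, catalog)
    for d in decisions:
        if not d.rationale.strip():
            raise ValueError(f"{d.action} of {d.control} has no documented rationale")
        if d.control not in catalog:
            raise ValueError(f"{d.control} is not in the catalog")
        if d.action == "withdraw":
            if d.control not in selected:
                raise ValueError(f"{d.control} is not in the {baseline} baseline")
            selected.remove(d.control)
        elif d.action == "add":
            selected.add(d.control)
        else:
            raise ValueError(f"unknown action {d.action!r}")
    return selected


def select_for_system(confidentiality, integrity, availability, decisions):
    """Full path: categorize, pick the baseline, tailor with rationale."""
    baseline = high_water_mark(confidentiality, integrity, availability)
    return baseline, tailor(baseline, decisions)


if __name__ == "__main__":
    # Constructed system: PII drives confidentiality to Moderate; I and A are Low.
    decisions = [
        TailoringDecision("XX-5", "add", "contract clause requires this safeguard"),
        TailoringDecision("XX-4", "withdraw", "no removable media in scope; risk accepted by AO"),
    ]
    chosen, controls = select_for_system("Moderate", "Low", "Low", decisions)
    print(f"baseline: {chosen}")
    print(f"tailored control set: {sorted(controls)}")
```

The point of the rationale check is that tailoring is only defensible when every add or withdrawal is recorded with the risk reasoning behind it; an assessor will ask for exactly that record.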
Control Implementation Approaches
- Common Controls: Organization-wide safeguards (e.g., security awareness training, facility controls).
- System-Specific Controls: Tailored to a single system’s risks.
- Hybrid Controls: Common foundation with system-specific parameters.
Embed these in your SDLC so security is designed-in, not bolted-on.
How Filament Implements 800-53
- Scoping & Tailoring: Map laws/contracts to a right-sized control set (often 53B Moderate as a starting point for public sector).
- Gap & Risk Assessment: Evaluate current state; prioritize by likelihood/impact.
- Policy & Procedure Build-out: Draft/refresh control-aligned policies and SOPs.
- Evidence & Monitoring: Stand up sustainable evidence collection and continuous monitoring.
- Audit Readiness: Package artifacts for internal/external assessors; brief leadership.
Quick Start: Practical Steps
- Define boundary & data types (systems, interfaces, CUI/PII/PHI).
- Pick a baseline (53B Low/Moderate/High) and tailor it.
- Assess & prioritize gaps (risk-based plan, 90-day actions).
- Implement & document (policies, procedures, technical configs).
- Monitor continuously (logs, POA&Ms, metrics, control owners).
- Report to leadership (status, risks, resourcing needs).
Frequently Asked Questions
What’s the purpose of NIST 800-53?
To provide a comprehensive, testable catalog of controls that organizations can select and implement to manage risk and meet federal (and other) expectations.
How many controls are there?
Rev. 5 includes 20 families with 1,000+ controls and enhancements (exact counts change with updates and tailoring).
What’s the difference between 800-53 and 800-171?
800-171 is a subset of 800-53 controls tailored to Controlled Unclassified Information (CUI) in non-federal systems (common for federal contractors). 800-53 is broader and used to build baselines for federal systems (and beyond).
800-53 vs. ISO 27001?
800-53 is a detailed U.S. control catalog; ISO 27001 is a global management standard (ISMS). Many orgs run an ISO ISMS and use 800-53 for control depth—or map between them.
How do we implement 800-53?
Select a 53B baseline, tailor by risk, assign control owners, implement policies/tech controls, collect evidence, and monitor continuously (aligned to RMF from 800-37).
Is there a certification for 800-53?
No single “800-53 certificate.” FedRAMP and FISMA authorizations use 800-53 controls; auditors/assessors evaluate your implementation against those baselines.
What’s the most current version?
Revision 5 (with periodic updates/errata). Baselines live in SP 800-53B. (We track updates and reflect them in our programs and documentation.)
What is FISMA and how does it relate?
The Federal Information Security Modernization Act requires federal agencies to implement information security programs. 800-53 provides the control set used to meet FISMA requirements.
Our Services
vCISO and Fractional Security Analysts
Gap and Risk Assessments
Identify vulnerabilities and gaps in your security posture with our comprehensive assessments designed to not disrupt your operations.
Framework Deployment Programs
Establish security frameworks through a comprehensive year-long assessment and training program, either individually or with a cohort of your peers.
Apptega GRC Platform
Make the most of Apptega’s powerful Governance, Risk, and Compliance (GRC) tool to effectively manage and maintain your security program utilizing its user-friendly interface.
Implementation Support
Penetration Testing
Vulnerability Scanning
The Team
Expert Help is On the Way
Schedule a Free Discovery Call
Explore your organization’s future with a quick conversation with Filament Information Security services.
Contact us today to learn more about how we can help you achieve your security goals.