What is NIST SP 800-53?
NIST Special Publication 800-53 is a comprehensive catalogue of security and privacy controls for information systems and organisations. Published by the National Institute of Standards and Technology, it is the most detailed and authoritative security controls framework available — containing over 1,000 individual controls and control enhancements organised into 20 control families.
While NIST CSF 2.0 tells organisations what outcomes to achieve, SP 800-53 tells them exactly how to achieve them. It is the technical backbone of US federal government information security and is widely adopted by defence contractors, critical infrastructure operators and any organisation seeking the most rigorous security controls framework available.
What is NIST SP 800-53 Rev 5?
Revision 5, published in September 2020, was the most significant update to SP 800-53 since its original publication. The key change in Rev 5 was the integration of privacy controls alongside security controls — previously privacy was addressed in a separate publication (SP 800-53A). Rev 5 also expanded the applicability of the framework beyond US federal agencies to all organisations regardless of type or size.
| Attribute | Detail |
|---|---|
| Standard body | NIST — National Institute of Standards and Technology |
| Current version | Revision 5 (September 2020) |
| Mandatory or voluntary | Mandatory for US federal agencies · Voluntary for all others |
| Geography | USA (widely referenced globally) |
| Total controls | 1,000+ controls and control enhancements across 20 families |
| Official resource | csrc.nist.gov |
Key Changes in Revision 5
| Area | Rev 4 | Rev 5 |
|---|---|---|
| Privacy controls | Separate appendix | Fully integrated alongside security controls |
| Applicability | Federal agencies only | All organisations regardless of type or size |
| Control families | 18 families | 20 families (added Supply Chain Risk Management and Program Management updates) |
| Supply chain | Limited coverage | Dedicated Supply Chain Risk Management (SR) family with 12 controls |
| Outcomes focus | Implementation focused | Outcome-based — organisations determine how to achieve control objectives |
The 20 Control Families
SP 800-53 organises all controls into 20 families, each identified by a two-letter code. Controls within each family are numbered sequentially (e.g. AC-1, AC-2, AC-3). Each control may also have enhancements — more specific or stringent implementations — denoted by a number in parentheses (e.g. AC-2(1)).
| Code | Family | Key controls covered |
|---|---|---|
| AC | Access Control | Account management, access enforcement, least privilege, remote access, wireless access, separation of duties |
| AT | Awareness and Training | Security awareness, role-based training, insider threat awareness, practical exercises |
| AU | Audit and Accountability | Audit event logging, log content, log storage, log review, audit reduction and report generation |
| CA | Assessment, Authorisation and Monitoring | Security assessments, system authorisation (ATO), continuous monitoring, penetration testing |
| CM | Configuration Management | Baseline configuration, configuration change control, security impact analysis, software usage restrictions |
| CP | Contingency Planning | Contingency plan, training, testing, backup, recovery and reconstitution, alternate processing and storage sites |
| IA | Identification and Authentication | User identification and authentication, device identification, authenticator management, MFA, identifier management |
| IR | Incident Response | Incident response policy, training, testing, handling, monitoring, reporting and information sharing |
| MA | Maintenance | Controlled maintenance, maintenance tools, remote maintenance, timely maintenance |
| MP | Media Protection | Media access, marking, storage, transport, sanitisation and disposal |
| PE | Physical and Environmental Protection | Physical access authorisation and control, monitoring, visitor control, power and environmental controls |
| PL | Planning | System security and privacy plans, rules of behaviour, security and privacy architectures |
| PM | Program Management | Information security programme, risk management strategy, enterprise architecture, critical infrastructure plan |
| PS | Personnel Security | Position risk designation, personnel screening, termination and transfer, access agreements, external personnel |
| PT | PII Processing and Transparency | Authority to process PII, purpose specification, information sharing, consent, privacy notice, individual access |
| RA | Risk Assessment | Risk assessment policy, security categorisation, risk assessment process, vulnerability monitoring and scanning |
| SA | System and Services Acquisition | Allocation of resources, system development lifecycle, acquisition process, outsourced services, developer security |
| SC | System and Communications Protection | Application partitioning, network segmentation, denial of service protection, boundary protection, cryptographic key management |
| SI | System and Information Integrity | Flaw remediation, malicious code protection, security alerts, software and firmware integrity, spam protection, memory protection |
| SR | Supply Chain Risk Management | Supply chain risk management plan, acquisition strategies, supplier assessments, notification agreements, tamper resistance |
Impact Levels and Baselines
SP 800-53 uses a tiered approach based on the potential impact of a security breach. Each system is categorised as Low, Moderate or High impact — and a corresponding baseline set of controls is applied. Higher impact systems require more controls and more stringent implementations.
| Impact level | Definition | Approximate controls | Typical systems |
|---|---|---|---|
| Low | Limited adverse effect on operations, assets or individuals | ~125 controls | Public-facing websites, non-sensitive administrative systems |
| Moderate | Serious adverse effect on operations, assets or individuals | ~325 controls | Most federal systems, financial systems, systems processing PII |
| High | Severe or catastrophic adverse effect on operations, assets or individuals | ~420 controls | National security systems, critical infrastructure, classified systems |
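The identifier scheme described above (family code, sequential number, optional enhancement in parentheses) and the tiered baseline idea are easy to get wrong in tooling, so here is an added example, not code from the page or from NIST, that parses control identifiers, validates them against the 20 family codes listed above, selects the controls that apply at a given impact level, and reports the gaps against a list of controls an organisation already implements. The sample catalogue and its baseline assignments are constructed for illustration and are not the real SP 800-53B baselines; the assumption that baselines are cumulative (Low ⊆ Moderate ⊆ High) is the example's own.

```python
"""Parse SP 800-53 control identifiers and select/check a baseline subset.

Added example for this page, not NIST's code. Family codes are the 20 listed
on the page; the catalogue below is a constructed illustration, not the real
SP 800-53B baselines.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The 20 control families listed on the page, keyed by their two-letter code.
FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training",
    "AU": "Audit and Accountability", "CA": "Assessment, Authorisation and Monitoring",
    "CM": "Configuration Management", "CP": "Contingency Planning",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning",
    "PM": "Program Management", "PS": "Personnel Security",
    "PT": "PII Processing and Transparency", "RA": "Risk Assessment",
    "SA": "System and Services Acquisition", "SC": "System and Communications Protection",
    "SI": "System and Information Integrity", "SR": "Supply Chain Risk Management",
}

# Identifier grammar from the page: FAMILY-NUMBER with an optional (ENHANCEMENT).
CONTROL_ID = re.compile(r"^(?P<family>[A-Z]{2})-(?P<number>\d+)(?:\((?P<enh>\d+)\))?$")


@dataclass(frozen=True, order=True)
class ControlId:
    family: str
    number: int
    enhancement: int = 0  # 0 means the base control rather than an enhancement

    def __str__(self) -> str:
        base = f"{self.family}-{self.number}"
        return f"{base}({self.enhancement})" if self.enhancement else base


def parse_control_id(text: str) -> ControlId:
    """Parse 'AC-2(1)' style identifiers; reject unknown families and malformed text."""
    match = CONTROL_ID.match(text.strip().upper())
    if match is None or match["family"] not in FAMILIES:
        raise ValueError(f"not a valid SP 800-53 control identifier: {text!r}")
    enh = match["enh"]
    return ControlId(match["family"], int(match["number"]), int(enh) if enh else 0)


IMPACT_RANK = {"Low": 0, "Moderate": 1, "High": 2}

# Constructed sample catalogue (NOT the real SP 800-53B baselines):
# control id -> lowest impact baseline in which it is selected.
SAMPLE_CATALOGUE: Dict[str, str] = {
    "AC-1": "Low", "AC-2": "Low", "AC-2(1)": "Moderate", "AC-2(11)": "High",
    "AC-6": "Moderate", "AC-6(1)": "Moderate",
    "AU-2": "Low", "AU-6": "Low",
    "IA-2": "Low", "IA-2(1)": "Low",
    "SR-1": "Low", "SR-3": "Low", "SR-9": "High",
}


def baseline_controls(impact: str, catalogue: Dict[str, str] = SAMPLE_CATALOGUE) -> List[ControlId]:
    """Controls applicable at an impact level, assuming baselines are cumulative
    (a control selected at Low is also selected at Moderate and High)."""
    if impact not in IMPACT_RANK:
        raise ValueError(f"impact level must be one of {sorted(IMPACT_RANK)}: {impact!r}")
    rank = IMPACT_RANK[impact]
    # Sorting a ControlId orders by (family, number, enhancement), so AC-2 precedes AC-2(1).
    return sorted(parse_control_id(cid) for cid, lowest in catalogue.items()
                  if IMPACT_RANK[lowest] <= rank)


def baseline_gaps(impact: str, implemented: Iterable[str],
                  catalogue: Dict[str, str] = SAMPLE_CATALOGUE) -> List[str]:
    """Baseline controls missing from the implemented set, as identifier strings."""
    have = {parse_control_id(cid) for cid in implemented}
    return [str(c) for c in baseline_controls(impact, catalogue) if c not in have]


def count_by_family(controls: Iterable[ControlId]) -> Dict[str, int]:
    """How many selected controls/enhancements fall in each family."""
    counts: Dict[str, int] = {}
    for c in controls:
        counts[c.family] = counts.get(c.family, 0) + 1
    return counts


if __name__ == "__main__":
    for level in ("Low", "Moderate", "High"):
        selected = baseline_controls(level)
        print(f"{level}: {len(selected)} controls, by family {count_by_family(selected)}")
    # Constructed list of controls an organisation says it already implements.
    print("Low-baseline gaps:", baseline_gaps("Low", ["AC-1", "AC-2", "AU-2", "IA-2"]))
```

The gap report is the part a practitioner actually wants: it is the mechanical core of using SP 800-53 "as a reference to validate that existing controls are comprehensive", and it only works if identifiers are normalised first (note that `ac-2(1)` and `AC-2(1)` parse to the same `ControlId`). Swap `SAMPLE_CATALOGUE` for the real baseline membership from SP 800-53B before relying on the counts.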
How SP 800-53 Relates to Other Frameworks
| Framework | Relationship to SP 800-53 |
|---|---|
| NIST CSF 2.0 | CSF subcategories map directly to SP 800-53 controls — CSF is the strategic framework, SP 800-53 is the technical implementation catalogue |
| ISO 27001 | NIST maintains a crosswalk between SP 800-53 and ISO 27001 Annex A controls — many organisations use both together, with ISO 27001 providing the certifiable management system and SP 800-53 providing granular technical controls |
| FedRAMP | FedRAMP (Federal Risk and Authorisation Management Program) uses SP 800-53 controls as its foundation — cloud providers seeking FedRAMP authorisation must implement SP 800-53 controls at Low, Moderate or High baselines |
| CMMC | The Cybersecurity Maturity Model Certification for US defence contractors draws heavily from SP 800-53 and NIST SP 800-171 |
Securitora Assessment
NIST SP 800-53 Rev 5 is the most comprehensive security controls framework in existence. For US federal agencies and their contractors it is mandatory — for everyone else it is the gold standard for organisations that want the most rigorous, well-documented approach to security controls. The challenge is its complexity — with 1,000+ controls, implementation requires significant expertise and resources. Most non-federal organisations use SP 800-53 selectively, applying relevant control families rather than the full catalogue, or use it as a reference to validate that their existing controls are comprehensive.
| Attribute | Detail |
|---|---|
| Recommended for | US federal agencies (mandatory), defence contractors, critical infrastructure, organisations seeking maximum rigour |
| Difficulty to implement | Very High — 1,000+ controls require a dedicated programme and significant resources |
| Best used with | NIST CSF 2.0 · NIST SP 800-37 (Risk Management Framework) · FedRAMP |
| Official resource | csrc.nist.gov |