NIST 800-53 Compliance: What Is It & How to Achieve It [+ Checklist]

  • May 23, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Fortuna Gyeltsen

Product Team

To help protect sensitive information and critical infrastructure, the US government has created several information security standards and frameworks for reducing risk and improving data security. One such crucial framework is NIST 800-53. 

NIST 800-53 serves as a blueprint for implementing security and privacy controls to assure the confidentiality, integrity, and availability of federal information and systems and privacy of individuals. It offers a structured approach to managing cybersecurity risks in order to protect U.S. critical infrastructure and the information systems that support mission-essential operations and assets in the public and private sectors.

In this blog post, we will delve into the intricacies of NIST 800-53 compliance, discussing its fundamentals, control families, password requirements, certification, risk assessment template, and more.

What is NIST 800-53?

National Institute of Standards and Technology (NIST) 800-53 is a security compliance standard and framework created by the US government to help organizations properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA).

Since it contains security and privacy control baselines for federal information systems and organizations, NIST 800-53 is mandatory for federal agencies. Additionally, any organization that works with the federal government or carries federal data may be required to comply with NIST 800-53 or NIST CSF to maintain the relationship. However, NIST 800-53 is designed to be applicable to a broad base of public and private sector organizations.

NIST 800-53 Rev 5

Published in September 2020, NIST 800-53 Rev. 5 is the latest major release of the framework. This revision was designed to provide the “next generation” of security and privacy controls that would 1) apply to all types of computing platforms, including cloud-based systems, mobile devices, Internet of Things (IoT) devices, and more and 2) help federal information systems become more penetration-resistant and cyber-resilient, limit the damage from attacks when they do occur, and protect individuals’ privacy.

Here are some of the most significant changes to Revision 5:

  • Controls were rephrased to be more outcome-based.
  • Information security and privacy controls were consolidated into one control catalog.
  • A new supply chain risk management control family was established.
  • Control selection processes were separated from the controls so different groups, including systems engineers, software developers, business owners, and more, can use them. 
  • Control baselines and tailoring guidance was removed and transferred to a separate document, NIST SP 800-53B, Control Baselines for Information Systems and Organizations.
  • New controls were added based on the latest threat intelligence and cyber attack data, including controls to support cyber resiliency. 

NIST 800-53 control families

NIST 800-53 has over 1000 controls. These are organized into 20 families, each addressing a specific aspect of cybersecurity and privacy, in order to simplify the security and privacy control selection and specification process. 

The 20 NIST 800-53 control families are listed below, along with their two-character identifier.

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Assessment, Authorization, and Monitoring (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • PII Processing and Transparency (PT)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

Please note that the families are arranged in alphabetical order according to their identifiers, not in order of importance or an order in which the controls within each family should be implemented. 

NIST 800-53 controls

Within each control family, NIST 800-53 outlines specific controls designed to manage information security and privacy risks and meet security and privacy requirements imposed on an organization. These requirements include both legal and policy requirements as well as stakeholder needs derived from a variety of sources, including laws, executive orders, directives, regulations, policies, standards, mission and business needs, or risk assessments.

Controls are the safeguards and protection capabilities an organization puts in place in order to achieve their unique information security and privacy requirements. These include

  • technical safeguards such as encryption and network segmentation;
  • administrative safeguards like security awareness training and incident response planning; and 
  • physical safeguards such as physical access controls like controlled areas, screenings at entry points, guards, and locks. 

There are over 1,000 controls in the NIST 800-53 framework. Organizations are challenged with selecting the most appropriate controls that can protect their mission and business functions and manage security and privacy risk. To help in their selection process, NIST 800-53 defines baselines, or a generalized set of controls that an organization can start with and then tailor to create a more targeted solution. Let’s take a closer look at the concept of baselines below.

NIST 800-53 control baselines

In total, NIST 800-53 provides four control baselines, three for security and one for privacy. 

The three security control baselines are sets of minimum controls for federal information systems based on their impact level: Low, Moderate, or High. This impact level is determined by:

  • the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems, and
  • the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, or the Nation if there is a loss of confidentiality, integrity, or availability.

All organizations must implement controls assigned to their respective security control baseline. The amount of controls in each baseline are consummate with risks arising from the loss of confidentiality, integrity, and availability. Since low-impact systems present a limited risk, the Low baseline has the least amount of controls and can be considered the least stringent. High-impact systems present the most severe risk, so the High baseline has the most controls and can be considered the most stringent. However, not all controls in NIST 800-53 that address security are assigned to this baseline. 

There is only one privacy control baseline in NIST 800-53. This is applied to any system that processes PII, regardless of impact level. Meaning, if a system processes PII, the organization must implement controls assigned to the privacy control baseline. Just as with the security baselines, not all controls that address privacy risk are assigned to the privacy control baseline.

To understand how control baselines affect what controls an organization may implement, let’s take a look at examples of specific control families.

Take the Access Control (AC) family, for example. Say an organization selects the Low security baseline. Then, it must implement the following controls:

  • AC-1 Policy and Procedures
  • AC-2 Account Management
  • AC-3 Access Enforcement
  • AC-7 Unsuccessful Login Attempts
  • AC-8 System Use Notification
  • AC-14 Permitted Actions without Identification or Authentication
  • AC-17 Remote Access
  • AC-18 Wireless Access
  • AC-19 Access Control for Mobile Devices
  • AC-20 Use of External Systems
  • AC-22 Publicly Accessible Content

If an organization selected the Moderate security baseline, they must implement the controls above as well as AC-4 Information Flow Enforcement, AC-5 Separation of Duties, AC-6 Least Privilege, AC-11 Device Lock, AC-12 Session Termination, and AC-21 Information Sharing.

If an organization selected the High security baseline, they must implement all the controls above and the AC-10 Concurrent Session Control. 

Take the Incident Response family for another example. Say an organization selects the Low security baseline. Then, it must implement the following controls:

  • IR-1 Policy and Procedures
  • IR-2 Incident Response Training
  • IR-4 Incident Handling
  • IR- 5 Incident Monitoring
  • IR-6 Incident Reporting
  • IR-7 Incident Response Assistance
  • IR-8 Incident Response Plan

If an organization that selects the Low security baseline also processes PII, then it must implement the IR-3 Incident Response Testing control as well as the controls above to meet both the Low security and privacy baselines.

Failure to implement controls to meet NIST 800-53 requirements can lead to loss of federal business, issues reported to Congress, and fines. 

NIST 800-171 vs 800-53

Since NIST 800-53 is considered the gold standard for federal data security, there have been several derivatives designed for different purposes and audiences, including NIST 800-171, FedRAMP, and CJIS.

NIST 800-171 is designed for federal contractors, vendors, and service providers to help them manage controlled unclassified information (CUI) to protect federal information systems. NIST 800-53 is designed for federal agencies, contractors, and any organization carrying federal data to help them develop secure and resilient federal information systems.

The Ultimate Guide to Federal Frameworks

Get an overview of the most common federal frameworks, who they apply to, and what their requirements are.

How to achieve NIST 800-53 compliance

The steps below can help guide you through the NIST 800-53 compliance process. 

1. Define your ​​information security and privacy requirements.

To inform the NIST 800-53 control selection and specification process, you must first understand and define what information security and privacy obligations are imposed on your organization. 

These may include legal and policy requirements in FISMA, the Privacy Act of 1974, OMB policies, and designated Federal Information Processing Standards (FIPS) as well as stakeholder needs that are derived from laws, executive orders, directives, regulations, policies, standards, mission and business needs, or risk assessments.

2. Determine your security control baseline and if the privacy control baseline is applicable.

Next, you want to select a security control baseline based on the system impact level. 

To assess the impact level of your information system, you’ll need to compile an inventory of 

  • The types of information transmitted, stored, or processed and the associated information system components categorized according to the level of security risk
  • All information system components with necessary tracking information
  • All information system components within the authorization boundary depicted in a network architecture diagram
  • All data flows between information system components depicted in a data flow diagram

Once you’ve compiled this inventory, you can categorize the information system into an impact level according to the potential adverse impact on the confidentiality, integrity, and availability of information systems and information (referencing FIPS 199). From there, you can select the associated security control baseline.

The table below outlines the relationships between impact levels and control baselines. 

Potential adverse impact on security outcomes FIPS 199 impact levels NIST 800-53 security control baselines
Limited Low-impact Low
Serious Medium-impact Medium
Severe High-impact High

At this stage, you should also determine whether the privacy control baseline applies to your organization. Generally speaking, this baseline applies if your organization processes personally identifiable information (PII).

3. Tailor your security control baseline (and privacy if applicable).

As mentioned above, the security and privacy control baselines are just a starting point. Organizations can add controls in order to specialize or customize the set of baseline controls based on a number of factors, including their specific mission and business functions, the environments where their systems operate, and the threats and vulnerabilities that can affect their systems.

The tailoring process involves multiple actions, such as:

  • identifying and designating common controls, or controls whose implementation results in a protection capability that is inheritable by multiple systems or programs
  • supplementing baselines with additional security controls based on identified risks
  • selecting compensating security controls, or controls that provide equivalent or comparable protection for a system or organization than controls in the baseline
  • assigning specific values to organization-defined security control parameters
  • applying scoping considerations, like scalability or technological infrastructure, on the applicability and implementation of baseline controls
  • providing additional specification information for control implementation

4. Implement the selected controls or put a plan in place to do so.

Now, it’s time to begin implementing your tailored control baseline. 

To start, document how each control will be implemented in a system security and privacy plan according to the corresponding control baseline (referencing NIST 800-18).

This plan should include:

  • Any tailoring activities above
  • Responsibilities for control development, implementation, assessment, and monitoring 
  • Responsibilities and rules of behavior of all individuals with access to the information system
  • Control family policy and procedures
  • Any system specific information, such as information processed, relevant roles, and/or any control specific/relevant policy/procedures
  • Any other required policies or procedures, such as a continuous monitoring policy, contingency plan, maintenance plan, supply chain risk management policy or plan

The purpose of this plan is to sufficiently describe the intended application of each selected control in the context of the system so that the control can be correctly implemented and subsequently assessed to ensure it’s effective. 

5. Perform risk assessments.

Managing information security and privacy risk requires due diligence. So having a comprehensive risk management program is critical for NIST 800-53 compliance. Establishing one requires you to:

  • Establish the risk model, assessment approach, and analysis approach you will be using as part of the risk assessment process (referencing NIST 800-30)
  • Map implemented controls to identified risks
  • Determine if additional processes need to be implemented to meet all baseline controls
  • Determine if tailored controls need to be added to address risks. 

6. Assess the effectiveness of your controls.

Now, it’s time to test your information systems against the tailored set of baseline security controls to assess their effectiveness. You may do this internally or engage a third-party auditor if necessary.

Control assessments are critical, and help ensure that your organization

  • Meets information security and privacy requirements
  • Identifies weaknesses in the system design and development process
  • Has essential information needed to make risk-based decisions as part of authorization processes
  • Complies with vulnerability mitigation procedures

7. Establish a continuous monitoring program. 

NIST 800-53 compliance requires ongoing dedication and vigilance to maintain the effectiveness of security controls and adapt to evolving threats and regulations.

Continuous monitoring is essential for maintaining compliance. The most effective continuous monitoring programs should include:

  • Metrics that best convey the security posture of your information, information systems, and organizational resilience and are monitored over time
  • A plan of action and milestones (POAM) for tracking open and closed risks, vulnerabilities, audit findings, and/or any other issues
  • Automated tools to make the process of continuous monitoring more cost-effective, consistent, and efficient (i.e. compliance scanning can often help ensure that configurations and security settings are consistently in place and operating effectively)

NIST 800-53 checklist

A compliance checklist can be a valuable tool for organizations to assess their adherence to a framework's requirements and controls. Use this NIST 800-53 checklist as a structured approach for evaluating your compliance readiness and overall cybersecurity posture.

Download it here.

NIST 800-53 compliance checklist

With over a thousand controls, NIST 800-53 is a strict and comprehensive information security framework. This checklist breaks down NIST 800-53 compliance into clear, actionable steps.

How Secureframe can help streamline NIST 800-53 compliance

Secureframe can streamline the process for complying with NIST 800-53, helping organizations save time, reduce costs, and improve their security and compliance posture. 

With Secureframe, you’ll get:

  • Federal compliance expertise: A dedicated support team with former FISMA, FedRAMP, and CMMC auditors and consultants who can guide you through federal readiness, audits, and compliance updates
  • Integrations to federal clouds: Automatic evidence collection from existing tech stack, including government cloud variants like AWS GovCloud.
  • Prebuilt and custom policies and templates: Templated policies, procedures, and SSPs customizable to meet needs and additional templates including Separations of Duties Matrix, POA&M documents, Impact Assessments, and readiness checklists
  • In-platform training: Proprietary employee training that meets federal requirements and is reviewed and updated annually by compliance experts
  • Role-based access controls: Data access controls based on roles and need-to-know basis
  • Custom controls and tests: Support for organizationally-defined implementations for NIST 800-53 and other frameworks
  • Trusted partner network: Relationships with certified Third Party Assessment Organizations (3PAOs) and CMMC 3PAOs (C3PAOs) supporting various federal audits
  • Cross-mapping across frameworks: Automated mapping of compliance efforts across multiple frameworks for efficiency so you’re never starting from scratch
  • Continuous monitoring: 24/7 monitoring to alert you of non-conformities, and risk Register and vulnerability scanning support for continuous monitoring and POA&M maintenance

To learn more about how Secureframe can help you comply with NIST 800-53, schedule a demo.

FAQs

Is NIST 800-53 mandatory?

NIST 800-53 is mandatory for federal agencies and contractors as well as any organization that carries federal data.

How many controls are in NIST 800-53?

NIST 800-53 encompasses over a thousand security and privacy controls across multiple control families.

How many control families are in NIST 800-53 Rev 5?

NIST 800-53 Rev 5 consists of twenty control families that address various aspects of cybersecurity and privacy.

Is there NIST 800-53 certification?

Unlike security frameworks like ISO 27001 and PCI DSS, there is no certification for NIST 800-53. However, federal agencies must implement applicable NIST 800-53 controls and provide evidence of compliance as part of their annual FISMA reporting requirements.

What is the difference between NIST CSF and NIST 800-53?

The NIST Cybersecurity Framework (CSF) provides a high-level framework for improving cybersecurity posture, focusing on risk management and mitigation strategies. In contrast, NIST 800-53 offers detailed security and privacy controls tailored for federal information systems and organizations.

What is the difference between NIST 800-53 and 800-171?

The key difference is that NIST 800-53 is mandatory for federal agencies as well as federal contractors and other organizations carrying federal data, whereas NIST 800-171 is mandatory for non-federal agencies that store or share controlled unclassified information for the Department of Defense. 

What is the overlap between CMMC/NIST 800-171 and NIST 800-53?

All of the controls in CMMC/NIST 800-171 are part of NIST 800-53, but not vice versa. CMMC/NIST 800-171 only makes up around 30-40% of the NIST 800-53 controls.

What is the overlap between SOC 2 and NIST 800-53?

There is approximately 30-40% overlap between SOC 2 and NIST 800-53 but the exact percentage would depend on which baseline (Low, Moderate, High) is selected. A lot of the standard SOC 2 requirements (access controls, network security, contingency plan, incident response, etc.) are part of each of the NIST 800-53 baselines.

Use trust to accelerate growth

Request a demoangle-right
cta-bg