Control Family

A control family is a group of related security controls categorized by function and purpose.

What is a Control Family?

A control family is a group of related security controls categorized by function and purpose. In NIST 800-53 and NIST 800-171, controls are organized into families to provide a structured approach to control selection. Each family addresses a specific security and privacy topic, ensuring comprehensive protection of information systems.

The NIST 800-53 catalog contains over one thousand controls, organized into 20 control families:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Assessment, Authorization, and Monitoring (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • PII Processing and Transparency (PT)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

NIST 800-171 controls are organized into 17 of these control families. The excluded families, such as Program Management, are the ones less relevant to the nonfederal CUI protection requirements.