Since NIST SP 800-53 contains over one thousand controls and control enhancements, it can be challenging for organizations to select the controls that are most appropriate to their mission, business functions, and risks.
To help address this challenge, NIST published NIST SP 800-53B, Control Baselines for Information Systems and Organizations. This document defines baselines, or predefined sets of security and privacy controls that can help guide federal agencies and private sector organizations in the control selection process.
Let’s take a closer look at the NIST 800-53 baselines below.
NIST 800-53 baselines
NIST 800-53 baselines are minimum sets of controls selected from NIST SP 800-53 that organizations can implement to manage information security and privacy risk and meet legal and policy requirements in FISMA, the Privacy Act of 1974, OMB policies, and designated Federal Information Processing Standards (FIPS).
In NIST 800-53B, there are three security control baselines and one privacy control baseline.

NIST 800-53 Security Baselines
The three security control baselines align to three impact levels of a potential security breach: low-impact, moderate-impact, and high-impact. Impact level is determined by the criticality and sensitivity of the information the system processes, stores, or transmits, and by the potential adverse impact of a loss of confidentiality, integrity, or availability of that information.
The organization’s level of concern and potential impact values for the three security objectives—confidentiality, integrity, and availability—may vary. For example, if the unauthorized disclosure of information is expected to have a limited adverse effect, then the potential impact value for the confidentiality objective would be low. But if the unauthorized modification or destruction of that same information is expected to have a serious adverse effect, then the potential impact value for the integrity objective would be moderate.
Since the potential impact for each security objective may differ in this way, organizations use the high water mark concept defined in FIPS 199: the highest potential impact value among the three security objectives determines the system impact level.
- If at least one of the security objectives is high, the system is defined as high-impact.
- If at least one of the security objectives is moderate and no security objective is high, the system is defined as moderate-impact.
- If all three of the security objectives are low, the system is defined as low-impact.
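As an added illustration (not from the original article and not NIST's own code), the following Python shows the FIPS 199 categorization procedure that the high water mark belongs to. It goes one step beyond the text above: FIPS 199 categorizes a system from the information types it handles, applying the high water mark first across information types for each objective and then across the three objectives, and it permits a value of "not applicable" only for the confidentiality of an information type (public information), never for a system objective, so a system floors at low. The class and function names and the sample information types are constructed for this example.

```python
"""FIPS 199 security categorization using the high water mark.

Added example; not from the article or from NIST. Information types and
names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("low", "moderate", "high")
_RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class InformationType:
    """Provisional impact values for one information type (FIPS 199 Section 3).

    confidentiality may be None, meaning "not applicable". FIPS 199 allows
    that only for the confidentiality of public information; integrity and
    availability always carry at least a low value.
    """
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value is None and objective == "confidentiality":
                continue
            if value not in _RANK:
                raise ValueError(
                    f"{self.name}: {objective} must be one of {LEVELS}, got {value!r}"
                )


def high_water_mark(values: Iterable[Optional[str]]) -> str:
    """Return the highest impact value, ignoring 'not applicable' (None).

    A system objective can never be NA under FIPS 199, so an empty or
    all-NA input floors to low.
    """
    present = [v for v in values if v is not None]
    if not present:
        return "low"
    return max(present, key=_RANK.__getitem__)


def categorize_system(
    info_types: Iterable[InformationType],
) -> Tuple[Dict[str, str], str]:
    """Apply the high water mark twice.

    First across all information types for each objective (giving the
    system's per-objective values), then across the three objectives
    (giving the overall system impact level).
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        objective: high_water_mark(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def select_baselines(
    info_types: Iterable[InformationType], processes_pii: bool
) -> List[str]:
    """Name the SP 800-53B baselines to start from.

    The security baseline follows the system impact level; the privacy
    baseline is added whenever the system processes PII, regardless of level.
    """
    _, overall = categorize_system(info_types)
    chosen = [overall.capitalize()]
    if processes_pii:
        chosen.append("Privacy")
    return chosen


if __name__ == "__main__":
    # Constructed sample: a public web site whose content is public
    # (confidentiality NA) but must not be tampered with (integrity moderate),
    # plus a contact form that stores personal records (PII).
    web_content = InformationType("public web content", None, "moderate", "low")
    contact_records = InformationType("contact records", "moderate", "moderate", "low")

    per_objective, overall = categorize_system([web_content, contact_records])
    print("per objective:", per_objective)      # confidentiality floors to moderate
    print("system impact level:", overall)     # moderate (high water mark)
    print("baselines:", select_baselines([web_content, contact_records], True))
```

The first high water mark is what lifts the system's confidentiality to "low" even when every information type marks it not applicable; the second is the three-bullet rule above. Swapping any single value to "high" moves the whole system to the High baseline, which is why categorization of individual information types deserves as much scrutiny as the final roll-up.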
After determining the impact level of the system, the organization can select the applicable security control baseline. It’s also recommended to verify your required baseline with any federal contract owners or customers, if applicable.
Each security baseline specifies controls from 18 of the 20 control families in the NIST SP 800-53 catalog.
Starting with Low, the rigor and scope of the security controls in each baseline increase with the impact level of the system. Since high-impact systems present the most severe risk, the High baseline has the most controls and control enhancements (370 in total) and is the most stringent. Low-impact systems present limited risk, so the Low baseline has the fewest (149) and is the least stringent. The Moderate baseline falls in between at 287.
We’ll discuss the three security control baselines in more depth in the next article. Now that we have a general understanding of these baselines, let’s look at what the privacy baseline is.
NIST 800-53 Privacy Baseline
There is only one privacy control baseline that is applied to systems processing Personally Identifiable Information (PII) irrespective of their security impact level. This baseline is made up of privacy controls that supplement security controls to address the unique risks associated with handling PII.
This baseline specifies 96 controls from 16 of 20 control families.
The table below shows exactly which control families allocate controls to all three security control baselines and the privacy baseline.
Control Family ID | Control Family Name | All Security Baselines | Privacy Baseline |
---|---|---|---|
AC | Access Control | ✓ | ✓ |
AT | Awareness and Training | ✓ | ✓ |
AU | Audit and Accountability | ✓ | ✓ |
CA | Assessment, Authorization, and Monitoring | ✓ | ✓ |
CM | Configuration Management | ✓ | ✓ |
CP | Contingency Planning | ✓ | |
IA | Identification and Authentication | ✓ | |
IR | Incident Response | ✓ | ✓ |
MA | Maintenance | ✓ | |
MP | Media Protection | ✓ | ✓ |
PE | Physical and Environmental Protection | ✓ | ✓ |
PL | Planning | ✓ | ✓ |
PM | Program Management | | ✓ |
PS | Personnel Security | ✓ | ✓ |
PT | PII Processing and Transparency | | ✓ |
RA | Risk Assessment | ✓ | ✓ |
SA | System and Services Acquisition | ✓ | ✓ |
SC | System and Communications Protection | ✓ | ✓ |
SI | System and Information Integrity | ✓ | ✓ |
SR | Supply Chain Risk Management | ✓ | |
Do the NIST 800-53 Control Baselines contain all the NIST 800-53 controls?
Looking at the totals listed for each baseline above, you may have already noticed that not all one thousand plus NIST 800-53 controls are allocated to the security and privacy control baselines.
For example, the Incident Response (IR) family consists of 9 controls and 31 control enhancements in the NIST SP 800-53 catalog (as tabulated in NIST SP 800-53B). As the table below shows, organizations do not have to implement all 40 of these controls and control enhancements to meet their respective security and privacy control baselines.
Baseline | No. of controls | No. of control enhancements | Total |
---|---|---|---|
Low security | 7 | 0 | 7 |
Moderate security | 8 | 5 | 13 |
High security | 8 | 10 | 18 |
Privacy | 8 | 2 | 10 |
NIST SP 800-53B Chapter 3 indicates the controls and control enhancements that are assigned to baselines in the low, moderate, or high columns by an “x” in Tables 3-1 through 3-20. That means you’d have to count these x’s up manually to find totals as shown above for the IR family.
To save you from that manual effort, we calculated the totals. You can download the sheet below for a complete breakdown of how many controls and control enhancements from each family are in each security and privacy control baseline.

NIST 800-53 Baselines Control Allocation Spreadsheet
To get a sense of how comprehensive each baseline is in relation to each other and to the different areas of cybersecurity represented by each family name, we've broken down the number of controls per family in each baseline.
Tailoring NIST 800-53 Control Baselines
You may be wondering why the security and privacy control baselines don’t contain all the controls and control enhancements in the NIST 800-53 catalog. This is because control baselines only provide a starting point for organizations when selecting controls to manage the security and privacy risks specific to their organization. After selecting an appropriate control baseline, organizations must tailor this generalized set of controls to align them more closely to their identified security and privacy requirements.
Many factors may be considered in the tailoring process, including:
- Organizational mission
- Business needs
- Stakeholder protection needs
- Risk assessments
- Specific and credible threat information
- The operating environment
- Individuals’ privacy interests
- Types of systems
- Sector-specific requirements
- Specific technologies
- Organizational assumptions and constraints
- Laws, executive orders, regulations, policies, or directives
- Industry standards and best practices.
The goal of the tailoring process is to produce a customized security and privacy solution for the organization. To do this, organizations may conduct a range of activities as part of the tailoring process, such as:
- Identifying and designating common controls (i.e., controls inherited from another internal or external entity, such as a cloud service provider)
- Applying scoping considerations to eliminate unnecessary controls from the initial control baselines
- Selecting compensating controls in lieu of specific controls in the control baselines
- Assigning values to organization-defined control parameters via explicit assignment and selection operations to support specific organizational requirements
- Supplementing baselines with additional controls and control enhancements to address threats, risks, and requirements specific to the organization
- Providing additional specification information for control implementation to fully define the intent of a control and ensure that requirements related to that control are satisfied.
To avoid organizations arbitrarily removing security and privacy controls from baselines, tailoring decisions must be documented in the system security and privacy plans (SSPs) for organizational systems. These decisions must be justified based on mission and business needs and risks.
When done correctly, the tailoring process enables organizations to achieve a cost-effective solution that supports organizational mission and business needs and provides security and privacy protections commensurate with risk.
FAQs
Are NIST 800-53 Rev 5 baselines different from Rev 4?
Yes. NIST SP 800-53 Rev 5 made significant changes to the baselines compared to Rev 4, and moved them out of the catalog into the companion publication NIST SP 800-53B. Key differences include:
- Privacy controls are integrated into the single control catalog (rather than published as a separate appendix) and are allocated to their own privacy control baseline.
- Two new control families: Personally Identifiable Information Processing and Transparency (PT) and Supply Chain Risk Management (SR).
- Controls are written as outcome-based statements rather than naming the entity responsible for them, which gives organizations more flexibility in how and by whom a control is implemented.
- New controls and control enhancements that address emerging areas such as supply chain risk.
These changes make the Rev 5 baselines more adaptable to contemporary cybersecurity and privacy challenges.
Can private companies use NIST 800-53 baselines?
Yes. While originally designed for federal agencies, private companies across industries can adopt NIST 800-53 baselines to strengthen their security posture and demonstrate their commitment to industry best practices.
Which control families are not part of any of the security control baselines?
Controls from the Program Management (PM) and Personally Identifiable Information Processing and Transparency (PT) families are not allocated to any security control baseline.
Which control families are not part of the privacy control baseline?
Controls from the following families are not allocated to the privacy control baseline:
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Maintenance (MA)
- Supply Chain Risk Management (SR)
Which NIST 800-53 baseline applies to me?
NIST SP 800-53B includes three security control baselines, one for each system impact level. The control baselines for systems are commensurate with the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, or the Nation if there is a loss of confidentiality, integrity, or availability. Select the one that best matches your impact level:
- Low: Suitable for systems where the loss of confidentiality, integrity, or availability would have a limited adverse effect.
- Moderate: Suitable for systems where a breach could cause a serious adverse impact.
- High: Suitable for systems where a compromise could have severe or catastrophic consequences.
The privacy control baseline generally applies to your system if it processes Personally Identifiable Information (PII), regardless of its impact level.