NIST Special Publication (SP) 800-53 provides a comprehensive catalog of security and privacy controls designed to protect federal information systems and organizations. These more than one thousand controls are categorized into families, which group similar controls together.
This article explains the NIST 800-53 control families in the latest version of NIST 800-53, how they are organized, and their role in the control selection process.
What are the NIST 800-53 Rev 5 control families?
NIST 800-53 Rev 5 organizes controls into 20 distinct control families, each identified by a unique two-character identifier. These families cover a wide range of security and privacy topics, helping organizations to select and specify the controls that satisfy the security and privacy requirements and manage risks unique to their organization.

1. Access Control (AC)
Access Control is about making sure that only the right people can get into specific systems, applications, and data. It enforces who can access what and under what conditions. This includes things like requiring multi-factor authentication, setting least privilege access, and controlling remote access to ensure outsiders don’t get in.
2. Awareness and Training (AT)
Security is only as strong as the people using the system. Think about a company where employees don’t know what a phishing email looks like — they click the wrong link, and now the entire network is compromised. Awareness and Training ensures that everyone in the organization understands cybersecurity risks and knows how to handle sensitive data safely. This includes general security training for employees, specialized training for IT staff, and even making sure executives understand their role in security.
3. Audit and Accountability (AU)
Audit and Accountability is all about keeping track of who did what, when, and where in your systems. It ensures that logs are collected, analyzed, and protected so that security teams can spot suspicious activity, investigate incidents, and prove compliance if auditors come knocking.
4. Assessment, Authorization, and Monitoring (CA)
This is about making sure your security is actually working. It’s like doing routine health checkups for your IT systems. You don’t just set up security once and forget it — you need to regularly assess risks, authorize systems before they go live, and continuously monitor for vulnerabilities.
5. Configuration Management (CM)
A single misconfigured setting can be the difference between being secure and getting hacked. Configuration Management ensures that all systems are set up securely and stay that way. This includes things like using secure baseline configurations, enforcing software updates, and restricting unnecessary features that could be exploited.
6. Contingency Planning (CP)
Hope for the best, but prepare for the worst. What happens if your company is hit by a cyberattack, a natural disaster, or a system failure? Contingency Planning is about disaster recovery, backup strategies, and business continuity — ensuring that even if something goes wrong, your organization can recover quickly and with minimal damage.
7. Identification and Authentication (IA)
Identification and Authentication ensures that users are who they say they are before granting access. This includes password security, multi-factor authentication (MFA), and biometric verification. In short, it stops unauthorized users from sneaking into systems.
8. Incident Response (IR)
No matter how strong your security is, something will eventually go wrong. And when it does, you need a solid response plan. Incident Response is about detecting, handling, and recovering from security incidents. It ensures that organizations have a structured process for responding to breaches, including reporting incidents, investigating threats, and improving defenses after an attack.
9. Maintenance (MA)
Imagine you buy a car but never take it in for an oil change or a tune-up. Eventually, it’s going to break down. Maintenance is the same concept for IT systems, ensuring that regular, secure maintenance is performed without introducing new security risks. This includes tracking maintenance activities, ensuring only authorized personnel perform updates, and securing remote maintenance connections.
10. Media Protection (MP)
Media Protection is all about ensuring that sensitive data on physical and digital media is handled properly. Whether it's encrypting USB drives, securely disposing of old hard disks, or protecting printed documents, the goal is to prevent unauthorized access to stored data.
11. Physical and Environmental Protection (PE)
Physical and Environmental Protection ensures that data centers, offices, and other critical locations are secure from unauthorized access, theft, and even environmental threats like fires or floods. Think locked doors, security cameras, and badge access systems.
12. Planning (PL)
Planning is about being intentional and strategic with your approach to information security, developing and documenting security policies, procedures, and strategies so that everyone knows what to do. It includes creating security roadmaps, defining acceptable use policies, and ensuring security is built into new IT projects from the start.
13. Program Management (PM)
Think of this as security at the organizational level. Instead of focusing on individual systems, Program Management ensures that security is aligned with business goals. It includes assigning security leadership roles, monitoring overall security performance, and integrating security into enterprise risk management.
14. Personnel Security (PS)
Personnel Security ensures that employees and contractors are properly vetted, trained, and managed. It includes background checks, security training, and procedures for handling employee terminations to prevent insider threats.
15. PII Processing and Transparency (PT)
If a company collects personally identifiable information (PII), it needs to be transparent about how that information is used and protected. This control family ensures that organizations handle PII responsibly, obtain user consent, and protect personal data from misuse.
16. Risk Assessment (RA)
Before implementing security controls, you need to identify risks, analyze potential threats, and determine the best approach to mitigating them. This includes running regular vulnerability scans, assessing emerging threats, and evaluating privacy risks.
17. System and Services Acquisition (SA)
When you buy new software or work with vendors, how do you know they’re secure? System and Services Acquisition ensures that security is built into procurement and development. It covers supply chain security, secure software development practices, and vetting third-party vendors.
18. System and Communications Protection (SC)
Cybercriminals often target networks and communications to steal data or launch attacks. System and Communications Protection ensures that data is protected during storage and transmission, requiring encryption, network segmentation, firewalls, and secure protocols.
19. System and Information Integrity (SI)
This control family ensures systems can detect, prevent, and recover from security threats. It includes anti-malware, intrusion detection, system monitoring, and patch management.
20. Supply Chain Risk Management (SR)
Every organization relies on external vendors for hardware, software, and services. But what if a supplier has weak security? Supply Chain Risk Management ensures that third-party vendors are properly vetted, security requirements are included in contracts, and third-party risks are minimized.
NIST SP 800-53 lists the security and privacy control families with their identifiers and the controls that belong to each family, but it does not describe what each family covers. The table below gives the NIST 800-53 control families along with their identifiers and a short description of each, to make clearer what each topic includes.
Control Family Identifier | Control Family Name | Control Family Description |
---|---|---|
AC | Access Control | Policies and procedures for restricting access to systems and information |
AT | Awareness and Training | Security education, training, and awareness programs for personnel who use and create information systems |
AU | Audit and Accountability | Controls to track, document, and report on system events, logging, and monitoring |
CA | Assessment, Authorization, and Monitoring | Processes for assessing, testing, remediating, authorizing, and continuously monitoring security and privacy controls |
CM | Configuration Management | Controls for establishing and maintaining the integrity of system configurations and change management |
CP | Contingency Planning | Disaster recovery and business continuity planning in case of a security incident |
IA | Identification and Authentication | Mechanisms for uniquely identifying and authenticating users and devices |
IR | Incident Response | Processes for detecting, reporting, responding to, and monitoring security incidents |
MA | Maintenance | Controls for maintaining information systems over time |
MP | Media Protection | Policies and procedures for securely handling and disposing of media |
PE | Physical and Environmental Protection | Physical and environmental controls for protecting systems and facilities |
PL | Planning | Controls for developing and updating security and privacy plans for systems and selecting and tailoring baselines |
PM | Program Management | Plans and processes for ensuring governance and oversight for information security and privacy programs |
PS | Personnel Security | Screening and security policies for employees and contractors throughout the lifecycle |
PT | PII Processing and Transparency | Privacy-specific controls for handling personally identifiable data |
RA | Risk Assessment | Processes for identifying and assessing security and privacy risks |
SA | System and Services Acquisition | Controls to securely acquire and manage systems and services throughout the lifecycle |
SC | System and Communications Protection | Controls for protecting information and system resources, including network security |
SI | System and Information Integrity | Mechanisms for protecting system integrity against threats such as malicious code and spam |
SR | Supply Chain Risk Management | Controls and processes for securing third-party vendors and supply chains |
NIST 800-53 Rev 5 vs NIST 800-53 Rev 4 control families
There were some major changes in NIST 800-53 Rev 5, particularly to the control families.
Most notably, two new families were introduced:
- PII Processing and Transparency (PT): Addressing privacy-specific risks and compliance requirements.
- Supply Chain Risk Management (SR): Focusing on managing cybersecurity risks in supply chains.
These new families reflect the increasing importance of privacy protection and supply chain security.
Also, the CA family, which had been titled “Security Assessment and Authorization” in Revision 4, was changed to “Assessment, Authorization, and Monitoring” to emphasize continuous monitoring.
The NIST SP 800-53 control family list explained
As previously stated, NIST 800-53 control families are identified using a two-character identifier (e.g., AC for Access Control, RA for Risk Assessment). The families are arranged in alphabetical order based on these identifiers.
Each control family contains controls and control enhancements related to the topic of the family.
- Controls: Base controls that prescribe a security or privacy capability to be implemented.
- Control enhancements: Related controls that augment the base control in some way, by either adding functionality or specificity to or increasing the strength of a base control.
Controls and control enhancements are arranged within each family in numerical order.
The order of control families and the order of the controls and control enhancements within each family is not indicative of any logical progression, level of protection, priority, degree of importance, or order in which the controls are to be implemented. In other words, the AC control family is not the “most important” family, and it does not necessarily need to be implemented before the RA family.
Instead, organizations must select, tailor, and implement the controls and control enhancements across the 20 control families based on their specific security and privacy requirements and risks.
Organizing the over one thousand controls into families is simply meant to help facilitate this process of identifying and implementing relevant security and privacy controls.
FAQs
What is a control family?
In NIST 800-53, a control family contains all the controls and control enhancements related to a particular topic, such as access control or supply chain risk management.
How many control families are in NIST 800-53 Rev 5?
There are 20 control families in NIST 800-53 Rev 5.
How many controls are in NIST 800-53?
There are 1,007 controls and control enhancements in NIST 800-53 Rev 5.