| NIST Special Publication 800-53 | |
|---|---|
| Status | Published |
| Year started | February 2005 |
| Latest version | 5th revision |
| Organization | National Institute of Standards and Technology |
| Domain | Information security |
| Copyright | Public domain (U.S. government) |
| Website | csrc.nist.gov |
NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies other than those operating national security systems, since the 5th revision it has been written as a standard for general use. It is published by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help them manage cost-effective programs to protect their information and information systems. [1]
Two related documents, 800-53A and 800-53B, provide assessment guidance and control baselines, respectively, based on 800-53.
NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory's (ITL) research, guidelines, and outreach efforts in information system security, and on ITL's activity with industry, government, and academic organizations. [2]
Specifically, NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. [3] The security rules cover 20 areas including access control, incident response, business continuity, and disaster recovery. [4]
A key part of the assessment and authorization (formerly certification and accreditation) process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (NIST 800-53, Appendix F). These controls are the management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. To implement the needed safeguards or controls, agencies must first determine the security category of their information systems in accordance with the provisions of FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” The security categorization of the information system (low, moderate or high) determines the baseline collection of controls that must be implemented and monitored. Agencies have the ability to adjust these controls and tailor them to fit more closely with their organizational goals or environments. [1]
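The control-selection steps described above (FIPS 199 worst-case categorization, baseline selection, tailoring and supplementation), modelled as an added Python example that is not part of the article or of any NIST publication. The control identifiers are real SP 800-53 names, but their assignment to baselines here is a constructed sample, not the SP 800-53B tables.

```python
from typing import Dict, FrozenSet, Optional

# FIPS 199 impact levels, in increasing order of severity.
LEVELS = ("low", "moderate", "high")

def fips199_category(confidentiality: str, integrity: str, availability: str) -> str:
    """Apply the FIPS 199 worst-case ("high-water mark") rule: the system's security
    category is the highest impact level assigned to any of the three objectives."""
    impacts = (confidentiality, integrity, availability)
    for level in impacts:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(impacts, key=LEVELS.index)

# Constructed sample baselines (assumption): which baseline each control belongs
# to here is illustrative only; the authoritative tables are in SP 800-53B.
SAMPLE_BASELINES: Dict[str, FrozenSet[str]] = {
    "low": frozenset({"AC-1", "AC-2", "AU-2", "IR-4", "SI-2"}),
    "moderate": frozenset({"AC-1", "AC-2", "AC-2(1)", "AU-2", "IR-4", "SI-2", "SI-2(2)"}),
    "high": frozenset({"AC-1", "AC-2", "AC-2(1)", "AC-2(2)", "AU-2", "IR-4",
                       "SI-2", "SI-2(2)", "SI-7(12)"}),
}

def baselines_are_cumulative(baselines: Dict[str, FrozenSet[str]]) -> bool:
    """Sanity check: each higher baseline must contain everything in the lower one."""
    return all(baselines[lo] <= baselines[hi] for lo, hi in zip(LEVELS, LEVELS[1:]))

def select_controls(category: str,
                    remove: Optional[Dict[str, str]] = None,
                    supplement: Optional[Dict[str, str]] = None) -> dict:
    """Select the baseline for `category`, then tailor it. Every control tailored
    out must carry a documented rationale; supplemental controls come from the
    organizational risk assessment. Returns a record for the system security plan."""
    remove, supplement = remove or {}, supplement or {}
    baseline = SAMPLE_BASELINES[category]
    for cid, rationale in remove.items():
        if cid not in baseline:
            raise ValueError(f"{cid} is not in the {category} baseline")
        if not rationale.strip():
            raise ValueError(f"tailoring out {cid} requires a documented rationale")
    final = (baseline - set(remove)) | set(supplement)
    return {"category": category, "baseline": sorted(baseline), "removed": dict(remove),
            "supplemented": dict(supplement), "final": sorted(final)}

if __name__ == "__main__":
    cat = fips199_category("low", "moderate", "low")   # worst case -> "moderate"
    plan = select_controls(cat,
        remove={"SI-2(2)": "no automated patch tooling; manual process documented"},
        supplement={"SI-7(12)": "integrity verification required by risk assessment"})
    print(plan)
```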
Although any private organization can adopt NIST 800-53 as a guiding framework for its security practice, all U.S. federal government agencies and contractors are required to comply with the framework in order to protect their critical data.
Agencies are expected to be compliant with NIST security standards and guidelines within one year of the publication date (February 2005) unless otherwise directed. Information systems that are under development are expected to be compliant upon deployment. [1]
The Cybersecurity Framework (CSF) and 800-53 cover each other's weaknesses: CSF follows a top-down decision-making process, while NIST SP 800-53 takes a bottom-up approach. Combining the two gave developers an easier path to building a new platform and software. Expressing both in Extensible Markup Language (XML) eased their combination and eventually led to the creation of Baseline Tailor, a tool for using the two security catalogs together. [6]
The two relied on five primary functions: [6]
The security control baselines defined by the publication, corresponding to the FIPS 199 security categories, are:
- NIST 800-53 Low
- NIST 800-53 Moderate
- NIST 800-53 High
NIST Special Publication 800-53 was initially released in February 2005 as "Recommended Security Controls for Federal Information Systems." [8]
NIST Special Publication 800-53 Revision 1 was initially released in December 2006 as "Recommended Security Controls for Federal Information Systems."
NIST Special Publication 800-53 Revision 2 was initially released in December 2007 as "Recommended Security Controls for Federal Information Systems."
The third version of NIST's Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," incorporates several recommendations from commenters on previously published versions: a reduction in the number of security controls for low-impact systems, a new set of application-level controls, and greater discretionary powers for organizations to downgrade controls. Also included in the final draft is language that allows federal agencies to keep their existing security measures if they can demonstrate that the level of security is equivalent to the standards being proposed by NIST. [9] The third version also represents an effort to harmonize security requirements across government communities and between government and non-government systems. In the past, NIST guidance had not applied to government information systems identified as national security systems. The management, operational, and technical controls in SP 800-53 Revision 3 provide a common information security language for all government information systems. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats and exploits. Significant changes in this revision of the document include
As part of the ongoing cyber security partnership among the United States Department of Defense, the intelligence community, and the federal civil agencies, NIST launched its biennial update to Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," with an initial public draft released on February 28, 2012. The 2011–12 initiative will include an update of current security controls, control enhancements, supplemental guidance and an update on tailoring and supplementation guidance that form key elements of the control selection process. Key focus areas include, but are not limited to:
Revision 4 is broken up into 18 control families, [11] including:
Information on these control families and the controls contained within can be found on the NIST website at the following link: https://nvd.nist.gov/800-53/Rev4
Network Access Control (NAC) is a tool that has been used to help meet NIST 800-53 requirements: it draws on the Access Control family to authorize devices that request access to the network. NAC also provides an easy and adaptable control that can be fitted to an organization's security needs. [12]
NIST SP 800-53 Revision 5 removes the word "federal" to indicate that these regulations may be applied to all organizations, not just federal organizations. The first public draft was published on August 15, 2017. A final draft release was set for publication in December 2018, with the final publication date set for March 2019. [13] Per the NIST Computer Security Resource Center (CSRC), [14] major changes to the publication include:
As of September 2019, Revision 5 was delayed due to a potential disagreement between the Office of Information and Regulatory Affairs (OIRA) and other U.S. agencies. [15]
The final version of Revision 5 was released on September 23, 2020 [16] and is available on the NIST website at the following link: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
The control families took on a larger role in Revision 5; their purpose is to group the safeguards and protections used to accomplish security objectives. Each control is tied to a different policy and process within the system's security measures. With the upgrade from Revision 4 to Revision 5, the number of control families increased from 18 to 20 with the inclusion of Personally Identifiable Information Processing and Transparency (PT) and Supply Chain Risk Management (SR). [17]
NIST provides the controls, but a government system must first obtain an Authorization to Operate (ATO). The authorization process determines which controls are activated and applied to the system. Systems that pose greater risk are assigned a larger number of controls to defend against outside threats. The groupings of controls are sometimes referred to as topics, or in other cases as control families. [18]
Revision 5 allows the public and private sectors to use NIST guidance to manage the growing threats of hostile attacks and natural disasters, limiting the damage an attack causes from the moment it occurs. [19]
The main purpose of the controls is to provide protective measures for the system, to regulate the risks that are taken and the solutions adopted, and to support compliance with different standards. The goal is to protect the information of different users and to encourage organizations to take measures that improve the security of the frameworks under the supervision of Revision 5. Controls are not expected to remain unchanged over time: controls from earlier revisions are withdrawn and replaced with existing or new controls that take their place in the catalog. A control is expected to remain in place until it is declared unnecessary or ineffective for the current state. [20]
Revision 5 was the first major update to NIST's security guidelines in seven years. It was further enhanced to address the security interests of the United States, and the publication has been downloaded millions of times since 2013. [21]
Revision 5 was tested in a scenario involving 42 different risks in order to evaluate the reliability of the framework and the success of the new revision. Out of the 42 different scenarios, 12 were accepted and 30 were mitigated by the system. [22]
NIST Special Publication 800-53A provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results. [23]
NIST Special Publication 800-53A is titled “Guide for Assessing Security Controls in Federal Information Systems and Organizations." This version will describe testing and evaluation procedures for the 17 required control families. [4] These assessment guidelines are designed to enable periodic testing and are used by federal agencies to determine what security controls are necessary to protect organizational operations and assets, individuals, other organizations, and the nation. [3] According to Ron Ross, senior computer scientist and information security researcher at NIST, these guidelines will also allow federal agencies to assess "if mandated controls have been implemented correctly, are operating as intended, and are... meeting the organization's security requirements."
To do this, version A describes assessment methods and procedures for each of the security controls mandated in Special Publication 800-53. These methods and procedures are to be used as guidelines for federal agencies. These guidelines are meant to limit confusion and ensure that agencies interpret and implement the security controls in the same way. [4]
NIST SP 800-53A Revision 4 is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations." The revision number jumped from Revision 1 to Revision 4 in order to match the NIST Special Publication 800-53 revision it is meant to be used with.
NIST Special Publication 800-53B provides a set of baseline security controls and privacy controls for information systems and organizations. The baselines establish default controls for each FISMA impact level (Privacy, Low, Moderate, and High) and can be easily tailored to organizational risk management processes.
Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results. [24]
NIST Special Publication 800-53B was initially released in September 2020 as "Control Baselines for Information Systems and Organizations." [25]
NIST released SP 800-53 version 5.2.0 on August 27, 2025, to improve the security and reliability of existing software in alignment with Executive Order 14306. Release 5.2.0 improves system and software resilience and assists in security measures. Release 5.2.0 also provides updates to SP 800-53A but no additional updates to SP 800-53B. [26] Release 5.2.0 brought new control enhancements and revisions to existing controls, such as SA-15(13), SA-24, SI-02(07) and SI-07(12). [27]
NIST SP 800-53 Revision 5 is one of the main frameworks supported on AWS's systems. It provides an extensive list of security measures and privacy requirements that every company must comply with, and Revision 5 checks are automated within the systems to provide guidelines and system checks. [28]
Within AWS, the service also provides the details behind Revision 5 and its framework. It uses prebuilt features and controls that comply with NIST standards, further grouped into control sets in order to organize the different audits within the system. The service utilizes a total of 132 automated controls, 875 manual controls, and 20 control sets. [29]
Google Cloud Services (GCS) supports Revision 5 and outlines its guidelines for security. SP 800-53 is built to lay out responsibilities under the Federal Information Security Management Act (FISMA). Further controls are accessed and utilized in the Google Workspace services alongside the Google Cloud Services. [30]
Microsoft Azure likewise supports compliance with the NIST framework and holds it to a standard. Azure applies the Revision 5 domains and controls within Azure policies and security. [31]
The Technical Control Compliance Evaluation (TCCE) checklist was created to check the reliability and validity of frameworks, including NIST 800-53. It used a combination of 55 steps and 66 shell commands to test 48 different NIST 800-53 controls. Seventeen controls failed to reach the TCCE standard requirement and were set aside for major improvements. NIST 800-53 was eventually used to create future security baselines and other frameworks that built on 800-53's reliability. [32]