When a security professional says “implement the appropriate controls,” the document that defines what a control actually is, how controls are organized, and which ones apply at which impact level is NIST Special Publication 800‑53. Revision 5 consolidates security and privacy into a single, unified catalog of over 1,000 controls organized across 20 families (Joint Task Force, 2020).
Document Background
SP 800‑53 has been the backbone of federal cybersecurity compliance since its first edition in 2005. It is the control catalog that FISMA (the Federal Information Security Modernization Act) relies on: every federal information system must implement a set of controls selected from this publication, tailored to the system’s risk profile. The document is maintained by the Joint Task Force, a collaborative group that includes NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems (Joint Task Force, 2020).
Revision 5, published in September 2020 with a minor errata update in December 2020, introduced several structural changes. The most significant is the integration of privacy controls directly into the catalog. Previous revisions kept privacy controls in a separate appendix; Rev. 5 weaves them into the same family structure so that organizations can address security and privacy in a coordinated manner. The revision also removed the word “federal” from its scope statement, signaling that the controls are designed to be useful to any organization, not just government agencies (Joint Task Force, 2020).
SP 800‑53 is the document that makes “control” a precise, auditable term rather than a vague aspiration. When an auditor asks whether you have implemented access control, they are asking about specific, numbered requirements from this catalog. When a risk assessor says a system needs controls at the moderate baseline, they mean a defined subset of this document. If you plan to work in federal cybersecurity, compliance, or audit, you will reference 800‑53 regularly.
What Is a Control?
NIST defines a security or privacy control as a safeguard or countermeasure prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information, or to manage privacy risk. In practical terms, a control is a specific, actionable requirement that an organization must implement, document, and verify (Joint Task Force, 2020).
Each control in SP 800‑53 has a structured format. It includes a unique identifier (such as AC‑2 for Account Management), a descriptive title, the control statement itself (what must be done), supplemental guidance (context and implementation advice), and, for many controls, a set of control enhancements that add more specific or advanced requirements. Control enhancements are numbered beneath their parent control: AC‑2(1), AC‑2(2), and so on (Joint Task Force, 2020).
Controls are intentionally written to be technology‑neutral. The catalog tells you what to achieve, not how to achieve it. For example, the control for access enforcement (AC‑3) requires that the system enforce approved authorizations for logical access, but it does not prescribe a specific technical mechanism. This abstraction allows the same control to apply to a mainframe, a cloud service, or an IoT device (Joint Task Force, 2020).
Students sometimes confuse controls with policies or procedures. A policy is a high‑level statement of intent (e.g., “The organization shall manage user accounts”). A control is a specific, auditable requirement (e.g., AC‑2: the organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts). A procedure is the step‑by‑step process for implementing that control in a particular environment.
The 20 Control Families
SP 800‑53 Rev. 5 organizes its controls into 20 families, each identified by a two‑letter abbreviation. The families group related controls together. Some families, like Access Control (AC), contain dozens of controls and enhancements; others, like Planning (PL), are smaller. The following table lists all 20 families (Joint Task Force, 2020).
| Abbreviation | Family Name | Description |
|---|---|---|
| AC | Access Control | Policies and mechanisms for controlling who can access what, including account management, access enforcement, and least privilege. |
| AT | Awareness & Training | Security and privacy awareness training for personnel, including role‑based training for those with significant responsibilities. |
| AU | Audit & Accountability | Generating, reviewing, and protecting audit logs so that actions can be traced to individual users. |
| CA | Assessment, Authorization & Monitoring | Security assessments, system authorization decisions, and continuous monitoring of controls. |
| CM | Configuration Management | Establishing and maintaining baseline configurations, managing changes, and restricting unauthorized software. |
| CP | Contingency Planning | Preparing for, responding to, and recovering from disruptions, including backup and recovery strategies. |
| IA | Identification & Authentication | Verifying the identity of users, devices, and processes before granting access. |
| IR | Incident Response | Detecting, reporting, and responding to security incidents, including incident handling and reporting. |
| MA | Maintenance | Performing timely maintenance on systems and controlling maintenance tools and personnel. |
| MP | Media Protection | Protecting, sanitizing, and disposing of media containing sensitive information. |
| PE | Physical & Environmental Protection | Controlling physical access to facilities, equipment, and media, plus environmental safeguards. |
| PL | Planning | Developing security and privacy plans that describe the controls in place and rules of behavior. |
| PM | Program Management | Organization‑wide information security and privacy program management, including risk strategy and insider threat programs. |
| PS | Personnel Security | Screening individuals prior to access, managing transfers and terminations, and enforcing access agreements. |
| PT | Personally Identifiable Information Processing & Transparency | New in Rev. 5. Controls for lawful processing of PII, consent, privacy notices, and data minimization. |
| RA | Risk Assessment | Identifying and evaluating risks to organizational operations, assets, individuals, and other organizations. |
| SA | System & Services Acquisition | Managing security throughout the system development life cycle, including supply chain risk management. |
| SC | System & Communications Protection | Protecting the boundaries and communications of systems, including encryption, separation of duties, and network segmentation. |
| SI | System & Information Integrity | Detecting and correcting flaws, monitoring for malicious code, and maintaining system integrity. |
| SR | Supply Chain Risk Management | New in Rev. 5. Controls specifically addressing supply chain risks, including acquisition strategies and component authenticity. |
Two families are new in Rev. 5: PT (PII Processing and Transparency) reflects the integration of privacy controls, and SR (Supply Chain Risk Management) addresses the growing threat of supply‑chain compromise. The PM (Program Management) family is also notable because its controls apply at the organizational level rather than the system level, making them relevant to CISOs and program directors rather than system administrators (Joint Task Force, 2020).
Control Baselines
Not every system needs every control. SP 800‑53 works in conjunction with a companion document, SP 800‑53B, which defines three control baselines corresponding to the FIPS 199 impact levels (Joint Task Force, 2020):
- Low Baseline: Applied to systems where the loss of confidentiality, integrity, or availability would have a limited adverse effect on organizational operations, assets, or individuals. The low baseline includes the minimum set of controls that all federal systems must implement.
- Moderate Baseline: Applied to systems where the loss of confidentiality, integrity, or availability would have a serious adverse effect. Most federal systems fall into this category. The moderate baseline adds controls and control enhancements beyond the low baseline, including stronger audit requirements, more granular access controls, and enhanced incident response capabilities.
- High Baseline: Applied to systems where the loss of confidentiality, integrity, or availability would have a severe or catastrophic effect. Systems processing classified information or supporting critical national infrastructure typically operate at this level. The high baseline includes the most comprehensive set of controls and the most demanding implementation requirements.
After selecting the appropriate baseline, organizations tailor it by adding or removing controls based on their specific risk assessment, mission requirements, and threat environment. This process of selection, tailoring, and documentation is formalized in the Risk Management Framework (SP 800‑37), which is the subject of another reference in this series (Joint Task Force, 2020).
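The identifier format and the select-then-tailor process described above, as an added Python example (not code from NIST or the cited publications): it parses base-control and enhancement identifiers against the 20 families, builds a cumulative baseline for an impact level from a constructed sample table (illustrative only, not the real SP 800-53B baselines), and rejects a tailored set in which a control enhancement is left without its base control.

```python
import re

# The 20 family abbreviations from SP 800-53 Rev. 5 (the table above).
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR"}
# Identifiers look like AC-2 (base control) or AC-2(1) (control enhancement).
ID_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def parse_control_id(cid):
    """Split 'AC-2(1)' into ('AC', 2, 1); enhancement is None for a base control."""
    m = ID_RE.match(cid.strip().replace("\u2011", "-"))  # accept non-breaking hyphens
    if not m:
        raise ValueError(f"malformed control identifier: {cid!r}")
    family, number, enh = m.group(1), int(m.group(2)), m.group(3)
    if family not in FAMILIES:
        raise ValueError(f"unknown control family: {family}")
    return family, number, (int(enh) if enh is not None else None)


def parent_of(cid):
    """AC-2(1) -> 'AC-2'; a base control is its own parent."""
    family, number, _ = parse_control_id(cid)
    return f"{family}-{number}"


# Constructed sample baselines (illustrative, NOT the real SP 800-53B tables);
# each level is cumulative over the one below it.
SAMPLE_BASELINES = {
    "low": {"AC-2", "AC-3", "AU-2", "IA-2", "IR-4", "SC-7"},
    "moderate": {"AC-2(1)", "AC-2(3)", "AU-6", "IA-2(1)", "IR-4(1)"},
    "high": {"AC-2(11)", "AU-6(1)", "IA-2(5)", "SC-7(21)"},
}
LEVELS = ["low", "moderate", "high"]


def select_baseline(impact):
    """Return the cumulative baseline for a FIPS 199 impact level."""
    if impact not in LEVELS:
        raise ValueError(f"impact level must be one of {LEVELS}")
    selected = set()
    for level in LEVELS[: LEVELS.index(impact) + 1]:
        selected |= SAMPLE_BASELINES[level]
    return selected


def tailor(baseline, add=(), remove=()):
    """Apply tailoring; an enhancement may not remain without its base control."""
    result = (set(baseline) | set(add)) - set(remove)
    for cid in sorted(result):
        if parent_of(cid) not in result:  # parent_of also validates every identifier
            raise ValueError(f"{cid} requires its base control {parent_of(cid)}")
    return result
```

The tailoring check is the kind of consistency rule an assessor looks for: a documented enhancement such as AC-2(1) is meaningless in a system security plan that has removed AC-2 itself.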
Mapping to Other Frameworks
One of the most powerful features of SP 800‑53 is that it maps to other widely used frameworks and standards. NIST provides official crosswalks that show the relationship between 800‑53 controls and the outcomes of other frameworks. These mappings allow organizations to implement one set of controls and demonstrate compliance with multiple standards simultaneously (Joint Task Force, 2020).
| Framework | Relationship to SP 800‑53 |
|---|---|
| NIST CSF 2.0 | The CSF functions and subcategories map directly to SP 800‑53 controls. NIST publishes an official mapping. The CSF tells you what outcomes to achieve; 800‑53 tells you which specific controls to implement to achieve them. |
| ISO/IEC 27001:2022 | NIST provides a crosswalk between 800‑53 controls and ISO 27001 Annex A controls. Organizations subject to both standards can use the mapping to avoid duplicating compliance effort. |
| CIS Critical Security Controls | The CIS Controls (v8) align with many 800‑53 families. CIS provides its own mapping, and organizations often use CIS Controls as a prioritized implementation guide for a subset of 800‑53. |
| FedRAMP | FedRAMP (Federal Risk and Authorization Management Program) baselines are directly derived from SP 800‑53. Cloud service providers seeking FedRAMP authorization implement 800‑53 controls at the low, moderate, or high baseline with additional FedRAMP‑specific parameters. |
Think of SP 800‑53 as a comprehensive catalog of every security and privacy control an organization might need. The baselines (low, moderate, high) are like pre‑built shopping lists for different levels of risk. The CSF provides the organizational structure for deciding which outcomes your organization needs. And the RMF (SP 800‑37) is the checkout process that gets your system authorized to operate. These documents work together as a system, not in isolation.
Citing This Document (APA 7)
SP 800‑53 Rev. 5 is authored by the Joint Task Force, which is a multi‑agency body. In APA 7, the group author is “Joint Task Force” and the publisher is NIST (as the issuing organization within the Department of Commerce). Because the Joint Task Force does not have a widely recognized abbreviation, spell it out in every citation.
- Reference list entry
- Joint Task Force. (2020). Security and privacy controls for information systems and organizations (NIST Special Publication 800‑53, Rev. 5). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800‑53r5
- First in‑text citation
- (Joint Task Force, 2020)
- Subsequent in‑text citations
- (Joint Task Force, 2020)
- Citation referencing a specific control
- (Joint Task Force, 2020, AC‑2)
- Narrative citation
- The Joint Task Force (2020) organized over 1,000 controls into 20 families in the fifth revision of SP 800‑53.
Note that when referencing a specific control, you can use the control identifier (e.g., AC‑2) in place of a section number. This is the convention most practitioners follow and is clear enough for a reader to locate the relevant text.
References
- Joint Task Force. (2020). Security and privacy controls for information systems and organizations (NIST Special Publication 800‑53, Rev. 5). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800‑53r5
- Joint Task Force. (2020). Control baselines for information systems and organizations (NIST Special Publication 800‑53B). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800‑53B
- National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). U.S. Department of Commerce. https://doi.org/10.6028/NIST.CSWP.29