NIST Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (2024)

Date Published: September 2020 (includes updates as of Dec. 10, 2020)

Supersedes: SP 800-53 Rev. 5 (09/23/2020)

Planning Note (12/19/2023):

(12/19/23) Updated the "Mappings and crosswalks" text below and the link to the ISO/IEC 27001:2022 OLIR crosswalk.

On November 7, 2023, NIST issued a patch release of SP 800-53 (Release 5.1.1) that includes:

  • minor grammatical edits and clarification;
  • the introduction of “leading zeros” to the control identifiers (e.g., instead of AC-1, the control identifier will be updated to AC-01); and
  • one new control and three supporting control enhancements related to identity providers, authorization servers, the protection of cryptographic keys, the verification of identity assertions and access tokens, and token management.

A list of all the changes in the patch release is available under Supplemental Material.

***

Summary of supplemental files:

  • Control Catalog Spreadsheet
    The entire security and privacy control catalog in spreadsheet format. Note: For a spreadsheet of control baselines, see the SP 800-53B details.
  • Analysis of updates between 800-53 Rev. 5 and Rev. 4 (Updated 1/07/22)
    Describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes. Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
  • Mapping of Appendix J Privacy Controls (Rev. 4) to Rev. 5
    Supports organizations using the privacy controls in Appendix J of SP 800-53 Rev. 4 that are transitioning to the integrated control catalog in Rev. 5.
  • Mappings and crosswalks between 800-53 Rev. 5 and other frameworks and standards (NIST Cybersecurity Framework and NIST Privacy Framework; ISO/IEC 27001:2022 [updated 12/19/23])
    Mappings and crosswalks provide a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging these relationships, consider the scope and intended use of each publication. Do not assume equivalency based solely on relationship tables; mappings and crosswalks are not always one-to-one and relationship analysis can be subjective.

Also available:

  • Security and Privacy Control Collaboration Index Template (Excel & Word)
    The collaboration index template supports information security and privacy program collaboration to help ensure that the objectives of both disciplines are met and that risks are appropriately managed. It is an optional tool for information security and privacy programs to identify the degree of collaboration needed between security and privacy programs with respect to the selection and/or implementation of controls in Rev. 5.
  • OSCAL version of 800-53 Rev. 5 controls
    Rev. 5 controls are provided using the Open Security Controls Assessment Language (OSCAL); currently available in JSON, XML, and YAML.

Author(s)

Joint Task Force

Abstract

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.


Keywords

assurance; availability; computer security; confidentiality; control; cybersecurity; FISMA; information security; information system; integrity; personally identifiable information; Privacy Act; privacy controls; privacy functions; privacy requirements; Risk Management Framework; security controls; security functions; security requirements; system; system security

Control Families

Access Control; Awareness and Training; Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Program Management; Personnel Security; PII Processing and Transparency; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity; Supply Chain Risk Management


FAQs

What is NIST Special Publication 800-53 Revision 5?

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural ...

What are NIST 800-53 controls?

The NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is a set of recommended security and privacy controls for federal information systems and organizations to help meet the Federal Information Security Management Act (FISMA) requirements.

What is NIST SP 800-53 and what does this publication cover?

NIST SP 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). Another part of NIST's remit is to develop Federal Information Processing Standards (FIPS) alongside FISMA.

Which NIST special publication details security and privacy controls?

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems.

What is the difference between NIST CSF and NIST 800-53?

NIST CSF is a high-level framework focused on risk management, while NIST SP 800-53 is a detailed set of security controls. NIST CSF provides a comprehensive set of best practices for organizations to follow, while NIST SP 800-53 provides specific security controls that must be implemented.

What is a NIST special publication?

A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Is NIST 800-53 mandatory?

While it is not mandatory for private businesses to follow NIST SP 800-53 (unless you have government contracts), many choose to do so to ensure that their information systems are secure.

What does NIST SP 800-53 provide security controls primarily for?

The goal of NIST SP 800-53 is to protect operations, assets, individuals, organizations and the United States from a diverse set of cyber threats such as hostile attacks, human error and natural disasters. The controls are written to be flexible and customizable to aid organizations in implementation.

How do you use NIST controls?

NIST recommends a 7-step process to establish a cybersecurity program:
  1. Prioritize and Scope.
  2. Orient.
  3. Create a Current Profile.
  4. Conduct a Risk Assessment.
  5. Create a Target Profile.
  6. Determine, Analyze and Prioritize Gaps.
  7. Implement Action Plan.

What is NIST 800-53 data classification?

The data classification standard for NIST involves three categories: low impact, moderate impact and high impact.

How many control families are in NIST 800-53 Rev 4?

SP 800-53 Rev. 4 includes many changes from SP 800-53 Rev. 3: 295 controls and control enhancements were added while approximately 100 controls and control enhancements were withdrawn or incorporated into others. Of the eighteen security control families in SP 800-53 Rev.

What are the NIST 800-53 password requirements?

NIST 800-53 (Moderate Baseline)
  • A minimum of eight characters and a maximum length of at least 64 characters.
  • The ability to use all special characters but no special requirements to use them.
  • Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa).

How many controls are in NIST 800-53 Rev 5?

Rev 5 adds 66 new base controls, 202 new control enhancements and 131 new parameters to existing controls. There are 90 newly withdrawn controls that have been incorporated into or moved to other controls, along with 92 previously withdrawn controls, resulting in a total of 1007 controls and enhancements in Rev 5.

What is the purpose of NIST SP 800-53 Rev. 5?

This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human ...

What is the NIST 800-53 system security plan?

NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system. The controls selected or planned must be documented in a system security plan.

What NIST special publication covers the incident response process?

Within NIST, the Information Technology Laboratory (ITL) is responsible for developing standards and measurement methods for IT, including information security. ITL developed an influential model for incident response (IR), the Computer Security Incident Handling Guide (Special Publication 800-61).

What are the benefits of NIST 800-53?

The NIST SP 800-53 standards can help organizations comply with legal and regulatory requirements, avoid breaches, and protect their reputation.

What is the NIST special publication for passwords?

NIST Special Publication (SP) 800-63B provides requirements, recommendations, and guidance for the use of memorized secrets (i.e., PINs, passwords) in authentication of digital identity. This guidance for memorized secrets is exclusively for human users.

What is the NIST special publication document that defines cloud computing?

NIST SP 800-145, The NIST Definition of Cloud Computing.
