What is NIST Special Publication 800-53?
NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53) Security and Privacy Controls for Information Systems and Organizations is a set of security and privacy controls for information systems. These controls are meant to help federal agencies and contractors meet the Federal Information Security Management Act (FISMA) requirements for all federal information systems.
| The connections between NIST, FIPS, and ITL |
| NIST is a non-regulatory agency of the U.S. Commerce Department that was established to encourage and assist innovation and science by promoting and maintaining a set of industry standards. Another official function of NIST is to develop Federal Information Processing Standards (FIPS) for FISMA. To help federal agencies meet these standards, the NIST publishes guidance documents under its Special Publications (SP) 800 series, which reports on the Information Technology Laboratory’s (ITL) research and guidelines. ITL is one of NIST’s six research laboratories. ITL focuses on IT measurements, testing, and standards. It is a globally recognized and trusted source of high-quality, independent, and unbiased research and data. |
The NIST 800-53 cybersecurity framework is continuously updated to include new controls recommended by ITL. The object is to flexibly define standards, controls, and assessments based on risk that seek to balance cost-effectiveness and capabilities.
NIST 800-53 controls address requirements derived from business needs, directives, executive orders, guidelines, laws, mission requirements, policies, regulations, and standards. The controls address security and privacy from two perspectives to ensure that information systems are reliable and can be trusted to protect sensitive data.
- Functionality perspective, which focuses on the strength of functions and mechanisms provided by the NIST 800-53 controls.
- Assurance perspective, which focuses on the level of confidence in the security and privacy protections provided by the NIST 800-53 controls.
NIST 800-53 provides specific directions that support the design, development, implementation, and maintenance of secure and resilient information systems.
NIST 800-53 controls include operational, technical, and management standards and guidelines for maintaining confidentiality, integrity, and availability. NIST 800-53 takes a multi-tiered approach to security and risk management through control compliance requirements. The controls provide a comprehensive framework for safeguarding sensitive data against various threats—from insider accidents and misconfigurations to natural disasters and malicious attacks.
The purpose of NIST SP 800-53
The purpose of NIST SP 800-53 is to ensure that the information systems utilized by the federal government and those they work with are optimally protected. NIST 800-53 is also designed to provide a flexible framework that remains applicable despite updates to technology, systems, organizational structure, and compliance requirements.
To support security and privacy requirements and improve risk management for any organization or system that processes, stores, or transmits information, NIST 800-53:
- Helps organizations develop a foundation for assessing techniques and processes for determining control effectiveness
- Improves communication across organizations via a common lexicon for discussion of risk management concepts
- Maintains the confidentiality, integrity, and availability (i.e., the CIA triad) of information systems
- Provides a comprehensive and flexible catalog of controls for current and future protection based on changing technology and threats
- Supports the development of secure and resilient information systems
NIST SP 800-53 compliance
NIST 800-53 does not specify which types of information must be protected. However, it does provide guidance on how organizations should classify the types of data that they create, store, and transmit.
Who must comply with NIST 800-53?
All U.S. federal government agencies and associated government contractors and departments that work with the government must comply with NIST SP 800‐53. NIST 800-53 is required for all U.S. federal information systems that store, process, or transmit federal information, except those related to national security. While it is not legally mandated, many other organizations adhere to the NIST 800-53 standards to ensure the security of their information systems.
NIST SP 800-53 compliance best practices
The following are commonly used best practices to facilitate selecting and implementing appropriate security and privacy controls for NIST SP 800-53 compliance.
Create an inventory of sensitive data.
- How the sensitive data is created or received, maintained, and transmitted
- What kinds of data the organization handles
- Where the sensitive data is stored
Classify sensitive data according to NIST 800-53 data classification guidelines.
- Categorize and tag sensitive data
- Assign an impact classification to sensitive data
- Use tools to automate data discovery and classification
Develop vulnerability remediation and security upgrade plans.
- Develop policies and procedures to address security deficiencies
- Select controls based on specific needs
- Save notes about how and why each control was selected
Enforce access controls.
- Develop identity and access management policies and strategies
- Establish access controls and administrator privileges
- Extend access controls to third-party vendors, applications, and systems
Measure and analyze results.
- Establish a baseline
- Regularly test the efficacy of NIST 800-53 controls implementations
- Analyze test results to find and prioritize areas for improvement
Perform a risk assessment to identify cybersecurity gaps.
- Identify risks
- Estimate the probability of their occurrence
- Calculate potential impact
Provide security awareness education.
- Implement an ongoing employee training program
- Educate all employees on access governance and cybersecurity best practices
- Test employees’ knowledge and awareness
Benefits of NIST SP 800-53
- Bridges the gap between stakeholders by providing a common platform for business and technical stakeholders to consider cybersecurity
- Covers the majority of risk factors all organizations face
- Ensures maximum flexibility, because it does not prescribe specific tools, companies, or vendors
- Enables long-term risk management
- Expedites swift and effective response to risk and threats
- Facilitates the development and continuous iteration of cybersecurity programs to address new regulations and vulnerabilities
- Helps prioritize risk management and cybersecurity program development and updates
- Offers a solid foundation for compliance with other regulations and programs, such as the California Consumer Privacy Act (CCPA), the Defense Federal Acquisition Regulation Supplement (DFARS), the Federal Risk and Authorization Management Program (FedRAMP), FISMA, General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX)
- Promotes consistent cybersecurity across information systems
- Provides a baseline for developing a secure information systems infrastructure
- Represents the collective experience of thousands of cybersecurity professionals
- Supports an adaptive and responsive posture toward managing cyber risk
- Takes a risk-based, outcomes-driven approach to cybersecurity
NIST 800-53 vs other frameworks
Elements of NIST 800-53 are used in a number of other frameworks and standards. The following is a summary of NIST 800-53 vs. several widely adopted frameworks.
| NIST 800-53 | SOC 2 Type 2 |
| Publication | Framework |
| NIST 800-53 | NIST Cybersecurity Framework (CSF) |
| A set of guidelines to help organizations protect information and information systems from potential threats | A set of guidelines, best practices, and standards to help organizations manage and enhance cybersecurity |
| NIST 800-53 | ISA/IEC 62443 |
| Aimed at supporting federal government information systems and critical infrastructure | Aimed at reducing security vulnerabilities in industrial automation and control systems |
| NIST 800-53 | ISO 27001 |
| Addresses information flow control broadly in terms of approved authorizations for controlling access between source and destination objects | Addresses information flow more narrowly as it applies to interconnected network domains |
| NIST 800-53 | FedRAMP & FISMA |
| Basis for FedRAMP & FISMA | Controls based on NIST 800-53 |
Security and access control families in NIST 800-53
NIST 800-53 has twenty families of controls comprised of more than 1,000 separate controls. Each family is related to a specific topic, such as access control.
NIST 800-53 controls are meant to be implemented based on the protection requirements of different content types, which are determined based on a risk assessment and analysis of the impact of incidents on different data and information systems.
Federal Information Processing Standard (FIPS) 199 defines three impact levels. NIST 800-53 controls are broken into three classes based on FIPS impact as related to confidentiality, integrity, and availability. The table below summarizes the potential impact definitions.
Potential impact of data loss—NIST 800-53 guidance
| Security objective | Low | Moderate | High |
| Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
NIST 800-53 Data Classification Guidelines
SOURCE: FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION: Standards for Security Categorization of Federal Information and Information Systems
| NIST SP 800-53 security control families | |
| Access Control (C) | Account management and monitoring, enforcing the least privilege policies, and implementing separation of duties |
| Awareness and Training (AT) | Providing awareness and security training for all employees and elevated technical training for more privileged users |
| Audit and Accountability (A.U.) | Auditing content of records, retaining records, and providing associated analysis and reporting |
| Assessment, Authorization, and Monitoring (C.A.) | Monitoring connections to public networks and external systems and using penetration testing |
| Configuration Management (CM) | Implementing configuration change controls and establishing authorized software policies |
| Contingency Planning (C.P.) | Establishing alternate processing and storage sites and developing and testing business continuity strategies |
| Identification and Authentication (I.A.) | Creating and enforcing authentication policies for users, devices, and services and managing credentials |
| Individual Participation (I.P.) | Obtaining consent and authorizing privacy policies and practices |
| Incident Response (I.R.) | Implementing incident response training and setting up associated monitoring and reporting systems |
| Maintenance (M.A.) | Putting processes in place for system, personnel, and tool maintenance |
| Media Protection (M.P.) | Creating protocols for the secure access, storage, transport, sanitization, and use of media |
| Privacy Authorization (P.A.) | Establishing and enforcing policies for the collection, use, and sharing of personally identifiable information (PII) |
| Physical and Environment Protection (P.E.) | Securing physical access, planning for emergency power, implementing fire protection, maintaining temperature control |
| Planning (P.L.) | Establishing policies and protections to enforce social media and networking restrictions, deploying a defense-in-depth security architecture |
| Program Management (PM) | Developing and implementing a risk management strategy and insider threat program as part of the enterprise architecture |
| Personnel Security (P.S.) | Creating processes for internal and external personnel screening, termination, and transfer, as well as for using sanctions |
| Risk Assessment (R.A.) | Performing risk assessments, vulnerability scans, and privacy impact assessments |
| System and Services Acquisition (S.A.) | Developing and implementing security programs for system development lifecycle, acquisition processes, and supply chain risk management |
| System and Communications Protection (S.C.) | Partitioning applications, protecting boundaries, and implementing a cryptographic key management system |
| System and Information Integrity (S.I.) | Implementing system monitoring and alerting, as well as flaw remediation |
NIST 800-53: A roadmap for information systems cybersecurity
Although NIST 800-52 is mandatory for all federal agencies and those that work with these groups, it is far more than an onerous requirement. NIST 800-53 is a powerful tool for finding and implementing the right cybersecurity to safeguard all types of information and computing systems and products. Systems include:
- Cloud computing
- Computing systems
- Healthcare systems
- Internet of Things (IoT) devices
- Mobile systems
The adoption of the NIST 800-53 framework by non-government organizations and the fact that it is used as the foundation for so many other standards and frameworks is a testament to its content and structure. NIST 800-53 balances specificity and flexibility, making it applicable to a broad range of organizations. Using NIST 800-53 protects information systems and enables compliance with many regulations.
