NIST SP 800-53 Controls | Cybersecurity Policy

Slide 1 of 14  |  CSP-W4-01  |  Week 4
NIST SP 800-53
Control Families, Baselines, Tailoring
Rev 5 • 20 Control Families • FISMA/FedRAMP • Baselines • Tailoring • Overlays • Assessment • Continuous Monitoring • Framework Crosswalk
NIST SP 800-53 is the most comprehensive catalog of security and privacy controls published by the U.S. federal government. It is the backbone of FISMA compliance, the foundation of FedRAMP authorization, and a reference catalog used by private-sector organizations worldwide. Understanding 800-53 is not optional for anyone working in cybersecurity policy -- it is the control catalog that every other U.S. framework references. This deck covers its structure, its 20 control families, how baselines work, how tailoring customizes controls to mission needs, how 800-53A drives assessments, and how it maps to other major frameworks.
14 Slides | CSP-W4-01 | Week 4 | CIS2208 -- Cybersecurity Policy
Slide 2 of 14
What Is NIST SP 800-53?
Purpose, Revision 5, and the federal compliance ecosystem.
FISMA -- federal law mandating agency security programs; requires SP 800-53.
SP 800-53 Rev 5 -- 1,189 controls, 20 families, security + privacy catalog, technology-neutral; feeds FedRAMP.
FedRAMP -- cloud authorization program for agencies.
Agency Authorization (ATO) -- Select baseline -- Tailor -- Implement -- Assess -- Authorize.
Rev 5 (Sept 2020) -- added supply chain + privacy controls.
Purpose and Scope
SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. It is mandated by FISMA for all federal agencies. Rev 5 (September 2020) consolidated privacy controls directly into the catalog, added the PT (PII Processing and Transparency) and SR (Supply Chain Risk Management) families, and made the controls technology-neutral -- applicable to any system type, not just traditional IT.
Key Relationships
FISMA is the law. FIPS 199 categorizes system impact. FIPS 200 sets minimum security requirements. SP 800-53 is the control catalog. SP 800-53A defines assessment procedures. SP 800-53B defines control baselines. SP 800-37 Rev. 2 is the RMF that ties them together. FedRAMP adds cloud-specific requirements on top of 800-53 Moderate/High baselines. Every federal authorization decision traces back to this stack.
Rev 5 Changes That Matter
Rev 5 removed the "federal" qualifier -- 800-53 is now explicitly designed for any organization. It added outcome-based language, integrated privacy controls (previously in 800-53 Appendix J), created the SR family for supply chain risk, and separated baselines into the companion document SP 800-53B. This makes 800-53 a universal reference catalog, not just a federal compliance checklist.
Slide 3 of 14
Control Structure
Family, control, enhancement, and parameter hierarchy.
L1 CONTROL FAMILY -- AC, Access Control (25 controls); 20 families in the catalog
L2 CONTROL -- AC-2, Account Management; 1,189 base controls
L3 CONTROL ENHANCEMENT -- AC-2(1) Automated Account Management, AC-2(4) Automated Audit Actions; adds specificity
L4 PARAMETERS -- [Assignment: organization-defined time period]; the organization fills in the values
Reading a Control Identifier
AC-2(1) breaks down as: AC = family (Access Control), 2 = control number (Account Management), (1) = enhancement number (Automated Account Management). Parameters appear in brackets as [Assignment: ...] or [Selection: ...] -- the organization must fill these in during implementation. A control without its parameters defined is not implemented.
Control Components
Each control contains: a unique identifier, a descriptive title, the control statement (what must be done), supplemental guidance (context and clarification), related controls (cross-references), and references to external documents. Enhancements add capability or specificity -- they are not optional add-ons but required elements when included in a baseline.
Parameters Are Policy Decisions
When 800-53 says [Assignment: organization-defined frequency], the organization must decide: daily? weekly? quarterly? That decision is a policy choice documented in the system security plan. Different organizations filling the same parameter differently is expected -- a DoD system and a civilian agency have different risk profiles demanding different parameter values.
Slide 4 of 14
The 20 Control Families
Complete family listing with abbreviations and focus areas.
20 CONTROL FAMILIES -- SP 800-53 REV 5
AC Access Control | AT Awareness & Training | AU Audit & Accountability | CA Assessment & Authorization | CM Configuration Management
CP Contingency Planning | IA Identification & Authentication | IR Incident Response | MA Maintenance | MP Media Protection
PE Physical & Environmental Protection | PL Planning | PM Program Management | PS Personnel Security | PT PII Processing and Transparency (new in Rev 5)
RA Risk Assessment | SA System & Services Acquisition | SC System & Communications Protection | SI System & Information Integrity | SR Supply Chain Risk Management (new in Rev 5)
18 families carried from Rev 4 + 2 new = 20 total
Family Organization Logic
Families are grouped by security function, not by technology. AC (Access Control) is the largest family with 25 controls. PM (Program Management) contains organization-level controls that are not system-specific. The two Rev 5 additions -- PT (PII Processing and Transparency) and SR (Supply Chain Risk Management) -- reflect the evolving threat landscape: privacy regulation and supply chain attacks demanded dedicated control families rather than scattered references across existing families.
Slide 5 of 14
Access Control (AC) Deep Dive
25 controls governing who can access what, when, and how.
AC-1 Policy & Procedures
Requires a documented access control policy and procedures to facilitate implementation. Every family starts with a -1 control -- it is the policy foundation that every other control in the family depends on.
AC-2 Account Management
Defines, creates, enables, modifies, disables, and removes accounts. Includes 13 enhancements covering automation, role-based schemes, dynamic privilege management, and account monitoring. The most enhancement-heavy AC control.
AC-3 Access Enforcement
Enforces approved authorizations for logical access. Maps to DAC, MAC, RBAC, and ABAC models. Enhancement (3) adds mandatory access control. Enhancement (8) adds revocation. This is where access control models from theory become implementation requirements.
AC-4 Information Flow
Controls information flow between systems and within systems. Enhancements cover cross-domain solutions, content filtering, metadata validation, and data loss prevention. Critical for segmented networks and classified environments.
AC-6 Least Privilege
Employs the principle of least privilege. 10 enhancements address: privileged accounts, network access to sensitive functions, auditing of privilege use, non-privileged access for non-security functions, and preventing privileged accounts from running non-security software.
AC-17 Remote Access
Establishes usage restrictions and implementation guidance for remote access. Enhancements cover monitoring, encryption of remote sessions, managed access control points, and disconnecting remote connections after an organization-defined period of inactivity.
Why AC Is the Largest Family
Access control is the first line of defense and the most granular enforcement point. It spans identity (AC-2), authorization (AC-3), network boundaries (AC-4), session management (AC-11, AC-12), mobile devices (AC-19), and external systems (AC-20). Other families depend on AC -- you cannot audit (AU) what you cannot control access to, and you cannot protect (SC) channels that have no access restrictions.
Slide 6 of 14
Audit & Accountability (AU) Deep Dive
Logging, retention, review, and non-repudiation.
GENERATE -- AU-2 Events: define auditable events
COLLECT -- AU-3 Content: what, when, where, who
STORE -- AU-4 Storage capacity; AU-9 protects audit information
REVIEW -- AU-6 Analysis: correlate + investigate
REPORT -- AU-6(5,6): correlate across organizations
AU-5 Response to Failures -- alerts when the audit process fails; closes the loop
Key AU Controls
AU-2 defines which events are auditable (logins, privilege escalation, object access). AU-3 specifies content (what, when, where, source, outcome, identity). AU-4 allocates storage capacity. AU-6 mandates review and analysis at an organization-defined frequency. AU-9 protects audit information from unauthorized modification or deletion -- this is the integrity control that makes logs legally defensible.
Retention and Non-Repudiation
AU-11 requires audit record retention consistent with records retention policy -- typically 1-7 years depending on regulatory requirements. AU-10 provides non-repudiation: linking actions to individuals with sufficient evidence to prevent denial. AU-12 ties it all together by requiring audit record generation capability across all system components. Without AU-12, the other AU controls are aspirational.
When AU Fails
AU-5 requires the system to alert appropriate personnel when audit storage reaches a defined threshold, and to take defined actions (overwrite oldest records, stop generating, shut down) when capacity is exhausted. A system that silently stops logging is a system that an attacker can operate within undetected. AU-5 is what turns an unnoticed blind spot into a known, alerted detection gap.
Slide 7 of 14
System & Communications Protection (SC)
Encryption, boundary protection, and secure channels.
SC-7 Boundary Protection
Monitors and controls communications at external and key internal boundaries. Enhancements address: deny by default (SC-7(5)), split tunneling prohibition (SC-7(7)), route traffic through managed interfaces (SC-7(8)), and restrict external connections (SC-7(29)). This is the firewall control.
SC-8 Transmission Confidentiality
Protects the confidentiality and integrity of transmitted information. SC-8(1) requires cryptographic protection -- this is where TLS/IPsec mandates originate. SC-8(2) addresses pre/post-transmission handling. Without SC-8, data is protected at rest but exposed in transit.
SC-12 Cryptographic Key Mgmt
Establishes and manages cryptographic keys. SC-12(1) requires NIST-compliant key management. SC-12(2) requires symmetric keys using FIPS-compliant management. SC-12(3) requires asymmetric keys using approved PKI or pre-positioned keying material. The foundation for all other crypto controls.
SC-13 Cryptographic Protection
Requires FIPS-validated cryptography. This is where FIPS 140-2/140-3 validation matters -- not just using AES-256, but using a FIPS-validated implementation of AES-256. Federal systems must use validated modules. This control catches organizations using strong algorithms in unvalidated libraries.
SC-28 Protection of Info at Rest
Protects the confidentiality and integrity of information at rest. SC-28(1) requires cryptographic protection. Applies to databases, file systems, backup media, and any persistent storage. Pairs with SC-8 for complete data protection lifecycle: at rest + in transit = defense in depth.
SC-39 Process Isolation
Maintains separate execution domains for each executing process. This is memory isolation, containerization, and virtualization at the control level. Prevents one compromised process from accessing another's address space. Applied through hardware (MMU), OS (process isolation), or hypervisor (VM separation).
SC Family Pattern
The SC family follows a consistent pattern: protect the boundary (SC-7), protect the channel (SC-8), protect the data (SC-28), and protect the crypto that protects everything else (SC-12, SC-13). SC is the technical enforcement backbone of 800-53 -- it is where policy requirements become protocol and algorithm choices.
Slide 8 of 14
Control Baselines
Low, Moderate, High -- mapping FIPS 199 impact to control selection.
FIPS 199 -- categorize by impact: Confidentiality | Integrity | Availability; high-water mark = system category
Select baseline -- SP 800-53B
LOW -- ~130 controls + enhancements. Limited adverse effect. Basic hygiene: access control, audit logging, configuration management, awareness training, incident response basics.
MODERATE -- ~325 controls + enhancements. Serious adverse effect. Adds: automated account management, MFA, flaw remediation, contingency testing, system monitoring, encryption.
HIGH -- ~421 controls + enhancements. Severe/catastrophic effect. Adds: penetration testing, covert channel analysis, heterogeneous components, system partitioning, fail-secure.
BASELINES ARE STARTING POINTS -- TAILORING ADJUSTS THEM TO MISSION NEEDS
Low Impact Example
A public-facing informational website with no PII. Loss of confidentiality, integrity, or availability causes limited adverse effect. Low baseline applies ~130 controls: basic access management, audit events, security awareness training, incident response planning.
Moderate Impact Example
A federal HR system containing PII. Breach causes serious adverse effect (identity theft, financial harm). Moderate baseline applies ~325 controls: multi-factor authentication, automated monitoring, encrypted transmission, flaw remediation timelines, contingency plan testing.
High Impact Example
A classified intelligence system or critical infrastructure control system. Compromise causes severe or catastrophic effect (loss of life, national security damage). High baseline applies ~421 controls: penetration testing, fault tolerance, trusted path, covert channel analysis.
High-Water Mark Rule
FIPS 199 evaluates confidentiality, integrity, and availability separately -- each gets Low, Moderate, or High. The system's overall categorization uses the highest individual rating. A system that is Low/Low/Moderate for C/I/A is categorized as Moderate overall. This high-water mark rule ensures the system is protected at the level of its most sensitive attribute.
Slide 9 of 14
Tailoring the Baseline
Scoping, compensating controls, and overlays.
1. SELECT -- Choose baseline (Low / Mod / High) from SP 800-53B
2. SCOPE -- Remove N/A controls (no wireless? remove AC-18, SC-40)
3. PARAMETERIZE -- Fill in [Assignment] and [Selection] values
4. COMPENSATE -- Substitute controls when the original can't be implemented
5. OVERLAY -- Apply community overlays (DoD, IC, Privacy, FedRAMP)
TAILORED BASELINE -- Organization-specific control set documented in the System Security Plan (SSP)
Scoping Guidance
Scoping removes controls that do not apply to the system environment. A standalone system with no network connectivity can scope out AC-17 (Remote Access). A system with no removable media can scope out MP-7. Every scoping decision must be documented with rationale in the SSP -- you cannot silently drop controls. The authorizing official reviews and approves all scoping decisions.
Compensating Controls
When a required control cannot be implemented as stated, a compensating control provides equivalent protection through alternative means. Example: a legacy system that cannot enforce password complexity (IA-5) might compensate with network segmentation (SC-7) and enhanced monitoring (SI-4). The compensating control must address the same risk, be documented, and be approved by the authorizing official.
Overlays Add Community-Specific Requirements
Overlays are pre-built tailoring packages for specific communities or use cases. The DoD overlay adds STIG-level requirements. The Intelligence Community overlay adds controls for classified processing. The Privacy overlay strengthens PT-family controls for PII-intensive systems. FedRAMP defines its own parameter values and additional requirements for cloud systems. Overlays can add controls, increase parameter stringency, or add implementation guidance -- but they do not remove baseline controls.
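The following Python is an added example, not code from the course or from NIST: it models the pieces described on slides 3, 8 and 9 together, parsing control identifiers such as AC-2(1), applying the FIPS 199 high-water mark, and running a tailoring workflow that refuses undocumented scoping, flags unfilled [Assignment]/[Selection] parameters, and lets overlays add but never remove controls. The baseline contents, the overlay and the HR-system walkthrough are constructed subsets for illustration, not the SP 800-53B lists.

```python
import re
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}  # FIPS 199 levels, ordered for max()
BASELINES = {  # constructed subsets for illustration only (not the SP 800-53B lists)
    "low": {"AC-1", "AC-2", "AC-17", "AC-18", "AU-2", "AU-5", "MP-7", "SC-7"},
    "moderate": {"AC-1", "AC-2", "AC-2(1)", "AC-17", "AC-17(2)", "AC-18",
                 "AU-2", "AU-5", "MP-7", "SC-7", "SC-7(5)", "SC-8(1)"},
}
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")
UNFILLED_PARAM = re.compile(r"\[(?:Assignment|Selection):[^\]]*\]")

def high_water_mark(confidentiality, integrity, availability):
    """Overall system category is the highest of the three FIPS 199 ratings."""
    ratings = [r.lower() for r in (confidentiality, integrity, availability)]
    return max(ratings, key=LEVELS.__getitem__)  # KeyError on an unknown rating

def parse_control_id(cid):
    """'AC-2(1)' -> ('AC', 2, 1); a base control has enhancement None."""
    m = CONTROL_ID.match(cid)
    if not m:
        raise ValueError(f"malformed control identifier: {cid}")
    fam, num, enh = m.groups()
    return fam, int(num), (int(enh) if enh else None)

@dataclass
class TailoredBaseline:
    level: str
    controls: set = field(default_factory=set)
    scoped_out: dict = field(default_factory=dict)  # control -> SSP rationale
    statements: dict = field(default_factory=dict)  # control -> filled-in text

    @classmethod
    def select(cls, confidentiality, integrity, availability):
        """Step 1: categorize by high-water mark, then take that baseline."""
        level = high_water_mark(confidentiality, integrity, availability)
        return cls(level, set(BASELINES[level]))

    def scope_out(self, cid, rationale):
        """Step 2: a control may only be dropped with a documented rationale."""
        parse_control_id(cid)
        if not rationale.strip():
            raise ValueError(f"{cid}: scoping requires a documented rationale")
        self.controls.discard(cid)
        self.scoped_out[cid] = rationale

    def parameterize(self, cid, statement):
        self.statements[cid] = statement  # step 3: the organization's filled-in statement

    def apply_overlay(self, additions):
        """Step 5: overlays add controls or stringency; they never remove any."""
        for cid in additions:
            parse_control_id(cid)
        self.controls |= set(additions)

    def unimplemented(self):
        """Controls with no statement, or whose statement still has a placeholder."""
        return sorted(c for c in self.controls if c not in self.statements
                      or UNFILLED_PARAM.search(self.statements[c]))

def tailor_hr_system():
    """Constructed walkthrough: HR system with PII, rated Moderate/Low/Low for C/I/A."""
    tb = TailoredBaseline.select("moderate", "low", "low")  # -> moderate baseline
    tb.scope_out("AC-18", "No wireless interfaces present; see SSP section 3.2")
    tb.parameterize("AU-5", "Alert the ISSO when audit storage reaches 80% capacity.")
    tb.parameterize("AC-17(2)", "Protect remote sessions with [Selection: TLS 1.2; TLS 1.3].")
    tb.apply_overlay({"SC-8(1)", "SI-4"})  # constructed overlay addition
    return tb
```

In the walkthrough, AC-17(2) still reports as unimplemented because its [Selection: ...] was never resolved, which is exactly the "parameters undefined means not implemented" rule from slide 3.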
Slide 10 of 14
SP 800-53A -- Assessment Procedures
Examine, interview, and test -- the three assessment methods.
EXAMINE -- Review documents, records, policies, procedures, logs (SSP, audit logs, config files, network diagrams, SOPs)
INTERVIEW -- Question personnel to verify understanding (sys admins, ISSO, users, developers, management)
TEST -- Exercise mechanisms and activities to verify operation (vulnerability scans, pen tests, functional testing, red teams)
ASSESSMENT FINDINGS -- Satisfied | Other Than Satisfied
Assessment Depth
Each method has depth levels: basic, focused, and comprehensive. Basic checks for presence. Focused checks for correctness. Comprehensive checks for completeness and resilience. Higher-impact systems require deeper assessment. A Low system might get basic examination; a High system gets comprehensive testing with red team exercises.
Assessment Breadth
Coverage ranges from representative sample to complete coverage. A moderate system might test a representative sample of 25% of access control rules. A high system might require testing 100% of boundary protection rules. The assessor determines appropriate breadth based on system categorization and risk.
Findings and Determination
Each control receives a finding of "Satisfied" or "Other Than Satisfied." There is no partial credit. Unsatisfied findings become entries in the Plan of Action and Milestones (POA&M) with remediation timelines. The authorizing official uses the complete set of findings to make the risk-based authorization decision.
Assessment Is Not Audit
800-53A assessments determine whether controls are implemented correctly, operating as intended, and producing the desired outcome. This is broader than an audit, which typically checks compliance against a specific standard. An assessment evaluates effectiveness -- a control can be present but ineffective, which an audit might miss but an assessment should catch.
Slide 11 of 14
Continuous Monitoring
ISCM strategy, automation, and POA&M management.
ISCM -- SP 800-137
1. DEFINE -- Strategy + metrics + frequencies
2. ESTABLISH -- Program + tools + automation
3. IMPLEMENT -- Collect data + assess controls
4. ANALYZE -- Findings + risk determination
5. RESPOND -- Remediate + POA&M + mitigate
6. REVIEW -- Update strategy + adjust
ISCM Strategy Components
An Information Security Continuous Monitoring strategy (SP 800-137) defines: which controls to monitor, how frequently, what tools to use, how to analyze results, who reviews findings, and how responses are tracked. The strategy must cover all three tiers: organization, mission/business process, and information system. Automation is essential -- manual monitoring cannot scale to hundreds of controls across dozens of systems.
POA&M Management
The Plan of Action and Milestones tracks every known weakness. Each entry includes: the weakness description, the affected control, the planned remediation, the responsible party, the estimated completion date, and the current status. POA&Ms are living documents reviewed by the authorizing official. A stale POA&M with overdue milestones signals governance failure -- the organization knows its weaknesses but is not fixing them.
Automation Enables Ongoing Authorization
Traditional authorization was a point-in-time event every three years. Continuous monitoring enables ongoing authorization -- the AO receives real-time risk data and makes continuous risk acceptance decisions. Tools like SCAP (Security Content Automation Protocol), vulnerability scanners, SIEM platforms, and configuration compliance tools feed automated dashboards that replace the three-year reauthorization cycle with continuous risk visibility.
Slide 12 of 14
800-53 vs CIS Controls vs ISO 27002
Mapping and translation across major control frameworks.
NIST 800-53 Rev 5 -- 1,189 controls, 20 families. Prescriptive catalog. Federal mandate (FISMA). Baselines by impact level. Audience: federal agencies, contractors, critical infrastructure. Most comprehensive.
CIS Controls v8 -- 153 safeguards, 18 control groups. Prioritized, actionable. Voluntary / best practice. Implementation Groups: IG1, IG2, IG3. Audience: all orgs, especially SMBs. Most practical / fastest start.
ISO 27002:2022 -- 93 controls, 4 themes (Organizational / People / Physical / Technological). Implementation guidance. Voluntary / certifiable (via ISO 27001). Audience: global orgs, B2B, compliance-driven. Most internationally recognized.
Dimension | NIST 800-53 | CIS Controls | ISO 27002
Scope | Comprehensive catalog -- every possible control | Prioritized subset -- highest-impact actions first | International standard -- implementation guidance
Structure | Family > Control > Enhancement > Parameter | Control Group > Safeguard > IG level | Theme > Control > Purpose > Guidance
Mapping | NIST provides official crosswalks to CIS + ISO | CIS maps each safeguard to 800-53 controls | Annex B maps to ISO 27001 + NIST CSF
Best For | Federal compliance, deep control specification | Quick wins, practical implementation, SMBs | International compliance, certification, B2B trust
Crosswalk Strategy
Organizations rarely use a single framework. The most effective approach: use CIS Controls IG1 for immediate risk reduction, map to 800-53 controls for federal compliance, and demonstrate ISO 27002 alignment for international customers. NIST provides the SP 800-53 to CIS Controls mapping. CIS provides reverse mappings. A single implemented control (e.g., multi-factor authentication) can simultaneously satisfy 800-53 IA-2, CIS Safeguard 6.3, and ISO 27002 Control 8.5 -- but only if the organization explicitly documents the crosswalk.
Slide 13 of 14
Key Takeaways
NIST SP 800-53 distilled into policy-actionable principles.
1. SP 800-53 Rev 5 is the most comprehensive security and privacy control catalog available -- 1,189 controls across 20 families. It is mandated by FISMA for federal systems and used voluntarily by organizations worldwide as a reference catalog for control selection.
2. Controls follow a strict hierarchy: family, control, enhancement, parameter. Every control has a unique identifier (e.g., AC-2(1)). Parameters are where policy meets implementation -- the organization decides the specific values that reflect its risk posture.
3. The 20 control families cover every dimension of security: access (AC), audit (AU), configuration (CM), incident response (IR), physical (PE), communications (SC), and more. Rev 5 added PT (privacy) and SR (supply chain) to address modern threats.
4. FIPS 199 categorization drives baseline selection. Low (~130 controls), Moderate (~325), and High (~421) baselines from SP 800-53B provide starting points. The high-water mark rule ensures the system is protected at the level of its most sensitive attribute.
5. Tailoring transforms a generic baseline into an organization-specific control set through scoping, parameter assignment, compensating controls, and overlay application. Every tailoring decision must be documented and approved by the authorizing official.
6. SP 800-53A defines three assessment methods -- examine, interview, test -- each with variable depth and breadth. Controls are either satisfied or not. Unsatisfied findings drive POA&M entries with remediation milestones.
7. Continuous monitoring replaces the three-year reauthorization cycle with ongoing risk visibility. ISCM strategy, SCAP automation, and POA&M management enable authorizing officials to make continuous, data-driven risk acceptance decisions.
8. 800-53 does not exist in isolation. Crosswalks to CIS Controls and ISO 27002 allow a single control implementation to satisfy multiple frameworks simultaneously -- reducing compliance burden while increasing coverage.
What Comes Next
800-53 is the catalog. The Risk Management Framework (SP 800-37 Rev. 2) is the process that selects, implements, assesses, and monitors these controls throughout the system lifecycle. Understanding the controls is prerequisite to applying them -- and applying them correctly is what separates a compliant system from a secure one.
Slide 14 of 14  |  Complete
NIST SP 800-53 Controls -- 14 slides
Rev 5 • 20 Control Families • AC Deep Dive • AU Deep Dive • SC Deep Dive • Baselines • Tailoring • Assessment • Continuous Monitoring • Framework Crosswalk
CIS2208 Cybersecurity Policy | Week 4