NIST SP 800-53

Security and Privacy Controls for Information Systems and Organizations

Comprehensive catalog of security and privacy controls for federal information systems and organizations, providing over 1,150 controls across 20 control families to protect organizational operations and assets from diverse threats.

Executive Summary

NIST SP 800-53 Rev. 5 provides the definitive catalog of security and privacy controls for federal agencies and contractors. Released September 2020 and updated August 2025, it contains 1,150+ controls organized into 20 families, with three impact-based baselines (Low, Moderate, High) designed to protect against threats ranging from cyber attacks to natural disasters.

Comprehensive Documentation

NIST SP 800-53 Revision 5


Security and Privacy Controls for Information Systems and Organizations

Current Version: Release 5.2.0 (August 27, 2025)
Original Publication: September 23, 2020
Authority: Federal Information Security Modernization Act (FISMA)

Overview

NIST SP 800-53 serves as the authoritative catalog of security and privacy controls for federal information systems and organizations. It provides a comprehensive framework to protect organizational operations, assets, individuals, and the Nation from diverse threats including hostile cyber attacks, human errors, natural disasters, and privacy risks.

Key Features

Unified Catalog


  • 1,150+ controls consolidated into a single comprehensive catalog

  • 20 control families addressing security and privacy

  • Integrated approach combining security and privacy controls

  • Outcome-based, allowing flexible implementation


Control Families (20 Total)

  1. AC - Access Control

  2. AT - Awareness and Training

  3. AU - Audit and Accountability

  4. CA - Assessment, Authorization, and Monitoring

  5. CM - Configuration Management

  6. CP - Contingency Planning

  7. IA - Identification and Authentication

  8. IR - Incident Response

  9. MA - Maintenance

  10. MP - Media Protection

  11. PE - Physical and Environmental Protection

  12. PL - Planning

  13. PM - Program Management

  14. PS - Personnel Security

  15. PT - PII Processing and Transparency (NEW in Rev. 5)

  16. RA - Risk Assessment

  17. SA - System and Services Acquisition

  18. SC - System and Communications Protection

  19. SI - System and Information Integrity

  20. SR - Supply Chain Risk Management (NEW in Rev. 5)


Major Updates in Revision 5


  • Two new control families: PII Processing and Transparency (PT) and Supply Chain Risk Management (SR)

  • Enhanced focus on supply chain security

  • Integration of security and privacy controls

  • Updated for modern threats and technologies

  • Released in response to Executive Order 14306 (August 2025)


Control Baselines

Three Impact Levels (FIPS 199)

Low-Impact Baseline

  • Limited adverse effects if compromised

  • Minimum baseline controls

  • Appropriate for low-risk systems


Moderate-Impact Baseline

  • Serious adverse effects if compromised

  • Most common (80% of federal systems)

  • Standard for majority of federal information systems


High-Impact Baseline

  • Severe or catastrophic adverse effects

  • Most stringent controls

  • Law enforcement, emergency services, national security systems


Privacy Baseline


  • Applied to all systems regardless of impact level

  • Addresses privacy-specific requirements

  • Integrated with security baselines


Mandatory Compliance

Required For:


  • All federal agencies (FISMA mandate)

  • Federal contractors with system access

  • FedRAMP cloud service providers (based on 800-53 baselines)


Voluntary but Strongly Recommended:


  • Federal contractors handling CUI (typically use NIST SP 800-171 subset)

  • Healthcare organizations (HIPAA compliance)

  • Critical infrastructure sectors

  • Organizations subject to Massachusetts 201 CMR 17.00


Relationship to Other Frameworks

NIST SP 800-171


  • SP 800-171 is a subset of SP 800-53

  • 110 controls derived from moderate baseline

  • Tailored for CUI protection in nonfederal systems

  • DoD contractors typically use 800-171 instead of full 800-53


NIST Cybersecurity Framework


  • CSF provides high-level strategic framework

  • SP 800-53 provides detailed implementation controls

  • Official mapping: "CSFv2.0-to-SP-800-53-Rev-5-2-0"

  • CSF for strategy, SP 800-53 for implementation


FedRAMP


  • FedRAMP baselines based on NIST SP 800-53

  • Three impact levels: Low, Moderate, High

  • Additional cloud-specific controls

  • 80% of FedRAMP systems at Moderate level


Risk Management Framework (RMF)


7-step process for implementing SP 800-53:

  1. Prepare - Organization and system preparation

  2. Categorize - System categorization (FIPS 199)

  3. Select - Control selection from SP 800-53

  4. Implement - Control implementation

  5. Assess - Assessment using SP 800-53A

  6. Authorize - Authorization decision

  7. Monitor - Continuous monitoring


Enforcement

Federal Agencies


  • OMB - Issues implementation directives

  • CISA - Operational cybersecurity support

  • Inspectors General - Compliance audits

  • GAO - Program reviews


Consequences of Non-Compliance


  • Authorization to Operate (ATO) denial/revocation

  • System operation restrictions

  • Audit findings requiring corrective actions

  • Congressional oversight

  • Budget implications


Federal Contractors


  • Contract termination or non-renewal

  • Loss of system access

  • Financial penalties per contract terms

  • Inability to bid on future contracts

  • Potential debarment


Private Sector


  • Enforcement through underlying regulations (HIPAA, state laws)

  • FTC enforcement for deceptive practices

  • State attorneys general actions

  • Civil litigation for breaches


Massachusetts 201 CMR 17.00 Compliance

NIST SP 800-53 (Moderate baseline) is recognized as an acceptable framework for Massachusetts compliance:

  • Demonstrates comprehensive written information security program (WISP)

  • Satisfies technical, administrative, and physical safeguard requirements

  • Maps to 201 CMR 17.00 requirements

  • Massachusetts state agencies use NIST 800-53 for EOTSS policy alignment

  • Can address both federal and state requirements simultaneously


Company Size Applicability

No size thresholds or exemptions

  • Framework scalable for organizations of any size

  • Outcome-based controls allow customization

  • Tailoring guidance provided in SP 800-53B

  • Small organizations may:

      - Use NIST SP 800-171 (simplified subset)
      - Focus on applicable baseline controls
      - Leverage managed security services
      - Implement controls incrementally

Implementation Resources

Supporting Publications:

  • SP 800-53A Rev. 5 - Assessment procedures

  • SP 800-53B - Control baselines

  • FIPS 199 - Security categorization standards

  • FIPS 200 - Minimum security requirements


Tools and Formats:

  • OSCAL (Open Security Controls Assessment Language)

  • Control baselines in JSON, XML, YAML

  • Security Control Overlay Repository (SCOR)


Effective Date and Status

  • Initial Publication: September 23, 2020

  • Updated: December 10, 2020

  • Latest Release: August 27, 2025 (Release 5.2.0)

  • Status: Active and current

  • Previous versions: Revision 4 and earlier withdrawn


Federal agencies transition based on OMB directives and system reauthorization schedules.

Key Implementation Points

  1. Risk-Based Approach: Compliance is a byproduct of a robust security program, not a checkbox exercise

  2. Customizable: Baselines are starting points, not absolute minimums

  3. Continuous Monitoring: Ongoing assessment of control effectiveness

  4. Integration: Security and privacy addressed together

  5. Flexibility: Outcome-based controls adapt to organizational context


Applicable Industries

  • Federal Government

  • Federal Contractors

  • Cloud Service Providers (FedRAMP)

  • Critical Infrastructure

  • Healthcare

  • Financial Services

  • Defense Industrial Base

  • All Regulated Industries

Company Size

All company sizes

Effective Date

9/23/2020

Penalties for Non-Compliance

Federal agencies: ATO denial, budget implications, audit findings. Contractors: contract termination, debarment, financial penalties per contract terms. No direct fines from NIST - enforcement through FISMA, OMB, and contracts.

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

