What is NIST SP 800-53?

NIST SP 800-53 is the most comprehensive security and privacy control catalog published by any standards organization, providing detailed requirements that organizations can select based on risk assessment and system impact level. Revision 5, published in September 2020, made several significant changes: controls became outcome-based and applicable to any system (not just federal), a new Supply Chain Risk Management (SR) family was added, privacy controls were integrated throughout the catalog (previously in Appendix J), and control baselines were moved to a separate publication (SP 800-53B). The 20 control families cover Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization, and Monitoring (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Personnel Security (PS), PII Processing and Transparency (PT), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI), and Supply Chain Risk Management (SR). Controls are selected using predefined baselines corresponding to system impact levels: Low (approximately 130 controls), Moderate (approximately 260 controls), and High (approximately 340 controls). FedRAMP adds specific parameter values and additional requirements on top of these baselines. NIST 800-53 maps extensively to other frameworks including NIST CSF, ISO 27001, SOC 2, and CIS Controls, making it valuable for multi-framework compliance programs.