NIST SP 800-53 Control Families: Complete Guide to All 20 Families

NIST Special Publication 800-53 Revision 5 is the most comprehensive catalog of security and privacy controls published by the U.S. government. It contains over 1,000 controls organized into 20 families, serving as the foundation for federal information system security (required by FISMA) and the control baseline for FedRAMP cloud authorizations. Private sector organizations increasingly adopt NIST 800-53 as a rigorous alternative to less prescriptive frameworks. This guide provides an overview of all 20 control families with practical implementation guidance.

Overview of the 20 Control Families

NIST 800-53 Rev 5 organizes its controls into 20 families, each designated by a two-letter identifier. The families span the full spectrum of security and privacy requirements: AC (Access Control), AT (Awareness and Training), AU (Audit and Accountability), CA (Assessment, Authorization, and Monitoring), CM (Configuration Management), CP (Contingency Planning), IA (Identification and Authentication), IR (Incident Response), MA (Maintenance), MP (Media Protection), PE (Physical and Environmental Protection), PL (Planning), PM (Program Management), PS (Personnel Security), PT (PII Processing and Transparency), RA (Risk Assessment), SA (System and Services Acquisition), SC (System and Communications Protection), SI (System and Information Integrity), and SR (Supply Chain Risk Management). Each family contains base controls and control enhancements that add specificity or rigor. Controls are selected based on a risk-based approach using predefined baselines (Low, Moderate, High) that correspond to the potential impact of a system compromise.
  • NIST 800-53 Rev 5 contains over 1,000 controls across 20 families
  • Each family is designated by a two-letter identifier (AC, AU, CA, etc.)
  • Controls are selected using predefined baselines: Low, Moderate, and High impact
  • Control enhancements add specificity and rigor to base controls
  • The framework is mandatory for federal systems under FISMA and FedRAMP
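The family / base-control / enhancement structure described above is exactly what NIST's OSCAL machine-readable catalog encodes, and a baseline is an OSCAL profile that lists the control ids it includes. The Python below is an added example, not code from this page or from NIST: it parses control ids, flattens a constructed, abbreviated catalog fragment (the nesting is assumed from the OSCAL JSON shape, the entries are constructed), and resolves a constructed profile into printed labels grouped by family, reporting any id the catalog does not define.

```python
import re
# OSCAL-form ids: 'ac-2' is base control AC-2, 'ac-2.1' is enhancement AC-2(1).
CONTROL_ID = re.compile(r"^(?P<family>[a-z]{2})-(?P<base>\d+)(?:\.(?P<enh>\d+))?$")
# Constructed, abbreviated catalog shaped like NIST's OSCAL JSON: families are
# "groups", and enhancements nest under their base control's own "controls".
CATALOG = {"catalog": {"groups": [
    {"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-2", "title": "Account Management", "controls": [
            {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
    {"id": "ia", "title": "Identification and Authentication", "controls": [
        {"id": "ia-2", "title": "Identification and Authentication", "controls": [
            {"id": "ia-2.1", "title": "Multi-factor Authentication to Privileged Accounts"}]}]}]}}

# Constructed profile standing in for a baseline: the control ids it includes.
PROFILE = {"profile": {"imports": [{"include-controls": [
    {"with-ids": ["ac-2", "ac-2.1", "ia-2", "ia-2.1", "ia-9.9"]}]}]}}

def parse_control_id(cid):
    """Split 'ac-2.1' into ('AC', 2, 1); enhancement is None for a base control."""
    m = CONTROL_ID.match(cid)
    if not m:
        raise ValueError(f"not an 800-53 control id: {cid!r}")
    enh = m.group("enh")
    return m.group("family").upper(), int(m.group("base")), (int(enh) if enh else None)

def to_label(cid):
    """Render 'ac-2.1' as the printed label 'AC-2(1)'."""
    fam, base, enh = parse_control_id(cid)
    return f"{fam}-{base}" + (f"({enh})" if enh is not None else "")

def index_catalog(catalog):
    """Flatten groups -> base controls -> enhancements into {id: (family, title)}."""
    index = {}
    for group in catalog["catalog"]["groups"]:
        for ctl in group["controls"]:
            for node in [ctl] + ctl.get("controls", []):  # base control, then its enhancements
                index[node["id"]] = (group["id"].upper(), node["title"])
    return index

def resolve_profile(profile, catalog):
    """Return ({family: [labels]}, [ids the catalog lacks]) for a profile's selection."""
    index, selected, missing = index_catalog(catalog), {}, []
    for imp in profile["profile"]["imports"]:
        for inc in imp.get("include-controls", []):
            for cid in inc.get("with-ids", []):
                if cid in index:
                    selected.setdefault(index[cid][0], []).append(to_label(cid))
                else:
                    missing.append(cid)  # included by the baseline, undefined in catalog
    return selected, missing
```

Against the real Rev 5 catalog and the SP 800-53B profiles, the same walk yields the per-family control counts behind the Low, Moderate and High baselines.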

Access Control (AC) and Identification and Authentication (IA)

The Access Control (AC) family is the largest in NIST 800-53 with 25 base controls and numerous enhancements. It covers account management (AC-2), access enforcement (AC-3), information flow enforcement (AC-4), separation of duties (AC-5), least privilege (AC-6), unsuccessful logon attempts (AC-7), session controls (AC-11, AC-12), remote access (AC-17), and wireless access (AC-18). The Identification and Authentication (IA) family complements AC by addressing how users and devices prove their identity before access is granted. Key controls include identification and authentication policies (IA-1), user identification and authentication (IA-2) including multi-factor authentication enhancements, device identification (IA-3), authenticator management (IA-5), and cryptographic module authentication (IA-7). Together, these families form the foundation of zero-trust architecture by ensuring that every access request is authenticated, authorized, and continuously validated. Organizations implementing these families should prioritize AC-2 (Account Management), AC-3 (Access Enforcement), AC-6 (Least Privilege), IA-2 (Identification and Authentication with MFA enhancements), and IA-5 (Authenticator Management).
  • AC is the largest control family with 25 base controls covering all aspects of access
  • IA complements AC by addressing identity verification before access is granted
  • Together these families form the foundation for zero-trust architecture
  • AC-6 (Least Privilege) and IA-2 (MFA) are critical controls for all impact levels
  • Federal systems must implement MFA for privileged and network access at Moderate baseline

Audit and Accountability (AU) and System and Information Integrity (SI)

The Audit and Accountability (AU) family ensures organizations can detect, record, and respond to security-relevant events. Key controls include audit events (AU-2) defining which events to log, content of audit records (AU-3), audit storage capacity (AU-4), response to audit processing failures (AU-5), audit review, analysis, and reporting (AU-6), audit reduction and report generation (AU-7), and time stamps (AU-8). The System and Information Integrity (SI) family addresses the detection and correction of flaws and unauthorized changes. Critical controls include flaw remediation (SI-2) requiring timely patching, malicious code protection (SI-3), security alerts and advisories (SI-5), software and firmware integrity (SI-7), spam protection (SI-8), and information input validation (SI-10). These families work together: AU controls generate the evidence that SI controls use to detect integrity violations. Organizations should establish centralized log management (AU-6 enhancement), automate vulnerability scanning and patching (SI-2), and implement continuous monitoring dashboards that correlate audit data with integrity metrics.
  • AU family defines what to log, how to store logs, and how to review them
  • SI family addresses vulnerability management, malware protection, and system integrity
  • AU-6 (Audit Review) and SI-2 (Flaw Remediation) are essential for continuous monitoring
  • Centralized log management is a practical priority for AU control implementation
  • AU and SI controls work together to detect and respond to security events

Risk Assessment (RA) and Assessment, Authorization, and Monitoring (CA)

The Risk Assessment (RA) family establishes the risk-based foundation that drives control selection. Key controls include risk assessment policy (RA-1), security categorization (RA-2), risk assessment execution (RA-3), vulnerability monitoring and scanning (RA-5), and technical surveillance countermeasures (RA-6). RA-5 (Vulnerability Monitoring and Scanning) is particularly important as it requires regular automated vulnerability scanning with remediation timelines based on risk severity. The Assessment, Authorization, and Monitoring (CA) family governs the system authorization process. Key controls include assessment policy (CA-1), control assessments (CA-2), system authorization (CA-6 — the Authority to Operate or ATO process), and continuous monitoring (CA-7). For FedRAMP, the CA family is especially critical because CA-6 governs the ATO process that agencies must complete before using cloud services. CA-7 (Continuous Monitoring) requires ongoing assessment of control effectiveness, security status reporting, and active management of system risk posture. Organizations should integrate RA and CA processes into a continuous risk management lifecycle rather than treating them as periodic compliance activities.
  • RA family drives risk-based control selection through categorization and assessment
  • RA-5 (Vulnerability Scanning) requires automated scanning with risk-based remediation timelines
  • CA-6 governs the Authority to Operate (ATO) process critical for FedRAMP
  • CA-7 (Continuous Monitoring) transforms compliance from periodic to ongoing
  • RA and CA should be integrated into a continuous risk management lifecycle

Contingency Planning (CP) and Incident Response (IR)

The Contingency Planning (CP) family addresses business continuity and disaster recovery. Key controls include contingency plan development (CP-2), contingency training (CP-3), contingency plan testing (CP-4), system backup (CP-9), and system recovery and reconstitution (CP-10). CP-2 requires a comprehensive contingency plan that identifies essential missions and business functions, recovery objectives, restoration priorities, and roles and responsibilities. CP-9 (System Backup) requires backups of system-level and user-level information at defined frequencies with tested recovery procedures. The Incident Response (IR) family establishes the organizational capability to detect, analyze, contain, eradicate, and recover from security incidents. Key controls include incident response policy (IR-1), incident response training (IR-2), incident response testing (IR-3), incident handling (IR-4), incident monitoring (IR-5), incident reporting (IR-6), and incident response plan (IR-8). For federal systems, IR-6 requires reporting incidents to US-CERT within specified timeframes. Organizations should test both contingency plans (CP-4) and incident response plans (IR-3) at least annually through tabletop exercises, functional tests, or full-scale exercises.
  • CP family covers business continuity, disaster recovery, and backup requirements
  • CP-9 requires backups at defined frequencies with tested recovery procedures
  • IR family establishes detection, analysis, containment, eradication, and recovery capabilities
  • IR-6 requires incident reporting to US-CERT for federal systems
  • Both CP and IR plans must be tested at least annually through exercises

Supply Chain Risk Management (SR) and Configuration Management (CM)

Supply Chain Risk Management (SR) is a family added in Rev 5 reflecting the growing importance of supply chain security. Key controls include supply chain risk management policy (SR-1), supply chain risk management plan (SR-2), supply chain controls and processes (SR-3), provenance (SR-4), acquisition strategies and tools (SR-5), supplier assessments and reviews (SR-6), supply chain operations security (SR-7), and notification agreements (SR-8). These controls require organizations to identify, assess, and mitigate risks associated with the supply chain for systems, components, and services. Configuration Management (CM) addresses the secure configuration and change management of information systems. Key controls include configuration management policy (CM-1), baseline configuration (CM-2), configuration change control (CM-3), impact analysis for changes (CM-4), access restrictions for change (CM-5), configuration settings (CM-6), and least functionality (CM-7). CM-6 (Configuration Settings) is particularly important for FedRAMP, requiring systems to be configured according to government-approved security configuration checklists such as CIS Benchmarks or DISA STIGs. Organizations should implement automated configuration scanning to detect deviations from approved baselines.
  • SR family was added in Rev 5 to address growing supply chain security threats
  • SR controls require identification, assessment, and mitigation of supply chain risks
  • CM family governs secure configuration baselines and change management processes
  • CM-6 requires adherence to approved security configuration checklists (CIS, DISA STIGs)
  • Automated configuration scanning is essential for detecting baseline deviations
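As an added illustration of the automated configuration scanning the CM family calls for (not code from this page, from CIS or from DISA), the Python below checks a constructed sshd_config excerpt against constructed baseline rules, each tagged with the 800-53 control it supports (AC-6, AC-7, AC-12, IA-5, AU-2), and reports deviations grouped by control. The expected values are illustrative, not quoted from any CIS Benchmark or STIG.

```python
# Constructed sshd_config excerpt standing in for a captured host configuration.
SSHD_CONFIG = """\
# constructed sample, not taken from a real host
PermitRootLogin yes
MaxAuthTries 10
ClientAliveInterval 300
PasswordAuthentication yes
"""

# Illustrative baseline rules (constructed here, not quoted from CIS or STIG):
# (setting, comparison, expected value, the 800-53 control the rule supports).
BASELINE = [
    ("PermitRootLogin", "eq", "no", "AC-6"),           # least privilege
    ("MaxAuthTries", "le", 4, "AC-7"),                 # unsuccessful logon attempts
    ("ClientAliveInterval", "le", 600, "AC-12"),       # session termination
    ("PasswordAuthentication", "eq", "no", "IA-5"),    # authenticator management
    ("LogLevel", "eq", "VERBOSE", "AU-2"),             # events the audit policy needs
]

def parse_config(text):
    """Parse 'Keyword value' lines; first occurrence wins, as sshd itself applies them."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings

def check_rule(settings, setting, op, expected):
    """Return (passes, actual) for one rule; an absent setting never passes."""
    actual = settings.get(setting)
    if actual is None:
        return False, None
    if op == "eq":
        return actual.lower() == str(expected).lower(), actual
    if op == "le":
        return actual.isdigit() and int(actual) <= expected, actual
    raise ValueError(f"unknown comparison {op!r}")

def find_deviations(text, baseline=BASELINE):
    """Scan a config against the baseline; deviations are keyed by the control they affect."""
    settings = parse_config(text)
    deviations = {}
    for setting, op, expected, control in baseline:
        ok, actual = check_rule(settings, setting, op, expected)
        if not ok:
            deviations.setdefault(control, []).append((setting, actual, expected))
    return deviations
```

Keying the output by control id is what lets a scanner feed CA-7 continuous monitoring reports directly rather than a flat list of failed settings.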

Key Takeaways

  • NIST 800-53 Rev 5 contains over 1,000 controls across 20 families covering security and privacy
  • Controls are selected based on impact level baselines: Low (~130 controls), Moderate (~260), High (~340)
  • AC, AU, IA, and SC families form the technical core of most implementations
  • The SR family was added in Rev 5 to address supply chain risk management
  • FedRAMP uses NIST 800-53 as its control baseline, making familiarity essential for cloud providers
  • Continuous monitoring (CA-7) transforms compliance from a periodic activity into an ongoing program

Frequently Asked Questions

Who is required to implement NIST 800-53?

NIST 800-53 is mandatory for U.S. federal agencies and their contractors under FISMA. Cloud service providers seeking FedRAMP authorization must also implement NIST 800-53 controls. While not mandatory for the private sector, many organizations adopt it voluntarily as a comprehensive security framework, particularly those in defense, healthcare, and financial services.

What is the difference between Low, Moderate, and High baselines?

The three baselines correspond to the potential impact of a system compromise on organizational operations, assets, or individuals. Low baseline includes approximately 130 controls for systems where a breach would have limited adverse effect. Moderate baseline includes approximately 260 controls for systems where a breach would have serious adverse effect. High baseline includes approximately 340 controls for systems where a breach would have severe or catastrophic effect.

How does NIST 800-53 relate to FedRAMP?

FedRAMP uses NIST 800-53 as its control baseline for authorizing cloud service providers to handle federal data. FedRAMP adds specific parameter values, additional requirements, and continuous monitoring expectations on top of the standard 800-53 controls. Cloud providers pursuing FedRAMP authorization must implement the relevant 800-53 baseline plus FedRAMP-specific enhancements.

How long does it take to implement NIST 800-53?

Implementation timelines vary significantly based on scope, current maturity, and the target baseline. A Low baseline implementation might take 6-12 months, Moderate baseline 12-18 months, and High baseline 18-24 months. FedRAMP authorization typically takes 12-18 months including the 3PAO assessment and JAB or agency review process.

What changed in NIST 800-53 Rev 5?

Rev 5 (published September 2020) made several significant changes: controls are now outcome-based and applicable to any system (not just federal), a new Supply Chain Risk Management (SR) family was added, privacy controls were integrated throughout (previously in Appendix J), the Program Management (PM) family was expanded, and control baselines were moved to a separate publication (SP 800-53B).

Can I use NIST 800-53 for SOC 2 or ISO 27001 compliance?

Yes. NIST 800-53 controls map extensively to both SOC 2 Trust Services Criteria and ISO 27001 Annex A controls. Organizations implementing NIST 800-53 will find significant overlap with these frameworks. NIST provides mapping tools and crosswalks to help organizations identify equivalent controls across frameworks, reducing duplication for multi-framework compliance programs.

What tools help with NIST 800-53 implementation?

GRC platforms like RSAM, Archer, and ServiceNow GRC provide control tracking and assessment workflows. Compliance automation platforms like Vanta and Drata offer NIST 800-53 modules. NIST provides free resources including the SP 800-53A assessment procedures and the OSCAL (Open Security Controls Assessment Language) machine-readable format. PoliWriter generates policy documents aligned with NIST 800-53 control families.
