NIST SP 800-53 Requirements: Guide to Key Control Families

The AC family governs all aspects of access to information systems including account management, access enforcement, separation of duties, least privilege, session controls, remote access, and wireless access. AC-2 (Account Management) and AC-6 (Least Privilege) are foundational controls required at all impact levels.

The IA family ensures users and devices prove their identity before gaining access. Key controls include multi-factor authentication (IA-2 enhancements), device identification (IA-3), authenticator management (IA-5), and re-authentication requirements (IA-11). MFA is required at the Moderate baseline for privileged and network access.

The PS family addresses security requirements for personnel including position risk designation (PS-2), personnel screening and background checks (PS-3), personnel termination and transfer procedures (PS-4, PS-5), access agreements (PS-6), and personnel sanctions (PS-8). These controls ensure trusted individuals operate systems.

The AU family requires organizations to define auditable events, capture detailed audit records, protect audit information from unauthorized modification, review and analyze audit logs, and generate reports. Centralized log management and automated audit review are essential for effective implementation.

The CA family governs the system authorization lifecycle including control assessments (CA-2), system interconnection agreements (CA-3), the Authority to Operate process (CA-6), and continuous monitoring (CA-7). For FedRAMP, CA-6 is the control that governs the ATO process agencies must complete.

The RA family establishes requirements for categorizing systems by impact level (RA-2), conducting risk assessments (RA-3), performing vulnerability scanning (RA-5), and monitoring for new threats. RA-5 requires automated vulnerability scanning with remediation timelines based on risk severity.

The SC family is the second-largest family covering boundary protection (SC-7), transmission confidentiality and integrity (SC-8), cryptographic protection (SC-12, SC-13), session authenticity (SC-23), and protection of information at rest (SC-28). SC-7 (Boundary Protection) requires monitoring and controlling communications at the system boundary.

The CM family requires establishing baseline configurations (CM-2), controlling configuration changes (CM-3), analyzing the security impact of changes (CM-4), enforcing configuration settings (CM-6), and restricting system functionality to the minimum necessary (CM-7). Systems must be configured according to approved security checklists.

The CP family addresses business continuity and disaster recovery including contingency plan development (CP-2), training (CP-3), testing (CP-4), alternate processing and storage sites (CP-6, CP-7), system backups (CP-9), and system recovery (CP-10). Plans must be tested at least annually.

The IR family requires an incident response policy and plan (IR-1, IR-8), training (IR-2), testing (IR-3), incident handling procedures (IR-4), monitoring (IR-5), reporting (IR-6), and assistance mechanisms (IR-7). Federal systems must report incidents to US-CERT within specified timeframes.