Standards and Frameworks

    NIST SP 800-53

    National Institute for Standards and Technology (NIST)

    NIST Special Publication 800-53 Recommended Security Controls for Federal Information System belongs to NIST SP 800 series and provides a catalog of security controls for all U.S. federal information systems (except those related to national security, which requires express approval of appropriate federal officials).

    Last Updated: July 30, 2019

  • General

    NIST SP 800 Series

    NIST SP 800 series were created in 1990. It is a series of reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in computer security, and ITL’s collaborative activities with industry, government, and academic organizations. NIST develops SP 800 series which provides standards and guidelines to help U.S. federal agencies and contractors meet the standards under Federal Information Security Modernization Act (FISMA).

    NIST SP 800-53

    The purpose of NIST 800-53 is to provide guidelines for selecting and specifying security controls for federal information systems and organizations. These controls contains the technical, and organizational safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems. It applies to any component of an information system that stores, processes, or transmits federal information.

    NIST intends to use SP 800-53 alongside SP 80–37, which  provides federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 addresses the controls which can be used with the risk management framework under SP 800-37.

    Specifically, NIST 800-53 guidelines adopt a multi-layered approach to risk management through control compliance. It breaks organizations’ information systems into three classes and split the controls into 18 families.

    Three Classes

    NIST SP 800-53 applies the categorization method in Federal Information Processing Standard (FIPS) breaking organizations information systems into three classes: low-impact, moderate-impact, or high-impact, for the security objectives of confidentiality, integrity, and availability. NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process under these categories.

    18 Control Families

    SP 800-53 guidelines set 18 different families of security controls for ease of use in the control selection and specification process. The NIST SP 800-53 security control families are:

    • Access Control
    • Audit and Accountability
    • Awareness and Training
    • Configuration Management
    • Contingency Planning
    • Identification and Authentication
    • Incident Response
    • Maintenance
    • Media Protection
    • Personnel Security
    • Physical and Environmental Protection
    • Planning
    • Program Management
    • Risk Assessment
    • Security Assessment and Authorization
    • System and Communications Protection
    • System and Information Integrity
    • System and Services Acquisition

    NIST 800-53 guidelines provides a tailoring process to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.


    Federal Government statues (FISMA 2014), regulations, and policies (Office of Management and Budget (OMB) Circular A-130) may specify whether federal agencies are required, or encouraged, to comply with NIST’s SP 800-series publications.  Regardless of whether they are mandatory for federal agencies, an individual SP 800 publication may use document conventions to state any requirements, recommended options, or permissible actions within the publication (e.g., shallshouldmay). However,  by using “shall”, an SP 800 publication does not indicate whether that publication is required to be implemented by a federal statute, regulation, or policy. Rather, federal agencies and other interested parties should look in the documents text for any such relevant statement about document terminology.

    Entities outside of the U.S. Federal Government may voluntarily adopt NIST’s SP 800-series publications, unless they are contractually obligated to do so.


    The most recent update to the guidelines was Revision 5 (DRAFT), which was published in August, 2017. Revision 5 (DRAFT) removed the word “federal” to indicate that these guidelines may be applied to any organizations, not just Federal Government agencies.

    The final publication date is now scheduled for Summer 2019 according to NIST Computer Security Resource Center (CSRC) website. Major changes to the publication include:

    • Making the security and privacy controls more outcome-based by changing the structure of the controls;
    • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
    • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
    • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
    • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
    • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.