NIST SP 800-53 Rev 5
NIST SP 800-53 Revision 5 is the most comprehensive security and privacy control catalog published by the National Institute of Standards and Technology. It contains over 1,000 individual controls across 20 control families, covering security and privacy requirements for federal information systems and organisations. While mandatory for US federal agencies under FISMA, it is widely adopted by defence contractors, critical infrastructure operators, and organisations seeking the most granular control framework available.
Overview
What is NIST SP 800-53 Rev 5?
NIST Special Publication 800-53 Revision 5 is a catalog of security and privacy controls for information systems and organisations. Published in September 2020, it is the most granular and comprehensive control framework available, with over 1,000 individual controls and control enhancements organised into 20 families. It serves as the primary control catalog for US federal agencies under the Federal Information Security Modernization Act (FISMA) and forms the foundation for FedRAMP, the cloud security programme for federal systems.
What are the 20 control families?
NIST 800-53 organises controls into 20 families, each addressing a specific area of security or privacy:
- AC (Access Control) and AU (Audit and Accountability) cover who can access what and how access is logged
- AT (Awareness and Training) and PS (Personnel Security) address the human element of security
- CA (Assessment, Authorization and Monitoring) and PL (Planning) cover the governance lifecycle
- CM (Configuration Management) and MA (Maintenance) address system hardening and upkeep
- CP (Contingency Planning) and IR (Incident Response) cover resilience and recovery
- IA (Identification and Authentication) and SC (System and Communications Protection) address technical controls
- MP (Media Protection) and PE (Physical and Environmental Protection) cover physical security
- RA (Risk Assessment) and SA (System and Services Acquisition) address risk management in procurement
- SI (System and Information Integrity) covers vulnerability management, monitoring, and software integrity
- PM (Program Management) provides organisation-level security programme controls
- PT (PII Processing and Transparency) and SR (Supply Chain Risk Management) were added in Rev 5
How does NIST 800-53 relate to FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) uses NIST 800-53 as its control baseline. FedRAMP defines three impact levels: Low (125 controls), Moderate (325 controls), and High (421 controls), each drawn from the NIST 800-53 catalog. Cloud Service Providers seeking FedRAMP authorization must implement the applicable baseline and undergo assessment by a Third Party Assessment Organization (3PAO). Understanding NIST 800-53 is therefore essential for any CSP serving US government customers.
How does NIST 800-53 map to ISO 27001?
NIST 800-53 is significantly more granular than ISO 27001: over 1,000 controls versus 93 Annex A controls. However, the mapping is well-established. Most ISO 27001 controls map to multiple NIST 800-53 controls, while many NIST 800-53 controls (particularly the detailed enhancements) have no direct ISO 27001 equivalent. Our database contains 597 framework mappings for NIST 800-53, helping organisations understand which NIST controls are already covered by their existing ISO 27001 implementation.
Key Controls
| ID | Control |
|---|---|
| AC-1 | Access Control Policy and Procedures |
| AC-2 | Account Management |
| AU-2 | Event Logging |
| CA-2 | Control Assessments |
| CM-6 | Configuration Settings |
| IA-2 | Identification and Authentication |
| IR-4 | Incident Handling |
| RA-5 | Vulnerability Monitoring and Scanning |