NIST 800-53 Rev 5: Federal Security Controls Guide
NIST SP 800-53 Revision 5 provides a comprehensive catalog of security and privacy controls for federal information systems. This guide explains control families, baselines, the tailoring process, and alignment with FISMA compliance requirements.
Overview of NIST SP 800-53 Rev 5
NIST Special Publication 800-53 Revision 5, released in September 2020, is the definitive catalog of security and privacy controls for information systems and organisations. It contains more than 1,000 controls and control enhancements organised into 20 control families. Revision 5 removed the federal-specific language (the word "Federal" was dropped from the title) so the catalog applies to any organisation, restated controls as outcomes rather than as obligations on a named role, integrated privacy controls alongside security controls, and added two new families: Supply Chain Risk Management (SR) and PII Processing and Transparency (PT).
The 20 Control Families
The control families cover the full spectrum of security and privacy: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization, and Monitoring (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Personnel Security (PS), PII Processing and Transparency (PT), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI), and Supply Chain Risk Management (SR).
Understanding Control Baselines
NIST SP 800-53B defines three security control baselines corresponding to the FIPS 199 impact levels (plus a separate privacy control baseline that is selected on the basis of privacy risk rather than impact level):
- Low Baseline: Minimum controls for systems where loss would have limited adverse effect
- Moderate Baseline: Controls for systems where loss would have serious adverse effect. This is the most commonly applied baseline.
- High Baseline: Controls for systems where loss would have severe or catastrophic adverse effect
Each baseline is a starting point that organisations tailor to their specific environment.
The Tailoring Process
Tailoring transforms a generic baseline into controls appropriate for your specific system. The process involves:
- Identifying common controls inherited from other systems
- Applying scoping considerations based on system characteristics
- Selecting compensating controls when baseline controls cannot be implemented as specified
- Assigning specific parameter values, such as defining frequency for audit log reviews
- Supplementing with additional controls based on risk assessment findings
Document all tailoring decisions in the system security plan with clear justifications.
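The five tailoring steps above are easiest to keep honest when the decisions are recorded as data rather than prose. The following Python example is added here and is not NIST's OSCAL tooling or code from this page: it models a tiny, constructed catalog and baseline (abbreviated control statements, not the SP 800-53 text, and a hand-picked list standing in for the SP 800-53B moderate selection), applies inheritance, scoping, compensating controls, parameter assignment and supplementation, validates that every scoped-out control carries a justification and that every organisation-defined parameter in a selected control has a value, and emits the records a system security plan would hold. The `{{ insert: param, <id> }}` placeholder follows the OSCAL convention; all control ids, statements, parameter values and justifications are illustrative.

```python
"""Tailor a NIST SP 800-53 style baseline and record every decision.

Added example, not NIST's OSCAL schema or tooling. CATALOG and MODERATE_BASELINE
are constructed, abbreviated stand-ins for SP 800-53 / SP 800-53B content.
"""
import re
from dataclasses import dataclass, field

# OSCAL-style placeholder for an organisation-defined parameter.
PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([A-Za-z0-9._-]+)\s*\}\}")

# Constructed mini-catalog: id -> (family, title, abbreviated statement).
CATALOG = {
    "ac-2": ("AC", "Account Management",
             "Review accounts for compliance with account management requirements "
             "{{ insert: param, ac-2_prm_1 }}."),
    "ac-18": ("AC", "Wireless Access",
              "Authorize each type of wireless access to the system before allowing it."),
    "au-6": ("AU", "Audit Record Review, Analysis, and Reporting",
             "Review and analyze system audit records {{ insert: param, au-6_prm_1 }} "
             "for indications of {{ insert: param, au-6_prm_2 }}."),
    "pe-3": ("PE", "Physical Access Control",
             "Enforce physical access authorizations at {{ insert: param, pe-3_prm_1 }}."),
    "sc-8": ("SC", "Transmission Confidentiality and Integrity",
             "Protect the {{ insert: param, sc-8_prm_1 }} of transmitted information."),
    "si-7": ("SI", "Software, Firmware, and Information Integrity",
             "Employ integrity verification tools to detect unauthorized changes to "
             "{{ insert: param, si-7_prm_1 }}."),
    "sr-4": ("SR", "Provenance",
             "Document, monitor, and maintain valid provenance of "
             "{{ insert: param, sr-4_prm_1 }}."),
}

# Constructed stand-in for a moderate baseline (not the real SP 800-53B list).
MODERATE_BASELINE = ["ac-2", "ac-18", "au-6", "pe-3", "sc-8", "si-7"]


@dataclass
class TailoringDecisions:
    common: dict = field(default_factory=dict)        # control -> providing system
    scoped_out: dict = field(default_factory=dict)    # control -> justification
    compensating: dict = field(default_factory=dict)  # control -> (measure, justification)
    params: dict = field(default_factory=dict)        # parameter id -> assigned value
    supplements: dict = field(default_factory=dict)   # control -> risk-based justification


def resolve_params(statement, params):
    """Fill parameter placeholders; return (text, ids still unassigned)."""
    missing = []

    def sub(m):
        pid = m.group(1)
        if pid in params:
            return f"[{params[pid]}]"
        missing.append(pid)
        return m.group(0)

    return PARAM_RE.sub(sub, statement), missing


def tailor(catalog, baseline, d):
    """Apply tailoring decisions to a baseline and return SSP-style control records."""
    for cid, why in d.scoped_out.items():          # scoping: must be justified, must exist
        if cid not in baseline:
            raise ValueError(f"{cid} scoped out but not in baseline")
        if not why.strip():
            raise ValueError(f"{cid} scoped out without justification")
    for cid in d.supplements:                       # supplements: new, and in the catalog
        if cid in baseline or cid not in catalog:
            raise ValueError(f"{cid} is not a valid supplement")
    both = set(d.common) & set(d.compensating)
    if both:
        raise ValueError(f"inherited and compensated at once: {sorted(both)}")

    records = []
    selected = [(c, "baseline") for c in baseline] + [(c, "supplement") for c in d.supplements]
    for cid, origin in selected:
        family, title, statement = catalog[cid]
        rec = {"id": cid, "family": family, "title": title, "origin": origin}
        if cid in d.scoped_out:
            rec.update(status="not applicable", statement=None, justification=d.scoped_out[cid])
        else:
            text, missing = resolve_params(statement, d.params)
            if missing:                             # an unset ODP is an incomplete SSP
                raise ValueError(f"{cid}: unassigned parameters {missing}")
            rec["statement"] = text
            if cid in d.common:
                rec.update(status="inherited", provider=d.common[cid])
            elif cid in d.compensating:
                measure, why = d.compensating[cid]
                rec.update(status="compensating", measure=measure, justification=why)
            else:
                rec["status"] = "system-specific"
            if origin == "supplement":
                rec["justification"] = d.supplements[cid]
        records.append(rec)
    return records


# Constructed decisions for a hypothetical hosted web application.
EXAMPLE_DECISIONS = TailoringDecisions(
    common={"pe-3": "Hosting provider data center (authorized, inherited via provider SSP)"},
    scoped_out={"ac-18": "System hosts have no wireless interfaces; wireless access is not possible"},
    compensating={"sc-8": ("Legacy appliance cannot use TLS; its traffic is confined to an "
                           "isolated VLAN behind an IPsec gateway",
                           "Vendor firmware lacks TLS support; isolation gives equivalent protection")},
    params={"ac-2_prm_1": "at least quarterly", "au-6_prm_1": "at least weekly",
            "au-6_prm_2": "inappropriate or unusual activity",
            "pe-3_prm_1": "all physical access points to the facility",
            "sc-8_prm_1": "confidentiality and integrity",
            "si-7_prm_1": "application binaries and configuration files",
            "sr-4_prm_1": "container base images and third-party packages"},
    supplements={"sr-4": "Risk assessment rated tampered third-party packages as a top risk"},
)


def example_records():
    return tailor(CATALOG, MODERATE_BASELINE, EXAMPLE_DECISIONS)


if __name__ == "__main__":
    for r in example_records():
        print(f"{r['id']:6} {r['origin']:10} {r['status']:16} {r.get('justification', '')}")
```

Every record carries its origin (baseline or supplement), its responsibility (system-specific, inherited, compensating, or not applicable) and the justification the system security plan needs, so an assessor can trace each tailoring decision back to a recorded reason; a control with an unassigned parameter fails loudly instead of quietly shipping an incomplete statement.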
FISMA Compliance Connection
The Federal Information Security Modernization Act (FISMA) requires federal agencies to implement information security programs. NIST 800-53 controls form the backbone of FISMA compliance. The cycle, formalised as the Risk Management Framework in NIST SP 800-37, involves categorising systems using FIPS 199, selecting and tailoring baselines from NIST SP 800-53B, implementing and documenting controls, assessing their effectiveness using the procedures in NIST SP 800-53A, authorizing systems to operate, and continuously monitoring them.
Practical Implementation Tips
For organisations working with NIST 800-53:
- Use NIST's online Cybersecurity and Privacy Reference Tool or the machine-readable OSCAL edition of the catalog to search, filter, and script against controls efficiently
- Map controls to existing frameworks to identify overlaps and reduce duplicate effort
- Prioritise controls based on risk assessment rather than implementing everything simultaneously
- Leverage automated tools for continuous monitoring of technical controls
- Establish clear roles for control ownership, implementation, and assessment
While NIST 800-53 was designed for federal systems, its comprehensive nature makes it valuable for any organisation seeking a robust control catalog. The controls map well to ISO 27001, CIS Controls, and other frameworks, facilitating integrated compliance approaches.