CyberGrind · Orange Book Published March 27, 2026
Framework Deep Dive

NIST SP 800-53
Revision 5

The comprehensive security and privacy control catalog that underpins federal cybersecurity — what it is, why it exists, how its 20 control families are structured, and how organizations of all types can use it.

Current Version: Revision 5 (Sept. 2020)
Published By: NIST (Dept. of Commerce)
Federal Status: Mandatory under FISMA
Total Controls: ~1,189 across 20 families
Contents
  1. What Is NIST SP 800-53?
  2. The Legislative Origin — FISMA
  3. Revision History
  4. What's New in Revision 5?
  5. The 20 Control Families
  6. Security Control Baselines
  7. SP 800-53 and the Risk Management Framework
  8. Who Must — and Who Should — Use It
  9. Limitations & Uncertainty
  10. References

What Is NIST SP 800-53?

NIST Special Publication 800-53 is a comprehensive catalog of security and privacy controls for information systems and organizations. Published by the National Institute of Standards and Technology, it provides the specific, prescriptive controls that organizations can implement to protect their systems, data, and operations against a broad range of threats: hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

If NIST CSF 2.0 is the strategic map, telling you what outcomes you need to achieve, then SP 800-53 is the toolbox. It contains more than 1,000 individual controls and control enhancements (the exact total depends on what is counted; see Limitations) organized into 20 control families, each addressing a specific domain of information security or privacy. Organizations use SP 800-53 to select, implement, assess, and monitor controls appropriate for their systems and risk environment.

Core Purpose

SP 800-53 provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats and risks. The controls are flexible and customizable, implemented as part of an organization-wide process to manage risk.

SP 800-53 is part of NIST's Special Publication 800-series, which covers information technology security research, guidelines, and outreach. The publication has companion documents: SP 800-53A provides procedures for assessing the effectiveness of controls, and SP 800-53B defines the three security control baselines (Low, Moderate, High) that serve as starting points for control selection.

The Legislative Origin — FISMA

SP 800-53's existence is rooted in law. The Federal Information Security Management Act (FISMA) was passed on December 17, 2002, as part of the E-Government Act. FISMA directed NIST to develop security standards and guidelines to help federal agencies implement information security programs and protect federal information and information systems.

In response, NIST launched the FISMA Implementation Project, which produced a suite of foundational publications: FIPS 199 (security categorization standards), FIPS 200 (minimum security requirements), SP 800-37 (originally certification and accreditation guidance, recast as the Risk Management Framework in Revision 1), and SP 800-53 (the security control catalog). The first version of SP 800-53 was published in February 2005.

FISMA was subsequently updated by the Federal Information Security Modernization Act of 2014, which strengthened requirements around continuous monitoring and incident reporting while affirming NIST's role in developing standards and guidelines for non-national-security systems.

The Compliance Obligation

All U.S. federal agencies, and contractors that operate systems on an agency's behalf, are required to comply with SP 800-53 under FISMA. Agencies are expected to be compliant within one year of a major publication update. SP 800-53 also forms the basis of FedRAMP authorization requirements for cloud service providers doing business with the federal government.

Revision History

SP 800-53 has been revised five times since its initial publication in February 2005. Each revision has responded to the evolving threat landscape and expanding technology environments that federal systems operate in.

2005
Initial Publication
First version published in February 2005 as part of the FISMA Implementation Project. Established the foundational catalog of security controls for federal information systems, built on FIPS 199 security categorization; FIPS 200 (March 2006) subsequently made the SP 800-53 baselines the required means of meeting its minimum security requirements.
2006
Revision 1
First revision (December 2006). Refined control definitions and supplemental guidance after the initial year of agency use.
2007
Revision 2
Incremental update (December 2007) that added and refined control enhancements and supplemental guidance.
2009
Revision 3
Expanded scope to include national security systems. Introduced application security, insider threats, and external service provider considerations. Harmonized security requirements across government communities.
2013
Revision 4
Major update addressing mobile and cloud computing, insider threats, advanced persistent threats, supply chain risks, and application security. Added Appendix J — privacy controls as a separate appendix (later integrated in Rev. 5).
Sept. 2020
Revision 5 — Current Version
Multi-year effort to develop next-generation controls. Extended scope to all organizations (not just federal). Integrated privacy controls into the main catalog. Added two new control families (PT and SR). Shifted language from role-based to outcome-based. Expanded coverage to IoT, OT, cloud, mobile, and cyber-physical systems.

What's New in Revision 5?

Revision 5, published in September 2020 (with updates through December 2020), is the most significant overhaul in the publication's history. Several changes deserve particular attention:

🌐
Extended Scope Beyond Federal Agencies
For the first time, SP 800-53 explicitly positions itself as applicable to any organization — not just federal agencies. The language shifts from "federal information systems" to simply "systems," making the controls applicable to general-purpose computing, IoT, cloud, mobile, industrial control systems, cyber-physical systems, and more.
🔒
Integrated Privacy Controls
In Revision 4, privacy controls were a separate appendix (Appendix J). Revision 5 integrates privacy controls into the main catalog alongside security controls, reflecting the recognition that cybersecurity and privacy are deeply interrelated disciplines. The new PT (PII Processing and Transparency) family is the primary vehicle for this.
🔗
New Supply Chain Risk Management Family (SR)
Supply chain risk management was already a concern before 2020, but the landscape of supply chain attacks had accelerated dramatically. Revision 5 created a dedicated SR family with controls specifically targeting the management of cybersecurity risks from suppliers, vendors, and third-party components.
🎯
Outcome-Based Language
Revision 5 shifts control statements from specifying who is responsible (e.g., "the organization shall...") to describing outcomes. This makes the catalog more broadly applicable across different organizational structures, roles, and contexts — and aligns better with the outcome-based approach of NIST CSF.
📦
Separation of Controls and Baselines
Control selection guidance and baselines were moved from SP 800-53 into the companion publication SP 800-53B. This streamlines the main catalog and makes it easier for a broader range of organizations to use the controls without being overwhelmed by federal-specific guidance.
🛡️
New State-of-the-Practice Controls
Revision 5 incorporates new controls to support cyber resiliency, secure system design, and stronger governance and accountability — informed by the latest threat intelligence and empirical attack data available at the time of publication.

The 20 Control Families

SP 800-53 Revision 5 organizes its controls into 20 families, each identified by a two-character identifier and addressing a specific domain of security or privacy. Two families — PT and SR — are new in Revision 5.

ID | Family Name | What It Addresses
AC | Access Control | Who can access which systems and data, under what conditions. Account management, least privilege, remote access, session controls.
AT | Awareness & Training | Security training programs for all personnel. Role-based training, records, and security awareness initiatives.
AU | Audit & Accountability | Logging, audit trail generation and protection, audit log review, and accountability mechanisms for system events.
CA | Assessment, Authorization & Monitoring | Security assessments, system authorization to operate, plans of action, continuous monitoring programs, and information exchange between systems.
CM | Configuration Management | Baseline configurations, change control, software usage restrictions, and system component inventory.
CP | Contingency Planning | Backup and recovery procedures, alternate processing sites, contingency plan development, testing, and maintenance.
IA | Identification & Authentication | Identity verification, multi-factor authentication, credential management, and authenticator lifecycle.
IR | Incident Response | Incident response policy, planning, training, testing, handling procedures, monitoring, and reporting.
MA | Maintenance | Controlled maintenance of organizational systems, maintenance tools, remote maintenance, and maintenance personnel.
MP | Media Protection | Protection, marking, storage, transport, sanitization, and disposal of system media containing sensitive information.
PE | Physical & Environmental Protection | Physical access controls, monitoring, visitor records, emergency power/shutoff, fire protection, water damage protection.
PL | Planning | System security and privacy plans, rules of behavior, concept of operations, security and privacy architectures, and baseline selection and tailoring.
PM | Program Management | Organization-wide information security and privacy program management, including governance, risk strategy, and enterprise architecture.
PS | Personnel Security | Position risk designations, personnel screening, termination and transfer processes, access agreements, and personnel sanctions.
PT | PII Processing & Transparency (NEW in Rev. 5) | Privacy-specific controls for processing personally identifiable information. Consent, transparency, data minimization, and privacy notices.
RA | Risk Assessment | Risk assessment policy and procedures, vulnerability monitoring and scanning, risk response, privacy impact assessments, and criticality analysis.
SA | System & Services Acquisition | Security in procurement, software development lifecycle, developer security testing, and supply chain protections for acquired systems.
SC | System & Communications Protection | Network boundary protection, encryption, denial-of-service protection, collaborative computing, and cryptographic key management.
SI | System & Information Integrity | Malicious code protection, system monitoring, security alerts, software and firmware integrity, and spam protection.
SR | Supply Chain Risk Management (NEW in Rev. 5) | Managing cybersecurity risks across the supply chain: supplier assessments, acquisition strategies, tamper resistance, component authenticity.

Security Control Baselines

Not every organization needs to implement every control. SP 800-53 defines three security control baselines — documented in the companion publication SP 800-53B — that serve as starting points for control selection based on a system's potential impact level. Organizations then "tailor" the baseline to their specific environment, adding or removing controls as appropriate.

The impact level comes from FIPS 199, which categorizes information and systems as Low, Moderate, or High according to the worst-case effect that a loss of confidentiality, integrity, or availability would have on organizational operations, assets, or individuals. FIPS 200 then makes the matching SP 800-53 baseline the mandatory starting point for federal systems.

Low Impact
~149
Controls Required
A breach would have limited adverse effects. Appropriate for systems where loss of confidentiality, integrity, or availability causes minimal harm to operations, assets, or individuals.
Moderate Impact
~287
Controls Required
A breach would have serious adverse effects — significant degradation of mission capability, financial loss, or harm to individuals. The most commonly applied baseline across federal agencies.
High Impact
~370
Controls Required
A breach could cause severe or catastrophic harm: major mission failure, significant financial loss, or serious injury or death. Typical of systems supporting public safety, critical infrastructure, or life-critical missions. (National security systems are categorized separately under CNSS guidance, which draws on the same catalog.)

There is also a privacy control baseline in SP 800-53B, which applies to systems that process personally identifiable information (PII), regardless of impact level.
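The select-then-tailor workflow described above is easy to get wrong in practice: an enhancement such as AC-2(1) only means something if its base control AC-2 is also selected, and the same set of selected controls yields different "totals" depending on whether enhancements are counted. The following Python is an added illustration, not code from NIST or from any of this page's sources. The identifier notation ("AC-2" for a base control, "AC-2(1)" for its first enhancement) and the 20 family identifiers are the real ones; the baseline membership in SAMPLE_BASELINES is constructed sample data for the example only and must not be read as SP 800-53B's actual tables.

```python
"""Parse SP 800-53 control identifiers, select a baseline, tailor it, and
count base controls versus enhancements.

Added example. SAMPLE_BASELINES is CONSTRUCTED for illustration; consult
SP 800-53B for the authoritative Low/Moderate/High membership.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# The 20 Rev. 5 families (identifier -> name), as listed in the table above.
FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training",
    "AU": "Audit and Accountability",
    "CA": "Assessment, Authorization, and Monitoring",
    "CM": "Configuration Management", "CP": "Contingency Planning",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning",
    "PM": "Program Management", "PS": "Personnel Security",
    "PT": "PII Processing and Transparency", "RA": "Risk Assessment",
    "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
    "SR": "Supply Chain Risk Management",
}

# "AC-2" is a base control; "AC-2(1)" is enhancement 1 of AC-2.
_ID_RE = re.compile(r"^([A-Za-z]{2})-(\d+)(?:\((\d+)\))?$")


@dataclass(frozen=True, order=True)
class ControlId:
    family: str
    number: int
    enhancement: int = 0  # enhancements are numbered from 1; 0 marks a base control

    @property
    def is_enhancement(self) -> bool:
        return self.enhancement > 0

    @property
    def base(self) -> "ControlId":
        return ControlId(self.family, self.number)

    def __str__(self) -> str:
        s = f"{self.family}-{self.number}"
        return f"{s}({self.enhancement})" if self.is_enhancement else s


def parse_control_id(text: str) -> ControlId:
    """Validate and parse 'AC-2' / 'ac-2(1)' style identifiers."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed control identifier: {text!r}")
    family, number, enh = m.group(1).upper(), int(m.group(2)), m.group(3)
    if family not in FAMILIES:
        raise ValueError(f"unknown control family {family!r} in {text!r}")
    if enh is not None and int(enh) == 0:
        raise ValueError(f"enhancement numbers start at 1: {text!r}")
    return ControlId(family, number, int(enh) if enh else 0)


# CONSTRUCTED sample membership. Each higher baseline is a superset of the lower one.
_LOW_SAMPLE = {"AC-1", "AC-2", "AC-3", "AC-7", "AU-2", "AU-3", "IA-2", "IA-2(1)", "SC-7"}
_MODERATE_EXTRA = {"AC-2(1)", "AC-2(2)", "AC-6", "AC-6(1)", "AU-3(1)", "SC-7(5)"}
_HIGH_EXTRA = {"AC-2(11)", "AC-6(3)", "SC-7(21)"}
SAMPLE_BASELINES = {
    "low": frozenset(_LOW_SAMPLE),
    "moderate": frozenset(_LOW_SAMPLE | _MODERATE_EXTRA),
    "high": frozenset(_LOW_SAMPLE | _MODERATE_EXTRA | _HIGH_EXTRA),
}


def select_baseline(impact_level: str) -> set:
    """RMF 'Select' step: start from the baseline matching the FIPS 199 level."""
    try:
        ids = SAMPLE_BASELINES[impact_level.lower()]
    except KeyError:
        raise ValueError(f"impact level must be low/moderate/high, got {impact_level!r}") from None
    return {parse_control_id(c) for c in ids}


def tailor(selected, add=(), remove=()) -> set:
    """Return a tailored copy of a selection. Removing a base control also
    drops its enhancements; the result is rejected if any enhancement is
    left without its base control, since an enhancement cannot stand alone."""
    result = set(selected)
    result.update(parse_control_id(c) for c in add)
    for text in remove:
        cid = parse_control_id(text)
        if cid.is_enhancement:
            result.discard(cid)
        else:
            result = {c for c in result if c.base != cid}
    orphans = sorted(c for c in result if c.is_enhancement and c.base not in result)
    if orphans:
        raise ValueError("enhancements without base control: " + ", ".join(map(str, orphans)))
    return result


def summarize(selected) -> dict:
    """Count base controls and enhancements per family. Whether these two
    numbers are added together is why published 'total control' figures differ."""
    per_family = defaultdict(lambda: {"base": 0, "enhancements": 0})
    for c in selected:
        per_family[c.family]["enhancements" if c.is_enhancement else "base"] += 1
    base = sum(v["base"] for v in per_family.values())
    enh = sum(v["enhancements"] for v in per_family.values())
    return {"families": dict(sorted(per_family.items())),
            "base_controls": base, "enhancements": enh, "total": base + enh}


if __name__ == "__main__":
    # Moderate system that adds a supply-chain control and drops AC-7 (with a
    # documented justification in the real process).
    tailored = tailor(select_baseline("moderate"), add=["SR-3"], remove=["AC-7"])
    print(summarize(tailored))
    for c in sorted(tailored):
        print(f"{c!s:<10} {FAMILIES[c.family]}")
```

The orphan check in tailor is the part worth copying into any real tailoring tooling: SP 800-53B baselines list enhancements only alongside their base control, and a spreadsheet-driven tailoring exercise that removes a base control but forgets its enhancements produces a plan that cannot be assessed against SP 800-53A procedures.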

SP 800-53 and the Risk Management Framework

SP 800-53 does not operate in isolation. It is a core component of NIST's Risk Management Framework (RMF), documented in SP 800-37. The RMF provides a seven-step process for managing security and privacy risks to information systems: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor (Prepare was added in SP 800-37 Revision 2).

SP 800-53 enters the picture at the Select step — after a system has been categorized using FIPS 199, the organization selects the appropriate baseline of controls from SP 800-53 and tailors it to the system's specific environment and risk profile. Controls are then implemented, assessed for effectiveness (using procedures from SP 800-53A), and continuously monitored throughout the system's lifecycle.

"SP 800-53 brought together the rules-based and risk-based approaches to risk management by specifying a common set of recommended security outcomes for each system, while allowing adjustments to take into account each system's unique characteristics and risk." — NIST Computer Security Resource Center

Who Must — and Who Should — Use It

Required For

The FISMA obligation described earlier covers civilian executive branch agencies and the contractors operating systems on their behalf. The catalog also forms the basis of FedRAMP, which cloud service providers must satisfy to offer services to federal agencies. Department of Defense contractors operating under CMMC (Cybersecurity Maturity Model Certification) encounter it indirectly: CMMC Level 2 requirements come from NIST SP 800-171, which is itself derived from the SP 800-53 moderate baseline.

Beneficial For

Beyond mandatory use, SP 800-53 is widely adopted voluntarily by organizations in healthcare, finance, defense contracting, and other regulated industries. Its comprehensiveness makes it a rigorous security program baseline that can help organizations satisfy multiple regulatory requirements simultaneously: published crosswalks map SP 800-53 controls to HIPAA, GDPR, PCI DSS, and other regimes, though a crosswalk shows coverage, not compliance, and each regime's own assessment requirements still apply.

Aspect | NIST CSF 2.0 | NIST SP 800-53
Nature | Outcome-based framework | Prescriptive control catalog
Compliance | Voluntary for most | Mandatory (federal agencies)
Level of Detail | High-level outcomes | Specific, granular controls
Audience | All levels incl. executives | Security engineers & architects
Role | "What to achieve" | "How to implement"
Number of Items | 6 functions, 106 subcategories | 20 families, ~1,189 controls

Limitations & Uncertainty

Transparency note: The following reflects genuine limitations and areas where confirmation is not possible from available sources.

Control counts vary by source: Different publications cite different total control counts for SP 800-53 Rev. 5 (ranging from ~1,007 to ~1,189) depending on whether control enhancements are counted separately from base controls and whether controls marked "Withdrawn" in the catalog (retained as placeholders that point to the control that absorbed them) are included. We use "approximately 1,189" as a commonly cited figure but note this varies. Consult the primary NIST publication or the NIST CPRT web portal for authoritative counts.

Baseline control counts are approximate: The figures cited (~149 Low, ~287 Moderate, ~370 High) are approximate and come from SP 800-53B. These counts changed between Revision 4 and Revision 5 as the framework was restructured. Always reference SP 800-53B directly for compliance purposes.

Revision 6 status: As of the time of writing (March 2026), we are not aware of a confirmed public release date for SP 800-53 Revision 6. NIST periodically updates its publications. Check csrc.nist.gov for current status.

This is not compliance advice: If your organization has FISMA, FedRAMP, CMMC, or other regulatory obligations tied to SP 800-53, consult qualified professionals and the authoritative NIST publications directly. Nothing here constitutes legal or compliance guidance.

References

  1. NIST. (2020). Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53 Rev. 5 (updated Dec. 2020). https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
  2. NIST. (2020). Control Baselines for Information Systems and Organizations. NIST SP 800-53B. https://csrc.nist.gov/publications/detail/sp/800-53b/final
  3. NIST Computer Security Resource Center. Risk Management — NIST Cyber History. https://csrc.nist.gov/nist-cyber-history/risk-management/chapter
  4. CSF Tools. NIST SP 800-53, Revision 5 — Reference. https://csf.tools/reference/nist-sp-800-53/r5/
  5. Secureframe. (2025). What is NIST SP 800-53 & Why Is It a Benchmark for Cybersecurity? https://secureframe.com/hub/nist-800-53/special-publication
  6. Drata. (2025). NIST SP 800-53 Control Families, Explained. https://drata.com/blog/nist-sp-800-53-control-families
  7. Hyperproof. (2026). NIST SP 800-53: Controls, Families, and Implementation Tips. https://hyperproof.io/nist-800-53/
  8. Fortinet. What is NIST 800-53? https://www.fortinet.com/resources/cyberglossary/nist-800-53
  9. Wikipedia. (2026). NIST SP 800-53. (Used for historical revision timeline only; factual claims cross-referenced against primary NIST sources.) https://en.wikipedia.org/wiki/NIST_SP_800-53
  10. Secureframe. (2025). NIST SP 800-53 Control Families: All 20 Families Explained. https://secureframe.com/hub/nist-800-53/control-families