
NIST 800-53 Controls

NIST 800-53 includes a set of controls designed to enhance the resilience and security of federal information systems. These controls encompass operational, technical, and management standards that information systems utilize to uphold privacy and security measures.

These controls are categorized into three classes, which reflect the potential impact of each risk. These broad classes are:

  • High impact
  • Medium impact
  • Low impact

How many NIST 800-53 controls are there?

NIST 800-53 defines 20 control families within its framework, containing 322 controls in total. Each control family has its own controls, which may or may not be applicable to any given organisation, so organisations using NIST 800-53 can select the controls most applicable to them.

NIST 800-53 control families

AC – Access Control

25 controls covering activities such as policies and procedures, account management, separation of duties and the policy of least privilege.

AT – Awareness and Training

6 controls covering awareness and security training across all employees, as well as more technical training for privileged users.

AU – Audit and Accountability

16 controls addressing the auditing and retention of records, as well as associated analysis, review and reporting.

CA – Assessment, Authorisation and Monitoring

9 controls relating to penetration testing, monitoring of network connections and monitoring of external systems.

CM – Configuration Management

14 controls covering configuration change, data action mapping and setting software policies.

CP – Contingency Planning

13 controls relating to the creation, testing and implementation of business continuity strategies, as well as alternative solutions for data processing and storage.

IA – Identification and Authentication

12 controls addressing the management of credentials, implementation of authentication policies and creation of systems for users, devices and services.

IR – Incident Response

10 controls for establishing incident response education and training, as well as associated monitoring systems and reporting processes.

MA – Maintenance

7 controls relating to the ongoing maintenance of systems, personnel and tools.

MP – Media Protection

8 controls on securing and protecting the access, use, storage and transportation of media.

PE – Physical and Environmental Protection

23 controls relating to protection against physical risk and damage, including access to emergency power and securing physical access in an incident.

PL – Planning

11 controls for putting strategies in place to maintain a comprehensive security architecture, including impact assessments, activity planning and rules of behaviour.

PM – Programme Management

32 controls dedicated to defining strategies for risk management and insider threats, as well as scaling architecture.

PS – Personnel Security

9 controls for addressing the requirements for screening personnel (both internal and external), transferring personnel and terminating personnel, as well as position risk designation.

PT – Personally Identifiable Information Processing and Transparency

8 controls addressing the creation of privacy notices, achieving consent and processing personally identifiable information.

RA – Risk Assessment

10 controls relating to vulnerability scanning, risk assessments and ongoing privacy impact.

SA – System and Services Acquisition

23 controls for the acquisition processes, allocation of resources and system development lifecycle, among others.

SC – System and Communications Protection

51 controls addressing activities such as the partition of applications, securing passwords and cryptographic key management.

SI – System and Information Integrity

23 controls relating to the implementation of system monitoring, alerting systems, spam protection and flaw remediation processes.

SR – Supply Chain Risk Management

12 controls covering supplier assessments and reviews, risk management plans, notification agreements and the inspection of systems or components.

Implementing NIST 800-53 Controls

With 20 families and over 300 controls, implementing the necessary control families may seem daunting. However, the Hicomply platform enables organisations to prioritise activities with greater accuracy and visibility. Easily establish your baseline controls and monitor control performance to ensure continued compliance.

Learn more about the NIST 800-53 framework in our NIST 800-53 Information Hub.