ISpectra Technologies
NIST SP 800-53 Rev 5 · 20 Control Families · RMF · FISMA

Master the Federal Security Catalog with Our NIST 800-53 Hub

NIST Special Publication 800-53 Rev 5 is the catalog of security and privacy controls for federal information systems and the backbone of FISMA, FedRAMP, CMMC, and most federal risk-management programs. Our hub organizes the 20 control families, baseline selection, and RMF integration into a navigable resource.

20 Families · Rev 5 · Low/Mod/High Baselines · RMF Aligned

Free Assessment

Request NIST 800-53 Readiness Review

24h Response
4.9 rating 200+ audits supported

What is NIST SP 800-53 Compliance?

NIST SP 800-53 is the authoritative catalog of security and privacy controls for US federal information systems and is widely adopted by state, local, and private-sector organizations. Revision 5 (September 2020, updates ongoing) expanded to 20 control families, merged privacy and security into a unified control set, and introduced outcome-based control language.

Why NIST 800-53 matters in 2026

NIST 800-53 powers FISMA compliance, FedRAMP authorizations, CMMC Level 3 (via 800-172), DoD CC SRG, StateRAMP, and many state privacy laws. For non-federal organizations, it's the most comprehensive catalog on Earth: a gold-standard reference when you need to design a robust enterprise security program.

Who needs NIST 800-53

Federal agencies (required by FISMA). FedRAMP CSPs (required). DoD contractors (via 800-171 and 800-172). State and local governments via StateRAMP. Critical-infrastructure operators. Any enterprise that wants the most thorough control set available.

Business impact

For federal-facing businesses, 800-53 is non-negotiable. For private-sector enterprises, aligning to 800-53 (Moderate baseline) signals a world-class security posture, which is useful in vendor questionnaires, insurance, and regulator engagement. It's also the base for ISO 27001 Annex A crosswalks when you need both.

Your learning path

Pick the depth that matches where you are today

Whether you’re evaluating NIST 800-53 for the first time, deep in implementation, or running a continuous program, start in the lane that matches your current maturity.


Beginner · Learn the Catalog

Start here — the foundation

Understand control families, baselines, and how 800-53 fits with FISMA and the Risk Management Framework.


Intermediate · Tailor & Implement

Build your control set

Select and tailor controls, implement them, and document control inheritance.


Advanced · Automate & Scale

Optimize and scale

Automate control monitoring, leverage OSCAL, and integrate 800-53 into enterprise risk management.

Section A

NIST SP 800-53 Rev 5: the federal controls catalogue

NIST SP 800-53 Rev 5 is the authoritative catalogue of security and privacy controls for federal information systems — and the backbone underneath FedRAMP, CMMC, and most state-level frameworks.

What is NIST SP 800-53?

A catalog of 1,189 controls (Rev 5) for protecting the confidentiality, integrity, and availability of information systems and individual privacy.

Control Families

20 families from Access Control (AC) to Supply Chain Risk Management (SR). Each family groups related controls.

Baselines

Pre-selected control subsets for Low, Moderate, and High impact systems. Published in NIST SP 800-53B.

Privacy Integration

Rev 5 removes the separate privacy appendix and embeds privacy controls into every family, written in outcome-based language and aligned to the system life cycle.

Who It Applies To

Federal agencies, FedRAMP CSPs, contractors under 800-171 (tailored subset), state governments, and enterprises by choice.

Relationship to RMF

800-53 is step 3 (Select) and step 4 (Implement) of the NIST Risk Management Framework (SP 800-37).

Section B

Twenty control families and the Risk Management Framework

Twenty control families span access, audit, awareness, configuration, contingency, and more. The NIST Risk Management Framework (SP 800-37) defines how you categorize, select, implement, assess, authorize, and monitor them.

20 Control Families

AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT (new), RA, SA, SC, SI, SR.

Outcome-Based Language

Rev 5 controls state what must be achieved, not just what must be done, which enables flexibility in how they are implemented and makes them easier to automate.

Control Enhancements

Each control has numbered enhancements for higher baselines, so a single catalog can serve Low through High.

Overlays

Mission-specific tailored sets (Privacy, OT, Cloud, Cross-Domain, Space Systems, etc.) layered on top of baselines.

Assessment Procedures (800-53A)

Companion publication that defines assessment objectives, methods, and objects for each control.

OSCAL Support

NIST publishes 800-53 in the machine-readable OSCAL format, which is the foundation of FedRAMP 20x automation.

Section C

Tailoring, overlays, and baseline selection

Rev 5 fundamentally decoupled controls from baselines. SP 800-53B now holds the Low/Moderate/High baselines, giving you more deliberate control over tailoring and overlays for privacy, cloud, or mission-specific needs.

Step 1 · Categorize (FIPS 199)

Determine system impact level (Low, Moderate, High) based on CIA sensitivity.

Step 2 · Select Controls

Pick the applicable baseline from 800-53B. Add overlays for your mission (privacy, cloud, OT, etc.).

Step 3 · Tailor

Add, remove, substitute, or scope controls and set organization-defined parameter values to match your environment. Document the justification for each tailoring decision.

Step 4 · Implement

Deploy technical, operational, and management safeguards. Capture inherited controls.

Step 5 · Assess (800-53A)

Independent assessor or internal team tests control effectiveness using 800-53A procedures.

Step 6 · Authorize

Risk-based acceptance by an authorizing official (FISMA) or agency ATO (FedRAMP).

Step 7 · Continuous Monitoring

Automated where possible. Quarterly, annual, and event-driven assessments.

Section D

Implementing 800-53 in a cloud or hybrid environment

Boundary definition, control inheritance, and responsibility matrices let you scale an 800-53 program without drowning in paperwork. These three artefacts drive every later conversation with assessors.

Baseline Selection

Most enterprise programs target Moderate as the enterprise-wide baseline. Mission systems may be High.

Readiness Checklist

SSP drafted, control inheritance mapped, assessment schedule, POA&M for unimplemented controls.

Documentation

SSP, Risk Assessment, POA&M, Contingency Plan, IR Plan, Config Mgmt Plan, Privacy Impact Assessment.

Control Inheritance

Identify controls inherited from IaaS/PaaS providers, corporate ITGCs, or shared services.

Overlay Application

Privacy, PII, cloud, OT, and cross-domain overlays, layered on the baseline according to mission and data types.

Assessor Selection

Federal: agency IGs or contracted assessors. FedRAMP: 3PAO. Enterprise: internal audit or 3rd-party assessor.

Section E

Automation: OSCAL, SSP tooling, and continuous control monitoring

OSCAL (Open Security Controls Assessment Language) is quickly becoming the common format for SSP, assessment plans, and POA&Ms — making automation across GRC platforms finally realistic.

Manual vs Automated 800-53

Manual: static SSPs, spreadsheet POA&Ms. Automated: OSCAL-native platforms, continuous-control monitoring.

Benefits of Automation

1,000+ controls are impractical to track manually. OSCAL makes authorization packages machine-readable, and continuous monitoring (ConMon) can then run in near real time.

When to Invest

Always, for anything above Low. Moderate and High baselines demand GRC tooling.

Platforms to Consider

RegScale, Telos Xacta, Apptega, Eramba, ServiceNow GRC, Hyperproof. Pure 800-53 tools often pair with ISO/SOC modules.

Our Take

OSCAL is the most important automation lever; pick tools that consume and produce OSCAL natively.
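The baseline-selection and tailoring steps in Section C and the OSCAL automation discussed in this section come together in the one operation every GRC tool performs: resolve a profile (baseline plus tailoring) against a catalog to get the control set you actually have to implement and assess. The example below is added here and is not code from the page, from NIST, or from any of the platforms listed; the catalog and profile are constructed fragments whose key names follow the OSCAL catalog and profile models (`groups`, `controls`, `params`, `imports`, `include-controls`/`exclude-controls` with `with-ids`, `modify.set-parameters`), but the control ids, titles and parameter ids are made up for illustration and are not the real SP 800-53 entries. The resolver applies the import selection, drops excluded enhancements, assigns parameter values, and reports which organization-defined parameters are still unset, which is exactly the kind of gap an assessor will flag.

```python
import json
from collections import Counter

# Constructed, OSCAL-shaped catalog fragment. Key names mirror the OSCAL catalog
# model; ids, titles and params are made up and are NOT the real SP 800-53 controls.
CATALOG_JSON = """
{"catalog": {"metadata": {"title": "Mini SP 800-53 style catalog (constructed)"},
 "groups": [
  {"id": "ac", "class": "family", "title": "Access Control", "controls": [
    {"id": "ac-2", "title": "Account Management",
     "params": [{"id": "ac-2_prm_1", "label": "inactivity period"}],
     "controls": [{"id": "ac-2.1", "title": "Automated System Account Management"},
                  {"id": "ac-2.3", "title": "Disable Accounts",
                   "params": [{"id": "ac-2.3_prm_1", "label": "time period"}]}]},
    {"id": "ac-7", "title": "Unsuccessful Logon Attempts",
     "params": [{"id": "ac-7_prm_1", "label": "number of attempts"}]}]},
  {"id": "au", "class": "family", "title": "Audit and Accountability", "controls": [
    {"id": "au-2", "title": "Event Logging"},
    {"id": "au-6", "title": "Audit Record Review, Analysis, and Reporting",
     "controls": [{"id": "au-6.1", "title": "Automated Process Integration"}]}]},
  {"id": "sr", "class": "family", "title": "Supply Chain Risk Management", "controls": [
    {"id": "sr-3", "title": "Supply Chain Controls and Processes"}]}
 ]}}
"""

# Constructed profile: a baseline-style import plus tailoring (one enhancement
# excluded, two organization-defined parameter values set).
PROFILE_JSON = """
{"profile": {"metadata": {"title": "Constructed Moderate-style overlay"},
 "imports": [{"href": "#catalog",
   "include-controls": [{"with-ids": ["ac-2", "ac-2.1", "ac-2.3", "ac-7",
                                      "au-2", "au-6", "sr-3"]}],
   "exclude-controls": [{"with-ids": ["ac-2.1"]}]}],
 "modify": {"set-parameters": [
   {"param-id": "ac-7_prm_1", "values": ["3"]},
   {"param-id": "ac-2.3_prm_1", "values": ["90 days"]}]}}}
"""

CATALOG = json.loads(CATALOG_JSON)
PROFILE = json.loads(PROFILE_JSON)


def index_controls(catalog):
    """Flatten the catalog into {control_id: (family_id, control)}, recursing into enhancements."""
    index = {}

    def walk(controls, family):
        for ctl in controls:
            index[ctl["id"]] = (family, ctl)
            walk(ctl.get("controls", []), family)

    for group in catalog["catalog"]["groups"]:
        walk(group.get("controls", []), group["id"])
    return index


def resolve_profile(catalog, profile):
    """Apply include/exclude selections and set-parameters; fail loudly on dangling ids."""
    index = index_controls(catalog)
    selected = []
    for imp in profile["profile"]["imports"]:
        wanted = [cid for sel in imp.get("include-controls", []) for cid in sel["with-ids"]]
        excluded = {cid for sel in imp.get("exclude-controls", []) for cid in sel["with-ids"]}
        selected.extend(cid for cid in wanted if cid not in excluded)
    missing = [cid for cid in selected if cid not in index]
    if missing:  # a profile pointing at controls the catalog lacks is a tailoring error
        raise KeyError(f"profile references controls not in catalog: {missing}")
    modify = profile["profile"].get("modify", {})
    values = {p["param-id"]: p["values"] for p in modify.get("set-parameters", [])}
    resolved = []
    for cid in selected:
        family, ctl = index[cid]
        params = {p["id"]: values.get(p["id"]) for p in ctl.get("params", [])}
        resolved.append({"id": cid, "family": family, "title": ctl["title"], "params": params})
    return resolved


def unset_parameters(resolved):
    """Organization-defined parameters still unassigned after tailoring (an assessor finding)."""
    return sorted(pid for ctl in resolved for pid, val in ctl["params"].items() if not val)


def family_counts(resolved):
    """Controls per family in the resolved set, for an SSP summary table."""
    return dict(Counter(ctl["family"] for ctl in resolved))


if __name__ == "__main__":
    controls = resolve_profile(CATALOG, PROFILE)
    for ctl in controls:
        print(f'{ctl["id"]:8} {ctl["family"]}  {ctl["title"]}  params={ctl["params"]}')
    print("per family:", family_counts(controls))
    print("unset ODPs:", unset_parameters(controls))
```

Run it and the resolved set is the imported list minus the excluded enhancement; the unset-parameter list is the checklist you hand back to the control owner before the assessment schedule is fixed. Swapping the constructed fragments for the real catalog and baseline files would require the full OSCAL profile-resolution rules (pattern matching, `alter` directives, nested imports), which a native OSCAL tool handles for you; the point here is that the selection, tailoring and parameter steps are data, not prose, once the package is in OSCAL.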

Section F

NIST 800-53 implementation resources

Control-family cheat sheets, SSP templates, and mapping guides to related frameworks like ISO 27001 and CSF 2.0.

Use cases

Where NIST 800-53 moves the needle

Real business outcomes we see when clients adopt NIST 800-53 with the right implementation partner.

Federal Agencies

FISMA baseline. Agency-specific overlays (HVA, PII, cross-domain).

FedRAMP CSPs

Cloud services authorizing at Low, Moderate, or High.

State & Local Governments

StateRAMP leverages 800-53 Moderate as the default.

Enterprise Security Programs

Large private-sector enterprises adopting 800-53 Moderate as an internal baseline for maturity.

Pain points

What usually goes wrong and how to avoid it

Patterns we’ve seen across 200+ NIST 800-53 engagements. Spot these early and you’ll spare yourself months of rework.

Catalog size

1,189 controls plus their enhancements are impractical to manage without GRC tooling.

Tailoring debates

Endless debate over which enhancements apply slows implementation.

Privacy integration

Rev 5's privacy overlays are unfamiliar to many security teams.

Inherited-control tracking

Documentation of what you actually inherit versus what you implement yourself is frequently wrong.

Explore further

Related frameworks, services & resources

Keep learning — or put NIST 800-53 into action with a team that has done it before.

What Enterprise Clients Say


“ISpectra expertly guided us through every step of the SOC 2 certification process, turning complex regulatory requirements into practical, actionable steps. Their partnership-centric approach and responsiveness made all the difference. Achieving SOC 2 certification with their help has significantly enhanced our credibility and trustworthiness in the market.”
IZ
Irina Zakharchenko
Chief Operations and People Officer
DocsDNA
SOC 2 Certified
“ISpectra Technologies brought deep expertise in cybersecurity and DevSecOps to our projects, playing a crucial role in our EDR Tool implementations and SOC 2 compliance. Their solutions were tailored to our business and their proactive approach improved both our agility and security posture. ISpectra felt more like an extension of our team than an external vendor.”
SK
Sam K
CEO
Office Hub Tech LLC
SOC 2 + EDR Implementation
“Our Accounts Receivables have started to plummet since implementing RCMEdge. It provides electronic AR follow-up and identifies claims needing extra attention so we don't exhaust valuable resources on claims processing as normal. As a result, we're much more productive and cash flow favorable. Highly recommended!”
BR
Brian Reese
Director of Business Development
24/7 Medical Billing Services
AR Significantly Reduced
“The VAPT report was presented in a structured and professional manner with clear categorization of vulnerabilities by severity. The depth of technical findings, along with practical remediation suggestions, provided our team with valuable insights. The clarity of documentation made it easy for our internal teams to translate recommendations into actionable steps.”
KV
Karthik Vadivel
Lead System Engineer
ICS Pvt Ltd
VAPT Security Strengthened
“The VAPT assessment was thorough and well-documented, providing a clear view of identified vulnerabilities with practical remediation guidance. The prioritization of risks and actionable recommendations enabled our teams to take corrective measures with clarity and confidence. We truly appreciate the expertise and professionalism your team brought to this engagement.”
KV
Kayden Vincent
Cybersecurity Lead
247 Medical Billing Services
VAPT Risk Mitigated
“We have successfully secured our ISO 27001 certification through GLOCERT, and ISpectra Technologies was pivotal throughout. Your team's contribution was exceptional, not only in navigating the audit process but in the structural refinement of our internal policies and the practical application of ISMS best practices. The attention to detail ensured that our procedures are not just compliant, but operationally sound. We value the high standard of consultancy ISpectra has maintained and look forward to a continued professional association.”
CP
Chandan P
Business Analyst
Infocruise Solutions Private Limited
ISO 27001 Certified

Trusted by 200+ Global Enterprise Clients

Free NIST 800-53 Consultation

Ready to Protect Your Enterprise?

What Your Business Gets

  • Free AI use-case discovery workshop
  • Generative AI & LLM feasibility review
  • Model accuracy & cost benchmarks
  • MLOps maturity gap analysis
  • Responsible AI & governance roadmap
  • Pilot-to-production scaling plan

No obligation · Results in 48 hours · 100% confidential

Schedule a Call

Pick a time that works for you

Request Assessment

Our team responds within 24 hours

No spam. No obligations. We'll respond within 24 hours.

Encrypted & 100% confidential