NIST 800-53: The Complete Guide to Security & Privacy Controls [2026]

SaltyCloud Research Team

Updated Feb 17, 2026 Read Time 17 min

NIST 800-53: The Complete Guide to Security and Privacy Controls

NIST 800-53 Rev 5 contains 1,189 individual controls organized across 20 control families, and is widely considered one of the most comprehensive security and privacy control catalogs available today. Originally intended for U.S. federal agencies, NIST SP 800-53 shapes how many organizations protect their information systems in 2026. Beyond the government, NIST 800-53 influences healthcare, financial services, and the private sector.

To help security and risk practitioners get started with implementation, this guide explains what NIST 800-53 is, how the control catalog is structured, who must comply, and how it relates to other frameworks like NIST CSF, NIST 800-171, CMMC, and ISO 27001.

What Is NIST SP 800-53?

NIST Special Publication 800-53 is a catalog of security and privacy controls published by the National Institute of Standards and Technology (NIST). It defines how U.S. federal agencies and government contractors are expected to protect information systems under the Federal Information Security Modernization Act (FISMA) and serves as the basis for FedRAMP, CMMC and many private-sector security programs.

Instead of a framework, maturity model, or compliance checklist, NIST 800-53 is a structured library of individual security and privacy requirements. Organizations can select and implement the controls they need from this catalog based on their risk profile and system categorization.

As of 2026, the catalog contains 1,189 security and privacy controls organized into 20 control families covering technical, operational and management requirements. That makes it one of the most comprehensive information security control libraries publicly available today. Published in September 2020 and updated in August 2025, Revision 5 introduces integrated privacy controls and makes every control technology-neutral. As a result, the catalog now applies to any type of system — not just traditional federal IT.

Organizations preparing for authorization, pursuing federal contracts, or aligning with government security requirements must implement, document, and monitor NIST 800-53 controls to demonstrate compliance and manage system risk.

A Brief History of NIST 800-53

NIST 800-53 was first published in 2005 as part of the FISMA Implementation Project to give federal agencies a standardized set of security controls for protecting information systems across missions and environments. Since then, NIST has released multiple versions to expand coverage and keep pace with modern systems and threats.

  • Initial Release (2005): Establishes the first standardized control catalog for federal systems
  • Revision 1 (2006): Expands controls and adds supplemental guidance
  • Revision 2 (2007): Refines control structure and adds application-level guidance
  • Revision 3 (2009): Major expansion with priority codes and baseline allocations
  • Revision 4 (2013): Adds privacy controls in Appendix J and introduces overlays
  • Revision 5 (2020): Integrates privacy controls into the main catalog, adds supply chain and PII families and makes controls outcome-based and technology-neutral

NIST 800-53 Rev 5.2.0

In August 2025, NIST released SP 800-53 Rev 5.2 to support more secure software development and deployment processes. Published in response to EO 14306, the update addresses software and system resiliency by design, developer testing, deployment and management of updates, and software integrity and validation. It also introduces three entirely new controls:

  • Logging Syntax (SA-15): Defines an electronic format for recording security-related events to support better incident response
  • Root Cause Analysis (SI-02(07)): Specifies conducting a review to find the root cause of an issue or failure with the software update, forming an action plan, and implementing it
  • Design for Cyber Resiliency (SA-24): Recommends designing systems for survivability, or the ability to anticipate, withstand, respond, and recover from attacks while maintaining critical functions

For an updated version of NIST SP 800-53 with the complete set of changes in Revision 5.2, check out the Cybersecurity and Privacy Reference Tool (CPRT).

Most Current Version of NIST 800-53: Revision 5

NIST 800-53 Revision 5 is the current and most comprehensive version of the control catalog. Published in September 2020, it was the first major update since Rev 4 was released in 2013, introducing significant changes that would reshape how organizations approach security and privacy compliance.

Today, NIST continues to maintain the catalog through periodic updates to reflect evolving threats, technologies and implementation practices.

Key Changes from Rev 4 to Rev 5

The transition from Rev 4 to Rev 5 brought five major changes:

  1. Privacy controls integrated into the main catalog. Privacy controls were moved out of Appendix J and woven throughout the catalog, giving them equal standing with security controls. This eliminated the siloed approach where privacy was treated as an afterthought.
  2. Two new control families added. PT (PII Processing and Transparency) provides specific requirements for handling personally identifiable information. SR (Supply Chain Risk Management) addresses the growing threat of third-party and supply chain compromise.
  3. Control baselines moved to NIST SP 800-53B. The Low, Moderate, and High baselines are now maintained in a separate publication, allowing NIST to update baseline selections without revising the entire control catalog.
  4. Controls made outcome-based and technology-neutral. Rev 5 removed references to specific technologies and federal-only language, making controls applicable to any type of system — cloud, on-premises, IoT, industrial control systems, or hybrid environments. This broadened the catalog’s applicability beyond traditional federal IT.
  5. State-of-practice controls added. New controls were introduced for areas including cyber resiliency, secure systems design, and governance. These reflect the evolving threat landscape and modern security architectures.

Why the New Version Matters

The Rev 5 designation is not just a label. Organizations undergoing audits, pursuing FedRAMP authorization, or mapping controls for FISMA compliance should confirm they are working from Revision 5. While some legacy systems may still reference Rev 4 controls, all new authorizations and assessments should align with the current version.

Security AND Privacy Controls

NIST 800-53 Rev 5 combines both security and privacy controls into a single, integrated catalog — eliminating the separate privacy appendix that existed in NIST 800-53 Rev 4. This change reflects a fundamental shift in how the federal government approaches information protection.

In previous versions, privacy controls lived in Appendix J, treated as supplementary guidance rather than core requirements. Rev 5 elevated privacy to first-class status, placing privacy controls alongside security controls throughout the catalog. This integration was driven by the growing convergence of security and privacy obligations: the influence of the EU’s General Data Protection Regulation (GDPR), the rise of state-level privacy laws in the United States, and updated OMB guidance requiring agencies to address both disciplines together.

The unified catalog now addresses three dimensions of information protection:

  • Confidentiality, integrity, and availability — the traditional security triad
  • Individual privacy protections — ensuring that personally identifiable information (PII) is collected, used, and shared responsibly

Two new control families were added in Rev 5 to support this integration:

  • PT (PII Processing and Transparency) addresses how organizations handle personal information, including consent mechanisms and data minimization.
  • SR (Supply Chain Risk Management) addresses risks introduced by third-party suppliers, an increasingly critical concern given the prevalence of supply chain attacks.

Program Management (PM) was also significantly expanded to include privacy governance requirements, covering privacy impact assessments, privacy roles and responsibilities, and privacy reporting. Now, with these additions, organizations can address both security and privacy requirements from a single, authoritative source.

Who Must Comply with NIST 800-53?

Compliance with NIST SP 800-53 is mandatory for all U.S. federal agencies, organizations that operate information systems on behalf of the federal government, and contractors that handle federal data. Yet many cloud service providers, private contractors, and organizations voluntarily align with 800-53 guidelines to meet contractual obligations or to satisfy broader security and risk management expectations.

For organizations evaluating whether NIST SP 800-53 applies to their environment, additional context on building an information security risk management program is available in this complete ISRM guide. But most of the time, an organization’s NIST 800-53 scope will be shaped by one of three drivers: mandatory compliance, contractual requirements or voluntary adoption.

Mandatory Compliance

The following organizations are legally or contractually required to implement NIST 800-53 controls:

  • All U.S. federal agencies must comply under FISMA. Every executive branch agency must categorize its information systems and implement the appropriate baseline controls.
  • Federal contractors and subcontractors handling federal information are bound by contract clauses (including DFARS and FAR provisions) that often require implementation or alignment with NIST 800-53 controls.
  • Cloud service providers seeking FedRAMP authorization must implement 800-53 controls at the relevant baseline level (Low, Moderate, or High) to receive an Authority to Operate (ATO).
  • Department of Defense (DoD) contractors are subject to DFARS requirements that trace back to NIST 800-53.

Effectively Required

Some organizations are not directly mandated to use NIST 800-53, but regulatory, funding or contractual conditions make alignment practically necessary:

Voluntary Adoption

Private-sector organizations have no legal obligation to implement NIST 800-53, but many adopt it voluntarily because it provides one of the most thorough and well-documented control catalogs available. Organizations preparing for ISO 27001 certification often find significant overlap, and companies in regulated industries like financial services and energy use 800-53 for prescriptive guidance that other frameworks lack.

NIST 800-53 Applicability by Organization Type

Organization Type                 Requirement Level     Key Driver
--------------------------------  --------------------  -------------------------------------
Federal agencies                  Mandatory             FISMA
Federal contractors               Mandatory             Contract clauses (DFARS, FAR)
FedRAMP cloud providers           Mandatory             FedRAMP authorization
DoD contractors                   Mandatory             DFARS / CMMC
Higher education (federal data)   Effectively required  NIST 800-171 / CUI requirements
Healthcare                        Recommended           HIPAA Security Rule mapping
Private sector                    Voluntary             Risk management best practice

Regardless of whether compliance is mandatory or voluntary, most organizations encounter NIST 800-53 alongside other frameworks. Understanding how they relate is key.

For the step-by-step compliance process, see our NIST 800-53 risk assessment guide.

How NIST 800-53 Controls Are Structured

NIST SP 800-53 organizes its 1,189 security and privacy controls into a three-tier hierarchy: 20 control families, 325 base controls, and control enhancements that add specificity.

Tier 1: Control Families

The 20 control families are the top-level groupings. Each family addresses a broad security or privacy domain and is identified by a two-letter code.

For example, AC stands for Access Control, AU stands for Audit and Accountability, and IR stands for Incident Response. Families range in size from 6 controls (Awareness and Training) to 51 controls (System and Communications Protection).

Tier 2: Individual Controls

Within each family, individual controls define specific security or privacy requirements. Each control has a unique identifier combining the family code and a sequential number.

For example, AC-2 is the Account Management control within the Access Control family. AC-2 requires organizations to define, create, enable, modify, disable, and remove accounts in accordance with policy.

Tier 3: Control Enhancements

Control enhancements extend a base control with additional requirements or specificity. They are identified by the base control number followed by a parenthetical number.

For example, AC-2(1) adds automated system account management to the base AC-2 control, requiring organizations to use automated mechanisms to support the management of information system accounts. Not every base control has enhancements, and not every enhancement applies at every baseline level.

The 20 Control Families

The complete list of NIST 800-53 Rev 5 control families is as follows:

ID   Family Name                                  Number of Base Controls
---  -------------------------------------------  -----------------------
AC   Access Control                               25
AT   Awareness and Training                        6
AU   Audit and Accountability                     16
CA   Assessment, Authorization, and Monitoring     9
CM   Configuration Management                     14
CP   Contingency Planning                         13
IA   Identification and Authentication            13
IR   Incident Response                            10
MA   Maintenance                                   7
MP   Media Protection                              8
PE   Physical and Environmental Protection        23
PL   Planning                                     11
PM   Program Management                           32
PS   Personnel Security                            9
PT   PII Processing and Transparency               8
RA   Risk Assessment                              10
SA   System and Services Acquisition              23
SC   System and Communications Protection         51
SI   System and Information Integrity             23
SR   Supply Chain Risk Management                 12
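Identifiers in the three-tier form described above (family code, sequential number, parenthetical enhancement) turn up in several spellings when controls are pulled from different documents, including zero-padded forms like SI-02(07). The Python below, an added example that is not part of this page or of any NIST or SaltyCloud tooling, parses and normalizes such identifiers and validates them against the family table; it assumes that the base-control count listed for each family is the highest sequence number used in that family.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 20 Rev 5 control families and base-control counts from the table on this page.
FAMILIES: Dict[str, tuple] = {
    "AC": ("Access Control", 25),
    "AT": ("Awareness and Training", 6),
    "AU": ("Audit and Accountability", 16),
    "CA": ("Assessment, Authorization, and Monitoring", 9),
    "CM": ("Configuration Management", 14),
    "CP": ("Contingency Planning", 13),
    "IA": ("Identification and Authentication", 13),
    "IR": ("Incident Response", 10),
    "MA": ("Maintenance", 7),
    "MP": ("Media Protection", 8),
    "PE": ("Physical and Environmental Protection", 23),
    "PL": ("Planning", 11),
    "PM": ("Program Management", 32),
    "PS": ("Personnel Security", 9),
    "PT": ("PII Processing and Transparency", 8),
    "RA": ("Risk Assessment", 10),
    "SA": ("System and Services Acquisition", 23),
    "SC": ("System and Communications Protection", 51),
    "SI": ("System and Information Integrity", 23),
    "SR": ("Supply Chain Risk Management", 12),
}

# Accepts AC-2, AC-2(1), SI-02(07) and ac-2.1: optional zero padding, parenthesised or dotted enhancement.
_ID_RE = re.compile(r"^\s*([A-Za-z]{2})-0*(\d+)(?:\s*\(\s*0*(\d+)\s*\)|\.0*(\d+))?\s*$")


@dataclass(frozen=True, order=True)
class ControlId:
    family: str
    number: int
    enhancement: Optional[int] = None

    @property
    def tier(self) -> str:
        return "enhancement" if self.enhancement is not None else "control"

    @property
    def base(self) -> "ControlId":
        return ControlId(self.family, self.number)

    def __str__(self) -> str:
        # Canonical printed form used in the Rev 5 text, e.g. AC-2(1)
        s = f"{self.family}-{self.number}"
        return f"{s}({self.enhancement})" if self.enhancement is not None else s

    def oscal_id(self) -> str:
        # Lowercase dotted form used by machine-readable (OSCAL) catalogs, e.g. ac-2.1
        s = f"{self.family.lower()}-{self.number}"
        return f"{s}.{self.enhancement}" if self.enhancement is not None else s


def parse_control_id(text: str) -> ControlId:
    """Parse one identifier and validate it against the 20 families; raise ValueError otherwise."""
    m = _ID_RE.match(text)
    if not m:
        raise ValueError(f"not a control identifier: {text!r}")
    family = m.group(1).upper()
    if family not in FAMILIES:
        raise ValueError(f"unknown control family {family!r} in {text!r}")
    number = int(m.group(2))
    # Assumption: the page's base-control count is the highest sequence number in the family.
    if not 1 <= number <= FAMILIES[family][1]:
        raise ValueError(f"{family}-{number} is outside the family's range in {text!r}")
    enh = m.group(3) or m.group(4)
    enhancement = int(enh) if enh is not None else None
    if enhancement is not None and enhancement < 1:
        raise ValueError(f"enhancement numbers start at 1: {text!r}")
    return ControlId(family, number, enhancement)


def group_by_base(texts: List[str]) -> Dict[str, List[str]]:
    """Deduplicate messy identifiers and group enhancements under their canonical base control."""
    groups: Dict[ControlId, set] = {}
    for t in texts:
        cid = parse_control_id(t)
        bucket = groups.setdefault(cid.base, set())
        if cid.enhancement is not None:
            bucket.add(cid)
    return {str(b): [str(e) for e in sorted(groups[b])] for b in sorted(groups)}


if __name__ == "__main__":
    # Constructed sample: the same control written the different ways seen in practice.
    print(group_by_base(["AC-2", "ac-2(1)", "AC-02(01)", "SI-02(07)", "sa-15", "SC-7.5"]))
```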

Control Baselines

In addition to the control catalog itself, NIST defines three predefined baselines (Low, Moderate, and High) that specify which controls to apply based on how serious the impact would be if a system's confidentiality, integrity or availability were compromised.

Organizations use guidance from FIPS 199 to evaluate the potential impact if a system were compromised and select the appropriate baseline. A Low-baseline system requires fewer controls, while a High-baseline system requires the most extensive set. In NIST 800-53:

  • Low baseline: ~139 controls
  • Moderate baseline: ~287 controls
  • High baseline: ~370 controls

In Revision 5, the predefined baselines were relocated to a separate companion document: NIST SP 800-53B. By keeping the baselines separate, NIST can update which controls apply at each impact level as risks evolve, without having to revise the entire control catalog.

NIST 800-53 vs Other Frameworks

NIST 800-53 connects to, overlaps with, and feeds into several other major security and compliance frameworks. For organizations managing multiple compliance requirements, understanding these relationships helps avoid duplicated effort and clarifies where 800-53 fits in the broader landscape.

NIST CSF (Cybersecurity Framework)

The NIST Cybersecurity Framework is a voluntary, outcome-based risk management framework that describes security functions at a high level: Govern, Identify, Protect, Detect, Respond, and Recover. NIST 800-53 provides the detailed, prescriptive controls that map to CSF subcategories. Many organizations use CSF as the “what” (what outcomes do we need?) and 800-53 as the “how” (how do we achieve those outcomes?).

NIST 800-171

NIST 800-171 is derived directly from NIST SP 800-53 and includes a tailored set of 110 controls designed to protect Controlled Unclassified Information (CUI) in non-federal systems. DoD contractors or research institutions handling federally funded data are often required to implement 800-171.

CMMC (Cybersecurity Maturity Model Certification)

CMMC is built on the requirements defined in NIST 800-171, also derived from NIST 800-53. In addition to technical safeguards, CMMC introduces maturity levels and requires independent third-party assessments for DoD contractors. This lineage reflects how many of the practices assessed under CMMC can be traced back to controls originally defined in NIST SP 800-53.

ISO 27001

ISO/IEC 27001 is an internationally recognized standard for establishing an Information Security Management System (ISMS), and its Annex A controls often align in intent with those found in NIST 800-53. However, the two serve distinct purposes. While ISO 27001 supports certification through an audit process, NIST 800-53 is designed to help organizations select and implement controls based on system impact and risk exposure.

To map ISO/IEC 27001 requirements to NIST SP 800-53 controls directly, organizations can use the official crosswalk.

RMF (NIST 800-37)

The Risk Management Framework (RMF), defined in NIST SP 800-37, is a six-step process for selecting, implementing, assessing, authorizing, and monitoring 800-53 controls. RMF answers “how do I use the catalog?” while 800-53 answers “what controls are available?”

Other Frameworks vs NIST 800-53

Framework           Relationship to 800-53                       Scope                                   Mandatory For
------------------  -------------------------------------------  --------------------------------------  ----------------------------------------
NIST CSF            Complementary (CSF maps to 800-53)           Risk management framework               Voluntary (widely adopted)
NIST 800-171        Derived from 800-53 (subset)                 CUI protection in non-federal systems   DoD contractors, federal subcontractors
CMMC                Built on 800-171 (which derives from 800-53) DoD supply chain security               DoD contractors
ISO 27001           Overlapping but independent                  International ISMS standard             Voluntary (certification-based)
NIST 800-37 (RMF)   Process for implementing 800-53              Risk management process                 Federal agencies


Simplify NIST 800-53 with Isora GRC

Managing 1,189 controls across 20 families is complex, especially when multiple departments, systems, and compliance timelines are involved. NIST 800-53 compliance software gives security teams one shared workspace purpose-built for assessments, risk management, and compliance reporting. With solutions like Isora GRC, organizations can simplify:

Assessment Management: Organize assessments by compliance goal and distribute NIST 800-53 questionnaires to unit-level owners across your organization. Track completion rates in real time — across departments, campuses, or business units — instead of chasing responses through email chains and spreadsheets.

Questionnaires & Surveys: Use pre-built questionnaires for NIST 800-53 or customize question sets to match your organization’s specific baseline and tailoring decisions. Unit owners attach evidence directly within their responses, building an audit trail without scattered files or manual coordination.

Reports & Scorecards: Generate compliance scorecards and status reports for leadership, auditors, and federal oversight bodies. Automated scoring and category comparisons give your team the documentation needed for FISMA audits, FedRAMP assessments, or internal governance reviews.

Isora GRC is the collaborative GRC Assessment Platform™ for structure, clarity and real-time visibility into how security teams manage NIST SP 800-53 compliance.

NIST 800-53 FAQs

What is NIST 800-53?

NIST 800-53 is a security and privacy controls catalog published by the National Institute of Standards and Technology. Organized into 20 control families, it provides the standard control set for protecting federal information systems under FISMA. The most current version, Revision 5, was published in September 2020, integrating both security and privacy controls in a single catalog.

How many controls are in NIST 800-53?

NIST 800-53 Rev. 5 contains 1,189 individual controls organized across 20 control families. Because each control can have multiple enhancements that add specificity or tailor the requirement to particular environments, the actual number of controls an organization should implement will depend on the selected baseline. Whether a system qualifies as Low, Moderate or High is determined by its impact level, as defined in NIST SP 800-53B.

Is NIST 800-53 mandatory?

Under FISMA, NIST 800-53 is mandatory for all U.S. federal agencies as well as for organizations that operate federal information systems or process, store or transmit federal data. This includes FedRAMP cloud service providers and DoD contractors subject to DFARS requirements. Private-sector organizations often adopt 800-53 voluntarily as a best-practice framework for managing security and privacy risks.

What is the difference between NIST 800-53 and 800-171?

NIST 800-171 defines a tailored subset of 110 controls designed to protect Controlled Unclassified Information (CUI) in non-federal systems. NIST 800-53 contains 1,189 controls for federal information systems from which the curated selection of 800-171 controls was derived.

What is the difference between NIST 800-53 and NIST CSF?

The NIST Cybersecurity Framework is a voluntary risk management framework that describes desired security outcomes at a high level. NIST 800-53, on the other hand, is a prescriptive catalog of specific, implementable controls. Organizations often use NIST CSF to identify which security outcomes they need to achieve and then use 800-53 to determine exactly which controls to implement to achieve them.

What are the 20 control families in NIST 800-53?

The 20 control families in 800-53 are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization, and Monitoring (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Personnel Security (PS), PII Processing and Transparency (PT), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI) and Supply Chain Risk Management (SR).

What changed in NIST 800-53 Rev 5?

NIST 800-53 Rev. 5 was published on September 23, 2020, and introduced five major changes. Privacy controls were integrated into the main body of NIST SP 800-53 rather than maintained in a separate appendix, and two new control families were added: PT (PII Processing and Transparency) and SR (Supply Chain Risk Management). Control baselines were moved to a separate publication, NIST SP 800-53B, and all controls were revised to be outcome-based and technology-neutral. The revision also introduced new state-of-practice controls to support cyber resiliency and secure systems design.

Does NIST 800-53 apply to cloud environments?

Yes, NIST 800-53 applies to all federal information systems regardless of where they are hosted, whether on-premises, in the cloud, across hybrid or multi-cloud environments. FedRAMP specifically requires cloud service providers to implement 800-53 controls at the appropriate baseline level (Low, Moderate, or High) to receive an Authority to Operate (ATO). The technology-neutral language in Rev. 5 also makes the controls directly applicable to modern cloud architectures.

How do I implement NIST 800-53?

NIST SP 800-53 implementation follows the Risk Management Framework (RMF) defined in NIST SP 800-37. The process involves categorizing an information system, selecting the appropriate control baseline, implementing the selected controls, assessing their effectiveness, obtaining authorization to operate and continuously monitoring.

For many teams, the first step is identifying which baseline (Low, Moderate, or High) applies to their system and conducting a gap analysis to understand how their existing safeguards align with the selected requirements.

What is the latest version of NIST 800-53?

As of 2026, the latest version is NIST SP 800-53 Revision 5, published on September 23, 2020. More recently, NIST also released Rev. 5.2.0, and continues to maintain the catalog through periodic updates to reflect evolving threats, technologies and implementation practices. New system authorizations, FedRAMP assessments and FISMA audits are expected to reference Rev. 5 along with its subsequent updates, which are made available through the NIST Computer Security Resource Center.

Conclusion

NIST 800-53 is one of the most comprehensive security and privacy control catalogs available, with 1,189 controls across 20 families in its current Rev 5 release. It serves as the foundational reference point for FISMA, FedRAMP and DoD compliance, while its technology-neutral, outcome-based design also makes it equally valuable for private-sector organizations seeking a more structured security baseline.

Whether NIST 800-53 is mandatory for your organization or something you’re considering adopting as a best practice, taking the time to understand its structure, scope and relationship to other frameworks can help you make a more informed decision about next steps.

Ready to simplify NIST 800-53 compliance? Learn how Isora GRC can help you implement and track controls at scale.

This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
