NIST 800-53 Controls: The Complete Guide [2026]

SaltyCloud Research Team

Updated May 7, 2026 | Read time: 10 min

NIST 800-53 Controls: The Complete List and How They Work

NIST 800-53 contains 1,196 security and privacy controls organized across 20 control families, making it one of the most comprehensive security control catalogs available. NIST 800-53 controls are central to Federal Information Security Modernization Act (FISMA) compliance, Federal Risk and Authorization Management Program (FedRAMP) authorization, and voluntary adoption by organizations aligning to the National Institute of Standards and Technology (NIST) framework.

For a foundational overview, start with the complete guide to NIST 800-53. This article dives deeper into the controls themselves: how they’re structured, how many there are, how baselines determine which ones apply, and how to navigate the full catalog.

What Are NIST 800-53 Controls?

A NIST 800-53 control is a specific safeguard or countermeasure that an organization implements to protect the confidentiality, integrity, and availability of its information systems and data. Controls serve as the building blocks of the entire NIST 800-53 framework, helping translate high-level security objectives into concrete, actionable requirements.

NIST 800-53 controls are the individual security and privacy safeguards defined in NIST Special Publication 800-53 Rev 5. The catalog contains 1,196 controls organized across 20 families, covering areas from access control to supply chain risk management. Organizations select controls based on their system’s impact level and relevant regulatory or contractual compliance requirements.

Each control has a unique identifier combining a two-letter family code with a sequential number. AC-2, for example, refers to Account Management within the Access Control (AC) family. Controls can also include enhancements, which are more specific requirements that build on a base control. AC-2(1), Automated Account Management, extends AC-2 by adding requirements for automated account provisioning and deprovisioning.

Controls sit within a three-level hierarchy. Families are the 20 top-level groupings that organize controls by domain, such as access control, audit, or incident response. Baselines are the predefined sets of controls NIST recommends based on a system’s impact level. Controls themselves are the individual requirements within those families that organizations select through the appropriate baseline.

How NIST 800-53 Controls Are Structured

The NIST 800-53 control catalog is organized into a four-level hierarchy. At the top is the full catalog. Beneath it are 20 control families. Within each family are base controls that establish specific requirements, and where applicable, those base controls include control enhancements.

Level 1: The Catalog

NIST Special Publication 800-53 Revision 5 (Rev 5) houses every security and privacy control. Published in September 2020 and most recently updated with NIST 800-53 Release 5.2.0 in August 2025, it is the authoritative source organizations reference when selecting, implementing, and assessing controls. SP 800-53A defines the companion assessment procedures for verifying control implementation.

Level 2: Control Families (20)

The catalog organizes controls into 20 NIST 800-53 control families, each identified by a two-letter code. These families group related controls by security or privacy domain. For example, AC represents Access Control, IR represents Incident Response, and the newer SR family represents Supply Chain Risk Management. Rev 5 introduced two families that did not exist in Rev 4: PT (PII Processing and Transparency) and SR (Supply Chain Risk Management).

Level 3: Base Controls

Base controls define the core security or privacy requirements within each family. Each has a unique identifier such as AC-1 or IR-4, a title, and a formal control statement describing what the organization must implement. Supplemental guidance explains the intent and references related controls elsewhere in the catalog.

Level 4: Control Enhancements

Control enhancements extend a base control by adding specificity or increasing rigor. They are numbered in parentheses beneath the base control, such as AC-2(1) or AC-2(2). Enhancements are applied primarily to Moderate or High impact systems where additional safeguards are necessary. That said, not every base control has enhancements, and not every enhancement applies at every baseline level.

Control Structure Example

| Level | Example | Description |
| --- | --- | --- |
| Catalog | NIST SP 800-53 Rev 5 | Full publication, 1,196 controls |
| Family | AC (Access Control) | One of 20 top-level groupings |
| Base Control | AC-2 (Account Management) | Specific requirement within AC |
| Enhancement | AC-2(1) (Automated Account Management) | Granular requirement within AC-2 |

How Many Controls Are in NIST 800-53?

NIST 800-53 Rev 5 contains 1,196 security and privacy controls, including both base controls and control enhancements, across 20 control families.

This represents an increase from Rev 4, which contained approximately 965 controls across 18 families. Rev 5 added two new control families — PT (PII Processing and Transparency) with 8 base controls and SR (Supply Chain Risk Management) with 12 base controls — and expanded requirements across existing families to address cloud, supply chain, and privacy risks.

The 1,196 figure includes both base controls and their enhancements. Base controls alone total far fewer. The AC family, for example, has 22 base controls, but multiple enhancements per control push the family’s total well beyond that.

Not all 1,196 controls apply to every organization. Applicability depends on a system’s impact level and associated risk. NIST defines three control baselines (Low, Moderate, and High) to establish the minimum set of required controls based on impact level. Most organizations implement a subset of the full catalog tailored to their risk profile and compliance requirements.

To understand how this works in practice, it is necessary to look more closely at the three baselines.

NIST 800-53 Control Baselines: Low, Moderate, and High

NIST SP 800-53B defines three control baselines: Low, Moderate, and High. Each specifies the minimum set of controls aligned to a system’s impact level. These baselines serve as the starting point for selecting required controls.

How Control Baselines Work

Baselines are published in a companion document, NIST SP 800-53B, which is maintained separately from the main 800-53 catalog. A system’s impact level is determined through security categorization under FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems), using information type mappings from SP 800-60 to evaluate the potential impact of a security breach across three objectives: confidentiality, integrity, and availability.

The three baselines correspond to three impact levels:

  • Low baseline (149 controls). Applies to systems where a breach would cause limited adverse impact. Public-facing websites and internal systems handling routine, non-sensitive administrative data are typical examples of low-impact systems.
  • Moderate baseline (287 controls). Applies to systems where a breach would cause serious adverse impact. This is the most common baseline for federal information systems, and is also used for FedRAMP Moderate authorizations. University research data systems and most agency operational systems fall within this category.
  • High baseline (370 controls). Applies to systems where a breach would cause severe or catastrophic impact. National security systems (subject to additional overlay requirements under CNSSI 1253), critical infrastructure, and systems processing classified information generally fall within the High impact category.

Baseline Selection and Tailoring

Organizations select their baseline through the Risk Management Framework (RMF) process defined in NIST SP 800-37, as required by FISMA and OMB Circular A-130. From there, they tailor their control sets based on system-specific risks, either adding controls beyond the baseline or removing controls with documented justification supported by their risk assessment guide.

FedRAMP builds on the same NIST 800-53 control baselines but applies specific parameter values and additional requirements. A FedRAMP Moderate authorization, for example, starts with the 287 Moderate baseline controls and layers on FedRAMP-defined parameter values and additional requirements.

Baselines at a Glance

| Baseline | Impact Level | Controls | Example Use Case |
| --- | --- | --- | --- |
| Low | Limited | 149 | Public-facing websites, non-sensitive data |
| Moderate | Serious | 287 | Most federal systems, university research data |
| High | Severe/Catastrophic | 370 | National security, critical infrastructure |

Baseline Progression by Family (Sample)

The table below shows how control counts increase across baselines for five representative families. As impact level rises, more controls and enhancements are required in each domain.

| Family | Low | Moderate | High |
| --- | --- | --- | --- |
| AC (Access Control) | 11 | 39 | 46 |
| AU (Audit and Accountability) | 10 | 16 | 25 |
| IA (Identification and Authentication) | 16 | 24 | 26 |
| SC (System and Comms Protection) | 10 | 25 | 30 |
| SI (System and Information Integrity) | 6 | 18 | 28 |

The Complete NIST 800-53 Control Reference

The table below provides a summary reference of NIST 800-53 Rev 5 controls organized by family. Use it to quickly identify how many base controls each family contains, how the family aligns with the Low, Moderate, and High baselines, and where implementation effort is likely to concentrate.

| Family | Name | Range | Base Controls | In Low? | In Moderate? | In High? |
| --- | --- | --- | --- | --- | --- | --- |
| AC | Access Control | AC-1 to AC-25 | 22 | Yes | Yes | Yes |
| AT | Awareness and Training | AT-1 to AT-6 | 5 | Yes | Yes | Yes |
| AU | Audit and Accountability | AU-1 to AU-16 | 15 | Yes | Yes | Yes |
| CA | Assessment, Auth, Monitoring | CA-1 to CA-9 | 8 | Yes | Yes | Yes |
| CM | Configuration Management | CM-1 to CM-14 | 14 | Yes | Yes | Yes |
| CP | Contingency Planning | CP-1 to CP-13 | 12 | Yes | Yes | Yes |
| IA | Identification and Auth | IA-1 to IA-12 | 12 | Yes | Yes | Yes |
| IR | Incident Response | IR-1 to IR-9 | 9 | Yes | Yes | Yes |
| MA | Maintenance | MA-1 to MA-7 | 7 | Yes | Yes | Yes |
| MP | Media Protection | MP-1 to MP-8 | 8 | Yes | Yes | Yes |
| PE | Physical and Env Protection | PE-1 to PE-23 | 22 | Yes | Yes | Yes |
| PL | Planning | PL-1 to PL-11 | 8 | Yes | Yes | Yes |
| PM | Program Management | PM-1 to PM-32 | 32 | Org-wide | Org-wide | Org-wide |
| PS | Personnel Security | PS-1 to PS-9 | 9 | Yes | Yes | Yes |
| PT | PII Processing | PT-1 to PT-8 | 8 | Privacy | Privacy | Privacy |
| RA | Risk Assessment | RA-1 to RA-10 | 9 | Yes | Yes | Yes |
| SA | System and Services Acq | SA-1 to SA-23 | 16 | Yes | Yes | Yes |
| SC | System and Comms Protection | SC-1 to SC-51 | 47 | Yes | Yes | Yes |
| SI | System and Info Integrity | SI-1 to SI-23 | 22 | Yes | Yes | Yes |
| SR | Supply Chain Risk Mgmt | SR-1 to SR-12 | 12 | Yes | Yes | Yes |

Three families warrant an extra look:

  • The PM (Program Management) family applies organization-wide rather than at the system level, so it sits outside the Low/Moderate/High baseline structure.
  • The PT (PII Processing and Transparency) family applies based on the organization’s privacy requirements, not system impact categorization.
  • The SC (System and Communications Protection) family is the largest, with 47 base controls and numerous enhancements.
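As an added example (not code from the article or from SaltyCloud), the snippet below turns two things the article describes into working code: it parses control identifiers of the form family code, sequential number and optional parenthesised enhancement (AC-2, AC-2(1)), validating the family code and base-control number against the ranges in the reference table above, and it derives a system's impact level from its confidentiality, integrity and availability ratings and returns the matching baseline size. The "highest of the three objectives" rule used for the impact level is the FIPS 200 high-water mark, which the article does not spell out; the baseline counts are the article's own figures.

```python
"""Parse NIST SP 800-53 Rev 5 control IDs and derive a FIPS 199 impact level.

Added example; family ranges and baseline sizes are taken from the article's tables.
"""
import re
from typing import NamedTuple, Optional

# Family code -> highest base-control number in the article's "Range" column.
FAMILY_MAX = {
    "AC": 25, "AT": 6, "AU": 16, "CA": 9, "CM": 14, "CP": 13, "IA": 12,
    "IR": 9, "MA": 7, "MP": 8, "PE": 23, "PL": 11, "PM": 32, "PS": 9,
    "PT": 8, "RA": 10, "SA": 23, "SC": 51, "SI": 23, "SR": 12,
}
# Baseline sizes as the article reports them from NIST SP 800-53B.
BASELINE_CONTROLS = {"low": 149, "moderate": 287, "high": 370}
LEVELS = ("low", "moderate", "high")  # ordered from least to most severe
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


class ControlId(NamedTuple):
    family: str
    number: int
    enhancement: Optional[int]  # None for a base control such as AC-2


def parse_control_id(text: str) -> ControlId:
    """Parse 'AC-2' or 'AC-2(1)'; reject unknown families and out-of-range numbers."""
    m = CONTROL_ID.match(text.strip().upper())
    if not m:
        raise ValueError(f"malformed control identifier: {text!r}")
    family, number, enh = m.group(1), int(m.group(2)), m.group(3)
    if family not in FAMILY_MAX:
        raise ValueError(f"unknown control family: {family}")
    if not 1 <= number <= FAMILY_MAX[family]:
        raise ValueError(f"{family}-{number} is outside {family}-1 to {family}-{FAMILY_MAX[family]}")
    return ControlId(family, number, int(enh) if enh else None)


def system_impact_level(confidentiality: str, integrity: str, availability: str) -> str:
    """High-water mark (FIPS 200, an assumption not stated in the article):
    the system's impact level is the highest of its three objective ratings."""
    ratings = [r.lower() for r in (confidentiality, integrity, availability)]
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"impact rating must be one of {LEVELS}, got {r!r}")
    return max(ratings, key=LEVELS.index)


def baseline_size(confidentiality: str, integrity: str, availability: str) -> int:
    """Number of baseline controls for the system's derived impact level."""
    return BASELINE_CONTROLS[system_impact_level(confidentiality, integrity, availability)]


if __name__ == "__main__":
    print(parse_control_id("AC-2(1)"))
    print(system_impact_level("low", "moderate", "low"), baseline_size("low", "moderate", "low"))
```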

Key Takeaways

NIST 800-53 Rev 5 gives organizations a catalog of 1,196 security and privacy controls, organized across 20 families and filtered through three baselines: Low (149 controls), Moderate (287 controls), and High (370 controls). For many organizations, understanding the four-level hierarchy—catalog, families, base controls, and enhancements—is the first step toward effective implementation.

For a comprehensive introduction to the framework, explore the complete guide to NIST 800-53. Tools like Isora GRC are built specifically for security teams managing NIST 800-53 compliance.

NIST 800-53 Controls FAQs

How many controls are in NIST 800-53?

NIST 800-53 Rev 5 contains 1,196 security and privacy controls, including both base controls and control enhancements, organized across 20 control families. This is an increase from approximately 965 controls across 18 families in Rev 4.

What is the difference between a control and a control enhancement?

A base control is a specific requirement, such as AC-2 (Account Management). A control enhancement adds specificity or rigor to that base requirement. In this example, AC-2(1) (Automated Account Management) extends AC-2 by requiring automated mechanisms to support account management. Higher impact baselines typically require more enhancements.

What are the NIST 800-53 control baselines?

NIST SP 800-53B defines three control baselines: Low (149 controls), Moderate (287 controls), and High (370 controls). Organizations select the appropriate baseline based on the system’s impact level as determined through FIPS 199 security categorization.

Is there a free NIST 800-53 controls spreadsheet?

Yes. NIST provides an official interactive catalog with all 1,196 controls, including family, title, control text, and baseline assignments.

Do all 1,196 controls apply to every organization?

No. A system's impact level (Low, Moderate, or High) is determined through FIPS 199 security categorization, and NIST SP 800-53B is then used to decide which controls apply at that level. A Low-impact system requires 149 controls, a Moderate-impact system requires 287, and a High-impact system requires 370. Additional tailoring is allowed based on risk assessment.

What is the most common baseline?

Moderate, which requires 287 controls. Most federal information systems are categorized at the Moderate impact level. FedRAMP Moderate is also the most common cloud authorization level for service providers selling to federal agencies.

How often are NIST 800-53 controls updated?

NIST updates the 800-53 catalog periodically, though there is no fixed schedule. Rev 5 was published in September 2020, followed by incremental updates in Rev 5.2.0 in August 2025. Ongoing updates are published through the NIST Computer Security Resource Center (CSRC). For a full breakdown of what changed in Rev 5, see our NIST 800-53 Rev 4 vs Rev 5 guide.

This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
