NIST 800-53: Complete Guide [2026]

SaltyCloud Research Team

Updated Feb 17, 2026 | Read time: 19 min

NIST SP 800-53 Rev 5: Complete Guide

NIST SP 800-53 has 1,196 individual controls organized across 20 control families and is widely considered one of the most comprehensive security and privacy control catalogs available in 2026.

NIST 800-53 Rev 5, the most current version, has a widespread influence beyond the federal government into healthcare, financial services, and the private sector. Today, NIST 800-53 shapes how most organizations protect their information systems, from federal agencies to cloud service providers pursuing FedRAMP authorization, and universities managing federal research data.

To help security and risk practitioners get started with implementation, this guide explains what NIST 800-53 is, how the control catalog is structured, who must comply, and how it relates to other frameworks like NIST CSF, NIST 800-171, CMMC, and ISO 27001.

What Is NIST SP 800-53?

NIST Special Publication 800-53 is a catalog of security and privacy controls published by the National Institute of Standards and Technology (NIST). Specifically, it defines how U.S. federal agencies and government contractors should protect information systems under the Federal Information Security Modernization Act (FISMA). It also serves as the basis for FedRAMP, CMMC, and many private-sector security programs.

NIST SP 800-53 is a security and privacy catalog that defines how to protect information systems under FISMA, FedRAMP, CMMC, and other security programs.

Instead of a framework, maturity model, or compliance checklist, NIST 800-53 is a structured library of individual security and privacy requirements. Organizations can select and implement the controls they need from this catalog based on their risk profile and system categorization.

As of 2026, the catalog contains 1,196 security and privacy controls organized into 20 control families. These families cover technical, operational, and management requirements. Revision 5, published in September 2020, introduced integrated privacy controls and made every control technology-neutral. As a result, the catalog now applies to any type of system — not just traditional federal IT.

In practice, organizations preparing for authorization, pursuing federal contracts, or aligning with government security requirements must implement, document, and monitor NIST 800-53 controls. Doing so demonstrates compliance and helps manage system risk.

A Brief History of NIST 800-53

NIST first published 800-53 in 2005 as part of the FISMA Implementation Project. The goal was to give federal agencies a standardized set of security controls. Since then, NIST has released multiple versions to expand coverage and keep pace with modern threats.

  • Initial Release (2005): Established the first standardized control catalog for federal systems.
  • Revision 1 (2006): Expanded controls and added supplemental guidance.
  • Revision 2 (2007): Refined control structure and added application-level guidance.
  • Revision 3 (2009): Major expansion with priority codes and baseline allocations.
  • Revision 4 (2013): Added privacy controls in Appendix J and introduced overlays.
  • Revision 5 (2020): Integrated privacy controls into the main catalog, added the supply chain and PII families, and made controls outcome-based and technology-neutral.

Most recently, NIST introduced Rev 5.2 in 2025 to support secure software development. NIST published this update in response to EO 14306. The changes address software resiliency by design, developer testing, update management, and software integrity validation.

NIST 800-53 Rev 5.2.0 also introduces three entirely new controls:

  • Logging Syntax (SA-15): Defines an electronic format for recording security-related events to support better incident response.
  • Root Cause Analysis (SI-02(07)): Specifies conducting a review to find the root cause of an issue or failure with a software update, forming an action plan, and implementing it.
  • Design for Cyber Resiliency (SA-24): Recommends designing systems for survivability, meaning the ability to anticipate, withstand, respond to, and recover from attacks while maintaining critical functions.

For an updated version of NIST SP 800-53 with the complete set of changes in Revision 5.2, check out the Cybersecurity and Privacy Reference Tool (CPRT).

Who Publishes NIST 800-53 and Why?

The National Institute of Standards and Technology publishes NIST 800-53. NIST is a non-regulatory federal agency within the U.S. Department of Commerce. Unlike enforcement agencies, NIST does not audit organizations or penalize non-compliance. Instead, it develops standards, guidelines, and best practices that other agencies and organizations apply.

Congress originally enacted the Federal Information Security Modernization Act (FISMA) in 2002 and updated it in 2014. FISMA requires every federal agency to develop, document, and implement an information security program. To help agencies meet these responsibilities, NIST released Special Publication 800-53 in 2005.

Who Enforces NIST SP 800-53?

In federal environments, the Office of Management and Budget (OMB) holds oversight authority. OMB sets government-wide security policy for federal agencies. For example, OMB Circular A-130 directs federal agencies to implement the NIST Risk Management Framework (RMF) when selecting and managing their security and privacy controls.

Each agency’s Inspector General conducts annual FISMA audits to evaluate compliance. As a result, a clear chain emerges: Congress mandates security through FISMA, NIST provides the controls through 800-53, agencies implement controls through the RMF, and Inspectors General verify compliance through annual audits.

Agency leadership and designated security and privacy officials carry responsibility for implementation. This typically includes the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Senior Agency Official for Privacy (SAOP), system owners, and risk executives.

Before exploring the controls and baselines, however, organizations should first determine whether NIST 800-53 applies to their environment.

Who Must Comply with NIST 800-53?

Compliance with NIST SP 800-53 is mandatory for all U.S. federal agencies, organizations operating information systems on behalf of the federal government, and contractors handling federal data. However, many cloud service providers, private contractors, and organizations also align with 800-53 voluntarily to meet contractual obligations or broader security expectations.

For additional context, see this complete ISRM guide. In most cases, an organization’s NIST 800-53 scope falls into one of three categories: mandatory compliance, contractual requirements, or voluntary adoption.

Mandatory Compliance

The following organizations are legally or contractually required to implement NIST 800-53 controls:

  • All U.S. federal agencies must comply under FISMA. Every executive branch agency must categorize its information systems and implement the appropriate baseline controls.
  • Federal contractors and subcontractors handling federal information are bound by contract clauses (including DFARS and FAR provisions) that often require implementation or alignment with NIST 800-53 controls.
  • Cloud service providers seeking FedRAMP authorization must implement 800-53 controls at the relevant baseline level (Low, Moderate, or High) to receive an Authority to Operate (ATO).
  • Department of Defense (DoD) contractors are subject to DFARS requirements that trace back to NIST 800-53.

Effectively Required

Some organizations are not directly mandated to use NIST 800-53, but regulatory, funding or contractual conditions make alignment practically necessary:

Voluntary Adoption

Private-sector organizations have no legal obligation to implement NIST 800-53, but many adopt it voluntarily because it provides one of the most thorough and well-documented control catalogs available. Organizations preparing for ISO 27001 certification often find significant overlap, and companies in regulated industries like financial services and energy use 800-53 for prescriptive guidance that other frameworks lack.

NIST 800-53 Compliance by Organization Type

Organization Type               | Requirement Level    | Key Driver
--------------------------------|----------------------|-------------------------------
Federal agencies                | Mandatory            | FISMA
Federal contractors             | Mandatory            | Contract clauses (DFARS, FAR)
FedRAMP cloud providers         | Mandatory            | FedRAMP authorization
DoD contractors                 | Mandatory            | DFARS/CMMC
Higher education (federal data) | Effectively required | NIST 800-171/CUI requirements
Healthcare                      | Recommended          | HIPAA Security Rule mapping
Private sector                  | Voluntary            | Risk management best practice

Regardless of whether compliance is mandatory or voluntary, most organizations encounter NIST 800-53 alongside other frameworks. Understanding how they relate is key.

For the step-by-step compliance process, see our NIST 800-53 compliance guide. Practitioners may also find our NIST 800-53 risk assessment guide useful for the risk assessment stage.

Current Version: NIST 800-53 Revision 5

NIST 800-53 Revision 5 is the current and most comprehensive version of the control catalog. Published in September 2020, it was the first major update since Rev 4 was released in 2013, introducing significant changes that would reshape how organizations approach security and privacy compliance.

Today, NIST continues to maintain the catalog through periodic updates to reflect evolving threats, technologies and implementation practices.

Key Changes from Rev 4 to Rev 5

The transition from Rev 4 to Rev 5 brought five major changes:

  1. Privacy controls integrated into the main catalog. NIST moved privacy controls out of Appendix J and wove them throughout the catalog. This gave privacy equal standing with security controls and eliminated the siloed approach from earlier versions.
  2. Two new control families added. PT (Personally Identifiable Information Processing and Transparency) provides specific requirements for handling personally identifiable information. SR (Supply Chain Risk Management) addresses the growing threat of third-party and supply chain compromise.
  3. Control baselines moved to NIST SP 800-53B. The Low, Moderate, and High baselines are now maintained in a separate publication, allowing NIST to update baseline selections without revising the entire control catalog.
  4. Controls made outcome-based and technology-neutral. Rev 5 removed references to specific technologies and federal-only language. As a result, controls now apply to any type of system — cloud, on-premises, IoT, industrial control systems, or hybrid environments.
  5. State-of-practice controls added. New controls were introduced for areas including cyber resiliency, secure systems design, and governance. These reflect the evolving threat landscape and modern security architectures.

Organizations undergoing audits, pursuing FedRAMP authorization, or mapping controls for FISMA compliance should confirm they reference Revision 5. While some legacy systems may still use Rev 4 controls, all new authorizations should align with the current version.

In addition, NIST continues to maintain and update the control catalog. Organizations should monitor the NIST CSRC publication page for errata and clarifications.

Security and Privacy Controls

Starting with Revision 5, NIST 800-53 combines both security and privacy controls into a single, integrated catalog — eliminating the separate privacy appendix that existed in NIST 800-53 Rev 4. This change reflects a fundamental shift in how the federal government approaches information protection.

In previous versions, privacy controls lived in Appendix J. They served as supplementary guidance rather than core requirements. Rev 5 elevated privacy to first-class status by placing privacy controls alongside security controls throughout the catalog.

Several factors drove this integration. The EU’s General Data Protection Regulation (GDPR) raised global privacy expectations. State-level privacy laws expanded in the United States. In addition, updated OMB guidance now requires agencies to address both security and privacy together.

The unified catalog now addresses three dimensions of information protection:

  • Confidentiality, integrity, and availability — the traditional security triad
  • Individual privacy protections — ensuring that personally identifiable information (PII) is collected, used, and shared responsibly

Two new control families were added in Rev 5 to support this integration:

  • PT (Personally Identifiable Information Processing and Transparency) addresses how organizations handle personal information, including consent mechanisms and data minimization.
  • SR (Supply Chain Risk Management) addresses risks introduced by third-party suppliers, an increasingly critical concern given the prevalence of supply chain attacks.

NIST also significantly expanded Program Management (PM) to include privacy governance requirements. These additions cover privacy impact assessments, roles and responsibilities, and privacy reporting. As a result, organizations can now address both security and privacy requirements from a single, authoritative source.

How NIST 800-53 Controls Are Structured

NIST SP 800-53 organizes its 1,196 security and privacy controls into a three-tier hierarchy. The three levels are: 20 control families, 324 base controls, and control enhancements that add specificity.

Tier 1: Control Families

The 20 control families are the top-level groupings. Each family addresses a broad security or privacy domain and is identified by a two-letter code.

For example, AC stands for Access Control, AU stands for Audit and Accountability, and IR stands for Incident Response. Families range in size from 6 controls (Awareness and Training) to 51 controls (System and Communications Protection).

For a detailed breakdown of each family’s controls and requirements, see our NIST 800-53 control families guide.

Tier 2: Individual Controls

Within each family, individual controls define specific security or privacy requirements. Each control has a unique identifier combining the family code and a sequential number.

For example, AC-2 is the Account Management control within the Access Control family. AC-2 requires organizations to define, create, enable, modify, disable, and remove accounts in accordance with policy.

Tier 3: Control Enhancements

Control enhancements extend a base control with additional requirements or specificity. They are identified by the base control number followed by a parenthetical number.

For instance, AC-2(1) adds automated system account management to the base AC-2 control. It requires organizations to use automated mechanisms for managing accounts. However, not every base control has enhancements, and not every enhancement applies at every baseline level.

The 20 Control Families

The complete list of NIST 800-53 Rev 5 control families is as follows:

ID | Control Family Name                       | No. of Base Controls
---|-------------------------------------------|---------------------
AC | Access Control                            | 25
AT | Awareness and Training                    | 6
AU | Audit and Accountability                  | 16
CA | Assessment, Authorization, and Monitoring | 9
CM | Configuration Management                  | 14
CP | Contingency Planning                      | 13
IA | Identification and Authentication         | 13
IR | Incident Response                         | 10
MA | Maintenance                               | 7
MP | Media Protection                          | 8
PE | Physical and Environmental Protection     | 23
PL | Planning                                  | 11
PM | Program Management                        | 32
PS | Personnel Security                        | 9
PT | PII Processing and Transparency           | 8
RA | Risk Assessment                           | 10
SA | System and Services Acquisition           | 24
SC | System and Communications Protection      | 51
SI | System and Information Integrity          | 23
SR | Supply Chain Risk Management              | 12
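To make the three-tier identifier scheme concrete, here is an added example (not code from the guide, from SaltyCloud, or from NIST) that parses control identifiers into family code, base number and enhancement, normalises mixed spellings such as SI-02(07) and SI-2(7) so that assessment evidence lists can be deduplicated, and checks that the per-family counts in the table above add up to the 324 base controls the guide cites. The family table is copied from the guide; the function names are my own.

```python
"""Parser and normaliser for NIST SP 800-53 control identifiers (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Family code -> (family name, number of base controls), copied from the guide's table.
FAMILIES = {
    "AC": ("Access Control", 25),
    "AT": ("Awareness and Training", 6),
    "AU": ("Audit and Accountability", 16),
    "CA": ("Assessment, Authorization, and Monitoring", 9),
    "CM": ("Configuration Management", 14),
    "CP": ("Contingency Planning", 13),
    "IA": ("Identification and Authentication", 13),
    "IR": ("Incident Response", 10),
    "MA": ("Maintenance", 7),
    "MP": ("Media Protection", 8),
    "PE": ("Physical and Environmental Protection", 23),
    "PL": ("Planning", 11),
    "PM": ("Program Management", 32),
    "PS": ("Personnel Security", 9),
    "PT": ("PII Processing and Transparency", 8),
    "RA": ("Risk Assessment", 10),
    "SA": ("System and Services Acquisition", 24),
    "SC": ("System and Communications Protection", 51),
    "SI": ("System and Information Integrity", 23),
    "SR": ("Supply Chain Risk Management", 12),
}

# Accepts "AC-2", "AC-2(1)", "SI-02(07)" and lower-case variants. Leading zeros are
# tolerated because tools and documents write the same control both ways.
_ID_RE = re.compile(r"^\s*([A-Za-z]{2})-(\d{1,3})(?:\((\d{1,3})\))?\s*$")


@dataclass(frozen=True)
class ControlId:
    family: str                          # tier 1: two-letter family code, e.g. "AC"
    number: int                          # tier 2: sequential base-control number
    enhancement: Optional[int] = None    # tier 3: parenthetical enhancement, if any

    @property
    def base(self) -> str:
        """Identifier of the base control this id belongs to, e.g. AC-2 for AC-2(1)."""
        return f"{self.family}-{self.number}"

    def __str__(self) -> str:
        return self.base + (f"({self.enhancement})" if self.enhancement is not None else "")


def parse_control_id(text: str) -> ControlId:
    """Parse and normalise one identifier; raise ValueError if it is malformed."""
    m = _ID_RE.match(text)
    if not m:
        raise ValueError(f"not a NIST 800-53 control identifier: {text!r}")
    family = m.group(1).upper()
    if family not in FAMILIES:
        raise ValueError(f"unknown control family {family!r} in {text!r}")
    number = int(m.group(2))
    enhancement = int(m.group(3)) if m.group(3) is not None else None
    if number == 0 or enhancement == 0:
        raise ValueError(f"control and enhancement numbers start at 1: {text!r}")
    return ControlId(family, number, enhancement)


def is_valid_control_id(text: str) -> bool:
    """Boolean wrapper around parse_control_id for filtering questionnaire input."""
    try:
        parse_control_id(text)
        return True
    except ValueError:
        return False


def normalise_ids(ids: Iterable[str]) -> List[ControlId]:
    """Deduplicate identifiers written in mixed styles; sort by family, base, enhancement."""
    unique = {parse_control_id(t) for t in ids}
    return sorted(unique, key=lambda c: (c.family, c.number, c.enhancement or 0))


def family_name(code: str) -> str:
    return FAMILIES[code.upper()][0]


def total_base_controls() -> int:
    """Sum of the per-family counts; the guide states the catalog has 324 base controls."""
    return sum(count for _, count in FAMILIES.values())


if __name__ == "__main__":
    # Constructed sample: identifiers as they might arrive from several evidence spreadsheets.
    sample = ["SI-02(07)", "si-2(7)", "AC-2(1)", "AC-2", "SA-24"]
    for cid in normalise_ids(sample):
        print(f"{cid:<10} {family_name(cid.family)}")
    print("base controls in table:", total_base_controls())
```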

The Control Baselines

Beyond the control catalog itself, NIST defines three predefined baselines: Low, Moderate, and High. Each baseline specifies which controls to apply based on the potential impact of a confidentiality, integrity, or availability compromise.

Organizations use FIPS 199 to evaluate potential impact and then select the appropriate baseline. A Low-baseline system requires fewer controls, while a High-baseline system requires the most extensive set. In NIST 800-53:

  • Low baseline: approximately 149 controls
  • Moderate baseline: approximately 287 controls
  • High baseline: approximately 370 controls

In Revision 5, NIST relocated the baselines to a separate companion document: NIST SP 800-53B. As a result, NIST can update baseline assignments as risks evolve — without revising the entire control catalog.

NIST 800-53 vs Other Frameworks

NIST 800-53 connects to, overlaps with, and feeds into several other major security and compliance frameworks. For organizations managing multiple compliance requirements, understanding these relationships helps avoid duplicated effort and clarifies where 800-53 fits in the broader landscape.

NIST CSF (Cybersecurity Framework)

The NIST Cybersecurity Framework is a voluntary, outcome-based risk management framework that describes security functions at a high level: Govern, Identify, Protect, Detect, Respond, and Recover. NIST 800-53 provides the detailed, prescriptive controls that map to CSF subcategories. Many organizations use CSF as the “what” (what outcomes do we need?) and 800-53 as the “how” (how do we achieve those outcomes?). Organizations using NIST CSF compliance tools often find they need to reference 800-53 for implementation details.

NIST 800-171

NIST 800-171 derives directly from NIST SP 800-53. It includes a tailored set of 110 controls for protecting Controlled Unclassified Information (CUI) in non-federal systems. Consequently, DoD contractors and research institutions handling federally funded data often must implement 800-171.

CMMC (Cybersecurity Maturity Model Certification)

CMMC builds on the requirements defined in NIST 800-171, which also derives from NIST 800-53. Beyond technical safeguards, CMMC introduces maturity levels and requires independent third-party assessments for DoD contractors. Because of this lineage, many CMMC practices trace back to controls originally defined in NIST SP 800-53.

ISO 27001

ISO/IEC 27001 is an internationally recognized standard for establishing an Information Security Management System (ISMS). Its Annex A controls often align in intent with those found in NIST 800-53. However, the two serve distinct purposes. ISO 27001 supports certification through an audit process, while NIST 800-53 helps organizations select and implement controls based on system impact and risk exposure.

To map ISO/IEC 27001 requirements to NIST SP 800-53 controls directly, organizations can use the official crosswalk.

RMF (NIST 800-37)

The Risk Management Framework (RMF), defined in NIST SP 800-37, outlines a six-step process for selecting, implementing, assessing, authorizing, and monitoring 800-53 controls. In short, the RMF answers “how do I use the catalog?” while 800-53 answers “what controls are available?”

For risk management at the organizational level, see NIST 800-39 risk management.

Other Frameworks vs NIST 800-53

Framework         | Scope                                  | Relationship to 800-53                  | Mandatory For
------------------|----------------------------------------|-----------------------------------------|-------------------------------------------
NIST CSF          | Risk management framework              | Complementary (CSF maps to 800-53)      | Voluntary
NIST 800-171      | CUI protections in non-federal systems | Derived from 800-53 (subset)            | DoD contractors and federal subcontractors
CMMC              | DoD supply chain security              | Built on 800-171 (derived from 800-53)  | DoD contractors
ISO 27001         | International ISMS standard            | Overlapping but independent             | Voluntary
NIST 800-37 (RMF) | Risk management process                | Process for implementing 800-53         | Federal agencies

How to Simplify NIST 800-53

Managing 1,196 controls across 20 families is complex. This is especially true when multiple departments, systems, and compliance timelines are involved. NIST 800-53 compliance solutions give security teams one shared workspace purpose-built for assessments, risk management, and compliance reporting. With Isora GRC, organizations can simplify:

Assessment Management: Organize assessments by compliance goal and distribute NIST 800-53 questionnaires to unit-level owners across your organization. Track completion rates in real time — across departments, campuses, or business units — instead of chasing responses through email chains and spreadsheets.

Questionnaires & Surveys: Use pre-built questionnaires for NIST 800-53 or customize question sets to match your organization’s specific baseline and tailoring decisions. Unit owners attach evidence directly within their responses, building an audit trail without scattered files or manual coordination.

Reports & Scorecards: Generate compliance scorecards and status reports for leadership, auditors, and federal oversight bodies. Automated scoring and category comparisons give your team the documentation needed for FISMA audits, FedRAMP assessments, or internal governance reviews.

Isora GRC is the collaborative GRC Assessment Platform™ for structure, clarity and real-time visibility into how security teams manage NIST SP 800-53 compliance.

Key Takeaways

NIST 800-53 is one of the most comprehensive security and privacy control catalogs available, with 1,196 controls across 20 families in its current Rev 5 release. It serves as the foundational reference point for FISMA, FedRAMP and DoD compliance, while its technology-neutral, outcome-based design also makes it equally valuable for private-sector organizations seeking a more structured security baseline.

Whether NIST 800-53 is mandatory for your organization or something you are considering adopting as a best practice, taking the time to understand its structure, scope and relationship to other frameworks can help you make a more informed decision about next steps.

Next, explore the control families in more detail, review what changed in Rev. 5, or follow our step-by-step compliance guide, based on your program’s needs.

Ready to simplify NIST 800-53 compliance? Learn how Isora GRC helps organizations implement and track controls at scale.

NIST 800-53 FAQs

What is NIST 800-53?

NIST 800-53 is a security and privacy controls catalog published by the National Institute of Standards and Technology. Organized into 20 control families, it provides the standard control set for protecting federal information systems under FISMA. The most current version, Revision 5, was published in September 2020. Unlike previous versions, it integrates both security and privacy controls in a single catalog.

How many controls are in NIST 800-53?

NIST 800-53 Rev. 5 contains 1,196 individual controls organized across 20 control families. Each control can have multiple enhancements that add specificity or tailor the requirement to specific environments. Because of this, the actual number of controls an organization implements depends on the selected baseline. The system’s impact level, as defined in NIST SP 800-53B, determines whether it qualifies as Low, Moderate, or High.

Is NIST 800-53 mandatory?

Under FISMA, NIST 800-53 is mandatory for all U.S. federal agencies. It also applies to organizations that process, store, or transmit federal data. This includes FedRAMP cloud service providers and DoD contractors subject to DFARS requirements. However, many private-sector organizations adopt 800-53 voluntarily as a best-practice framework.

What is the difference between NIST 800-53 and 800-171?

NIST 800-171 defines a tailored subset of 110 controls designed to protect Controlled Unclassified Information (CUI) in non-federal systems. NIST 800-53 contains 1,196 controls for federal information systems, from which the curated selection of 800-171 controls was derived.

What is the difference between NIST 800-53 and NIST CSF?

The NIST Cybersecurity Framework (CSF) is a voluntary risk management framework that describes desired security outcomes at a high level. NIST 800-53, on the other hand, is a prescriptive catalog of specific, implementable controls. Organizations often use NIST CSF to identify which security outcomes they need to achieve and then use 800-53 to determine exactly which controls to implement to achieve them.

What are the 20 control families in NIST 800-53?

The 20 control families in 800-53 are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization, and Monitoring (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Personnel Security (PS), Personally Identifiable Information Processing and Transparency (PT), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI) and Supply Chain Risk Management (SR).

What changed in NIST 800-53 Rev 5?

NIST published NIST 800-53 Rev. 5 on September 23, 2020, introducing five major changes. First, NIST integrated privacy controls into the main catalog rather than maintaining them in a separate appendix. Second, two new control families were added: PT (PII Processing and Transparency) and SR (Supply Chain Risk Management). Third, NIST moved control baselines to a separate publication, NIST SP 800-53B. Fourth, all controls shifted to outcome-based and technology-neutral language. Finally, the revision introduced state-of-practice controls for cyber resiliency and secure systems design.

Does NIST 800-53 apply to cloud environments?

Yes, NIST 800-53 applies to all federal information systems regardless of where they are hosted, whether on-premises, in the cloud, or across hybrid or multi-cloud environments. FedRAMP specifically requires cloud service providers to implement 800-53 controls at the appropriate baseline level (Low, Moderate, or High) to receive an Authority to Operate (ATO). The technology-neutral language in Rev. 5 also makes the controls directly applicable to modern cloud architectures.

How do I implement NIST 800-53?

NIST SP 800-53 implementation follows the Risk Management Framework (RMF) defined in NIST SP 800-37. The process involves categorizing your information system, selecting the appropriate control baseline, and implementing the selected controls. After that, organizations assess control effectiveness, obtain authorization to operate, and continuously monitor.

For many teams, the first step is identifying which baseline applies. From there, a gap analysis helps reveal how existing safeguards align with the selected requirements.

What is the latest version of NIST 800-53?

As of 2026, the latest version is NIST SP 800-53 Revision 5, published on September 23, 2020. Most recently, NIST released Rev. 5.2, and continues to maintain the catalog through periodic updates to reflect evolving threats, technologies and implementation practices.

As a result, new system authorizations, FedRAMP assessments, and FISMA audits should reference Rev. 5 and its subsequent updates. These are available through the NIST Computer Security Resource Center, where you can access the full publication.

This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
