{"id":64,"date":"2026-03-26T09:29:25","date_gmt":"2026-03-26T16:29:25","guid":{"rendered":"https:\/\/www-geek.com\/?page_id=64"},"modified":"2026-03-26T09:34:08","modified_gmt":"2026-03-26T16:34:08","slug":"800-53","status":"publish","type":"page","link":"https:\/\/www-geek.com\/index.php\/800-53\/","title":{"rendered":"800-53"},"content":{"rendered":"\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n<title>NIST SP 800-53 \u2014 Security and Privacy Controls<\/title>\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=IBM+Plex+Mono:wght@400;600;700&#038;family=Barlow+Condensed:wght@300;400;600;700;800&#038;family=Barlow:wght@300;400;500;600&#038;display=swap\" rel=\"stylesheet\">\n<style>\n:root {\n  --bg:#080c14;--surf:#0d1420;--surf2:#111b2e;--border:#1e2f4a;--border2:#263d5e;\n  --cyan:#00d8f0;--amber:#ffb300;--green:#00cc70;--red:#e84848;--purple:#8866ff;\n  --blue:#1a7fd4;--teal:#00b4a8;\n  --text:#f0f4ff;--text2:#b8cce0;--text3:#6e8fa8;\n  --mono:'IBM Plex Mono',monospace;--cond:'Barlow Condensed',sans-serif;--body:'Barlow',sans-serif;\n}\n*{margin:0;padding:0;box-sizing:border-box;}\nhtml,body{height:100%;overflow:hidden;background:var(--bg);color:var(--text);font-family:var(--body);-webkit-font-smoothing:antialiased;}\n.app{display:flex;height:100vh;overflow:hidden;}\n.sidebar{width:232px;min-width:232px;background:var(--surf);border-right:1px solid var(--border);display:flex;flex-direction:column;overflow:hidden;}\n.sb-hdr{padding:22px 18px 16px;border-bottom:1px solid var(--border);flex-shrink:0;}\n.sb-logo{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.2em;color:var(--cyan);text-transform:uppercase;margin-bottom:6px;}\n.sb-title{font-family:var(--cond);font-size:20px;font-weight:800;color:#fff;line-height:1.1;}\n.sb-sub{font-size:10px;color:var(--text3);margin-top:4px;line-height:1.5;}\n.sb-fsize{padding:10px 18px 
12px;border-bottom:1px solid var(--border);flex-shrink:0;display:flex;align-items:center;gap:10px;flex-wrap:wrap;}\n.fsize-label{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;text-transform:uppercase;color:var(--text3);}\n.fsize-btns{display:flex;gap:4px;}\n.fsz{background:var(--surf2);border:1px solid var(--border2);color:var(--text2);font-family:var(--mono);font-size:10px;font-weight:700;padding:3px 7px;cursor:pointer;border-radius:2px;transition:background .1s,color .1s;line-height:1;}\n.fsz:hover{background:var(--border2);color:var(--text);}\n.theme-btn{margin-left:auto;background:var(--surf2);border:1px solid var(--border2);color:var(--text2);font-family:var(--mono);font-size:10px;font-weight:700;padding:3px 9px;cursor:pointer;border-radius:2px;transition:background .1s,color .1s;line-height:1;white-space:nowrap;}\n.theme-btn:hover{background:var(--border2);color:var(--text);}\nnav{flex:1;overflow-y:auto;padding-bottom:16px;}\n.ng{padding:16px 0 4px;}\n.ngl{font-family:var(--cond);font-size:13px;font-weight:800;letter-spacing:.12em;text-transform:uppercase;color:var(--cyan);padding:4px 18px 8px;display:block;border-bottom:1px solid var(--border2);}\n.ni{display:flex;align-items:center;gap:9px;padding:7px 18px 7px 20px;cursor:pointer;font-size:13px;font-family:var(--body);color:var(--text);transition:background .1s,color .1s;border-left:2px solid transparent;line-height:1.3;}\n.ni:hover{background:var(--surf2);color:var(--text);}\n.ni.active{color:var(--cyan);border-left-color:var(--cyan);background:rgba(0,216,240,.08);}\n.nd{width:5px;height:5px;border-radius:50%;background:var(--border2);flex-shrink:0;transition:background .1s;}\n.ni.active .nd,.ni:hover .nd{background:currentColor;}\n.ni-ext{font-size:9px;color:var(--text3);}\n.sb-copy{padding:10px 18px 14px;font-family:var(--mono);font-size:9px;color:var(--text3);letter-spacing:.06em;flex-shrink:0;border-top:1px solid 
var(--border);}\n.main{flex:1;overflow-y:auto;background:var(--bg);}\n.panel{display:none;padding:36px 52px 72px;max-width:960px;}\n.panel.active{display:block;animation:fi .18s ease;}\n@keyframes fi{from{opacity:0;transform:translateY(10px)}to{opacity:1;transform:translateY(0)}}\n.p-eye{font-family:var(--mono);font-size:9px;font-weight:700;letter-spacing:.18em;text-transform:uppercase;color:var(--cyan);margin-bottom:10px;display:flex;align-items:center;gap:8px;}\n.p-eye::before{content:'';width:22px;height:2px;background:var(--cyan);}\n.p-title{font-family:var(--cond);font-size:46px;font-weight:800;color:#fff;line-height:1;margin-bottom:6px;}\n.p-title span{color:var(--cyan);}\n.p-sub{font-family:var(--cond);font-size:17px;font-weight:300;color:var(--text2);margin-bottom:28px;letter-spacing:.04em;}\n.divider{height:1px;background:var(--border);margin:24px 0;}\n.prose{font-size:13.5px;line-height:1.75;color:var(--text2);}\n.prose+.prose{margin-top:12px;}\n.prose strong{color:var(--text);font-weight:600;}\n.prose code{font-family:var(--mono);font-size:11.5px;color:var(--cyan);background:rgba(0,216,240,.08);padding:1px 5px;border-radius:2px;}\nh3{font-family:var(--cond);font-size:19px;font-weight:700;color:#fff;margin:26px 0 11px;letter-spacing:.03em;}\n.cg{display:grid;gap:8px;}\n.cg2{grid-template-columns:1fr 1fr;}\n.cg3{grid-template-columns:1fr 1fr 1fr;}\n.cg4{grid-template-columns:1fr 1fr 1fr 1fr;}\n.card{background:var(--surf);border:1px solid var(--border);padding:15px 16px;}\n.cnum{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;color:var(--text3);margin-bottom:6px;}\n.ctitle{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:6px;line-height:1.2;}\n.ctext{font-size:11.5px;line-height:1.58;color:var(--text2);}\n.family-card{background:var(--surf);border:1px solid var(--border);padding:14px 16px;cursor:pointer;transition:background .12s,border-color 
.12s;}\n.family-card:hover{background:var(--surf2);border-color:var(--border2);}\n.fc-id{font-family:var(--mono);font-size:18px;font-weight:700;margin-bottom:4px;}\n.fc-name{font-family:var(--cond);font-size:13px;font-weight:700;color:#fff;margin-bottom:5px;line-height:1.2;}\n.fc-count{font-family:var(--mono);font-size:9px;color:var(--text3);}\n.sr{display:flex;align-items:flex-start;gap:12px;background:var(--surf);border:1px solid var(--border);padding:12px 14px;margin-bottom:6px;}\n.st{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.12em;padding:2px 7px;border-radius:2px;flex-shrink:0;margin-top:2px;white-space:nowrap;}\n.t-ac{background:rgba(0,216,240,.1);color:var(--cyan);border:1px solid rgba(0,216,240,.25);}\n.t-ia{background:rgba(26,127,212,.1);color:#60b8f8;border:1px solid rgba(26,127,212,.25);}\n.t-au{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.25);}\n.t-cm{background:rgba(136,102,255,.1);color:#b39dff;border:1px solid rgba(136,102,255,.25);}\n.t-si{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.25);}\n.t-sc{background:rgba(0,180,168,.1);color:#40d8d0;border:1px solid rgba(0,180,168,.25);}\n.t-ir{background:rgba(232,72,72,.1);color:#f08080;border:1px solid rgba(232,72,72,.25);}\n.t-ra{background:rgba(255,112,67,.1);color:#ff8a65;border:1px solid rgba(255,112,67,.25);}\n.t-gen{background:rgba(110,143,168,.1);color:var(--text3);border:1px solid rgba(110,143,168,.2);}\n.si{flex:1;}\n.sn{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:3px;}\n.sd{font-size:12px;color:var(--text2);line-height:1.5;}\n.or{display:flex;align-items:flex-start;gap:11px;border:1px solid var(--border);padding:13px 
14px;margin-bottom:6px;}\n.or.grant{background:rgba(0,204,112,.04);border-color:rgba(0,204,112,.22);}\n.or.warn{background:rgba(255,179,0,.04);border-color:rgba(255,179,0,.22);}\n.or.risk{background:rgba(232,72,72,.04);border-color:rgba(232,72,72,.22);}\n.od{width:9px;height:9px;border-radius:50%;flex-shrink:0;margin-top:4px;}\n.od.g{background:var(--green);}.od.a{background:var(--amber);}.od.r{background:var(--red);}\n.ol{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:3px;}\n.oc{font-size:12px;color:var(--text2);line-height:1.5;}\n.ib{background:var(--surf);border:1px solid var(--border);border-left:3px solid var(--cyan);padding:14px 16px;margin:14px 0;}\n.ib.a{border-left-color:var(--amber);}\n.ib.g{border-left-color:var(--green);}\n.ib.p{border-left-color:var(--purple);}\n.ib.r{border-left-color:var(--red);}\n.ibt{font-family:var(--cond);font-size:13px;font-weight:700;color:#fff;margin-bottom:5px;}\n.ibb{font-size:12px;line-height:1.6;color:var(--text2);}\n.ibb strong{color:var(--text);}\ntable{width:100%;border-collapse:collapse;font-size:12.5px;margin:14px 0;}\nth{font-family:var(--mono);font-size:8.5px;font-weight:700;letter-spacing:.12em;text-transform:uppercase;color:var(--text3);padding:8px 12px;border-bottom:1px solid var(--border2);text-align:left;}\ntd{padding:10px 12px;border-bottom:1px solid var(--border);color:var(--text2);line-height:1.5;vertical-align:top;}\ntd:first-child{color:var(--text);font-weight:500;}\ntr:last-child td{border-bottom:none;}\n.tbl-wrap{overflow-x:auto;-webkit-overflow-scrolling:touch;margin:14px 0;}\n.tbl-wrap table{margin:0;}\n.related{margin-top:34px;border-top:1px solid 
var(--border);padding-top:16px;}\n.rlab{font-family:var(--mono);font-size:8.5px;font-weight:700;letter-spacing:.16em;text-transform:uppercase;color:var(--text3);margin-bottom:10px;}\n.rls{display:flex;flex-wrap:wrap;gap:7px;}\n.rl{font-size:11.5px;font-family:var(--mono);color:var(--cyan);background:rgba(0,216,240,.05);border:1px solid rgba(0,216,240,.18);padding:4px 11px;cursor:pointer;transition:background .1s;}\n.rl:hover{background:rgba(0,216,240,.12);}\n\/* Baseline badges *\/\n.bl-badge{display:inline-flex;align-items:center;gap:5px;font-family:var(--mono);font-size:9px;font-weight:700;letter-spacing:.1em;padding:3px 9px;border-radius:2px;margin:2px;}\n.bl-l{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.3);}\n.bl-m{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.3);}\n.bl-h{background:rgba(232,72,72,.1);color:#f08080;border:1px solid rgba(232,72,72,.3);}\n\/* Impact level row color *\/\ntr.low td{border-left:2px solid var(--green);}\ntr.mod td{border-left:2px solid var(--amber);}\ntr.high td{border-left:2px solid var(--red);}\n\/* Control ID inline tag *\/\n.ctrl{font-family:var(--mono);font-size:10px;font-weight:700;color:var(--cyan);background:rgba(0,216,240,.08);border:1px solid rgba(0,216,240,.18);padding:1px 6px;border-radius:2px;margin-right:4px;white-space:nowrap;}\n\/* Hamburger *\/\n.hamburger{display:none;position:fixed;top:12px;left:12px;z-index:1100;background:var(--surf);border:1px solid var(--border);border-radius:4px;padding:8px 7px;cursor:pointer;flex-direction:column;gap:4px;align-items:center;justify-content:center;-webkit-tap-highlight-color:transparent;}\n.hamburger span{display:block;width:18px;height:2px;background:var(--cyan);border-radius:1px;transition:transform .2s,opacity .2s;}\n.hamburger.open span:nth-child(1){transform:translateY(6px) rotate(45deg);}\n.hamburger.open span:nth-child(2){opacity:0;}\n.hamburger.open span:nth-child(3){transform:translateY(-6px) 
rotate(-45deg);}\n.sb-overlay{display:none;position:fixed;inset:0;background:rgba(0,0,0,.55);z-index:999;-webkit-backdrop-filter:blur(2px);backdrop-filter:blur(2px);}\n\n\/* \u2500\u2500 LIGHT MODE \u2500\u2500 *\/\nbody.light{\n  --bg:#eef2f7;--surf:#ffffff;--surf2:#e0e8f2;--border:#b0c4d8;--border2:#8aaac4;\n  --text:#0a111e;--text2:#1e3448;--text3:#4a6680;\n  --cyan:#005f8a;--amber:#a85c00;--green:#006030;--red:#a81820;--purple:#4422aa;\n  --blue:#0a50a0;--teal:#006060;\n}\nbody.light .sb-title,body.light h3,body.light .p-title{color:#0a111e;}\nbody.light .p-title span{color:var(--cyan);}\nbody.light .sb-logo,.body.light .ngl{color:var(--cyan);}\nbody.light .ni{color:#0a111e;}\nbody.light .ni:hover{background:var(--surf2);}\nbody.light .card,.body.light .pb,.body.light .ib,.body.light .family-card{background:var(--surf);}\nbody.light .ctitle,.body.light .sn,.body.light .ol,.body.light .ibt,.body.light .fc-name{color:#0a111e;}\nbody.light .prose code{background:rgba(0,95,138,.1);}\nbody.light table td:first-child{color:#1a2535;}\n\n\/* \u2500\u2500 RESPONSIVE \u2500\u2500 *\/\n@media(max-width:900px){\n  .hamburger{display:flex;}\n  .sidebar{position:fixed;left:-260px;top:0;bottom:0;width:250px;min-width:250px;z-index:1000;transition:left .25s ease;}\n  .sidebar.open{left:0;box-shadow:4px 0 24px rgba(0,0,0,.45);}\n  .sb-overlay.open{display:block;}\n  .main{margin-left:0;}\n  .panel{padding:28px 28px 60px;max-width:100%;}\n  .p-title{font-size:36px;}\n  .cg3,.cg4{grid-template-columns:1fr 1fr;}\n}\n@media(max-width:560px){\n  .panel{padding:18px 14px 48px;}\n  .p-title{font-size:28px;}\n  .cg2,.cg3,.cg4{grid-template-columns:1fr;}\n  table{font-size:11px;}\n  th{font-size:7.5px;padding:6px 8px;}\n  td{padding:8px;}\n  .sr{flex-direction:column;gap:6px;}\n  .st{align-self:flex-start;}\n}\n<\/style>\n<\/head>\n<body>\n<div class=\"app\">\n\n<button class=\"hamburger\" id=\"menuBtn\" onclick=\"toggleMenu()\" aria-label=\"Toggle navigation\">\n  
<span><\/span><span><\/span><span><\/span>\n<\/button>\n<div class=\"sb-overlay\" id=\"sbOverlay\" onclick=\"toggleMenu()\"><\/div>\n\n<!-- \u2550\u2550\u2550 SIDEBAR \u2550\u2550\u2550 -->\n<aside class=\"sidebar\" id=\"sidebar\">\n  <div class=\"sb-hdr\">\n    <div class=\"sb-logo\">NIST Special Publication<\/div>\n    <div class=\"sb-title\">800-53 Rev 5<\/div>\n    <div class=\"sb-sub\">Security and Privacy Controls for<br>Information Systems and Organizations<\/div>\n  <\/div>\n  <div class=\"sb-fsize\">\n    <span class=\"fsize-label\">Size<\/span>\n    <div class=\"fsize-btns\">\n      <button class=\"fsz\" onclick=\"adjFont(-1)\">A\u2212<\/button>\n      <button class=\"fsz\" onclick=\"adjFont(0)\">A<\/button>\n      <button class=\"fsz\" onclick=\"adjFont(1)\">A+<\/button>\n    <\/div>\n    <button class=\"theme-btn\" id=\"themeBtn\" onclick=\"toggleTheme()\">\u2600 Light<\/button>\n  <\/div>\n  <nav>\n    <div class=\"ng\">\n      <span class=\"ngl\">Overview<\/span>\n      <div class=\"ni active\" onclick=\"nav('home')\"><div class=\"nd\"><\/div>Introduction<\/div>\n      <div class=\"ni\" onclick=\"nav('rev5')\"><div class=\"nd\"><\/div>What&#8217;s New in Rev 5<\/div>\n      <div class=\"ni\" onclick=\"nav('structure')\"><div class=\"nd\"><\/div>Control Structure<\/div>\n      <div class=\"ni\" onclick=\"nav('baselines')\"><div class=\"nd\"><\/div>Baselines &amp; Impact Levels<\/div>\n      <div class=\"ni\" onclick=\"nav('tailoring')\"><div class=\"nd\"><\/div>Tailoring &amp; Overlays<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Identity &amp; Access<\/span>\n      <div class=\"ni\" onclick=\"nav('ac')\"><div class=\"nd\"><\/div>AC \u2014 Access Control<\/div>\n      <div class=\"ni\" onclick=\"nav('ia')\"><div class=\"nd\"><\/div>IA \u2014 Identification &amp; Auth<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Audit &amp; Risk<\/span>\n      <div class=\"ni\" onclick=\"nav('au')\"><div 
class=\"nd\"><\/div>AU \u2014 Audit &amp; Accountability<\/div>\n      <div class=\"ni\" onclick=\"nav('ca')\"><div class=\"nd\"><\/div>CA \u2014 Assessment &amp; Authorization<\/div>\n      <div class=\"ni\" onclick=\"nav('ra')\"><div class=\"nd\"><\/div>RA \u2014 Risk Assessment<\/div>\n      <div class=\"ni\" onclick=\"nav('pm')\"><div class=\"nd\"><\/div>PM \u2014 Program Management<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Config &amp; Integrity<\/span>\n      <div class=\"ni\" onclick=\"nav('cm')\"><div class=\"nd\"><\/div>CM \u2014 Configuration Mgmt<\/div>\n      <div class=\"ni\" onclick=\"nav('si')\"><div class=\"nd\"><\/div>SI \u2014 System &amp; Info Integrity<\/div>\n      <div class=\"ni\" onclick=\"nav('sa')\"><div class=\"nd\"><\/div>SA \u2014 System &amp; Svc Acquisition<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Infrastructure<\/span>\n      <div class=\"ni\" onclick=\"nav('sc')\"><div class=\"nd\"><\/div>SC \u2014 Sys &amp; Comms Protection<\/div>\n      <div class=\"ni\" onclick=\"nav('pe')\"><div class=\"nd\"><\/div>PE \u2014 Physical &amp; Environmental<\/div>\n      <div class=\"ni\" onclick=\"nav('ma')\"><div class=\"nd\"><\/div>MA \u2014 Maintenance<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Resilience<\/span>\n      <div class=\"ni\" onclick=\"nav('cp')\"><div class=\"nd\"><\/div>CP \u2014 Contingency Planning<\/div>\n      <div class=\"ni\" onclick=\"nav('ir')\"><div class=\"nd\"><\/div>IR \u2014 Incident Response<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Personnel &amp; Policy<\/span>\n      <div class=\"ni\" onclick=\"nav('at')\"><div class=\"nd\"><\/div>AT \u2014 Awareness &amp; Training<\/div>\n      <div class=\"ni\" onclick=\"nav('ps')\"><div class=\"nd\"><\/div>PS \u2014 Personnel Security<\/div>\n      <div class=\"ni\" onclick=\"nav('pl')\"><div class=\"nd\"><\/div>PL \u2014 Planning<\/div>\n    <\/div>\n    <div 
class=\"ng\">\n      <span class=\"ngl\">Data &amp; Supply Chain<\/span>\n      <div class=\"ni\" onclick=\"nav('mp')\"><div class=\"nd\"><\/div>MP \u2014 Media Protection<\/div>\n      <div class=\"ni\" onclick=\"nav('pt')\"><div class=\"nd\"><\/div>PT \u2014 PII &amp; Privacy<\/div>\n      <div class=\"ni\" onclick=\"nav('sr')\"><div class=\"nd\"><\/div>SR \u2014 Supply Chain Risk<\/div>\n    <\/div>\n    <div class=\"ng\">\n      <span class=\"ngl\">Document<\/span>\n      <div class=\"ni\" onclick=\"nav('nist')\"><div class=\"nd\"><\/div>Source Publication<\/div>\n    <\/div>\n  <\/nav>\n  <div class=\"sb-copy\">Rev 5 \u00b7 Sep 2020 \u00b7 20 Families \u00b7 1000+ Controls<\/div>\n<\/aside>\n\n<!-- \u2550\u2550\u2550 MAIN \u2550\u2550\u2550 -->\n<main class=\"main\">\n\n<!-- \u2550\u2550 HOME \u2550\u2550 -->\n<div class=\"panel active\" id=\"panel-home\">\n  <div class=\"p-eye\">NIST Special Publication 800-53 Revision 5<\/div>\n  <div class=\"p-title\">Security &amp; Privacy <span>Controls<\/span><\/div>\n  <div class=\"p-sub\">A comprehensive catalog of safeguards for information systems, organizations, and individuals<\/div>\n  <div class=\"prose\">NIST SP 800-53 is the federal government&#8217;s authoritative catalog of security and privacy controls. First published in 2005 and now in its fifth revision (September 2020), it defines <strong>over 1,000 controls and control enhancements<\/strong> organized into 20 families. It serves as the foundational control catalog for FedRAMP, FISMA compliance, RMF Step 2 control selection, and is widely adopted in commercial enterprise security programs.<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\">Rev 5 made the catalog <strong>technology-neutral and sector-agnostic<\/strong> \u2014 explicitly applicable to federal agencies, commercial organizations, industrial control systems, cloud environments, IoT, and privacy programs. 
It is no longer scoped exclusively to federal information systems.<\/div>\n  <h3>The 20 Control Families<\/h3>\n  <div class=\"cg cg4\" style=\"gap:8px;\">\n    <div class=\"family-card\" onclick=\"nav('ac')\"><div class=\"fc-id\" style=\"color:var(--cyan)\">AC<\/div><div class=\"fc-name\">Access Control<\/div><div class=\"fc-count\">25 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('at')\"><div class=\"fc-id\" style=\"color:#60b8f8\">AT<\/div><div class=\"fc-name\">Awareness &amp; Training<\/div><div class=\"fc-count\">6 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('au')\"><div class=\"fc-id\" style=\"color:var(--amber)\">AU<\/div><div class=\"fc-name\">Audit &amp; Accountability<\/div><div class=\"fc-count\">16 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('ca')\"><div class=\"fc-id\" style=\"color:#ff8a65\">CA<\/div><div class=\"fc-name\">Assessment &amp; Authorization<\/div><div class=\"fc-count\">9 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('cm')\"><div class=\"fc-id\" style=\"color:#b39dff\">CM<\/div><div class=\"fc-name\">Configuration Mgmt<\/div><div class=\"fc-count\">14 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('cp')\"><div class=\"fc-id\" style=\"color:#40d8d0\">CP<\/div><div class=\"fc-name\">Contingency Planning<\/div><div class=\"fc-count\">13 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('ia')\"><div class=\"fc-id\" style=\"color:var(--cyan)\">IA<\/div><div class=\"fc-name\">Identification &amp; Auth<\/div><div class=\"fc-count\">12 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('ir')\"><div class=\"fc-id\" style=\"color:#f08080\">IR<\/div><div class=\"fc-name\">Incident Response<\/div><div class=\"fc-count\">10 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('ma')\"><div class=\"fc-id\" 
style=\"color:var(--text3)\">MA<\/div><div class=\"fc-name\">Maintenance<\/div><div class=\"fc-count\">6 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('mp')\"><div class=\"fc-id\" style=\"color:var(--text3)\">MP<\/div><div class=\"fc-name\">Media Protection<\/div><div class=\"fc-count\">8 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('pe')\"><div class=\"fc-id\" style=\"color:var(--text3)\">PE<\/div><div class=\"fc-name\">Physical &amp; Environmental<\/div><div class=\"fc-count\">23 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('pl')\"><div class=\"fc-id\" style=\"color:#60b8f8\">PL<\/div><div class=\"fc-name\">Planning<\/div><div class=\"fc-count\">11 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('pm')\"><div class=\"fc-id\" style=\"color:#ff8a65\">PM<\/div><div class=\"fc-name\">Program Management<\/div><div class=\"fc-count\">32 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('ps')\"><div class=\"fc-id\" style=\"color:var(--text3)\">PS<\/div><div class=\"fc-name\">Personnel Security<\/div><div class=\"fc-count\">9 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('pt')\"><div class=\"fc-id\" style=\"color:#b39dff\">PT<\/div><div class=\"fc-name\">PII &amp; Privacy<\/div><div class=\"fc-count\">8 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('ra')\"><div class=\"fc-id\" style=\"color:#ff8a65\">RA<\/div><div class=\"fc-name\">Risk Assessment<\/div><div class=\"fc-count\">10 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('sa')\"><div class=\"fc-id\" style=\"color:#b39dff\">SA<\/div><div class=\"fc-name\">System &amp; Svc Acquisition<\/div><div class=\"fc-count\">23 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('sc')\"><div class=\"fc-id\" style=\"color:#40d8d0\">SC<\/div><div class=\"fc-name\">Sys &amp; Comms 
Protection<\/div><div class=\"fc-count\">51 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('si')\"><div class=\"fc-id\" style=\"color:var(--green)\">SI<\/div><div class=\"fc-name\">System &amp; Info Integrity<\/div><div class=\"fc-count\">23 base controls<\/div><\/div>\n    <div class=\"family-card\" onclick=\"nav('sr')\"><div class=\"fc-id\" style=\"color:#f08080\">SR<\/div><div class=\"fc-name\">Supply Chain Risk Mgmt<\/div><div class=\"fc-count\">12 base controls<\/div><\/div>\n  <\/div>\n  <h3>Three security baselines<\/h3>\n  <div class=\"prose\">Every control in the catalog is tagged to one or more baselines based on the impact level of the system. Organizations select a baseline appropriate to their impact categorization under FIPS 199, then apply tailoring to adjust controls to their specific environment and risk posture.<\/div>\n  <div class=\"cg cg3\" style=\"margin-top:14px;\">\n    <div class=\"card\" style=\"border-top:3px solid var(--green)\"><div class=\"cnum\">LOW IMPACT<\/div><div class=\"ctitle\">Low Baseline<\/div><div class=\"ctext\">Minimum controls for systems where compromise would have limited adverse effect. ~116 controls from 17 families.<\/div><\/div>\n    <div class=\"card\" style=\"border-top:3px solid var(--amber)\"><div class=\"cnum\">MODERATE IMPACT<\/div><div class=\"ctitle\">Moderate Baseline<\/div><div class=\"ctext\">Most federal systems fall here. Serious adverse effect if compromised. ~323 controls and enhancements.<\/div><\/div>\n    <div class=\"card\" style=\"border-top:3px solid var(--red)\"><div class=\"cnum\">HIGH IMPACT<\/div><div class=\"ctitle\">High Baseline<\/div><div class=\"ctext\">Systems where compromise causes severe\/catastrophic harm. 
~447 controls and enhancements.<\/div><\/div>\n  <\/div>\n  <div class=\"ib\" style=\"margin-top:18px\"><div class=\"ibt\">800-53 is a catalog, not a checklist<\/div><div class=\"ibb\">The full catalog contains every possible control across all impact levels. No organization implements all of them. The intent is to <strong>select from the catalog<\/strong> using baselines, then tailor to your specific environment, threat profile, mission, and risk tolerance. Selecting the moderate baseline is the starting point \u2014 not the endpoint.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Start here<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('structure')\">Control structure<\/span><span class=\"rl\" onclick=\"nav('baselines')\">Baselines<\/span><span class=\"rl\" onclick=\"nav('rev5')\">What&#8217;s new in Rev 5<\/span><span class=\"rl\" onclick=\"nav('tailoring')\">Tailoring<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 REV 5 \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-rev5\">\n  <div class=\"p-eye\">September 2020<\/div>\n  <div class=\"p-title\">What&#8217;s New in <span>Rev 5<\/span><\/div>\n  <div class=\"p-sub\">The most significant rewrite since the catalog&#8217;s inception \u2014 seven major changes<\/div>\n  <div class=\"prose\">Revision 5, finalized September 23, 2020, was the first major revision since Rev 4 in 2013. It fundamentally changed the catalog&#8217;s scope, structure, and philosophy \u2014 not just added controls. Security architects and compliance teams need to understand these changes to apply the catalog correctly and avoid carrying Rev 4 assumptions forward.<\/div>\n\n  <h3>1. Technology and sector-neutral scope<\/h3>\n  <div class=\"prose\">Rev 4 was written primarily for federal information systems. Rev 5 explicitly removes this limitation. 
The catalog is now applicable to <strong>any organization in any sector<\/strong> \u2014 commercial enterprises, healthcare, financial services, critical infrastructure, and state\/local government \u2014 without any translation or interpretation layer required. The language no longer assumes a federal context.<\/div>\n\n  <h3>2. Privacy controls fully integrated<\/h3>\n  <div class=\"prose\">Prior to Rev 5, privacy controls were maintained in a separate appendix (Appendix J) and treated as a secondary concern. Rev 5 <strong>integrates privacy controls throughout the catalog<\/strong>, treating security and privacy as complementary disciplines. The new <code>PT<\/code> family (PII Processing and Transparency) formalizes privacy requirements. Privacy-specific controls appear alongside security controls within each family where relevant.<\/div>\n  <div class=\"ib p\"><div class=\"ibt\">SP 800-53B separates the catalog from the baselines<\/div><div class=\"ibb\">Rev 5 moved the security and privacy control baselines into a companion document: <strong>NIST SP 800-53B<\/strong> (October 2020). This separates &#8220;what controls exist&#8221; (800-53) from &#8220;which controls are required at each impact level&#8221; (800-53B), making both documents easier to maintain independently.<\/div><\/div>\n\n  <h3>3. Outcomes-based control language<\/h3>\n  <div class=\"prose\">Rev 4 controls were written as requirements directed at organizations (<em>&#8220;The organization shall&#8230;&#8221;<\/em>). Rev 5 restructures control statements into <strong>outcome-based language<\/strong> focused on what the control achieves rather than prescribing how an organization must be structured. This makes controls more flexible across different operating models and organizational structures.<\/div>\n\n  <h3>4. Supply Chain Risk Management \u2014 new SR family<\/h3>\n  <div class=\"prose\">Supply chain risk was addressed implicitly in Rev 4. 
Rev 5 elevates it to a <strong>dedicated family (SR)<\/strong> with 12 base controls covering supply chain risk plans, procurement processes, supply chain protection, provenance tracking, and supplier assessments. This responds directly to years of supply chain compromise incidents (SolarWinds, hardware implants, counterfeit components).<\/div>\n\n  <h3>5. PII Processing and Transparency \u2014 new PT family<\/h3>\n  <div class=\"prose\">The <strong>PT family<\/strong> is entirely new in Rev 5, covering authority for PII processing, purpose specification, information sharing, consent, and individual access. It aligns with GDPR concepts while remaining NIST-native. Organizations subject to both FISMA and privacy regulations now have a single control framework that addresses both.<\/div>\n\n  <h3>6. Controls linked to attack TTPs<\/h3>\n  <div class=\"prose\">Rev 5 includes explicit references to <strong>MITRE ATT&amp;CK<\/strong> and other threat frameworks in control supplemental guidance. Controls are now contextualized against real-world adversary behavior \u2014 not just compliance checklists. This allows security architects to map their control gaps directly to ATT&amp;CK tactics and evaluate control effectiveness against known threat actor techniques.<\/div>\n\n  <h3>7. Reduced federal\/organizational separation<\/h3>\n  <div class=\"prose\">Rev 4 separated controls into &#8220;organization-level&#8221; and &#8220;information system-level&#8221; designations. Rev 5 removes this artificial split. Controls operate at whatever level is appropriate for the organization&#8217;s structure. This simplification is particularly important for cloud-hosted systems where the traditional boundary between organization and system has dissolved.<\/div>\n\n  <div class=\"ib a\" style=\"margin-top:18px\"><div class=\"ibt\">Rev 4 mappings do not carry forward automatically<\/div><div class=\"ibb\">Rev 5 renumbered, merged, and restructured many controls. 
Rev 4 control IDs do not map 1:1 to Rev 5. NIST publishes a formal Rev 4-to-Rev 5 mapping document. FedRAMP completed its Rev 5 transition in 2023 \u2014 systems authorized under Rev 4 baselines must be re-assessed against Rev 5.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pt')\">PT family (new)<\/span><span class=\"rl\" onclick=\"nav('sr')\">SR family (new)<\/span><span class=\"rl\" onclick=\"nav('baselines')\">Rev 5 baselines<\/span><span class=\"rl\" onclick=\"nav('nist')\">Source document<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 CONTROL STRUCTURE \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-structure\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Chapter Two<\/div>\n  <div class=\"p-title\">Control <span>Structure<\/span><\/div>\n  <div class=\"p-sub\">How individual controls are organized, layered, and read<\/div>\n  <div class=\"prose\">Every control in the 800-53 catalog follows a consistent structure. Understanding this structure is prerequisite to using the catalog correctly \u2014 particularly the relationship between base controls and enhancements, and the role of parameters and supplemental guidance.<\/div>\n  <h3>Anatomy of a control<\/h3>\n  <div class=\"sr\"><span class=\"st t-ac\">ID<\/span><div class=\"si\"><div class=\"sn\">Control Identifier<\/div><div class=\"sd\">Family prefix + sequential number. Example: <code>AC-3<\/code> is the third control in the Access Control family. Enhancements add a parenthetical: <code>AC-3(7)<\/code> is enhancement 7 of Access Control-3.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">NAME<\/span><div class=\"si\"><div class=\"sn\">Control Name<\/div><div class=\"sd\">A short descriptive title for the control. Not a requirement itself \u2014 the statement is the requirement. 
Example: AC-3 is named &#8220;Access Enforcement.&#8221;<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">STMT<\/span><div class=\"si\"><div class=\"sn\">Control Statement<\/div><div class=\"sd\">The actual requirement. Rev 5 uses outcome-based language. May include <strong>assignment parameters<\/strong> [organization-defined values] and <strong>selection parameters<\/strong> [one or more from a list]. Organizations must fill in or select parameter values as part of implementation.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">DISC<\/span><div class=\"si\"><div class=\"sn\">Discussion<\/div><div class=\"sd\">Non-mandatory supplemental guidance explaining the intent, rationale, and implementation considerations. Not a requirement \u2014 but essential context for interpreting the control correctly and making implementation decisions.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">RELATED<\/span><div class=\"si\"><div class=\"sn\">Related Controls<\/div><div class=\"sd\">Cross-references to other controls that complement or depend on this one. These are critical for architecture \u2014 they reveal the dependency graph between controls and help identify where a single implementation decision satisfies multiple requirements.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">REFS<\/span><div class=\"si\"><div class=\"sn\">References<\/div><div class=\"sd\">Other NIST publications and external standards that provide additional guidance. Common references include SP 800-160, SP 800-207, FIPS 140-3, FIPS 186-5, and ISO\/IEC 27001.<\/div><\/div><\/div>\n\n  <h3>Base controls vs. control enhancements<\/h3>\n  <div class=\"prose\">Each family contains <strong>base controls<\/strong> (numbered sequentially) and <strong>control enhancements<\/strong> (parenthetical additions to base controls). Enhancements add capability, specificity, or rigor to the base control. 
They are never selected without first selecting the base control they extend.<\/div>\n  <div class=\"ib\"><div class=\"ibt\">Example: AC-2 and its enhancements<\/div><div class=\"ibb\"><strong>AC-2<\/strong> (base) requires account management \u2014 creating, modifying, enabling, disabling, and removing accounts. <strong>AC-2(1)<\/strong> adds automated system account management. <strong>AC-2(3)<\/strong> adds automatic disabling of inactive accounts after [organization-defined time period]. <strong>AC-2(13)<\/strong> adds disabling accounts on high risk from threat intelligence. Each enhancement is additive \u2014 higher baselines require more enhancements on top of the same base.<\/div><\/div>\n\n  <h3>Organization-defined parameters (ODPs)<\/h3>\n  <div class=\"prose\">Many control statements contain <strong>[Assignment: organization-defined values]<\/strong>. These are not blanks to leave empty \u2014 they are security decisions that organizations must make and document. NIST SP 800-53B provides default parameter values for each baseline. Organizations may accept the defaults or define stricter values. 
Examples (allocation per SP 800-53B; none of these carry a NIST-assigned value, so the number in force is whatever your organization, agency policy, or FedRAMP sets and documents):<\/div>\n  <div class=\"tbl-wrap\"><table>\n    <thead><tr><th>Control<\/th><th>Parameter<\/th><th>Low<\/th><th>Mod<\/th><th>High<\/th><th>NIST-assigned value<\/th><\/tr><\/thead>\n    <tbody>\n      <tr><td>AC-2(3)<\/td><td>Inactivity period before account disable<\/td><td>Not selected<\/td><td>Selected<\/td><td>Selected<\/td><td>None \u2014 organization-defined<\/td><\/tr>\n      <tr><td>AC-7<\/td><td>Max consecutive invalid logon attempts and time window<\/td><td>Selected<\/td><td>Selected<\/td><td>Selected<\/td><td>None \u2014 organization-defined<\/td><\/tr>\n      <tr><td>AU-11<\/td><td>Audit log retention period<\/td><td>Selected<\/td><td>Selected<\/td><td>Selected<\/td><td>None \u2014 organization-defined<\/td><\/tr>\n      <tr><td>SI-2<\/td><td>Flaw remediation time after release of a fix<\/td><td>Selected<\/td><td>Selected<\/td><td>Selected<\/td><td>None \u2014 organization-defined<\/td><\/tr>\n      <tr><td>IA-5(1)<\/td><td>Password composition and complexity rules<\/td><td>Selected<\/td><td>Selected<\/td><td>Selected<\/td><td>None \u2014 organization-defined<\/td><\/tr>\n    <\/tbody>\n  <\/table><\/div>\n  <div class=\"ib a\"><div class=\"ibt\">Undefined ODPs are an audit finding<\/div><div class=\"ibb\">Leaving organization-defined parameters undefined is not a minor procedural gap \u2014 it means the control has not been fully implemented. Assessors executing CA-2 will flag undefined ODPs as incomplete control implementations, and they will equally flag a documented value that the system does not actually enforce. 
Document every parameter value in your System Security Plan (SSP).<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('baselines')\">Baselines<\/span><span class=\"rl\" onclick=\"nav('tailoring')\">Tailoring<\/span><span class=\"rl\" onclick=\"nav('ca')\">CA \u2014 Authorization<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 BASELINES \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-baselines\">\n  <div class=\"p-eye\">NIST SP 800-53B \u00b7 October 2020<\/div>\n  <div class=\"p-title\">Baselines &amp; <span>Impact Levels<\/span><\/div>\n  <div class=\"p-sub\">Three control baselines derived from FIPS 199 impact categorization<\/div>\n  <div class=\"prose\">SP 800-53B defines three security control baselines \u2014 Low, Moderate, and High \u2014 corresponding to the impact levels established by <strong>FIPS 199<\/strong> (Standards for Security Categorization). The baseline provides the starting set of controls for each impact level, which organizations then tailor to their specific context.<\/div>\n  <h3>Impact categorization (FIPS 199)<\/h3>\n  <div class=\"prose\">The security category of a system is determined by assessing the potential impact of a security breach on <strong>three security objectives<\/strong>: Confidentiality, Integrity, and Availability. Each is rated Low, Moderate, or High. The overall system categorization is the <em>high watermark<\/em> \u2014 the highest individual rating across all three objectives.<\/div>\n  <div class=\"tbl-wrap\"><table>\n    <thead><tr><th>Impact Level<\/th><th>Definition<\/th><th>Example systems<\/th><\/tr><\/thead>\n    <tbody>\n      <tr class=\"low\"><td><span class=\"bl-badge bl-l\">LOW<\/span><\/td><td>Limited adverse effect. 
Loss of confidentiality, integrity, or availability would cause minor mission degradation, minor financial damage, or minor harm.<\/td><td>Public-facing informational websites, internal training systems, non-sensitive productivity apps<\/td><\/tr>\n      <tr class=\"mod\"><td><span class=\"bl-badge bl-m\">MODERATE<\/span><\/td><td>Serious adverse effect. Would cause significant mission degradation, significant financial damage, significant harm (not loss of life) to individuals.<\/td><td>HR systems, financial reporting, internal collaboration, most federal IT systems<\/td><\/tr>\n      <tr class=\"high\"><td><span class=\"bl-badge bl-h\">HIGH<\/span><\/td><td>Severe or catastrophic adverse effect. Could cause severe mission failure, major financial damage, severe harm, or loss of life.<\/td><td>Emergency services, power grid control, law enforcement systems, weapons systems<\/td><\/tr>\n    <\/tbody>\n  <\/table><\/div>\n\n  <h3>What each baseline includes<\/h3>\n  <div class=\"cg cg3\" style=\"margin-top:8px\">\n    <div class=\"card\" style=\"border-top:3px solid var(--green)\">\n      <div class=\"cnum\">LOW BASELINE<\/div>\n      <div class=\"ctitle\">~116 controls<\/div>\n      <div class=\"ctext\" style=\"margin-top:8px\">Covers all 17 applicable families (PM and PT are organizational-level and not tied to impact level). Primarily base controls with minimal enhancements. Focuses on foundational hygiene: account management, basic access enforcement, audit logging, incident response capability, and contingency planning basics.<\/div>\n    <\/div>\n    <div class=\"card\" style=\"border-top:3px solid var(--amber)\">\n      <div class=\"cnum\">MODERATE BASELINE<\/div>\n      <div class=\"ctitle\">~323 controls<\/div>\n      <div class=\"ctext\" style=\"margin-top:8px\">Includes all Low baseline controls plus significant enhancements. 
Adds automated monitoring, stronger authentication, more rigorous audit requirements, network boundary protection, flaw remediation timeframes, and insider threat program requirements. The target for most commercial enterprises and federal civilian systems.<\/div>\n    <\/div>\n    <div class=\"card\" style=\"border-top:3px solid var(--red)\">\n      <div class=\"cnum\">HIGH BASELINE<\/div>\n      <div class=\"ctitle\">~447 controls<\/div>\n      <div class=\"ctext\" style=\"margin-top:8px\">Maximum controls for systems with catastrophic impact potential. Adds additional enhancements on top of Moderate: two-person integrity requirements, enhanced physical controls, insider threat capabilities, advanced cryptographic requirements, and near-real-time monitoring. Typically DoD, IC, and critical infrastructure systems.<\/div>\n    <\/div>\n  <\/div>\n\n  <h3>Privacy baseline<\/h3>\n  <div class=\"prose\">SP 800-53B also defines a <strong>Privacy Baseline<\/strong> that applies to systems processing Personally Identifiable Information (PII), regardless of security impact level. The privacy baseline draws primarily from the <code>PT<\/code> family and privacy-related controls scattered across other families. It applies <em>in addition to<\/em> the applicable security baseline \u2014 not as a replacement.<\/div>\n  <div class=\"ib g\"><div class=\"ibt\">FedRAMP and baseline alignment<\/div><div class=\"ibb\">FedRAMP aligns to SP 800-53 baselines but adds additional FedRAMP-specific controls and parameters. FedRAMP Low = ~125 controls, FedRAMP Moderate = ~325 controls, FedRAMP High = ~421 controls. The differences reflect FedRAMP-specific cloud requirements and tailored ODPs. 
FedRAMP published its Rev 5 baselines in May 2023; existing authorizations moved over on a phased transition schedule that ran into 2024.
The compensating control must provide equivalent protection and be documented with a rationale for why it is equally effective.<\/div><\/div><\/div>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">Specifying organization-defined parameters<\/div><div class=\"oc\">Filling in all ODPs with specific, documented values. This is not optional \u2014 unresolved ODPs are incomplete control implementations. Parameter values may be stricter than SP 800-53B defaults but not less protective without documented risk acceptance.<\/div><\/div><\/div>\n  <div class=\"or warn\"><div class=\"od a\"><\/div><div><div class=\"ol\">Supplementing the baseline<\/div><div class=\"oc\">Adding controls from the catalog (or from other sources) that the baseline doesn&#8217;t include, when your threat profile or operational context requires additional protection. Common for high-value targets, critical infrastructure, and organizations with mature threat intelligence programs.<\/div><\/div><\/div>\n  <div class=\"or risk\"><div class=\"od r\"><\/div><div><div class=\"ol\">Accepting risk for unimplemented controls<\/div><div class=\"oc\">When a control cannot be implemented and no compensating control is available, the residual risk must be explicitly accepted by the Authorizing Official (AO) \u2014 not the ISSO or system owner. Undocumented risk acceptance is a fundamental audit finding.<\/div><\/div><\/div>\n\n  <h3>Overlays<\/h3>\n  <div class=\"prose\">An <strong>overlay<\/strong> is a pre-built tailoring package developed for a specific community of interest, environment, or technology type. Overlays provide parameter values, scoping decisions, and supplementary controls that have already been vetted for a particular context. 
Organizations apply an overlay by importing its tailoring decisions into their baseline selection.<\/div>\n  <div class=\"tbl-wrap\"><table>\n    <thead><tr><th>Overlay<\/th><th>Applies to<\/th><th>Source<\/th><\/tr><\/thead>\n    <tbody>\n      <tr><td>Industrial Control Systems (ICS)<\/td><td>SCADA, DCS, PLC environments<\/td><td>NIST SP 800-82<\/td><\/tr>\n      <tr><td>Privacy<\/td><td>Systems processing PII<\/td><td>SP 800-53B Privacy Baseline<\/td><\/tr>\n      <tr><td>Cloud Systems<\/td><td>FedRAMP cloud service providers<\/td><td>FedRAMP Rev 5<\/td><\/tr>\n      <tr><td>Classified National Security Systems<\/td><td>TS\/SCI and below classified systems<\/td><td>CNSSI 1253<\/td><\/tr>\n      <tr><td>Healthcare<\/td><td>HHS\/CMS covered entities and BAs<\/td><td>HHS 405(d)<\/td><\/tr>\n      <tr><td>Intelligence Community<\/td><td>IC systems and networks<\/td><td>ICD 503<\/td><\/tr>\n    <\/tbody>\n  <\/table><\/div>\n  <div class=\"ib a\"><div class=\"ibt\">Tailoring is not risk elimination \u2014 it&#8217;s risk documentation<\/div><div class=\"ibb\">The purpose of tailoring is not to reduce the control set to the minimum possible. It is to produce a control set that is <strong>properly scoped, documented, and risk-accepted<\/strong>. An auditor reviewing a well-tailored SSP can evaluate every control decision \u2014 what was selected, why, and what risk was accepted. 
A poorly tailored SSP has gaps the organization doesn&#8217;t know exist.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('baselines')\">Baselines<\/span><span class=\"rl\" onclick=\"nav('ca')\">CA \u2014 Assessment<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA \u2014 Risk assessment<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM \u2014 Program management<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 AC \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ac\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family AC<\/div>\n  <div class=\"p-title\">Access <span>Control<\/span><\/div>\n  <div class=\"p-sub\">25 base controls governing who can access what, under what conditions, and to what degree<\/div>\n  <div class=\"prose\">The AC family is the largest and most commonly referenced family in the catalog. It governs <strong>account lifecycle, access enforcement, least privilege, separation of duties, remote access, and wireless access<\/strong>. For Zero Trust architectures, AC is the primary family \u2014 ZTA principles are direct implementations of AC controls taken to their logical extreme.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-2<\/span><div class=\"si\"><div class=\"sn\">Account Management<\/div><div class=\"sd\">Establishes the full lifecycle for accounts: identification, establishment, activation, modification, review, disabling, and removal. Requires defining account types, conditions for use, and time-limited accounts for temporary access. 
AC-2 enhancements add automation, privileged account management, and dynamic privilege management.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-3<\/span><div class=\"si\"><div class=\"sn\">Access Enforcement<\/div><div class=\"sd\">Enforces approved authorizations for logical access to information and system resources using access control policies such as attribute-based access control (ABAC), identity-based access control, role-based access control (RBAC), and relationship-based access control. The core enforcement control.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-4<\/span><div class=\"si\"><div class=\"sn\">Information Flow Enforcement<\/div><div class=\"sd\">Controls how information flows between systems, domains, and components based on security policy. Critical for data loss prevention, cross-domain solutions, and network segmentation. Enhancements address encrypted information, metadata, and dynamic information flow policies.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-5<\/span><div class=\"si\"><div class=\"sn\">Separation of Duties<\/div><div class=\"sd\">Ensures no single individual can complete a critical function alone. Defines incompatible roles and enforces separation. Essential for preventing insider fraud and limiting the blast radius of a compromised account.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-6<\/span><div class=\"si\"><div class=\"sn\">Least Privilege<\/div><div class=\"sd\">Access rights limited to the minimum necessary for authorized tasks. 
Enhancements cover privileged accounts (AC-6(1)), non-privileged access for non-security functions (AC-6(2)), network access for privileged commands (AC-6(3)), and limiting functions available to non-privileged users.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-17<\/span><div class=\"si\"><div class=\"sn\">Remote Access<\/div><div class=\"sd\">Establishes usage restrictions, configuration\/connection requirements, and documentation for remote access. Enhancements require monitoring and control of remote access sessions, automated enforcement of remote access policy, and protection of confidentiality and integrity of remote access sessions.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ac\">AC-24<\/span><div class=\"si\"><div class=\"sn\">Access Control Decisions<\/div><div class=\"sd\">New in Rev 5. Requires the system to transmit access authorization information to other systems that need to make their own access control decisions. Enables consistent access enforcement across distributed architectures and aligns directly with ZTA policy engine concepts.<\/div><\/div><\/div>\n  <div class=\"ib\"><div class=\"ibt\">AC and Zero Trust alignment<\/div><div class=\"ibb\">AC-2 (account management), AC-3 (access enforcement), AC-4 (information flow), and AC-6 (least privilege) collectively describe the behavioral requirements of a Zero Trust architecture. The ZTNA Policy Engine (PE) and Policy Enforcement Point (PEP) are implementation mechanisms for these controls. 
Mapping your ZTA design to these controls demonstrates compliance through architecture.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ia')\">IA \u2014 Authentication<\/span><span class=\"rl\" onclick=\"nav('au')\">AU \u2014 Audit<\/span><span class=\"rl\" onclick=\"nav('sc')\">SC \u2014 Communications protection<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM \u2014 Configuration<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 IA \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ia\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family IA<\/div>\n  <div class=\"p-title\">Identification &amp; <span>Authentication<\/span><\/div>\n  <div class=\"p-sub\">12 base controls governing identity verification, credential management, and device authentication<\/div>\n  <div class=\"prose\">The IA family establishes how users, devices, services, and processes prove their identity to a system before access is granted. It covers <strong>unique identification, credential strength, authenticator management, re-authentication, and device-level identity<\/strong>. In Zero Trust architectures, IA and AC are the two families most directly implemented by the IDMS, PKI, and Policy Engine.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ia\">IA-2<\/span><div class=\"si\"><div class=\"sn\">Identification and Authentication (Organizational Users)<\/div><div class=\"sd\">The foundational MFA control. Requires MFA for network access to privileged accounts (IA-2(1)) and non-privileged accounts (IA-2(2)). IA-2(6) requires MFA for local access. 
IA-2(12) (Acceptance of PIV Credentials) carries over from Rev 4 and requires accepting and electronically verifying PIV credentials; it does not itself name FIDO or AAL levels \u2014 the phishing-resistant MFA mandate comes from OMB M-22-09, with authenticator assurance levels defined in SP 800-63B.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">IA-3<\/span><div class=\"si\"><div class=\"sn\">Device Identification and Authentication<\/div><div class=\"sd\">Devices must uniquely identify and authenticate themselves before connection. Critical for ZTA: every device must present a verifiable identity (typically an enterprise-issued X.509 certificate) before the Policy Engine will evaluate an access request. Enhancements add cryptographic bidirectional authentication.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">IA-5<\/span><div class=\"si\"><div class=\"sn\">Authenticator Management<\/div><div class=\"sd\">Governs the full authenticator lifecycle: initial distribution, storage, use, revocation, and recovery. IA-5(1) applies to password-based authenticators \u2014 in Rev 5 that means screening new passwords against lists of commonly used or compromised passwords, transmitting them only over cryptographically protected channels, storing them with an approved salted key derivation function, allowing long passphrases, and enforcing organization-defined composition rules; the Rev 4 password-history and periodic-rotation requirements are gone. IA-5(2) covers PKI-based authenticators. IA-5(13) prohibits use of cached authenticators beyond the organization-defined time period \u2014 relevant for offline token handling.
This is the control that mandates session re-authentication on risk change \u2014 a cornerstone of Zero Trust dynamic access policies. Organizations define the triggering conditions (inactivity timeout, privilege escalation, anomaly detection).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">IA-12<\/span><div class=\"si\"><div class=\"sn\">Identity Proofing<\/div><div class=\"sd\">New in Rev 5. Requires in-person or remote identity proofing before issuing credentials. Aligns with NIST SP 800-63A Identity Assurance Levels (IAL1\u2013IAL3). Establishes that digital credentials are only as trustworthy as the identity proofing process that backed them.<\/div><\/div><\/div>\n  <div class=\"ib g\"><div class=\"ibt\">IA-2(12): The phishing-resistant MFA control<\/div><div class=\"ibb\">OMB M-22-09 and CISA guidance point to <strong>IA-2(12)<\/strong> as the control that mandates phishing-resistant MFA \u2014 specifically PIV, CAC, and FIDO2\/WebAuthn authenticators. Organizations that satisfy IA-2(1) and IA-2(2) with legacy SMS OTP or TOTP do not satisfy IA-2(12). 
The distinction matters for federal systems and increasingly for commercial enterprises under cyber insurance requirements.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">AC \u2014 Access control<\/span><span class=\"rl\" onclick=\"nav('sc')\">SC-8 (transmission confidentiality)<\/span><span class=\"rl\" onclick=\"nav('au')\">AU \u2014 Audit<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 AU \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-au\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family AU<\/div>\n  <div class=\"p-title\">Audit &amp; <span>Accountability<\/span><\/div>\n  <div class=\"p-sub\">16 base controls governing what gets logged, how it&#8217;s protected, reviewed, and retained<\/div>\n  <div class=\"prose\">The AU family establishes the organization&#8217;s audit capability \u2014 <strong>what events are recorded, how audit records are protected, how they&#8217;re reviewed, and how long they&#8217;re retained<\/strong>. A robust audit posture is foundational to both compliance and security operations \u2014 without it, incident detection, forensic investigation, and accountability are impossible.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-au\">AU-2<\/span><div class=\"si\"><div class=\"sn\">Event Logging<\/div><div class=\"sd\">Defines the event types the organization determines to be auditable. The organization must coordinate with other entities to select audit events, and balance audit requirements with capabilities. 
The baseline events differ by impact level \u2014 High baseline systems log significantly more event types than Low baseline systems.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-au\">AU-3<\/span><div class=\"si\"><div class=\"sn\">Content of Audit Records<\/div><div class=\"sd\">Each audit record must contain sufficient information to determine: what event occurred, when, where (source and destination), who or what was involved, and the outcome. Enhancements add additional content: user identity (AU-3(1)), centralized management of planned audit record content (AU-3(2)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-au\">AU-6<\/span><div class=\"si\"><div class=\"sn\">Audit Record Review, Analysis, and Reporting<\/div><div class=\"sd\">Requires review and analysis of audit records for indications of inappropriate or unusual activity. Enhancements add automated integration with SIEM (AU-6(1)), correlation across systems (AU-6(3)), and integration with vulnerability scanning (AU-6(5)). This is the control that drives SIEM\/SOC requirements.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-au\">AU-9<\/span><div class=\"si\"><div class=\"sn\">Protection of Audit Information<\/div><div class=\"sd\">Protects audit logs and tools from unauthorized access, modification, and deletion. The principle: the attacker who can delete logs can hide. Enhancements cover cryptographic protection of audit information (AU-9(3)) and protecting audit information via separate storage (AU-9(2)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-au\">AU-11<\/span><div class=\"si\"><div class=\"sn\">Audit Record Retention<\/div><div class=\"sd\">Retains audit records for [organization-defined time period] to support after-the-fact investigations. The ODP is critical \u2014 organizations must define the retention period. NIST provides no default; sector-specific requirements (HIPAA, PCI DSS, federal) drive this value. 
Common values: 90 days online, 1\u20133 years archived.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-au\">AU-12<\/span><div class=\"si\"><div class=\"sn\">Audit Record Generation<\/div><div class=\"sd\">Requires information systems to generate audit records for the events defined in AU-2. All system components must support audit record generation and compile records from multiple sources. Enhancements add system-wide audit trails (AU-12(1)) and standardized formats.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('si')\">SI-4 (system monitoring)<\/span><span class=\"rl\" onclick=\"nav('ac')\">AC \u2014 Access control<\/span><span class=\"rl\" onclick=\"nav('ir')\">IR \u2014 Incident response<\/span><span class=\"rl\" onclick=\"nav('ca')\">CA \u2014 Assessment<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 CA \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ca\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family CA<\/div>\n  <div class=\"p-title\">Assessment, Authorization <span>&amp; Monitoring<\/span><\/div>\n  <div class=\"p-sub\">9 base controls \u2014 the RMF process controls for authorizing and continuously monitoring systems<\/div>\n  <div class=\"prose\">The CA family governs the <strong>Risk Management Framework (RMF) process<\/strong>: how systems are assessed, how an Authority to Operate (ATO) is obtained, and how ongoing security posture is maintained through continuous monitoring. CA is the family most closely aligned with governance and compliance processes.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ra\">CA-2<\/span><div class=\"si\"><div class=\"sn\">Control Assessments<\/div><div class=\"sd\">Requires a plan for and execution of security control assessments. Assessments must occur before initial operation (initial ATO) and at defined intervals thereafter. 
Enhancements add inclusion of automated tools, specialized assessments (CA-2(2)), and independent assessors (CA-2(1)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">CA-5<\/span><div class=\"si\"><div class=\"sn\">Plan of Action and Milestones<\/div><div class=\"sd\">The POA&amp;M is the formal tracking document for all control deficiencies. It must document the deficiency, responsible party, planned remediation, and target completion date. Updating the POA&amp;M is ongoing \u2014 assessors review it at every assessment. An incomplete POA&amp;M is one of the most common ATO findings.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">CA-6<\/span><div class=\"si\"><div class=\"sn\">Authorization<\/div><div class=\"sd\">The ATO (Authority to Operate) control. An Authorizing Official must formally accept the risk of operating the system. The authorization package includes the SSP, SAR, and POA&amp;M. Authorization decisions are based on risk \u2014 not on whether all controls are implemented, but on whether remaining risk is acceptable.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">CA-7<\/span><div class=\"si\"><div class=\"sn\">Continuous Monitoring<\/div><div class=\"sd\">Ongoing monitoring of control effectiveness, security posture, and changes. Requires a continuous monitoring strategy, ongoing assessments, ongoing remediation, and regular reporting. This is what transforms a point-in-time ATO into a living security program. Enhancements add independent assessment (CA-7(1)) and trend analysis (CA-7(4)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">CA-8<\/span><div class=\"si\"><div class=\"sn\">Penetration Testing<\/div><div class=\"sd\">Required at Moderate and High baselines. Defines the frequency and scope of penetration testing. Enhancements add independent penetration agent (CA-8(1)) and red team exercises (CA-8(2)). 
The control requires acting on pentest findings \u2014 not just conducting the test.<\/div><\/div><\/div>\n  <div class=\"ib\"><div class=\"ibt\">Continuous monitoring vs. point-in-time assessment<\/div><div class=\"ibb\">CA-6 grants the ATO; CA-7 keeps it valid. Many organizations treat the ATO as a milestone \u2014 once granted, the focus shifts away from security rigor. NIST&#8217;s intent is the opposite: the ATO initiates a <strong>continuous monitoring program<\/strong> that provides ongoing visibility into the system&#8217;s actual security posture. The ATO&#8217;s validity depends on continuous monitoring remaining active and effective.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ra')\">RA \u2014 Risk assessment<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM \u2014 Program management<\/span><span class=\"rl\" onclick=\"nav('si')\">SI-4 (monitoring)<\/span><span class=\"rl\" onclick=\"nav('au')\">AU \u2014 Audit<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 RA \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ra\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family RA<\/div>\n  <div class=\"p-title\">Risk <span>Assessment<\/span><\/div>\n  <div class=\"p-sub\">10 base controls governing how threats, vulnerabilities, and risks are identified and evaluated<\/div>\n  <div class=\"prose\">The RA family establishes how the organization identifies and evaluates risks to operations, assets, and individuals. It drives the intelligence-informed security architecture discipline \u2014 <strong>security controls should be selected based on identified risks, not on what&#8217;s easiest to implement<\/strong>. 
RA is the analytical foundation on which CA, PM, and tailoring decisions rest.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ra\">RA-2<\/span><div class=\"si\"><div class=\"sn\">Security Categorization<\/div><div class=\"sd\">Formal categorization of the information system per FIPS 199. This determines baseline selection \u2014 the security category is the input to tailoring. Must be documented in the SSP and approved by the AO. Incorrect categorization (usually under-categorizing) is a systemic risk \u2014 it results in the wrong baseline and systematically under-protected systems.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">RA-3<\/span><div class=\"si\"><div class=\"sn\">Risk Assessment<\/div><div class=\"sd\">A formal assessment of risk to organizational operations, assets, individuals, other organizations, and the nation. Must assess likelihood and impact of threats and vulnerabilities. RA-3 informs which controls to implement, where to augment the baseline, and what residual risks require AO acceptance.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">RA-5<\/span><div class=\"si\"><div class=\"sn\">Vulnerability Monitoring and Scanning<\/div><div class=\"sd\">Requires ongoing vulnerability scanning at organization-defined frequencies and when new vulnerabilities affecting the system are identified. Analyzes and remediates vulnerabilities. Enhancements add privileged access for scans (RA-5(5)), automated trend analysis (RA-5(8)), and reviewing historical audit logs for vulnerabilities (RA-5(10)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">RA-7<\/span><div class=\"si\"><div class=\"sn\">Risk Response<\/div><div class=\"sd\">New in Rev 5. Requires responding to findings from risk assessments with corrective actions. 
Bridges the gap between identifying risk and acting on it \u2014 the control that makes RA-3 operational rather than documentary.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">RA-9<\/span><div class=\"si\"><div class=\"sn\">Criticality Analysis<\/div><div class=\"sd\">New in Rev 5. Identifies critical system components and functions \u2014 the parts whose compromise would have the highest impact. Focuses protection resources on the highest-criticality elements. Supports the supply chain risk management (SR) controls by identifying which components require enhanced supply chain scrutiny.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ca')\">CA \u2014 Assessment<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM \u2014 Program management<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM \u2014 Configuration<\/span><span class=\"rl\" onclick=\"nav('sr')\">SR \u2014 Supply chain<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 PM \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-pm\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family PM<\/div>\n  <div class=\"p-title\">Program <span>Management<\/span><\/div>\n  <div class=\"p-sub\">32 base controls \u2014 the enterprise-level governance and oversight framework for security programs<\/div>\n  <div class=\"prose\">The PM family is unique: its controls operate at the <strong>organizational level<\/strong>, not the system level. PM controls establish the overall security program structure \u2014 governance, risk management, security architecture, workforce, and resource management. They apply to the organization regardless of how many systems it operates. 
PM cannot be satisfied by a single system SSP.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ra\">PM-1<\/span><div class=\"si\"><div class=\"sn\">Information Security Program Plan<\/div><div class=\"sd\">The overarching document that describes the security program. Must address program management controls, describe how the program is implemented, and be reviewed and updated at defined intervals. The program plan is the governance backbone \u2014 it establishes authority and accountability for the entire security program.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">PM-9<\/span><div class=\"si\"><div class=\"sn\">Risk Management Strategy<\/div><div class=\"sd\">Establishes the organization&#8217;s risk tolerance, risk appetite, and the framework for managing risk across all systems. Must be approved at the senior leadership level. The risk management strategy is what makes tailoring decisions defensible \u2014 without it, there&#8217;s no documented basis for risk acceptance.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">PM-11<\/span><div class=\"si\"><div class=\"sn\">Mission and Business Process Definition<\/div><div class=\"sd\">Defines the mission-critical and business-critical processes that the security program must protect. Feeds directly into FIPS 199 categorization by grounding impact levels in actual mission impact \u2014 not abstract definitions.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">PM-30<\/span><div class=\"si\"><div class=\"sn\">Supply Chain Risk Management Strategy<\/div><div class=\"sd\">New in Rev 5. Establishes the organizational supply chain risk management strategy that drives the SR family controls. 
Defines risk tolerance for supply chain risks, accountability, and how supply chain risk integrates with the broader risk management program.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ra\">PM-31<\/span><div class=\"si\"><div class=\"sn\">Insider Threat Program<\/div><div class=\"sd\">Requires an insider threat program that includes a cross-discipline insider threat working group, access to HR data, automatic indicators, and response procedures. Required at Moderate and High baselines. Insider threat is the risk that pure technical controls cannot fully address \u2014 PM-31 establishes the people and process layer.<\/div><\/div><\/div>\n  <div class=\"ib a\"><div class=\"ibt\">PM controls are frequently under-assessed<\/div><div class=\"ibb\">Because PM controls don&#8217;t belong to any single system, they often fall through the cracks in system-level security assessments. In practice, many organizations have robust system-level controls (AC, IA, AU) but weak program-level governance (PM). 
Assessors reviewing an ATO package should verify that PM controls are addressed \u2014 typically in an organization-wide security program plan rather than a system SSP.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ra')\">RA \u2014 Risk assessment<\/span><span class=\"rl\" onclick=\"nav('ca')\">CA \u2014 Authorization<\/span><span class=\"rl\" onclick=\"nav('pl')\">PL \u2014 Planning<\/span><span class=\"rl\" onclick=\"nav('sr')\">SR \u2014 Supply chain<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 CM \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-cm\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family CM<\/div>\n  <div class=\"p-title\">Configuration <span>Management<\/span><\/div>\n  <div class=\"p-sub\">14 base controls governing system baselines, change control, software inventory, and least functionality<\/div>\n  <div class=\"prose\">The CM family establishes control over the technical configuration of information systems. The core discipline is maintaining <strong>known, documented, approved configurations<\/strong> and controlling how those configurations change over time. Configuration drift is one of the most common root causes of security vulnerabilities \u2014 CM controls are the preventive layer.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-cm\">CM-2<\/span><div class=\"si\"><div class=\"sn\">Baseline Configuration<\/div><div class=\"sd\">Documents and maintains a current baseline configuration for each information system component. The baseline is the authoritative reference for what a system is supposed to look like. 
Enhancements add automation (CM-2(2)), review and update triggers (CM-2(3)), and unauthorized software controls (CM-2(7)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">CM-3<\/span><div class=\"si\"><div class=\"sn\">Configuration Change Control<\/div><div class=\"sd\">Establishes a formal change control process for all configuration changes. Changes must be documented, tested, approved, and reviewed. Unauthorized changes are detected and rolled back. This is the control that prevents &#8220;one quick change in prod&#8221; from becoming a persistent vulnerability.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">CM-6<\/span><div class=\"si\"><div class=\"sn\">Configuration Settings<\/div><div class=\"sd\">Requires configuration settings that reflect the most restrictive mode consistent with operational requirements, using security configuration checklists (DISA STIGs, CIS Benchmarks). Forces explicit justification for any deviation from the hardened baseline \u2014 deviation must be documented and approved.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">CM-7<\/span><div class=\"si\"><div class=\"sn\">Least Functionality<\/div><div class=\"sd\">Configure systems to provide only essential capabilities. Prohibit or restrict the use of functions, ports, protocols, services, and programs not required for operation. The configuration equivalent of least privilege for access control. Enhancements add authorized software lists and application deny-listing.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">CM-8<\/span><div class=\"si\"><div class=\"sn\">System Component Inventory<\/div><div class=\"sd\">Maintains an accurate, current inventory of system components. You cannot protect what you don&#8217;t know you have. Enhancements add automated updates, discovery of unauthorized components, and no-duplicate accounting. 
This feeds directly into vulnerability management (RA-5) and supply chain risk (SR).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">CM-14<\/span><div class=\"si\"><div class=\"sn\">Signed Components<\/div><div class=\"sd\">New in Rev 5. Prevents installation of software without verification of the developer or manufacturer&#8217;s digital signature. A direct countermeasure to supply chain attacks that introduce tampered software. Requires code signing enforcement at the OS or deployment pipeline level.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('si')\">SI-2 (flaw remediation)<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA-5 (vulnerability scanning)<\/span><span class=\"rl\" onclick=\"nav('sa')\">SA \u2014 Acquisition<\/span><span class=\"rl\" onclick=\"nav('sr')\">SR \u2014 Supply chain<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 SI \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-si\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family SI<\/div>\n  <div class=\"p-title\">System &amp; Information <span>Integrity<\/span><\/div>\n  <div class=\"p-sub\">23 base controls \u2014 flaw remediation, malware protection, monitoring, and information accuracy<\/div>\n  <div class=\"prose\">The SI family addresses the ongoing trustworthiness of systems and the information they process. It covers <strong>patching, malware defense, intrusion detection, monitoring, and information quality<\/strong>. While CM controls prevent unauthorized change, SI controls detect when changes have occurred or when systems are behaving anomalously \u2014 the detective layer.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-si\">SI-2<\/span><div class=\"si\"><div class=\"sn\">Flaw Remediation<\/div><div class=\"sd\">Identifies, reports, and corrects system flaws. Tests software and firmware updates before installation. 
Installs security-relevant updates within organization-defined time periods after release. The ODP (remediation time period) is among the most important in the catalog \u2014 organizations must define patching SLAs by severity and document them.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-si\">SI-3<\/span><div class=\"si\"><div class=\"sn\">Malicious Code Protection<\/div><div class=\"sd\">Requires malware protection mechanisms at entry and exit points, including workstations, servers, and mobile computing devices. Enhancements add non-signature-based detection, centralized management, and protection during system maintenance.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-si\">SI-4<\/span><div class=\"si\"><div class=\"sn\">System Monitoring<\/div><div class=\"sd\">One of the most critical controls in the catalog. Monitors the system to detect attacks, indicators of potential attacks, and unauthorized connections. Requires identifying unauthorized use, deploying monitoring devices, protecting monitoring information, and heightened monitoring when indications of compromise are detected. The control that drives SIEM and SOC investment.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-si\">SI-5<\/span><div class=\"si\"><div class=\"sn\">Security Alerts, Advisories, and Directives<\/div><div class=\"sd\">Receives, tracks, and disseminates security alerts from external organizations (CISA, sector ISACs, vendors). Implements security directives in accordance with established timeframes. Ensures operational security awareness is continuously updated from external intelligence sources.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-si\">SI-7<\/span><div class=\"si\"><div class=\"sn\">Software, Firmware, and Information Integrity<\/div><div class=\"sd\">Employs integrity verification tools to detect unauthorized changes to software, firmware, and information. 
Enhancements add automated response (SI-7(5)), integration of detection and response (SI-7(7)), and code authentication. This is the control behind file integrity monitoring (FIM) requirements.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-si\">SI-10<\/span><div class=\"si\"><div class=\"sn\">Information Input Validation<\/div><div class=\"sd\">Checks validity of information inputs \u2014 the primary application security control in the 800-53 catalog. Defines what the system does with invalid, unexpected, or erroneous inputs. The NIST control that maps to OWASP input validation requirements for application-layer security.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('cm')\">CM-2\/CM-6 (configuration)<\/span><span class=\"rl\" onclick=\"nav('au')\">AU-6 (audit review)<\/span><span class=\"rl\" onclick=\"nav('ir')\">IR \u2014 Incident response<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA-5 (vulnerability scanning)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 SA \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-sa\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family SA<\/div>\n  <div class=\"p-title\">System &amp; Services <span>Acquisition<\/span><\/div>\n  <div class=\"p-sub\">23 base controls \u2014 security requirements for development, procurement, and outsourcing<\/div>\n  <div class=\"prose\">The SA family governs how organizations <strong>build and buy<\/strong> systems and services. It establishes security requirements that must be incorporated into acquisition contracts, development lifecycle processes, and third-party services. 
SA is the primary family for DevSecOps alignment and cloud service procurement security requirements.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-cm\">SA-4<\/span><div class=\"si\"><div class=\"sn\">Acquisition Process<\/div><div class=\"sd\">Includes security and privacy functional requirements, security strength requirements, security assurance requirements, and developer requirements in acquisition contracts. Requires documentation of design, development, and security test results. The control that gives legal force to security requirements in vendor contracts.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">SA-8<\/span><div class=\"si\"><div class=\"sn\">Security and Privacy Engineering Principles<\/div><div class=\"sd\">Applies established security engineering principles to the development, implementation, modification, and retirement of the information system. Enhancements reference specific principles from NIST SP 800-160. Maps directly to mature security architecture practice \u2014 this is the control that requires security to be designed in, not bolted on.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">SA-11<\/span><div class=\"si\"><div class=\"sn\">Developer Testing and Evaluation<\/div><div class=\"sd\">Requires developers to create and implement a security and privacy assessment plan, perform testing, and provide documentation of results. Enhancements add static analysis (SA-11(1)), threat modeling (SA-11(2)), and dynamic analysis (SA-11(5)). The control that drives SAST\/DAST and security testing requirements in software development.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">SA-15<\/span><div class=\"si\"><div class=\"sn\">Development Process, Standards, and Tools<\/div><div class=\"sd\">Requires a documented development process that addresses security and privacy. 
Mandates the use of development tools with security capabilities and the explicit management of vulnerabilities introduced by tools. The secure SDLC and pipeline security control.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">SA-22<\/span><div class=\"si\"><div class=\"sn\">Unsupported System Components<\/div><div class=\"sd\">Replaces or provides compensating controls for system components that cannot be supported or have reached end-of-life. One of the most practically important controls for large enterprises \u2014 requires documenting and managing every EoL component rather than simply ignoring them.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('cm')\">CM \u2014 Configuration<\/span><span class=\"rl\" onclick=\"nav('sr')\">SR \u2014 Supply chain<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA-9 (criticality analysis)<\/span><span class=\"rl\" onclick=\"nav('si')\">SI-2 (flaw remediation)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 SC \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-sc\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family SC<\/div>\n  <div class=\"p-title\">System &amp; Communications <span>Protection<\/span><\/div>\n  <div class=\"p-sub\">51 base controls \u2014 the largest family, covering network architecture, cryptography, and boundary protection<\/div>\n  <div class=\"prose\">SC is the largest family in the catalog and addresses the technical infrastructure of data protection: <strong>network boundaries, encryption, cryptographic key management, denial-of-service protection, and information in transit<\/strong>. 
SC controls are the technical implementation layer for Zero Trust network architecture and encryption requirements.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-sc\">SC-5<\/span><div class=\"si\"><div class=\"sn\">Denial-of-Service Protection<\/div><div class=\"sd\">Protects against and limits the effects of DoS attacks. Enhancements add capacity and bandwidth management, protection against resource exhaustion, and detection\/reporting. Required at all baseline levels with increasing specificity.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">SC-7<\/span><div class=\"si\"><div class=\"sn\">Boundary Protection<\/div><div class=\"sd\">Monitors and controls communications at external boundaries and key internal boundaries. Requires managed interfaces, deny-by-default connection handling, and fail-secure configurations. Enhancements (SC-7(3)\u2013(29)) cover access points, transmission of system component information, host-based boundary protection, and dynamic isolation\/segregation. One of the most extensively enhanced controls in the catalog.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">SC-8<\/span><div class=\"si\"><div class=\"sn\">Transmission Confidentiality and Integrity<\/div><div class=\"sd\">Implements cryptographic mechanisms to prevent unauthorized disclosure or modification of information during transmission. SC-8(1) requires FIPS-validated cryptographic algorithms. The foundational control for TLS\/mTLS requirements \u2014 all data in transit must be encrypted.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">SC-12<\/span><div class=\"si\"><div class=\"sn\">Cryptographic Key Establishment and Management<\/div><div class=\"sd\">Establishes and manages cryptographic keys when cryptography is employed. The organization must define the key management practices, key lifecycle procedures, key storage requirements, and key recovery procedures. 
A weak key management posture undermines all encryption controls \u2014 SC-12 is the governance control for the entire cryptographic infrastructure.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">SC-28<\/span><div class=\"si\"><div class=\"sn\">Protection of Information at Rest<\/div><div class=\"sd\">Protects the confidentiality and integrity of information at rest. Enhancement SC-28(1) requires cryptographic protection. Drives full-disk encryption and database encryption requirements. SC-28 paired with SC-8 establishes the &#8220;encrypt everything, everywhere&#8221; baseline requirement.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">SC-39<\/span><div class=\"si\"><div class=\"sn\">Process Isolation<\/div><div class=\"sd\">Maintains a separate execution domain for each executing process. Prevents processes from accessing memory space or resources assigned to other processes. The control behind container isolation, hypervisor segmentation, and OS-level process sandboxing requirements.<\/div><\/div><\/div>\n  <div class=\"ib g\"><div class=\"ibt\">SC and Zero Trust alignment<\/div><div class=\"ibb\">SC-7 (boundary protection with microsegmentation enhancements), SC-8 (encrypted transmission including mTLS), SC-28 (encryption at rest), and SC-39 (process isolation) collectively describe the SC-layer requirements for a Zero Trust architecture. 
A ZTA implementation that satisfies NIST 800-207 tenets will simultaneously satisfy large portions of the SC family.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">AC-4 (information flow)<\/span><span class=\"rl\" onclick=\"nav('ia')\">IA-3 (device auth)<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM-7 (least functionality)<\/span><span class=\"rl\" onclick=\"nav('si')\">SI-4 (monitoring)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 PE \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-pe\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family PE<\/div>\n  <div class=\"p-title\">Physical &amp; Environmental <span>Protection<\/span><\/div>\n  <div class=\"p-sub\">23 base controls governing physical access, environmental controls, and facility security<\/div>\n  <div class=\"prose\">The PE family addresses the physical security of facilities and equipment. It governs <strong>physical access authorization, monitoring, visitor management, power protection, temperature and humidity controls, and emergency procedures<\/strong>. Often underweighted in software-centric security programs, physical security remains a foundational layer \u2014 an attacker with physical access bypasses most logical controls.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-gen\">PE-2<\/span><div class=\"si\"><div class=\"sn\">Physical Access Authorizations<\/div><div class=\"sd\">Manages physical access authorizations to facilities containing information systems. Maintains a list of individuals with authorized access, issues authorization credentials, and reviews the list at defined intervals. 
Physical access authorization follows the same lifecycle as logical account management (AC-2) \u2014 joiners, movers, and leavers must be reflected in both.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">PE-3<\/span><div class=\"si\"><div class=\"sn\">Physical Access Control<\/div><div class=\"sd\">Enforces physical access authorizations at entry\/exit points. Inspects individuals entering and exiting facilities. Requires visitor escorts and monitoring. Maintains access logs. Controls must match the sensitivity of the facility \u2014 a data center requires more rigorous controls than an office building.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">PE-6<\/span><div class=\"si\"><div class=\"sn\">Monitoring Physical Access<\/div><div class=\"sd\">Monitors physical access to detect and respond to physical security incidents. Reviews physical access logs and coordinates results with the incident response capability. Enhancements add video surveillance, monitoring at defined physical spaces (PE-6(2)), and automated intrusion recognition (PE-6(4)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">PE-19<\/span><div class=\"si\"><div class=\"sn\">Information Leakage<\/div><div class=\"sd\">Protects the system from information leakage due to electromagnetic signal emanations. TEMPEST control. Required at High baseline for systems in close proximity to adversarial environments. 
Signals intelligence capability is an underappreciated physical threat vector for high-value systems.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">AC-2 (access management)<\/span><span class=\"rl\" onclick=\"nav('ma')\">MA \u2014 Maintenance<\/span><span class=\"rl\" onclick=\"nav('mp')\">MP \u2014 Media protection<\/span><span class=\"rl\" onclick=\"nav('ir')\">IR \u2014 Incident response<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 MA \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ma\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family MA<\/div>\n  <div class=\"p-title\"><span>Maintenance<\/span><\/div>\n  <div class=\"p-sub\">6 base controls governing who can maintain systems, how, from where, and with what tools<\/div>\n  <div class=\"prose\">The MA family controls <strong>system maintenance activities<\/strong> \u2014 both on-site and remote. It addresses who is authorized to perform maintenance, how maintenance is scheduled and recorded, what tools can be used, and how remote maintenance sessions are secured. Maintenance windows are high-risk periods: authorized individuals have elevated access, and unauthorized tools can introduce persistent access mechanisms.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-gen\">MA-2<\/span><div class=\"si\"><div class=\"sn\">Controlled Maintenance<\/div><div class=\"sd\">Schedules, documents, and reviews maintenance. Requires approval, explicit records, and review of completed maintenance activities. The control foundation \u2014 all other MA controls assume MA-2 is in place.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">MA-4<\/span><div class=\"si\"><div class=\"sn\">Nonlocal Maintenance<\/div><div class=\"sd\">Authorizes, monitors, and controls nonlocal (remote) maintenance. 
Requires authentication equivalent to local access, session recording, and documented approval. Enhancements add document authentication (MA-4(2)), comparable security (MA-4(3)), and disconnection verification (MA-4(7)). The control governing all remote admin sessions \u2014 RDP, SSH, jump servers.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">MA-5<\/span><div class=\"si\"><div class=\"sn\">Maintenance Personnel<\/div><div class=\"sd\">Establishes a process for authorizing maintenance personnel and maintaining records of organizations and individuals performing maintenance. Controls what happens when maintenance personnel don&#8217;t have appropriate access authorizations \u2014 requires escort and monitoring during maintenance activities by unauthorized individuals.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">MA-6<\/span><div class=\"si\"><div class=\"sn\">Timely Maintenance<\/div><div class=\"sd\">Obtains maintenance support and spare parts within organization-defined time periods. Ensures that critical systems have an assured supply of spare parts and maintenance support so that recovery objectives (see CP family) can be met. 
Particularly important for systems with long lead times for specialized hardware.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">PE \u2014 Physical access<\/span><span class=\"rl\" onclick=\"nav('ac')\">AC-17 (remote access)<\/span><span class=\"rl\" onclick=\"nav('cp')\">CP \u2014 Contingency planning<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM-3 (change control)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 CP \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-cp\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family CP<\/div>\n  <div class=\"p-title\">Contingency <span>Planning<\/span><\/div>\n  <div class=\"p-sub\">13 base controls governing backup, recovery, testing, and continuity of operations<\/div>\n  <div class=\"prose\">The CP family addresses what happens when systems fail. It governs <strong>contingency plans, backup procedures, alternate processing sites, system recovery, and reconstitution<\/strong>. CP controls ensure that organizations can restore operations within defined time objectives after disruptions \u2014 natural disasters, ransomware, hardware failures, or destructive cyberattacks.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-sc\">CP-2<\/span><div class=\"si\"><div class=\"sn\">Contingency Plan<\/div><div class=\"sd\">Develops, documents, and distributes a contingency plan for the system. Must identify essential missions and business functions, provide recovery objectives, and address alternate processing. The plan must be reviewed and updated after testing and after system changes. The foundation of the entire CP family.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">CP-4<\/span><div class=\"si\"><div class=\"sn\">Contingency Plan Testing<\/div><div class=\"sd\">Tests the contingency plan at defined intervals. Documents results and initiates corrective actions. 
An untested contingency plan is not a contingency plan \u2014 organizations regularly discover that backups don&#8217;t restore, alternate sites aren&#8217;t functional, or key personnel don&#8217;t know their roles during a real event.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">CP-9<\/span><div class=\"si\"><div class=\"sn\">System Backup<\/div><div class=\"sd\">Conducts backups of user-level and system-level information. Defines backup frequency and retains backups for defined periods. Protects backup confidentiality and integrity. Enhancements add cryptographic protection (CP-9(8)) and off-site transfer (CP-9(3)). The control that mandates the 3-2-1 backup strategy at a policy level.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-sc\">CP-10<\/span><div class=\"si\"><div class=\"sn\">System Recovery and Reconstitution<\/div><div class=\"sd\">Provides for the recovery and reconstitution of the system to a known state after a disruption. Defines the point where reconstitution is considered complete. Enhancements address transaction recovery (CP-10(2)), restore within a defined time period (CP-10(4)), and failover capability (CP-10(6)).<\/div><\/div><\/div>\n  <div class=\"ib r\"><div class=\"ibt\">RTO and RPO must be defined and tested, not assumed<\/div><div class=\"ibb\">CP-2 requires documenting recovery time objectives (RTO) and recovery point objectives (RPO). CP-4 requires testing that these are achievable. 
<strong>Many organizations document ambitious RTOs and RPOs they have never validated.<\/strong> A ransomware incident is the wrong time to discover that restoring from backup takes 72 hours, not the 4-hour RTO in the contingency plan.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ir')\">IR \u2014 Incident response<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA-3 (risk assessment)<\/span><span class=\"rl\" onclick=\"nav('si')\">SI-7 (integrity)<\/span><span class=\"rl\" onclick=\"nav('ma')\">MA-6 (timely maintenance)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 IR \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ir\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family IR<\/div>\n  <div class=\"p-title\">Incident <span>Response<\/span><\/div>\n  <div class=\"p-sub\">10 base controls governing detection, reporting, handling, and learning from security incidents<\/div>\n  <div class=\"prose\">The IR family ensures organizations can <strong>detect, contain, eradicate, recover from, and learn from security incidents<\/strong>. It establishes the policy, training, testing, monitoring, and handling procedures that make incident response a repeatable capability rather than an ad-hoc crisis. Paired with AU (audit) and SI-4 (monitoring), IR is the detection-to-response pipeline.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ir\">IR-2<\/span><div class=\"si\"><div class=\"sn\">Incident Response Training<\/div><div class=\"sd\">Provides incident response training before assuming an incident response role, when required by system changes, and at defined frequencies thereafter. Enhancements add simulated events (IR-2(1)) and automated training (IR-2(2)). 
Training must address roles and responsibilities \u2014 a documented plan with untrained personnel provides no real capability.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">IR-3<\/span><div class=\"si\"><div class=\"sn\">Incident Response Testing<\/div><div class=\"sd\">Tests the incident response capability at defined frequencies. Documents and reviews results. Enhancements add coordination with related plans (IR-3(2)). Tabletop exercises, red team exercises, and live-fire simulations all satisfy IR-3 at increasing levels of rigor \u2014 the baseline requires testing, not necessarily the most intensive form.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">IR-4<\/span><div class=\"si\"><div class=\"sn\">Incident Handling<\/div><div class=\"sd\">Implements an incident handling capability covering preparation, detection, analysis, containment, eradication, and recovery. Coordinates with contingency planning (CP family). Enhancements add automated incident handling (IR-4(1)), insider threats (IR-4(6)), correlation with physical incidents (IR-4(7)), and dynamic response capability (IR-4(9)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">IR-5<\/span><div class=\"si\"><div class=\"sn\">Incident Monitoring<\/div><div class=\"sd\">Tracks and documents incidents. Provides a formal record of each incident through its lifecycle. The documentation requirement feeds into post-incident analysis (IR-8) and continuous improvement. Incident statistics also feed the CA-7 continuous monitoring program and PM-level risk reporting.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">IR-8<\/span><div class=\"si\"><div class=\"sn\">Incident Response Plan<\/div><div class=\"sd\">Documents the incident response plan: organizational structure and management commitment, scope, roles and responsibilities, handling of specific incident types, escalation paths, and criteria for declaring a major incident. 
The plan must be distributed, tested, and updated. The governing document for the entire IR capability.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('au')\">AU-6 (audit review)<\/span><span class=\"rl\" onclick=\"nav('si')\">SI-4 (monitoring)<\/span><span class=\"rl\" onclick=\"nav('cp')\">CP \u2014 Contingency<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA-3 (risk assessment)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 AT \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-at\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family AT<\/div>\n  <div class=\"p-title\">Awareness &amp; <span>Training<\/span><\/div>\n  <div class=\"p-sub\">6 base controls governing security literacy, role-based training, and insider threat awareness<\/div>\n  <div class=\"prose\">The AT family ensures that personnel who use, operate, and manage information systems have the <strong>security and privacy awareness and role-based training<\/strong> they need to carry out their responsibilities. Technical controls are only as effective as the people operating them \u2014 AT controls address the human layer of the security architecture.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ia\">AT-2<\/span><div class=\"si\"><div class=\"sn\">Literacy Training and Awareness<\/div><div class=\"sd\">Provides basic security and privacy literacy training to all users before authorizing access, when changes require it, and at defined intervals. Covers recognizing threats (phishing, social engineering), reporting requirements, organizational policies, and individual responsibilities. 
Enhancements add insider threat awareness (AT-2(2)) and social engineering simulations (AT-2(3)).<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">AT-3<\/span><div class=\"si\"><div class=\"sn\">Role-based Training<\/div><div class=\"sd\">Provides role-based security and privacy training before assuming responsibilities, when required by changes, and at defined intervals. Role-based training goes beyond general awareness \u2014 system administrators, security personnel, developers, and executives each receive training appropriate to their security responsibilities and the risks they manage.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">AT-4<\/span><div class=\"si\"><div class=\"sn\">Training Records<\/div><div class=\"sd\">Documents and monitors training activities. Records must be retained and available for audit. The documentation requirement is not bureaucratic box-checking \u2014 it creates accountability and enables verification that high-risk roles are actually trained before accessing sensitive systems.<\/div><\/div><\/div>\n  <div class=\"ib a\"><div class=\"ibt\">AT-2(3): Phishing simulations are now a control requirement<\/div><div class=\"ibb\">Enhancement AT-2(3) requires simulated social engineering and phishing exercises. This makes regular phishing simulation campaigns a compliance requirement \u2014 not just a best practice \u2014 for organizations implementing the Moderate or High baseline. 
Simulation results feed back into training content targeting demonstrated weaknesses.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ps')\">PS \u2014 Personnel security<\/span><span class=\"rl\" onclick=\"nav('ir')\">IR \u2014 Incident response<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM-31 (insider threat)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 PS \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ps\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family PS<\/div>\n  <div class=\"p-title\">Personnel <span>Security<\/span><\/div>\n  <div class=\"p-sub\">9 base controls governing screening, terms of employment, transfers, termination, and sanctions<\/div>\n  <div class=\"prose\">The PS family addresses the human side of security before and after employment. It governs <strong>background screening, access agreements, the rules of behavior, and what happens when employment changes<\/strong>. While technical controls protect against external threats, PS controls reduce insider risk by establishing the personnel management processes that constrain human behavior.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-gen\">PS-3<\/span><div class=\"si\"><div class=\"sn\">Personnel Screening<\/div><div class=\"sd\">Screens individuals before authorizing access. The depth of screening scales with the risk designation of the position. Individuals with privileged access, access to sensitive data, or critical operational roles require more rigorous screening than general users. 
Rescreening at defined conditions (changes in circumstances, defined time periods) is required.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">PS-4<\/span><div class=\"si\"><div class=\"sn\">Personnel Termination<\/div><div class=\"sd\">Disables access, retrieves credentials and equipment, and ensures departed individuals no longer have access within the organization-defined time period after termination. The time period ODP is critical \u2014 immediate vs. end-of-day vs. end-of-week are very different risk postures for insider threat scenarios.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">PS-5<\/span><div class=\"si\"><div class=\"sn\">Personnel Transfer<\/div><div class=\"sd\">Reviews and adjusts logical and physical access authorizations when individuals transfer to different positions. Role changes that reduce privilege must be reflected in access changes \u2014 not just handled via off-boarding at departure. This is the JML (Joiner, Mover, Leaver) &#8220;Mover&#8221; control.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">PS-6<\/span><div class=\"si\"><div class=\"sn\">Access Agreements<\/div><div class=\"sd\">Requires signed access agreements (rules of behavior, acceptable use policies, nondisclosure agreements) before access is granted, and updated agreements when content changes. 
The access agreement is the legal and policy acknowledgment that creates individual accountability for how access is used.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">AC-2 (account management)<\/span><span class=\"rl\" onclick=\"nav('at')\">AT \u2014 Training<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM-31 (insider threat)<\/span><span class=\"rl\" onclick=\"nav('pe')\">PE \u2014 Physical access<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 PL \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-pl\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family PL<\/div>\n  <div class=\"p-title\"><span>Planning<\/span><\/div>\n  <div class=\"p-sub\">11 base controls \u2014 security planning, rules of behavior, architecture, and concept of operations<\/div>\n  <div class=\"prose\">The PL family governs security <strong>planning documents and artifacts<\/strong> at the system level. It requires the organization to think through its security posture, document it formally, and review it periodically. PL controls produce the System Security Plan (SSP), rules of behavior, security architecture documentation, and concept of operations \u2014 the authoritative record of how a system is secured.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ia\">PL-2<\/span><div class=\"si\"><div class=\"sn\">System Security and Privacy Plans<\/div><div class=\"sd\">The SSP \u2014 the central document that describes the system boundary, system environment, security categorization, all implemented controls, and the rationale for tailoring decisions. Required for every system seeking an ATO. 
The SSP must be kept current \u2014 a stale SSP that doesn&#8217;t reflect the current system state is a compliance finding.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">PL-4<\/span><div class=\"si\"><div class=\"sn\">Rules of Behavior<\/div><div class=\"sd\">Establishes and distributes rules of behavior for system users. Defines responsibilities and expected behavior for information and system access. Users sign acknowledgment before access is granted. Pairs with PS-6 (access agreements) \u2014 together they define the behavioral contract for system use.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ia\">PL-8<\/span><div class=\"si\"><div class=\"sn\">Security and Privacy Architectures<\/div><div class=\"sd\">Develops security and privacy architecture for the system that describes the overall philosophy, requirements, and approach for protecting the system. Addresses how the architecture integrates with and supports the enterprise architecture. This is the NIST control that formally requires <strong>documented security architecture<\/strong> \u2014 not just implemented controls, but a documented architectural rationale.<\/div><\/div><\/div>\n  <div class=\"ib\"><div class=\"ibt\">PL-8 is the security architecture control<\/div><div class=\"ibb\">PL-8 requires organizations to <strong>document their security architecture<\/strong> \u2014 the why behind control placement, trust boundary definitions, data flow protections, and integration with enterprise architecture. For mature security programs, PL-8 is where architecture decision records, threat models, and trust zone diagrams live. 
An SSP with only a control checklist and no architectural documentation has not satisfied PL-8.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ca')\">CA \u2014 Authorization<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM \u2014 Program management<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA \u2014 Risk assessment<\/span><span class=\"rl\" onclick=\"nav('sa')\">SA-8 (engineering principles)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 MP \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-mp\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family MP<\/div>\n  <div class=\"p-title\">Media <span>Protection<\/span><\/div>\n  <div class=\"p-sub\">8 base controls governing the handling, transport, sanitization, and disposal of information media<\/div>\n  <div class=\"prose\">The MP family governs physical and digital media \u2014 <strong>how it&#8217;s classified, accessed, transported, sanitized, and disposed of<\/strong>. While cloud-native architectures have reduced removable media risk, MP remains essential for environments handling classified, sensitive, or regulated data where media handling creates real data exfiltration and exposure risks.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-gen\">MP-2<\/span><div class=\"si\"><div class=\"sn\">Media Access<\/div><div class=\"sd\">Restricts access to digital and non-digital media containing sensitive information to authorized individuals. Ties media access control to the same authorization framework as system access control. Prevents unauthorized copying of sensitive data to removable media.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">MP-6<\/span><div class=\"si\"><div class=\"sn\">Media Sanitization<\/div><div class=\"sd\">Sanitizes media before disposal, release outside organizational control, or reuse. 
Sanitization method must match the sensitivity of the data \u2014 overwriting for moderate-sensitivity, physical destruction for high-sensitivity or classified. Enhancements add equipment testing, non-destructive techniques, and controlled unclassified information (CUI) provisions.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-gen\">MP-7<\/span><div class=\"si\"><div class=\"sn\">Media Use<\/div><div class=\"sd\">Restricts or prohibits the use of organization-defined types of system media on information systems. The control that allows organizations to disable USB ports, prohibit removable storage, or restrict the types of media that can be connected. A primary DLP (data loss prevention) control at the endpoint layer.<\/div><\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('pe')\">PE-3 (physical access)<\/span><span class=\"rl\" onclick=\"nav('sc')\">SC-28 (protection at rest)<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM-7 (least functionality)<\/span><span class=\"rl\" onclick=\"nav('ac')\">AC-19 (mobile devices)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 PT \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-pt\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family PT \u00b7 New in Rev 5<\/div>\n  <div class=\"p-title\">PII Processing &amp; <span>Transparency<\/span><\/div>\n  <div class=\"p-sub\">8 base controls \u2014 the privacy family, new in Rev 5, governing PII authority, purpose, consent, and access<\/div>\n  <div class=\"prose\">The PT family is entirely new in Rev 5. It governs the organization&#8217;s <strong>authority to collect and process PII, the purpose for which PII is used, how that purpose is disclosed, consent and privacy preferences, and individual rights to access their own information<\/strong>. 
PT aligns NIST&#8217;s control catalog with modern privacy frameworks including GDPR, CCPA, and the Fair Information Practice Principles (FIPPs).<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-cm\">PT-1<\/span><div class=\"si\"><div class=\"sn\">Policy and Procedures<\/div><div class=\"sd\">Establishes and maintains privacy policy and procedures. The PT family&#8217;s governance foundation \u2014 defines the organizational commitment to privacy and the procedural framework for all other PT controls.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">PT-2<\/span><div class=\"si\"><div class=\"sn\">Authority to Process Personally Identifiable Information<\/div><div class=\"sd\">Identifies and documents the legal authority that permits the collection, use, maintenance, sharing, and disposal of PII. Organizations must be able to point to a legal basis for every PII processing activity. Without documented authority, PII processing is unauthorized \u2014 a direct GDPR Article 6 parallel.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">PT-3<\/span><div class=\"si\"><div class=\"sn\">Personally Identifiable Information Processing Purposes<\/div><div class=\"sd\">Identifies and documents the purpose for which PII is processed. Restricts the processing of PII to only the identified purposes. Connects legal authority (PT-2) to actual processing activities \u2014 organizations must document not just that they can process PII, but why they are processing it.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">PT-5<\/span><div class=\"si\"><div class=\"sn\">Privacy Notice<\/div><div class=\"sd\">Provides notice to individuals about PII processing before or at the time of collection, or as soon as practicable. Covers: what is collected, authority, purpose, how it&#8217;s shared, and individual rights. 
The control that drives privacy policy and consent banner requirements.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-cm\">PT-7<\/span><div class=\"si\"><div class=\"sn\">Specific Categories of Personally Identifiable Information<\/div><div class=\"sd\">Applies additional processing conditions and additional safeguards for categories of PII that require special treatment \u2014 health data, financial data, biometrics, race\/ethnicity, and other sensitive categories. Aligns with GDPR Article 9 special category requirements.<\/div><\/div><\/div>\n  <div class=\"ib p\"><div class=\"ibt\">PT applies regardless of security baseline<\/div><div class=\"ibb\">PT controls are driven by <strong>whether a system processes PII<\/strong> \u2014 not by the system&#8217;s security impact level. A Low-baseline system that processes PII must implement the privacy baseline&#8217;s PT controls. Organizations often miss this because they categorize systems only for security impact (FIPS 199) without separately assessing privacy impact (NISTIR 8062).<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('mp')\">MP \u2014 Media protection<\/span><span class=\"rl\" onclick=\"nav('ac')\">AC-3 (access enforcement)<\/span><span class=\"rl\" onclick=\"nav('au')\">AU \u2014 Audit<\/span><span class=\"rl\" onclick=\"nav('ra')\">RA-3 (risk assessment)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 SR \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-sr\">\n  <div class=\"p-eye\">NIST SP 800-53 Rev 5 \u00b7 Family SR \u00b7 New in Rev 5<\/div>\n  <div class=\"p-title\">Supply Chain Risk <span>Management<\/span><\/div>\n  <div class=\"p-sub\">12 base controls \u2014 the supply chain family, new in Rev 5, governing vendor risk, provenance, and integrity<\/div>\n  <div class=\"prose\">The SR family is entirely new in Rev 5, elevated from scattered references in Rev 4 to a standalone family. 
It governs <strong>supply chain risk management strategy, vendor risk assessment, procurement security requirements, provenance tracking, and component integrity verification<\/strong>. SR was created in direct response to supply chain compromises (SolarWinds, CCleaner, hardware implants) demonstrating that security cannot stop at the organization&#8217;s boundary.<\/div>\n  <h3>Key controls<\/h3>\n  <div class=\"sr\"><span class=\"st t-ir\">SR-2<\/span><div class=\"si\"><div class=\"sn\">Supply Chain Risk Management Plan<\/div><div class=\"sd\">Develops and documents a supply chain risk management plan. The plan must address organizational roles and responsibilities, supplier risk assessment, and how supply chain risks integrate with organizational risk management. Required at all baselines \u2014 the plan drives all other SR controls.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">SR-3<\/span><div class=\"si\"><div class=\"sn\">Supply Chain Controls and Processes<\/div><div class=\"sd\">Establishes and maintains a process or processes to identify, assess, and select suppliers and vendors. Uses multi-tiered risk assessments. Enhancements add qualified supplier lists (SR-3(1)), limited disclosure (SR-3(2)), and primary and alternate suppliers.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">SR-4<\/span><div class=\"si\"><div class=\"sn\">Provenance<\/div><div class=\"sd\">Documents and maintains provenance of systems, components, and associated data. Provenance tracking answers: where did this component come from, who made it, what chain of custody has it followed? Essential for detecting counterfeit components and tampered software. 
Directly addresses the hardware implant threat class.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">SR-6<\/span><div class=\"si\"><div class=\"sn\">Supplier Assessments and Reviews<\/div><div class=\"sd\">Assesses and reviews suppliers at organization-defined frequencies using organization-defined methods. Enhancements add testing and analysis of supply chain elements (SR-6(1)). Supplier assessments are not one-time events at procurement \u2014 they must be ongoing, especially for critical suppliers.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">SR-10<\/span><div class=\"si\"><div class=\"sn\">Inspection of Systems or Components<\/div><div class=\"sd\">Inspects systems or components before and after installation and at defined intervals. The physical inspection control \u2014 looking for evidence of tampering, unexpected components, or physical modifications. Particularly relevant for systems deployed in remote or exposed locations.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st t-ir\">SR-11<\/span><div class=\"si\"><div class=\"sn\">Component Authenticity<\/div><div class=\"sd\">Employs mechanisms to detect counterfeit components. Reports counterfeit components to defined external organizations. Enhancements add anti-counterfeit scanning, configuration control for component service and repair, and anti-counterfeit training. Counterfeit components introduced through legitimate maintenance channels are a real and documented threat vector.<\/div><\/div><\/div>\n  <div class=\"ib r\"><div class=\"ibt\">SR requires RA-9 (criticality analysis) as a prerequisite<\/div><div class=\"ibb\">Supply chain controls must be prioritized \u2014 you cannot apply full SR rigor to every vendor and every component. <strong>RA-9 (criticality analysis)<\/strong> identifies which components are most critical to mission and most attractive to adversaries. SR controls are then applied most rigorously to critical components. 
Without a criticality analysis, SR implementation degenerates into either checkbox compliance or unsustainable overhead.<\/div><\/div>\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ra')\">RA-9 (criticality analysis)<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM-8 (component inventory)<\/span><span class=\"rl\" onclick=\"nav('cm')\">CM-14 (signed components)<\/span><span class=\"rl\" onclick=\"nav('sa')\">SA-4 (acquisition)<\/span><span class=\"rl\" onclick=\"nav('pm')\">PM-30 (SCRM strategy)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550 NIST DOC \u2550\u2550 -->\n<div class=\"panel\" id=\"panel-nist\">\n  <div class=\"p-eye\">Source document<\/div>\n  <div class=\"p-title\">NIST SP <span>800-53<\/span><\/div>\n  <div class=\"p-sub\">Security and Privacy Controls for Information Systems and Organizations \u2014 Revision 5, September 2020<\/div>\n  <div class=\"ib\" style=\"margin-top:8px\">\n    <div class=\"ibt\">About this document<\/div>\n    <div class=\"ibb\">NIST Special Publication 800-53 Rev 5 defines the comprehensive catalog of security and privacy controls for protecting federal information systems and organizations. Published September 23, 2020, it represents the most significant revision since Rev 4 (2013). It is sector-neutral, technology-neutral, and integrates privacy controls throughout. 
The companion document SP 800-53B (October 2020) provides the security and privacy control baselines.<\/div>\n  <\/div>\n  <div style=\"margin-top:28px;display:flex;flex-direction:column;gap:12px;\">\n    <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--cyan);color:#000;font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\u2197 &nbsp;Open SP 800-53 Rev 5 PDF<\/a>\n    <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53B.pdf\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--surf);border:1px solid var(--border2);color:var(--cyan);font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\u2197 &nbsp;Open SP 800-53B (Baselines) PDF<\/a>\n    <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/final\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--surf);border:1px solid var(--border2);color:var(--cyan);font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\u2197 &nbsp;NIST CSRC Publication Page<\/a>\n  <\/div>\n  <div class=\"divider\"><\/div>\n  <h3>Related publications<\/h3>\n  <div class=\"tbl-wrap\"><table>\n    <thead><tr><th>Publication<\/th><th>Relationship to 800-53<\/th><\/tr><\/thead>\n    <tbody>\n      <tr><td>SP 800-53B<\/td><td>Companion document containing Low, Moderate, and High control baselines. 
Released October 2020.<\/td><\/tr>\n      <tr><td>SP 800-53A Rev 5<\/td><td>Assessment procedures \u2014 how to assess whether each control is implemented correctly.<\/td><\/tr>\n      <tr><td>SP 800-37 Rev 2<\/td><td>Risk Management Framework \u2014 the process that uses 800-53 for control selection (Step 2) and assessment (Step 5).<\/td><\/tr>\n      <tr><td>FIPS 199<\/td><td>Security categorization standards that determine which baseline to apply.<\/td><\/tr>\n      <tr><td>SP 800-160<\/td><td>Systems security engineering \u2014 engineering principles referenced by SA-8.<\/td><\/tr>\n      <tr><td>SP 800-207<\/td><td>Zero Trust Architecture \u2014 describes the implementation model that satisfies many AC, IA, SC, and SI controls.<\/td><\/tr>\n      <tr><td>SP 800-63<\/td><td>Digital identity guidelines \u2014 the technical standard referenced by IA-2, IA-5, and IA-12.<\/td><\/tr>\n    <\/tbody>\n  <\/table><\/div>\n  <div class=\"divider\"><\/div>\n  <div class=\"prose\"><strong>Full citation:<\/strong> Joint Task Force. (2020). <em>Security and Privacy Controls for Information Systems and Organizations<\/em> (NIST Special Publication 800-53, Rev. 5). National Institute of Standards and Technology. https:\/\/doi.org\/10.6028\/NIST.SP.800-53r5<\/div>\n<\/div>\n\n<\/main>\n<\/div>\n\n<script>\nfunction toggleMenu() {\n  var sb = document.getElementById('sidebar');\n  var btn = document.getElementById('menuBtn');\n  var ov = document.getElementById('sbOverlay');\n  var open = sb.classList.toggle('open');\n  btn.classList.toggle('open', open);\n  ov.classList.toggle('open', open);\n  document.body.style.overflow = open ? 'hidden' : '';\n}\nfunction closeMenu() {\n  var sb = document.getElementById('sidebar');\n  if (sb.classList.contains('open')) toggleMenu();\n}\nfunction toggleTheme() {\n  var isLight = document.body.classList.toggle('light');\n  document.getElementById('themeBtn').textContent = isLight ? 
'\u263e Dark' : '\u2600 Light';\n}\nvar fontScale = 100;\nvar fontSteps = [80, 90, 100, 110, 120, 135, 150, 170];\nfunction adjFont(dir) {\n  if (dir === 0) { fontScale = 100; }\n  else {\n    var idx = fontSteps.indexOf(fontScale);\n    if (idx === -1) idx = 2;\n    idx = Math.max(0, Math.min(fontSteps.length - 1, idx + dir));\n    fontScale = fontSteps[idx];\n  }\n  document.querySelector('.main').style.zoom = (fontScale \/ 100);\n  if (window.innerWidth > 900) {\n    document.querySelector('.sidebar').style.zoom = (fontScale \/ 100);\n  }\n}\nfunction nav(id) {\n  document.querySelectorAll('.panel').forEach(p => p.classList.remove('active'));\n  document.querySelectorAll('.ni').forEach(n => n.classList.remove('active'));\n  var panel = document.getElementById('panel-' + id);\n  if (panel) { panel.classList.add('active'); panel.closest('.main').scrollTop = 0; }\n  document.querySelectorAll('.ni').forEach(function(n) {\n    var oc = n.getAttribute('onclick') || '';\n    if (oc.indexOf(\"'\" + id + \"'\") !== -1) n.classList.add('active');\n  });\n  closeMenu();\n}\n<\/script>\n<\/body>\n<\/html>\n\n","protected":false},"excerpt":{"rendered":"<p>NIST SP 800-53 \u2014 Security and Privacy Controls NIST Special Publication 800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations Size A\u2212 A A+ \u2600 Light Overview Introduction What&#8217;s New in Rev 5 Control Structure Baselines &amp; Impact Levels Tailoring &amp; Overlays Identity &amp; Access AC \u2014 Access Control IA \u2014 Identification &amp;&hellip; <br \/> <a class=\"read-more\" href=\"https:\/\/www-geek.com\/index.php\/800-53\/\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"pro\/page-templates\/landing-page.php","meta":{"footnotes":""},"class_list":["post-64","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/64","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/comments?post=64"}],"version-history":[{"count":1,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/64\/revisions"}],"predecessor-version":[{"id":65,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/64\/revisions\/65"}],"wp:attachment":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/media?parent=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}