NIST 800-53 Controls
NIST SP 800-53 is a catalogue of security and privacy controls for information systems. The controls span management, operational and technical safeguards that organisations implement to protect the confidentiality, integrity and availability of their systems and the privacy of the individuals whose data those systems process.
The controls themselves are not graded by impact. Instead, a system is first categorised under FIPS 199 according to the potential impact of a loss of confidentiality, integrity or availability, and that categorisation selects one of three control baselines defined in NIST SP 800-53B:
- High impact
- Moderate impact
- Low impact
How many NIST 800-53 controls are there?
NIST 800-53 (Revision 5) organises its controls into 20 control families. Counting base controls by identifier across all families gives 322 controls; control enhancements are numbered separately and are not included in that figure. Not every control in a family applies to every organisation, so an organisation starts from the baseline that matches its system categorisation and then tailors it, adding, removing or scoping controls to fit its mission, environment and risk assessment.
NIST 800-53 control families
AC – Access Control
25 controls covering activities such as policies and procedures, account management, separation of duties and the principle of least privilege.
AT – Awareness and Training
6 controls covering awareness and security training across all employees, as well as more technical training for privileged users.
AU – Audit and Accountability
16 controls addressing the auditing and retention of records, as well as associated analysis, review and reporting.
CA – Assessment, Authorisation and Monitoring
9 controls relating to control assessments, system authorisation, plans of action and milestones, continuous monitoring, penetration testing and the monitoring of internal and external system connections.
CM – Configuration Management
14 controls covering configuration change, data action mapping and setting software policies.
CP – Contingency Planning
13 controls relating to the creation, testing and implementation of business continuity strategies, as well as alternative solutions for data processing and storage.
IA – Identification and Authentication
12 controls addressing the management of credentials, implementation of authentication policies and creation of systems for users, devices and services.
IR – Incident Response
10 controls for establishing incident response education and training, as well as associated monitoring systems and reporting processes.
MA – Maintenance
7 controls relating to controlled maintenance of systems, including maintenance tools, non-local (remote) maintenance and the authorisation of maintenance personnel.
MP – Media Protection
8 controls on securing and protecting the access, use, storage and transportation of media.
PE – Physical and Environmental Protection
23 controls relating to protection against physical risk and damage, including access to emergency power and securing physical access in an incident.
PL – Planning
11 controls for putting strategies in place to maintain a comprehensive security architecture, including impact assessments, activity planning and rules of behaviour.
PM – Programme Management
32 controls dedicated to programme-level activities such as risk management strategy, insider threat programmes and enterprise architecture.
PS – Personnel Security
9 controls for addressing the requirements for screening personnel (both internal and external), transferring personnel and terminating personnel, as well as position risk designation.
PT – Personally Identifiable Information Processing and Transparency
8 controls addressing the creation of privacy notices, achieving consent and processing personally identifiable information.
RA – Risk Assessment
10 controls relating to vulnerability scanning, risk assessments and privacy impact assessments.
SA – System and Services Acquisition
23 controls for the acquisition processes, allocation of resources and system development lifecycle, among others.
SC – System and Communications Protection
51 controls addressing activities such as application partitioning, boundary protection, protecting the confidentiality and integrity of transmitted data, cryptographic protection and cryptographic key management.
SI – System and Information Integrity
23 controls relating to the implementation of system monitoring, alerting systems, spam protection and flaw remediation processes.
SR – Supply Chain Risk Management
12 controls covering supplier assessments and reviews, supply chain risk management plans, notification agreements and the inspection of systems or components.
Implementing NIST 800-53 Controls
With 20 families and over 300 controls, implementing the necessary control families may seem daunting. However, the Hicomply platform enables organisations to prioritise activities with greater accuracy and visibility. Easily establish your baseline controls and monitor control performance to ensure continued compliance.
Learn more about the NIST 800-53 framework in our NIST 800-53 Information Hub.
Ready to Take Control of Your Privacy Compliance?
Book a demo and experience the difference with Hicomply.