NIST Special Publication 800-53 is the authoritative catalog of security and privacy controls for federal information systems. The catalog was originally published in 2005 and substantially restructured as Revision 5 in 2020; the current version, 5.2.0 (August 2025), contains 1,007 controls and control enhancements across 20 control families.
Scope and Applicability
NIST 800-53 is mandatory for federal agencies under FISMA and serves as the foundation for multiple compliance frameworks.
Federal agencies must implement appropriate controls based on system categorization. Government contractors are bound by contractual requirements when operating federal IT systems. Cloud service providers must comply through FedRAMP authorization. Defense contractors typically follow the derived NIST 800-171 standard through CMMC.
Control Families
Rev 5 expanded to 20 control families with the addition of PII Processing and Transparency (PT) and Supply Chain Risk Management (SR).
| ID | Family | Description |
|---|---|---|
| AC | Access Control | Authorization and access management |
| AT | Awareness and Training | Security education programs |
| AU | Audit and Accountability | Logging and monitoring |
| CA | Assessment, Authorization, and Monitoring | Continuous security assessment |
| CM | Configuration Management | Baseline configurations and change control |
| CP | Contingency Planning | Business continuity and disaster recovery |
| IA | Identification and Authentication | Identity verification |
| IR | Incident Response | Security incident handling |
| MA | Maintenance | System maintenance controls |
| MP | Media Protection | Physical media security |
| PE | Physical and Environmental Protection | Facility protection |
| PL | Planning | Security planning documentation |
| PM | Program Management | Organization-wide security program |
| PS | Personnel Security | Background checks and termination |
| PT | PII Processing and Transparency | Privacy controls (new in Rev 5) |
| RA | Risk Assessment | Risk identification and analysis |
| SA | System and Services Acquisition | Secure development lifecycle |
| SC | System and Communications Protection | Network and encryption |
| SI | System and Information Integrity | Malware protection, patching |
| SR | Supply Chain Risk Management | Third-party security (new in Rev 5) |
Security Categorization
Systems are categorized using FIPS 199 based on the potential impact of a loss of confidentiality, integrity, or availability. The highest rating among the three objectives (the high-water mark) determines the overall system impact level, which in turn selects the control baseline.
| Impact Level | Definition | Baseline Controls |
|---|---|---|
| Low | Limited adverse effect | 149 controls |
| Moderate | Serious adverse effect | 287 controls |
| High | Severe or catastrophic effect | 370 controls |
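The categorization rule above is mechanical enough to encode. The following is an added example, not code from NIST or from the original page: it models a FIPS 199 security category, applies the high-water mark across the three objectives, and maps the result to the baseline control counts quoted in the table. It goes one step beyond the text by first aggregating several information types into a single system category (per objective, the system inherits the highest level of any information type it processes, which is how FIPS 199 derives a system's category). The information types and their ratings are constructed sample data.

```python
"""FIPS 199 high-water-mark categorization and SP 800-53B baseline selection.

Added example; not taken from NIST SP 800-53, FIPS 199 or any NIST tooling.
Baseline control counts are the figures quoted in the table above.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # ordered lowest to highest
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Number of controls in each SP 800-53B baseline, as quoted on this page.
BASELINE_CONTROL_COUNTS = {"low": 149, "moderate": 287, "high": 370}


def _highest(levels) -> str:
    """Return the highest impact level in an iterable (the high-water mark)."""
    return max(levels, key=LEVELS.index)


@dataclass(frozen=True)
class SecurityCategory:
    """A FIPS 199 security category: one impact level per objective."""

    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject anything outside the three defined impact levels early,
        # so a typo such as "critical" cannot silently become a baseline.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(
                    f"{objective}: unknown impact level {level!r}; expected one of {LEVELS}"
                )

    def overall(self) -> str:
        """Overall impact level: the high-water mark across C, I and A."""
        return _highest(getattr(self, o) for o in OBJECTIVES)

    def __str__(self) -> str:
        # FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}
        parts = ", ".join(f"({o}, {getattr(self, o).upper()})" for o in OBJECTIVES)
        return f"SC = {{{parts}}}"


def system_category(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Derive the system's category from the information types it processes.

    For each objective, the system takes the highest level assigned to any
    of its information types.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        **{o: _highest(getattr(sc, o) for sc in info_types.values()) for o in OBJECTIVES}
    )


def baseline_for(info_types: dict[str, SecurityCategory]) -> tuple[str, int]:
    """Overall impact level and the size of the matching SP 800-53B baseline."""
    level = system_category(info_types).overall()
    return level, BASELINE_CONTROL_COUNTS[level]


# Constructed sample input: three hypothetical information types on one system.
SAMPLE_INFO_TYPES = {
    "public web content": SecurityCategory("low", "moderate", "moderate"),
    "case files": SecurityCategory("moderate", "moderate", "low"),
    "payroll records": SecurityCategory("moderate", "high", "low"),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_INFO_TYPES.items():
        print(f"{name:20s} {sc}  -> {sc.overall()}")
    system_sc = system_category(SAMPLE_INFO_TYPES)
    level, count = baseline_for(SAMPLE_INFO_TYPES)
    print(f"system               {system_sc}")
    print(f"overall impact: {level}, baseline: {count} controls")
```

Note that a single high rating on any one objective of any one information type pulls the whole system to the high baseline; in the sample, the integrity rating of the payroll records alone does this, which is why tailoring and documented risk assessments (discussed later on this page) matter in practice.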
Rev 5 Key Changes
The 2020 revision made significant structural changes. Controls are now outcome-based rather than entity-specific. Privacy controls are fully integrated rather than in a separate appendix. Control baselines were moved to SP 800-53B. Two new control families address privacy and supply chain risk.
Version 5.2.0 Updates (August 2025)
The latest update aligns with Executive Order 14306 on software security. It includes revised discussion sections with enhanced implementation examples. Updated controls include all -01 (policy and procedures) controls, AU-02, AU-03, CA-07, IR-04, IR-06, IR-08, SA-15, and SI-02. New assessment procedures were added for SA-15(13), SA-24, and SI-02(07).
Relationship to Other Frameworks
NIST 800-53 serves as the parent framework for several derivative standards.
FedRAMP applies 800-53 controls specifically to cloud services, with additional requirements. NIST 800-171 derives 97 requirements from 800-53 for protecting CUI in non-federal systems. CMMC builds its certification levels on the 800-171 requirements. StateRAMP and TX-RAMP apply similar controls at the state level.
Achieving compliance with one framework does not automatically satisfy another due to different scoping and verification requirements.
Implementation Timeline
Existing systems must be compliant within one year of a new revision's publication. New systems must be compliant at deployment. Organizations may tailor controls based on mission needs and documented risk assessments.
AI Security Controls
NIST has launched the COSAi (Control Overlays for Securing AI Systems) project to address AI-specific security concerns. The initiative covers model integrity, data provenance, adversarial robustness, and transparency. A Cyber AI Profile is available for public comment following a January 2026 NCCoE workshop.
Resources
Organizations should reference SP 800-53B for control baselines and tailoring guidance. FIPS 199 and NIST SP 800-60 provide system categorization guidance. The NIST OLIR catalog contains mappings to other frameworks including CSF v2.0.