
NIST SP 800-53 Control Families, Explained

Learn the basics of the 20 control families set forth in NIST SP 800-53. Each control family covers an essential facet of system security.

by Drata

April 15, 2025
Contents

  • NIST SP 800-53 Rev. 5: What Changed

  • The NIST 800-53 Control Families

  • NIST 800-53 Compliance, Simplified

  • NIST 800-53 Control Families Frequently Asked Questions (FAQs)

The world has moved online and so have many of the risks that come with running a business. In the never-ending cybersecurity arms race, security-focused companies look for reliable guidance on how to protect their systems. NIST Special Publication 800-53 is one of the most widely used sources of that guidance.

This government publication catalogs hundreds of security and privacy controls, grouped into control families: clusters of controls that each address one facet of security or privacy practice. The current version of SP 800-53 has 20 control families. Not every control applies to every system: federal systems select controls from the baselines in the companion publication SP 800-53B according to their impact level and then tailor that selection, so the families are a catalog to choose from, not a checklist to complete in full.

It’s a dense publication, but 800-53 is worth understanding because it covers so many foundational practices and concepts. To save you some time, we’ve put together a list of NIST SP 800-53 control families and included an overview of why each one matters and what it includes. 

What is NIST SP 800-53?

The National Institute of Standards and Technology (NIST) has many duties, including developing information security standards and minimum security requirements for federal systems. The agency publishes its recommended controls in Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.

The guidelines set forth in SP 800-53 are intended to protect federal information and information systems: federal agencies are required under FISMA to comply with NIST standards. However, the document is public, and any private organization may use it. Many organizations with no ties to the federal government opt to follow NIST SP 800-53 because it is a thorough and trustworthy guide that is revised as the security landscape changes.

NIST 800-53 vs NIST CSF

Special Publication 800-53 is not the only security guidance released by NIST. The NIST Cybersecurity Framework (NIST CSF) also contains valuable security guidance. Organizations can (and do) use both to secure their systems.

NIST CSF and SP 800-53 were created to fulfill different goals and, thus, take different approaches. CSF is voluntary for private-sector organizations, whereas SP 800-53 is mandatory for federal information systems. CSF is also higher-level and more abstract: CSF 2.0 describes desired outcomes under six core functions (govern, identify, protect, detect, respond, and recover). SP 800-53 sets out control families, groups of specific safeguards (called controls) that organizations implement to meet those kinds of goals. Additionally, while 800-53 was written for federal agencies, CSF was written to apply to organizations of all types and sizes.

If you're comparing CSF and 800-53 to see which is "best" for your organization, there's no need to choose. The two are complementary: CSF's informative references map its outcomes to 800-53 controls, so 800-53 helps you translate CSF's abstract outcomes into concrete practices.

NIST 800-53 vs NIST 800-171

Special Publication 800-171 contains cybersecurity requirements for nonfederal organizations, typically federal contractors, that store, process, or transmit controlled unclassified information (CUI). CUI is information that a law, regulation, or government-wide policy requires to be safeguarded or shared only under controls, but that is not classified. It may include personally identifiable information (PII), proprietary business data, and export-controlled technical data.

Like 800-53, 800-171 organizes its requirements into families. Revision 2 of 800-171 has 14 families (Revision 3, published in 2024, expanded this to 17), whereas 800-53 has 20. 800-171 is scoped to protecting the confidentiality of CUI on nonfederal systems, whereas 800-53 has a wider mandate covering confidentiality, integrity, and availability as well as privacy. 800-171's requirements are in fact derived from the 800-53 moderate baseline, tailored to drop controls that are not directly about protecting CUI. Some organizations, especially smaller contractors whose only sensitive data is CUI, may find 800-171 sufficient for their needs; 800-53 is more detailed and is the better fit where the full range of security and privacy objectives matters.

NIST SP 800-53 Rev. 5: What Changed

In September 2020, 800-53 Revision 5 was released with updates that recognized changing cybersecurity needs. The most notable differences are:

  • New control families: Personally Identifiable Information Processing and Transparency (PT) and Supply Chain Risk Management (SR), reflecting an increased focus on privacy and supply chain risk management.

  • New and revised controls: Existing families gained controls and guidance on governance and accountability, secure system design and survivability, and cyber resilience. Privacy controls that earlier revisions kept in a separate appendix were integrated into the main catalog.

  • Supplementary publication: SP 800-53B, published alongside Revision 5, moves the control baselines out of the main catalog. It defines three security control baselines (low, moderate, and high impact) plus a privacy control baseline, and provides guidance on tailoring a baseline to an organization's actual risk and mission.

  • Updated language: Revision 5 made control statements outcome-based by removing the entity responsible for satisfying each control (for example, "the organization" or "the information system") from the control text. Organizations can decide for themselves who or what satisfies a control and collaborate toward the outcome. This also makes the catalog easier for non-government entities to adopt, since earlier revisions were written around roles common to federal agencies.

Revision 4 was withdrawn in September 2021, so any organization still aligned to it should move to Revision 5 to ensure its cybersecurity efforts meet the needs of the moment.
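Baselines and tailoring are easiest to understand with a concrete selection run. The following is an added example written for this article, not code from NIST or Drata. It uses a constructed mini-catalog in the shape of 800-53 and 800-53B (the identifiers are real 800-53 control IDs, but their baseline membership here is illustrative; consult SP 800-53B for the authoritative baselines), selects a baseline by impact level, applies recorded tailoring decisions, and enforces one rule practitioners often miss: a control enhancement such as AC-2(1) cannot be selected without its base control AC-2.

```python
import re
from dataclasses import dataclass

BASELINES = ("low", "moderate", "high")

# Constructed mini-catalog: control id -> (family, baselines it appears in).
# Baseline membership is illustrative only; SP 800-53B is authoritative.
CATALOG = {
    "AC-1": ("AC", {"low", "moderate", "high"}),
    "AC-2": ("AC", {"low", "moderate", "high"}),
    "AC-2(1)": ("AC", {"moderate", "high"}),
    "AC-2(2)": ("AC", {"moderate", "high"}),
    "AC-2(11)": ("AC", {"high"}),
    "AU-2": ("AU", {"low", "moderate", "high"}),
    "AU-9": ("AU", {"low", "moderate", "high"}),
    "AU-9(2)": ("AU", {"high"}),
    "SR-3": ("SR", {"low", "moderate", "high"}),
    # Privacy controls are selected via the privacy baseline, not an impact level.
    "PT-2": ("PT", set()),
}

# 800-53 identifier shape: FAMILY-NUMBER with an optional (ENHANCEMENT) suffix.
_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def parse_control_id(cid):
    """Split 'AC-2(11)' into ('AC', 2, 11); enhancement is None for a base control."""
    m = _ID.match(cid)
    if not m:
        raise ValueError(f"not a control identifier: {cid!r}")
    family, number, enh = m.groups()
    return family, int(number), (int(enh) if enh is not None else None)


def base_control(cid):
    family, number, _ = parse_control_id(cid)
    return f"{family}-{number}"


def select_baseline(catalog, level):
    """Initial control set for a system at the given impact level."""
    if level not in BASELINES:
        raise ValueError(f"unknown baseline {level!r}; expected one of {BASELINES}")
    return {cid for cid, (_family, levels) in catalog.items() if level in levels}


@dataclass(frozen=True)
class Tailoring:
    control: str
    action: str     # "add" (supplement the baseline) or "remove" (not applicable)
    rationale: str  # always recorded: assessors will ask why a control was dropped


def tailor(selected, decisions):
    """Apply tailoring decisions and check the result is internally consistent."""
    result = set(selected)
    for d in decisions:
        if d.action == "add":
            result.add(d.control)
        elif d.action == "remove":
            result.discard(d.control)
        else:
            raise ValueError(f"unknown tailoring action {d.action!r}")
    # An enhancement only makes sense on top of its base control.
    for cid in result:
        if parse_control_id(cid)[2] is not None and base_control(cid) not in result:
            raise ValueError(f"{cid} is selected but its base control {base_control(cid)} is not")
    return result


def by_family(selected):
    """Group a control set by family, ordered by control number then enhancement."""
    grouped = {}
    for cid in selected:
        family, number, enh = parse_control_id(cid)
        grouped.setdefault(family, []).append((number, enh or 0, cid))
    return {f: [cid for _, _, cid in sorted(items)] for f, items in sorted(grouped.items())}


if __name__ == "__main__":
    low = select_baseline(CATALOG, "low")
    decisions = [
        Tailoring("AU-9(2)", "add", "logs replicated to a separate account per internal policy"),
        Tailoring("SR-3", "remove", "no hardware procurement in scope; compensated by SR-3 at parent org"),
    ]
    print(by_family(tailor(low, decisions)))
```

Running the tailoring step with a decision that removes AC-2 from the moderate baseline raises an error, because AC-2(1) and AC-2(2) would be left dangling. That is the kind of consistency check worth automating before a control set reaches an assessor.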

The NIST 800-53 Control Families

With the new control families added in revision 5, SP 800-53 now includes 20 control families. Each control family included by NIST is considered a foundational element of a strong cybersecurity program. 

Read on for an overview of each.

AC: Access Control

The Access Control family covers restricting access to systems and data to authorized users, processes, and devices, and only to the extent their role requires (least privilege). PII and other sensitive information should be reachable only by those whose jobs require them to work with it. The family covers account management (provisioning, periodic account review, and removal), access enforcement, separation of duties, session controls, and remote and wireless access. Access decisions also need to be visible: the account reviews in this family, together with the records kept under the Audit and Accountability family, show who can reach and has reached which systems, and help prevent unauthorized access.

AT: Awareness and Training

This control family gives guidance for training all individuals who interact with secure information systems, whether as architects or users. Its controls cover details such as creating training policies, types of training that should be offered, and documentation needs.

AU: Audit and Accountability

The controls in the Audit and Accountability family cover how to create and maintain trustworthy logs. A secure organization should be able to see who accessed or changed data or systems, and when. These controls walk organizations through choosing which events to log, capturing enough detail in each audit record to reconstruct what happened, retaining and reviewing the records, and protecting the logs themselves from unauthorized modification or deletion so that they remain usable as evidence.
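Protecting logs from unauthorized edits is a technical requirement, not just a policy statement. One common approach is a hash chain: each record carries an HMAC over its own content plus the previous record's HMAC, so altering, deleting, or reordering any record breaks the chain for everything after it. The following is an added example written for this article, not code from the page's author or from NIST. The key, the event records, and the timestamps are all constructed; the assumed deployment is that the key and the latest anchor value live with a separate log collector, not with the system that writes the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-link for the first record (constructed sentinel)
FIELDS = ("seq", "ts", "event", "prev")


def _canonical(record):
    # Canonical JSON so every verifier hashes exactly the same bytes.
    body = {k: record[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_for(key, record):
    """HMAC-SHA256 over the record's canonical form (which includes the prev link)."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


class ChainedAuditLog:
    """Append-only log where each record is MACed together with its predecessor's MAC."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, ts, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "ts": ts, "event": event, "prev": prev}
        record["mac"] = mac_for(self._key, record)
        self.entries.append(record)
        return record

    def anchor(self):
        """MAC of the latest record. Store it out of band so tail truncation is detectable."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries, key, anchor=None):
    """Return (ok, index_of_first_problem, reason)."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        if not all(k in rec for k in FIELDS) or "mac" not in rec:
            return (False, i, "malformed record")
        if rec["seq"] != i:
            return (False, i, "sequence gap or reordering")
        if rec["prev"] != prev:
            return (False, i, "broken chain link")
        if not hmac.compare_digest(mac_for(key, rec), rec["mac"]):
            return (False, i, "mac mismatch (record altered or wrong key)")
        prev = rec["mac"]
    # The chain alone cannot detect a truncated tail; the out-of-band anchor can.
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return (False, len(entries), "tail truncated (anchor mismatch)")
    return (True, None, "ok")


# Constructed demo key; in practice it is held by the collector, never by the log writer.
KEY = b"demo-key-keep-this-out-of-the-log-store"


def build_sample_log(key):
    """Three constructed audit events, in the order they occurred."""
    log = ChainedAuditLog(key)
    log.append("2025-04-15T10:00:00Z", {"user": "alice", "action": "login", "result": "success"})
    log.append("2025-04-15T10:02:13Z", {"user": "alice", "action": "read", "object": "hr/payroll.csv"})
    log.append("2025-04-15T10:05:40Z", {"user": "bob", "action": "login", "result": "failure"})
    return log


if __name__ == "__main__":
    log = build_sample_log(KEY)
    print(verify_chain(log.entries, KEY, log.anchor()))
    log.entries[1]["event"]["object"] = "public/readme.txt"  # an insider rewrites history
    print(verify_chain(log.entries, KEY, log.anchor()))
```

Two caveats worth noting. First, a MAC chain only proves integrity to someone who holds the key; if the log writer also holds it, a compromised writer can rewrite and re-sign the whole chain, which is why the key (or a signing key, if non-repudiation toward third parties is needed) belongs with the collector. Second, deleting the newest records leaves a perfectly valid shorter chain, so the anchor check, or forwarding records to a second system as they are written, is what closes that gap.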

CA: Assessment, Authorization, and Monitoring

This family covers assessing whether controls are implemented and working, authorizing a system to operate based on that assessment and the remaining risk, and then monitoring continuously so that the authorization stays justified. Cybersecurity is an evolving field, and the most secure systems are regularly assessed and continuously monitored. These controls also cover tracking weaknesses found during assessment through to remediation and managing agreements for connections between systems.

CM: Configuration Management

The Configuration Management control family lays out how organizations should ensure all systems are properly configured. System updates and settings must be carefully managed to decrease risk. Relevant considerations range from inventorying system components to blocking the use of unauthorized software to creating data action maps that show how PII is processed.

CP: Contingency Planning

Contingency planning means preparing for the worst: How will your organization continue to meet its obligations if your systems lose data, suffer a breach, get infected with ransomware, end up compromised by extreme weather, or face other circumstances that affect your ability to function as normal? Prepare for such risks by creating procedures to ensure the continuity of essential functions, training personnel, testing contingency plans, and setting up backups of data storage and secondary processing sites.

IA: Identification and Authentication

Restricting systems and data to authorized users first requires reliably knowing who, or what, is making a request. This control family covers identifying and authenticating users, processes, and devices: managing identifiers and authenticators (passwords, tokens, certificates), requiring multifactor authentication for privileged and network access, and re-authenticating when circumstances call for it. Authentication establishes identity; the Access Control family then decides what that identity is allowed to do.

IR: Incident Response

The Incident Response control family is related to the Contingency Planning family but with a focus on detecting and recovering from incidents rather than on continued operations. Organizations that monitor their systems for irregularities and have plans to help contain incidents will suffer less harm. The controls in this family cover topics including training, testing incident response plans, continuous monitoring of systems, reporting incidents, and more. 

MA: Maintenance

Well-maintained systems are more secure. This control family covers everything related to keeping your system in working order. The controls cover best practices for secure hardware, software, and firmware maintenance.

MP: Media Protection

This control family addresses media in all forms, digital and physical: disks, removable drives, backup tapes, and printed documents. Where Access Control restricts who can reach data and systems, these controls govern access to, marking, storage, transport, and sanitization of media so that the data on it does not reach unauthorized parties, including after the media is reused or retired.

PE: Physical and Environmental Protection

Server rooms, data centers, and other physical spaces are central to digital operations. If not secured, they are a potential weak point. This control family lays out practices for restricting access to authorized individuals, securing transmissions and outputs, and maintaining the physical environment to prevent damage to critical infrastructure. 

PL: Planning

Organizations achieve a strong security posture and good privacy practices through careful planning. This control family helps users create thorough security plans that meet organizational needs. It includes tools that can help organizations understand what details and contingencies their plans should address. 

PM: Program Management

This control family sets forth the requirements for creating and maintaining a solid security program at your organization. The controls cover a variety of facets, including leadership, resource availability, various areas your program should oversee, and how teams should measure a program’s effectiveness. As you implement your program, you may notice overlap between the controls listed in this family and those in other families; a good security program should include your NIST 800-53 (and other regulatory) compliance.

PS: Personnel Security

Personnel security does not refer to the physical safety of your employees and contractors; it refers to the practices that make sure your personnel do not become an insider threat to your security. This control family covers procedures for determining the risk level of each position in your organization and properly screening individuals before they are granted access. It also covers best practices for situations that involve external parties, transfers, and termination, such as revoking access promptly and retrieving equipment.

PT: Personally Identifiable Information Processing and Transparency

Most discussions of data privacy include PII because laws and regulations, such as GDPR, have recognized that individuals have a right to know their sensitive data is safe and will not be shared without their consent. The controls in this family cover many of the same topics privacy laws seek to address, including obtaining consent before processing PII, providing a privacy notice that details how and why you use personal data, and processing PII only when necessary. 

RA: Risk Assessment

The Risk Assessment control family includes measures to help organizations identify potential security risks, determine their likelihood of harming the organization, and enact countermeasures. Tools such as privacy impact assessments (PIAs) and criticality analyses are introduced alongside broader guidelines for threat modeling.

SA: System and Services Acquisition

Systems and services rarely come entirely from in-house development; they are bought, licensed, contracted, or assembled from third-party components, and each acquisition can import security and privacy risk unless requirements are set up front. The System and Services Acquisition control family covers allocating resources for security, specifying security and privacy requirements in contracts and acquisitions, following a secure system development life cycle, requiring developer security testing and evaluation, and safely integrating external systems and services into your own.

SC: System and Communications Protection

The largest control family in NIST SP 800-53 covers protecting systems and the communications between them. Hardly any system is entirely self-contained, and some of the most powerful tools we have rely on sharing data or integrating with other systems. However, every outside connection increases your attack surface. The controls in this family include separating system functions and partitioning the architecture so sensitive data is isolated, protecting boundaries, encrypting data in transit and at rest, managing cryptographic keys, and protecting against known attack types such as denial of service.

SI: System and Information Integrity

This control family covers the steps organizations should take to make sure their information systems—and the data within them—are not compromised. Data can be corrupted by software errors, malicious actions, or improper input. Use these controls to ensure this does not happen and to protect data against exfiltration and other harmful manipulations.

SR: Supply Chain Risk Management

The final control family in SP 800-53 addresses security risks that may come from your supply chain. Its controls lay out procedures for vetting third-party systems, components, or data and reviewing supplier and contractor records. They also include guidelines for authenticating and re-inspecting hardware and components. 

NIST 800-53 Compliance, Simplified

With over 1,100 controls and control enhancements across 20 families, complying with NIST SP 800-53 can seem like a full-time job. Drata can help. We explain each control in detail and share its purpose, provide supporting documentation, and help you spot interdependencies between controls. The framework also dovetails with our other compliance frameworks: controls that are already active due to other compliance efforts are easy to map to 800-53.

Drata’s NIST 800-53 compliance framework includes up-to-date information on security requirements. Scope your Control Baseline, customize our 800-53 tracker to match your business needs, and then keep track of your progress on our centralized dashboard. Our experts are also on hand to help you improve your risk management strategy: Drata customers can take advantage of a team of former auditors and compliance advisors to support their efforts. 

Compliance doesn’t have to be a hassle when you have the right tools on your side. Explore our NIST 800-53 compliance framework, and book a demo today.

NIST 800-53 Control Families Frequently Asked Questions (FAQs)

Still have questions about NIST 800-53 control families? We answer some common queries below.

How Many Controls Does NIST 800-53 Have?

The current version (Revision 5) of NIST SP 800-53 contains over 1,100 controls and control enhancements. Only a subset applies to any given system: the baselines in SP 800-53B determine the starting set by impact level, and tailoring adjusts it.

What Are the NIST 800-53 Control Families?

NIST SP 800-53 Revision 5 contains the following 20 control families:

  • AC: Access Control

  • AT: Awareness and Training

  • AU: Audit and Accountability

  • CA: Assessment, Authorization, and Monitoring

  • CM: Configuration Management 

  • CP: Contingency Planning

  • IA: Identification and Authentication

  • IR: Incident Response

  • MA: Maintenance

  • MP: Media Protection

  • PE: Physical and Environmental Protection

  • PL: Planning

  • PM: Program Management

  • PS: Personnel Security

  • PT: Personally Identifiable Information Processing and Transparency

  • RA: Risk Assessment

  • SA: System and Services Acquisition

  • SC: System and Communications Protection

  • SI: System and Information Integrity  

  • SR: Supply Chain Risk Management

What Changed With NIST SP 800-53 Rev. 5?

The biggest change in NIST SP 800-53 Revision 5 was the addition of two new control families: Personally Identifiable Information Processing and Transparency (PT) and Supply Chain Risk Management (SR). Existing control families were updated with additional controls, control statements were rewritten to be outcome-based, and privacy controls were integrated into the main catalog. Additionally, SP 800-53B was published alongside it, laying out the security and privacy control baselines used to select which controls apply to a given system.
