NIST 800-53

NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security. NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations.

NIST 800-53 is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and to help with managing cost effective programs to protect their information and information systems. The current revision Rev.5 is released in draft by August 2017.

The controls can be implemented within any organization or information system that processes, stores, or transmits information. This publication is intended to help organizations manage risk and to satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974, OMB policies (e.g., OMB Circular A-130), and designated Federal Information Processing Standards, among others, by:

  • Providing a comprehensive and flexible catalog of security and privacy controls to meet current protection needs and the demands of future needs based on changing threats, requirements, and technologies;
  • Creating a foundation for the development of assessment methods and procedures for determining the effectiveness of the controls; and
  • Improving communication among organizations by providing a common lexicon that supports discussion of security, privacy, and risk management concepts.

A key part of the certification and accreditation process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog. These controls are the management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. To implement the needed safeguards or controls, agencies must first determine the security category of their information systems in accordance with the provisions of FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” The security categorization of the information system (low, moderate or high) determines the baseline collection of controls that must be implemented and monitored. Agencies have the ability to adjust these controls and tailor them to fit more closely with their organizational goals or environments.