NIST 800-53 Rev. 5: What it Is, and Why You Should Care

NIST, security and privacy controls

Later this year, the National Institute for Standards and Technology (NIST) will release revision #5 to Special Publication SP 800-53 Security and Privacy Controls for Information Systems and Organizations, a key framework documenting recommended security controls for federal information systems. Soon, government agencies, contractors and FedRAMP certified vendors will be rushing to update their systems before the guidelines go into effect.

As the de facto standard for compliance with the Federal Information Security Management Act (FISMA), SP 800-53 directly applies to any federal organization (aside from national security agencies), and indirectly to non-federal organizations via SP 800-171. In this article, we’ll summarize the contents and newest revisions.

Establishing Security Controls

To maintain security, any IT system must observe basic security controls to prevent threat incidents and establish proper responses. On an ongoing basis, NIST compiles and documents controls recommended to it by research groups including the Information Technology Laboratory (ITL).

The most recent edition (Rev. 4) of SP 800-53 includes 212 controls distributed across 18 control families designated by acronyms, such as “AC” for “Access Control,” “IR” for “Incident Response” and “CM” for “Configuration Management”. Controls are ranked according to three (3) tiers of impact ranging from “low” to “moderate” to “high,” and fall into three types:

  • Common – used throughout an organization
  • Custom – specific to an application or device
  • Hybrid – standard control customized by an organization

SP 800-53 is very useful as reference material for designing security plans, and its controls are used as a basis for other special publications/regulations. However, to actually protect an organization it must be implemented according to a Risk Management Framework (RMF).


SP 800-53 contains outlines for a standardized Risk Management Framework. For this purpose, it is commonly used in conjunction with SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems:  A System Life Cycle Approach for Security and Privacy which details the formal certification and accreditation process.

The NIST RMF guides organizations through a comprehensive risk management and response plan in six (6) stages:

  1. Categorize – determine the category of information systems based on type of information processed and threat impact
  2. Select – select baseline security controls to mitigate risk
  3. Implement – implement and describe how the security controls have been deployed
  4. Assess – assess performance, correct implementation, and outcome of the security controls
  5. Authorize – authorize operation of the system based on its overall risk to an organization, its assets, mission, and personnel
  6. Monitor – monitor security controls on a regular basis and record performance, reporting concerns to appropriate organizational officials when necessary

Due to its methodological rigor, the NIST RMF gives organizations a high degree of precision in determining risk, mitigating threats, and maintaining accountability before regulatory bodies.

Who Does SP 800-53 Apply To?

SP 800-53 directly applies only to federal agencies. However, the publication is used as the basis for many other programs and should be referred to by anyone to whom they apply. This includes:

  • – Cloud Service Providers (CSPs) authorized under a FedRAMP program are required to use SP 800-53 controls to secure their services and facilities
  • – since SP 800-53 is used as the basis for FISMA[BS1], state agencies and any contractors partnered with the federal government will also have to comply
  • Defense Federal Acquisition Regulations (DFARS) – while  SP 800-171[BS2]  initially imported security controls from SP 800-53, the controls have since been adjusted to better protect controlled unclassified information (CUI) specifically. Nevertheless, SP 800-53 is recommended as a useful reference for non-federal businesses required to comply with DFARS, and is more and more being used as a reference for non-Federal security programs, such as to form a baseline for protection of Industrial Control Systems (ICS) in some industries.

In general, it is safe to assume that as an organization conducting any business with the U.S government, SP 800-53 or some portion of it will apply to information systems used during the contract.

Changes in Revision 5

Because SP 800-53 applies to all U.S. agencies and government partners, it goes without saying that compliance is mandatory, and systems should be updated to reflect new revisions as soon as they are released.

Revision 5, to be released later this year, brings with it a new emphasis on privacy, expanded security controls and changes to control categories:

  • Outcome-based (as opposed to impact-based) controls
  • New emphasis on privacy: integration of privacy controls with security controls, and better integration with cybersecurity/risk management
  • Separation of control selection from actual controls
  • New controls based on threat intelligence

Revision 5 will go into effect in 2020, a year from the date of its official release. In the meanwhile, preparing to comply will help your organization to be ready. To learn more about the latest version of SP 800-53, view the draft on NIST’s website.

Securicon Can Help

To become NIST 800-53 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!