NIST SP 800-53 Control Families Explained
NIST SP 800-53 is a catalog of security and privacy controls that organizations select and tailor to protect their information systems and the data those systems process.
Whether you need to understand NIST SP 800-53 for compliance, or you just want to strengthen your IT security systems, you’ve come to the right place. This guide explains everything you need to know about the NIST SP 800-53 control families, including how they work, examples, and how to get started using them.
What Are NIST SP 800-53 Control Families Anyway?
NIST Special Publication 800-53 is a catalog of security and privacy controls for US federal information systems and organizations. It describes the safeguards needed to protect organizational operations and assets, individuals, other organizations, and the nation.
When implemented, the controls harden information systems and protect the data being processed within those systems.
While the NIST SP 800-53 was designed for federal agencies, the principles can be adopted by any organization that wants to implement better privacy controls and security best practices.
NIST SP 800-53 contains 20 control families. Each family is a separate category or area of focus, and together the families hold more than 1,000 controls and control enhancements.
How NIST SP 800-53 Control Families Work
The National Institute of Standards and Technology is a US agency within the Department of Commerce. The organization’s goal is to promote innovation and industrial competitiveness through science, standards, and technology.
NIST Special Publication (SP) 800-53 is designed to help organizations manage the risks of processing, storing, and transmitting sensitive information. The catalog is segmented into 20 control families, each grouping the controls for one topic. The companion publication NIST SP 800-53A supplies the assessment procedures used to determine whether a control is implemented correctly and producing the intended effect.
Originally published in 2005, NIST SP 800-53 was intended to help government agencies and government contractors comply with the Federal Information Security Management Act (FISMA) of 2002.
The publication undergoes regular reviews and revisions to ensure that the guidelines address new threats to IT systems.
The current revision (Revision 5, published in 2020) contains 20 control families. Here’s a brief overview of each control family and its purpose:
AC – Access Control
This family covers all controls related to system access, network access, and device access. It offers guidance on implementing access control policies, account management policies, and user privileges. The access control family is designed to reduce risks associated with unauthorized access to devices, networks, and systems.
AT – Awareness and Training
These controls ensure that all users who have access to information systems are properly trained to use the systems and identify possible threats. Improving awareness of operational risks and privacy threats is a major focus of this family. Training policies, record keeping, and cybersecurity training are all part of the awareness and training family.
AU – Audit and Accountability
The audit and accountability control family explains how organizations should establish procedures for event logging and audits. It covers the baselines for audit records, log storage capacities, and guidelines for log monitoring and reviews. Effective log audits are crucial for identifying system issues and breaches, and they can hold staff accountable as well.
CA – Assessment, Authorization, and Monitoring
This family focuses on the ongoing assessment and monitoring of both security and privacy controls. It covers assessment plans, independent assessors, the authorization decision, and the delegation of team responsibilities. It also includes plans of action and milestones, the documents that track identified weaknesses and the steps planned to fix them.
CM – Configuration Management
This family focuses on the configuration of the software and devices on the organization’s network. It covers configuration management policy, baseline configurations, change control, least functionality, and restrictions on user-installed software. Applying these controls lowers the risk of unauthorized software or hardware being introduced into systems, and it gives the organization a known-good state to compare running systems against.
CP – Contingency Planning
The CP family includes the controls to help organizations prepare for breaches and system failures. It covers alternative storage sites and system backups to help reduce and mitigate system downtimes. Contingency planning helps organizations restore operations to normal after a breach or outage.
IA – Identification and Authentication
IA contains the controls for identifying and authenticating the users, processes, and devices that access a system or network. It covers identifier management, authenticator management (passwords, tokens, certificates), multi-factor authentication, and re-authentication of sessions. This family reduces the risk of unauthorized system access by ensuring that a claimed identity is verified before access is granted.
IR – Incident Response
The IR family encompasses training, planning, and active monitoring for security incidents, along with incident handling, reporting, and assistance. Its control enhancements address specific situations an organization might face, including malicious code and forensic analysis, breaches involving PII, supply chain coordination, and public relations and reputation repair.
MA – Maintenance
The maintenance control family covers controlled maintenance of systems, maintenance tools, nonlocal (remote) maintenance, and the logging of maintenance activity. Its purpose is to set maintenance policy, reduce the risk of operational outages and of maintenance channels being abused for unauthorized access, and manage the maintenance personnel who are allowed to work on the systems.
MP – Media Protection
The media protection control family covers the access, marking, storage, transport, sanitization, and destruction of organizational media, both digital (disks, flash drives, backup tapes) and non-digital (paper). Its base controls and enhancements reduce the risk of data breaches and information leaks through lost, discarded, or reused media.
PE – Physical and Environmental Protection
This family covers controls related to physical access to facilities and devices. It helps organizations set up policies for physical access controls, including visitor access, physical access logs, and monitoring of equipment and delivery areas. It also includes environmental protections such as emergency power, emergency lighting, fire protection, and temperature and humidity controls, and planning for relocation to an alternate work site.
PL – Planning
The planning control family covers system security and privacy plans, rules of behavior for users, security and privacy architectures, and the management processes around them. In Revision 5 it also holds the baseline selection and baseline tailoring controls that determine which set of controls a system starts from.
PM – Program Management
Program management controls include all managerial elements of IT and information systems. This includes all of the plans, processes, and programs associated with organizational systems. The controls help organizations set up a risk management strategy, critical infrastructure plan, and information security program plan.
PS – Personnel Security
The PS control family includes the policies and procedures for managing personnel. It covers position risk designation, personnel screening, termination, and transfer, access agreements, and the handling of external personnel such as contractors, and it helps organizations understand the IT security risk of each position.
PT – Personally Identifiable Information Processing and Transparency
Personally identifiable information (PII) processing and transparency controls are designed to safeguard PII and keep its processing within authorized limits. This control family covers the authority and purpose for processing PII, consent, and privacy notices, and it lowers the risk of data breaches by having the right policies in place to store and manage all PII.
RA – Risk Assessment
The RA control family covers security categorization, risk assessments, vulnerability monitoring and scanning, and risk response. It outlines how to assess the risks for different system categories, how to monitor and scan for vulnerabilities on an ongoing basis, and how to respond to the findings.
SA – System and Services Acquisition
The SA control family covers resource allocation, system development life cycle policies, the acquisition process, and the security and privacy engineering principles expected of developers. These controls help organizations safely acquire new systems and services, including developer security testing and evaluation, while protecting the integrity of existing systems and data.
SC – System and Communications Protection
System and communications protection controls cover the protection of systems and of the data they transmit. This family includes boundary protection, separation of system and user functionality, cryptographic protection and key management, protection of data in transit and at rest, denial-of-service protection, and usage restrictions for collaborative computing devices such as cameras and microphones.
SI – System and Information Integrity
The SI control family covers flaw remediation (patching), malicious code protection, spam protection, information input validation, error handling, and system-wide monitoring. All of this is designed to maintain the integrity of the organization’s information and information systems.
SR – Supply Chain Risk Management
Supply chain risk management controls establish policies to mitigate supply chain risks. The family includes supplier assessments and reviews, inspection and tamper protection of supply chain components, component authenticity checks, and the disposal of components.
How to Get Started With NIST SP 800-53 Control Families
Now that you have a better understanding of the NIST SP 800-53 control families and how they work, it’s time to implement these security controls within your organization. The steps below will help steer you on the right track as you’re strengthening your information systems.
Step 1: Determine Compliance Requirements
The first thing you need to do is determine whether or not your organization must comply with NIST SP 800-53. Under FISMA it is required for federal agencies, and the control families define the security and privacy standards that protect federal information systems.
Each time NIST publishes a revision of SP 800-53, federal agencies are expected to bring their systems into compliance within one year of that revision’s release.
Any organization that operates or manages federal information systems on behalf of the government, such as a government contractor, must also comply with NIST SP 800-53, and those compliance requirements will be written into its contracts or SLAs. Non-federal organizations that merely handle controlled unclassified information (CUI) on their own systems are usually pointed instead at NIST SP 800-171, whose requirements are derived from the SP 800-53 moderate baseline.
If your organization does not fall into any of these categories, you can still implement the guidelines in NIST SP 800-53. You just won’t have to do it for compliance purposes.
There are still plenty of benefits of NIST SP 800-53 that go beyond compliance.
You can use it to harden your risk management processes by referencing a detailed catalog of security controls. With more than 1,000 controls and enhancements, it covers every aspect of an information system, which helps organizations in any industry limit the damage from security breaches and IT incidents, including privacy breaches, malicious attacks, human error, and other cybersecurity incidents.
Step 2: Understand Which Data is Protected by NIST SP 800-53 Control Families
NIST SP 800-53 establishes comprehensive guidelines for security and privacy controls in an effort to harden information systems. But before you can implement it, you must understand what type of data will be protected by the control families.
The publication is written for sensitive data on federal systems, which is typically information supporting the ongoing functions of the US government. The control families also cover private user data, including personally identifiable information.
NIST SP 800-53 offers a systematic method for safeguarding information across different kinds of computing systems, including general-purpose systems, cloud services, mobile devices, IoT (internet of things) products, industrial control systems, and other cyber-physical systems.
New revisions of NIST SP 800-53 are flexible and written in a way that can fit the varying needs of organizations using different environments to store and process data. Since such a wide range of organization types and systems will be using the control families, the data requirements will also vary.
Step 3: Establish Minimum Controls
Every control in the NIST SP 800-53 catalog consists of a base control, and many controls also have one or more control enhancements.
The base control is the minimum standard: it states what must be implemented to properly safeguard the system, and the base controls selected for your baseline are what NIST SP 800-53 compliance is measured against.
Control enhancements build on the base control, adding protection or functionality. Each enhancement is identified by the base control’s identifier followed by a number in parentheses.
For example, the base control IR-4 (Incident Handling) in the incident response family covers basic incident handling. One of its enhancements, IR-4(10) (Supply Chain Coordination), adds something more specific: coordinating the handling of an incident with the organization’s supply chain partners.
On a broader level, security controls are often grouped informally into four main categories: physical controls, procedural (administrative) controls, technical controls, and compliance controls. NIST SP 800-53 itself no longer labels controls this way; the management, operational, and technical classes used in Revision 4 were dropped in Revision 5.
Step 4: Determine Which Controls You Need to Comply With
IT security teams must first categorize the system and perform a risk assessment to identify which NIST SP 800-53 controls the system needs.
Categorization considers the impact that a loss of confidentiality, integrity, or availability would have on organizational operations (mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation, as described in FIPS 199.
To figure out which controls you need, NIST SP 800-53B provides control baselines for information systems and organizations to use as a starting point.
There are three security control baselines, for low-impact, moderate-impact, and high-impact systems, and a single privacy control baseline that applies, independent of impact level, to any system that processes PII.
The publication states the assumptions behind each baseline and provides tailoring guidance for adjusting the selected controls to the organization’s specific risks and environment. This helps protect both organizational assets and the privacy of individuals.
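As an added example (not code from the page or from NIST), the following Python resolves a baseline the way Steps 3 and 4 describe: it flattens a catalog of families, base controls, and enhancements, starts from the impact-level baseline, overlays the privacy baseline when the system processes PII, applies tailoring, and rejects two mistakes a reviewer will catch, a control that is not in the catalog and an enhancement kept after its base control was tailored out. The catalog and the baseline membership are constructed for illustration and only mirror the shape of NIST’s OSCAL JSON catalog (a group per family, enhancements nested under their base control, ids like "ac-2.1" for AC-2(1)); the control titles are real, but the membership is not a copy of SP 800-53B.

```python
"""Resolve an SP 800-53 control baseline against a control catalog.

Added example, not code from the page or from NIST. CATALOG_JSON is CONSTRUCTED
and mirrors only the shape of NIST's OSCAL JSON catalog; BASELINES is likewise
illustrative. Consult SP 800-53 and SP 800-53B for the real catalog and tables.
"""
import json
import re

CATALOG_JSON = r'''
{"catalog": {"groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management", "controls": [
      {"id": "ac-2.1", "title": "Automated System Account Management"},
      {"id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management"}]}]},
  {"id": "ir", "title": "Incident Response", "controls": [
    {"id": "ir-4", "title": "Incident Handling", "controls": [
      {"id": "ir-4.10", "title": "Supply Chain Coordination"}]}]},
  {"id": "pt", "title": "PII Processing and Transparency", "controls": [
    {"id": "pt-2", "title": "Authority to Process Personally Identifiable Information"}]}
]}}
'''

# Illustrative baseline membership (constructed for this example, not SP 800-53B).
BASELINES = {
    "low":      {"ac-1", "ac-2", "ir-4"},
    "moderate": {"ac-1", "ac-2", "ac-2.1", "ac-2.2", "ir-4"},
    "high":     {"ac-1", "ac-2", "ac-2.1", "ac-2.2", "ir-4"},
    "privacy":  {"pt-2"},   # one privacy baseline, applied whenever PII is processed
}

ID_RE = re.compile(r"^([a-z]{2})-(\d+)(?:\.(\d+))?$")   # e.g. ac-2 or ac-2.1


def load_catalog(text):
    """Flatten the nested catalog into {id: {"title", "family", "parent"}}."""
    flat = {}
    for group in json.loads(text)["catalog"]["groups"]:
        family = group["id"].upper()
        for ctl in group.get("controls", []):
            flat[ctl["id"]] = {"title": ctl["title"], "family": family, "parent": None}
            for enh in ctl.get("controls", []):   # enhancements nest under their base control
                flat[enh["id"]] = {"title": enh["title"], "family": family, "parent": ctl["id"]}
    return flat


def sort_key(oscal_id):
    """Numeric ordering so that ac-2.10 sorts after ac-2.2, not before it."""
    fam, num, enh = ID_RE.match(oscal_id).groups()
    return (fam, int(num), int(enh) if enh else 0)


def display_id(oscal_id):
    """'ac-2.1' -> 'AC-2(1)', the notation used in the printed catalog."""
    m = ID_RE.match(oscal_id)
    if not m:
        raise ValueError(f"malformed control id: {oscal_id!r}")
    fam, num, enh = m.groups()
    return f"{fam.upper()}-{num}" + (f"({enh})" if enh else "")


def resolve_baseline(catalog, impact, processes_pii=False, add=(), remove=()):
    """Start from the impact-level baseline, overlay the privacy baseline if the
    system processes PII, apply tailoring, then validate the result."""
    if impact not in ("low", "moderate", "high"):
        raise ValueError(f"impact level must be low, moderate or high, got {impact!r}")
    selected = set(BASELINES[impact])
    if processes_pii:
        selected |= BASELINES["privacy"]
    selected |= set(add)
    selected -= set(remove)
    unknown = sorted(selected - set(catalog))
    if unknown:
        raise ValueError(f"not in catalog: {unknown}")
    # Tailoring out a base control while keeping one of its enhancements is a
    # common mistake: an enhancement has no meaning without its base control.
    orphans = sorted(c for c in selected
                     if catalog[c]["parent"] and catalog[c]["parent"] not in selected)
    if orphans:
        raise ValueError("enhancement selected without its base control: "
                         + ", ".join(display_id(c) for c in orphans))
    return sorted(selected, key=sort_key)


def tailoring_error(catalog, impact, **kwargs):
    """Return the validation message for a tailoring attempt, or None if it is valid."""
    try:
        resolve_baseline(catalog, impact, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def family_counts(catalog, ids):
    """{family: (base controls, enhancements)} for a resolved selection."""
    counts = {}
    for c in ids:
        fam = catalog[c]["family"]
        base, enh = counts.get(fam, (0, 0))
        counts[fam] = (base, enh + 1) if catalog[c]["parent"] else (base + 1, enh)
    return counts


if __name__ == "__main__":
    cat = load_catalog(CATALOG_JSON)
    chosen = resolve_baseline(cat, "moderate", processes_pii=True, add=["ir-4.10"])
    for cid in chosen:
        print(f"{display_id(cid):10} {cat[cid]['title']}  [{cat[cid]['family']}]")
    print(family_counts(cat, chosen))
    print(tailoring_error(cat, "moderate", remove=["ac-2"]))
```

The orphan check is the part worth keeping when you adapt this to the real catalog: tailoring decisions are usually recorded per control, and a team that drops AC-2 from scope while leaving AC-2(1) in the system security plan has produced a plan an assessor cannot test.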
Step 5: Follow the NIST Risk Management Framework (RMF)
The NIST Risk Management Framework (RMF), defined in NIST SP 800-37 Revision 2, is a risk management process that integrates security, privacy, and cyber supply chain risk management into the system development life cycle.
It gives organizations a blueprint for selecting, implementing, assessing, and monitoring the controls that best protect a system and its data at that system’s risk level. This is crucial for both privacy programs and information security programs.
There are seven steps in the NIST RMF: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
Any organization, even outside of government agencies and government contractors, can use the NIST RMF to assist with implementing NIST SP 800-53 control families.
NIST SP 800-37 Revision 2 describes the RMF and each of its steps in full.