# How to Comply with NIST SP 800-53 Rev 5

NIST Special Publication 800-53 Revision 5 provides a comprehensive catalog of security and privacy controls for federal information systems and organizations. With over 1,000 controls organized into 20 families, it serves as the foundation for FedRAMP, FISMA compliance, and the NIST Cybersecurity Framework. Control families cover access control, audit, configuration management, incident response, and more.

## Why 800-53 Compliance Matters

NIST SP 800-53 Rev 5 is the authoritative control catalog for U.S. federal agencies under FISMA and forms the basis of FedRAMP authorization for cloud service providers. With over 1,000 controls across 20 families, it provides the most comprehensive security control framework available. Organizations pursuing government contracts or FedRAMP authorization must demonstrate compliance with applicable 800-53 controls.

## Compliance Checklist by Domain

The 49 controls below are grouped by domain (the six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover) and mapped to the 800-53 control references they satisfy. Work through each domain to build your compliance program.

### Govern (6 controls)

| Control | 800-53 References | Also In |
|---|---|---|
| Governance Policy | PL-1 PM-1 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Risk Management | RA-1 PM-9 PM-28 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Supply Chain Risk | SR-1 SR-2 SR-3 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR |
| Roles & Responsibilities | PM-2 PM-10 PS-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Compliance | CA-2 CA-7 PM-4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Vendor Risk Mgmt | SA-9 SR-6 PM-30 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR |

### Identify (6 controls)

| Control | 800-53 References | Also In |
|---|---|---|
| Asset Management | CM-8 CM-9 PM-5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Risk Assessment | RA-3 RA-5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Business Environment | PM-7 PM-11 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR |
| Data Classification | RA-2 SC-16 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Vulnerability Mgmt | RA-5 SI-2 SI-5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Threat Intelligence | PM-16 RA-3 SI-5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC |

### Protect (21 controls)

| Control | 800-53 References | Also In |
|---|---|---|
| Awareness & Training | AT-1 AT-2 AT-3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Access Control | AC-1 AC-2 AC-3 AC-6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Multi-Factor Auth | IA-2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Encryption | SC-8 SC-12 SC-13 SC-28 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Data Protection | MP-2 MP-4 SC-8 SC-28 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Backup & Recovery | CP-9 CP-10 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Privileged Access | AC-2 AC-6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Firewall / Net Seg | SC-7 AC-4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Endpoint Protection | SI-3 SI-4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Patch Management | SI-2 CM-3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Secure Config | CM-2 CM-6 CM-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Secure Development | SA-3 SA-8 SA-11 SA-15 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, GDPR |
| Email Security | SI-3 SI-8 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Web Security | SC-7 SI-3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Zero Trust | AC-4 SC-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Mobile Security | AC-19 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Cloud Security | AC-20 SA-9 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| DNS Security | SC-7 SC-20 SC-21 SC-22 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC |
| WAF | SC-7 SI-3 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| DLP | AC-4 SC-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| API Security | SC-7 SA-11 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |

### Detect (6 controls)

| Control | 800-53 References | Also In |
|---|---|---|
| Cont. Monitoring | CA-7 SI-4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Logging & Audit | AU-2 AU-3 AU-6 AU-12 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Intrusion Detection | SI-4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Anomaly Detection | SI-4 AC-2 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| SIEM / SOC | AU-6 SI-4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Insider Threat | PM-12 AC-6 AU-12 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |

### Respond (5 controls)

| Control | 800-53 References | Also In |
|---|---|---|
| Incident Response | IR-1 IR-4 IR-5 IR-6 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Forensics | IR-4 AU-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Communication | IR-6 IR-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Mitigation | IR-4 IR-5 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Reporting | IR-6 IR-7 IR-8 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |

### Recover (5 controls)

| Control | 800-53 References | Also In |
|---|---|---|
| Recovery Planning | CP-2 CP-10 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Business Continuity | CP-2 CP-6 CP-7 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Lessons Learned | IR-4 CP-4 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Comms & Restore | CP-2 IR-4 | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |
| Disaster Recovery | CP-2 CP-10 | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, HIPAA, GDPR |

## How 800-53 Compares

See how 800-53 coverage overlaps with other frameworks: