NIST SP 800-53 Rev 5 Control Families
The most comprehensive security and privacy control catalog in US federal compliance — and the engineering blueprint for FedRAMP, FISMA, and CMMC implementations.
NIST Special Publication 800-53 Revision 5, published September 2020, is the definitive catalog of security and privacy controls for US federal information systems and organizations, mandated under FISMA and adopted as the control baseline for FedRAMP, CMMC, and numerous other regulatory frameworks. Rev 5 contains 20 control families, each identified by a two-letter prefix, including Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Risk Assessment (RA), System and Communications Protection (SC), System and Information Integrity (SI), Supply Chain Risk Management (SR), and the privacy-focused PT family that is new in Rev 5. Three baselines (Low, Moderate, and High) specify which controls apply, selected by the system's impact categorization under FIPS 199.
Engineers implementing SP 800-53 Rev 5 controls encounter significant technical depth in the control families most relevant to system design. The SC (System and Communications Protection) family covers network segmentation (SC-7 Boundary Protection), cryptographic key management (SC-12, SC-17), mobile code restrictions (SC-18), and VoIP protections. The AU (Audit and Accountability) family mandates event logging (AU-2), audit record content (AU-3), log protection (AU-9), and time synchronization (AU-8) — with AU-11 specifying retention periods. The CM (Configuration Management) family requires baseline configurations (CM-2), configuration change control (CM-3), security impact analysis (CM-4), and configuration settings (CM-6) enforcing SCAP-compatible benchmarks. The RA family includes RA-3 (Risk Assessment), RA-5 (Vulnerability Monitoring and Scanning), and the Rev 5 addition of RA-7 (Risk Response) and RA-9 (Criticality Analysis). Each control includes a base control statement, optional control enhancements numbered with parenthetical identifiers (e.g., AC-2(1)), and supplemental guidance.
A critical engineering nuance of SP 800-53 Rev 5 is its separation of controls from implementation guidance — the catalog describes what must be achieved, while SP 800-53B provides tailoring guidance and SP 800-53A Rev 5 defines assessment procedures. Organizations frequently mistake the control catalog for an implementation checklist, leading to controls that satisfy the letter but not the spirit of the requirement. Rev 5 also introduced a significant privacy program expansion via the PT family and the integration of privacy controls throughout existing families — for example, AC-3 (Access Enforcement) now includes privacy-scoped enhancements. The Supply Chain Risk Management (SR) family, heavily expanded in Rev 5 in response to software supply chain compromises, introduces SCRM plan requirements (SR-2), supplier assessments (SR-6), and supply chain incident response (SR-8) that require coordination between security engineering and vendor management functions.
We implement SP 800-53 Rev 5 control families using automated configuration management tooling that maps infrastructure-as-code policies to specific control identifiers, producing continuous compliance evidence rather than point-in-time assessments. Our FedRAMP and FISMA engagement methodology starts with FIPS 199 system categorization to establish the correct baseline, then uses control inheritance mapping to identify which controls are satisfied by cloud platform services (leveraging existing FedRAMP authorizations) versus those requiring customer implementation. Assessment-ready System Security Plans (SSPs) are generated from our infrastructure documentation pipeline.
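The workflow described above (FIPS 199 categorization to pick a baseline, an inheritance map separating provider-satisfied controls from customer responsibilities, then automated checks that emit evidence keyed by control identifier) is shown below as an added example. It is illustrative code written for this page, not the tooling of the authors or any project; the control-to-baseline table, the check functions, the sample configuration and the inheritance entries are all constructed and deliberately incomplete, and a real implementation would source the baselines from SP 800-53B and the assessment objectives from SP 800-53A.

```python
"""Added example: a minimal compliance-as-code loop keyed by SP 800-53 control IDs.

Everything below except the FIPS 199 high-water-mark rule is constructed for
illustration (control subset, checks, sample config, inheritance map).
"""
from dataclasses import dataclass

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}


def fips199_baseline(confidentiality, integrity, availability):
    """FIPS 199 high-water mark: the system impact level is the highest of the
    three security objectives, and that level selects the SP 800-53B baseline."""
    levels = (confidentiality.lower(), integrity.lower(), availability.lower())
    for lvl in levels:
        if lvl not in IMPACT_RANK:
            raise ValueError(f"unknown FIPS 199 impact level: {lvl!r}")
    return max(levels, key=IMPACT_RANK.__getitem__)


# Constructed subset: lowest baseline that selects each control (NOT a full baseline).
CONTROL_BASELINE = {
    "AU-2": "low", "AU-8": "low", "AU-11": "low", "CM-6": "low",
    "SC-7": "low", "SC-12": "low", "PE-3": "low",
    "AC-2(1)": "moderate", "SC-8": "moderate",
}


def applicable_controls(baseline):
    """Controls whose minimum baseline is at or below the selected one."""
    rank = IMPACT_RANK[baseline]
    return sorted(c for c, b in CONTROL_BASELINE.items() if IMPACT_RANK[b] <= rank)


# Automated checks over an IaC-derived configuration dict. Each returns (passed, detail).
def check_au8(cfg):  # AU-8 Time Stamps: clocks must sync to an authoritative source
    servers = cfg.get("ntp_servers", [])
    return (len(servers) >= 1, f"ntp_servers={servers}")


def check_au11(cfg):  # AU-11 Audit Record Retention: organization-defined period
    days, required = cfg.get("log_retention_days", 0), cfg["required_retention_days"]
    return (days >= required, f"retention={days}d required={required}d")


def check_cm6(cfg):  # CM-6 Configuration Settings: benchmark applied with no drift
    bench, drift = cfg.get("benchmark"), cfg.get("benchmark_drift", [])
    return (bench is not None and not drift, f"benchmark={bench} drift={drift}")


def check_sc7(cfg):  # SC-7 Boundary Protection: deny-by-default ingress at the boundary
    mode = cfg.get("default_ingress")
    return (mode == "deny", f"default_ingress={mode}")


def check_sc12(cfg):  # SC-12 Key Establishment and Management: managed keys, rotated
    src, rot = cfg.get("key_source"), cfg.get("key_rotation_days", 0)
    return (src == "managed_kms" and rot > 0, f"key_source={src} rotation={rot}d")


CHECKS = {"AU-8": check_au8, "AU-11": check_au11, "CM-6": check_cm6,
          "SC-7": check_sc7, "SC-12": check_sc12}


@dataclass
class Evidence:
    control: str
    status: str  # one of: inherited | pass | fail | manual
    detail: str


def evaluate(cfg, baseline, inherited):
    """Produce one evidence record per applicable control: inherited from the
    provider, checked automatically, or flagged for a manual SSP narrative."""
    results = []
    for control in applicable_controls(baseline):
        if control in inherited:
            results.append(Evidence(control, "inherited", inherited[control]))
        elif control in CHECKS:
            ok, detail = CHECKS[control](cfg)
            results.append(Evidence(control, "pass" if ok else "fail", detail))
        else:
            results.append(Evidence(control, "manual", "no automated check; needs SSP narrative"))
    return results


# Constructed sample inputs: retention is short on purpose so AU-11 fails.
SAMPLE_CONFIG = {
    "ntp_servers": ["ntp1.example.internal"],
    "log_retention_days": 90, "required_retention_days": 365,
    "benchmark": "constructed-hardening-benchmark-v1", "benchmark_drift": [],
    "default_ingress": "deny",
    "key_source": "managed_kms", "key_rotation_days": 365,
}
SAMPLE_INHERITED = {"PE-3": "physical access controls in the provider's FedRAMP package"}

if __name__ == "__main__":
    baseline = fips199_baseline("low", "moderate", "low")  # -> "moderate"
    for ev in evaluate(SAMPLE_CONFIG, baseline, SAMPLE_INHERITED):
        print(f"{ev.control:8} {ev.status:9} {ev.detail}")
```

The "manual" status is the important output for an SSP pipeline: it lists the controls in the baseline that neither the provider's authorization nor an automated check covers, which is exactly the gap that turns a catalog into a checklist if it is left unexamined.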