Introduction to 800-53 Controls

NIST SP 800-53 "Recommended Security Controls for Federal Information Systems" contains a list of nearly 200 security controls.

A security control is a safeguard or countermeasure that protects an information system.

Appendix F in 800-53 is the "Security Control Catalog" that contains the controls.

All NIST SP 800 documents can be accessed here:
NIST - CSRC Home - Publications - Special Publications

Description of 800-53 Controls

Each control in 800-53 has the following components:

800-53 Control Families

800-53 controls are divided into 17 families.

800-53 Impact Levels

There are three impact levels used to describe information systems.

800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site. [note – IPD means the document is in “draft” mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months […]

800-53 rev3 FPD

The new revision of NIST SP 800-53 (rev3) is now in FINAL Public Draft (FPD) and should be published in final form soon. When NIST moves a draft document from IPD status to FPD status, the changes are often few as the document is nearly ready for final publishing. In this case, however, the changes […]

800-53 rev3 FINAL

NIST has released the final copy of SP 800-53 rev3 “Recommended Security Controls for Federal Information Systems and Organizations”. This document is the encyclopedia of security controls for federal agencies and this is the third revision since it was originally released in 2005. The impact level baseline information bar that was removed in the Final […]

Security Control Matrix

This matrix is a map that correlates attackers methodology with NIST 800-53 security controls: ATTACK METHODOLOGY/CONTROL Recon General/Google RA-3 RISK ASSESSMENT – you can only reduce exposure and can never “stop” general reconnaissance, but you damn well better know what you’re defending before the attacker starts to find out Network scanning CM-7 LEAST FUNCTIONALITY – […]

Security Controls – Tools for Your Gameplan

FOOTBALL In football (and other sports) the gameplan is an important part of success. How well the gameplan is implemented on the field will determine the final score, but with a flawed gameplan, performance may become irrelevant. Football organizations may use groups of scouts and coaches and spend weeks performing an analysis of their upcoming […]

Security Controls for Dummies

Security controls are functions, counter-measures, processes, safeguards and other efforts to minimize any potential impact from security risks. Security controls come in many different forms and categories: Policy and procedures – define ways to do things, establish methodologies for processes Proactive/Preventive controls – attempt to prevent security events from occurring Monitoring/Detection controls – establish ways […]

New Insider Threat Controls in 800-53 rev4 DRAFT

NIST is working on a DRAFT revision to 800-53 controls that is known as rev4. The new controls include materials related to insider threats. PM-12 (0) INSIDER THREAT PROGRAM – this is the master control requiring an insider threat program, including a team that is focused on insider threat incident handling. The team needs to […]