An introduction to security and privacy controls

Explaining NIST’s 800-53 control families for information systems and organizations

What are the NIST controls?

Federal security compliance is based on evaluating security criteria. Those criteria are a wide-ranging set of considerations called controls. The National Institute of Standards and Technology (NIST) defines these controls in a special publication (SP) called NIST SP 800-53 (Revision 5), Security and Privacy Controls for Information Systems and Organizations.

To use, buy, or build software for the government, you need an authorization to operate (ATO). A huge part of that process is documenting how you address the controls in your system security and privacy plan (SSPP). During the ATO process, assessors determine which controls apply to a given system: the higher the risk of the system, the more controls apply. The system's team then documents how each of those considerations is addressed and provides evidence that the corresponding security measures are actually in place.

For an overview of ATOs, read An introduction to ATOs.

Why worry about controls?

Understanding the controls is an important part of the ATO process, especially when writing a system security and privacy plan. With hundreds of controls, approaching an ATO can be quite daunting. That's why it's good to start with an overview of the controls.

The controls are grouped by topic, and those topics are called families. Next, we'll explore each control family and what kind of considerations that control family focuses on.

Meet the family

The three-column table below lists the 20 control families alphabetically by their two-character ID (identification code). Security and compliance folks often refer to the controls by this ID. For each, the ID is linked to the full list of controls for that family.

The second column provides the full name of the control family. The third column provides a plain language description of the control to give you a feel for what kind of security concern that control family covers.

ID | Control family | Plain language description
AC | Access Control | Have policies that define who can access information and systems.
AT | Awareness and Training | Train staff on IT safety practices, such as annual security training and phishing exercises.
AU | Audit and Accountability | Make sure you are creating and monitoring the necessary logs and keeping records for as long as they should be kept. You need policies that establish these practices and produce evidence that you follow them.
CA | Security Assessment and Authorization | This family describes most of the ATO process.
CM | Configuration Management | Policies and procedures for how software is approved and deployed. Defines who can make decisions and what policies or constraints prevent others from making unauthorized changes. Creating a system inventory to document what you have, and keeping it up to date.
CP | Contingency Planning | Being able to recover if your system goes down or isn't working. You accomplish this with the policies, technologies, testing, and training needed to recover your system.
IA | Identification and Authentication | How you verify the identity of your system's users and how they log in to your system.
IR | Incident Response | Have policies and procedures to respond to a cyber attack, and the people and tools to respond to data breaches and attacks.
MA | Maintenance | Who is responsible for system maintenance, for example approving and monitoring security software and keeping packages up to date.
MP | Media Protection | Policies, procedures, and tools to keep media secure. Media includes records of data on a wide range of storage options, whether paper or electronic.
PE | Physical and Environmental Protection | This includes things like locking doors and keeping buildings and physical access to servers secure.
PL | Planning | Policies and procedures about system security plans, rules of engagement, and other planning for your system.
PM | Program Management | Policies and procedures for managing your broader cybersecurity environment. This includes things like security and privacy training, data governance, and management structures.
PS | Personnel Security | Policies and procedures about people's access to information and systems. Making sure people are cleared and trained before they access information, and that they lose system access when they leave.
PT | PII Processing and Transparency | When you can collect personally identifiable information (PII) and how you need to protect it. This includes giving people a privacy notice and obtaining consent to collection.
RA | Risk Assessment | Determining how much risk your system presents. Evaluating the implications if your system went down, or if data were exposed or tampered with. Looking at the privacy risk of your system and looking for threats.
SA | System and Services Acquisition | Covers requirements for acquisition, software development, and system management tools.
SC | System and Communications Protection | Availability protections against things like DDoS attacks. Security features like network boundaries, encryption, and DNS protections.
SI | System and Information Integrity | Monitoring your system to look for data breaches.
SR | Supply Chain Risk Management | Preventing and looking for tampering with the upstream components of your system.

You may have noticed that many of the controls require the efforts of your whole team. To get them on board, it helps to describe the larger objectives of your policies and procedures. Taking the time to explain the controls helps everyone contribute to your system's security and compliance. View NIST's Cybersecurity and Privacy Reference Tool for more on control families.
