Security and Privacy Controls for Information Systems and Organizations

Date Published: September 2020 (includes updates as of Dec. 10, 2020)

Supersedes: SP 800-53 Rev. 5 (09/23/2020)

Planning Note (12/19/2023):

(12/19/23) Updated the "Mappings and crosswalks" text below and the link to the ISO/IEC 27001:2022 OLIR crosswalk.

On November 7, 2023, NIST issued a patch release of SP 800-53 (Release 5.1.1) that includes:

• minor grammatical edits and clarification;
• the introduction of “leading zeros” to the control identifiers (e.g., instead of AC-1, the control identifier will be updated to AC-01); and
• one new control and three supporting control enhancements related to identity providers, authorization servers, the protection of cryptographic keys, the verification of identity assertions and access tokens, and token management.

A list of all the changes in the patch release is available under Supplemental Material.

***

Summary of supplemental files:

• Control Catalog Spreadsheet
  The entire security and privacy control catalog in spreadsheet format. Note: For a spreadsheet of control baselines, see the SP 800-53B details.
   
• Analysis of updates between 800-53 Rev. 5 and Rev. 4 (Updated 1/07/22)
  Describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes.  Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
   
• Mapping of Appendix J Privacy Controls (Rev. 4) to Rev. 5
  Supports organizations using the privacy controls in Appendix J of SP 800-53 Rev. 4 that are transitioning to the integrated control catalog in Rev. 5.
   
• Mappings and crosswalks between 800-53 Rev. 5 and other frameworks and standards (NIST Cybersecurity Framework and NIST Privacy Framework; ISO/IEC 27001:2022 [updated 12/19/23])
  Mappings and crosswalks provide a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging these relationships, consider the scope and intended use of each publication. Do not assume equivalency based solely on relationship tables; mappings and crosswalks are not always one-to-one and relationship analysis can be subjective.

Also available:

• Security and Privacy Control Collaboration Index Template (Excel & Word)
  The collaboration index template supports information security and privacy program collaboration to help ensure that the objectives of both disciplines are met and that risks are appropriately managed. It is an optional tool for information security and privacy programs to identify the degree of collaboration needed between security and privacy programs with respect to the selection and/or implementation of controls in Rev. 5.
   
• OSCAL version of 800-53 Rev. 5 controls
  Rev. 5 controls are provided using the Open Security Controls Assessment Language (OSCAL); currently available in JSON, XML, and YAML.

Author(s)

Joint Task Force

Control Families

Access Control; Awareness and Training; Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Program Management; Personnel Security; PII Processing and Transparency; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity; Supply Chain Risk Management