Federal Information Security

NIST SP 800-53 Rev. 5

The security and privacy control catalog for federal information systems.

Knowledge Hub quick facts:
20 control families (AC through SR)
Rev. 5 (2020 edition)
1,000+ controls (base controls plus enhancements)
Federal standard (FISMA, FedRAMP)
Overview

NIST Special Publication 800-53 is the U.S. federal government's catalog of security and privacy controls. FISMA, through FIPS 200, requires federal information systems to select and implement controls from it, and FedRAMP uses it as the basis for cloud service authorization. Rev. 5, published in September 2020, integrated privacy controls into the main catalog (they were a separate appendix in Rev. 4), added the Supply Chain Risk Management (SR) family, and rewrote control statements to be outcome-based rather than tied to a specific implementing entity. The Low, Moderate and High baselines that previously sat in the catalog's appendices moved to the companion SP 800-53B, so baseline selection and tailoring are now documented against that publication.

Documentation is central to NIST 800-53 implementation. The System Security Plan (SSP) records how each applicable control is implemented; the Security Assessment Report (SAR) records the assessor's findings; the Plan of Action and Milestones (POA&M) tracks open weaknesses with owners and target dates. The control implementation statement, a precise and auditable description of how a control operates within a specific system, is the core artifact across all 20 families. An assessor should be able to test the statement as written, so a usable statement names the mechanism, the scope it covers and the evidence that demonstrates it, rather than restating the control text.

Key Requirements

What the standard requires you to document.

AC – Access Control

User access provisioning, privileged account management, remote access, and least privilege documentation.

AU – Audit & Accountability

Event logging, audit record review, audit trail protection, and reporting documentation.

CM – Configuration Management

System baseline documentation, change control procedures, and software usage policy.

IA – Identification & Authentication

Identity management, multi-factor authentication, and identifier management documentation.

IR – Incident Response

Incident response plan, testing records, and incident handling procedures.

RA – Risk Assessment

Risk assessment methodology, threat modeling, and vulnerability scanning documentation.

SC – System & Comms Protection

Boundary protection, network segmentation, and cryptographic key management documentation.

SI – System & Info Integrity

Flaw remediation, malware protection, and intrusion detection documentation.

ELDR Documentation

Templates and resources available from the Knowledge Hub.

System Security Plan (SSP) — full system characterization and all applicable controls
Control Implementation Statements — all 20 control family templates
Security Assessment Plan (SAP) and Security Assessment Report (SAR)
Plan of Action & Milestones (POA&M) tracking workbook
Continuous Monitoring Plan and ConMon reporting templates
Control tailoring rationale documentation
Privacy Impact Assessment (PIA) templates (Rev. 5 privacy controls)
Supply Chain Risk Management Plan (SCRM)
Request Access

Templates and implementation resources for NIST SP 800-53 Rev. 5 are available through the ELDR Institute Knowledge Hub and via direct request.
