The security and privacy control catalog for federal information systems.
NIST Special Publication 800-53 is the U.S. federal government's security and privacy control catalog, required by FISMA for all federal information systems and adopted by FedRAMP for cloud service authorization. Rev. 5, published in 2020, expanded coverage to include privacy controls, integrated supply chain risk management, and introduced outcome-based control statements.
Documentation is central to NIST 800-53 implementation: System Security Plans (SSPs) document how each applicable control is implemented; Security Assessment Reports (SARs) document testing results; Plans of Action and Milestones (POA&Ms) document open findings. The control implementation statement — a precise, auditable description of how a control operates within a specific system — is the core documentation artifact across all 20 families.
Documentation guidance is organized by control family; the families covered here are:

- Access Control (AC): user access provisioning, privileged account management, remote access, and least privilege documentation.
- Audit and Accountability (AU): event logging, audit record review, audit trail protection, and reporting documentation.
- Configuration Management (CM): system baseline documentation, change control procedures, and software usage policy.
- Identification and Authentication (IA): identity management, multi-factor authentication, and identifier management documentation.
- Incident Response (IR): incident response plan, testing records, and incident handling procedures.
- Risk Assessment (RA): risk assessment methodology, threat modeling, and vulnerability scanning documentation.
- System and Communications Protection (SC): boundary protection, network segmentation, and cryptographic key management documentation.
- System and Information Integrity (SI): flaw remediation, malware protection, and intrusion detection documentation.
Templates and implementation resources for NIST SP 800-53 Rev. 5 are available through the ELDR Institute Knowledge Hub and via direct request.