Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

NIST SP 800-53 Control Families Explained

down-arrow

The National Institute of Standards and Technology (NIST) is responsible for developing the NIST Cybersecurity Framework (CSF), the gold standard cybersecurity framework. NIST Special Publication 800-53 operates as one of the forefront cybersecurity guidelines for federal agencies in the United States to maintain their information security systems. These guidelines protect the system's security and the sensitive data of the citizens being served. 

How Many Controls are in NIST 800-53? 

NIST SP 800-53 has had five revisions and comprises over 1000 controls. This catalog of security controls allows federal government agencies the recommended security and privacy controls for federal information systems and organizations to protect against potential security issues and cyber attacks. Here, we will look at the 18 NIST 800-53 control families and give a general overview of the list of NIST standards.

NIST 800 53 Control Families

AC - Access Control

The AC Control Family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users can access the system and their level of access.

AU - Audit and Accountability

The AU control family comprises security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.

AT - Awareness and Training

The control sets in the AT Control Family are specific to your security training and procedures, including security training records.

CM - Configuration Management

CM controls are specific to an organization’s configuration management policies. These include a baseline configuration that will operate as the basis for future builds or changes to information systems, information system component inventories, and a security impact analysis control.

CP - Contingency Planning

The CP control family includes controls specific to an organization's contingency plan in case a cybersecurity event should occur. These include controls like contingency plan testing, updating, training, backups, and system reconstitution.

IA - Identification and Authentication

IA controls are specific to an organization's identification and authentication policies. This includes the identification and authentication of organizational and non-organizational users and the management of those systems.

 

IR - Incident Response

IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plans.

 

MA - Maintenance

The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used.

 

MP - Media Protection

The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use.

PS - Personnel Security

PS controls relate to how an organization protects its personnel through position risk, personnel screening, termination, transfers, sanctions, and access agreements.

PE - Physical and Environmental Protection

The Physical and Environmental Protection control family is implemented to protect systems, buildings, and supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection.

PL - Planning

The NIST SP 800-53 control PL family is specific to an organization's security planning policies and must address the purpose, scope, roles, responsibilities, management commitment, coordination among entities, and organizational compliance.

PM - Program Management

The PM control family is specific to who manages your cybersecurity program and how it operates. This includes but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture.

RA - Risk Assessment

The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. An integrated cyber risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.

CA - Security Assessment and Authorization

The Security Assessment and Authorization control family includes controls that supplement the execution of cybersecurity assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.

SC - System and Communications Protection

The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.

SI - System and Information Integrity

The SI control family correlates to controls that protect the system and information integrity. This control family includes NIST SI 7, which involves flaw remediation, malicious code protection, information system monitoring, security alerts, software, firmware integrity, and spam protection.

SA - System and Services Acquisition

The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.

A cyber risk management solution like CyberStrong can help streamline and harmonize an organization's cybersecurity efforts across multiple standards and guidelines, saving teams time, energy, and resources to comply continuously.

Learn about NIST 800-53 Rev 5 here

If you have questions about NIST SP 800 53, the NIST Cybersecurity Framework, cyber risk management, or how CyberStrong enables regulatory agencies to streamline and automate their compliance efforts, click here to schedule a conversation.

You may also like

How to Leverage the FAIR Model ...
on December 19, 2024

In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and ...

Kyndall Elliott
How to Effectively Communicate Top ...
on December 9, 2024

Effective cybersecurity reporting is more important than ever for CISOs, CIOs, and other security leaders in today's complex threat landscape. Reporting isn’t just about sharing ...

November Product Update
on November 27, 2024

The CyberSaint team has been working hard to deliver the latest updates to streamline and improve our customers’ user experience and address their top-of-mind challenges. We’re ...

Putting the “R” back in GRC - ...
on December 5, 2024

Cyber GRC (Governance, Risk, and Compliance) tools help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...