Enhancing cybersecurity risk management with NIST 800-53

The NIST 800-53 standard offers solid guidance for how organizations should select and maintain customized security and privacy controls for their information systems. NIST SP 800-53 Revision 5 is a cybersecurity risk management tool for CIOs and CISOs. This framework provides a benchmark for cyber risk quantification, so security leaders can assess risks, measure outcomes, and communicate with C-level executives about where budgeting should be set for cybersecurity. 

With this guide, learn how to navigate the evolving landscape of cybersecurity risk management and apply NIST 800-53 compliance practices to your organization. 

What is NIST 800-53? 

NIST 800-53 is a security compliance standard created by the U.S. Department of Commerce and the National Institute of Standards in Technology (NIST) in response to cybersecurity threats from national adversaries. 

It was first instituted in 2005 and has gone through several revisions over the last decade and a half. In 2019 the 5th revision was published. As digital technology has integrated more with our infrastructure and work environments, the standard has evolved to integrate privacy and security controls as well as promote integration with cybersecurity and risk management initiatives. 

It contributes to the scope of the Federal Information Processing Standards (FIPS). FIPS requires that organizations implement a minimum baseline of security controls as defined in NIST 800-53. Additionally, NIST aids organizations in compliance with the Federal Information Security Modernization Act (FISMA), which includes privacy and security guidelines as part of administering federal programs.

While the standard is mandatory for information systems associated with the federal government, it is voluntary for private organizations to adopt NIST 800-53. To that end, it is not a set of rules, controls, or tools. Rather, it offers processes that help organizations to measure the maturity of their current cybersecurity and risk management systems to take steps to strengthen them.

What is the goal of NIST 800-53?

It is a framework of guidelines and standards for companies to better manage and reduce cybersecurity risks. Once adopted, the NIST 800-53 provides a framework of privacy and security controls for protecting against a variety of threats, from natural disasters to hostile attacks. 

Who must comply? 

NIST 800-53 is mandatory for all organizations associated with federal information systems. However, its guidelines are voluntary for any organization (state, local, tribal governments; private companies, including SMBs and enterprises) operating an information system with sensitive or regulated data. 

What are the benefits?

The most prominent benefit of NIST 800-53 is more secure information systems. Organizations that adopt the standard have a much better way of meeting the challenge of selecting the appropriate basic security controls, policies, and procedures to protect information security and privacy. 

The standards laid out in NIST 800-53 are easy to understand and apply. It is meant to be customized; organizations can prioritize the activities that will help them improve their security systems. Additionally, as a technology-agnostic framework, it encourages organizations to use systems that will help them comply with other regulations and programs like HIPAA, DFARS, PCI DSS, and GDPR. 

It is risk-based — it helps organizations determine which assets are most at risk and take steps to protect them first. It allows the cybersecurity leadership team to: 

  • Gain a better understanding of current security risks
  • Prioritize the activities that are the most critical
  • Identify mitigation strategies
  • Evaluate potential tools and processes
  • Measure the ROI of cybersecurity investments

Finally, NIST 800-53 helps cybersecurity leaders with cyber risk quantification, measuring the risk to a business or organization. With a benchmark for potential threats and pitfalls, the CIO and CISO can communicate effectively with all stakeholders, including IT, business, and executive teams.

Security Controls

NIST 800-53 has a broad catalog of security and privacy controls and guidance for selection. Every organization has unique compliance requirements – they can choose controls based on the protection requirements of their content types. This starts with a careful risk assessment and analysis of the impact of incidents on different data and information systems. FIPS 199 defines three impact levels:

  • Low — Loss would have a limited adverse impact.
  • Moderate — Loss would have a serious adverse impact.
  • High — Loss would have a catastrophic impact.

Security Control Families

NIST 800-53 controls are allocated into the following 20 families:

ID  Family Name Examples of Controls
ACAccess ControlAccount management and monitoring; least privilege; separation of duties
ATAwareness and TrainingUser training on security threats; technical training for privileged users
AUAudit and AccountabilityContent of audit records; analysis and reporting; record retention
CAAssessment, Authorization, and MonitoringConnections to public networks and external systems; penetration testing
CMConfiguration ManagementAuthorized software policies, configuration change control
CPContingency PlanningAlternate processing and storage sites; business continuity strategies; testing
IAIdentification and AuthenticationAuthentication policies for users, devices, and services; credential management
IPIndividual ParticipationConsent and privacy authorization
IRIncident ResponseIncident response training, monitoring, and reporting
MAMaintenanceSystem, personnel, and tool maintenance
MPMedia ProtectionAccess, storage, transport, sanitization, and use of media
PAPrivacy AuthorizationCollection, use, and sharing of personally identifiable information (PII)
PEPhysical and Environment ProtectionPhysical access; emergency power; fire protection; temperature control
PLPlanningSocial media and networking restrictions; defense-in-depth security architecture
PMProgram ManagementRisk management strategy; insider threat program; enterprise architecture
PSPersonnel SecurityPersonnel screening, termination, and transfer; external personnel; sanctions
RARisk AssessmentRisk assessment; vulnerability scanning; privacy impact assessment
SASystem and Services AcquisitionSystem development lifecycle; acquisition process; supply chain risk management
SCSystem and Communications ProtectionApplication partitioning; boundary protection; cryptographic key management
SISystem and Information IntegrityFlaw remediation; system monitoring and alerting


How to achieve NIST 800-53 compliance

Achieving NIST 800-53 compliance begins with an audit of existing information and security systems. The following are the best practices to aid in selecting and implementing the appropriate measures for NIST 800-53 compliance.

  • Identify your sensitive data. Find out what kind of data the organization deals with; where it is stored; and how it is received, maintained, and transferred. Sensitive data is not always centrally located – it can be in multiple systems and applications.  
  • Classify sensitive data. What is the value and sensitivity of the data? Assign each information type an impact value (low, moderate, or high) for each security objective (confidentiality, integrity, and availability), and categorize it at the highest impact level. Consider FIPS 199 for relevant security categories and impact levels that relate to your organizational goals, mission, and business success. Automate discovery and classification to streamline the process and ensure consistent, reliable results.
  • Evaluate your current level of cybersecurity with a risk assessment. A risk assessment involves identifying risks, assessing the likelihood of their occurrence and impact, taking steps to mitigate the most critical risks, and then assessing the effectiveness of those steps.
  • Document a plan to improve your policies and procedures. What controls fulfill the specific business needs? The extent and rigor of the selection process should be proportional to the impact level of the risk being mitigated. Record the plan and rationale for each policy and procedure.
  • Provide ongoing employee training. Educate all employees on access governance and cybersecurity best practices, such as how to identify and report malware.
  • Make compliance an ongoing process. Once the system is in compliance with NIST 800-53, it is a matter of maintenance and consistent improvement based on system audits, changes to security standards, or a security incident. 

See how rapid change is affecting cybersecurity. 

Recent media coverage is inundated with ever-more-sophisticated cyber attacks. RedMonocle has produced an industry intelligence report detailing CISOs strategies for responding across five critical areas. Download this free resource today.

Get the Report


Nichole Kelly

Nichole Kelly

Vice President of Growth

Nichole Kelly brings over two decades of experience in growing organizations top line and bottom line revenue. As one of the leading marketing influencers she is the author of "How to Measure Social Media" and has traveled the world teaching marketers how to build and execute ROI-driven marketing strategies at every major marketing conference. Also an entrepreneur, Kelly was also the founder of SME Digital, a digital marketing agency that was sold to Renegade Marketing.

Kelly leads an active life of service and is the founder of The Bipolar Executive blog and podcast. This project is  designed to help shift the conversation around mental illness to one of mental wellness in Corporate America. 

Kelly holds a Bachelor’s Degree in Business Administration with a minor in Marketing from Saint Leo University.

Connect on my blog The Bipolar Executive

Connect on LinkedIn

Chris Schroeder

Vice President of Engineering, Co-Founder

Chris Schroeder has over 25 years of experience in large complex IT environments from the Fortune 500 to the federal government. Chris has an extensive technology background in mobility, infrastructure operations, and data analytics. Schroeder is a seasoned entrepreneur and co-founder of App47 and the Vice President of Engineering and co-founder of RealOps (sold to BMC).

Chris is an active volunteer in his community coaching boys and girls lacrosse, supporting high school STEM programs, and serving on the Pastoral Council. 

Schroeder holds a Bachelor’s Degree in Computer Science from Radford University and a Masters Degree in Technology Engineering from George Washington University.

Connect on LinkedIn

Sean McDermott

President & CEO, Founder

Sean McDermott’s curiosity for advancing technology began at his first job as a network engineer/architect installing and managing the first private internet for the U.S. Department of Justice. At a time when the internet was just taking off, McDermott was at the forefront and has continued to be on the cutting edge of technology leading Fortune 500 companies through the dot-com bust, 9/11 and the 2008 recession. Sean has over three decades of experience working with CIOs in the Fortune 500 to trail blaze innovation and protect the IT infrastructure of the largest commercial and federal organizations in the world. 

McDermott is a mission-driven, serial entrepreneur who founded Windward Consulting Group, RealOps, Inc. (sold to BMC), App47 and RedMonocle. He is also the founder of the Windward Foundation and Alzheimer’s Caregiver Alliance, an organization dedicated to easing the burden of caregiving for individuals and families touched by Alzheimer’s disease.

McDermott is a member of the Forbes Tech Council and has been featured in Security Boulevard, TechRepublic, IT Visionaries, APM Digest, Inside BigData, DevPro Journal, IT Toolbox and more. He  holds a Bachelor’s Degree in Electrical Engineering from Villanova University and a Masters in Engineering Management from The Catholic University of America. 

Connect on my blog Wheels up World 

Connect on LinkedIn