nist 800-53 controls

Key Considerations for NIST 800-53 Control Family Selection

Kyle Morris

Senior Compliance Success Manager

Summary: Key Considerations for NIST 800-53 Control Families, How They Work, and How to Get Started With Implementing Them.

As an information security professional, you understand the critical importance of selecting the right set of security controls to protect your organization’s data and IT systems. The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides a catalog of security controls and control enhancements that can help strengthen the cybersecurity posture of federal agencies and private sector organizations. Within the NIST 800-53 framework are 17 control families that group related controls and span the range of security topics from access control to system and services acquisition. Choosing the appropriate control families to implement for your organization is a key first step to building a robust security program aligned with the NIST 800-53 guidelines. 

What Are NIST SP 800-53 Control Families?

The NIST SP 800-53 control families provide a structured set of information security controls for federal information systems and organizations. They are published by NIST as Special Publication 800-53 Revision 5 and are mandatory for federal information systems, but are also widely adopted in the private sector as a benchmark for best practices in information security. The control families within NIST 800-53 include:

  • Access Control: Focuses on managing access to resources and protecting system components.
  • Awareness and Training: Ensures personnel are adequately trained to carry out their information security-related duties and responsibilities.
  • Audit and Accountability: Supports the assessment of information system controls and compliance with security requirements.
  • Security Assessment and Authorization: Focuses on assessing the security controls in information systems and authorizing systems to operate.
  • Configuration Management: Establishes and maintains control over system configurations and system components.
  • Contingency Planning: Ensures the ability to continue essential missions and business functions despite disruptions.
  • Identification and Authentication: Ensures users are properly identified and authenticated before accessing agency information systems.
  • Incident Response: Ensures agencies have the necessary capabilities to detect, analyze, and respond to information security incidents.
  • Maintenance: Ensures information systems and components are properly maintained to minimize downtime and vulnerabilities.
  • Media Protection: Ensures data, both electronic and physical, are properly protected throughout their life cycle.
  • Physical and Environmental Protection: Ensures adequate physical security controls for facilities, equipment, and data.
  • Planning: Ensures information security requirements are integrated into the system development life cycle.
  • Personnel Security: Ensures personnel have appropriate access authorizations for the systems and data they use.Risk Assessment: Ensures risks from the operation and use of information systems are properly analyzed and mitigated.
  • System and Services Acquisition: Ensures information systems are developed, acquired, and maintained using risk-based and integrated processes.
  • System and Communications Protection: Ensures the protection of information systems and the data transmitted by those systems.
  • System and Information Integrity: Ensures systems and data maintain integrity and are not improperly modified.
nist controls scytale

How NIST SP 800-53 Control Families Work

The NIST 800-53 control families allow you to focus on certain areas of cybersecurity. For example, the Access Control family helps you manage access to assets, the Awareness and Training family helps you address security skills and knowledge, and the Risk Assessment family helps you identify and assess risks.

Some families are more technical, focusing on topics like cryptography or system and communications protection. Other families are more administrative, concentrating on areas such as personnel security or planning. The control families work together to provide comprehensive security coverage.

The NIST control families provide a structured way to view and select controls. You can focus on one control family at a time based on the specific needs of your system or organization. Within each control family are a set of related controls. For example, the Access Control family contains controls around account management, access enforcement, and separation of duties. The Audit and Accountability family focuses on controls to support auditing organizational systems and the events within those systems.

How to Get Started With NIST SP 800-53 Control Families

To begin implementing NIST 800-53 controls, follow these steps:

  1. Review your systems and security requirements. Determine which control families are most relevant and important for your needs. Some may be mandatory, depending on regulations like FISMA.
  2. Select the specific controls within the families that you will implement. Not all controls need to be implemented, but you must justify exclusions. Start with the basic and high-value controls.
  3. Develop control implementation procedures and policies. Figure out how each control will actually be carried out and documented in your organization.
  4. Monitor and assess the effectiveness of the controls. Make adjustments and updates as needed to ensure continued security and compliance.

Using the NIST 800-53 control families systemically and thoroughly can help strengthen your organization’s information security posture and enable compliance with regulations like FISMA. With time and practice, the control selection and implementation process will become more efficient and streamlined.

The NIST 800-53 provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.

To utilize the NIST security control families, you should first gain an understanding of your system security and privacy needs. Review risk assessments, compliance frameworks, and organizational policies that apply to gain insight into priority areas. Once you have a sense of focus, explore the related control families. Select controls within those families that meet the identified needs. You may need to refine or adjust controls to best suit your system and environment. Document the controls selected and how they have been tailored to your system. The selected and tailored set of controls can then be implemented to strengthen your system security and privacy posture.

Using the NIST 800-53 control families as a starting point allows you to leverage a standardized set of vetted controls, then customize them to best meet your unique requirements. The control families provide an efficient way to view related controls in one place, making the selection and tailoring process easier. With over 900 controls in NIST 800-53, the control family organization is essential for navigating and applying the catalog.


Selecting appropriate NIST 800-53 control families is a critical first step to building a comprehensive cybersecurity program aligned with industry standards. By understanding the different families, how they work together, and how to get started with implementation, you can craft security controls tailored to your organization’s specific risks and needs. 

With the right compliance software, controls in place and a continuous monitoring process to ensure their effectiveness over time, you will be well on your way to achieving compliance, reducing vulnerabilities, and ultimately improving your organization’s security posture. The benefits of this investment in cybersecurity far outweigh the costs. Now is the time to take action.