Security and Privacy Controls for Information Systems and Organizations

See the Errata (beginning on p. xvii) for a list of updates to the original publication.

New supplemental materials are also available:

Author(s)

Joint Task Force

Abstract

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.

Keywords

assurance ; availability ; computer security ; confidentiality ; control ; cybersecurity ; FISMA ; information security ; information system ; integrity ; personally identifiable information ; Privacy Act ; privacy controls ; privacy functions ; privacy requirements ; Risk Management Framework ; security controls ; security functions ; security requirements ; system ; system security

Control Families

Access Control ; Audit and Accountability ; Awareness and Training ; Configuration Management ; Contingency Planning ; Assessment, Authorization and Monitoring ; Identification and Authentication ; Incident Response ; Maintenance ; Media Protection ; Personnel Security ; Physical and Environmental Protection ; Planning ; Risk Assessment ; System and Services Acquisition ; System and Information Integrity ; System and Communications Protection ; Program Management ; PII Processing and Transparency ; Supply Chain Risk Management

Documentation

Other Parts of this Publication:
SP 800-53B

Document History:
12/10/20: SP 800-53 Rev. 5 (Final)