
What is NIST SP 800-53?


If you have run across a reference to NIST SP 800-53, you probably found it for a good reason. In case you haven’t yet figured out this much, NIST SP 800-53 is a set of federal regulations that were established in 2005. It should be noted that the standards have been updated five times since then, so they are still effective today. These regulations apply to the storage and use of sensitive computer data, specifically any data that originates with the Federal Government.

Is This A Law?

Yes and no. Technically, NIST SP 800-53 is not a law. The “SP” stands for “special publication.” As such, this was merely a set of recommendations from the National Institute of Standards and Technology. If you would like to read them in their entirety, they can be found here. The recommendations made in this report have since been turned into federal law.

The law in question is known as FISMA (Federal Information Security Management Act). It was meant to update the government’s aging data protection apparatus, but its provisions don’t apply to the average citizen. Instead, this law requires all federal agencies to follow the recommendations of NIST SP 800-53 when developing a cyber-defense program. All companies that do business with the federal government will also be required to follow these guidelines, especially if they are receiving any information from federal sources.

The Most Important Things To Control

Although some of its provisions might be hard to understand, NIST SP 800-53 identifies 18 key security areas that must be tightly controlled at all times. These are referred to as the “security control families,” and they consist of the following:

  1. Access Control: These regulations are meant to keep all unauthorized persons from gaining access.
  2. Audit And Accountability: These regulations establish protocols for auditing the security of the system and holding people accountable for any flaws or problems.
  3. Awareness And Training: Awareness of cyber-threats is one of the best ways to avoid them, so this is obviously an important matter.
  4. Configuration Management: All computers have settings that can be tweaked, and these regulations are about tweaking them for maximum security.
  5. Contingency Planning: In spite of all your best efforts, a breach of security can still happen. When it does, you need a “plan B.”
  6. Identification And Authentication: These regulations establish procedures for the authentication of all system users.
  7. Incident Response: When suspicious activity is detected, these regulations tell you how to respond.
  8. Maintenance: By keeping up to date with all the latest security patches, you can give yourself the best possible defenses. These regulations relate to maintenance methods and schedules.
  9. Media Protection: These regulations relate to the protection of all physical media (hard drives, disks, etc.).
  10. Personnel Security: These regulations are meant to guard against insider threats, which are a particularly large concern for the U.S. government.
  11. Physical And Environmental Protection: This one is self-explanatory.
  12. Planning: This one is also self-explanatory.
  13. Program Management: These regulations relate to the proper use of software programs so that they do not compromise overall security at any point.
  14. Risk Assessment: These regulations govern the way in which agencies and organizations can calculate their level of risk.
  15. Security Assessment And Authorization: This is merely an assessment of the current situation.
  16. System And Communications Protection: These regulations are meant to protect communications systems specifically.
  17. System And Information Integrity: These regulations are meant to keep information secure and unchanged, and to make sure it stays that way.
  18. System And Services Acquisition: These regulations govern the way in which covered federal agencies can acquire outside services.

How To Implement NIST SP 800-53

Even if you are not required by law to follow these standards, they still bear a second look. These standards are followed by all federal agencies except those directly concerned with national security. Obviously, there is a different set of standards for those agencies, and they aren’t going to be made public.

When implementing these regulations, you should start with a simple audit to determine how closely you are following the standards. This will be followed up (if necessary) by a rebuilding of your security system. Most of the guidelines in this law can be summed up with the phrase “build it correctly and monitor it constantly.”

This makes a lot of sense because network monitoring is one of the surest ways to keep a network secure. When you’re talking about sensitive government information, it would be foolish to neglect this kind of thing. There are all sorts of software tools that can help you monitor all the packets of information that pass across your network. As long as someone is there to watch, suspicious transactions can be spotted and stopped.
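The kind of monitoring described above (NIST SP 800-53 covers it under the System and Information Integrity family, control SI-4, System Monitoring) comes down to watching traffic against a baseline of what is expected and raising an alert when something falls outside it. The script below is an added example, not code from the original article or from NIST: it reads a few constructed network flow records in an invented, simplified format (timestamp, source, destination, destination port, bytes sent), and applies two basic checks that a monitoring tool might implement: outbound flows to destinations not on an approved allowlist, and any internal host whose total outbound volume in the window exceeds a threshold. The allowlist, the internal range and the threshold are all assumed values for illustration.

```python
"""Toy continuous-monitoring check over constructed network flow records.

Added example, not from the original article. The flow-record format
(timestamp src dst dst_port bytes_out) is invented for illustration;
real collectors (NetFlow, Zeek, etc.) have their own formats.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow records (hypothetical addresses and sizes).
SAMPLE_FLOWS = """\
2024-01-05T10:00:01Z 10.0.1.15 10.0.2.8 445 1200
2024-01-05T10:00:04Z 10.0.1.15 198.51.100.22 443 50000
2024-01-05T10:00:09Z 10.0.1.22 10.0.2.9 443 800
2024-01-05T10:01:30Z 10.0.1.15 198.51.100.22 443 4200000
2024-01-05T10:02:02Z 10.0.1.40 203.0.113.7 8443 900
"""

# Assumed baseline: which external destinations are approved, which
# addresses are internal, and how much outbound data per host is normal.
APPROVED_EXTERNAL = [ip_network("198.51.100.0/24")]
INTERNAL = [ip_network("10.0.0.0/8")]
VOLUME_THRESHOLD = 1_000_000  # bytes per source host in the window


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the simplified whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def _in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def find_alerts(flows):
    """Return (rule, host, detail) tuples for flows outside the baseline."""
    alerts = []
    outbound = defaultdict(int)
    for f in flows:
        # Internal-to-internal traffic is out of scope for these two rules.
        if _in_any(f.dst, INTERNAL):
            continue
        outbound[f.src] += f.nbytes
        if not _in_any(f.dst, APPROVED_EXTERNAL):
            alerts.append(("unapproved_destination", f.src, f.dst))
    # Volume rule runs after the pass so totals cover the whole window.
    for src, total in outbound.items():
        if total > VOLUME_THRESHOLD:
            alerts.append(("outbound_volume", src, total))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample records this flags one host talking to an address outside the allowlist and one host that sent well over the volume threshold to an approved destination; the second case is the reason to keep a volume rule alongside the allowlist, since an approved destination can still be the path for an unusual transfer.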


Compliance with federal regulations is never a simple matter, but we hope that we have given you a better idea about how all of this works. You should, of course, consult with the relevant government agency (or agencies) as you work to maintain compliance with these regulations, as they can provide much more reliable information than we can. By following these sensible safety standards, you can create a much more secure system. If we have helped you to do this, you can thank us by filling out the contact form below.