
Understanding the NIST 800-53 Risk Management Framework

How to Use NIST 800-53 (Fifth Revision) to Reduce Cybersecurity Risks


What is NIST 800-53?


The National Institute of Standards and Technology (NIST) created NIST 800-53 standards as guidance for agencies as they implement and mature information security systems that protect sensitive government information. These standards facilitate federal agencies’ requirements as outlined in the Federal Information Security Management Act (FISMA). NIST SP 800-53 outlines security controls agencies can adopt as part of their cybersecurity management best practices.

In this NIST 800-53 knowledgebase, we take a look at the history of the framework, examine what’s changed in the fifth revision of NIST SP 800-53, explore the guiding principles behind FISMA, overview who should be compliant with the framework, and share ideas about how you can crosswalk NIST 800-53 to other cybersecurity frameworks your organization uses to protect and secure your attack surface and sensitive data.

Here’s What You’ll Find:

What is NIST 800-53?

NIST 800-53 is a set of controls and standards agencies can use to build secure information security systems.

Build Your NIST 800-53 Strategy

A cybersecurity framework management platform can help you build your NIST 800-53 framework and ensure compliance.

Who Needs NIST 800-53?

Agencies are expected to meet NIST 800-53 compliance standards as part of FISMA and building secure information security systems.

What’s the Purpose of NIST 800-53?

The purpose of NIST 800-53 is to provide standards that help federal agencies meet FISMA requirements for information security.

What are NIST 800-53 Compliance Benefits?

In addition to meeting government requirements for agencies, there are a number of benefits of adopting NIST 800-53 controls.

Understanding NIST 800-53 Controls

There are more than 1,000 NIST 800-53 controls divided among 20 control families for policy, supervision, processes, and more.

NIST 800-53 Implementation Approaches

NIST 800-53 controls are not listed in order of importance or criticality. Instead, you can apply a NIST-recommended approach for control implementation.

NIST 800-53 Classifications

There are three classification levels for NIST SP 800-53 controls: low-impact baseline, moderate-impact baseline, and high-impact baseline.

NIST 800-53 Compliance Best Practices

Complying with security frameworks can be challenging, but these best practices can facilitate a successful implementation.

NIST 800-53 Webinar Snapshots

While you may know you need to be NIST 800-53 compliant, what about others? Learn more in on-demand webinars.

NIST 800-53 Frequently Asked Questions

Have questions about NIST 800-53? Do you need help understanding the role of NIST 800-53 with FISMA? Check out this FAQ for answers.

NIST 800-53 Marketplace

Searching for tools, guidance, and assistance with NIST 800-53 compliance? You can find them in the NIST 800-53 Marketplace.

The Apptega Solution for NIST 800-53

Apptega is the only solution you need to simplify management of all of your NIST 800-53 controls to ensure compliance.

Understanding NIST 800-53

NIST SP 800-53 is a set of standards that guide agencies in implementing and maturing their information security systems to protect sensitive government information. The National Institute of Standards and Technology (NIST) guides these standards, which span 20 control families and more than 1,000 base controls and control enhancements.

NIST first published these standards in 2005 to support compliance with the Federal Information Security Management Act (FISMA) of 2004, which requires agencies to develop and maintain minimum standards to protect federal information and federal information systems. The NIST 800-53 controls make up a cybersecurity risk management framework that can meet the FISMA requirements.

All federal agencies must be NIST 800-53 compliant and they had one year after publication to do so. Since then, there have been updates to the standards. The most current version is the fifth revision. Interestingly, this revision includes the removal of the word “federal” to clarify these standards are not just for federal agencies, but may be applicable to other organizations and to encourage more widespread use of this framework. NIST released the final version in September 2020.


NIST SP 800-53 v5 consists of 20 control families, an increase from 18 in the previous version, and more than 1,000 related controls. Here are some of the key changes in this fifth revision:

  • Adjustments to both technical content and structure
  • Controls are now outcome-based
  • Consolidation of the control catalog for systems and organizations
  • Supply chain risk management now included and integrated in other control families
  • Control selection process now separate from controls
  • Control baselines and other guidance moved to NIST SP 800-53B “Control Baselines for Information Systems and Organizations”
  • Clarifications between requirement and control relationships and security and privacy controls
  • New practice controls that address current threats

Simplify and Streamline NIST 800-53 Compliance with Apptega

Need help getting started on your NIST 800-53 compliance journey or are you ready to mature your existing cybersecurity practices and want to add some of the framework controls to your program? Apptega can help you tackle all of your ongoing cybersecurity needs, including the selection, implementation, and scaling of a variety of risk management and cybersecurity frameworks. Take your compliance practices to the next level with Apptega today.


NIST 800-53 Compliance Guide: Best Practices

Choosing, implementing, and maturing a cybersecurity and risk management framework is challenging, but your journey to compliance doesn’t have to be as difficult or time-consuming as you might think. In this NIST 800-53 compliance guide, you can learn more about the history and background of the framework, why compliance is important, and how adopting a risk management framework is an important part of your overall cybersecurity posture.

By applying NIST 800-53 controls, you can address your risk management processes through a three-tiered approach—one that begins at the organizational level, then addresses your business process level and then helps you address risks at the information security level.

Use this compliance guide to help you better understand NIST 800-53 controls and control families and baseline allocations regarding system impacts. You can also learn more about how to prepare for a NIST assessment and how using a cybersecurity framework management solution can help you ensure compliance while giving you comprehensive insights into all of your controls, tasks, responsibilities, and more.

What Our Customers Are Saying

Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

Desiree Davis
Operations Manager, Leap Credit

"I would absolutely recommend Apptega for anyone looking to elevate their compliance program from a static source to something that can be used to actively track and manage your compliance."

Jay Ferro
CEO, Quikrete

"I see products in the market that promise '30-day audits', but in reality that's not feasible or very sustainable. Great security and compliance is not a one-time event to check a box. Apptega is a long-term platform and partner that supports my entire business and our strategic goals."

Should My Organization be NIST 800-53 Compliant?

All federal agencies must comply with NIST 800-53 to protect federal information and federal information systems. The framework was first published in 2005, and all federal agencies were required to be compliant within one year. While this is a requirement for federal agencies, the NIST 800-53 risk management framework can also be used by other organizations of all sizes and across diverse industries. The framework is closely related to NIST 800-171, which is required for organizations that work with the federal government and access controlled unclassified information (CUI).

Unlike federal agencies that must adhere to all of the standards, non-federal agencies may find it beneficial to adopt some (or all) of the controls represented in NIST 800-53 and then identify areas where additional controls can be added over time to mature your risk management practices. Recently, NIST updated NIST 800-53 to remove the reference to “federal” in regard to applicable agencies and organizations.

Understanding the Purpose of NIST 800-53

As a result of FISMA, NIST developed Federal Information Processing Standards (FIPS), which are requirements for all federal agencies. The purpose of NIST 800-53 is to establish controls to safeguard systems and protect the integrity, availability, and confidentiality of information while managing information security risks. While the controls were originally designed for federal agencies, they’re applicable to any organization that processes, stores, or transmits sensitive data.

By creating these standards, NIST hopes to streamline best practices and improve information security systems and processes used within the federal government and its related agencies.

Agencies can begin their NIST 800-53 compliance journey by first reviewing FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 is a tool agencies can use to better understand federal information and information system categorization so they can determine security objectives should threat actors compromise their information systems.

FIPS 199 outlines three core security objectives:

  • Confidentiality
  • Integrity
  • Availability

From FIPS 199, agencies can use FIPS 200 to determine minimum security requirements for the information and information systems. FIPS 200 outlines 17 areas of minimum security requirements that federal agencies must adhere to:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation, and Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity

NIST 800-53 Compliance Benefits

There are many benefits to becoming NIST 800-53 compliant and adopting a risk management framework. Again, it’s worth pointing out that while the framework was created to guide federal agencies, these standards can benefit a range of organizations across most industries. If your organization processes, transmits, or stores sensitive or protected data, then you may find it beneficial to adopt these NIST controls.

Here are some of the benefits of NIST 800-53 compliance:

  • Establish baseline security standards and then mature your processes over time
  • A great resource to develop policies and procedures to protect your information security systems
  • Unify your security protocols under specific security groupings to identify, protect, detect, respond, and recover from cyber risks
  • Identify where you have vulnerabilities and other security weaknesses
  • As a non-federal agency, NIST 800-53 compliance could give you an edge over other non-compliant organizations when bidding on federal contracts
  • Protect and secure your entire attack surface, including modern assets like IoT and IIoT
  • Strengthen your security infrastructure across all of your environments
  • Being NIST 800-53 compliant is a component of meeting FISMA compliance
  • NIST 800-53 compliance can help you on your compliance journey for other standards such as PCI DSS, CMMC, NIST 800-171, and more

Apptega: End-to-End Management of Your NIST 800-53 Compliance Framework

Managing your NIST 800-53 compliance journey has never been easier, thanks to the automation, support, templates, task packs, and more in Apptega’s cybersecurity management platform.

  • Need help identifying gaps? Apptega’s questionnaire-based assessment means you can quickly discover where you have gaps and with auto-scoring, you’ll know which areas need your attention first.
  • Need to communicate your NIST 800-53 compliance progress? Apptega’s one-click reporting means you can quickly access all the data you need. And with customization, you can ensure you’re sharing the right message to the right people at the right time.
  • Need fast insight into your entire ecosystem? Apptega enables users to quickly connect everything with pre-built connectors and open API.
  • Need help adopting and implementing more than one cybersecurity framework? Apptega covers all of the most common frameworks and makes it easy to eliminate redundancy and overhead with Harmony and pre-built policies and templates.
  • Need help on your compliance journey? Apptega’s dashboard gives you instant insight into where you are with your control implementation at any time, and if you have questions or need help, an Apptega advisor is on standby ready to assist.

Understanding NIST 800-53 Controls

There are more than 1,000 base controls and control enhancements for NIST 800-53 that are dispersed across 20 control families. Each control grouping represents controls specific to each family topic.

The control families have both base controls and control enhancements directly related to the family. The purpose of a control enhancement is to either strengthen a base control or add functionality.

Why would your organization need or want to adopt control enhancements? Well, that depends on the complexity of your environment and maturity of your information security system. Based on your risk assessment, you may find that your information security practices would be stronger if they were supported by the control enhancements, in addition to the base controls.

Earlier, we shared the 17 minimum security standards outlined in FIPS 200. NIST 800-53 control families align with those minimum requirements and also include additional recommendations for supply chain risk management, program management, and personally identifiable information (PII) processing and transparency.

In the NIST publication and others, you’ll often find the controls listed in alphabetical order with related controls numbered in ascending order. It’s important to note here that although commonly listed this way, it doesn’t mean you should start with the first control family and first base control and then work forward in a progression or specific order. Instead, your organization should evaluate which controls are most applicable for your specific needs, goals, and critical systems and data. Remember, federal agencies must meet all controls, regardless of family or positioning.

Here is a quick look at the 20 control families:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Assessment, Authorization, and Monitoring
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Program Management
14. Personnel Security
15. PII Processing and Transparency
16. Risk Assessment
17. System and Services Acquisition
18. System and Communications Protection
19. System and Information Integrity
20. Supply Chain Risk Management

How to Approach NIST 800-53 Control Implementation

NIST 800-53 controls are not listed in a progressive order, which can make it challenging for some organizations when it comes to creating an implementation plan. And, if you’re a federal agency, you can’t cherry pick which controls you want to adopt. NIST 800-53 compliance means you’ll need to implement them all. With more than 1,000 controls, where do you begin?

NIST offers guidance on three approaches for control implementation. Each implementation approach defines the scope and applicability of each control, the control’s shared nature and inheritability, as well as outlining who is responsible for each control’s development, implementation, assessment, and authorization.

Each of the three approaches provides organizations with objectives and focus so you can understand which controls you should select and implement in the most effective manner so you can ensure you’re meeting security and privacy requirements. Consider aligning your implementation approach with your system development lifecycle.

1. Common control implementation
2. System-specific implementation
3. Hybrid implementation

NIST 800-53 Control Classifications

In addition to the control family groupings and implementation approaches, all of the NIST 800-53 controls are differentiated by a classification, which is associated with potential impact level. These classifications align with FIPS 199 security objectives discussed earlier: confidentiality, integrity, and availability.

Here’s a quick look at each level and what they mean:

Low-impact baseline
Moderate-impact baseline
High-impact baseline

Low-impact baseline

The potential impacts related to all three of the security objectives (confidentiality, integrity and availability) are low. The potential impact is considered to be low if the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on operations, assets, or individuals.


Moderate-impact baseline

The potential impact related to at least one of the three security objectives (confidentiality, integrity and availability) is moderate, and none of the potential impacts are greater than moderate. The potential impact is considered to be moderate if the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on operations, assets, or individuals.


High-impact baseline

The potential impact related to at least one of the security objectives (confidentiality, integrity and availability) is high. The potential impact is considered to be high if the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic effect on operations, assets, or individuals.
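The three definitions above amount to a high-water mark over the confidentiality, integrity, and availability ratings. The following is an added example, not code from NIST or Apptega: it applies that rule to a system holding several information types, which goes one step beyond the text by using the FIPS 199 convention that a system takes the highest rating per objective across the information it holds. The information types and their ratings are constructed for illustration.

```python
# Added example: FIPS 199 high-water-mark categorization and baseline selection.
from enum import IntEnum

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


def parse_impact(value):
    """Turn 'low' / 'Moderate' / 'HIGH' into an Impact; reject anything else."""
    try:
        return Impact[value.strip().upper()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown impact level: {value!r}") from None


def categorize_system(info_types):
    """Return the per-objective high-water mark across all information types.

    info_types maps a name to {objective: level}. A missing rating is an
    error rather than an implicit LOW, so an incomplete inventory cannot
    quietly produce a lower baseline.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    system = dict.fromkeys(OBJECTIVES, Impact.LOW)
    for name, ratings in info_types.items():
        missing = [o for o in OBJECTIVES if o not in ratings]
        if missing:
            raise ValueError(f"{name}: no rating for {', '.join(missing)}")
        for objective in OBJECTIVES:
            level = parse_impact(ratings[objective])
            system[objective] = max(system[objective], level)
    return system


def select_baseline(system):
    """LOW only if all three objectives are LOW; otherwise the highest rating."""
    return max(system[o] for o in OBJECTIVES)


def baseline_drivers(info_types):
    """Names of the information types whose ratings reach the selected baseline."""
    top = select_baseline(categorize_system(info_types))
    return sorted(
        name
        for name, ratings in info_types.items()
        if any(parse_impact(ratings[o]) == top for o in OBJECTIVES)
    )


def security_category(system):
    """Render the result in the FIPS 199 'SC = {...}' notation."""
    pairs = ", ".join(f"({o}, {system[o].name})" for o in OBJECTIVES)
    return f"SC = {{{pairs}}}"


# Constructed sample inventory (illustrative names and ratings).
SAMPLE_INFO_TYPES = {
    "public web content": {
        "confidentiality": "low", "integrity": "moderate", "availability": "low",
    },
    "employee PII": {
        "confidentiality": "moderate", "integrity": "moderate", "availability": "low",
    },
    "building access logs": {
        "confidentiality": "low", "integrity": "low", "availability": "low",
    },
}

if __name__ == "__main__":
    system = categorize_system(SAMPLE_INFO_TYPES)
    print(security_category(system))
    print("Baseline:", select_baseline(system).name.lower() + "-impact")
    print("Driven by:", ", ".join(baseline_drivers(SAMPLE_INFO_TYPES)))
```

Listing the information types that drive the baseline shows which data would have to move to another system before a lower baseline could apply.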



NIST 800-53 Best Practices

NIST 800-53 controls define best practices for implementing and maturing your information security systems to ensure availability and security of sensitive data, but there are some other recommendations you can also implement to protect and secure your information security systems.

One way to do this is by taking a structured approach to risk management. It looks like this:

1. Categorize your information system based on responsibilities, the environment, and roles
2. Determine which security controls you need based on your security categorization from FIPS 199
3. Implement the security controls
4. Document how your security controls are implemented throughout your systems
5. Assess if the controls are functioning properly
6. Identify gaps or areas of weakness
7. Monitor your controls as your environment changes and evolves
8. Test your controls often for effectiveness and make adjustments as needed

Here are a few other ideas to consider and questions to ask:

  • Where is all of your sensitive data processed, stored, and transmitted? Don’t forget third-party relationships.
  • How critical is this data/system for your operations and compliance?
  • Which users should be authorized to access this data and how much can they access?
  • Are you routinely reviewing and auditing your controls and processes?
  • Have you educated and trained your employees about what your controls are, why they’re needed, and what to do if there is an issue?
  • Are you creating reports about your program effectiveness and sharing those reports to your executive and key stakeholders?
  • Are you continuously monitoring your information security systems for weaknesses and vulnerabilities?
  • Do you have a plan to remediate and mitigate these risks?
  • Have you established a level of acceptable risk for your organization and do you know what to do when a new system, process, or application exceeds acceptable risk?
  • Are you keeping (and reviewing) logs of all event activity?
  • Are you routinely participating in internal and external audits (and penetration testing) to determine control effectiveness and compliance?

Ensuring NIST 800-53 Compliance

Unlike some other cybersecurity frameworks, you don’t have to complete a formal certification process to be NIST 800-53 compliant; however, compliance with this framework is part of the FISMA Certification and Accreditation (C&A) process. Also, it’s important to remember that if you’re a federal agency, you’re expected to be able to prove you’re NIST 800-53 compliant and that the controls you’ve adopted based on the framework's standards function as intended.

As with most compliance metrics, documentation is key, especially for a compliance assessment. Whether you’re subject to a formal assessment or are ready to conduct an internal audit to review framework effectiveness, here are a few steps you can take for success.

  • First, review your security and privacy controls. Which do you want to review for this assessment?
  • Second, select the specific procedures related to each privacy and security control you want to assess. Don’t forget to include documentation such as existing policies and written procedures.
  • Next, conduct the procedures and then assess the effectiveness of each control.
  • Next, analyze and document results, not just what worked properly, but also where you have gaps or weaknesses.
  • Make a plan to address those gaps.
  • Follow up and re-assess controls after you’ve implemented gap remediation processes.
  • Repeat on a routine basis.

Need help reviewing your NIST 800-53 controls?

Contact an Apptega advisor today.

Achieving NIST 800-53 Compliance for FISMA Certification

While there isn’t a specific certification, becoming NIST 800-53 compliant is a component of FISMA certification.

As part of the Federal Information Security Management Act of 2002, all federal agencies must develop, implement, and document a risk management and cybersecurity program that protects federal information and federal information security systems. NIST’s Special Publication series 800 provides agencies with guidelines to meet FISMA requirements. Additionally, if you are a state agency that manages federal programs, for example, unemployment insurance, or if you’re a contractor or subcontractor that wants to do business with a federal agency, you should be FISMA compliant.

The first step in becoming FISMA compliant is to select, implement, and test security controls outlined in the NIST SP 800 series, as well as FIPS 199 and FIPS 200. You’ll also need to complete risk assessments, categorize your risks, complete an inventory of all of your information systems, how you use them and where they are located, and develop a System Security Plan (SSP).

Once you’ve successfully implemented these steps, you’ll need to conduct an annual security review that demonstrates your information security systems are FISMA compliant.

There is also an official FISMA Certification and Accreditation (C&A) process. Based on guidance from the FISMA Center and outlined in NIST SP 800-37, the C&A process has four phases:

1. Initiation: This phase includes preparation, notification and resource identification, and system security plan analysis with updates and acceptance.

2. Security Certification: This phase includes security control assessments and security certification documentation to demonstrate your controls are implemented correctly, functioning as intended, and producing the expected outcome. You’ll also need to address deficiencies and correct issues in this phase.

3. Security Accreditation: This phase is where the authorizing official makes a security accreditation decision, which, if successful, will include approval to operate (Authority to Operate) the information system (or with specific terms and conditions). If not successful, there will be a denial of operation.

4. Continuous Monitoring: This phase includes ongoing configuration management and control, continuous security monitoring, and status reports and documentation for ongoing oversight and should be completed throughout the information system’s lifecycle.

If you successfully complete the C&A and are granted an Authority to Operate, it is valid for three years, at which time you must undergo steps for renewal.

To learn more about the FISMA C&A process, visit https://www.fismacenter.com/SP800-37-final.pdf.

Simplify Management of NIST 800-53 and Other Frameworks with Apptega

There’s never been a more simplified way to manage your NIST 800-53 compliance journey—and crosswalk it with other controls and frameworks your organization uses today. With Apptega’s Intelligent Framework Mapping Tool, Harmony, you can map your frameworks with unlimited combinations.

Here are some other key Harmony features:

  • One-click reporting for individual frameworks or for your mapped programs
  • Replicated actions for all paired sub-controls so a change to one is automatically done in another
  • Ability to “uncouple” sub-controls any time you want to remove a mapped program
  • Increase efficiencies by more than 50% for time, effort, and resources in your cybersecurity program
  • Confidence you’re no longer duplicating work across related controls.

NIST 800-53 Blogs

NIST Background

Why Use NIST 800-53?

NIST 800-53 standards are applicable to all federal agencies and indirectly, through NIST 800-171, to contractors and other organizations that do business with the federal government and process, store, or transmit sensitive data. These standards help agencies design, implement, and mature their information security systems. This blog explores how the NIST risk management framework and NIST cybersecurity framework build stronger information security programs and the role NIST 800-53 plays in information security.


Choose the Right Framework to Better Navigate the Convergence of Data Privacy and Cybersecurity

If you’re a federal agency, you’ll need to be compliant with NIST 800-53 standards, but is this the only framework you need? Depending on the size, complexity, and compliance requirements for your organization, you may benefit from adopting other cybersecurity frameworks as well. So which is best for your organization? Do you need ISO? PCI DSS? CMMC? Something else? This blog explores some common frameworks and what they do to help you have a better understanding of frameworks that can benefit you today and support scalability for tomorrow.


NIST 800-53 Webinars


How to Choose Which Cybersecurity Framework to Follow

There are more than 20 major cybersecurity frameworks on the market today. You may already be using one because of your industry compliance standards. But are there others that can help you? Are you already successfully using controls for one framework that apply to another? Not sure which to choose or how to begin? In this webinar, you can explore:

• Common cybersecurity frameworks
• How organizations use these frameworks
• Where there are commonalities between frameworks
• What differentiates each framework from others
• How to manage the frameworks you implement


Secrets To Passing A Cybersecurity Audit: An Auditor's Perspective

Whether you’re doing an internal audit or are subject to a formal review, preparing for, and passing, an audit is often time-consuming, document-laden, and stressful. But it doesn’t have to be. In this webinar, hear from a panel of experts who have successfully tackled and passed a variety of audit types across a spectrum of industries. Watch now to learn:

• Best practices for audit preparation
• Tips from industry pros
• Common failures in the audit process
• How to mitigate risk for audit success
• How to gather what you need to support auditor requests


NIST 800-53 Marketplace


Searching for Tools, Guidance, and help with NIST 800-53 compliance?

The NIST 800-53 Marketplace in CyberXchange is mapped to all the controls defined in the NIST 800-53 framework. For each gap or compliance issue, you can find solutions that are mapped to your specific needs. The best part? No more guesswork. The research is already done for you. Join thousands of CISOs, CIOs and other cyber professionals in finding perfect-fit solutions.

Frequently Asked Questions about NIST 800-53 (FAQs)

What is NIST 800-53?
NIST SP 800-53 is a set of standards from the National Institute of Standards and Technology (NIST) that helps federal agencies meet requirements from the Federal Information Security Management Act (FISMA) to develop, implement, and mature information security programs that protect sensitive federal information and information security systems. While NIST 800-53 was developed for federal agencies, organizations of all sizes and across all industries that store, process, or transmit sensitive data may find it helpful to adopt some or all of NIST 800-53 base controls and control enhancements.
Who oversees NIST 800-53?
The National Institute of Standards and Technology (NIST) oversees NIST 800-53 and other standards that are recognized as best practices for cybersecurity and risk management programs. NIST also oversees NIST 800-171, which sets security standards for organizations working directly with the federal government that want to bid on or renew contracts with the government.
What is risk management?
Related to cybersecurity, risk management includes all of the processes, policies, and controls you use to determine risk for your organization and the plans you make to protect your attack surface from cyber threats. A risk management framework, like NIST 800-53, outlines ways you can approach risk management to better secure your enterprise.
Is there a NIST 800-53 certification?
No. There is not a formal NIST 800-53 certification; however, becoming NIST 800-53 compliant is part of earning a FISMA certification. Also, all federal agencies must be compliant with all NIST 800-53 standards and must be able to prove they have successfully implemented NIST 800-53 controls and that these controls function as intended.
What is the most current version of NIST 800-53?

The most current version of NIST 800-53 is Revision 5, which NIST released on Sept. 23, 2020. This version reflects an increase in control families, from 18 to 20, and even more controls, which now number more than 1,000. NIST adapted this version to be more in line with today’s threat landscape and added new components, including new state-of-the-art practice controls and integrated supply chain risk management. To see the most recent version, visit https://csrc.nist.gov/News/2020/sp-800-53-revision-5-published.

What is FISMA and how is it related to NIST 800-53?
FISMA is the Federal Information Security Management Act and part of the E-Government Act of 2002. FISMA outlines the importance of information security for federal agencies and establishes requirements for these agencies to protect federal information and federal information systems. NIST is responsible for establishing and updating standards and other compliance documents to meet FISMA requirements. One of those sets of standards is NIST 800-53, a risk management framework, that establishes base controls and control enhancements federal agencies are expected to adopt to meet FISMA mandates.
Are NIST 800-53 and NIST 800-171 the same?

No. NIST 800-53 and NIST 800-171 are not the same, but they do serve similar, closely related purposes. Both are standards and controls to protect sensitive information. NIST 800-53 is guidance for federal agencies, which are required to be compliant. NIST 800-171 standards are applicable to non-federal agencies that work with federal agencies and process, transmit, or store controlled unclassified information (CUI). NIST 800-171 compliance, as well as compliance with the new Cybersecurity Maturity Model Certification (CMMC), is required for all RFPs and RFIs.

Should my organization be compliant with NIST 800-53?
If you are a federal agency, you must be compliant with NIST 800-53. However, even if you’re not, if you process, store, or transmit sensitive data, you may find it beneficial to implement NIST 800-53 controls.
What happens if I am not NIST 800-53 compliant?
If you are a federal agency and you are not NIST 800-53 compliant, then you cannot successfully pass the FISMA C&A process. If you are not FISMA certified, then as an organization that works with the federal government, for example a state agency that manages Medicaid, you could lose your federal funding. Private sector contractors that are not FISMA compliant may lose existing contracts and the ability to bid on future contracts as well.
Can I map my NIST 800-53 framework to others?
Yes. You can map your NIST 800-53 framework to others. This is often referred to as crosswalking. While some organizations attempt this mapping through static documents such as spreadsheets, you may find it easier—and more effective—to use a cybersecurity framework management solution like Apptega for insight into all your controls and frameworks in a single dashboard.
What’s the difference between NIST 800-53 and ISO 27001?
NIST 800-53 and ISO 27001 have some commonalities, like a focus on risk and cybersecurity, but they are also different. In general, ISO 27001 isn’t as technical as the more than 1,000 controls outlined in NIST 800-53. You can use NIST 800-53 as part of your FISMA certification; however, ISO 27001 has a specific certification to demonstrate that you meet the ISO 27001 standards.
Where can I find compliance resources for NIST 800-53?

NIST 800-53 compliance resources are in the NIST 800-53 Marketplace in CyberXchange. In the marketplace, you can quickly access products and services to help you with NIST 800-53 compliance, including access to consultants with expertise in your specific compliance areas.

The Best Resource for Your NIST 800-53 Compliance Journey

Improve your NIST 800-53 compliance journey with Apptega by streamlining and automating tasks, getting insight into all of your controls, and simplifying crosswalking of multiple cybersecurity frameworks.

With Apptega, you can develop, manage, and report on your NIST 800-53 framework, all from a single, easy-to-understand dashboard. It gives you insight into where you have gaps and weaknesses, so you know what to fix before an assessment and can stay ahead of attackers who want to exploit your vulnerabilities and put your sensitive data at risk.

Apptega supports all of the 20 control families in NIST 800-53. It can help you meet all of your FISMA requirements and help you mature your information security program to keep sensitive data safe.

Here are some of the key features of Apptega:

  • In one platform, you can simplify management of all of your cybersecurity frameworks
  • Insight into where you are on your compliance journey and recommendations to close security gaps
  • Integrated Task Packs to fast-track the setup and assignment of remediation projects
  • Access to an ever-growing library of cybersecurity and privacy frameworks
  • Pre-built templates for an increasing number of policies and other security needs
  • The ability to quickly generate customized reports so you can share program status with key stakeholders
  • Instant access to cybersecurity software and other services that meet your organization’s specific needs
  • End-to-end cybersecurity and compliance management
