This is an archive
(replace .gov by .rip)

FISMA Implementation Project FISMA

Security Controls

Security and Privacy Controls for Federal Information Systems and Organizations

**Note: All reference to SP 800-53 on this page refers to SP 800-53 Revision 4.**

The purpose of Special Publication 800-53 is to provide guidelines for selecting and specifying security controls for systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure systems within the federal government by:

  • Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for systems;
  • Providing a recommendation for minimum security controls for systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems;
  • Providing a stable, yet flexible catalog of security controls for systems to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies; and
  • Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness.

The guidelines provided in NIST Special Publication 800-53 are applicable to all federal systems1 other than those systems designated as national security systems as defined in 44 U.S.C., Section 35422. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems. This publication is intended to provide guidance to federal agencies implementing FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States, are encouraged to use these guidelines, as appropriate.

The security controls cover the following topic areas:

  • Risk Assessment;
  • Certification, Accreditation and Security Assessments;
  • System Services and Acquisition;
  • Security Planning;
  • Configuration Management;
  • System and Communications Protection;
  • Personnel Security;
  • Awareness and Training;
  • Physical and Environmental Protection;
  • Media Protection;
  • Contingency Planning;
  • System and Information Integrity;
  • Incident Response;
  • Identification and Authentication;
  • Access Control; and
  • Accountability and Audit

Footnotes:

1. A federal system is an system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

2. NIST Special Publication 800-59 provides guidance on identifying an system as a national security system.

Created November 30, 2016, Updated December 03, 2020