{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "resources",
    "type" : "single",
    "title" : "An introduction to security and privacy controls |Digital.gov",
    "description": "An introduction to security and privacy controls",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/resources/an-introduction-to-security-and-privacy-controls/index.json","item" : [
    {"title" :"An introduction to security and privacy controls","deck" : "Explaining NIST’s 800-53 control families for information systems and organizations","summary" : "What do the control families of NIST 800-53 mean? Here&rsquo;s an overview of the control families that create the foundation of federal security compliance.","date" : "2023-10-16T17:52:00-05:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"lindsay-young" : "Lindsay Young"},"topics" : {
        
            "public-policy" : "Public policy",
            "security" : "Security"
            },"primary_image" : { "uid" : "intro-security-privacy-controls-nist-800-53-rabbit-photo-istock-getty-images-1203479919", "alt" :
  "Title card with blue and gold padlock icons is for An introduction to security and privacy controls: Explaining NIST’s 800-53 control families for information systems and organizations.", "width" :
  "1200", "height" :
  "630", "credit" :
  "", "caption" :
  "Rabbit Photo/iStock via Getty Images", "format" :
  "png" },"branch" : "bc-archive-content-3",
      "filename" :"an-introduction-to-security-and-privacy-controls.md",
      
      "filepath" :"resources/an-introduction-to-security-and-privacy-controls.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/resources/an-introduction-to-security-and-privacy-controls.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/resources/an-introduction-to-security-and-privacy-controls.md","slug" : "an-introduction-to-security-and-privacy-controls","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/resources/an-introduction-to-security-and-privacy-controls/","weight" : "1","content" :"\u003ch2 id=\"what-are-the-nist-controls\"\u003eWhat are the NIST controls?\u003c/h2\u003e\n\u003cp\u003eFederal security compliance is based on evaluating security criteria. Those criteria are a wide-ranging set of considerations called controls. The National Institute of Standards and Technology (NIST) defines these controls in a special publication (SP) called \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final\"\u003eNIST SP 800-53 (Revision 5), Security and Privacy Controls for Information Systems and Organizations\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eTo use, buy, or build software for the government, you need authorization to operate (ATO). A huge part of that process is documenting how you are addressing the controls in your system security and privacy plan (SSPP). During the ATO process, assessors determine what controls apply to a given system. The higher the risk of the system, the more controls apply. Then, the team responsible for that system needs to document those considerations and prove that it has taken those security measures into account.\u003c/p\u003e\n\u003cp\u003eFor an overview of ATOs, read \u003ca href=\"https://digital.gov/resources/an-introduction-to-ato/\"\u003eAn introduction to ATOs\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"why-worry-about-controls\"\u003eWhy worry about controls?\u003c/h2\u003e\n\u003cp\u003eUnderstanding the controls is an important part of the ATO process, specifically when writing a system security and privacy plan. With hundreds of controls, approaching ATOs can be quite daunting. 
That\u0026rsquo;s why it\u0026rsquo;s good to start off with an overview of the controls.\u003c/p\u003e\n\u003cp\u003eThe controls are grouped by \u003cem\u003etopic\u003c/em\u003e, and those topics are called \u003cem\u003efamilies\u003c/em\u003e. Next, we\u0026rsquo;ll explore each control family and what kind of considerations that control family focuses on.\u003c/p\u003e\n\u003ch2 id=\"meet-the-family\"\u003eMeet the family\u003c/h2\u003e\n\u003cp\u003eThe three-column table below lists the 20 control families alphabetically by their two-character ID (identification code). Security and compliance folks often refer to the controls by this ID. For each, the ID is linked to the full list of controls for that family.\u003c/p\u003e\n\u003cp\u003eThe second column provides the full name of the control family. The third column provides a plain language description of the control to give you a feel for what kind of security concern that control family covers.\u003c/p\u003e\n\u003ctable class=\"usa-table usa-table--striped\"\u003e\n  \u003ccaption\u003e\u003c/caption\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"col\" width=\"10%\"\u003eID\u003c/th\u003e\n      \u003cth scope=\"col\"\u003eControl family\u003c/th\u003e\n      \u003cth scope=\"col\"\u003ePlain language description\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC\"\u003eAC\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eAccess Control\u003c/td\u003e\n      \u003ctd\u003eHave policies that define who can access information and systems.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AT\"\u003eAT\u003c/a\u003e\u003c/th\u003e\n      
\u003ctd\u003eAwareness and Training\u003c/td\u003e\n      \u003ctd\u003eTrain staff on IT safety practices, such as annual security training and phishing exercises.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU\"\u003eAU\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eAudit and Accountability\u003c/td\u003e\n      \u003ctd\u003eMake sure you are creating and monitoring the necessary logs and keeping records for as long as they are required to be kept. You need policies to establish these practices and to produce evidence that you follow them.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA\"\u003eCA\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eSecurity Assessment and Authorization\u003c/td\u003e\n      \u003ctd\u003eThis describes most of the ATO process.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM\"\u003eCM\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eConfiguration Management\u003c/td\u003e\n      \u003ctd\u003eThis includes policies and procedures for how software is approved and deployed. It defines who can make decisions and what policies or constraints prevent others from making unauthorized changes. 
It also covers creating a system inventory to document what you have and keeping it up to date.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP\"\u003eCP\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eContingency Planning\u003c/td\u003e\n      \u003ctd\u003eBeing able to recover if your system goes down or isn't working. You accomplish this by having the policies, technologies, testing, and training needed to recover your system.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA\"\u003eIA\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eIdentification and Authentication\u003c/td\u003e\n      \u003ctd\u003eHow you verify the identity of the users of your system and how your users log into your system.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR\"\u003eIR\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eIncident Response\u003c/td\u003e\n      \u003ctd\u003eHave policies and procedures to respond to a cyber attack. Have people and tools to respond to data breaches and attacks.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA\"\u003eMA\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eMaintenance\u003c/td\u003e\n      \u003ctd\u003eWho is responsible for system maintenance. 
For example, approving and monitoring security software and keeping packages up to date.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP\"\u003eMP\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eMedia Protection\u003c/td\u003e\n      \u003ctd\u003ePolicies, procedures, and tools to keep media secure. Media includes records of data on a wide range of storage options, such as paper or electronic.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS\"\u003ePS\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003ePersonnel Security\u003c/td\u003e\n      \u003ctd\u003ePolicies and procedures about people's access to information and systems. Making sure people are cleared and trained to access information. People should lose system access when they leave.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT\"\u003ePT\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003ePII Processing and Transparency\u003c/td\u003e\n      \u003ctd\u003eWhen you can collect personally identifiable information (PII) and how you need to protect it. 
This includes giving people a privacy notice and obtaining their consent to collection.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE\"\u003ePE\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003ePhysical and Environmental Protection\u003c/td\u003e\n      \u003ctd\u003eThis includes things like locking doors and keeping buildings and access to servers secure.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL\"\u003ePL\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003ePlanning\u003c/td\u003e\n      \u003ctd\u003ePolicies and procedures about system security plans, rules of engagement, and other planning for your system.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM\"\u003ePM\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eProgram Management\u003c/td\u003e\n      \u003ctd\u003ePolicies and procedures about managing your broader cybersecurity environment. This includes things like security and privacy training, data governance, and management structures.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA\"\u003eRA\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eRisk Assessment\u003c/td\u003e\n      \u003ctd\u003eDetermining how much risk your system presents. Evaluating what the implications are if your system went down, if data was exposed, or if data was tampered with. 
Looking at the privacy risk of your system and looking for threats.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA\"\u003eSA\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eSystem and Services Acquisition\u003c/td\u003e\n      \u003ctd\u003eCovers requirements for acquisition, software development, and system management tools.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC\"\u003eSC\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eSystem and Communications Protection\u003c/td\u003e\n      \u003ctd\u003eAvailability protections against things like DDoS attacks. Security features like network boundaries, encryption, and DNS protections.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI\"\u003eSI\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eSystem and Information Integrity\u003c/td\u003e\n      \u003ctd\u003eMonitoring your system to look for data breaches.\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003cth scope=\"row\"\u003e\u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR\"\u003eSR\u003c/a\u003e\u003c/th\u003e\n      \u003ctd\u003eSupply Chain Risk Management\u003c/td\u003e\n      \u003ctd\u003ePreventing and looking for tampering with upstream components of your system.\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eYou may have noticed that many of the controls require the efforts of your whole team. 
To get them on board, it helps to describe the larger objectives of your policies and procedures. Taking the time to explain controls can help everyone better contribute to your system\u0026rsquo;s security and compliance. View NIST\u0026rsquo;s \u003ca href=\"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home\"\u003eCybersecurity and Privacy Reference Tool\u003c/a\u003e for more on control families.\u003c/p\u003e\n\u003carticle class=\"dg-ring\" aria-labelledby=\"a9e846b34206df56299a478ef4c5e4dd\"\u003e\n  \u003ch2 id=\"a9e846b34206df56299a478ef4c5e4dd\" class=\"dg-ring__title\"\u003eAdditional Resources\u003c/h2\u003e\n  \u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.fedramp.gov/rev5-transition/\"\u003eFedRAMP: Understanding the Transition from NIST SP 800-53 Rev. 4 to Rev. 5\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final\"\u003eNIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations\u003c/a\u003e\n\u003cul\u003e\n\u003cli\u003ePart A: \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/a/r5/final\"\u003eSP 800-53A Rev. 
5, Assessing Security and Privacy Controls in Information Systems and Organizations\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePart B: \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final\"\u003eNIST SP 800-53B, Control Baselines for Information Systems and Organizations\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/glossary\"\u003eNIST Computer Security Resource Center Glossary\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003c/article\u003e\n"}
  ]
}
