
Getting Started with NIST CSF and 800-53

The National Institute of Standards and Technology (NIST) publishes two of the most widely referenced cybersecurity frameworks in the world:
  • NIST Cybersecurity Framework (CSF) 2.0 - A voluntary framework for managing and reducing cybersecurity risk, organized around six core functions. Used by organizations of all sizes and sectors.
  • NIST SP 800-53 Rev. 5 - A comprehensive catalog of security and privacy controls, primarily used by US federal agencies and their contractors. Increasingly adopted by private sector organizations seeking a rigorous control baseline.
Matproof supports both frameworks. CSF provides the strategic risk management structure, while 800-53 provides the detailed control catalog. Many organizations use CSF for governance and communication, then map specific controls from 800-53 for implementation.
Activate NIST CSF and/or NIST 800-53 under Settings - Frameworks. You can activate both - Matproof automatically maps controls between them so you avoid duplicate work.

NIST CSF 2.0 - The Six Core Functions

CSF 2.0 (released February 2024) organizes cybersecurity activities into six functions:

Govern (GV)

Establish and monitor cybersecurity risk management strategy, expectations, and policy. New in CSF 2.0.

Identify (ID)

Understand your assets, business environment, risks, and supply chain to manage cybersecurity risk.

Protect (PR)

Implement safeguards to ensure delivery of critical services.

Detect (DE)

Identify the occurrence of cybersecurity events in a timely manner.

Respond (RS)

Take action regarding a detected cybersecurity incident.

Recover (RC)

Maintain plans for resilience and restore capabilities impaired by a cybersecurity incident.
CSF 2.0 added the Govern function to emphasize that cybersecurity risk management must be integrated into enterprise risk management and driven by leadership. Start with Govern if you are building a program from scratch.

NIST 800-53 - Control Families

NIST SP 800-53 Rev. 5 contains over 1,000 controls organized into 20 families:
Family                                     Code  Description
Access Control                             AC    Access enforcement, least privilege, account management
Awareness and Training                     AT    Security awareness, role-based training
Audit and Accountability                   AU    Audit logging, review, analysis
Assessment, Authorization, and Monitoring  CA    Security assessments, system authorization
Configuration Management                   CM    Baseline configuration, change control
Contingency Planning                       CP    Backup, recovery, continuity
Identification and Authentication          IA    User identification, MFA, credential management
Incident Response                          IR    Incident handling, reporting, monitoring
Maintenance                                MA    System maintenance, tools, remote maintenance
Media Protection                           MP    Media access, transport, sanitization
Physical and Environmental Protection      PE    Physical access, environmental controls
Planning                                   PL    Security planning, rules of behavior
Program Management                         PM    Risk management strategy, enterprise architecture
Personnel Security                         PS    Screening, termination, transfer
PII Processing and Transparency            PT    Privacy, consent, data processing
Risk Assessment                            RA    Risk assessment, vulnerability scanning
System and Services Acquisition            SA    System development lifecycle, supply chain
System and Communications Protection       SC    Boundary protection, cryptography, transmission security
System and Information Integrity           SI    Flaw remediation, malicious code protection, monitoring
Supply Chain Risk Management               SR    Supply chain controls, component authenticity
You do not need to implement all 1,000+ controls. Select a baseline (Low, Moderate, or High) based on your system’s security categorization (FIPS 199), then tailor controls to your environment.

Which Framework Should I Use?

Use Case                                       Recommended Framework
Building a cybersecurity program from scratch  Start with CSF 2.0 for structure, add 800-53 controls for implementation detail
US federal agency or contractor (FISMA)        800-53 is mandatory
FedRAMP cloud authorization                    800-53 Moderate or High baseline
Private sector, non-regulated                  CSF 2.0 is typically sufficient
Mapping to multiple frameworks                 CSF 2.0 maps well to ISO 27001, DORA, and other frameworks
Detailed technical controls needed             800-53 provides the most granular control catalog available

Step 1 - Establish governance (CSF: Govern)

  • Go to Policies - Generate and create your Cybersecurity Risk Management Policy
  • Define roles and responsibilities for cybersecurity governance
  • Establish your risk appetite and risk tolerance levels
  • Ensure leadership oversight of the cybersecurity program
  • Document supply chain risk management expectations

Step 2 - Identify assets and risks (CSF: Identify)

  • Create an inventory of hardware, software, data, and services
  • Go to Risk Management - New Risk Assessment
  • Identify threats and vulnerabilities to your critical assets
  • Assess risks based on likelihood and impact
  • Prioritize risks for treatment based on your risk appetite

Step 3 - Select your control baseline (800-53)

If using NIST 800-53:
  • Categorize your information systems using FIPS 199 (Low, Moderate, or High impact)
  • Select the corresponding 800-53 baseline
  • Matproof pre-populates the applicable controls based on your selection
  • Tailor the baseline - add or remove controls based on your specific environment, threats, and risk assessment
Most commercial organizations implementing 800-53 voluntarily choose the Moderate baseline. It provides strong security coverage without the full rigor of the High baseline required for national security systems.
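
The categorize-select-tailor sequence of Step 3, as an added worked example (this is illustrative code written for this guide, not Matproof's implementation). It applies the FIPS 199 high-water-mark rule: each security objective of a system takes the highest impact rating found across the information types the system handles, and the system's overall impact level (and therefore its baseline) is the highest of the three objectives. The information types, the tailoring decisions and the allocation of controls to baselines are constructed for the example; the control identifiers are real 800-53 identifiers, but the authoritative Low/Moderate/High allocations are those in SP 800-53B, not the handful shown here.

```python
# Added example, not Matproof code: FIPS 199 high-water-mark categorization,
# 800-53 baseline selection and documented tailoring. The information types and
# the small control allocation below are constructed; authoritative baselines are in SP 800-53B.
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 impact levels; IntEnum ordering lets max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def system_impact(self) -> Impact:
        # FIPS 200: the system's overall impact level is the highest of its three objectives.
        return max(self.confidentiality, self.integrity, self.availability)

def categorize_system(info_types: list[InformationType]) -> SecurityCategory:
    """FIPS 199 high-water mark: per objective, the highest impact across every
    information type the system processes, stores or transmits."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return SecurityCategory(
        confidentiality=max(t.confidentiality for t in info_types),
        integrity=max(t.integrity for t in info_types),
        availability=max(t.availability for t in info_types),
    )

# Constructed allocation using real 800-53 control identifiers; each level lists
# only what it adds to the level below. Not the authoritative 800-53B baselines.
BASELINE_INCREMENTS: dict[Impact, frozenset[str]] = {
    Impact.LOW: frozenset({"AC-2", "AU-2", "IA-2", "CM-2", "CP-9", "SI-2", "PE-3"}),
    Impact.MODERATE: frozenset({"AC-2(1)", "AU-6", "IA-2(1)", "CM-3", "SC-8", "MA-4"}),
    Impact.HIGH: frozenset({"AC-2(4)", "AU-12(1)", "CP-9(5)", "SC-8(1)"}),
}

def select_baseline(level: Impact) -> frozenset[str]:
    """Baselines are cumulative: Moderate contains Low, High contains Moderate."""
    return frozenset().union(*(BASELINE_INCREMENTS[lvl] for lvl in Impact if lvl <= level))

@dataclass(frozen=True)
class TailoringDecision:
    control: str
    action: str     # "remove" (not applicable or inherited) or "add" (compensating/extra)
    rationale: str  # assessors ask for this; an empty rationale gets the decision rejected

def tailor_baseline(baseline: frozenset[str],
                    decisions: list[TailoringDecision]) -> tuple[frozenset[str], list[str]]:
    """Apply documented tailoring decisions; return the tailored set plus the
    decisions that were rejected, so they are surfaced rather than silently dropped."""
    controls, rejected = set(baseline), []
    for d in decisions:
        if not d.rationale.strip():
            rejected.append(f"{d.control}: {d.action} rejected, no rationale documented")
        elif d.action == "remove" and d.control in controls:
            controls.remove(d.control)
        elif d.action == "remove":
            rejected.append(f"{d.control}: not in the baseline, nothing to remove")
        elif d.action == "add":
            controls.add(d.control)
        else:
            rejected.append(f"{d.control}: unknown action {d.action!r}")
    return frozenset(controls), rejected

# Constructed sample system: no single information type is Moderate on every
# objective, yet the high-water mark still yields a Moderate system.
SAMPLE_INFO_TYPES = [
    InformationType("Customer account records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("Public product catalogue", Impact.LOW, Impact.LOW, Impact.MODERATE),
    InformationType("Internal meeting scheduling", Impact.LOW, Impact.LOW, Impact.LOW),
]
SAMPLE_DECISIONS = [
    TailoringDecision("PE-3", "remove", "Cloud-hosted; physical access control inherited from the provider."),
    TailoringDecision("MA-4", "remove", ""),  # rejected: nobody wrote down why
    TailoringDecision("SC-7", "add", "Risk assessment rated the internet-facing boundary as high exposure."),
]

def run_example() -> tuple[SecurityCategory, frozenset[str], frozenset[str], list[str]]:
    category = categorize_system(SAMPLE_INFO_TYPES)
    baseline = select_baseline(category.system_impact())
    tailored, rejected = tailor_baseline(baseline, SAMPLE_DECISIONS)
    return category, baseline, tailored, rejected

if __name__ == "__main__":
    cat, base, tailored, rejected = run_example()
    print(cat.system_impact().name, len(base), len(tailored), rejected)
```

The point of the sample system is that availability is driven by the public catalogue while confidentiality and integrity are driven by customer records; no single information type would justify a Moderate baseline on its own, but the high-water mark across them does. The tailoring step deliberately refuses a removal with no rationale, because a removed control without a documented justification is exactly what an assessor will challenge at Step 8.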

Step 4 - Implement protective controls (CSF: Protect)

Work through the controls in Controls - NIST:
  • Access control and identity management (AC, IA)
  • Security awareness and training (AT)
  • Data protection and cryptography (SC)
  • Configuration management and change control (CM)
  • Maintenance and media protection (MA, MP)
For each control, document the implementation, assign an owner, and link evidence.

Step 5 - Detection and monitoring (CSF: Detect)

  • Implement audit logging across systems in scope (AU)
  • Configure continuous monitoring for security events
  • Establish security event correlation and analysis processes
  • Define detection thresholds and alerting criteria
  • Link monitoring evidence to the relevant controls

Step 6 - Incident response (CSF: Respond)

  • Go to Incidents and configure your incident response workflow
  • Define incident classification criteria and escalation procedures
  • Establish communication plans for internal teams, leadership, and external parties
  • Document lessons learned processes for post-incident improvement
  • Test your incident response plan at least annually

Step 7 - Recovery planning (CSF: Recover)

  • Develop and document recovery plans for critical systems and services
  • Define recovery time objectives (RTOs) and recovery point objectives (RPOs)
  • Test recovery procedures regularly
  • Document improvements identified during recovery testing
  • Link recovery test results as evidence against the relevant controls

Step 8 - Assessment and continuous improvement

  • Go to Audit Programs - New Audit - NIST
  • Assess your implementation against CSF functions and/or 800-53 controls
  • Document findings as Corrective Actions
  • Update your risk assessment based on findings
  • Establish a continuous monitoring program to maintain compliance over time

CSF 2.0 Profiles and Tiers

Profiles

CSF profiles describe your organization’s current and target cybersecurity posture. Create two profiles in Matproof:
  • Current Profile - where you are today (based on your control assessment results)
  • Target Profile - where you need to be (based on risk appetite, business requirements, and regulatory obligations)
The gap between the two profiles drives your implementation roadmap.

Tiers

CSF implementation tiers describe the degree of rigor in your cybersecurity risk management:
Tier                    Description
Tier 1 - Partial        Ad hoc, reactive. Limited awareness of cybersecurity risk.
Tier 2 - Risk Informed  Risk management practices are approved by management but may not be organization-wide.
Tier 3 - Repeatable     Risk management practices are formally established, regularly updated, and informed by threat landscape changes.
Tier 4 - Adaptive       Organization adapts cybersecurity practices based on lessons learned and predictive indicators. Continuous improvement.

Next Steps

  • Risk Management - risk assessments aligned to NIST methodology
  • Controls - working through CSF and 800-53 control sets
  • Incidents - incident response workflow configuration
  • Audit Programs - security assessments and continuous monitoring