# NIST SP 800-53

> NIST Special Publication 800-53 Revision 5 — security and privacy controls for federal information systems.

## Overview

**NIST Special Publication 800-53 Revision 5** is the U.S. federal catalog of security and privacy controls for federal information systems and organizations. It is the foundational control set behind FedRAMP, FISMA, the DoD Risk Management Framework, and many state and sector-specific U.S. compliance regimes.

Matproof ships the full Revision 5 control catalog with mappings into your other adopted frameworks.

### Who It Applies To

* **U.S. federal agencies** — Required under FISMA
* **Federal contractors and FedRAMP CSPs** — Cloud providers serving the U.S. federal government
* **DoD and intelligence community systems** — Through the Risk Management Framework (RMF)
* **State and local governments** — Many adopt 800-53 as a baseline by reference
* **Private organizations** that need to demonstrate alignment with U.S. federal expectations

## Control Families

NIST 800-53 organizes controls into 20 families. The major ones:

| Family                                | Code   | Focus                                                   |
| ------------------------------------- | ------ | ------------------------------------------------------- |
| Access Control                        | AC     | Account management, separation of duties, remote access |
| Awareness and Training                | AT     | Security awareness program                              |
| Audit and Accountability              | AU     | Logging, monitoring, audit retention                    |
| Assessment, Authorization, Monitoring | CA     | System assessments, ATO process                         |
| Configuration Management              | CM     | Baseline configurations, change control                 |
| Contingency Planning                  | CP     | Backup, DR, COOP                                        |
| Identification and Authentication     | IA     | MFA, credential management                              |
| Incident Response                     | IR     | IR plan, reporting, training                            |
| Maintenance                           | MA     | System maintenance procedures                           |
| Media Protection                      | MP     | Sanitization, transport, disposal                       |
| Physical and Environmental Protection | PE     | Facility security                                       |
| Planning                              | PL     | System security plan, rules of behavior                 |
| Personnel Security                    | PS     | Background checks, termination procedures               |
| Risk Assessment                       | RA     | Risk assessments, vulnerability scanning                |
| System and Services Acquisition       | SA     | Supplier risk, secure SDLC                              |
| System and Communications Protection  | SC     | Boundary protection, cryptography                       |
| System and Information Integrity      | SI     | Flaw remediation, malicious code protection             |
| Supply Chain Risk Management          | SR     | C-SCRM program, supplier review                         |
| Privacy                               | PT, PM | Privacy controls (added in Rev 5)                       |

## Control Baselines

NIST 800-53 controls are applied through **baselines**, selected according to the system's impact level:

* **LOW** baseline — minimum controls for low-impact systems
* **MODERATE** baseline — most federal systems sit here
* **HIGH** baseline — systems where loss of confidentiality, integrity, or availability would have catastrophic impact

Matproof lets you select a baseline when adopting NIST 800-53; only the relevant controls are included in your program.

## How Matproof Helps

### Control Catalog

* Full Revision 5 control catalog (1,189 controls including enhancements)
* Pre-tagged by family and baseline
* Searchable across control text and supplemental guidance

### FedRAMP Alignment

* FedRAMP LOW / MODERATE / HIGH baselines pre-configured
* FedRAMP-specific control parameters tracked
* Continuous Monitoring (ConMon) artifact templates

### Cross-Framework Mapping

NIST 800-53 maps extensively into other frameworks Matproof ships:

* ISO 27001 — Annex A controls
* SOC 2 — Trust Services Criteria
* NIST Cybersecurity Framework (CSF) — through the CSF-to-800-53 informative references
* HIPAA — Security Rule safeguards
* DORA / NIS2 — security requirements

A single piece of evidence (e.g. an MFA configuration screenshot) can satisfy controls across all of these frameworks at once.

### Evidence Automation

* Cloud integration evidence (AWS, Azure, GCP) automatically populates AC, AU, CM, IA, and SC controls
* Device Agent evidence populates SI, CM, and AC controls for endpoints
* Manual evidence with structured templates for the rest

### System Security Plan (SSP)

* Generate SSPs from your control implementations
* Export-ready format for ATO submissions
* Continuous updates as controls change

## Getting Started

1. Select **NIST 800-53** as a framework during onboarding (or in Settings > Frameworks)
2. Choose your impact baseline: LOW / MODERATE / HIGH (or full catalog)
3. Review the control mapping into your other adopted frameworks
4. Assign control owners across your organization
5. Connect cloud and identity integrations to start populating evidence

<CardGroup cols={2}>
  <Card title="NIST CSF" href="/frameworks/nist">
    The companion Cybersecurity Framework — risk-based, lighter weight
  </Card>

  <Card title="Frameworks Overview" href="/frameworks/dora">
    See all 16 frameworks Matproof supports
  </Card>
</CardGroup>
