# NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
| --- | --- |
| NIST | National Institute of Standards and Technology |
| SP | Special Publication |

# Overview

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.

# Controls

The catalog of security and privacy controls provides protective measures for systems, organizations, and individuals. The controls are designed to facilitate risk management and compliance with applicable federal laws, executive orders, directives, regulations, policies, and standards.

  • 3.1: Access Control
  • 3.2: Awareness and Training
  • 3.3: Audit and Accountability
  • 3.4: Assessment, Authorization, and Monitoring
  • 3.5: Configuration Management
  • 3.6: Contingency Planning
  • 3.7: Identification and Authentication
  • 3.8: Incident Response
  • 3.9: Maintenance
  • 3.10: Media Protection
  • 3.11: Physical and Environmental Protection
  • 3.12: Planning
  • 3.13: Program Management
  • 3.14: Personnel Security
  • 3.15: Personally Identifiable Information Processing and Transparency
  • 3.16: Risk Assessment
  • 3.17: System and Services Acquisition
  • 3.18: System and Communications Protection
  • 3.19: System and Information Integrity
  • 3.20: Supply Chain Risk Management
