Date Published: September 2020 (includes updates as of Dec. 10, 2020)
Supersedes:
SP 800-53 Rev. 5 (09/23/2020)
Planning Note (08/27/2025):
On August 27, 2025, NIST issued a minor release of SP 800-53 (Release 5.2.0) that includes:
A list of all the changes in the patch release is available under Supplemental Material.
Summary of supplemental files:
Also available:
Describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes. Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
Supports organizations using the privacy controls in Appendix J of SP 800-53 Rev. 4 that are transitioning to the integrated control catalog in Rev. 5.
Mappings and crosswalks provide a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging these relationships, consider the scope and intended use of each publication. Do not assume equivalency based solely on relationship tables; mappings and crosswalks are not always one-to-one and relationship analysis can be subjective.
The collaboration index template supports information security and privacy program collaboration to help ensure that the objectives of both disciplines are met and that risks are appropriately managed. It is an optional tool for information security and privacy programs to identify the degree of collaboration needed between security and privacy programs with respect to the selection and/or implementation of controls in Rev. 5.
Rev. 5 controls are provided using the Open Security Controls Assessment Language (OSCAL); currently available in JSON, XML, and YAML.
This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.
Access Control; Awareness and Training; Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Program Management; Personnel Security; PII Processing and Transparency; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity; Supply Chain Risk Management
Publication:
https://doi.org/10.6028/NIST.SP.800-53r5
Download URL
Supplemental Material:
SP 800-53 Release 5.2.0
Summary of Changes SP 800-53 Release 5.2.0 (pdf)
Analysis of updates between 800-53 Rev. 5 and Rev. 4, by MITRE Corp. for ODNI (xlsx)
Mapping: Appendix J Privacy Controls (Rev. 4) to Rev. 5 (xlsx)
Mappings: Cybersecurity Framework and Privacy Framework to Rev. 5 (xlsx)
Crosswalk: 800-53 Rev. 5 to ISO/IEC 27001:2022 (OLIR)
OSCAL Version of Rev. 5 controls
Control Collaboration Index Template (xlsx)
Control Collaboration Index Template (docx)
Blog post
Publication Parts:
SP 800-53A Rev. 5
SP 800-53B
Document History:
12/10/20: SP 800-53 Rev. 5 (Final)
privacy controls, security controls, security programs & operations
Laws and Regulations:
E-Government Act, Executive Order 14306, Federal Information Security Modernization Act, Homeland Security Presidential Directive 12, Homeland Security Presidential Directive 7, OMB Circular A-11, OMB Circular A-130