NIST SP 800-53
NIST Special Publication 800-53 is the comprehensive security and privacy control catalog underlying FISMA, FedRAMP, and most US federal cybersecurity baselines.
What is 800-53?
NIST SP 800-53 is the most comprehensive cybersecurity control catalog published by NIST. The current revision (Rev. 5, September 2020) organizes 1,189 controls and enhancements across 20 control families — access control, audit and accountability, configuration management, identification and authentication, incident response, supply chain risk management, system and communications protection, and more. It is the underlying catalog for FISMA, FedRAMP, the CIS Critical Security Controls (which map to 800-53), and most US federal agency security policies.
Baselines
NIST 800-53B defines three security baselines selected from the full catalog: Low, Moderate, and High, corresponding to FIPS 199 impact levels. FedRAMP applies the same Low/Moderate/High baselines plus a small number of FedRAMP-specific control additions. Most enterprise AI vendors targeting US federal customers will pursue at least the FedRAMP Moderate baseline; vendors handling more sensitive workloads (intelligence, defense) need High.
For commercial buyers
Even outside federal procurement, 800-53 is the most widely used control language in US enterprise security. Mature AI vendors publish a control mapping (their security controls → 800-53 control IDs), which makes diligence faster. Ask if they have one; if not, expect a longer back-and-forth as each control area gets evaluated narratively.