How many controls are in NIST 800-53 R5?

ComplianceForge Support

NIST SP 800-53 Revision 5 includes a staggering 1,189 controls, divided into 20 control families:

NIST 800-53 Control Families

  1. Access Control;
  2. Awareness & Training;
  3. Audit & Accountability;
  4. Assessment, Authorization & Monitoring;
  5. Configuration Management;
  6. Contingency Planning;
  7. Identification & Authentication;
  8. Incident Response;
  9. Maintenance;
  10. Media Protection;
  11. Physical & Environmental Protection;
  12. Planning;
  13. Program Management;
  14. Personnel Security;
  15. Personally Identifiable Information (PII) Processing & Transparency;
  16. Risk Assessment;
  17. System & Services Acquisition;
  18. System & Communications Protection;
  19. System & Information Integrity; and
  20. Supply Chain Risk Management.

This NIST SP 800-53 R5 control count includes deprecated controls that have been removed or rolled into other controls.

NIST SP 800-53B breaks most of those controls into low, moderate, high and privacy baselines. However, there are many NIST SP 800-53 R5 controls that are not otherwise categorized and are therefore not part of a baseline.

ComplianceForge NIST 800-53 Policy Templates

ComplianceForge has 1-1 matching for NIST SP 800-53 R5 families and controls in its NIST SP 800-53 R5 Cybersecurity & Data Protection Program (CDPP) documentation.  

NIST SP 800‑53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been removed or folded into others. Some controls are not categorized under baselines—low, moderate, high, or privacy—per NIST SP 800‑53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.