Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework

How many controls are in NIST 800-53?

Direct Answer

NIST SP 800 53 Revision 5 includes a staggering 1,189 controls, divided into the following 20 control families:

  • Access Control;
  • Awareness & Training;
  • Audit & Accountability;
  • Assessment, Authorization & Monitoring;
  • Configuration Management;
  • Contingency Planning;
  • Identification & Authentication;
  • Incident Response;
  • Maintenance;
  • Media Protection;
  • Physical & Environmental Protection;
  • Planning;
  • Program Management;
  • Personnel Security;
  • Personally Identifiable Information (PII) Processing & Transparency;
  • Risk Assessment;
  • System & Services Acquisition;
  • System & Communications Protection;
  • System & Information Integrity; and
  • Supply Chain Risk Management.

This NIST SP 800-53 R5 control count includes deprecated controls that have been removed or rolled into other controls.

NIST SP 800-53B breaks most of those controls into low, moderate, high and privacy baselines. However, there are many NIST SP 800-53 R5 controls that are not otherwise categorized and are therefore not part of a baseline.

ComplianceForge has 1-1 matching for NIST SP 800-53 R5 families and controls in its NIST SP 800-53 R5 Cybersecurity & Data Protection Program (CDPP) documentation.