Recommended Security Controls for Federal Information Systems

The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for information security for all civilian federal agencies. It produces security controls for information systems, which are the safeguards necessary to protect the confidentiality, integrity and availability of the data. The NIST SP (Special Publication) 800-53: Recommended Security Controls for Federal Information Systems defines security controls for executive agencies of the US federal government. This article introduces the publication and some of its key concepts.

Purpose of NIST SP 800-53

The FISMA (Federal Information Security Management Act) mandates that information systems must adequately protect government data. Under the FISMA, the responsibility for developing security standards falls under the jurisdiction of the NIST. The NIST SP 800-53 provides guidelines for federal agencies to select and specify security controls for their information systems. It is also used by non-federal government and private sector organizations.

Within the context of federal agencies, the publication was created to achieve the following:

  • Facilitate a consistent approach to select and specify information security controls.
  • Offer minimum information security controls.
  • Offer a catalog of information security controls to meet the current and future security needs of organizations.
  • Form a basis to develop security control assessment methods and procedures.

The NIST SP 800-53 is directed towards information system and security professionals, which may include:

  • Chief information officers
  • Senior agency information security officers
  • Authorizing officials
  • Program/project managers
  • Mission/application owners
  • System designers
  • System/application programmers
  • Information system owners
  • Information owners
  • Information system administrators
  • Information system security officers
  • Auditors
  • Inspectors general
  • Evaluators
  • Certification agents

Organization & Structure

There are three general classes of security controls (management, operational and technical) and seventeen security control families, as listed below:

Management class:

  • Certification, Accreditation and Security Assessments
  • Planning
  • Risk Assessment
  • System and Services Acquisition

Operational class:

  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Personnel Security
  • System and Information Integrity

Technical class:

  • Access Control
  • Audit and Accountability
  • Identification and Authentication
  • System and Communications Protection

The concept of baseline controls refers to the minimum security controls that are recommended for a system, based on its security categorization. The baseline enables agencies and organizations to determine the safeguards needed to protect their systems.

However, baselines alone are not enough to properly manage risk. The following considerations must be made when selecting baseline controls:

  • Security Controls – Which security controls are “common” controls? How does this relate to the responsibilities of the owners of the information systems?
  • Operational Environment – How can the operational environment of the system affect physical security controls?
  • Physical Infrastructure – Do the security controls of the facility provide adequate protection to the information system and its assets?
  • Public Access – What special security controls are necessary if users access the system through public interfaces? How are the issues of identification and authentication handled?
  • Technology – What types of technologies are being used within the system (e.g. cryptography, public key infrastructure, wireless technologies)? Which risks can be mitigated through automated mechanisms?
  • Policy and Regulation – Which laws, Executive Orders, directives, policies, standards or regulations apply to the types of data or systems used by the agency?
  • Security Objectives – Can any security controls be downgraded to the corresponding controls of a lower baseline?

There are three sets of baseline controls, corresponding to the low-impact, moderate-impact and high-impact levels. These levels are defined in FIPS 199 (Federal Information Processing Standards Publication 199), the mandatory federal security categorization standard. Each impact level is associated with a different security category. Security categories facilitate the proper selection of security controls and guide how the baseline is supplemented to appropriately manage risk.

Security categories (low, moderate or high) are based on the security objectives of confidentiality, integrity and availability. The security category (SC) of a system is written with the system name as a subscript to SC, in the following format:

SC (information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}

Potential impact values for each objective can be low, moderate or high. Low-impact systems are information systems that have all three security objectives set at “low.” Moderate-impact systems have at least one “moderate” security objective and no objectives greater than moderate. High-impact systems have at least one “high” security objective.

Overall impact levels of information systems take into consideration three elements:

  1. The different types of information processed, stored or transmitted by the system.
  2. The impact level of each type of information.
  3. The security categorization for each security objective.

The overall impact level is determined from the highest impact level of the three security objectives.
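As an added worked example (not from the article or from NIST), the following Python carries the FIPS 199 categorization described above through a system that handles two information types: the per-objective impact of the system is the highest impact among its information types, and the overall impact level (which selects the low, moderate or high baseline) is the highest of the three objectives. The information types and their impact values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() picks the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type processed, stored or transmitted by the system."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types):
    """Return SC (information system) as {objective: impact}.

    For each security objective the system's impact is the highest impact
    assigned to that objective across all information types it handles."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def overall_impact(sc):
    """Overall impact level of the system: the highest of the three objectives.
    All LOW -> low-impact; at least one MODERATE and no HIGH -> moderate-impact;
    at least one HIGH -> high-impact. This level selects the baseline."""
    return max(sc.values())


def format_sc(sc):
    """Render the category in the article's notation."""
    return "SC = {" + ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES) + "}"


# Constructed sample: two information types on a hypothetical public-facing system.
SAMPLE_TYPES = [
    InfoType("public web content", Impact.LOW, Impact.MODERATE, Impact.MODERATE),
    InfoType("citizen contact records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_sc(sc))            # SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, MODERATE)}
    print(overall_impact(sc).name)  # MODERATE
```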

Risk Management

Proper risk management is crucial for any information security program. The risk approach balances security controls with efficacy, legislation, directives, regulations and policies. According to the NIST Risk Management Framework, managing risk involves the following steps:

  • The information system is categorized.
  • A set of baseline security controls is selected and used as a starting point for a risk assessment.
  • The baseline set of controls is supplemented with additional information, including agency security requirements, threat information and other circumstantial information.
  • The adjusted set of security controls is documented in the system security plan.
  • Security controls are implemented into the system.
  • Security controls are assessed using the appropriate methods and procedures.
  • Operation of the information system is authorized based on a determination of risk. This may involve risk to operations, assets or individuals.
  • The selected security controls are monitored and assessed continuously. Any changes to the system are considered and reported as well.

Updating Controls

The security controls may need to be reassessed and updated. There are a number of events that may trigger this, including:

  • Data breach
  • Identification of a new and credible threat
  • Major changes to the system configuration

When such an event occurs, the NIST SP 800-53 recommends the following steps:

  • Assess the sensitivity of the system and data processed, stored or transmitted by that system.
  • Assess the current situation of the system, taking into consideration vulnerabilities, threats and risks.
  • Determine any necessary corrections that may need to be initiated.
  • Determine if reaccreditation of the system is necessary.


This article introduces the NIST SP 800-53, which outlines recommended security standards and controls for information systems in federal agencies. The framework was developed under the mandate of the FISMA (Federal Information Security Management Act of 2002), and is recommended for use in the private sector as well. The article outlines the purpose of the NIST publication and lists the organizational structure for the security controls. It also looks at the process by which the controls are selected and how baseline controls can be updated to better reflect an organization’s security situation. Finally, the article outlines the reasons for which controls may be updated and how agencies or organizations can respond to events.

CIPP/G Preparation

In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:

  • FISMA performance (I.C.f.i.3.)
  • System compliance (I.C.f.i.ii.)
