What are NIST Framework Controls?

Published October 15, 2019

The National Institute of Standards and Technology (NIST) Framework Controls are contained in Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. It is important to examine the overall NIST Cybersecurity Framework to understand how these security controls should be applied in an information security program. The NIST Framework Core controls support critical infrastructure protection, cybersecurity risk management, and overall information security.

At its most basic level, the NIST Framework outlines the activities that must be carried out to effect organizational change. The framework is broken into five functional areas, each of which contains categories (also known as families), subcategories, and informative references.

The five functional areas of the NIST framework and primary categories are:

Identify

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect

  • Awareness Control
  • Awareness and Training
  • Data Security
  • Info Protection and Procedures
  • Maintenance
  • Protective Technology

Detect

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Process

Respond

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover

  • Recovery Planning
  • Improvements
  • Communications

When reading NIST SP 800-53, it is important to note that the controls are categorized into low, medium, and high severity. Each control has a family, class, priority, and baseline allocation. 

Each control entry contains a detailed description of the control, along with supplemental guidance and any control enhancements. The controls also have a helpful reference section that links to related NIST Special Publications, which is useful when exploring the “why” behind a particular control.
