NIST SP 800-53 Rev. 4: Definition, attributes & control families

In 2002, the National Institute of Standards and Technology (NIST) released SP 800-53 to help organizations streamline their cybersecurity practices. The objective is to provide proactive guidance for building system infrastructures that rebuff the biggest cyber threats. The NIST has updated that first framework in several different revisions, including NIST SP 800-53 Rev 4 in 2013.

Revision 4 focuses on new technologies and the evolved threats that come with them. While it’s not the most recent revision, Rev 4 was a significant change for IT risk management and still offers helpful guidance for risk and compliance teams.

In this article, we discuss the following topics pertaining to NIST SP 800-53 Rev 4:

• What is NIST SP 800-53 Rev 4 and what are the 18 controls families?
• What are the attributes of NIST SP 800-53 Rev 4?
• Subsequent updates to Revision 4

*Note: For the latest NIST guidance, learn about the NIST SP 800-53 Rev 5 (the latest revision) here.

What Is NIST SP 800-53 Rev. 4?

NIST SP 800-53 Rev 4 is the fourth revision to the NIST SP 800-53 cybersecurity framework. In it, the NIST offers new requirements and controls to address what were emerging technologies and threats back in 2013, namely mobile and cloud computing, application security, supply chain issues and privacy protection. At the time, these controls also established best practices for IT risk management.

Many of the new controls emphasized the people responsible for implementing them. The language largely focuses on roles in government agencies, but it can be interpreted as defining who needs to do what in order to be in compliance. NIST SP 800-53 Rev 4 also features new privacy controls and an implementation guide in its appendix.

Much of this language was updated in Rev. 5, as were several of the control families.

How Many NIST SP 800-53 Rev. 4 Controls Are There?

How many NIST SP 800-53 Rev. 4 controls there are depends on whether or not you include the privacy controls. The NIST included the privacy controls in the appendix, but they’re still a key part of the revision.

Excluding the privacy controls, there are 444 controls and 284 enhancements. If you take the privacy controls into account, that tally rises to 570 controls. These controls are divided across 18 families. The NIST SP 800-53 Rev. 4 control families are:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Security Assessment and Audit
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications
17. System and Information Integrity
18. Program Management

See NIST SP 800-53 Rev 5 for the most recent control families.

What Are NIST SP 800-53 Rev. 4 Security Control Attributes?

Security attributes enhance the controls. The NIST describes them as “metadata” that represent the properties or characteristics an organization needs in order to safeguard its systems effectively. They also represent a roadmap for CISOs and risk teams looking to achieve best practices in their infrastructure. 

In Revision 4, these attributes are:

• Dynamic Associations: The system should be able to associate specific security measures with specific subjects and/or objects according to the organization’s security policies. This is important in instances where security attributes change, such as when different users need different system privileges. 
• Authorized Individuals: Systems should be able to limit or manage an individual’s access. This includes ensuring only authorized individuals can make changes to security controls and assigning different attributes to different users. 
• Information Systems: Ideally, different cybersecurity procedures should be able to be automated. To that end, systems need to assign and maintain different security attributes for different objects.
• Output Devices: Any system output, like screens, pages, or video displays, should be in a format that’s readable to humans.
• Interpretations: Organizations should use controls consistently — meaning that they interpret the same controls in the same way across departments. This helps the system transmit information and maintain enforcement actions. 
• Technologies: Different technologies can provide different levels of assurance. For example, a system can use digital signatures to help enforce different access levels or controls. 

Updates to the NIST SP 800 53 Rev. 4

Revision 4 was an important update to the NIST SP 800-53 framework. It helped organizations keep up with evolving technologies and evolving threats by creating controls that either prevented or swiftly mitigated risks. That said, this is not the most up-to-date information on NIST requirements.

See our article on NIST SP 800-53 Revision 5 for the latest guidance, which includes two new control families and a focus on the outcomes of cybersecurity actions rather than the role that implements them.