What are the NIST control families?

What are the NIST control families?What are the NIST control families?
Rebecca KappelRebecca Kappel Staff asked 9 months ago

1 Answers
Rebecca KappelRebecca Kappel Staff answered 8 months ago
The NIST (National Institute of Standards and Technology) has established a comprehensive framework for ensuring the security of information systems known as Special Publication 800-53. The NIST security control families are at the core of this framework, which provides a structured and systematic approach to addressing various security concerns. These control families collectively address a wide range of security aspects, forming a foundation for organizations to enhance their security posture effectively.

Defining Security Control Families:

Security control families refer to groups of related security controls that collectively address specific areas of concern within an organization’s information systems. Each control family focuses on a distinct security aspect, from access control and identification to incident response and continuity planning. The intent is to provide a granular yet cohesive approach to managing security risks comprehensively.

NIST Control Families Structure

The NIST control families are organized into distinct groups, each centered around a particular security objective. These families encompass a wide array of controls that, when effectively implemented, contribute to the overall security posture of an organization. They serve as a vital resource for security professionals, compliance officers, and IT administrators to guide security measures’ selection, implementation, and assessment.

A List of the 18 Control Families 

  1. Access Control (AC): Ensures proper access to information and resources, preventing unauthorized access.
  2. Awareness and Training (AT): Educates personnel about security risks and best practices.
  3. Audit and Accountability (AU): Generates audit records and monitors system activity to ensure accountability.
  4. Configuration Management (CM): Manages system configurations to prevent unauthorized changes.
  5. Contingency Planning (CP): Prepares for and responds to incidents, ensuring business continuity.
  6. Identification and Authentication (IA): Establishes the identity of users and ensures authorized access.
  7. Incident Response and Management (IR): Detects, responds to, and mitigates security incidents.
  8. Maintenance (MA): Maintains systems and hardware for secure operations.
  9. Media Protection (MP): Protects physical and digital media containing sensitive information.
  10. Personnel Security (PS): Ensures the trustworthiness of personnel through security measures.
  11. Physical and Environmental Protection (PE): Protects physical assets and the environment.
  12. Planning (PL): Develop a comprehensive security plan aligned with business objectives.
  13. Program Management (PM): Oversees security initiatives and resources.
  14. Risk Assessment (RA): Identifies, assesses, and mitigates risks.
  15. Security Assessment and Authorization (CA): Evaluates and authorizes information systems.
  16. System and Communications Protection (SC): Protects systems against unauthorized access.
  17. System and Information Integrity (SI): Ensures systems and data integrity.
  18. System and Services Acquisition (SA): Incorporates security into system acquisition.

Looking to learn more about What are the NIST control families?

Related Content

Authorization to Operate (ATO)

Authorization to Operate (ATO)

What is an ATO? An ATO is a hallmark of approval that endorses an information system…


What is StateRAMP? In 2011, the Federal Risk and Authorization Management Program (FedRAMP) laid the groundwork…
Segregation of Duties

Segregation of Duties

What is the Segregation of Duties? Segregation of duties (SoD) is like a game of checks…
Skip to content