NIST 800-53 and NIST 800-171: What’s the Difference?

NIST SP 800-53 and 800-171 have a lot in common: Both set mandatory security standards for organizations who work with government data. But while SP 800-53 contains strict and detailed guidelines for organizations with access to federal IT systems, 800-171 covers a looser set of regulations for entities that process controlled information. In this overview, we are going to look at the differences between SP 800-53 and 171, who these standards are addressed to and what organizations can do to achieve compliance.

What Is NIST SP 800-53?

Special Publication 800-53 is a catalog of security and privacy controls for IT systems created and maintained by the National Institute of Standards and Technology (NIST). When congress passed FISMA (the Federal Information Security Management Act) in 2002, NIST was tasked with developing mandatory cybersecurity standards for federal agencies. To fulfil that obligation, SP 800-53 was first released in 2005. Since then, NIST has continuously updated and revised the document, with the latest update, Revision 5, published in 2020.

Controls covered in SP 800-53:

  • Access Control

  • Awareness & Training

  • Audit & Accountability

  • Assessment, Authorization & Monitoring

  • Configuration Management

  • Contingency Planning

  • Identification & Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Physical & Environmental Protection

  • Planning

  • Program Management

  • Personnel Security

  • Personally Identifiable Information

  • Risk Assessment

  • System & Services Acquisition

  • System & Communications Protection

  • System & Information Integrity

  • Supply Chain Risk Management

Side by side: SP 800-53 vs 171

NIST SP 800-53NIST SP 800-171NIST Cybersecurity Framework
AudienceFederal agencies, (sub)contractors and local governments with access to federal information systemsNon-federal entities who store or process controlled unclassified information (CUI) in their own networkVoluntary guidance for private and public organizations, mandatory for federal agencies
Controls20 control families, over 1,000 controls and control enhancements14 control families, 110 security requirements5 core functions, 108 security targets
LevelsThree control baselines for low, moderate and high impact systemsModerate baseline as standard, optional enhanced controls in SP 800-172Four implementation tiers measuring organizational risk management

For more information on the Cybersecurity Framework, read our NIST CSF Compliance Guide.

Who Does NIST 800-53 Apply to?

SP 800-53 applies to organizations with access to federal information systems, which are defined as any IT system used by an agency, one of their contractors, or another organization on their behalf. Although the publication was written with federal agencies in mind, the standard applies to many other entities in both the private and public sector. The three main groups that are covered by 800-53 are:

  • 1

    Federal agencies

  • 2

    Vendors, suppliers and contractors that access federal IT or operate IT systems on behalf of an agency

  • 3

    State and local governments that manage federal programs like student loans, unemployment insurance or Medicare/Medicaid

If you’re a private business affected by NIST 800-53, the need to comply with the special publication should be clearly communicated in any government contract you operate under. However, sometimes the need to follow SP 800-53 becomes less obvious on deeper levels of the government supply chain.

Implementing the mandatory security controls of SP 800-53 is one step towards achieving FISMA compliance, which also includes inventorization, risk assessments, system security plans and continuous monitoring.

NIST 800-53: Control Baselines

With over 1,000 controls spread across 20 different control families, Special Publication 800-53 offers a detailed catalog of IT security measures. However, entities regulated by 800-53 are not required to implement every control in the document. The security controls in NIST 800-53 are grouped into three different baselines for systems with a low, moderate or high security impact. The supplementary publication 800-53B contains detailed tables showing which controls are part of which control baselines.

Organizations must select the appropriate control baseline for their IT systems based on their potential security impact. This process is regulated by FIPS 199 (Standards for Security Categorization) and follows a high watermark approach, which means that the security impact of a system is equal to the highest value among the three categories of confidentiality, availability and integrity. For example, a system with a low potential impact on the availability and integrity of data and a high potential impact on its confidentiality would be classified as a high impact system overall.

NIST 800-53: Tailoring Process

Aside from selecting the appropriate baseline, your company must also tailor controls from the special publication to their specific security needs, IT environment and overall goals. This includes assigning values to the adjustible parameters included in many sections: for example, defining the interval in which user accounts will be audited.

As part of the tailoring process, businesses can incorporate additional controls that are not part of their selected baseline to address their need for increased security. Likewise, an organization has the option to exclude controls that are part of their baseline if they are not relevant, technically feasibly or negatively affect business outcomes. In this case, compensating controls can be chosen to replace them and the decision not to implement certain safety measures must be documented in the system security plan.

Other steps in the tailoring process include:

  • Choosing the scope of implementation

  • Identifying and designating common controls

  • Supplementing baselines with additional controls and enhancements as necessary

  • Choosing compensating controls for ones that are not relevant, feasible or cost effective

  • Documenting how controls were implemented and the rationale behind scoping and compensating decisions

NIST 800-53: What Are Common Controls?

Common controls are security controls that an information system inherits from another entity, eliminating the need to replicate the same control on a system level. For example, SP 800-53 covers physical access controls such as visitor logs. If you are located in a building that already keeps visitor records, you don’t have to repeat the process when they walk into your office. Instead, you could designate this requirement as a common control and designate the operator of the building as the Common Control Provider or CCP (assuming they agree, of course).

Good candidates for common control status include physical and environmental safety for businesses that share premises with other entities or staff awareness and training requirements for entities that are part of a larger organization with its own hiring and training policies. Note that in order to qualify for common control status, the Common Control Provider must authorize, assess and monitor the safety measure in question.

NIST 800-53: Controls vs. Control Enhancements

Each of the 20 control families in the document is split into several base controls and control enhancements. Control enhancements are directly connected to a specific base control and designed to offer increased security for systems that demand additional protection.

Some control enhancements are included in a control baseline, meaning organizations that select the corresponding baseline are expected to implement them. Other enhancements are not assigned to any tier and can be used to improve security or compensate for other controls and enhancements that were scoped out of an organization’s system security plan due to technical conflicts or adverse effects.

White paper

NIST-Compliant Access Control With tenfold

Download our compliance guide to learn which access control measures are required by the NIST CSF and SP 800 series and how tenfold helps you implement them!

What Is NIST SP 800-171?

Special Publication 800-171 establishes security requirements for the protection of controlled unclassified information (CUI) that is stored or processed in non-federal systems. The security requirements in SP 800-171 are derived from the moderate control baseline of SP 800-53. In essence, NIST 800-171 represents a subset of NIST 800-53, covering 14 control families and 110 basic and derived security requirements.

Controls covered in SP 800-171:

  • Access Control

  • Awareness & Training

  • Audit & Accountability

  • Configuration Management

  • Identification & Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Personnel Security

  • Physical Protection

  • Risk Assessment

  • Security Assessment

  • System & Communications Protection

  • System & Information Integrity

Who Does NIST 800-171 Apply to?

Like SP 800-53, SP 800-171 regulates organizations that work with sensitive government data. However, the standard casts a wider net than its counterpart: It affects companies that government data is shared with, even if they don’t have access to federal networks. NIST 800-171 applies to a wide range of government contractors and subcontractors across the public sector supply chain. For example, compliance with NIST 800-171 is a contractual requirement for companies that work with NASA, the Department of Defense (DoD) or the General Services Administration (GSA).

SP 800-172: Enhanced Controls

For controlled information that relates to critical programs or high value assets, SP 800-172 provides enhanced security requirements that federal agencies can optionally include in contracts with private entitities. This allows agencies to mandate a higher level of IT security where necessary.

What Is Controlled Unclassified Information (CUI)?

Controlled unclassified information is defined as any information that requires safeguarding by law, regulation or government policy, but is not classified, i.e. labelled confidential, secret or top secret. In other words, CUI describes information that is sensitive, but not top-secret, national security material. Examples of controlled unclassified information include law enforcement data, patent applications, taxpayer data or visa & asylum information. You can find more information in the CUI registry of the National Archives.

CMMC 2.0: Replacing NIST 800-171?

Cybersecurity Maturity Model Certification (CMMC) was developed by the Department of Defense in order to better enforce and assess compliance with NIST 800-171 in its supply chain. The new rule will go into effect by 2025 for all contracts that fall under DFARS, the Defense Federal Acquisition Regulation Supplement.

Although the CMMC framework initially contained unique controls and requirements, CMMC 2.0 simplifies the standard down to three levels which closely align to the existing security requirements of SP 800-171 and SP 800-172. This change was made in response to criticism about the added complexity of listing additional requirements in a separate guideline. With this change, CMMC essentially unifies the demands of SP 800-171 and 172 under a new label.

Under CMMC 2.0, businesses that handle federal contract information (FCI) are required to meet the foundational requirements of Level 1 and conduct annual self-assessments (federal contract information describes data the government shares with contractors that is not public knowledge or intended for public release). Level 2 of CMMC 2.0 aligns with the security requirements of SP 800-171 and is mandatory for entities that handle controlled unclassified data. Level 3 is reserved for high-priority programs and includes enhanced controls from SP 800-172.

Achieving NIST-Compliance with Access Management

Whether you need to comply with NIST 800-53, NIST 800-171 or want to implement the recommended security controls voluntarily to get a head start on future regulations, an effective cybersecurity program has to address a wide range of topics. From identifying at-risk assets to educating users, network monitoring, malware protection and data backups, there are many aspects that a business must consider as part of its compliance efforts.

One key component of NIST compliance is access control: To meet the security requirements of SP 800-53 and 171, your company must restrict access to sensitive systems, enforce the principle of least privilege and perform regular user access reviews to audit existing accounts. To implement the necessary processes, companies need a dedicated identity and access management solution that supports secure provisioning, permission audits and centralized reporting.

To learn more about the access control requirements in these NIST standards and how tenfold helps you achieve them, download our free compliance overview. Our powerful, user-friendly and easy-to-implement IAM solution is the fastest path to NIST-compliant access control! Watch our video demo to see just how easy access management can be with the right tool, or sign up for a free trial to test tenfold yourself.

Why tenfold?

What makes tenfold the leading IAM solution for mid-market organizations?

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.