The National Institute of Standards and Technology (NIST) Framework controls are drawn from Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. It is important to examine the overall NIST Cybersecurity Framework to understand how the security controls should be applied in an information security program. The NIST Framework Core supports critical infrastructure protection, cybersecurity risk management, and overall information security.

The NIST Framework, at its most basic level, outlines the activities that must be carried out to effect organizational change. The framework is broken into five functional areas, each of which contains categories (also known as families), subcategories, and informative references.

The five functional areas of the NIST Framework and their primary categories are:

Identify
  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect
  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover
  • Recovery Planning
  • Improvements
  • Communications

When reading NIST SP 800-53, it is important to note that the controls are allocated to low, moderate, and high baselines. Each control has a family, class, priority, and baseline allocation.

Each control contains a detailed description of what it requires, along with supplemental guidance and any control enhancements. The controls also have a helpful references section that links to related NIST Special Publications, which is useful when exploring the “why” behind a particular control.
