Practitioner's Checklist

NIST 800-53 Rev 5 Compliance Checklist

A working checklist for taking a system to NIST 800-53 Rev 5 compliance.

Built around the process you actually follow, not just a wall of controls. Work it top to bottom and treat the control-family pass at the end as your coverage backstop. This is a practitioner's roadmap, not a replacement for the catalog itself.


Before you start

  • Confirm you're working from Revision 5, the current catalog — not lingering Rev 4 documentation.
  • Check whether Release 5.2.0 (August 2025) applies to your scope. It added controls for software-update integrity and cyber resiliency (SA-15, SI-02(07), SA-24) in response to recent federal direction on patching. If you build or ship software, those apply to you.
  • Pull your control baseline from SP 800-53B — in Rev 5 the Low/Moderate/High baselines moved out of the main catalog into this separate document.
  • Confirm privacy is in scope. Rev 5 folds privacy controls into the same catalog through the PT family, so security and privacy are handled together.

Phase 1: Prepare and categorize

  • Assign roles: system owner, authorizing official (AO), information system security officer, and control assessors.
  • Set your organizational risk tolerance.
  • Identify common (inherited) controls you can reuse across systems instead of rebuilding per system.
  • Categorize the system under FIPS 199 — Low, Moderate, or High — based on the impact of losing confidentiality, integrity, or availability.
  • Inventory the system: authorization boundary, data types, data flows, and any FTI, PII, or CUI in scope.

Phase 2: Select and tailor

  • Pull the matching baseline (Low, Moderate, or High) from SP 800-53B.
  • Tailor it: add, remove, or adjust controls based on your risk assessment.
  • Apply any overlays that fit your mission or data type.
  • Layer in regulatory requirements where they apply — FedRAMP for cloud services, IRS Pub 1075 for federal tax information, CMMC for controlled unclassified information.
  • Document every tailoring decision and the reasoning behind it. Undocumented tailoring is an audit finding waiting to happen.

Phase 3: Implement

  • Put each selected control and enhancement in place.
  • Write the System Security Plan (SSP): how each control is met, by whom, and where.
  • Separate inherited control responsibilities from system-specific ones so nothing falls through the cracks.

Phase 4: Assess

  • Build a security assessment plan aligned to the procedures in SP 800-53A.
  • Test the controls, using an independent assessor where your impact level requires one.
  • Record every gap and open item in a Plan of Action and Milestones (POA&M).

Phase 5: Authorize

  • Assemble the authorization package: SSP, assessment results, and POA&M.
  • Have the AO weigh residual risk and issue — or withhold — the Authority to Operate (ATO).
  • Record the authorization term and any conditions attached to it.

Phase 6: Monitor (the step that never ends)

  • Stand up continuous monitoring for control status, vulnerabilities, and configuration drift.
  • Keep the POA&M current and actively work it down.
  • Re-assess on a set cadence and after any significant system change.
  • Track NIST releases and fold new or updated controls — like those in Release 5.2.0 — into your scope.

Control-family coverage check

A final pass to confirm you've addressed all 20 Rev 5 families. For each, ask: do I have documented, implemented controls here?

  • AC (Access Control): least privilege, account management, remote access.
  • AT (Awareness and Training): role-based security and privacy training.
  • AU (Audit and Accountability): logging, log review, log protection.
  • CA (Assessment, Authorization, and Monitoring): assessments, ATO, continuous monitoring. (Renamed in Rev 5 to put monitoring front and center.)
  • CM (Configuration Management): secure baselines, change control, asset inventory.
  • CP (Contingency Planning): backups, disaster recovery, tested restoration.
  • IA (Identification and Authentication): multi-factor authentication, identity management, credential handling.
  • IR (Incident Response): plan, training, reporting, and testing.
  • MA (Maintenance): controlled and logged system maintenance.
  • MP (Media Protection): media handling, marking, sanitization, disposal.
  • PE (Physical and Environmental Protection): facility access, environmental safeguards.
  • PL (Planning): the SSP, rules of behavior, security architecture.
  • PM (Program Management): organization-wide security and privacy governance.
  • PS (Personnel Security): screening, onboarding, offboarding.
  • PT (PII Processing and Transparency): consent, data minimization, privacy notices. (New in Rev 5.)
  • RA (Risk Assessment): risk assessments and vulnerability scanning.
  • SA (System and Services Acquisition): secure development practices and security terms in contracts.
  • SC (System and Communications Protection): encryption, boundary protection, segmentation.
  • SI (System and Information Integrity): patching, malware defense, flaw remediation, monitoring.
  • SR (Supply Chain Risk Management): vendor risk, component provenance, software bills of materials. (New in Rev 5.)
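The coverage pass above, and the Phase 4 and Phase 6 work of recording gaps on the POA&M and folding Release 5.2.0 controls into scope, is easy to script once control IDs are normalized. The following is an added example, not tooling from the checklist's author: it accepts the mixed spellings that turn up in real SSPs ("ac-02", "SI-02(07)", "SI-2(7)"), reports which of the 20 Rev 5 families have no documented control, and lists baseline controls the SSP does not address. Both control lists are constructed sample data.

```python
"""Control-family coverage check for a NIST SP 800-53 Rev 5 control set.
Added example, not the checklist's own tooling; every control list below is
constructed sample data, not a real SSP or baseline."""
import re
from collections import defaultdict

# The 20 Rev 5 control families named in the checklist.
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR"}

# IDs show up as "AC-2", "ac-02", "SI-02(07)" or "SI-2(7)" depending on the
# source document; one pattern accepts all of those spellings.
_CTRL = re.compile(r"^\s*([A-Za-z]{2})-0*(\d+)(?:\s*\(0*(\d+)\))?\s*$")

def normalize(control_id):
    """Canonical form: upper-case family, no zero padding, e.g. 'SI-2(7)'."""
    m = _CTRL.match(control_id)
    if not m:
        raise ValueError(f"not a control identifier: {control_id!r}")
    fam, num, enh = m.group(1).upper(), int(m.group(2)), m.group(3)
    if fam not in FAMILIES:
        raise ValueError(f"unknown family {fam!r} in {control_id!r}")
    return f"{fam}-{num}" + (f"({int(enh)})" if enh else "")

def coverage(ssp_controls, baseline_controls):
    """Return (families with no documented control, baseline controls the SSP
    does not address). The second list is your POA&M candidate list."""
    documented = {normalize(c) for c in ssp_controls}
    by_family = defaultdict(set)
    for cid in documented:
        by_family[cid.split("-")[0]].add(cid)
    uncovered = sorted(FAMILIES - set(by_family))
    unaddressed = sorted(
        {normalize(c) for c in baseline_controls} - documented,
        key=lambda c: (c.split("-")[0], int(re.split(r"[-(]", c)[1])))
    return uncovered, unaddressed

# Constructed sample: controls an SSP documents, in the mixed spellings seen in practice.
SAMPLE_SSP = ["AC-2", "ac-17", "AT-2", "AU-2", "AU-6", "CA-7", "CM-2", "CP-9",
              "IA-2(1)", "IR-4", "MA-2", "MP-6", "PE-3", "PL-2", "PM-9", "PS-3",
              "RA-5", "SA-11", "SC-7", "SI-02", "SI-4"]
# Constructed sample: the tailored baseline, which also carries the Release
# 5.2.0 additions the checklist names (SA-15, SI-02(07), SA-24).
SAMPLE_BASELINE = SAMPLE_SSP + ["SA-15", "SI-02(07)", "SA-24", "PT-2", "SR-3"]

if __name__ == "__main__":
    families_missing, poam_candidates = coverage(SAMPLE_SSP, SAMPLE_BASELINE)
    print("families with no documented control:", families_missing)
    print("baseline controls to open on the POA&M:", poam_candidates)
```

On the sample data the two families reported empty are PT and SR, the same two the field reminders below single out.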

Don't-skip reminders from the field

  • Treat monitoring as ongoing work, not a one-time certification. An ATO is accurate the day it's signed and decays from there.
  • Give PT and SR real attention — they're the two families added in Rev 5, and the ones programs carried over from Rev 4 most often neglect.
  • If you develop or ship software, re-check your scope against Release 5.2.0's update-integrity and resiliency controls.
  • Keep the SSP and POA&M as living documents. Assessors open those first, and stale ones set the tone for the whole review.

About the author

Jose D Soto is an information security leader with hands-on experience across federal and government IT, GRC, and security modernization, including building and assessing programs against NIST 800-53 and related federal frameworks. This checklist reflects real implementation work, not theory.