Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Security and Privacy Controls for Federal Information Systems and Organizations [including updates as of 1/22/2015]



Ronald S. Ross


[Rev. 4 was superseded by Rev. 5 on 9/23/2020; Rev. 4 will be withdrawn one year from that date, on 9/23/2019] This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.
Special Publication (NIST SP) - 800-53 Rev 4
Report Number
800-53 Rev 4


Assurance, computer security, FIPS Publication 199, FIPS Publication 200, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements.


Ross, R. (2015), Security and Privacy Controls for Federal Information Systems and Organizations [including updates as of 1/22/2015], Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 21, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created January 21, 2015, Updated September 27, 2020