FISMA NIST 800-53 Rev. 4 Controls – By the Numbers
Have you even been in a FISMA discussion or meeting and someone asked how many actual NIST 800-53 controls they needed to meet and no one seemed to have the exact answer? Well just to make it easy for you we prepared the two tables below that provide the total controls and enhancements for low, moderate and high organizations. If you have any questions about how these apply to you come to our web site and request a free one hour phone consultation and we can discuss the most cost effective ways your organization can satisfy these controls.
NIST 800-53 Revision 4 Control Tally
(excluding PM and Privacy)
| LOW | MODERATE | HIGH | ||||
|---|---|---|---|---|---|---|
| CONTROL FAMILY | Number of Applicable Controls | Number of Applicable Enhancements | Number of Applicable Controls | Number of Applicable Enhancements | Number of Applicable Controls | Number of Applicable Enhancements |
| AC- Access Control | 11 | 0 | 17 | 18 | 18 | 25 |
| AT- Awareness & Training | 4 | 0 | 4 | 1 | 4 | 1 |
| AU – Audit and Accountability | 10 | 0 | 11 | 7 | 12 | 16 |
| CA – Security Assessment and Audit | 7 | 0 | 7 | 3 | 8 | 4 |
| CM – Configuration Management | 8 | 0 | 11 | 10 | 11 | 20 |
| CP – Contingency Planning | 6 | 0 | 9 | 13 | 9 | 26 |
| IA – Identification and Authentication | 7 | 8 | 8 | 14 | 8 | 16 |
| IR – Incident Response | 7 | 0 | 8 | 4 | 8 | 8 |
| MA – Maintenance | 4 | 0 | 6 | 3 | 6 | 7 |
| MP – Media Protection | 4 | 0 | 7 | 2 | 7 | 5 |
| PE – Physical and Environmental | 10 | 0 | 16 | 2 | 17 | 9 |
| PL- Planning | 3 | 0 | 4 | 2 | 4 | 2 |
| PS – Personnel Security | 8 | 0 | 8 | 0 | 8 | 1 |
| RA – Risk Assessment | 4 | 0 | 4 | 3 | 4 | 4 |
| SA – System and Services Acquisition | 6 | 1 | 9 | 5 | 13 | 5 |
| SC – System and Communications | 10 | 0 | 19 | 5 | 21 | 9 |
| SI – System and Information Integrity | 6 | 0 | 11 | 10 | 12 | 15 |
| TOTALS | 115 | 9 | 159 | 102 | 170 | 173 |
NIST 800-53 Revision 4 Control Tally
(including PM and Privacy)
| LOW | MODERATE | HIGH | ||||
|---|---|---|---|---|---|---|
| CONTROL FAMILY | Number of Applicable Controls | Number of Applicable Enhancements | Number of Applicable Controls | Number of Applicable Enhancements | Number of Applicable Controls | Number of Applicable Enhancements |
| AC- Access Control | 11 | 0 | 17 | 18 | 18 | 25 |
| AT- Awareness & Training | 4 | 0 | 4 | 1 | 4 | 1 |
| AU – Audit and Accountability | 10 | 0 | 11 | 7 | 12 | 16 |
| CA – Security Assessment and Audit | 7 | 0 | 7 | 3 | 8 | 4 |
| CM – Configuration Management | 8 | 0 | 11 | 10 | 11 | 20 |
| CP – Contingency Planning | 6 | 0 | 9 | 13 | 9 | 26 |
| IA – Identification and Authentication | 7 | 8 | 8 | 14 | 8 | 16 |
| IR – Incident Response | 7 | 0 | 8 | 4 | 8 | 8 |
| MA – Maintenance | 4 | 0 | 6 | 3 | 6 | 7 |
| MP – Media Protection | 4 | 0 | 7 | 2 | 7 | 5 |
| PE – Physical and Environmental | 10 | 0 | 16 | 2 | 17 | 9 |
| PL- Planning | 3 | 0 | 4 | 2 | 4 | 2 |
| PS – Personnel Security | 8 | 0 | 8 | 0 | 8 | 1 |
| RA – Risk Assessment | 4 | 0 | 4 | 3 | 4 | 4 |
| SA – System and Services Acquisition | 6 | 1 | 9 | 5 | 13 | 5 |
| SC – System and Communications | 10 | 0 | 19 | 5 | 21 | 9 |
| SI – System and Information Integrity | 6 | 0 | 11 | 10 | 12 | 15 |
| PM – Program Management | 16 | 0 | 16 | 0 | 16 | 0 |
| Privacy | 26 | 0 | 26 | 0 | 26 | 0 |
| TOTALS | 157 | 9 | 201 | 102 | 212 | 173 |
