NIST 800-53 Rev 5
NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, is the foundational federal security control catalog. It is required for all federal information systems under FISMA and forms the basis for FedRAMP, CMMC, and dozens of other frameworks.
Infracast ships 94 automated rules mapped to NIST 800-53 controls, covering the most commonly audited control families across AWS cloud infrastructure.
Why NIST 800-53?
- Federal mandate: Required for all federal agencies and contractors handling federal data under FISMA
- Framework of frameworks: FedRAMP, CMMC, and CNSSI 1253 are all derived from NIST 800-53
- Risk-based: Controls are organized by impact level (Low / Moderate / High), letting you scope exactly what applies to your system
- Cross-industry: Increasingly adopted by financial, healthcare, and critical infrastructure sectors beyond the federal government
Control Families Covered
Infracast evaluates automated checks across the following NIST 800-53 control families:
| Family | ID | Automated Rules | Description |
|---|---|---|---|
| Access Control | AC | 25 | User accounts, least privilege, access enforcement |
| Audit and Accountability | AU | 16 | Logging, log protection, audit review |
| Security Assessment | CA | 5 | Continuous monitoring, system assessment |
| Configuration Management | CM | 14 | Baseline configurations, software restrictions |
| Identification and Authentication | IA | 12 | MFA, passwords, credential management |
| Incident Response | IR | 4 | Alert thresholds, incident detection |
| Risk Assessment | RA | 6 | Vulnerability scanning, risk analysis |
| System and Communications Protection | SC | 22 | Encryption in transit, boundary protection, DDoS |
| System and Information Integrity | SI | 10 | Anti-malware, software updates, input validation |
Sample Automated Rules
| Rule ID | Control | Severity | What It Checks |
|---|---|---|---|
| NIST-AC-2-STALE-ACCESS-KEY | AC-2 | HIGH | IAM access keys unused for 90+ days |
| NIST-AC-2-3-INACTIVE-USER | AC-2(3) | MEDIUM | IAM users inactive for 35+ days not disabled |
| NIST-AC-3-USER-DIRECT-POLICY | AC-3 | MEDIUM | IAM policies attached directly to users |
| NIST-SC-5-DDOS | SC-5 | HIGH | AWS Shield not enabled |
| NIST-SC-7-WAF | SC-7 | HIGH | ALB without WAF protection |
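To make the rules in this table concrete, the following is an added example (not Infracast code) of how the four IAM/ALB rules above can be evaluated over a resource inventory and turned into findings with the same field names used in the sample findings further down the page. The inventory, the key id `AKIAEXAMPLEALICE0001`, the resource type `aws.elbv2.loadbalancer` and the treatment of never-used keys are assumptions made for the example; `AKIAIOSFODNN7EXAMPLE` is the documentation placeholder the page itself uses.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Fixed evaluation date so the constructed sample below is deterministic.
TODAY = date(2024, 10, 15)

# Thresholds as stated in the rules table above.
STALE_KEY_DAYS = 90       # NIST-AC-2-STALE-ACCESS-KEY
INACTIVE_USER_DAYS = 35   # NIST-AC-2-3-INACTIVE-USER


@dataclass
class IamUser:
    name: str
    region: str
    last_login: Optional[date]
    # (key_id, last_used, created); last_used is None for a never-used key.
    access_keys: List[Tuple[str, Optional[date], date]] = field(default_factory=list)
    direct_policies: List[str] = field(default_factory=list)
    enabled: bool = True


@dataclass
class Alb:
    name: str
    region: str
    web_acl_arn: Optional[str]  # None when no AWS WAF web ACL is associated


def finding(rule_id, control_id, severity, resource_id, resource_type, description, remediation):
    """Build a finding dict in the shape of the sample findings shown on this page."""
    return {
        "id": f"{rule_id}-{resource_id}",
        "rule_id": rule_id,
        "framework": "nist-800-53",
        "control_id": control_id,
        "severity": severity,
        "description": description,
        "resource_id": resource_id,
        "resource_type": resource_type,
        "remediation": remediation,
    }


def evaluate(users, albs, today=TODAY):
    """Run the four sample rules over the inventory and return a list of findings."""
    findings = []
    for u in users:
        rid = f"aws:{u.region}:aws.iam.user:{u.name}"
        for _key_id, last_used, created in u.access_keys:
            # Assumption: a never-used key is measured from its creation date.
            idle = (today - (last_used or created)).days
            if idle >= STALE_KEY_DAYS:
                findings.append(finding(
                    "NIST-AC-2-STALE-ACCESS-KEY", "AC-2", "HIGH", rid, "aws.iam.user",
                    f"IAM user '{u.name}' has an access key unused for {idle} days (>={STALE_KEY_DAYS}).",
                    "Deactivate or delete access keys unused for 90+ days per NIST AC-2."))
        # Last activity is the most recent of console login and any access-key use.
        activity = [d for d in [u.last_login] + [k[1] for k in u.access_keys] if d]
        last = max(activity) if activity else None
        if u.enabled and (last is None or (today - last).days >= INACTIVE_USER_DAYS):
            findings.append(finding(
                "NIST-AC-2-3-INACTIVE-USER", "AC-2(3)", "MEDIUM", rid, "aws.iam.user",
                f"IAM user '{u.name}' inactive for {INACTIVE_USER_DAYS}+ days is still enabled.",
                "Disable accounts inactive for 35+ days per NIST AC-2(3)."))
        if u.direct_policies:
            findings.append(finding(
                "NIST-AC-3-USER-DIRECT-POLICY", "AC-3", "MEDIUM", rid, "aws.iam.user",
                f"IAM user '{u.name}' has policies attached directly: {', '.join(u.direct_policies)}.",
                "Attach policies to groups or roles rather than to users per NIST AC-3."))
    for a in albs:
        # Assumed resource type string for load balancers (not from the page).
        rid = f"aws:{a.region}:aws.elbv2.loadbalancer:{a.name}"
        if not a.web_acl_arn:
            findings.append(finding(
                "NIST-SC-7-WAF", "SC-7", "HIGH", rid, "aws.elbv2.loadbalancer",
                f"ALB '{a.name}' does not have WAF (Web Application Firewall) enabled.",
                "Associate an AWS WAF web ACL with the ALB for boundary protection per NIST SC-7."))
    return findings


# Constructed sample inventory (hypothetical account, not real data).
SAMPLE_USERS = [
    IamUser("svc-deploy", "us-east-1", None,
            [("AKIAIOSFODNN7EXAMPLE", TODAY - timedelta(days=127), TODAY - timedelta(days=400))]),
    IamUser("alice", "us-east-1", TODAY - timedelta(days=3),
            [("AKIAEXAMPLEALICE0001", TODAY - timedelta(days=10), TODAY - timedelta(days=200))],
            direct_policies=["AdministratorAccess"]),
    IamUser("bob", "us-east-1", TODAY - timedelta(days=40)),
    IamUser("carol", "us-east-1", TODAY - timedelta(days=200), enabled=False),  # disabled: no AC-2(3) finding
]
SAMPLE_ALBS = [
    Alb("prod-api-alb", "us-east-1", None),
    Alb("internal-alb", "us-east-1", "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/main/EXAMPLE"),
]

if __name__ == "__main__":
    import json
    for f in evaluate(SAMPLE_USERS, SAMPLE_ALBS):
        print(json.dumps(f, indent=2))
```

Against the constructed inventory this yields five findings: `svc-deploy` trips both the stale-key rule (127 days) and the inactive-user rule, `alice` only the direct-policy rule, `bob` the inactive-user rule, and `prod-api-alb` the WAF rule; the disabled user `carol` and the WAF-protected `internal-alb` produce nothing.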
Automated vs. Manual Controls
Not every NIST control can be evaluated by scanning infrastructure. Infracast distinguishes between three assessment types:
| Assessment Type | Example | How Handled |
|---|---|---|
| Automated | MFA enabled on root account | Graph rule checks node property |
| Attested | Security awareness training | Human uploads evidence + attestation |
| Hybrid | Incident response plan tested | Automated detection + evidence upload |
Manual Attestation (Build 38)
For non-automatable controls — such as AT-2 (Security Awareness Training), PL-2 (System Security Plan), or IR-3 (Incident Response Testing) — Infracast provides questionnaire-driven attestation workflows:
- Navigate to Compliance → NIST 800-53 → Attestations
- Find the control in the gap report
- Assign the questionnaire to the responsible team
- Upload supporting evidence (PDFs, screenshots, training records)
- Submit for reviewer approval
```text
Control: AT-2 — Security Awareness Training
──────────────────────────────────────────────────────────────
Status: ✅ Attested
Evidence: security-training-completion-2024-q4.pdf
Attested By: security-admin@agency.gov
Date: 2024-10-15
Expires: 2025-10-15
Reviewer: isso@agency.gov (Approved)
```
Use the Control Status view (/api/v1/tenants/{id}/controls/status) to see the unified score combining both automated findings and manual attestations.
Evidence Generation and SSP Integration (Build 34)
Infracast's Continuous ATO Evidence Engine (Build 34) automatically collects and packages evidence artifacts to support your Authorization to Operate (ATO):
Evidence Collection
```bash
# Generate evidence package for NIST 800-53
curl -X POST https://api.infracast.io/api/v1/tenants/$TENANT/evidence/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "nist-800-53",
    "controls": ["AC-2", "AU-2", "CM-6", "IA-2", "SC-7"],
    "format": "zip"
  }'
```
The package includes:
- Timestamped findings snapshots for each control
- Resource inventory reports
- Configuration compliance screenshots
- Historical trend data
System Security Plan (SSP)
Generate a pre-populated SSP aligned to NIST 800-53 Rev 5:
```http
POST /api/v1/tenants/{tenantID}/documents/generate
{
  "type": "ssp",
  "framework": "nist-800-53",
  "format": "docx",
  "options": {
    "include_architecture_diagram": true,
    "impact_level": "moderate"
  }
}
```
The SSP (Build 46) includes:
- Auto-populated control implementation statements based on discovered resources
- Architecture diagrams generated from your infrastructure graph
- Control inheritance tables (organization vs. system-level)
- POA&M summary for open findings
SSP generation is available on Enterprise plans with the Evidence Engine feature enabled.
Sample Findings and Remediation
Finding: AC-2 — Stale IAM Access Key
```json
{
  "id": "NIST-AC-2-STALE-ACCESS-KEY-aws:us-east-1:aws.iam.user:svc-deploy",
  "rule_id": "NIST-AC-2-STALE-ACCESS-KEY",
  "framework": "nist-800-53",
  "control_id": "AC-2",
  "severity": "HIGH",
  "title": "IAM access key unused for 90+ days",
  "description": "IAM user 'svc-deploy' has an access key unused for 127 days (≥90).",
  "resource_id": "aws:us-east-1:aws.iam.user:svc-deploy",
  "resource_type": "aws.iam.user",
  "remediation": "Deactivate or delete access keys unused for 90+ days per NIST AC-2."
}
```
Remediation steps:
```bash
# 1. Identify the stale key
aws iam list-access-keys --user-name svc-deploy
# 2. Deactivate (safer first step)
aws iam update-access-key \
  --user-name svc-deploy \
  --access-key-id AKIAIOSFODNN7EXAMPLE \
  --status Inactive
# 3. Delete after confirming no impact
aws iam delete-access-key \
  --user-name svc-deploy \
  --access-key-id AKIAIOSFODNN7EXAMPLE
```
Finding: SC-7 — ALB Without WAF
```json
{
  "rule_id": "NIST-SC-7-WAF",
  "control_id": "SC-7",
  "severity": "HIGH",
  "title": "Application Load Balancer missing WAF protection",
  "description": "ALB 'prod-api-alb' does not have WAF (Web Application Firewall) enabled.",
  "remediation": "Associate an AWS WAF web ACL with the ALB for boundary protection per NIST SC-7."
}
```
Terraform remediation patch:
```hcl
resource "aws_wafv2_web_acl_association" "prod_api" {
  resource_arn = aws_lb.prod_api.arn
  web_acl_arn  = aws_wafv2_web_acl.main.arn
}
```
Infracast can generate Terraform patches directly from findings. See GET /api/v1/tenants/{id}/findings/{findingID}/terraform-patch.
Compliance Score
Track your NIST 800-53 posture from the dashboard or API:
```bash
# Get NIST 800-53 compliance summary
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/compliance/summary?framework=nist-800-53"
```

```json
{
  "framework": "nist-800-53",
  "score": 82,
  "controls_total": 94,
  "controls_passing": 77,
  "controls_failing": 12,
  "controls_attested": 5,
  "by_family": {
    "AC": { "score": 84, "passing": 21, "total": 25 },
    "AU": { "score": 87, "passing": 14, "total": 16 },
    "CM": { "score": 71, "passing": 10, "total": 14 },
    "IA": { "score": 100, "passing": 12, "total": 12 },
    "SC": { "score": 77, "passing": 17, "total": 22 }
  }
}
```
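The summary above, together with the unified score mentioned in the Manual Attestation section, combines automated pass/fail results with manual attestations. The following added example (not Infracast code) shows one way such a roll-up can be computed, including the expiry behaviour a reviewer would want: an attestation only counts until its `Expires` date, after which the control is treated as failing until fresh evidence is uploaded. The input format, the truncated-percentage scoring and the expiry rule are assumptions for the example; the page does not state Infracast's exact formula.

```python
from datetime import date
from typing import Dict, List, Optional

# Fixed evaluation date so the constructed sample below is deterministic.
TODAY = date(2024, 10, 15)


def family_of(control_id: str) -> str:
    """'AC-2(3)' -> 'AC': the family is the prefix before the first hyphen."""
    return control_id.split("-", 1)[0]


def control_state(result: dict, today: date) -> str:
    """Collapse one control result to 'pass', 'fail' or 'attested'.

    Assumption: an attestation counts only until its expiry date; once expired the
    control is treated as failing until the evidence is refreshed and re-approved.
    """
    if result["type"] == "automated":
        return "pass" if result["passing"] else "fail"
    expires: Optional[date] = result.get("expires")
    if expires is None or expires < today:
        return "fail"
    return "attested"


def summarize(results: List[dict], today: date = TODAY) -> dict:
    """Produce a compliance summary in the shape of the API response shown above."""
    states = {r["control_id"]: control_state(r, today) for r in results}
    fam: Dict[str, dict] = {}
    for cid, st in states.items():
        f = fam.setdefault(family_of(cid), {"passing": 0, "total": 0})
        f["total"] += 1
        if st in ("pass", "attested"):
            f["passing"] += 1
    for f in fam.values():
        # Assumption: integer-truncated percentage of satisfied controls per family.
        f["score"] = f["passing"] * 100 // f["total"]
    total = len(states)
    satisfied = sum(1 for s in states.values() if s != "fail")
    return {
        "framework": "nist-800-53",
        "score": satisfied * 100 // total if total else 0,
        "controls_total": total,
        "controls_passing": sum(1 for s in states.values() if s == "pass"),
        "controls_failing": sum(1 for s in states.values() if s == "fail"),
        "controls_attested": sum(1 for s in states.values() if s == "attested"),
        "by_family": {k: {"score": v["score"], "passing": v["passing"], "total": v["total"]}
                      for k, v in sorted(fam.items())},
    }


# Constructed control results (not real scan output): six automated controls and
# two attested ones, of which PL-2's attestation has already expired.
SAMPLE_RESULTS = [
    {"control_id": "AC-2", "type": "automated", "passing": True},
    {"control_id": "AC-3", "type": "automated", "passing": False},
    {"control_id": "AC-6", "type": "automated", "passing": True},
    {"control_id": "IA-2", "type": "automated", "passing": True},
    {"control_id": "SC-5", "type": "automated", "passing": True},
    {"control_id": "SC-7", "type": "automated", "passing": False},
    {"control_id": "AT-2", "type": "attested", "expires": date(2025, 10, 15)},  # still valid
    {"control_id": "PL-2", "type": "attested", "expires": date(2024, 9, 1)},    # expired
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_RESULTS), indent=2))
```

With the constructed input, the expired PL-2 attestation drops that family to a score of 0 and is counted under `controls_failing`, which is the behaviour you want from a continuous-monitoring view: stale evidence should surface as a gap rather than silently keep a control green.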
Next Steps
- FedRAMP Guide — Build on NIST 800-53 for federal cloud authorization
- CMMC Guide — Defense contractor requirements mapped to NIST
- Evidence Engine — Generate ATO-ready evidence packages
- API: Findings — Query NIST findings programmatically