
NIST SP 800-53 Rev 4

Deprecated Framework

This framework has been superseded by NIST SP 800-53 Revision 5. Organizations should migrate to Revision 5, which was released in September 2020 with updated security and privacy controls for federal information systems.

Best for: U.S. federal agencies and contractors that haven't migrated to NIST 800-53 Rev 5. If your ATO still references Rev 4 control baselines, you need to maintain compliance until renewal. FedRAMP packages authorized before the Rev 5 transition may also reference Rev 4 controls. Defense industrial base companies with legacy DFARS 252.204-7012 references sometimes still encounter Rev 4 language in older contract vehicles.

Mandatory? Mandatory for U.S. federal agencies (superseded by Rev 5)
Who validates? Authorizing Official; 3PAO for FedRAMP overlays · No self-assessment
Renewal: ATO reauthorization every 3 years (federal)
Scope: Federal information systems

๐Ÿ› National Institute of Standards and Technology (NIST), U.S. Department of Commerce ยท NIST SP 800-53 Rev 4 (superseded by Rev 5) Official source โ†’

Get Started

module "..." {
  source  = "nist80053rev4.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Trail Integrity and Coverage: Runs 11 controls validating CloudTrail configuration: multi-region enablement, S3 data event logging for reads and writes, CloudWatch integration, log file validation, and KMS encryption of trail logs. Covers AU-2, AU-3, AU-6, AU-9, and AU-11 control requirements.
    • Encryption at Rest: Checks KMS CMK encryption on CloudTrail logs and API Gateway stage caches. Validates that ACM certificates are not within 30 days of expiration.
    • Network Boundary Protection: Validates that DMS replication instances are not publicly accessible, checking security group and subnet configurations that would expose data processing resources.
    • Secure Configuration Baselines: Detects plaintext sensitive values in CodeBuild environment variables and verifies OAuth is used for source repository connections. Maps to CM-6 and SC-28.
    • Availability and Recovery: Confirms Auto Scaling groups attached to load balancers use ELB health checks and that DynamoDB tables have auto scaling enabled. Addresses CP-10 and SI-13.
  • What you handle

    • Audit Trail Integrity and Coverage: Defining the audit event baseline per AU-2, establishing log review procedures (AU-6 manual review cadence), and documenting incident escalation workflows when anomalous events are detected.
    • Encryption at Rest: Selecting FIPS 140-2 validated modules where required, defining key rotation schedules, documenting key custodian roles, and maintaining a cryptographic key inventory per SC-12.
    • Network Boundary Protection: Documenting authorized information flow paths per AC-4, maintaining network architecture diagrams, configuring WAF rules, and performing periodic boundary device rule reviews.
    • Secure Configuration Baselines: Maintaining an approved configuration baseline document, running a change control board process for CM-3, and conducting periodic configuration deviation scans beyond what Terraform state captures.
    • Availability and Recovery: Developing and testing the full contingency plan (CP-2), conducting annual tabletop exercises (CP-4), and defining Recovery Time Objectives and Recovery Point Objectives for each system.

Controls by Category

Access Control (AC) (1 control)

Publicly accessible DMS instances represent an unauthorized information flow path and will generate AC-4 findings immediately. Auditors examine VPC configurations, public IP assignments, and security group rules to confirm that data processing components aren't exposed without explicit authorization per AC-17 (Remote Access).

Audit and Accountability (AU) (5 controls)

CloudTrail must be active across all regions with both read and write event logging to satisfy AU-2 and AU-3. Assessors check for log file validation (AU-9), CloudWatch integration (AU-6), and a retention period that matches organizational policy (AU-11). Missing S3 data event logging is the most common finding in this category: without it, object-level access goes completely unaudited.
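The AU checks above as an added example (not Compliance.tf's own code): one function that takes a trail description and its event selectors in the shape boto3's describe_trails / get_event_selectors return, plus the CloudWatch log group retention, and reports each gap against the control it fails. The sample trail at the bottom is constructed, not data from a real account.

```python
"""Evaluate one CloudTrail trail against the AU-2/AU-3/AU-6/AU-9/AU-11 checks.
Input dicts mimic boto3 describe_trails / get_event_selectors output; the
sample data at the bottom is constructed, not taken from a live account."""
from typing import Dict, List


def cloudtrail_findings(trail: Dict, selectors: List[Dict],
                        log_group_retention_days: int,
                        policy_retention_days: int) -> List[str]:
    """Return a list of AU findings for the trail; an empty list means compliant."""
    findings = []
    # AU-2: events must be captured in every region, global services included
    if not trail.get("IsMultiRegionTrail"):
        findings.append("AU-2: trail is not multi-region")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("AU-2: global service events (IAM, STS, CloudFront) not logged")
    # AU-3: object-level S3 access needs a data event selector covering reads AND writes
    s3_reads_and_writes = any(
        sel.get("ReadWriteType") == "All"
        and any(res.get("Type") == "AWS::S3::Object"
                for res in sel.get("DataResources", []))
        for sel in selectors)
    if not s3_reads_and_writes:
        findings.append("AU-3: no S3 data event selector with ReadWriteType=All")
    # AU-9: integrity (digest files) and confidentiality (KMS) of the stored log files
    if not trail.get("LogFileValidationEnabled"):
        findings.append("AU-9: log file validation (digest files) disabled")
    if not trail.get("KmsKeyId"):
        findings.append("AU-9: trail logs not encrypted with a KMS key")
    # AU-6: CloudWatch Logs delivery is what makes review and alerting possible
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("AU-6: trail not delivering to CloudWatch Logs")
    # AU-11: a CloudWatch retention of 0 means "never expire", which satisfies any policy
    if 0 < log_group_retention_days < policy_retention_days:
        findings.append(f"AU-11: log retention {log_group_retention_days}d "
                        f"is below policy {policy_retention_days}d")
    return findings


# Constructed sample: single-region trail, write-only S3 data events, 30-day retention
SAMPLE_TRAIL = {
    "Name": "example-trail", "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*",
}
SAMPLE_SELECTORS = [{"ReadWriteType": "WriteOnly",
                     "DataResources": [{"Type": "AWS::S3::Object",
                                        "Values": ["arn:aws:s3:::"]}]}]

if __name__ == "__main__":
    for finding in cloudtrail_findings(SAMPLE_TRAIL, SAMPLE_SELECTORS, 30, 365):
        print(finding)
```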

Incident Response and Continuous Monitoring (IR/CA) (1 control)

The first thing an assessor checks here is whether CloudWatch alarms have actual response actions configured, not just thresholds. Alarms with no SNS or Lambda action attached fail CA-7 (Continuous Monitoring) and IR-4 (Incident Handling) outright.

System and Communications Protection (SC) (2 controls)

SC-28 requires encryption of stored data using FIPS-validated cryptographic modules. Assessors want to see KMS CMK usage rather than default AWS-managed keys, since CMKs produce an auditable key management trail. Expired or expiring ACM certificates draw SC-12 (Cryptographic Key Establishment and Management) findings, and most teams don't catch them until the auditor does.
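The two SC checks above as an added example (not Compliance.tf's own code): distinguishing a customer-managed CMK from the AWS-managed key via the KeyManager field of describe_key, and flagging ACM certificates inside the 30-day expiry window, with an extra note for imported certificates, which ACM does not renew on its own. Key and certificate dicts are constructed samples in the shape boto3 returns.

```python
"""Check the SC-28 / SC-12 conditions: trail logs use an enabled customer-managed
KMS key, and ACM certificates are not within 30 days of expiry.
Input dicts mimic boto3 kms.describe_key()["KeyMetadata"] and
acm.describe_certificate()["Certificate"]; the samples below are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EXPIRY_WINDOW_DAYS = 30  # threshold named on the page


def kms_key_findings(trail: Dict, key_metadata: Dict) -> List[str]:
    """SC-28: trail must use an enabled customer-managed key, not the AWS-managed one."""
    if not trail.get("KmsKeyId"):
        return ["SC-28: trail logs rely on S3 default encryption, no KMS key set"]
    findings = []
    # describe_key reports KeyManager=AWS for aws/* managed keys and CUSTOMER for CMKs
    if key_metadata.get("KeyManager") != "CUSTOMER":
        findings.append("SC-28: trail key is AWS-managed; use a customer-managed CMK")
    if key_metadata.get("KeyState") != "Enabled":
        findings.append(f"SC-12: key state is {key_metadata.get('KeyState')}, not Enabled")
    return findings


def acm_cert_findings(cert: Dict, now: datetime) -> List[str]:
    """SC-12: flag certificates that are expired or expiring inside the 30-day window."""
    days_left = (cert["NotAfter"] - now).days
    name = cert["DomainName"]
    if days_left < 0:
        return [f"SC-12: certificate {name} expired {-days_left}d ago"]
    findings = []
    if days_left < EXPIRY_WINDOW_DAYS:
        findings.append(f"SC-12: certificate {name} expires in {days_left}d")
        # Imported certificates never auto-renew, so a re-import has to be scheduled
        if cert.get("Type") == "IMPORTED":
            findings.append(f"SC-12: {name} is imported; ACM will not renew it automatically")
    return findings


# Constructed samples: a trail on the AWS-managed key and an imported cert 12 days from expiry
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
AWS_MANAGED_KEY = {"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "AWS", "KeyState": "Enabled"}
TRAIL = {"KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
IMPORTED_CERT = {"DomainName": "api.example.com", "Type": "IMPORTED",
                 "NotAfter": NOW + timedelta(days=12)}

if __name__ == "__main__":
    for f in kms_key_findings(TRAIL, AWS_MANAGED_KEY) + acm_cert_findings(IMPORTED_CERT, NOW):
        print(f)
```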

Additional Controls (64)

  • AWS IAM (2)
  • AWS KMS (1)
  • AWS Lambda (2)
  • Amazon CloudWatch Logs (1)
  • Amazon DynamoDB (3)
  • Amazon EBS (2)
  • Amazon EC2 (4)
  • Amazon EFS (2)
  • Amazon EMR (1)
  • Amazon ElastiCache (1)
  • Amazon OpenSearch Service (2)
  • Amazon RDS (14)
  • Amazon Redshift (4)
  • Amazon S3 (11)
  • Amazon SNS (1)
  • Amazon SageMaker (4)
  • Elastic Load Balancing (6)
  • Other (3)

Frequently Asked Questions

NIST 800-53 Rev 5 has been out since 2020. Should I still use Rev 4?

Only if you have an active ATO or contract that explicitly references Rev 4. OMB directed federal agencies to transition to Rev 5, and NIST archived Rev 4 in September 2021. If your ATO is up for renewal, your assessor will likely require Rev 5. For new system authorizations, Rev 4 should not be used. If you are maintaining a legacy ATO, continue using Rev 4 until your renewal date, but plan your migration now.

How do I map my existing Rev 4 controls to Rev 5 during migration?

NIST published a detailed control mapping in SP 800-53B and supplemental materials at csrc.nist.gov. Most controls have a direct 1:1 mapping. The main structural changes: Rev 5 integrates privacy controls directly (removing the separate Appendix J), adds the SR (Supply Chain Risk Management) family, and treats what were formerly 'control enhancements' as standalone controls. Budget 2 to 4 months for a moderate-complexity system migration, including SSP rewriting and assessor review.

These 50 controls only cover a fraction of 800-53. What about the rest?

NIST 800-53 Rev 4 contains over 900 controls and enhancements across 18 families. The controls mapped here focus on AWS infrastructure checks that can be automated through Terraform and Steampipe. Families like PS (Personnel Security), PE (Physical and Environmental Protection), and PL (Planning) require procedural and organizational evidence that infrastructure scanning cannot produce. You need a GRC platform or manual assessment process for those.

Does this framework apply to my organization if we are not a federal agency?

Directly, no. NIST 800-53 is mandatory for federal information systems under FISMA. It applies indirectly if you are a federal contractor processing federal data, a cloud service provider seeking FedRAMP authorization, or a defense contractor subject to DFARS/CMMC. Some private sector organizations voluntarily adopt 800-53 as a comprehensive control catalog even without a federal mandate. State governments occasionally reference it as well.

What is the difference between the low, moderate, and high baselines?

FIPS 199 system categorization determines which baseline applies. Low-impact systems use roughly 125 controls, moderate uses about 325, and high uses approximately 420. The selection depends on the potential impact of a security breach on confidentiality, integrity, and availability. Most federal systems are categorized as moderate. The controls in this compliance.tf mapping span all three baselines, since logging and encryption requirements appear at every impact level, though parameter values (like retention periods) differ.