compliance.tf
Compliance FrameworksRetired Frameworks

NIST SP 800-53 Rev 4

Deprecated Framework

This framework has been superseded by NIST SP 800-53 Revision 5. Organizations should migrate to Revision 5, which was released in September 2020 with updated security and privacy controls for federal information systems.

Best for: U.S. federal agencies and contractors that haven't migrated to NIST 800-53 Rev 5. If your ATO still references Rev 4 control baselines, you need to maintain compliance until renewal. FedRAMP packages authorized before the Rev 5 transition may also reference Rev 4 controls. Defense industrial base companies with legacy DFARS 252.204-7012 references sometimes still encounter Rev 4 language in older contract vehicles.

Mandatory?Mandatory for U.S. federal agencies (superseded by Rev 5)
Who validates?Authorizing Official; 3PAO for FedRAMP overlays · No self-assessment
RenewalATO reauthorization every 3 years (federal)
ScopeFederal information systems

🏛 National Institute of Standards and Technology (NIST), U.S. Department of Commerce · NIST SP 800-53 Rev 4 (superseded by Rev 5) Official source →

Get Started

module "..." {
  source  = "nist80053rev4.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Trail Integrity and Coverage: Runs 11 controls validating CloudTrail configuration: multi-region enablement, S3 data event logging for reads and writes, CloudWatch integration, log file validation, and KMS encryption of trail logs. Covers AU-2, AU-3, AU-6, AU-9, and AU-11 control requirements.
  • Encryption at Rest: Checks KMS CMK encryption on CloudTrail logs and API Gateway stage caches. Validates that ACM certificates are not within 30 days of expiration.
  • Network Boundary Protection: Validates that DMS replication instances are not publicly accessible, checking security group and subnet configurations that would expose data processing resources.
  • Secure Configuration Baselines: Detects plaintext sensitive values in CodeBuild environment variables and verifies OAuth is used for source repository connections. Maps to CM-6 and SC-28.
  • Availability and Recovery: Confirms Auto Scaling groups attached to load balancers use ELB health checks and that DynamoDB tables have auto scaling enabled. Addresses CP-10 and SI-13.

What you handle

  • Audit Trail Integrity and Coverage: Defining the audit event baseline per AU-2, establishing log review procedures (AU-6 manual review cadence), and documenting incident escalation workflows when anomalous events are detected.
  • Encryption at Rest: Selecting FIPS 140-2 validated modules where required, defining key rotation schedules, documenting key custodian roles, and maintaining a cryptographic key inventory per SC-12.
  • Network Boundary Protection: Documenting authorized information flow paths per AC-4, maintaining network architecture diagrams, configuring WAF rules, and performing periodic boundary device rule reviews.
  • Secure Configuration Baselines: Maintaining an approved configuration baseline document, running a change control board process for CM-3, and conducting periodic configuration deviation scans beyond what Terraform state captures.
  • Availability and Recovery: Developing and testing the full contingency plan (CP-2), conducting annual tabletop exercises (CP-4), and defining Recovery Time Objectives and Recovery Point Objectives for each system.

Controls by Category

Access Control (AC) (1 control)

Publicly accessible DMS instances represent an unauthorized information flow path and will generate AC-4 findings immediately. Auditors examine VPC configurations, public IP assignments, and security group rules to confirm that data processing components aren't exposed without explicit authorization per AC-17 (Remote Access).

DMS replication instances should not be publicly accessiblecompliance.tf module

Audit and Accountability (AU) (5 controls)

CloudTrail must be active across all regions with both read and write event logging to satisfy AU-2 and AU-3. Assessors check for log file validation (AU-9), CloudWatch integration (AU-6), and a retention period that matches organizational policy (AU-11). Missing S3 data event logging is the most common finding in this category: without it, object-level access goes completely unaudited.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have log file validation enabledAPI Gateway stages should have logging enabledCloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Incident Response and Continuous Monitoring (IR/CA) (1 control)

The first thing an assessor checks here is whether CloudWatch alarms have actual response actions configured, not just thresholds. Alarms with no SNS or Lambda action attached fail CA-7 (Continuous Monitoring) and IR-4 (Incident Handling) outright.

CloudWatch alarms should have an action configuredcompliance.tf module

System and Communications Protection (SC) (2 controls)

SC-28 requires encryption of stored data using FIPS-validated cryptographic modules. Assessors want to see KMS CMK usage rather than default AWS-managed keys, since CMKs produce an auditable key management trail. Expired or expiring ACM certificates draw SC-12 (Cryptographic Key Establishment and Management) findings, and most teams don't catch them until the auditor does.

CloudTrail trails should have logs encrypted using a customer managed KMS keyAPI Gateway stages should have cache encryption at rest enabled
Additional Controls (64)

AWS IAM (2)

IAM password policies should prevent password reuseIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (2)

Lambda functions should be in a VPCcompliance.tf moduleLambda functions should restrict public URLcompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (3)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon EBS (2)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (4)

EC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon OpenSearch Service (2)

OpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (14)

RDS clusters should have deletion protection enabledcompliance.tf moduleRDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (4)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (11)

S3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object lock enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Elastic Load Balancing (6)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf module

Other (3)

ES domain encryption at rest should be enabledES domains should be in a VPCElasticsearch domain node-to-node encryption should be enabled

Related Frameworks

NIST 800-53 Rev 5🟢 High overlap (85%)

Rev 5 is the direct successor. Most Rev 4 controls carry forward, but Rev 5 consolidates some control families (for example, merging PM controls into the main catalog), adds supply chain risk management (SR family), and removes the concept of 'control enhancements' as separate items. NIST published the migration mapping in SP 800-53B.

FedRAMP Moderate Rev 4🟢 High overlap (90%)

FedRAMP Moderate baselines are derived directly from the NIST 800-53 Rev 4 moderate baseline, with additional FedRAMP-specific parameters and requirements. Nearly all FedRAMP controls trace back to 800-53, but FedRAMP adds stricter parameter values and continuous monitoring requirements.

NIST CSF🟡 Medium overlap (40%)

The NIST Cybersecurity Framework references 800-53 controls as informative references. CSF operates at a higher abstraction level with five functions (Identify, Protect, Detect, Respond, Recover), while 800-53 provides the specific implementation controls. Organizations often use CSF for risk framing and 800-53 for technical implementation.

Frequently Asked Questions

NIST 800-53 Rev 5 has been out since 2020. Should I still use Rev 4?
Only if you have an active ATO or contract that explicitly references Rev 4. OMB directed federal agencies to transition to Rev 5, and NIST archived Rev 4 in September 2021. If your ATO is up for renewal, your assessor will likely require Rev 5. For new system authorizations, Rev 4 should not be used. If you are maintaining a legacy ATO, continue using Rev 4 until your renewal date, but plan your migration now.
How do I map my existing Rev 4 controls to Rev 5 during migration?
NIST published a detailed control mapping in SP 800-53B and supplemental materials at csrc.nist.gov. Most controls have a direct 1:1 mapping. The main structural changes: Rev 5 integrates privacy controls directly (removing the separate Appendix J), adds the SR (Supply Chain Risk Management) family, and treats what were formerly 'control enhancements' as standalone controls. Budget 2 to 4 months for a moderate-complexity system migration, including SSP rewriting and assessor review.
These 50 controls only cover a fraction of 800-53. What about the rest?
NIST 800-53 Rev 4 contains over 900 controls and enhancements across 18 families. The controls mapped here focus on AWS infrastructure checks that can be automated through Terraform and Steampipe. Families like PS (Personnel Security), PE (Physical and Environmental Protection), and PL (Planning) require procedural and organizational evidence that infrastructure scanning cannot produce. You need a GRC platform or manual assessment process for those.
Does this framework apply to my organization if we are not a federal agency?
Directly, no. NIST 800-53 is mandatory for federal information systems under FISMA. It applies indirectly if you are a federal contractor processing federal data, a cloud service provider seeking FedRAMP authorization, or a defense contractor subject to DFARS/CMMC. Some private sector organizations voluntarily adopt 800-53 as a comprehensive control catalog even without a federal mandate. State governments occasionally reference it as well.
What is the difference between the low, moderate, and high baselines?
FIPS 199 system categorization determines which baseline applies. Low-impact systems use roughly 125 controls, moderate uses about 325, and high uses approximately 420. The selection depends on the potential impact of a security breach on confidentiality, integrity, and availability. Most federal systems are categorized as moderate. The controls in this compliance.tf mapping span all three baselines, since logging and encryption requirements appear at every impact level, though parameter values (like retention periods) differ.

NIST Cybersecurity Framework v1.1

Previous Page

PCI DSS v3.2.1

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAccess Control (AC) (1)Audit and Accountability (AU) (5)Incident Response and Continuous Monitoring (IR/CA) (1)System and Communications Protection (SC) (2)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page