NIST SP 800-53 Rev 5
Best for: U.S. federal agencies must implement NIST 800-53 Rev 5 under FISMA. Federal contractors and cloud providers seeking FedRAMP authorization also map to this catalog. Private sector organizations in defense, healthcare, and financial services use it as a control baseline when no sector-specific regulation applies. State and local governments increasingly reference it in procurement. If your organization operates federal information systems or sells SaaS to the U.S.
National Institute of Standards and Technology (NIST), U.S. Department of Commerce · NIST SP 800-53 Rev 5 (Sep 2020)
Get Started
module "..." {
  # The module label, <module> and <version> are placeholders: substitute the
  # Compliance.tf module for the AWS service you are provisioning and pin a version.
  source  = "nist80053.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Audit Logging and Monitoring: Runs 9 controls validating CloudTrail configuration across regions, S3 data event logging (read and write), CloudWatch Logs integration, and log file validation. API Gateway stage logging is also checked. These directly address AU-2, AU-3, AU-6, AU-9, and AU-12.
- Encryption at Rest: Checks encryption on API Gateway stage caches, AWS Backup recovery points, and CloudTrail logs (KMS CMK). Validates that customer-managed keys are in use where specified. Maps to SC-28 and SC-13.
- Encryption in Transit: Validates SSL certificate assignment on API Gateway stages and confirms ACM certificates are not within 30 days of expiration. Maps to SC-8 and SC-13.
- Network Boundary Protection: Checks that Auto Scaling launch configurations do not assign public IPs by default and that API Gateway stages are associated with WAF web ACLs. Maps to SC-7.
- Backup and Recovery: Validates that backup recovery points have manual deletion disabled (vault lock) and that Auto Scaling groups with load balancers use ELB health checks. Maps to CP-9 and CP-10.
- Configuration Baseline Management: Verifies AWS account membership in AWS Organizations and CloudFormation stack notification configuration. Maps to CM-2 and CM-3.
What you handle
- Audit Logging and Monitoring: Defining which events constitute AU-2 auditable events in your SSP, configuring CloudWatch alarms and incident response workflows for AU-6 (Audit Record Review), establishing log retention periods per your records management policy, and training staff on log analysis procedures.
- Encryption at Rest: KMS key rotation policies, key access policies, documenting cryptographic standards in the SSP, and extending coverage to additional data stores (RDS, EBS, DynamoDB, etc.) beyond the controls mapped here.
- Encryption in Transit: TLS version and cipher suite policy enforcement, certificate pinning decisions, and documenting minimum acceptable cryptographic algorithms in system security plans.
- Network Boundary Protection: Network architecture diagrams, WAF rule set management and rate-limiting policy, VPC flow log configuration, and boundary protection documentation in the SSP. Security group and NACL configurations require controls beyond this mapped set.
- Backup and Recovery: Backup frequency schedules, recovery time and recovery point objectives (RTO/RPO), testing backup restoration procedures, and documenting the contingency plan per CP-2.
- Configuration Baseline Management: Defining and documenting baseline configurations, managing Service Control Policies (SCPs), maintaining a configuration management plan, and tracking configuration changes through a formal change control board process.
Controls by Category
Audit and Accountability (AU) (4 controls)
The most common findings here: trails scoped to a single region, missing S3 data event logging for object-level operations, and CloudTrail not forwarding to CloudWatch Logs. AU-2 requires defining auditable events; AU-12 requires generating records for those events across all regions; AU-9 requires protecting log integrity. Bring CloudTrail configuration exports, CloudWatch log group retention settings, and evidence that log file validation is enabled.
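As an added example (not Compliance.tf's own code), the following Python evaluator applies the trail-level checks described above to trail descriptions modelled on the shape of CloudTrail's describe_trails and get_event_selectors responses; the field-name shape is an assumption, the sample trails, account number and key id are constructed, and the control mapping follows the categories on this page.

```python
"""Evaluate CloudTrail trail configurations against the AU checks on this page."""

# Constructed sample: one compliant trail and one showing the common gaps.
# Dictionary keys mirror describe_trails / get_event_selectors fields (assumed shape).
TRAILS = {
    "org-trail": {
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:ct:*",
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                            "DataResources": [{"Type": "AWS::S3::Object",
                                               "Values": ["arn:aws:s3:::"]}]}],
    },
    "legacy-trail": {
        "IsMultiRegionTrail": False,           # single-region: AU-12 gap
        "LogFileValidationEnabled": False,     # no digest files: AU-9 gap
        "CloudWatchLogsLogGroupArn": None,     # not forwarded: AU-6 gap
        "KmsKeyId": None,                      # SSE-S3 only, no CMK: SC-28 gap
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                            "DataResources": []}],  # no S3 object-level events: AU-2 gap
    },
}


def s3_data_events(selectors):
    """True if some selector logs both reads and writes for every S3 object."""
    for sel in selectors:
        if sel.get("ReadWriteType") != "All":
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object" and "arn:aws:s3:::" in res.get("Values", []):
                return True
    return False


def evaluate_trail(trail):
    """Return (control, finding) pairs that fail for one trail; empty means compliant."""
    checks = [
        ("AU-12", "trail is not multi-region", trail.get("IsMultiRegionTrail") is True),
        ("AU-2", "S3 object-level read and write data events not logged",
         s3_data_events(trail.get("EventSelectors", []))),
        ("AU-6", "trail not forwarding to CloudWatch Logs", bool(trail.get("CloudWatchLogsLogGroupArn"))),
        ("AU-9", "log file validation disabled", trail.get("LogFileValidationEnabled") is True),
        ("SC-28", "log files not encrypted with a customer-managed KMS key", bool(trail.get("KmsKeyId"))),
    ]
    return [(ctrl, msg) for ctrl, msg, ok in checks if not ok]


def evaluate_account(trails):
    """Map each trail name to its failed controls."""
    return {name: evaluate_trail(t) for name, t in trails.items()}


if __name__ == "__main__":
    for name, findings in evaluate_account(TRAILS).items():
        print(name, "PASS" if not findings else "FAIL")
        for ctrl, msg in findings:
            print(f"  {ctrl}: {msg}")
```

Against a real account you would feed the same functions the output of describe_trails and get_event_selectors for every trail in every region, since a trail present only in the home region is itself the AU-12 finding.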
Configuration Management (CM) (1 control)
Assessors want to see AWS accounts operating under an Organizations structure with Service Control Policies enforcing the security baseline (CM-2), and CloudFormation stacks wired to SNS so infrastructure changes generate notifications for change tracking (CM-3). Evidence: Organizations membership confirmation, SCP policy exports, and CloudFormation stack notification ARN configurations.
System and Communications Protection, Cryptographic Controls (SC) (3 controls)
These controls map primarily to SC-8 (Transmission Confidentiality and Integrity), SC-13 (Cryptographic Protection), and SC-28 (Protection of Information at Rest). Assessors check for encryption at rest using customer-managed KMS keys rather than default AWS-managed keys, valid TLS certificates on external endpoints, and active certificate lifecycle management. A recurring gap: organizations encrypt primary data stores but leave API Gateway caches unencrypted, or let ACM certificates drift toward expiration without automated renewal.
Additional Controls (89)
AWS Database Migration Service (1)
AWS IAM (3)
AWS KMS (1)
AWS Lambda (4)
AWS Secrets Manager (1)
Amazon CloudWatch (2)
Amazon CloudWatch Logs (1)
Amazon DynamoDB (3)
Amazon EBS (2)
Amazon EC2 (6)
Amazon ECR (1)
Amazon EFS (2)
Amazon ElastiCache (1)
Amazon OpenSearch Service (3)
Amazon RDS (16)
Amazon Redshift (9)
Amazon S3 (14)
Amazon SNS (1)
Amazon SageMaker (4)
Amazon VPC (2)
Elastic Load Balancing (8)
Other (4)
Frequently Asked Questions
Does NIST 800-53 Rev 5 apply to my organization if we are not a federal agency?
There is no legal requirement for private sector organizations to adopt 800-53 unless you process federal data, operate federal systems, or pursue FedRAMP authorization. Many private companies adopt it voluntarily as a control baseline because it is the most comprehensive publicly available catalog. Defense contractors subject to DFARS/CMMC will encounter 800-53 controls through NIST SP 800-171, which derives its requirements from 800-53. If you sell to the U.S. government or handle Controlled Unclassified Information (CUI), you will likely need to demonstrate alignment.
What changed between Rev 4 and Rev 5?
Several structural changes were made. Privacy controls (previously in Appendix J) were integrated into the main catalog as the PT (Personally Identifiable Information Processing and Transparency) family. Supply chain risk management controls previously scattered across SA and related families were consolidated into the new SR family. Control baselines were moved to a separate publication, SP 800-53B. The language shifted from 'federal information systems' to 'systems and organizations' to encourage broader adoption. Rev 5 also introduced outcome-based control language and removed the numbering distinction between security and privacy controls.
How do I select which controls apply? The full catalog has over 1,000 controls.
Start with SP 800-53B, which defines Low, Moderate, and High baselines. Your system's FIPS 199 categorization determines the starting baseline; for federal systems, this categorization is mandatory. From there, tailor by scoping, compensating, or supplementing controls based on your risk assessment (per SP 800-37 and SP 800-30). Most AWS workloads in federal environments land at Moderate, which includes roughly 325 controls. The 50 controls mapped in compliance.tf cover a subset of the most automatable technical controls.
Can compliance.tf fully automate a NIST 800-53 assessment?
No. Compliance.tf automates checks for 50 technical controls that can be validated through AWS API queries and Terraform state. NIST 800-53 contains over 1,000 controls across 20 families, many of which are procedural, organizational, or require human judgment (for example, PE physical security controls, PS personnel security, AT awareness training). Use compliance.tf to maintain continuous technical compliance and feed results into your broader POA&M and assessment process. You still need an SSP, risk assessment documentation, and (for federal systems) assessor-led evaluations.
How does 800-53 Rev 5 relate to FedRAMP?
FedRAMP selects controls from 800-53 and adds FedRAMP-specific parameters, requirements, and testing procedures. FedRAMP baselines (Low, Moderate, High) are subsets of the corresponding SP 800-53B baselines with additional controls and stricter parameter values. If you are pursuing FedRAMP authorization, you implement 800-53 controls as specified in the FedRAMP baseline, not the raw SP 800-53B baseline. Beyond control selection, FedRAMP adds continuous monitoring cadences (ConMon), specific POA&M remediation timelines, and mandatory use of FedRAMP-provided templates.