NIST SP 800-53 Rev. 5

The security framework behind US federal compliance — and NIS2 in Hungary.

NIST SP 800-53 is the US federal government’s primary cybersecurity control framework. It is mandatory for federal agencies and contractors — and forms the technical basis of Hungary’s NIS2 implementation. Audit41 Readiness assesses your gaps against NIST SP 800-53 Rev. 5.

🇺🇸 US federal agencies & contractors

🇭🇺 Hungarian NIS2 — mandatory framework

The framework

What is NIST SP 800-53?

NIST SP 800-53 is published by the National Institute of Standards and Technology (NIST), a US federal agency within the Department of Commerce. The framework provides a catalogue of security and privacy controls for information systems and organisations — primarily US federal information systems, but increasingly adopted globally.

Revision 5, published in September 2020, made a significant shift: it separated the control catalogue from the assessment procedures, made the framework applicable to any organisation (not just federal agencies), and added a dedicated privacy control family. Revision 5 introduced ‘outcome-based’ controls that focus on what must be achieved rather than prescriptive methods.

For US federal contractors, NIST SP 800-53 compliance is not optional — it is a prerequisite for operating in the federal supply chain. The framework underpins FedRAMP, FISMA, CMMC, and other US federal compliance programmes. Internationally, it has been adopted by Hungary as the mandatory technical basis for NIS2 security classifications.

Published by

NIST (National Institute of Standards and Technology)

US Department of Commerce

Current revision

Rev. 5 — September 2020

Rev. 5.1 initial public draft released 2023

Mandatory for

US federal agencies + contractors

Also: Hungary NIS2 (Act LXIX/2024)

Control families

20 control families

Approx. 1,000 individual controls across baseline levels

20 control families. Three baseline levels.

NIST SP 800-53 organises controls into 20 families. Every system is assigned a baseline (Low, Moderate, or High) that determines which controls apply.

AC Access Control
AT Awareness and Training
AU Audit and Accountability
CA Assessment, Authorisation and Monitoring
CM Configuration Management
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PM Program Management
PS Personnel Security
PT PII Processing and Transparency
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Information Integrity
SR Supply Chain Risk Management

Low baseline

Minimum required controls. For systems where loss of confidentiality, integrity, or availability would have limited adverse effect.

Moderate baseline

Most federal systems. For systems where compromise would have serious adverse effect on operations, assets, or individuals.

High baseline

Critical systems. For systems where compromise would have severe or catastrophic adverse effect — including national security.

US federal supply chain

Who must comply with NIST SP 800-53?

US federal agencies

All federal agencies are required to implement NIST SP 800-53 controls under FISMA (Federal Information Security Modernization Act). Non-compliance exposes agencies to audit findings and budget implications.

Federal contractors

Companies contracting with the US federal government must demonstrate NIST SP 800-53 compliance for any systems handling Controlled Unclassified Information (CUI). This is enforced through CMMC 2.0 for defence contractors.

FedRAMP cloud providers

Any cloud service provider seeking FedRAMP authorisation must implement NIST SP 800-53 controls at Moderate or High baseline. FedRAMP is the gateway to US federal cloud procurement.

EU companies in the US supply chain

European companies supplying services to US federal agencies, defence contractors, or FedRAMP customers must demonstrate NIST compliance — regardless of where they are headquartered.

Hungary specific

Hungary mandates NIST SP 800-53 for NIS2 compliance.

Hungary’s NIS2 implementation (Act LXIX of 2024) uniquely requires organisations to classify their electronic information systems as basic, significant, or high security — and implement controls from NIST SP 800-53 Rev. 5 mapped to that classification.

This means Hungarian NIS2 entities do not choose their security framework — NIST SP 800-53 is mandated by law. The SZTFH-certified auditor who conducts your mandatory NIS2 audit will evaluate your controls against NIST SP 800-53 baselines, not against NIS2 Article 21 controls in isolation.

Audit41 Readiness maps your current controls against NIST SP 800-53 Rev. 5 so you know exactly where your gaps are before your SZTFH auditor does.

How Audit41 helps

From baseline selection to audit-ready evidence.

Gap assessment

Every control family, every applicable baseline

Audit41 Readiness maps your controls against NIST SP 800-53 Rev. 5 across all 20 control families. You select your baseline level — Low, Moderate, or High — and the assessment applies the right control set automatically.

Remediation roadmap

Prioritised by risk and baseline requirement

Gaps are ranked by the severity of the control requirement and your operational risk profile. The roadmap tells you which controls to implement first to achieve your target baseline.

Evidence structure

Structured for FedRAMP, FISMA, and SZTFH audit

Gap findings reports are formatted to meet the evidence expectations of US federal audit processes and Hungarian SZTFH auditors — two very different but equally demanding standards.

Get started with your NIST SP 800-53 gap assessment.

Tell us about your organisation and we'll send you everything you need to start — whether you're a federal contractor, FedRAMP candidate, or Hungarian NIS2 entity.

Hungarian NIS2 entities: confirm your NIS2 scope first. Start NIS2 self-check →