What is the difference between NIST SP 800-53 and NIST SP 800-53B?

SP 800-53 is the comprehensive catalog of over 1,000 security and privacy controls available for information systems and organizations. SP 800-53B is the companion document that defines which controls from that catalog belong in each baseline (Low, Moderate, High, and Privacy). Think of SP 800-53 as the complete menu and SP 800-53B as the recommended meals for different dietary needs. Prior to Revision 5, the baselines were contained in Appendix D of SP 800-53 itself; NIST separated them into their own publication starting with the September 2020 release.

How do I determine which baseline my organization needs?

Baseline selection is driven by the FIPS 199 categorization process. You assess the potential impact of a breach across confidentiality, integrity, and availability for each information type your system processes. The highest impact rating across all three objectives determines your baseline. Federal agencies are required to perform this categorization; federal contractors should follow the categorization specified in their contract or by the sponsoring agency. PTG conducts FIPS 199 categorization assessments as part of every compliance engagement.

Can I implement a lower baseline than what FIPS 199 indicates?

No. FIPS 200 establishes minimum security requirements, and the baseline selected via FIPS 199 represents the minimum control set. Implementing fewer controls than the baseline requires violates federal policy. However, you can tailor the baseline by applying scoping considerations, selecting compensating controls, and assigning organization-defined parameters, all of which must be documented and justified. You cannot reduce the baseline level itself.

What is the relationship between SP 800-53B baselines and CMMC levels?

CMMC Level 2 maps to the 110 security requirements in SP 800-171, which were derived from the SP 800-53B Moderate baseline. CMMC Level 3 maps to SP 800-172, which adds enhanced security requirements beyond the Moderate baseline. CMMC Level 1 covers 17 basic safeguarding requirements from FAR 52.204-21, which represent a subset of the Low baseline. The derivation chain runs: SP 800-53 catalog, then SP 800-53B Moderate baseline, then SP 800-171 extraction, then CMMC Level 2 assessment.

How does FedRAMP relate to SP 800-53B baselines?

FedRAMP starts with the SP 800-53B baselines and adds FedRAMP-specific parameters, additional controls, and enhanced requirements tailored for cloud service providers. FedRAMP Low, Moderate, and High correspond to the SP 800-53B Low, Moderate, and High baselines plus FedRAMP additions. Organizations that have already implemented an 800-53B baseline have completed the majority of the work required for the corresponding FedRAMP authorization level.

What is a control overlay, and when would I need one?

An overlay is a specialized set of control requirements developed for a specific community, technology, or environment that supplements or modifies a baseline. Examples include the FedRAMP overlay for cloud services, the CJIS overlay for criminal justice information, and the IRS Publication 1075 overlay for federal tax information. You need an overlay when your organization operates in a specialized environment with security requirements that go beyond the general baselines. Overlays are applied on top of a tailored baseline.

How often does NIST update SP 800-53B?

NIST updates SP 800-53B as needed, typically in conjunction with major revisions to SP 800-53. The current version was published in September 2020 alongside SP 800-53 Rev. 5, with updates released through December 2024. NIST also maintains an online repository of controls at the NIST Cybersecurity and Privacy Reference Tool (CPRT) that reflects the latest control assignments. Organizations should monitor the SP 800-53B publication page for updates.

Is the privacy baseline required for all federal systems?

The privacy baseline applies to federal systems that process PII, regardless of the system's security categorization. If a system at the Low security impact level processes PII, it must implement both the Low security baseline and the privacy baseline. The privacy baseline is not optional for systems handling PII; OMB guidance, including OMB Circular A-130, mandates privacy controls for federal information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.

How does SP 800-53B relate to the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) 2.0 is an outcome-based framework that describes what security outcomes an organization should achieve. SP 800-53B provides the specific controls that implement those outcomes. NIST publishes crosswalk mappings between CSF categories/subcategories and SP 800-53 controls, allowing organizations to trace from CSF outcomes to specific baseline controls. Organizations using CSF for risk management and SP 800-53B for control selection get the benefits of both approaches.

What changed when baselines moved from Appendix D to SP 800-53B?

The primary changes include: new controls added to baselines reflecting the evolving threat landscape; the addition of the privacy baseline as a standalone construct; the introduction of the supply chain risk management (SR) control family with controls assigned across all three baselines; the removal of the "Priority and Baseline Allocation" column format in favor of clearer baseline assignment tables; and the ability for NIST to update baselines independently from the control catalog. Organizations transitioning from Rev. 4 to Rev. 5 should conduct a detailed gap analysis to identify new control requirements, which PTG automates through its AI-powered compliance platform.

NIST SP 800-53B

Control Baselines for Security and Privacy

NIST SP 800-53B defines the Low, Moderate, and High security baselines that determine which controls your systems must implement. PTG maps baselines across CMMC, FedRAMP, 800-171, SOC 2, and HIPAA to reduce redundant compliance work.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Get Baseline Assessment Call 919-601-1601

Three Baselines

Low, Moderate, and High Impact

Each baseline is cumulative. Moderate includes all Low controls plus additions. High includes all Moderate controls plus further requirements.

Low Baseline

Approximately 137 controls for systems where loss of confidentiality, integrity, or availability has limited adverse effect.

Moderate Baseline

Approximately 267 controls for systems where loss would have serious adverse effect. Basis for FedRAMP Moderate and NIST 800-171.

High Baseline

Approximately 343 controls for systems where loss would have severe or catastrophic adverse effect on operations or national security.

Privacy Baseline

Separate baseline covering PII processing controls, reflecting growing regulatory focus on privacy across federal law.

Tailoring

Customizing Baselines for Your Environment

Tailoring Activities

Identify common controls inherited from the organization
Apply scoping considerations based on technology and mission
Select compensating controls where direct implementation is infeasible
Apply overlays for specialized environments (e.g., classified, SCADA)

Cross-Framework Mapping

NIST 800-171 derives from the Moderate baseline
FedRAMP adds parameters and enhancements to baselines
CMMC practices map to specific baseline controls
PTG automates cross-framework mapping to eliminate redundancy

Who This Is For

Built For

Federal Agencies (FISMA) Cloud Providers (FedRAMP) Defense Contractors (CMMC) Healthcare (HIPAA) Financial Services (GLBA)

FAQ

Frequently Asked Questions

Why was 800-53B separated from 800-53?

Separation allows NIST to update the control catalog and baselines independently. It also enables frameworks like FedRAMP and CMMC to define their own baselines using the 800-53 catalog as a foundation.

How do I determine my system's impact level?

FIPS 199 defines the categorization process. You assess the potential impact of loss of confidentiality, integrity, and availability for each information type. The highest impact level across all types determines your baseline.

How does 800-171 relate to 800-53B baselines?

NIST 800-171 controls derive directly from the Moderate baseline in 800-53B, tailored for non-federal organizations protecting Controlled Unclassified Information (CUI).

Can PTG help with multiple frameworks simultaneously?

Yes. PTG's patented compliance tools map controls across SP 800-53, 800-53B baselines, CMMC, SOC 2, and HIPAA to identify overlap and reduce redundant implementation work.

Related Resources

Ready to Select the Right Baseline?

PTG maps your systems to the correct 800-53B baseline and handles cross-framework compliance in a single engagement.

Schedule a Consultation Call 919-601-1601

Control Baselines for Security and Privacy

Low, Moderate, and High Impact

Low Baseline

Moderate Baseline

High Baseline

Privacy Baseline

Customizing Baselines for Your Environment

Tailoring Activities

Cross-Framework Mapping

Built For

Frequently Asked Questions

Explore More

SP 800-53 Controls

SP 800-37 RMF

NIST 800-171 Compliance

SP 800-137 Monitoring

Compliance Packages

Ready to Select the Right Baseline?