Dissecting FedRAMP NIST 800-53, NIST 800-171 & CMMC 2.0 Control Structure

In this article, we are going to discuss controls in the context of any variation of the NIST 800-53 and NIST 800-171 requirements. NIST SP 800-53 provides us with a fundamental understanding of how government and many commercial organizations structure control language. If you work within the government sector, you have most likely come across NIST 800-53 in different forms such as CNSSI 1253, internal DoD A&A Process, industry-wide FedRAMP, and even the emerging A&A processes around cATO, cRMF, FastATO, Accelerated ATO, and our very own micro layered ATO for the cloud. These are all derivative works of NIST SP 800-53.  We can take it even one step further as many of the industry frameworks such as PCI-DSS, HITRUST, FFIEC-CAT, etc. essentially look to NIST as the industry authority when it comes to defining information security structures, strategy, and information assurance systems.

If you work within Defense Industry Base (DIBs) and you have to comply with CMMC 2.0, NIST-171, and/or DoDAM guidance, understanding the control structure and assessment procedure anatomy is important to prepare yourself for an external audit.

Therefore, it is key for Compliance-as-Code Professionals, developers, compliance professionals, and cyber professionals to really understand controls at a foundational level.  A control has two main parts, the control itself and the test or assessment procedures associated with the control.

Control Families

Control families are the starting point. All controls are part of their respective control family. These families are the same for the NIST SP 800-53, NIST SP-171, and CMMC 2.0 Frameworks.

The NIST SP 800-53 Rev 5 has 20 control families. These families provide the basic context on the control language.

Part One 

Control Structure

The most common and well-known elements within all NIST-based controls schemes are control identifiers. Control Identifiers can often change depending on the organization and agency. These identifiers are critical to mapping sentences and language to test cases and the operational security environment.

  • Control Name – There is a short title for each control that provides a bit more context prior to reading the control statement(s).
  • Base Control Statement(s) – Control statements are considered core content and are the primary benefit of using NIST-based controls. Many organizations modify the control content exclusively to fit their needs.
  • Organization-defined Parameter (ODPs) – These parameters change typically depending on the agency, commercial organization, and/or the system under inspection. It is important to pay attention to these as they are also part of the assessment language in revision 5.

Note: The NIST SP 800-171 and CMMC 2.0 do not contain organizational defined parameters.

Part Two

The second part, and many times the most often forgotten part, are the test cases or assessment procedures. This is sometimes referred to as the “Alpha” document because all the test cases are documented within the NIST SP 800-53 A or NIST SP 800 171 A special publications.

The assessment guide contains assessment procedures. The assessment procedures all start with “Determine if:” The language here is very similar to the control language itself except that it has been converted into an audit and assessment question through the use of determination statements.

The first part of the assessment procedure is the Assessment Objectives.

The second part of the assessment procedure is the assessment methods and objects.

Assessment Methods and Objects provide the auditor with a view into what type of documentation to examine, who to potentially interview, and what type of technical tests to conduct as evidence of compliance.

A fundamental difference between NIST 800-53 controls and ALL the other frameworks out there is that NIST forces measurements directly into the control structure and assessment procedures, whereas other frameworks utilize outside supplementary guidance or bake it into procedural documents. These measurement criteria are normally captured within the {Organizational Parameters} area. This is unique to the NIST 800-53 way of describing control language. Organizations (public and private) leverage some, or all parts of these controls, in different ways when organizing their risk management processes.

Useful resources:


Stay up to date with everything Ignyte