RiskWatch

Free Download · FISMA + NIST 800-53 Rev 5

The complete FISMA + NIST 800-53 Rev 5 checklist

All 20 NIST 800-53 r5 control families across the FedRAMP Low, Moderate, and High baselines, plus the NIST 800-37 Rev 2 RMF 6-step lifecycle and the full ATO package, in one auditor-built download. Built for federal Authorizing Officials, ISSOs, and contractors preparing for FISMA + FedRAMP authorization.

Trusted by federal civilian agencies, FedRAMP CSPs, DoD contractors, and federal systems integrators preparing for ATO under FISMA, OMB A-130, NIST 800-53 Rev 5, and the full RMF lifecycle.

NetAccess · Aon · Bose · Iberdrola USA · Johnson & Johnson · Pfizer

What's Inside

All 20 NIST 800-53 Rev 5 control families · Low / Moderate / High baselines

The checklist mirrors the official NIST SP 800-53 Rev 5.1.1 catalog. Every family is listed with its identifier, its Rev 5 control count, and the FedRAMP Low/Moderate/High baseline that scopes it for your system. Two families, SR (Supply Chain Risk Management) and PT (PII Processing and Transparency), are new in Rev 5 (PT consolidates the privacy controls Rev 4 carried in Appendix J) and are where most legacy Rev 4 programs find the largest gap.

AC

Access Control

Account management, least privilege, separation of duties, session control, remote access.

AT

Awareness + Training

Literacy, role-based training, insider threat, social engineering, advanced training records.

AU

Audit + Accountability

Event logging, audit record content, retention, time stamps, protection from modification.

CA

Assessment + Authorization

Control assessments, system interconnections, plans of action + milestones (POA&M), authorization.

CM

Configuration Management

Baseline configurations, change control, least functionality, software inventory, signed components.

CP

Contingency Planning

Contingency plan, training, testing, alternate sites, system backup, recovery + reconstitution.

IA

Identification + Authentication

Organizational + non-organizational user authentication, MFA, credential management, identity proofing.

IR

Incident Response

Incident response plan, training, testing, handling, monitoring, reporting, supply chain coordination.

MA

Maintenance

Controlled maintenance, tools, non-local maintenance, personnel, timely maintenance + diagnostics.

MP

Media Protection

Media access, marking, storage, transport, sanitization, use, downgrading.

PE

Physical + Environmental Protection

Physical access authorizations, monitoring, visitor control, emergency power, fire + temperature.

PL

Planning

System security + privacy plans, rules of behavior, baseline tailoring, central management.

PT

PII Processing + Transparency

Authority + purpose, consent, privacy notice, data quality, individual access, redress (Rev 5 family).

PS

Personnel Security

Position risk, screening, termination, transfer, access agreements, third-party personnel.

RA

Risk Assessment

Categorization, risk assessment, vulnerability monitoring + scanning, threat hunting, criticality.

SA

System + Services Acquisition

System development life cycle, acquisition process, external services, supply chain, secure design.

SC

System + Communications Protection

Boundary protection, transmission confidentiality + integrity, cryptography, denial-of-service, VoIP.

SI

System + Information Integrity

Flaw remediation, malicious code protection, monitoring, security alerts, software + firmware integrity.

SR

Supply Chain Risk Management

Supply chain risk plan, provenance, supplier assessments, counterfeit + tamper, inspection (Rev 5 family).

PM

Program Management

Information security + privacy program plans, senior agency officials, enterprise architecture, threat awareness.

Low 156 controls · Moderate 323 controls · High 410 controls (FedRAMP Rev 5 baselines, counting control enhancements; each baseline includes everything in the one below it)

Why Use This Checklist

Federal authorization runs on three shifting standards. The checklist tracks all three.

FISMA (the Federal Information Security Modernization Act) and OMB Circular A-130 require every federal information system to be protected using the NIST SP 800-53 control catalog. Revision 5 (with the 5.1.1 patch release) is the current authoritative version: every Authorizing Official packet, every Inspector General review, and every FedRAMP submission since May 2024 is scored against it. The checklist mirrors the published 800-53 Rev 5.1.1 catalog family by family.

csrc.nist.gov · NIST SP 800-53 Rev 5

Authorization itself follows the NIST 800-37 Rev 2 Risk Management Framework: Categorize, Select, Implement, Assess, Authorize, Monitor (Rev 2 also adds an organization-level Prepare step ahead of these six). Reaching the Authorize step produces the ATO (Authorization to Operate). Keeping it requires Continuous Monitoring (ConMon), the monthly, quarterly and annual evidence cadence that FedRAMP-authorized cloud service providers submit for as long as they hold the authorization. The checklist runs each family through both the RMF steps and the ConMon cadence, so what you complete reads the way the AO will read it.

csrc.nist.gov · NIST SP 800-37 Rev 2 (RMF)

FedRAMP 20x and the broader federal modernization push are accelerating adoption of OSCAL, the Open Security Controls Assessment Language, for machine-readable SSP, SAP, SAR and POA&M submissions. The same control library cross-maps to StateRAMP, GovRAMP, CMMC 2.0 (Levels 1–3), ISO 27001:2022, and NIST 800-171 Rev 3. The checklist appendix carries the cross-mapping reference so evidence gathered for one 800-53 control can be reused across more than one authorization.

cio.gov · OMB Circular A-130

Plus the RMF Lifecycle + ATO Package

NIST 800-37 Rev 2 RMF 6-step process · plus the full ATO submission

The checklist runs each control family through the same Risk Management Framework steps an Authorizing Official sees on review (the six execution steps below; 800-37 Rev 2 precedes them with an organization-level Prepare step), then maps the output to the Authorization to Operate (ATO) package, the bundle the AO actually signs.

The ATO package the checklist scopes

  • System Security Plan (SSP), control implementation narrative
  • Security Assessment Report (SAR), independent assessor output
  • Plan of Action + Milestones (POA&M), open finding tracker
  • Risk Assessment Report (RAR), RA-3 narrative
  • FIPS 199 Categorization, system impact analysis
  • Customer Responsibility Matrix (CRM), for FedRAMP CSPs
  1. Categorize

    FIPS 199 system categorization (Low, Moderate, High) for confidentiality, integrity, availability.

  2. Select

    Apply the FedRAMP Low/Moderate/High baseline plus organization-defined overlays + tailoring.

  3. Implement

    Per-control implementation statements + evidence captured against the 800-53 catalog.

  4. Assess

    Independent assessor produces the SAR using NIST 800-53A Rev 5 procedures.

  5. Authorize

    AO reviews SSP + SAR + POA&M + RAR and issues the ATO.

  6. Monitor

    Continuous monitoring (ConMon), monthly + quarterly + annual cadence per FedRAMP.
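The Categorize, Select, Implement and Authorize steps above have mechanical parts an ISSO repeats for every system: the FIPS 199 high-water mark, the cumulative baseline pick, and the gap check that seeds POA&M rows. The walk-through below is an added example written for this page, not RiskWatch code and not the checklist's own logic. The information types, the per-baseline control subsets and the implementation statements are constructed for illustration and are far smaller than the real FedRAMP baselines; the control IDs are real 800-53 identifiers but their baseline placement here is only illustrative.

```python
"""RMF walk-through: FIPS 199 categorization, baseline selection,
implementation-coverage check and POA&M starter rows.

Added example, not RiskWatch code. All sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}
ORDER = ["low", "moderate", "high"]
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


@dataclass
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class Implementation:
    control_id: str
    status: str  # implemented | partial | planned | not-applicable
    statement: str = ""
    evidence: list = field(default_factory=list)


def categorize(info_types):
    """FIPS 199 / FIPS 200: high-water mark per objective across all
    information types, then the system level is the highest objective."""
    objectives = {}
    for obj in ("confidentiality", "integrity", "availability"):
        objectives[obj] = max((getattr(t, obj) for t in info_types),
                              key=LEVELS.__getitem__)
    system_level = max(objectives.values(), key=LEVELS.__getitem__)
    return objectives, system_level


# Constructed, illustrative subsets (assumption). The published FedRAMP
# Rev 5 baselines hold 156 / 323 / 410 controls and are cumulative.
BASELINE_ADDS = {
    "low": {"AC-2", "AC-3", "AU-2", "IA-2", "SC-7", "SI-2"},
    "moderate": {"AC-2(1)", "AU-6(1)", "IA-2(1)", "SC-8", "SR-3"},
    "high": {"AC-2(11)", "AU-9(2)", "SC-7(21)"},
}


def select_baseline(level):
    """Select step: the baseline for a level is the union of every
    lower level's controls plus its own additions."""
    controls = set()
    for lvl in ORDER:
        controls |= BASELINE_ADDS[lvl]
        if lvl == level:
            break
    return controls


def control_sort_key(cid):
    """Sort 'AC-2(1)' as (family, base number, enhancement number)."""
    m = CONTROL_RE.match(cid)
    if not m:
        raise ValueError(f"malformed control id: {cid}")
    fam, num, enh = m.groups()
    return (fam, int(num), int(enh or 0))


def coverage_gaps(baseline, implementations):
    """Implement/Assess step: every baseline control needs a statement,
    an 'implemented' status backed by evidence, or a justified N/A."""
    by_id = {i.control_id: i for i in implementations}
    gaps = []
    for cid in sorted(baseline, key=control_sort_key):
        impl = by_id.get(cid)
        if impl is None:
            gaps.append((cid, "no implementation statement"))
        elif impl.status in ("partial", "planned"):
            gaps.append((cid, f"status is {impl.status}"))
        elif impl.status == "implemented" and not impl.evidence:
            gaps.append((cid, "implemented but no evidence attached"))
        elif impl.status == "not-applicable" and not impl.statement:
            gaps.append((cid, "N/A claimed without justification"))
    return gaps


def poam_rows(gaps, system_name):
    """POA&M starter rows: one open weakness per gap, source self-assessment."""
    return [{"system": system_name, "control_id": cid, "weakness": why,
             "source": "self-assessment", "status": "open"}
            for cid, why in gaps]


# Constructed sample system (assumption): three information types.
SAMPLE_INFO_TYPES = [
    InfoType("citizen contact records", "moderate", "moderate", "low"),
    InfoType("public notices", "low", "low", "low"),
    InfoType("case status tracking", "low", "moderate", "low"),
]

# Constructed implementation statements for the sample system.
SAMPLE_IMPLEMENTATIONS = [
    Implementation("AC-2", "implemented", "IdP-managed accounts", ["idp-export.csv"]),
    Implementation("AC-3", "implemented", "RBAC enforced at gateway"),       # no evidence
    Implementation("AU-2", "partial", "app logs only, no OS audit"),
    Implementation("IA-2", "implemented", "SSO with PIV", ["sso-config.png"]),
    Implementation("SC-7", "implemented", "VPC boundary + WAF", ["vpc.json"]),
    Implementation("AC-2(1)", "implemented", "automated deprovisioning", ["scim.log"]),
    Implementation("AU-6(1)", "planned", "SIEM correlation in FY Q3"),
    Implementation("IA-2(1)", "implemented", "MFA for privileged", ["mfa.png"]),
    Implementation("SC-8", "implemented", "TLS 1.2+ everywhere", ["scan.txt"]),
    # SI-2 and SR-3 deliberately missing
]


def run_example():
    objectives, level = categorize(SAMPLE_INFO_TYPES)
    baseline = select_baseline(level)
    gaps = coverage_gaps(baseline, SAMPLE_IMPLEMENTATIONS)
    return {"objectives": objectives, "level": level,
            "baseline_size": len(baseline),
            "poam": poam_rows(gaps, "Sample Case System")}


if __name__ == "__main__":
    result = run_example()
    print(result["objectives"], "->", result["level"],
          f"({result['baseline_size']} baseline controls)")
    for row in result["poam"]:
        print(f"{row['control_id']:9} {row['weakness']}")
```

The high-water mark is applied per objective first and then across objectives, which is why a system with only Low availability still lands in Moderate when any type carries Moderate confidentiality or integrity. The gap check treats "implemented with no evidence" as an open item on purpose: that is the row an assessor writing the SAR will flag, so it belongs on the POA&M before the assessment starts, not after.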

Who It's For

Built for the three roles that own ATO outcomes

Authorizing Official (AO) / Agency CISO

Owns the ATO decision, the residual-risk acceptance, and the reauthorization clock for every federal information system in the agency or program portfolio.

Use the checklist as the pre-review gate: system, family, and RMF step at a glance before the ATO package lands on the desk.

Information System Security Officer (ISSO)

Owns day-to-day security posture, control implementation across all 20 families, evidence collection, and the monthly + quarterly ConMon cadence for the assigned system.

A family-by-family worksheet with control IDs, baseline scoping, and POA&M starter rows: the ISSO playbook from kickoff to first SAR.

Federal contractor / cloud service provider preparing for ATO

FedRAMP CSPs, DoD contractors handling CUI under CMMC 2.0, StateRAMP cloud providers, and federal systems integrators preparing for first-time authorization.

Cross-mapping to the FedRAMP Low/Mod/High baselines, CMMC 2.0, StateRAMP, and 800-171 r3: score one control, satisfy multiple authorizations.

Get the checklist

20 control families · Low / Mod / High baselines · RMF + ATO

Start a free trial and the checklist + the underlying NIST 800-53 r5 control library land in your workspace, ready to score.

Start 30-day free trial

No credit card · No sales follow-up


Run NIST 800-53 + FedRAMP + ATO on one platform?

30-minute walkthrough: the 800-53 r5 control library, your system and baseline inputs, and the OSCAL ATO package output. No slideware, no consulting upsell, just the platform that automates what the checklist guides.

Or call US: +1 941-500-4525

Request a Demo