
Overview

NIST Special Publication 800-53 provides a comprehensive catalog of security and privacy controls for federal information systems and organizations. Developed by the National Institute of Standards and Technology (NIST), this framework is widely adopted by government agencies and private sector organizations for risk management and security control implementation. Wazuh helps organizations monitor and assess NIST 800-53 control effectiveness through security event correlation and automated monitoring.

NIST 800-53 Controls Coverage

Wazuh maps security events to NIST 800-53 controls through the rule.nist_800_53 field. The field is populated from a rule's groups: a rule whose <group> list carries a tag with the nist_800_53_ prefix (for example nist_800_53_AU.6) produces rule.nist_800_53: ["AU.6"] on every alert it fires, so custom rules in local_rules.xml can be mapped the same way. The set of controls the dashboard recognizes is defined in plugins/main/common/compliance-requirements/nist-requirements.ts; it covers a subset of the catalog, the control families listed below.

Control Families

Access Control (AC)

AC.2 Account Management

Identifies and selects the types of information system accounts needed to support organizational missions and business functions.
Control Requirements:
  • Define authorized account types
  • Assign account managers
  • Establish account conditions
  • Monitor account usage
  • Authorize access appropriately
  • Review accounts periodically
  • Remove or disable unnecessary accounts
Monitored by:
  • Account creation events
  • Account deletion/disabling events
  • Account modification alerts
  • Privileged account usage
  • Account lifecycle violations
Wazuh Detection: User account changes, account provisioning events, unauthorized account creation, dormant account detection
AC.6 Least Privilege

The organization employs the principle of least privilege, allowing only the authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Control Requirements:
  • Implement least privilege access
  • Restrict privileged functions
  • Audit privileged operations
  • Review privilege assignments
  • Limit elevated privileges
Monitored by:
  • Privilege escalation attempts
  • Unnecessary privilege usage
  • Privileged command execution
  • Access control violations
  • Sudo and su command usage
Wazuh Detection: Privilege abuse, unnecessary administrative access, privilege escalation attempts, sudo violations
AC.7 Unsuccessful Logon Attempts

Enforces a limit on consecutive invalid logon attempts by a user during a defined time period.
Control Requirements:
  • Define maximum failed attempts
  • Implement account lockout
  • Set lockout duration
  • Log failed attempts
  • Alert on brute force patterns
Monitored by:
  • Failed authentication events
  • Account lockout events
  • Brute force attack patterns
  • Multiple failed login attempts
Wazuh Detection: Authentication failures, brute force attacks, account lockouts, credential stuffing attempts
AC.12 Session Termination

The information system automatically terminates a user session after a defined condition or event.
Control Requirements:
  • Define session timeout periods
  • Implement automatic logout
  • Terminate inactive sessions
  • Log session events
Monitored by:
  • Session timeout events
  • Inactive session detection
  • Session termination logs
  • Long-running session alerts
Wazuh Detection: Session timeout violations, idle session warnings, abnormal session durations

Audit and Accountability (AU)

AU.5 Response to Audit Processing Failures

The information system alerts organization-defined personnel or roles in the event of an audit processing failure and takes organization-defined actions (for example, shutting down the information system, overwriting the oldest audit records, or stopping the generation of audit records).
Control Requirements:
  • Define audit failure conditions
  • Identify personnel to alert
  • Specify failure response actions
  • Monitor audit system health
  • Prevent audit loss
Monitored by:
  • Audit system failures
  • Log storage capacity issues
  • Logging service failures
  • Audit record loss
Wazuh Detection: Wazuh agent failures, log collection errors, storage capacity alerts, audit system health issues
AU.6 Audit Review, Analysis, and Reporting

Reviews and analyzes information system audit records for indications of inappropriate or unusual activity.
Control Requirements:
  • Review audit records regularly
  • Analyze for security incidents
  • Report findings appropriately
  • Identify unusual activity patterns
  • Integrate with incident response
Monitored by:
  • All security events
  • Anomalous activity patterns
  • Security incident indicators
  • Compliance violations
Wazuh Detection: Wazuh provides the automated review mechanism through real-time rule evaluation and alerting
Real-time analysis and alerting cover the automated part of this control; the periodic human review of findings and their reporting remain organizational tasks that the alerts feed.
AU.8 Time Stamps

Uses internal system clocks to generate time stamps for audit records, and records time stamps that can be mapped to Coordinated Universal Time (UTC).
Control Requirements:
  • Synchronize system clocks
  • Use authoritative time sources
  • Generate accurate timestamps
  • Maintain time correlation
  • Protect time synchronization mechanisms
Monitored by:
  • Time synchronization failures
  • Clock skew detection
  • NTP service status
  • Time source availability
Wazuh Detection: NTP failures, time synchronization errors, clock drift alerts, timestamp anomalies
AU.9 Protection of Audit Information

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Control Requirements:
  • Restrict audit log access
  • Protect audit tools
  • Prevent log tampering
  • Monitor audit system access
  • Implement log integrity controls
Monitored by:
  • Unauthorized log access
  • Audit file modifications
  • Audit tool tampering
  • Log deletion attempts
Wazuh Detection: File integrity monitoring on log files, unauthorized log access, log tampering attempts
AU.12 Audit Generation

The information system provides audit record generation capability for auditable events, allows personnel to select which events are audited, and generates the audit records.
Control Requirements:
  • Define auditable events
  • Implement audit record generation
  • Allow selective auditing
  • Capture required audit data
  • Support forensic analysis
Monitored by:
  • All system security events
  • Configurable event monitoring
  • Custom rule generation
Wazuh Detection: Wazuh generates audit records for all configured events through its rule engine

Security Assessment and Authorization (CA)

CA.3 System Interconnections

Authorizes connections from the information system to other information systems through Interconnection Security Agreements, documents interface characteristics and security requirements, and reviews and updates the agreements.
Control Requirements:
  • Document system interconnections
  • Authorize connections
  • Define security requirements
  • Monitor connection usage
  • Review agreements regularly
Monitored by:
  • Unauthorized network connections
  • New system interconnections
  • Unusual network traffic
  • Inter-system communication
Wazuh Detection: Unauthorized network connections, new network services, unusual inter-system traffic

Configuration Management (CM)

CM.1 Configuration Management Policy and Procedures

Develops, documents, and disseminates a configuration management policy and procedures, and reviews and updates them on a defined schedule.
Control Requirements:
  • Establish CM policy
  • Define CM procedures
  • Document configuration standards
  • Review and update regularly
  • Disseminate to stakeholders
Monitored by:
  • Configuration changes
  • Policy violations
  • Unauthorized modifications
Wazuh Detection: Configuration file changes, policy violation alerts, unauthorized system modifications
CM.3 Configuration Change Control

The organization determines the types of changes to the information system that are configuration-controlled.
Control Requirements:
  • Define configuration items
  • Establish change control process
  • Review change requests
  • Document changes
  • Test changes before implementation
  • Track configuration baselines
Monitored by:
  • System configuration changes
  • Unauthorized modifications
  • Configuration baseline deviations
  • Change control violations
Wazuh Detection: File integrity monitoring alerts, system configuration changes, unauthorized modifications
CM.5 Access Restrictions for Change

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Control Requirements:
  • Restrict change access
  • Define authorized personnel
  • Enforce change controls
  • Monitor change activities
  • Audit configuration changes
Monitored by:
  • Unauthorized change attempts
  • Configuration modification events
  • Access control violations during changes
Wazuh Detection: Unauthorized configuration changes, privilege abuse during changes, access violations

Identification and Authentication (IA)

IA.4 Identifier Management

The organization manages information system identifiers by receiving authorization before assignment, selecting appropriate identifiers, assigning them to the intended entity, preventing reuse, and disabling them after a period of inactivity.
Control Requirements:
  • Authorize identifier assignment
  • Select unique identifiers
  • Prevent identifier reuse
  • Disable inactive identifiers
  • Monitor identifier lifecycle
Monitored by:
  • Identifier creation/deletion
  • Duplicate identifier detection
  • Inactive identifier usage
  • Unauthorized identifier changes
Wazuh Detection: Account lifecycle events, duplicate user detection, inactive account usage
IA.5 Authenticator Management

The organization manages information system authenticators by verifying identity before issuance, establishing initial authenticator content, ensuring sufficient strength, and establishing administrative procedures.
Control Requirements:
  • Verify identity before issuing
  • Establish authenticator strength
  • Protect authenticator content
  • Change default authenticators
  • Implement password policies
  • Monitor authenticator compromise
Monitored by:
  • Weak password usage
  • Default credential usage
  • Authenticator changes
  • Compromised credential detection
Wazuh Detection: Weak authentication attempts, default credential usage, authentication policy violations
IA.10 Adaptive Identification and Authentication

The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific circumstances or situations.
Control Requirements:
  • Define high-risk scenarios
  • Implement adaptive authentication
  • Require additional factors when needed
  • Monitor authentication context
  • Adjust security based on risk
Monitored by:
  • High-risk access attempts
  • Geographic anomalies
  • Unusual access patterns
  • Multi-factor authentication events
Wazuh Detection: Anomalous login locations, unusual access times, high-risk authentication patterns

System and Services Acquisition (SA)

SA.11 Developer Security Testing and Evaluation

The organization requires the developer of the information system, system component, or information system service to create and implement a security assessment plan.
Control Requirements:
  • Require security testing
  • Define assessment criteria
  • Review test results
  • Address identified flaws
  • Conduct penetration testing
Monitored by:
  • Application security events
  • Code vulnerability exploitation
  • Security testing activities
  • Flaw remediation tracking
Wazuh Detection: Application attacks, exploitation attempts, security testing artifacts, vulnerability exploitation

System and Communications Protection (SC)

SC.2 Application Partitioning

The information system separates user functionality (including user interface services) from information system management functionality.
Control Requirements:
  • Separate user and admin functions
  • Implement role-based interfaces
  • Restrict management access
  • Monitor privilege usage
Monitored by:
  • Management function access
  • Privilege usage patterns
  • Separation violations
Wazuh Detection: Management interface access from user contexts, privilege boundary violations
SC.7 Boundary Protection

The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
Control Requirements:
  • Define security boundaries
  • Implement boundary controls
  • Monitor boundary traffic
  • Control information flows
  • Deploy managed interfaces
Monitored by:
  • Boundary crossing attempts
  • Firewall events
  • Network perimeter violations
  • Unauthorized external connections
Wazuh Detection: Firewall alerts, boundary violation attempts, unauthorized network traffic
SC.8 Transmission Confidentiality and Integrity

The information system protects the confidentiality and integrity of transmitted information.
Control Requirements:
  • Implement encryption for transmission
  • Use secure protocols
  • Protect data in transit
  • Verify transmission integrity
  • Prevent interception
Monitored by:
  • Unencrypted transmissions
  • Insecure protocol usage
  • Man-in-the-middle attempts
  • Data transmission integrity failures
Wazuh Detection: Unencrypted connections, insecure protocol usage (HTTP, FTP, Telnet), transmission security violations

System and Information Integrity (SI)

SI.2 Flaw Remediation

The organization identifies, reports, and corrects information system flaws; tests software and firmware updates for effectiveness; and installs security-relevant updates within an organization-defined time period.
Control Requirements:
  • Identify system flaws
  • Report vulnerabilities
  • Test patches and updates
  • Install updates timely
  • Verify remediation effectiveness
  • Track flaw remediation
Monitored by:
  • Vulnerability detection
  • Missing patch detection
  • Unpatched system identification
  • Exploitation attempts on known flaws
Wazuh Detection: Vulnerability scanner integration, missing patch alerts, exploitation attempts, outdated software detection
SI.3 Malicious Code Protection

The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
Control Requirements:
  • Deploy anti-malware solutions
  • Update malware signatures
  • Scan files and downloads
  • Monitor for malicious activity
  • Quarantine detected threats
  • Configure automatic updates
Monitored by:
  • Malware detection events
  • Anti-virus status
  • Signature update failures
  • Malicious code execution
  • Ransomware activity
Wazuh Detection: Malware alerts, virus detection, ransomware indicators, anti-virus events, suspicious file execution
SI.7 Software, Firmware, and Information Integrity

The organization employs integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information.
Control Requirements:
  • Implement integrity monitoring
  • Define critical files
  • Detect unauthorized changes
  • Alert on integrity violations
  • Use cryptographic hashes
  • Verify code signatures
Monitored by:
  • File integrity violations
  • Unauthorized file modifications
  • System file changes
  • Critical file alterations
Wazuh Detection: File Integrity Monitoring (FIM) alerts, unauthorized system changes, binary modifications, configuration tampering
Enable Wazuh FIM on critical system directories, binaries, and configuration files to implement this control.

Using the NIST 800-53 Dashboard

Accessing NIST 800-53 Compliance View

1. Open NIST Module: navigate to the NIST 800-53 section in the Wazuh Dashboard overview.
2. Review Control Families: the dashboard displays controls organized by family (AC, AU, CA, CM, IA, SA, SC, SI).
3. Filter by Control Family: click a control family category to view its specific controls.
4. Analyze Control Effectiveness: review the security events that indicate control failures or violations.

Dashboard Components

The NIST 800-53 dashboard includes:
  • Top controls by alert count - Identifies controls with most violations
  • Control family distribution - Shows coverage across control families
  • Control effectiveness metrics - Tracks control implementation success
  • Compliance trend analysis - Historical view of control adherence
Source: plugins/main/public/components/overview/nist/dashboards/dashboard-panels.ts

Data Source Implementation

The NIST 800-53 data source filters events by the rule.nist_800_53 field:
const KEY_EXIST = 'rule.nist_800_53';
Reference: plugins/main/public/components/common/data-source/pattern/events/nist-800-53/nist-800-53-data-source.ts:5

Event Columns

NIST 800-53 events table displays:
  • Timestamp
  • Rule description
  • NIST 800-53 control (rule.nist_800_53 field)
  • Alert level
  • Control family
  • Agent information
Source: plugins/main/public/components/overview/nist/events/nist-columns.tsx:8

Compliance Reporting for NIST 800-53

Control Naming Convention

NIST 800-53 controls follow the pattern [FAMILY].[NUMBER]:
  • AC.2 - Access Control family, control #2
  • AU.6 - Audit and Accountability family, control #6
  • SI.7 - System and Information Integrity family, control #7
SP 800-53 itself writes these identifiers with a hyphen (AC-2, AU-6, SI-7). The dotted form is what appears in rule groups (nist_800_53_AC.2) and in the rule.nist_800_53 field, so use it when filtering events or writing custom rules, and translate to the hyphenated form only when cross-referencing the publication.

Generating NIST 800-53 Reports

1. Define Assessment Period: select the date range for the NIST 800-53 assessment.
2. Select Control Baseline: focus on the controls from your baseline (Low, Moderate, or High).
3. Filter by Control Family: generate reports by control family for organized assessments.
4. Document Control Effectiveness: export evidence of control implementation and effectiveness.
5. Include Continuous Monitoring Data: demonstrate ongoing control effectiveness through historical data.

Control Baselines

NIST 800-53 defines three security control baselines, Low, Moderate, and High, selected by the system's impact level. The Low baseline is described here:
Low baseline: minimal controls for low-impact systems, where a loss of confidentiality, integrity, or availability would have limited adverse effects.
Key Controls:
  • AC.2, AC.7, AU.6, AU.8, SI.3, SI.7
Wazuh monitors these Low-baseline controls through the rules tagged with them. A control with no alerts in the assessment period is not evidence that it is implemented, only that nothing tagged with it fired; check that the relevant log sources are actually being collected before treating silence as compliance.
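The mechanics described in the sections above (the rule.nist_800_53 field and the exists filter the data source applies to it, the top-controls and family-distribution dashboard panels, the dotted control naming, and a baseline-scoped report for an assessment period) can be exercised offline. The TypeScript below is an added example written for this page, not code from the Wazuh plugin; it assumes the alert layout shown in its Alert interface and uses constructed alerts with rule ids in the custom 100000+ range. selectAlerts evaluates locally the same filter (exists on rule.nist_800_53, a timestamp range, and optionally a terms restriction to the baseline controls) that would otherwise be sent to the indexer, and controlReport lists every baseline control, including those with no alerts, since an absent alert is not evidence of an effective control.

```typescript
// Added example, not Wazuh project code. Offline re-implementation of what the page describes:
// nist_800_53_* rule groups becoming rule.nist_800_53, the data source's exists filter, the
// "top controls" and "family distribution" panels, and a per-control evidence report for one
// assessment period against the Low-baseline controls. All alerts below are constructed.

interface Alert {
  timestamp: string;                                   // ISO-8601 UTC, as AU.8 expects
  agent: { id: string; name: string };
  rule: { id: string; level: number; description: string; groups: string[]; nist_800_53: string[] };
}

// Group prefixes Wazuh rules use for compliance tags in <group>...</group>. Only the NIST prefix
// is extracted; the others are recognised so they do not remain in the plain group list.
const COMPLIANCE_PREFIXES = ['nist_800_53_', 'pci_dss_', 'hipaa_', 'gdpr_', 'tsc_', 'gpg13_'];

function splitComplianceGroups(groups: string[]): { groups: string[]; nist_800_53: string[] } {
  const out = { groups: [] as string[], nist_800_53: [] as string[] };
  for (const g of groups) {
    const prefix: string | undefined = COMPLIANCE_PREFIXES.filter(p => g.indexOf(p) === 0)[0];
    if (prefix === undefined) out.groups.push(g);
    else if (prefix === 'nist_800_53_') out.nist_800_53.push(g.slice(prefix.length));
  }
  return out;
}

// Wazuh writes AC.7 where SP 800-53 writes AC-7; the family is the two-letter prefix.
function parseControl(id: string): { family: string; number: number } {
  const m = /^([A-Z]{2})\.(\d+)$/.exec(id);
  if (m === null) throw new Error('not a Wazuh-style control id: ' + id);
  return { family: String(m[1]), number: Number(m[2]) };
}
function toNistNotation(id: string): string { const c = parseControl(id); return c.family + '-' + c.number; }

// Local evaluation of the query the data source issues: exists on rule.nist_800_53 (KEY_EXIST),
// a timestamp range and, optionally, a terms restriction to specific controls. ISO-8601 UTC
// strings compare lexically, so plain string comparison is enough.
function selectAlerts(alerts: Alert[], from: string, to: string, controls?: string[]): Alert[] {
  return alerts.filter(a => a.rule.nist_800_53.length > 0 && a.timestamp >= from && a.timestamp <= to &&
    (controls === undefined || a.rule.nist_800_53.some(t => controls.indexOf(t) !== -1)));
}

// "Top controls by alert count": one count per control tag per alert, ties broken by name.
function topControls(alerts: Alert[], n: number): Array<[string, number]> {
  const counts: { [control: string]: number } = {};
  for (const a of alerts) for (const c of a.rule.nist_800_53) counts[c] = (counts[c] || 0) + 1;
  const pairs: Array<[string, number]> = [];
  for (const c of Object.keys(counts)) pairs.push([c, counts[c] || 0]);
  return pairs.sort((x, y) => y[1] - x[1] || (x[0] < y[0] ? -1 : 1)).slice(0, n);
}

// "Control family distribution": an alert counts once per family even when it carries several
// controls of that family (AU.6 and AU.14 together, for instance).
function familyDistribution(alerts: Alert[]): { [family: string]: number } {
  const dist: { [family: string]: number } = {};
  for (const a of alerts) {
    const families = a.rule.nist_800_53.map(c => parseControl(c).family).filter((f, i, arr) => arr.indexOf(f) === i);
    for (const f of families) dist[f] = (dist[f] || 0) + 1;
  }
  return dist;
}

// Evidence per baseline control. A control with zero alerts is listed, not skipped: silence can
// mean the relevant log source is not collected, not that the control is effective.
function controlReport(alerts: Alert[], from: string, to: string, baseline: string[]) {
  const inPeriod = selectAlerts(alerts, from, to, baseline);
  return baseline.map(control => {
    const hits = inPeriod.filter(a => a.rule.nist_800_53.indexOf(control) !== -1);
    let lastSeen: string | null = null, maxLevel = 0;
    for (const a of hits) {
      if (lastSeen === null || a.timestamp > lastSeen) lastSeen = a.timestamp;
      maxLevel = Math.max(maxLevel, a.rule.level);
    }
    return { control: control, nist: toNistNotation(control), alerts: hits.length, maxLevel: maxLevel, lastSeen: lastSeen };
  });
}

// Constructed alerts: rule ids in the custom 100000+ range and illustrative tags, not copied from
// the Wazuh ruleset. rule.nist_800_53 is derived from the groups by splitComplianceGroups.
function mk(ts: string, agentId: string, agentName: string, ruleId: string, level: number, desc: string, groups: string[]): Alert {
  const s = splitComplianceGroups(groups);
  return { timestamp: ts, agent: { id: agentId, name: agentName },
           rule: { id: ruleId, level: level, description: desc, groups: s.groups, nist_800_53: s.nist_800_53 } };
}
const SAMPLE_ALERTS: Alert[] = [
  mk('2024-05-01T08:00:00.000Z', '001', 'web-01', '100010', 5, 'sshd: failed login for unknown user',
     ['syslog', 'sshd', 'authentication_failed', 'nist_800_53_AU.14', 'nist_800_53_AC.7', 'nist_800_53_AU.6', 'pci_dss_10.2.4']),
  mk('2024-05-01T08:00:05.000Z', '001', 'web-01', '100011', 10, 'sshd: brute force attempt',
     ['syslog', 'sshd', 'authentication_failures', 'nist_800_53_AC.7', 'nist_800_53_AU.14', 'gdpr_IV_35.7.d']),
  mk('2024-05-02T12:30:00.000Z', '002', 'db-01', '100020', 7, 'Integrity checksum changed',
     ['ossec', 'syscheck', 'nist_800_53_SI.7', 'pci_dss_11.5', 'hipaa_164.312.c.2']),
  mk('2024-05-03T09:15:00.000Z', '002', 'db-01', '100030', 3, 'Successful sudo to ROOT executed',
     ['syslog', 'sudo', 'nist_800_53_AC.6', 'nist_800_53_AU.14', 'nist_800_53_AU.6']),
  mk('2024-06-01T00:00:00.000Z', '001', 'web-01', '100010', 5, 'sshd: failed login for unknown user',
     ['syslog', 'sshd', 'authentication_failed', 'nist_800_53_AC.7']),            // outside the period
  mk('2024-05-02T13:00:00.000Z', '003', 'app-01', '100040', 3, 'custom rule without compliance tags',
     ['local', 'custom']),                                                          // no NIST tag: filtered out
];
const LOW_BASELINE = ['AC.2', 'AC.7', 'AU.6', 'AU.8', 'SI.3', 'SI.7'];  // the page's Low-baseline key controls
const PERIOD = { from: '2024-05-01T00:00:00.000Z', to: '2024-05-31T23:59:59.999Z' };
```

Calling controlReport(SAMPLE_ALERTS, PERIOD.from, PERIOD.to, LOW_BASELINE) on the constructed data returns AC.7 (AC-7) with two alerts at maximum level 10, AU.6 and SI.7 with evidence, and AC.2, AU.8 and SI.3 with none; in a real assessment the three empty rows are the prompt to confirm that account management, NTP and anti-malware logs are actually reaching Wazuh, not a pass.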

Continuous Monitoring

NIST 800-53 requires continuous monitoring of security controls. Wazuh provides:

Real-time Control Assessment

Continuous evaluation of control effectiveness through real-time event monitoring.

Automated Reporting

Generate control assessment reports showing compliance status over time.

Deviation Detection

Immediate alerts when controls fail or are bypassed.

Trend Analysis

Historical view of control effectiveness and compliance trends.

Integration with Risk Management Framework (RMF)

Wazuh supports NIST RMF phases:
RMF Step      Wazuh Support
Categorize    Identify the system impact level used for control selection
Select        Map Wazuh rules to the required NIST 800-53 controls
Implement     Deploy monitoring for the implemented controls
Assess        Use Wazuh data to assess control effectiveness
Authorize     Provide evidence for the authorization decision
Monitor       Continuous monitoring through real-time alerting

Control Overlays and Tailoring

Wazuh supports monitoring for various NIST 800-53 overlays:
  • Privacy Overlay - Controls for protecting PII
  • Cloud Computing Overlay - Controls for cloud environments
  • Industrial Control Systems (ICS) Overlay - Controls for SCADA/ICS

Crosswalk with Other Frameworks

NIST 800-53 maps to other frameworks monitored by Wazuh:
NIST 800-53   PCI DSS     HIPAA             GDPR
AU.9          10.5.2      -                 IV_32.2
SI.7          11.5        164.312.c.2       II_5.1.f
SI.3          5.1, 5.2    -                 IV_35.7.d
AC.7          8.1.6       164.312.a.2.I     IV_32.2
Reference: plugins/main/common/dashboards/dashboard-definitions/overview/nist/vis-states.ts:1051

Requirement Data Structure

The NIST 800-53 requirements mapping, with each control's description abbreviated here:
export const nistRequirementsFile = {
  'AC.2': 'ACCOUNT MANAGEMENT - Identifies and selects...',
  'AC.6': 'LEAST PRIVILEGE - Employs the principle...',
  'AC.7': 'UNSUCCESSFUL LOGON ATTEMPTS - Enforces a limit...',
  'AC.12': 'SESSION TERMINATION - Automatically terminates...',
  'AU.5': 'RESPONSE TO AUDIT PROCESSING FAILURES...',
  'AU.6': 'AUDIT REVIEW, ANALYSIS, AND REPORTING...',
  'AU.8': 'TIME STAMPS - Uses internal system clocks...',
  'AU.9': 'PROTECTION OF AUDIT INFORMATION...',
  'AU.12': 'AUDIT GENERATION - Provides audit record...',
  'CA.3': 'SYSTEM INTERCONNECTIONS - Authorizes connections...',
  'CM.1': 'CONFIGURATION MANAGEMENT POLICY...',
  'CM.3': 'CONFIGURATION CHANGE CONTROL...',
  'CM.5': 'ACCESS RESTRICTIONS FOR CHANGE...',
  'IA.4': 'IDENTIFIER MANAGEMENT...',
  'IA.5': 'AUTHENTICATOR MANAGEMENT...',
  'IA.10': 'ADAPTIVE IDENTIFICATION AND AUTHENTICATION...',
  'SA.11': 'DEVELOPER SECURITY TESTING...',
  'SC.2': 'APPLICATION PARTITIONING...',
  'SC.7': 'BOUNDARY PROTECTION...',
  'SC.8': 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY...',
  'SI.2': 'FLAW REMEDIATION...',
  'SI.3': 'MALICIOUS CODE PROTECTION...',
  'SI.7': 'SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY...',
};
Full definition: plugins/main/common/compliance-requirements/nist-requirements.ts:12

Best Practices

Focus on Your Baseline

Prioritize monitoring controls from your applicable baseline (Low, Moderate, or High).

Enable FIM for SI.7

Use file integrity monitoring to implement control SI.7 effectively.

Continuous Monitoring

Leverage Wazuh for the continuous monitoring NIST requires (control CA-7, Continuous Monitoring).

Control Tailoring

Customize Wazuh rules to align with your organization’s control tailoring.

Integration with POA&M

Use Wazuh alerts to track control weaknesses in your Plan of Action & Milestones.

Regular Assessments

Generate periodic control assessment reports for RMF compliance.

Related

  • Compliance Overview
  • File Integrity Monitoring (/modules/file-integrity-monitoring) - Implements SI.7
  • Log Analysis (/modules/threat-hunting) - Implements AU.6
  • Vulnerability Detection (/modules/vulnerability-detection) - Supports SI.2
  • Incident Response (/guides/threat-analysis) - Supports IR family controls
