§ Trackr.Live

RMF

This is the index for the RMF control-families material on trackr.live. It is built for people who already have a system in front of them and a deadline behind them: ISSOs, ISSEs, assessors, the engineer who got handed the SSP because they touched the firewall once. It is a reference, not a course. If you want the framework taught in order, that is the roadmap, linked below. If you came here to look up what AC-6(9) means at High, go straight to the family page.

Schematic of the SP 800-53 catalog as a grid of twenty labeled family blocks, with a single arrow feeding the grid into the Select stage of a small RMF loop.

One thing to get straight before anything else, because the whole section depends on it. The twenty families below are SP 800-53 control families. They are not stages of the RMF. The RMF itself is a separate document, SP 800-37 Rev 2, a seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). The control families get pulled into that process at the Select step, are tested at Assess, and are re-tested on a schedule at Monitor. People conflate the two constantly, including in SSPs that should know better, and an assessor who reads carefully will notice when your prose treats “Access Control” like a phase instead of a catalog slice.

Where each document actually fits

The catalog is one piece of a stack, and the pieces are easy to mix up because Rev 4 shipped two of them, catalog and baselines, in the same PDF.

FIPS 199 sets your categorization, low/moderate/high across confidentiality, integrity, and availability, with SP 800-60 mapping information types to provisional impact levels. FIPS 200 sets the minimum-security floor every federal system has to clear. SP 800-53 Rev 5 is the control catalog itself, the twenty families. And the baselines, the actual low/moderate/high control allocations, no longer live inside that catalog: Rev 4 kept them in Appendix D of 800-53, Rev 5 split them out into SP 800-53B. So 800-53B is the document you tailor against, not 800-53. If your mental model still has the baselines living in the catalog, it is a Rev 4 model.

Rev 5 also did something people who learned this under Rev 4 keep tripping over: it merged security and privacy into one catalog. Privacy used to sit in the old Appendix J. Now it lives mainly in the PT family, with the rest of the privacy obligations distributed across PM, SI, RA, and AC. There is no separate privacy appendix to go hunting for anymore.

Start with the roadmap

If you are new to any of this, do not start with a family page. Start with the RMF roadmap. It walks the seven 800-37 steps in order, shows where FIPS 199/200 and 800-53B slot in, and gives a reading order through the rest of the site that doesn’t drop you in the deep end. Everything on this page assumes you already know what an SSP and an ATO are. The roadmap is the one place that assumption is suspended.

The twenty families

SP 800-53 Rev 5 organizes controls into twenty families, each with its own page here. The two-letter prefix is what you will see all over SSPs, SARs, and assessment evidence, so the code-to-name mapping is worth burning into memory early.

Code  Family                                       Page
AC    Access Control                               access-control
AT    Awareness and Training                       at-security-awareness-and-training-policy-and-procedures
AU    Audit and Accountability                     au-audit-and-accountability
CA    Assessment, Authorization, and Monitoring    ca-security-assessment-and-authorization
CM    Configuration Management                     cm-configuration-management
CP    Contingency Planning                         cp-contingency-planning
IA    Identification and Authentication            ia-identification-and-authentication
IR    Incident Response                            ir-incident-response
MA    Maintenance                                  ma-maintenance
MP    Media Protection                             mp-media-protection
PE    Physical and Environmental Protection        pe-physical-and-environmental-protection
PL    Planning                                     pl-planning
PM    Program Management                           pm-program-management
PS    Personnel Security                           ps-personnel-security
PT    PII Processing and Transparency              pt-pii-processing-and-transparency
RA    Risk Assessment                              ra-risk-assessment
SA    System and Services Acquisition              sa-system-and-services-acquisition
SC    System and Communications Protection         sc-system-and-communications-protection
SI    System and Information Integrity             si-system-and-information-integrity
SR    Supply Chain Risk Management                 sr-supply-chain-risk-management

SR is the one to check your source material against. Supply Chain Risk Management became a full family in Rev 5 (final published September 2020), promoting what Rev 4 had scattered across SA-12 and its enhancements into its own catalog slice. The SolarWinds compromise disclosed a few months later did not create the family, but it is the reason nobody argues with it anymore. If the catalog you are working from has no SR family, it predates Rev 5 and is stale, and so is whatever guidance handed it to you.

A word on the stance this section takes, since the rest of the internet is full of the other kind. RMF is risk management, not a compliance ritual, and the control families are the mechanism, not the goal. A baseline applied without tailoring, with everything left in “to be safe,” is not the cautious move people think it is. It is an unexamined control set that an assessor will tear into, because nobody can tell a deliberate decision from a control somebody forgot to remove. The families below are where that work gets specific. Pick the one in front of you.
