NIST 800-53 guidelines and requirements

To help increase their cybersecurity posture and successfully meet compliance regulations, organizations must consult the latest guidance regarding security and privacy controls for securing business-critical data. The National Institute of Standards and Technology (NIST) is a respected authority for cybersecurity guidance. The NIST 800-53 publication offers guidance for organizations to maintain security and privacy controls for their information systems. One of the areas of security addressed by NIST 800-53 is passwords. Let’s consider the NIST 800-53 compensating controls for using passwords in the environment and why these are important.

What is NIST 800-53?

The NIST 800-53 publication is a security compliance standard developed by the National Institute of Standards and Technology that details the minimum baseline controls required by the Information Technology Laboratory (ITL). The NIST 800-53 compliance standard is a required standard for U.S. federal information systems. However, any organization can adopt the measures and recommendations as outlined to comply with the Federal Information Security Modernization Act (FISMA) to bolster its cybersecurity posture.

NIST 800-53 is part of the NIST Risk Management Framework (RMF). What is the NIST RMF? According to NIST:

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).

As mentioned above, NIST 800-53 provides the compensating controls that allow organizations to offset the security risk inherently associated with their environment that is too difficult or impractical to implement at present. For example, doing away with passwords in all systems may be a lofty cybersecurity goal or requirement that is too difficult to implement due to system limitations. The compensating controls allow passwords to be used by offsetting the risk with the security measures needed.

In this respect, the NIST 800-53 compensating controls go hand-in-hand with the cybersecurity guidance defined in NIST Special Publication 800-63B – Digital Identity Guidelines and others.  Specifically, regarding passwords, let’s see the compensating controls defined in NIST 800-53.

NIST 800-53 FAQs

  1. NIST 800-53 is part of a series of documents produced by NIST that define specific guidance as outlined for maintaining compliance with the Federal Information Security Modernization Act (FISMA)
  2. It documents the minimum level of controls required by the Federal Information Processing Standard (FIPs)
  3. All federal information systems across all agencies and organizations must comply with the controls as defined
  4. Download the 800-53 Revision 5 document  

NIST 800-53 compensating controls for password authentication

In this respect, the NIST 800-53 compensating controls go hand-in-hand with the cybersecurity guidance defined in NIST Special Publication 800-63B  – Digital Identity Guidelines and others. As an example, note the following compensating controls as documented in Control Identifier IA-5(1) in NIST 800-53.

For password-based authentication:

  • Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
  • Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
  • Transmit passwords only over cryptographically-protected channels;
  • Store passwords using an approved salted key derivation function, preferably using a keyed hash;
  • Require immediate selection of a new password upon account recovery;
  • Allow user selection of long passwords and passphrases, including spaces and all printable characters;
  • Employ automated tools to assist the user in selecting strong password authenticators; and
  • Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].

For unsuccessful logon attempts:

  • The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection.
  • Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address

All compensating controls are not possible with out-of-the-box Active Directory features

If you look closely at the compensating control defined by the NIST Risk Management Framework (RMF), all of the compensating controls are not possible using native Active Directory capabilities. For example, checking passwords against a compromised password list is not possible with out-of-the-box Active Directory capabilities. Also, implementing password filtering based on custom dictionary files is not easy with default Active Directory features and requires some low-level modifications.

Specops Password Policy is a tool that allows organizations to meet modern compliance and best practice cybersecurity guidance by NIST and others. Organizations using Specops Password Policy can easily implement compromised password check with Breached Password Protection, custom dictionary files, block incremental and context-based passwords, and many other features with a few checkboxes.

Specops Password Policy now includes live attack data as part of the Breached Password Protection. It gathers continuous real-time attack data and aggregates this for use in the Breached Password Protection module.

Specops Breached Password protection

Use custom dictionaries and custom content restrictions.

Define dictionaries and content restrictions using Specops Password Policy

Easily disallow incremental passwords, reusing part of a password, and enforce a minimum number of changed characters.

Disallow incremental passwords and character reuse

In addition, Specops provides the following functionality:

  • Access to a database of over 4 billion compromised passwords
  • Live password attack data to protect against password compromise
  • Find and remove breached passwords in your environment
  • Intuitive client messaging
  • Length-based password expiration
  • Dynamic feedback to end-users during password change
  • Customizable email notifications
  • Use passphrases
  • Block usernames, display names, specific words, consecutive characters, incremental passwords, and reusing a part of the current password
  • Regular Expressions support
  • Granular, GPO-driven targeting for any GPO level, computer, user, or group population
  • Multi-language support

Learn more about Specops Password Policy, how it can help align your organization with NIST cybersecurity standards, and download a free trial version of Specops Password Policy.

(Last updated on May 16, 2022)

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at

Back to Blog