NIST 800-53 Rev 4 Excel – filtered like a fine aged whiskey
If you are looking for a better way to view and audit against NIST Special Publication 800-53 Revision 4, hopefully you have found the right place. The original from NVD/NIST is a tab-delimited .txt file and, although detailed, it does not allow you to filter based on impact level. That is because the impact level is not filled out completely into the sublevels, and the file does not specify where a control has no impact level, i.e. none.
For me, while reviewing requirements for a new Government RFP, I had a need to run a quick audit against 800-53 specifically for low security controls only. I searched online for modified versions but found most to be behind subscription walls, copies of the original, or overly complex. Since I bothered to go through all 1600 or so lines and fill in all impact levels including the none controls, I figured others might want this as well. Here it is linked below in all its glory…
Here is my current updated NIST Controls Audit worksheet I use for my own Corporate NIST Assessments. The template has a 2nd tab to run a pivot table against the sheet and spit out a table you can use to make pretty charts for your executive team.
Here is the link to the original .txt file provided by NVD/NIST.
NIST 800-53 Rev 4 Original
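The fill-in described above can also be scripted against the tab-delimited file. This is an added example, not the worksheet's or NIST's own code: the column names (NAME, TITLE, BASELINE-IMPACT), the control ID formats and the sample rows are assumptions constructed for illustration, and it assumes a sub-item inherits the impact levels of the control or enhancement it belongs to.

```python
import csv
import io
import re

# Constructed sample in the shape assumed for the tab-delimited export.
# Column names and ID formats are assumptions; adjust to the real header row.
SAMPLE = (
    "NAME\tTITLE\tBASELINE-IMPACT\n"
    "AC-2\tACCOUNT MANAGEMENT\tLOW,MODERATE,HIGH\n"
    "AC-2a.\t\t\n"
    "AC-2 (1)\tAUTOMATED SYSTEM ACCOUNT MANAGEMENT\tMODERATE,HIGH\n"
    "AC-16\tSECURITY ATTRIBUTES\t\n"
    "AC-16a.\t\t\n"
)

# A control ("AC-2") or a control enhancement ("AC-2 (1)") owns an impact value.
OWNER = re.compile(r"^[A-Z]{2}-\d+(?: \(\d+\))?")


def fill_impact(text):
    """Return rows with BASELINE-IMPACT filled on every line."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    # Pass 1: record what each control/enhancement row states; blank means NONE.
    stated = {}
    for row in rows:
        name = row["NAME"].strip()
        match = OWNER.match(name)
        if match and match.group(0) == name:
            stated[name] = row["BASELINE-IMPACT"].strip() or "NONE"
    # Pass 2: sub-items inherit from their owner; orphans are flagged, not hidden.
    for row in rows:
        match = OWNER.match(row["NAME"].strip())
        owner = match.group(0) if match else None
        row["BASELINE-IMPACT"] = stated.get(owner, "UNKNOWN")
    return rows


def at_level(rows, level):
    """Names of all rows that apply at one impact level (or NONE/UNKNOWN)."""
    return [r["NAME"] for r in rows if level in r["BASELINE-IMPACT"].split(",")]


if __name__ == "__main__":
    filled = fill_impact(SAMPLE)
    for lvl in ("LOW", "MODERATE", "HIGH", "NONE"):
        print(lvl, at_level(filled, lvl))
```

Rows reported as UNKNOWN have no matching control or enhancement row in the input and should be checked by hand before the result is used in an audit.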
I also searched online for modified versions but found most to be behind subscription walls, copies of the original, or overly complex. Maybe some of these will prove useful to you:
Tikras.com Excel – The way this one provided low/medium/high impact was OK; it looked like they used a parser to break down the sublevels and created additional sublevels that did not seem to exist in the original document.
Cloud Audit Controls – Excel Link – Controls_800_53r4_ver02. This one was great but complicated by its associations with another Cloud Security Controls doc that I did not need. By the way, Christopher Davis of Cloud Audit Controls puts out some great documentation, so check out his site.