The Framework is growing larger & more complex

There are over 860[1] security controls in NIST SP 800-53, and in all probability this number will continue to grow in the future.

- Beyond Compliance: Addressing the Political, Cultural and Technical Dimensions of Applying the Risk Management Framework, The MITRE Corporation, 2014

Twenty years ago, following the Federal Information Security Modernization Act of 2002 and the development of SP 800-60, the Framework spanned approximately 400 pages, equivalent to the length of Herman Melville’s Moby Dick.

By 2008 it had surpassed Joyce’s Ulysses.

Ten years on, the Framework had grown larger than Tolstoy’s War and Peace.

Today, the catalog of Risk Management Framework documentation is lengthier than all seven books of the Harry Potter series.[2]

Special Publication (SP) 800-53 alone is nearly 500 pages. NIST later released 800-53A, a guide to assessing the controls in SP 800-53, which contains more than 700 additional pages. 800-53B, an addendum outlining the use of baselines for control selection, was published in 2020, adding 85 new pages.

One example of how quickly the policy landscape can grow in complexity is the introduction of continuous monitoring. The Office of Management and Budget (OMB) introduced continuous monitoring in 2011, but agencies struggled to implement it. NIST issued guidance for agencies in a new document, SP 800-137. In response to SP 800-137, OMB issued Memorandum M-14-03, providing three options for continuous monitoring. NIST then issued yet another document, NISTIR 8011, to manage those three options. One policy change led to three new policy documents.

On January 26, 2023, NIST released the AI Risk Management Framework (AI RMF 1.0) along with a companion NIST AI RMF Playbook, AI RMF Explainer Video, an AI RMF Roadmap, AI RMF Crosswalk, and various Perspectives.

- NIST.gov online announcement, 2023

Most recently, to address the widespread adoption of AI, NIST released a separate, AI-specific RMF containing 72 new evaluation criteria, along with several supporting documents. In the last five years alone, the Framework has grown by nearly 1,000 pages.

“Writing more policy to have other orgs implement more policy to have other orgs implement their policy; that trickle down? I don’t know. I’m skeptical that at the size of our bureaucracy it’s going to make a change in a way that we need it to. Which is sad to say, and I want to be wrong. But it is my true answer that I think something has to give to where we break all the glass and we’re just like, nope… this doesn’t work. Try again.”

Acknowledging the situation, a large agency CISO posed the question, “how has that 20 year old program… matured? And to answer, it really hasn’t. In fact, it’s just grown. We’re now onto NIST 800-53 revision five and if you go back through and look at the first version of NIST 800-53, the number of controls there have exponentially expanded, as have the baselines from low, moderate, and high.”

[1] NIST SP 800-53Ar5 now contains 1189 baseline controls.

[2] Not including the recent Artificial Intelligence Risk Management Framework.


This site was last updated on 9 OCT 2023.