Overview
Select and tailor an SP 800-53 Rev 5 control baseline based on FIPS 199 categorization and regulatory overlays (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, CMMC). Applies the appropriate Low/Moderate/High baseline, adds regulation-specific controls, and supports tailoring with documented justification. Produces tailored-control-catalog.json for all downstream skills.
The tailored control catalog is the single source of truth for which controls are in scope. Every downstream skill – policy authoring, control standards, gap analysis, and CSF crosswalk – reads this file to know exactly which controls to address. The baseline selector bridges the gap between your FIPS 199 categorization and the specific controls your organization must implement.
What It Covers
- Base Baseline Selection – Low (~207 controls), Moderate (~345 controls), or High (~428 controls) based on FIPS 199 impact level
- Regulatory Overlays – additional controls required by HIPAA (SP 800-66), PCI-DSS v4.0, GDPR, SOX (COSO 2013), FedRAMP, and CMMC v2.0
- Tailoring – add controls beyond the baseline or remove controls with documented justification and compensating measures
- Validation – ensures critical families are covered, control IDs are well-formed, and removals are justified
This skill is part of the NIST SP 800-53 Compliance Program workspace — see the full walkthrough for how all 7 skills work together.
Example Conversation
You: We’ve completed our organization profile. MedVault is categorized as FIPS 199 High with HIPAA, FedRAMP, PCI-DSS, and SOX overlays. Let’s select and tailor our baseline.
Agent: I’ve loaded your organization profile. Based on the FIPS 199 High categorization, I’ll start with the High baseline which includes approximately 428 controls across all 20 families. Now I’ll apply each of your four regulatory overlays.
Starting with the base High baseline and adding overlay-specific controls:
| Overlay | Additional Controls | Key Families Affected |
|---|---|---|
| HIPAA (SP 800-66 Rev 2) | +12 | AC, AU, IA, SC, IR, PT |
| FedRAMP High | +18 | All families (enhanced parameters) |
| PCI-DSS v4.0 | +8 | AC, AU, CM, SC, SI |
| SOX (COSO 2013) | +6 | AC, AU, CM, IA, PS |

Total after overlays: 472 controls across 20 families. Would you like to review the full catalog, or should we proceed to tailoring?
You: Let’s tailor. We’re fully cloud-hosted on AWS, so most PE (Physical and Environmental Protection) controls are handled by AWS under the shared responsibility model. Can we remove those?
Agent: Good call. For a cloud-hosted system, many PE controls shift to the CSP. However, I need to be careful – some PE controls still apply even in cloud environments (like PE-2 Physical Access Authorizations for your office spaces and PE-6 Monitoring Physical Access to server rooms if you have any on-premise equipment).
Here are the PE controls I recommend removing with justification:
| Control | Name | Justification |
|---|---|---|
| PE-3 | Physical Access Control | Cloud-hosted; physical data center access controlled by AWS under SOC 2 and FedRAMP authorization |
| PE-4 | Access Control for Transmission | Cloud-hosted; network cabling and transmission infrastructure managed by AWS |
| PE-5 | Access Control for Output Devices | No on-premise output devices processing PHI; all printing restricted to secure virtual desktop |
| PE-13 | Fire Protection | Cloud-hosted; fire suppression managed by AWS data centers per FedRAMP requirements |
| PE-14 | Environmental Controls | Cloud-hosted; HVAC and environmental monitoring managed by AWS |
| PE-15 | Water Damage Protection | Cloud-hosted; water damage protections managed by AWS data centers |

I’ll keep PE-2 (Physical Access Authorizations) and PE-6 (Monitoring Physical Access) since you have office space in Austin. Shall I proceed with these removals?
You: Yes, that looks right. Proceed.
Agent: I’ve applied the tailoring. Let me run check_baseline_completeness to validate…
Result: PASS – Baseline is complete and well-formed.
- Baseline Level: High
- Total Controls Selected: 466
- Overlays Applied: HIPAA, FedRAMP, PCI-DSS, SOX
- Tailoring Removals: 6 (all with documented justification)
- Critical families present: AC (25), SC (38), SI (19), AU (16)
The tailored-control-catalog.json file is saved. You can now proceed to policy authoring or control standards.
Sample Output Excerpt
The skill produces a tailored control catalog JSON. Here is a representative excerpt showing the structure with baseline controls, overlay additions, and tailoring removals.
{
"baseline_level": "High",
"overlays_applied": ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"],
"controls": [
{
"id": "AC-1",
"name": "Policy and Procedures",
"family": "AC",
"source": "baseline",
"overlay_source": null
},
{
"id": "AC-2",
"name": "Account Management",
"family": "AC",
"source": "baseline",
"overlay_source": null
},
{
"id": "AC-2(1)",
"name": "Automated System Account Management",
"family": "AC",
"source": "baseline",
"overlay_source": null
},
{
"id": "AC-2(13)",
"name": "Disable Accounts for High-Risk Individuals",
"family": "AC",
"source": "overlay",
"overlay_source": "HIPAA"
},
{
"id": "AU-3(1)",
"name": "Additional Audit Information",
"family": "AU",
"source": "overlay",
"overlay_source": "FedRAMP"
},
{
"id": "SC-28(1)",
"name": "Cryptographic Protection",
"family": "SC",
"source": "overlay",
"overlay_source": "PCI-DSS"
}
],
"tailoring_removals": [
{
"id": "PE-3",
"justification": "Cloud-hosted on AWS; physical data center access controlled by AWS under SOC 2 Type II and FedRAMP High authorization."
},
{
"id": "PE-13",
"justification": "Cloud-hosted; fire suppression systems managed by AWS data centers per FedRAMP requirements and AWS SOC 2 report."
},
{
"id": "PE-14",
"justification": "Cloud-hosted; HVAC and environmental monitoring managed by AWS under shared responsibility model."
}
]
}
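The excerpt above shows the shape of the file but not how it is assembled. The following is an added example, written for this page and not the Baseline Selector's own code, that composes a catalog in that shape from a base baseline, the requested overlays and documented removals. The baseline and overlay contents are constructed stand-ins of a few controls each (the real SP 800-53B baselines and overlay mappings are far larger and would be loaded from files), and the extra `removed_from` and `compensating_controls` fields on removal records are this example's own additions beyond the excerpt.

```python
"""Added example (not the skill's own code): compose a tailored control
catalog from a base baseline, regulatory overlays and justified removals."""
import json

# Constructed sample data: a thin slice of each baseline as (id, name) pairs.
MODERATE = [
    ("AC-1", "Policy and Procedures"),
    ("AC-2", "Account Management"),
    ("AC-2(1)", "Automated System Account Management"),
    ("AU-2", "Event Logging"),
    ("PE-3", "Physical Access Control"),
    ("PE-13", "Fire Protection"),
    ("SC-7", "Boundary Protection"),
    ("SI-4", "System Monitoring"),
]
BASELINES = {
    "Low": MODERATE[:2] + MODERATE[3:5],
    "Moderate": MODERATE,
    "High": MODERATE + [("AU-10", "Non-repudiation"),
                        ("SC-7(21)", "Isolation of System Components")],
}
# Constructed overlay mappings. FedRAMP deliberately repeats AC-2 to show
# that a control the baseline already mandates is not re-attributed.
OVERLAYS = {
    "HIPAA": [("AC-2(13)", "Disable Accounts for High-Risk Individuals")],
    "FedRAMP": [("AC-2", "Account Management"),
                ("AU-3(1)", "Additional Audit Information")],
    "PCI-DSS": [("SC-28(1)", "Cryptographic Protection")],
    "SOX": [("PS-7", "External Personnel Security")],
}
MIN_JUSTIFICATION = 20  # same floor the completeness check enforces


def family_of(control_id):
    """Family prefix is the text before the first hyphen: 'SC' for 'SC-7(3)'."""
    return control_id.split("-", 1)[0]


def _entry(cid, name, source, overlay=None):
    return {"id": cid, "name": name, "family": family_of(cid),
            "source": source, "overlay_source": overlay}


def build_catalog(baseline_level, overlays, removals, additions=()):
    """Return the tailored catalog dict. Raises ValueError for an unknown
    baseline or overlay, a removal of an unselected control, or a removal
    whose justification is missing or shorter than MIN_JUSTIFICATION."""
    if baseline_level not in BASELINES:
        raise ValueError(f"unknown baseline level {baseline_level!r}")
    selected = {}  # id -> entry; insertion order kept, first source wins
    for cid, name in BASELINES[baseline_level]:
        selected[cid] = _entry(cid, name, "baseline")
    for overlay in overlays:
        if overlay not in OVERLAYS:
            raise ValueError(f"unknown overlay {overlay!r}")
        for cid, name in OVERLAYS[overlay]:
            selected.setdefault(cid, _entry(cid, name, "overlay", overlay))
    for cid, name in additions:  # controls added beyond baseline and overlays
        selected.setdefault(cid, _entry(cid, name, "tailoring-add"))

    removal_records = []
    for removal in removals:
        cid = removal["id"]
        justification = (removal.get("justification") or "").strip()
        if cid not in selected:
            raise ValueError(f"cannot remove {cid}: not in the selected set")
        if len(justification) < MIN_JUSTIFICATION:
            raise ValueError(f"cannot remove {cid}: justification missing or too short")
        dropped = selected.pop(cid)
        record = {"id": cid, "name": dropped["name"],
                  "removed_from": dropped["source"],  # example's extra field
                  "justification": justification}
        if removal.get("compensating_controls"):  # example's extra field
            record["compensating_controls"] = list(removal["compensating_controls"])
        removal_records.append(record)

    return {"baseline_level": baseline_level,
            "overlays_applied": list(overlays),
            "controls": list(selected.values()),
            "tailoring_removals": removal_records}


def write_catalog(catalog, path="tailored-control-catalog.json"):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(catalog, fh, indent=2)


if __name__ == "__main__":
    catalog = build_catalog(
        "High", ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"],
        removals=[{"id": "PE-3", "compensating_controls": ["SA-9"],
                   "justification": "Cloud-hosted on AWS; physical data center "
                                    "access controlled by AWS under SOC 2 Type II "
                                    "and FedRAMP High authorization."}])
    print(json.dumps(catalog, indent=2))
```

Because `setdefault` keeps the first entry, a control that both the baseline and an overlay require stays attributed to the baseline; the `overlay_source` field therefore records only the controls an overlay genuinely adds, which is what a downstream gap analysis needs when an overlay is later dropped.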
Extension Tools
check_baseline_completeness
Reads the tailored control catalog JSON and validates control IDs, baseline coverage, overlay documentation, and tailoring removals.
| Check | What It Validates | Severity |
|---|---|---|
| Baseline level | baseline_level field is present and valid (Low, Moderate, High) | ERROR if missing or invalid |
| Control ID format | Each control ID matches 800-53 pattern (e.g., AC-1, AC-2(1), SC-7(3)) | WARNING for non-matching IDs |
| Duplicate detection | No duplicate control IDs in the selected controls array | WARNING on duplicates |
| Critical families | AC (Access Control), SC (System and Communications Protection), SI (System and Information Integrity), AU (Audit and Accountability) all have controls selected | ERROR if a critical family is missing |
| Baseline size | Total controls meet minimum expected for the baseline level (~150 Low, ~280 Moderate, ~380 High) | WARNING if below threshold |
| Tailoring justification | Every removal in tailoring_removals has a justification of at least 20 characters | ERROR if justification is missing or too short |
| Per-family breakdown | Reports control count per family with source statistics (baseline, overlay, tailoring-add) | Informational |
The tool also normalizes common field naming variants (e.g., applied_overlays to overlays_applied, fips_199_level to baseline_level) and filters out controls with a “Removed” status that were accidentally placed in the controls array.
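To make the checks in the table concrete, here is an added example, written for this page rather than the extension tool's own source, that re-implements those rules in Python and runs them over a constructed catalog that exercises the field-name normalization, the “Removed” filter, and at least one finding of each severity. The thresholds mirror the table; the real tool's exact messages and report layout are not shown on this page and are this example's own.

```python
"""Added example (not the tool's source): the documented
check_baseline_completeness rules applied to a constructed catalog."""
import json
import re
from collections import Counter, defaultdict

CONTROL_ID_RE = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")  # AC-1, AC-2(1), SC-7(3)
CRITICAL_FAMILIES = ("AC", "SC", "SI", "AU")
MIN_CONTROLS = {"Low": 150, "Moderate": 280, "High": 380}  # approximate floors
MIN_JUSTIFICATION = 20
FIELD_ALIASES = {"applied_overlays": "overlays_applied",
                 "fips_199_level": "baseline_level"}

# Constructed input: alias field names, a stray "Removed" entry, one
# malformed ID (dotted enhancement), one duplicate, and one bad removal.
SAMPLE_CATALOG = json.loads("""
{
  "fips_199_level": "High",
  "applied_overlays": ["HIPAA", "FedRAMP"],
  "controls": [
    {"id": "AC-1",     "family": "AC", "source": "baseline"},
    {"id": "AC-2",     "family": "AC", "source": "baseline"},
    {"id": "AC-2",     "family": "AC", "source": "baseline"},
    {"id": "AC-2(13)", "family": "AC", "source": "overlay", "overlay_source": "HIPAA"},
    {"id": "AU-3(1)",  "family": "AU", "source": "overlay", "overlay_source": "FedRAMP"},
    {"id": "SC-7.3",   "family": "SC", "source": "baseline"},
    {"id": "SI-4",     "family": "SI", "source": "tailoring-add"},
    {"id": "PE-3",     "family": "PE", "source": "baseline", "status": "Removed"}
  ],
  "tailoring_removals": [
    {"id": "PE-3",  "justification": "Cloud-hosted; physical data center access controlled by AWS."},
    {"id": "PE-13", "justification": "N/A"}
  ]
}
""")


def normalize(catalog):
    """Map known field-name variants onto the canonical names and drop
    controls left in the array with a 'Removed' status."""
    cat = dict(catalog)
    for alias, canonical in FIELD_ALIASES.items():
        if alias in cat and canonical not in cat:
            cat[canonical] = cat.pop(alias)
    cat["controls"] = [c for c in cat.get("controls", [])
                       if str(c.get("status", "")).lower() != "removed"]
    cat.setdefault("tailoring_removals", [])
    return cat


def check_baseline_completeness(catalog):
    """Return a report: PASS if no ERROR findings, else FAIL, plus counts,
    a per-family source breakdown and the (severity, message) findings."""
    cat = normalize(catalog)
    findings = []
    level = cat.get("baseline_level")
    if level not in MIN_CONTROLS:
        findings.append(("ERROR", f"baseline_level missing or invalid: {level!r}"))

    ids = [str(c.get("id", "")) for c in cat["controls"]]
    for cid in ids:
        if not CONTROL_ID_RE.match(cid):
            findings.append(("WARNING", f"control ID not in 800-53 form: {cid!r}"))
    for cid, n in Counter(ids).items():
        if n > 1:
            findings.append(("WARNING", f"duplicate control ID {cid} ({n} entries)"))

    per_family = defaultdict(Counter)  # family -> {source: count}
    for c in cat["controls"]:
        family = c.get("family") or str(c.get("id", "")).split("-", 1)[0]
        per_family[family][c.get("source", "baseline")] += 1
    for family in CRITICAL_FAMILIES:
        if family not in per_family:
            findings.append(("ERROR", f"critical family {family} has no controls selected"))

    if level in MIN_CONTROLS and len(ids) < MIN_CONTROLS[level]:
        findings.append(("WARNING", f"{len(ids)} controls selected; expected at least "
                                    f"~{MIN_CONTROLS[level]} for {level}"))

    for removal in cat["tailoring_removals"]:
        if len((removal.get("justification") or "").strip()) < MIN_JUSTIFICATION:
            findings.append(("ERROR", f"removal {removal.get('id')} has a missing "
                                      "or too-short justification"))

    status = "FAIL" if any(sev == "ERROR" for sev, _ in findings) else "PASS"
    return {"status": status, "baseline_level": level, "total_controls": len(ids),
            "removals": len(cat["tailoring_removals"]),
            "per_family": {f: dict(cnt) for f, cnt in sorted(per_family.items())},
            "findings": findings}


if __name__ == "__main__":
    report = check_baseline_completeness(SAMPLE_CATALOG)
    print(f"Result: {report['status']} ({report['total_controls']} controls, "
          f"{report['removals']} removals)")
    for severity, message in report["findings"]:
        print(f"  [{severity}] {message}")
```

Running it on the constructed catalog yields three WARNINGs (the dotted `SC-7.3` ID, the duplicate `AC-2`, and a count far below the High floor) and one ERROR for the `PE-13` removal, so the overall result is FAIL; replacing that removal's justification with a real one turns the result into PASS with the warnings left for review. Note that a malformed ID still counts toward its family via the `family` field, so a critical-family check can pass even when the IDs in it would not match anything in the control catalog; the ID-format warning is what catches that.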
Getting Started
Complete the Organization Profile skill first – the Baseline Selector reads organization-profile.json to determine the FIPS 199 impact level and applicable regulations.
Once the profile is ready, start a session with the Baseline Selector skill active. The agent will:
- Load your FIPS 199 categorization and select the corresponding base baseline
- Apply each regulatory overlay and show which controls are added
- Walk you through tailoring – removing controls that don’t apply to your environment (with required justification)
- Validate the final catalog with check_baseline_completeness
- Save tailored-control-catalog.json for all downstream skills
Have these decisions ready:
- Whether your environment is cloud-hosted, on-premise, or hybrid (affects PE family tailoring)
- Any compensating controls for controls you want to remove
- Whether you need to add controls beyond the baseline for specific business requirements