# NIST SP 800-53 Baseline Selector

> Select and tailor an SP 800-53 Rev 5 control baseline based on FIPS 199 categorization and regulatory overlays (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, CMMC). Applies the appropriate Low/Moderate/High baseline, adds regulation-specific controls, and supports tailoring with documented justification. Produces tailored-control-catalog.json for all downstream skills.



Tags: NIST, NIST 800-53, Compliance, GRC, Baseline, USA


## Example Prompts

- Select the Moderate baseline for our FIPS 199 Moderate system
- Apply HIPAA and FedRAMP overlays to our baseline
- Tailor the baseline by removing PE controls with justification
- Generate the tailored control catalog for our compliance program

URL: https://rakenne.app/skills/nist-800-53-baseline-selector/index.md

Try this skill: https://rakenne.app/a/?skill=nist-800-53-baseline-selector



## Overview

The tailored control catalog is the single source of truth for which controls are in scope. Every downstream skill -- policy authoring, control standards, gap analysis, and CSF crosswalk -- reads this file to know exactly which controls to address. The baseline selector bridges the gap between your FIPS 199 categorization and the specific controls your organization must implement.

### What It Covers

- **Base Baseline Selection** -- Low (~207 controls), Moderate (~345 controls), or High (~428 controls) based on FIPS 199 impact level
- **Regulatory Overlays** -- additional controls required by HIPAA (SP 800-66), PCI-DSS v4.0, GDPR, SOX (COSO 2013), FedRAMP, and CMMC v2.0
- **Tailoring** -- add controls beyond the baseline or remove controls with documented justification and compensating measures
- **Validation** -- ensures critical families are covered, control IDs are well-formed, and removals are justified

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace -- see the full walkthrough for how all 7 skills work together.

## Example Conversation

> **You:** We've completed our organization profile. MedVault is categorized as FIPS 199 High with HIPAA, FedRAMP, PCI-DSS, and SOX overlays. Let's select and tailor our baseline.
>
> **Agent:** I've loaded your organization profile. Based on the FIPS 199 High categorization, I'll start with the **High baseline** which includes approximately 428 controls across all 20 families. Now I'll apply each of your four regulatory overlays.
>
> Starting with the base High baseline and adding overlay-specific controls:
>
> | Overlay | Additional Controls | Key Families Affected |
> |---------|-------------------:|----------------------|
> | HIPAA (SP 800-66 Rev 2) | +12 | AC, AU, IA, SC, IR, PT |
> | FedRAMP High | +18 | All families (enhanced parameters) |
> | PCI-DSS v4.0 | +8 | AC, AU, CM, SC, SI |
> | SOX (COSO 2013) | +6 | AC, AU, CM, IA, PS |
>
> **Total after overlays: 472 controls** across 20 families. Would you like to review the full catalog, or should we proceed to tailoring?
>
> **You:** Let's tailor. We're fully cloud-hosted on AWS, so most PE (Physical and Environmental Protection) controls are handled by AWS under the shared responsibility model. Can we remove those?
>
> **Agent:** Good call. For a cloud-hosted system, many PE controls shift to the CSP. However, I need to be careful -- some PE controls still apply even in cloud environments (like PE-2 Physical Access Authorizations for your office spaces and PE-6 Monitoring Physical Access to server rooms if you have any on-premise equipment).
>
> Here are the PE controls I recommend removing with justification:
>
> | Control | Name | Justification |
> |---------|------|---------------|
> | PE-3 | Physical Access Control | Cloud-hosted; physical data center access controlled by AWS under SOC 2 and FedRAMP authorization |
> | PE-4 | Access Control for Transmission | Cloud-hosted; network cabling and transmission infrastructure managed by AWS |
> | PE-5 | Access Control for Output Devices | No on-premise output devices processing PHI; all printing restricted to secure virtual desktop |
> | PE-13 | Fire Protection | Cloud-hosted; fire suppression managed by AWS data centers per FedRAMP requirements |
> | PE-14 | Environmental Controls | Cloud-hosted; HVAC and environmental monitoring managed by AWS |
> | PE-15 | Water Damage Protection | Cloud-hosted; water damage protections managed by AWS data centers |
>
> I'll keep PE-2 (Physical Access Authorizations) and PE-6 (Monitoring Physical Access) since you have office space in Austin. Shall I proceed with these removals?
>
> **You:** Yes, that looks right. Proceed.
>
> **Agent:** I've applied the tailoring. Let me run `check_baseline_completeness` to validate...
>
> **Result:** PASS -- Baseline is complete and well-formed.
> - Baseline Level: High
> - Total Controls Selected: 466
> - Overlays Applied: HIPAA, FedRAMP, PCI-DSS, SOX
> - Tailoring Removals: 6 (all with documented justification)
> - Critical families present: AC (25), SC (38), SI (19), AU (16)
>
> The `tailored-control-catalog.json` file is saved. You can now proceed to policy authoring or control standards.

## Sample Output Excerpt

The skill produces a tailored control catalog JSON. Here is a representative excerpt showing the structure with baseline controls, overlay additions, and tailoring removals.

---

```json
{
  "baseline_level": "High",
  "overlays_applied": ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"],
  "controls": [
    {
      "id": "AC-1",
      "name": "Policy and Procedures",
      "family": "AC",
      "source": "baseline",
      "overlay_source": null
    },
    {
      "id": "AC-2",
      "name": "Account Management",
      "family": "AC",
      "source": "baseline",
      "overlay_source": null
    },
    {
      "id": "AC-2(1)",
      "name": "Automated System Account Management",
      "family": "AC",
      "source": "baseline",
      "overlay_source": null
    },
    {
      "id": "AC-2(13)",
      "name": "Disable Accounts for High-Risk Individuals",
      "family": "AC",
      "source": "overlay",
      "overlay_source": "HIPAA"
    },
    {
      "id": "AU-3(1)",
      "name": "Additional Audit Information",
      "family": "AU",
      "source": "overlay",
      "overlay_source": "FedRAMP"
    },
    {
      "id": "SC-28(1)",
      "name": "Cryptographic Protection",
      "family": "SC",
      "source": "overlay",
      "overlay_source": "PCI-DSS"
    }
  ],
  "tailoring_removals": [
    {
      "id": "PE-3",
      "justification": "Cloud-hosted on AWS; physical data center access controlled by AWS under SOC 2 Type II and FedRAMP High authorization."
    },
    {
      "id": "PE-13",
      "justification": "Cloud-hosted; fire suppression systems managed by AWS data centers per FedRAMP requirements and AWS SOC 2 report."
    },
    {
      "id": "PE-14",
      "justification": "Cloud-hosted; HVAC and environmental monitoring managed by AWS under shared responsibility model."
    }
  ]
}
```


## Extension Tools

### `check_baseline_completeness`

Reads the tailored control catalog JSON and validates control IDs, baseline coverage, overlay documentation, and tailoring removals.

| Check | What It Validates | Severity |
|-------|------------------|----------|
| **Baseline level** | `baseline_level` field is present and valid (Low, Moderate, High) | ERROR if missing or invalid |
| **Control ID format** | Each control ID matches 800-53 pattern (e.g., AC-1, AC-2(1), SC-7(3)) | WARNING for non-matching IDs |
| **Duplicate detection** | No duplicate control IDs in the selected controls array | WARNING on duplicates |
| **Critical families** | AC (Access Control), SC (System and Communications Protection), SI (System and Information Integrity), AU (Audit and Accountability) all have controls selected | ERROR if a critical family is missing |
| **Baseline size** | Total controls meet minimum expected for the baseline level (~150 Low, ~280 Moderate, ~380 High) | WARNING if below threshold |
| **Tailoring justification** | Every removal in `tailoring_removals` has a justification of at least 20 characters | ERROR if justification is missing or too short |
| **Per-family breakdown** | Reports control count per family with source statistics (baseline, overlay, tailoring-add) | Informational |

The tool also normalizes common field naming variants (e.g., `applied_overlays` to `overlays_applied`, `fips_199_level` to `baseline_level`) and filters out controls with a "Removed" status that were accidentally placed in the `controls` array.
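The checks in the table above, written out as an added Python example (not the skill's own `check_baseline_completeness` implementation): it normalizes the alias keys, drops entries with a `Removed` status (the `status` field name is assumed), then applies the ID-format, duplicate, critical-family, baseline-size and justification-length rules over a constructed sample catalog.

```python
import re
from collections import Counter

# SP 800-53 control ID pattern: family, dash, number, optional enhancement in parentheses
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")
CRITICAL_FAMILIES = ("AC", "SC", "SI", "AU")
MIN_SIZE = {"Low": 150, "Moderate": 280, "High": 380}   # minimum expected control counts
# Field-name variants the page says are normalized to the canonical keys
ALIASES = {"applied_overlays": "overlays_applied", "fips_199_level": "baseline_level"}

def check_baseline_completeness(catalog: dict) -> dict:
    """Validate a tailored-control-catalog dict; returns errors, warnings and per-family counts."""
    cat = {ALIASES.get(k, k): v for k, v in catalog.items()}
    errors, warnings = [], []
    level = cat.get("baseline_level")
    if level not in MIN_SIZE:
        errors.append(f"baseline_level missing or invalid: {level!r}")
    # Drop controls left in the array with a "Removed" status ('status' field name is assumed)
    controls = [c for c in cat.get("controls", []) if str(c.get("status", "")).lower() != "removed"]
    ids = [str(c.get("id", "")) for c in controls]
    warnings += [f"malformed control id: {i!r}" for i in ids if not CONTROL_ID.match(i)]
    warnings += [f"duplicate control id: {i}" for i, n in Counter(ids).items() if n > 1]
    families = Counter(c.get("family") or i.split("-")[0] for c, i in zip(controls, ids))
    errors += [f"critical family {f} has no controls selected" for f in CRITICAL_FAMILIES if not families[f]]
    if level in MIN_SIZE and len(controls) < MIN_SIZE[level]:
        warnings.append(f"{len(controls)} controls is below the ~{MIN_SIZE[level]} expected for {level}")
    for r in cat.get("tailoring_removals", []):
        if len(str(r.get("justification", "")).strip()) < 20:
            errors.append(f"removal {r.get('id')} lacks a justification of at least 20 characters")
    return {"errors": errors, "warnings": warnings, "families": families}

# Constructed sample (not the skill's real output): alias keys, a duplicate id,
# a stray "Removed" entry, a malformed id and one too-short justification.
SAMPLE = {
    "fips_199_level": "High",
    "applied_overlays": ["HIPAA", "FedRAMP"],
    "controls": [
        {"id": "AC-1", "family": "AC", "source": "baseline"},
        {"id": "AC-2(1)", "family": "AC", "source": "baseline"},
        {"id": "AC-2(1)", "family": "AC", "source": "overlay", "overlay_source": "HIPAA"},
        {"id": "AU-3(1)", "family": "AU", "source": "overlay", "overlay_source": "FedRAMP"},
        {"id": "SC-28(1)", "family": "SC", "source": "overlay", "overlay_source": "PCI-DSS"},
        {"id": "PE-3", "family": "PE", "status": "Removed"},
        {"id": "si7", "family": "SI", "source": "baseline"},
    ],
    "tailoring_removals": [
        {"id": "PE-3", "justification": "Cloud-hosted on AWS; data center access controlled by AWS."},
        {"id": "PE-13", "justification": "AWS handles it"},
    ],
}
```

Calling `check_baseline_completeness(SAMPLE)` yields one error (the PE-13 justification) and three warnings (malformed `si7`, duplicate `AC-2(1)`, and a control count far below the High threshold); a real run would `json.load` the `tailored-control-catalog.json` file instead of the inline sample.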

## Getting Started

Complete the **Organization Profile** skill first -- the Baseline Selector reads `organization-profile.json` to determine the FIPS 199 impact level and applicable regulations.

Once the profile is ready, start a session with the Baseline Selector skill active. The agent will:

1. Load your FIPS 199 categorization and select the corresponding base baseline
2. Apply each regulatory overlay and show which controls are added
3. Walk you through tailoring -- removing controls that don't apply to your environment (with required justification)
4. Validate the final catalog with `check_baseline_completeness`
5. Save `tailored-control-catalog.json` for all downstream skills

Have these decisions ready:

- Whether your environment is cloud-hosted, on-premise, or hybrid (affects PE family tailoring)
- Any compensating controls for controls you want to remove
- Whether you need to add controls beyond the baseline for specific business requirements



