# NIST SP 800-53 Control Standard Author

> Author implementation standards for individual NIST SP 800-53 controls. Each standard documents the control objective, implementation narrative, technology and tools, responsible roles, evidence requirements, and review frequency. Validates narrative coverage and quality across control families.

Tags: NIST, NIST 800-53, Compliance, GRC, Controls, USA

## Example Prompts

- Write implementation standards for the Access Control (AC) family
- Create a standard for AC-2 Account Management
- Check coverage of standards across all selected control families
- Review and improve the narrative for SC-7 Boundary Protection

URL: https://rakenne.app/skills/nist-800-53-control-standard-author/index.md

Try this skill: https://rakenne.app/a/?skill=nist-800-53-control-standard-author

## Overview

While policies state organizational intent, implementation standards describe exactly how each control is met -- specific configurations, procedures, tools, and responsible parties. These are the documents assessors use to verify that controls are actually implemented, not just written on paper. The agent references the full control text from NIST SP 800-53 Rev 5 and tailors each narrative to your organization's technology stack and operational context.

### What It Covers

- **Control Objective** -- restates the NIST control requirement in organizational context
- **Implementation Narrative** -- detailed description of how the control is implemented with specific procedures, configurations, and processes
- **Technology and Tools** -- systems, software, and configurations used (e.g., Okta, AWS IAM, Datadog)
- **Responsible Roles** -- specific personnel responsible for implementing and monitoring the control
- **Evidence Requirements** -- what an assessor would examine: logs, screenshots, reports, configuration exports
- **Vague Language Detection** -- flags phrases like "as needed", "periodically", "appropriate controls" that weaken narratives

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace — see the full walkthrough for how all 7 skills work together.

## Example Conversation

> **You:** Let's write implementation standards for the Access Control family, starting with AC-2 Account Management. We use Okta for SSO and AWS IAM for cloud access.
>
> **Agent:** I'll start with AC-2 Account Management. Let me load the full control text from the NIST reference and your organization profile...
>
> AC-2 requires the organization to define and manage information system accounts including identifying account types, establishing conditions for group and role membership, authorizing access, and establishing procedures for managing accounts throughout their lifecycle.
>
> For MedVault's High baseline with HIPAA and FedRAMP overlays, several AC-2 enhancements are also selected: AC-2(1) Automated Account Management, AC-2(2) Automated Temporary and Emergency Accounts, AC-2(3) Disable Accounts, AC-2(4) Automated Audit Actions, and AC-2(13) Disable Accounts for High-Risk Individuals.
>
> Let me write the standard with MedVault-specific implementation details...
>
> Draft complete for `output/standards/ac-2-standard.md`. Here are the key implementation narrative points:
>
> **Account Types and Management:**
> - Individual user accounts provisioned through Okta Universal Directory with SCIM integration to AWS IAM Identity Center
> - Service accounts managed through AWS IAM roles with automated credential rotation via AWS Secrets Manager (90-day maximum)
> - Emergency accounts created through Okta workflow with automatic 72-hour expiration and CISO notification
>
> **Lifecycle Procedures:**
> - Onboarding: HR initiates Okta provisioning via BambooHR integration; manager approves role assignment; access granted within 4 business hours
> - Transfer: Manager submits access change request; old permissions revoked and new permissions granted within 24 hours
> - Offboarding: HR termination event triggers automatic Okta deactivation; AWS sessions terminated within 1 hour for involuntary separation
>
> **Evidence Requirements:**
> - Okta system log exports showing account creation, modification, and deactivation events
> - Quarterly access review completion reports from Okta Access Certifications
> - AWS CloudTrail logs showing IAM role assumption and credential usage
> - Screenshot of Okta lifecycle policy configuration showing automatic deactivation rules
>
> Let me validate...
>
> I've run `check_control_narrative_coverage` on the standard. Results:
>
> **PASS** -- All 7 required sections present. Narrative length: 1,847 characters. No vague language detected.
>
> **You:** Good. Now do AC-3 Access Enforcement and AC-7 Unsuccessful Logon Attempts.
>
> **Agent:** Writing both standards now.
>
> **AC-3 Access Enforcement** -- Implementation narrative highlights:
> - Role-based access control (RBAC) enforced through Okta group policies mapped to AWS IAM permission boundaries
> - Attribute-based access control (ABAC) for PHI access using Okta expression policies that evaluate user department, clinical role, and patient relationship
> - API-level enforcement through AWS API Gateway with Okta JWT validation and custom authorizer Lambda functions
>
> **AC-7 Unsuccessful Logon Attempts** -- Implementation narrative highlights:
> - Okta sign-on policy locks accounts after 5 consecutive failed attempts within 15 minutes
> - Lockout duration: 30 minutes with automatic unlock, or manual unlock by IT Help Desk
> - Failed authentication events streamed to Datadog via Okta System Log API; alerts triggered after 3 failures within 5 minutes
> - AWS IAM access keys automatically disabled after 10 consecutive API authentication failures via CloudWatch alarm and Lambda remediation
>
> Running `check_control_narrative_coverage` on all three AC standards...
>
> **Result:** 3 files analyzed. Controls with standards: AC-2, AC-3, AC-7. Coverage for AC family: 12% (3/25). No warnings or vague language detected. 22 controls remaining in the AC family.
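The AC-7 narrative in the conversation above fixes two concrete thresholds: a Datadog alert after 3 failed sign-ins within 5 minutes, and an Okta lockout after 5 consecutive failures within 15 minutes. What follows is an added example written for this page, not output of the skill and not Okta or Datadog code, that evaluates both rules over a handful of constructed sign-in events so the difference between the two rules is visible. The event shape (a UTC `published` timestamp, an `actor`, and a `result` of SUCCESS or FAILURE) is an assumption simplified from Okta System Log entries; the `consecutive` flag separates the lockout rule, where a successful sign-in resets the run, from the alert rule, which counts every failure inside the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in events (assumption: a simplified Okta System Log shape
# with a UTC "published" timestamp, an "actor" and a "result").
EVENTS = [
    {"published": "2024-05-01T09:00:00Z", "actor": "alice", "result": "FAILURE"},
    {"published": "2024-05-01T09:01:00Z", "actor": "alice", "result": "FAILURE"},
    {"published": "2024-05-01T09:02:00Z", "actor": "alice", "result": "FAILURE"},
    {"published": "2024-05-01T09:03:00Z", "actor": "alice", "result": "SUCCESS"},
    {"published": "2024-05-01T09:04:00Z", "actor": "alice", "result": "FAILURE"},
    {"published": "2024-05-01T09:05:00Z", "actor": "alice", "result": "FAILURE"},
    {"published": "2024-05-01T10:00:00Z", "actor": "bob", "result": "FAILURE"},
    {"published": "2024-05-01T10:20:00Z", "actor": "bob", "result": "FAILURE"},
    {"published": "2024-05-01T10:40:00Z", "actor": "bob", "result": "FAILURE"},
    {"published": "2024-05-01T11:00:00Z", "actor": "bob", "result": "FAILURE"},
    {"published": "2024-05-01T12:00:00Z", "actor": "carol", "result": "FAILURE"},
    {"published": "2024-05-01T12:01:00Z", "actor": "carol", "result": "FAILURE"},
    {"published": "2024-05-01T12:02:00Z", "actor": "carol", "result": "FAILURE"},
    {"published": "2024-05-01T12:03:00Z", "actor": "carol", "result": "FAILURE"},
    {"published": "2024-05-01T12:04:00Z", "actor": "carol", "result": "FAILURE"},
]

# The two thresholds stated in the AC-7 narrative.
ALERT_RULE = {"name": "datadog-alert", "threshold": 3,
              "window": timedelta(minutes=5), "consecutive": False}
LOCKOUT_RULE = {"name": "okta-lockout", "threshold": 5,
                "window": timedelta(minutes=15), "consecutive": True}


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(events, rule):
    """Sliding-window check per actor. Returns {actor: timestamp of the
    failure that first crossed the rule's threshold}."""
    recent = defaultdict(list)   # actor -> failure timestamps still inside the window
    triggered = {}
    for ev in sorted(events, key=lambda e: e["published"]):
        actor, ts = ev["actor"], parse_ts(ev["published"])
        if ev["result"] == "SUCCESS":
            if rule["consecutive"]:
                recent[actor].clear()   # a successful sign-in breaks the run
            continue
        # drop failures that fell out of the window, then record this one
        recent[actor] = [t for t in recent[actor] if ts - t <= rule["window"]]
        recent[actor].append(ts)
        if len(recent[actor]) >= rule["threshold"] and actor not in triggered:
            triggered[actor] = ev["published"]
    return triggered


if __name__ == "__main__":
    for rule in (ALERT_RULE, LOCKOUT_RULE):
        print(rule["name"], evaluate(EVENTS, rule))
```

Run stand-alone, the alert rule fires for alice and carol while the lockout rule fires only for carol: alice's successful sign-in resets her consecutive run, and bob's failures are spread too far apart to ever sit inside either window. Replaying an exported log against the documented thresholds in this way is the kind of check an assessor can perform against the evidence the standard names.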

## Sample Output Excerpt

The skill produces a structured markdown standard for each control. Here is a representative excerpt from the AC-2 Account Management standard.

---

```markdown
# AC-2 Account Management — Implementation Standard

**MedVault Health Systems, Inc.**
**Control Family:** Access Control (AC)
**Baseline Source:** High baseline
**Overlay Sources:** HIPAA, FedRAMP

## Control Objective

MedVault Health Systems shall define, create, enable, modify, disable,
and remove information system accounts in accordance with documented
account management procedures. Account management activities shall
support the HIPAA Minimum Necessary standard and FedRAMP continuous
monitoring requirements.

## Implementation Narrative

### Account Types

MedVault manages the following account types within the EHR platform
authorization boundary:

| Account Type | Management System | Provisioning | Review Cycle |
|-------------|-------------------|:------------:|:------------:|
| Individual user | Okta Universal Directory | SCIM from BambooHR | Quarterly |
| Privileged admin | Okta + AWS IAM Identity Center | Manual with CISO approval | Monthly |
| Service account | AWS IAM roles | IaC (Terraform) | Quarterly |
| Emergency/break-glass | Okta workflow | On-demand, 72h expiry | Per-use audit |

### Provisioning Workflow

1. HR creates employee record in BambooHR with department and role
2. SCIM integration creates Okta account and assigns base group
3. Manager approves role-specific group membership via Okta Access Request
4. AWS IAM Identity Center provisions permission set based on Okta group
5. User receives activation email; completes MFA enrollment (FIDO2 key)

### De-provisioning

- Voluntary separation: Okta account deactivated on last working day
- Involuntary termination: Okta account deactivated within 1 hour;
  active AWS sessions revoked via IAM inline policy

## Technology and Tools

| Tool | Purpose |
|------|---------|
| Okta Universal Directory | Identity lifecycle management |
| AWS IAM Identity Center | Cloud access management |
| BambooHR | HR system of record for provisioning triggers |
| AWS Secrets Manager | Service account credential rotation |
| Datadog | Monitoring and alerting on account events |

## Responsible Roles

| Role | Responsibility |
|------|---------------|
| IT Help Desk | Day-to-day account provisioning and de-provisioning |
| CISO (Sarah Chen) | Approval of privileged and emergency accounts |
| HR Operations | Initiating provisioning and termination workflows |
| Engineering Managers | Quarterly access review certification |

## Evidence Requirements

- Okta system log export showing account lifecycle events (create,
  modify, deactivate) for the review period
- Quarterly access review completion report from Okta Access
  Certifications with manager sign-off
- AWS CloudTrail logs showing IAM Identity Center permission set changes
- Screenshot of Okta lifecycle policy configuration

## Review Frequency

This standard shall be reviewed semi-annually and updated when account
management tooling, organizational structure, or regulatory requirements
change.
```

## Extension Tools

### `check_control_narrative_coverage`

Validates control standard files for coverage, completeness, and narrative quality. Accepts a single file or an entire directory of standards.

| Check | What It Validates | Severity |
|-------|------------------|----------|
| **Required sections** | All 7 sections present: Control Objective, Implementation Narrative, Technology and Tools, Responsible Roles, Evidence Requirements, Related Controls, Review Frequency | WARNING for each missing section |
| **Narrative length** | Implementation Narrative is at least 100 characters | WARNING if too short |
| **Vague language** | Flags phrases like "as needed", "periodically", "appropriate controls", "reasonable measures", "reviewed regularly" | INFO-level suggestion to replace with specifics |
| **Catalog cross-reference** | When given a catalog path, reports which controls have standards, which are missing, and coverage percentage per family | Informational |
| **Per-family coverage** | Visual progress bar showing coverage percentage for each family | WARNING if a family has less than 50% coverage |
| **Missing controls list** | Lists specific control IDs that still need standards written | Informational |

The tool works in two modes: point it at a single standard file for structure validation, or point it at the `output/standards/` directory with a catalog path for full coverage reporting.
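To make the checks in the table concrete, here is an added Python re-implementation of the same logic, written for this page and not the skill's own `check_control_narrative_coverage` code. It splits a standard into its `##` sections, applies the seven-section, 100-character and vague-phrase checks, and computes per-family coverage with the 50% warning threshold against a list of selected control IDs that stands in for `tailored-control-catalog.json` (the page does not show that file's format, so the plain list of IDs is an assumption). The two standards and the catalog list are constructed inputs; one is complete and one has the defects the checks are meant to catch.

```python
import re
from collections import defaultdict

# The seven sections and vague phrases listed on the page; the checker itself
# is an added re-implementation, not the skill's own tool.
REQUIRED_SECTIONS = [
    "Control Objective", "Implementation Narrative", "Technology and Tools",
    "Responsible Roles", "Evidence Requirements", "Related Controls",
    "Review Frequency",
]
VAGUE_PHRASES = ["as needed", "periodically", "appropriate controls",
                 "reasonable measures", "reviewed regularly"]
MIN_NARRATIVE_CHARS = 100
CONTROL_ID = re.compile(r"^([A-Z]{2})-\d+")   # "AC-2" -> family "AC"


def split_sections(markdown):
    """Map each '## Heading' to its body; '###' sub-headings stay inside the body."""
    sections, current = {}, None
    for line in markdown.splitlines():
        m = re.match(r"^##\s+(.+?)\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(body).strip() for name, body in sections.items()}


def check_standard(markdown):
    """Structure and narrative-quality findings for one standard as (severity, message)."""
    sections = split_sections(markdown)
    findings = [("WARNING", f"missing section: {name}")
                for name in REQUIRED_SECTIONS if name not in sections]
    narrative = sections.get("Implementation Narrative", "")
    if len(narrative) < MIN_NARRATIVE_CHARS:
        findings.append(("WARNING", f"narrative too short ({len(narrative)} chars)"))
    for phrase in VAGUE_PHRASES:
        if phrase in narrative.lower():
            findings.append(("INFO", f"vague language: '{phrase}'"))
    return findings


def family_coverage(catalog_ids, written_ids):
    """Per-family coverage of the selected controls; families under 50% get a WARNING."""
    tally = defaultdict(lambda: {"total": 0, "done": 0, "missing": []})
    for cid in catalog_ids:
        family = CONTROL_ID.match(cid).group(1)
        tally[family]["total"] += 1
        if cid in written_ids:
            tally[family]["done"] += 1
        else:
            tally[family]["missing"].append(cid)
    report = {}
    for family, t in tally.items():
        pct = round(100 * t["done"] / t["total"])
        filled = pct // 10   # ten-step progress bar
        report[family] = {"pct": pct, "bar": "#" * filled + "." * (10 - filled),
                          "missing": t["missing"],
                          "severity": "WARNING" if pct < 50 else "OK"}
    return report


def render_standard(title, sections):
    """Build a markdown standard from {section: body} (used for the constructed inputs)."""
    parts = [f"# {title}", ""]
    for name, body in sections.items():
        parts += [f"## {name}", body, ""]
    return "\n".join(parts)


# Constructed inputs: one complete standard and one with the defects the checks catch.
GOOD_SECTIONS = {
    "Control Objective": "Define, create, enable, modify, disable and remove accounts.",
    "Implementation Narrative": (
        "### Account Types\nIndividual accounts are provisioned through Okta Universal "
        "Directory via SCIM from BambooHR. Involuntary terminations deactivate the "
        "Okta account within 1 hour and revoke active AWS sessions."),
    "Technology and Tools": "Okta, AWS IAM Identity Center, BambooHR.",
    "Responsible Roles": "IT Help Desk provisions; the CISO approves privileged accounts.",
    "Evidence Requirements": "Okta system log export; quarterly access review report.",
    "Related Controls": "AC-3, AC-7, IA-4.",
    "Review Frequency": "Semi-annually.",
}
WEAK_SECTIONS = {k: v for k, v in GOOD_SECTIONS.items() if k != "Related Controls"}
WEAK_SECTIONS["Implementation Narrative"] = "Accounts are reviewed periodically and disabled as needed."

STANDARDS = {"AC-2": render_standard("AC-2 Account Management", GOOD_SECTIONS),
             "AC-3": render_standard("AC-3 Access Enforcement", WEAK_SECTIONS)}
CATALOG = ["AC-1", "AC-2", "AC-3", "AC-7", "SC-7"]   # stand-in for tailored-control-catalog.json

if __name__ == "__main__":
    for cid, text in STANDARDS.items():
        print(cid, check_standard(text) or "PASS")
    for family, r in family_coverage(CATALOG, STANDARDS).items():
        print(f"{family} [{r['bar']}] {r['pct']}% {r['severity']} missing={r['missing']}")
```

Run stand-alone, AC-2 passes cleanly while AC-3 collects a missing-section warning, a too-short narrative warning and two vague-language suggestions; the coverage report shows AC at 50% (AC-1 and AC-7 still missing) and SC at 0% with a warning. The vague-phrase check is a plain substring match, which is why it catches "periodically" but would also flag it inside a longer word; a production checker would want word-boundary matching.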

## Getting Started

Complete the **Baseline Selector** skill first -- the Control Standard Author reads `tailored-control-catalog.json` to know which controls need implementation standards.

Once the baseline is ready, start a session with the Control Standard Author skill active. You can work family by family or request specific controls:
- "Write implementation standards for the AC family"
- "Create a standard for AC-2 Account Management"
- "Check coverage of standards across all families"

Have these details ready to help the agent write specific narratives:
- Your identity provider and SSO tool (Okta, Azure AD, etc.)
- Cloud provider and key services (AWS IAM, S3, CloudWatch, etc.)
- Monitoring and logging tools (Datadog, Splunk, CloudTrail, etc.)
- Ticketing and workflow systems (Jira, ServiceNow, etc.)
- Names and titles of personnel responsible for each control area
- Specific configurations, thresholds, and timeframes your organization uses

The more specific your technology and process details, the stronger the implementation narratives will be for assessment and audit readiness.

