# NIST SP 800-53 / CSF Crosswalk

> Bidirectional crosswalk between NIST Cybersecurity Framework (CSF) 2.0 subcategories and SP 800-53 Rev 5 controls. Maps CSF subcategories to 800-53 controls and vice versa, identifies gaps in either direction, and produces a crosswalk document for dual-framework compliance.



Tags: NIST, NIST 800-53, NIST CSF, Cybersecurity, Compliance, GRC, USA


## Example Prompts

- Map our CSF profile subcategories to 800-53 controls
- Show which CSF functions our 800-53 baseline covers
- Create a bidirectional crosswalk between CSF 2.0 and 800-53
- Identify CSF subcategories not covered by our selected controls

URL: https://rakenne.app/skills/nist-800-53-csf-crosswalk/index.md




## Overview

Produce a bidirectional crosswalk between NIST Cybersecurity Framework (CSF) 2.0 subcategories and SP 800-53 Rev 5 controls. The agent reads an authoritative reference mapping covering all 6 CSF functions (Govern, Identify, Protect, Detect, Respond, Recover) with approximately 90 subcategories and maps them to specific 800-53 controls. When a tailored control catalog is available, the crosswalk indicates which mapped controls are in scope and flags CSF subcategories where none of the corresponding 800-53 controls have been selected. The output is a crosswalk document for organizations that need to demonstrate alignment to both frameworks simultaneously.

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace — see the full walkthrough for how all 7 skills work together.

## Example

> **You:** MedVault Health Systems needs a bidirectional crosswalk between our NIST CSF 2.0 profile and the 800-53 controls we've selected. We need to show our board that our 800-53 compliance program also satisfies our CSF commitments, and identify any CSF subcategories that fall through the cracks.
>
> **Agent:** I'll build the full bidirectional crosswalk. *(Reads references/csf-to-800-53-mapping.md for the authoritative NIST mapping, then reads tailored-control-catalog.json to check which controls are in scope.)* I've mapped all 6 CSF functions. In the CSF-to-800-53 direction, 84 of 90 subcategories have at least one in-scope 800-53 control. Six subcategories under GV (Govern) have no matching selected controls — these are governance-focused areas where your PM-family controls were tailored out. In the 800-53-to-CSF direction, 261 of your 287 selected controls map to at least one CSF subcategory; the remaining 26 are 800-53-specific requirements (mostly PT and SR families) with no CSF equivalent. I ran `check_crosswalk_coverage` to verify completeness — all functions and families are represented. The crosswalk is saved to `output/csf-crosswalk.md`.

## Excerpt of a generated crosswalk

Below is a condensed example from a generated CSF-to-800-53 crosswalk document:

---

```markdown
# NIST CSF 2.0 / SP 800-53 Crosswalk — MedVault Health Systems

**Date:** 2026-03-18
**Direction:** Bidirectional
**CSF Subcategories Mapped:** 84 / 90
**800-53 Controls Mapped:** 261 / 287

## CSF → 800-53: Protect (PR) Function

| CSF Subcategory | Description | 800-53 Controls | In Scope? |
|-----------------|-------------|-----------------|-----------|
| PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed | AC-1, AC-2, IA-1, IA-2, IA-4, IA-5, IA-8 | All |
| PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | IA-2, IA-4, IA-5, IA-8, IA-12 | All |
| PR.AA-03 | Users, services, and hardware are authenticated | AC-14, AC-17, IA-1, IA-2, IA-4, IA-5 | All |
| PR.AA-04 | Identity assertions are protected, conveyed, and verified | IA-2, IA-4, IA-5, IA-8, SC-23 | All |
| PR.AA-05 | Access permissions, entitlements, and authorizations are defined and managed | AC-1, AC-2, AC-3, AC-6, AC-24 | 4 of 5 |

## 800-53 → CSF: Access Control (AC) Family

| 800-53 Control | CSF Subcategories |
|----------------|-------------------|
| AC-1 | GV.PO-01, PR.AA-01, PR.AA-05 |
| AC-2 | PR.AA-01, PR.AA-05, DE.CM-03 |
| AC-3 | PR.AA-05, PR.DS-01 |
| AC-6 | PR.AA-05 |
| AC-17 | PR.AA-03, PR.DS-01, PR.IR-01 |
```


## Validation tools

The skill includes an extension tool that automates crosswalk coverage verification:

- **check_crosswalk_coverage** — Scans the crosswalk document and extracts all CSF 2.0 subcategory IDs (matching the standard notation GV.xx-nn, ID.xx-nn, PR.xx-nn, DE.xx-nn, RS.xx-nn, RC.xx-nn) and all 800-53 control IDs. Reports the count of CSF subcategories mentioned broken down by function (Govern, Identify, Protect, Detect, Respond, Recover) and 800-53 controls mentioned broken down by family. Warns if any CSF function has zero subcategories in the crosswalk or if no control IDs are found, indicating incomplete coverage that needs to be addressed before the crosswalk is finalized.
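A sketch of the coverage check described above, as an added example that is not the skill's own tool code: the function name `check_coverage`, the regular expressions and the sample rows (constructed from the excerpt on this page) are assumptions. It handles one edge case the description implies: CSF category codes such as `PR.IR-01` or `DE.CM-03` end in text that looks like an 800-53 control ID (`IR-01`, `CM-03`) and must not be counted as controls.

```python
import re
from collections import Counter

CSF_FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                 "DE": "Detect", "RS": "Respond", "RC": "Recover"}
# SP 800-53 Rev 5 control family identifiers.
FAMILIES = "AC AT AU CA CM CP IA IR MA MP PE PL PM PS PT RA SA SC SI SR".split()

# CSF 2.0 subcategory notation: FUNCTION.CATEGORY-nn (e.g. PR.AA-01).
CSF_ID = re.compile(r"\b(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}\b")
# The lookbehind rejects the tail of a CSF ID (the "IR-01" in "PR.IR-01").
CONTROL_ID = re.compile(
    r"(?<![A-Za-z0-9.])(%s)-(\d{1,2})(?![\w-])" % "|".join(FAMILIES))


def check_coverage(text):
    """Count distinct CSF subcategories per function and controls per family."""
    subcats = {m.group(0) for m in CSF_ID.finditer(text)}
    # Normalise "AC-01" and "AC-1" to the same control.
    controls = {f"{m.group(1)}-{int(m.group(2))}"
                for m in CONTROL_ID.finditer(text)}
    by_function = Counter(s[:2] for s in subcats)
    by_family = Counter(c.split("-")[0] for c in controls)
    warnings = [f"no {name} ({code}) subcategories in crosswalk"
                for code, name in CSF_FUNCTIONS.items()
                if by_function[code] == 0]
    if not controls:
        warnings.append("no 800-53 control IDs found")
    return {"by_function": dict(by_function),
            "by_family": dict(by_family),
            "warnings": warnings}


# Constructed sample: four rows taken from the excerpt above.
SAMPLE = """
| PR.AA-01 | Identities and credentials | AC-1, AC-2, IA-1, IA-2, IA-4, IA-5, IA-8 | All |
| PR.AA-05 | Access permissions | AC-1, AC-2, AC-3, AC-6, AC-24 | 4 of 5 |
| AC-2 | PR.AA-01, PR.AA-05, DE.CM-03 |
| AC-17 | PR.AA-03, PR.DS-01, PR.IR-01 |
"""

if __name__ == "__main__":
    report = check_coverage(SAMPLE)
    print(report["by_function"], report["by_family"])
    for w in report["warnings"]:
        print("WARNING:", w)
```

On the sample rows the check reports only the Protect and Detect functions, so it warns for Govern, Identify, Respond and Recover, which is the incomplete-coverage signal the tool description refers to.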

## Getting Started

Complete your baseline selection first so the crosswalk can indicate which 800-53 controls are in scope. If you have a CSF profile from the NIST CSF Profile Author skill, the agent can use it to focus the crosswalk on your prioritized subcategories. Activate the CSF Crosswalk skill and specify whether you want CSF-to-800-53, 800-53-to-CSF, or bidirectional — the agent will read the authoritative reference mapping, build the crosswalk, validate it with the coverage check tool, and save the result.



