# NIST SP 800-53 Family Policy Author

> Author NIST SP 800-53 family-level policies (the -1 controls) for each control family. Produces structured policy documents with Purpose, Scope, Applicability, Policy Statements, Roles & Responsibilities, Compliance & Enforcement, Review Frequency, and Related Documents sections. Validates completeness and structure.
Tags: NIST, NIST 800-53, Compliance, GRC, Policy, USA
## Example Prompts

- Write the Access Control policy (AC-1) for our organization
- Create policies for all families in our tailored baseline
- Review and validate our existing AU-1 audit policy
- Generate the Incident Response policy (IR-1) document

URL: https://rakenne.app/skills/nist-800-53-family-policy-author/index.md

Try this skill: https://rakenne.app/a/?skill=nist-800-53-family-policy-author
## Overview

Each control family in NIST SP 800-53 requires a -1 control (AC-1, AU-1, CM-1, etc.) that establishes the policy and procedures for that family. These are the foundation documents that auditors review first -- they set the organizational intent before any implementation detail. This skill produces one policy document per family, tailored to your organization's context from the organization profile.

### What It Covers

- **8 Required Sections** -- Purpose, Scope, Applicability, Policy Statements, Roles and Responsibilities, Compliance and Enforcement, Review Frequency, and Related Documents
- **Prescriptive Language** -- validates that policy statements use "shall", "must", or "is required to" rather than descriptive phrasing
- **Control References** -- ensures each policy references its governing -1 control
- **Review Frequency** -- validates that a specific cadence is stated (annually, quarterly, etc.)
- **Section Completeness** -- flags sections shorter than 50 characters as likely incomplete

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace — see the full walkthrough for how all 7 skills work together.

## Example Conversation

> **You:** Let's write the Access Control policy -- AC-1. We're MedVault Health Systems with a High baseline, HIPAA/FedRAMP/PCI-DSS/SOX overlays.
>
> **Agent:** I'll write the AC-1 Access Control Policy tailored to MedVault. I've loaded your organization profile and tailored catalog -- your AC family has 25 controls selected including several HIPAA and FedRAMP overlay additions.
>
> Let me draft the full policy document with all 8 required sections...
>
> I've written the AC-1 policy to `output/policies/AC-1-policy.md`. Here is a summary of the key policy statements:
>
> - All access to MedVault EHR platform systems shall be authorized, authenticated, and auditable
> - Workforce members shall be granted minimum necessary access based on job function and clinical role
> - Privileged access shall require multi-factor authentication and shall be reviewed quarterly
> - Access to systems containing PHI shall comply with HIPAA Minimum Necessary requirements
> - All user accounts shall be managed through Okta SSO with automated provisioning and de-provisioning
> - Access reviews shall be conducted quarterly for privileged accounts and semi-annually for standard accounts
>
> Let me now validate the structure...
>
> I've run `check_policy_structure` on the document. Results:
>
> **PASS** -- Policy structure is complete.
> - All 8 required sections present
> - Control reference: AC-1 found in Purpose and Policy Statements
> - Review frequency: "annually and upon significant organizational or regulatory change"
> - Prescriptive language confirmed in Policy Statements section
>
> **You:** Looks good. Can you also write the Audit and Accountability policy -- AU-1?
>
> **Agent:** Writing AU-1 now. For MedVault's High baseline with HIPAA and FedRAMP overlays, audit controls are especially critical -- HIPAA requires audit logs for all PHI access, and FedRAMP mandates centralized log management.
>
> Draft complete. Key policy statements for AU-1:
>
> - All access to systems containing PHI or PII shall generate audit records including user identity, timestamp, action, and outcome
> - Audit logs shall be retained for a minimum of six years per HIPAA requirements and one year online per FedRAMP
> - The organization shall deploy centralized log aggregation using AWS CloudWatch and Datadog
> - Audit log integrity shall be protected through immutable storage in S3 with Object Lock
> - Anomalous audit events shall trigger automated alerts to the security operations team within 15 minutes
>
> Running `check_policy_structure`...
>
> **PASS** -- Policy structure is complete. All 8 sections present, AU-1 referenced, review frequency specified as "annually."
>
> **You:** Great. How many more family policies do we need?
>
> **Agent:** Based on your tailored catalog, you have controls selected across 19 families (PM was excluded during tailoring). That means **19 family policies total**. You've completed 2 so far (AC-1, AU-1), leaving **17 remaining**. I can continue in any order you prefer, or work alphabetically through the remaining families: AT-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, PT-1, RA-1, SA-1, SC-1, SI-1, SR-1.

## Sample Output Excerpt

The skill produces a structured markdown policy document for each family. Here is a representative excerpt from the AC-1 Access Control Policy.

---

```markdown
# AC-1 Access Control Policy

**MedVault Health Systems, Inc.**
**Document Version:** 1.0
**Effective Date:** 2026-03-18
**Classification:** Internal

## Purpose

This policy establishes the access control requirements for MedVault Health
Systems in accordance with NIST SP 800-53 Rev 5 control AC-1. It defines the
principles, rules, and responsibilities governing logical and physical access
to MedVault EHR platform systems, data, and facilities. This policy supports
compliance with HIPAA Security Rule (45 CFR 164.312), FedRAMP High baseline
requirements, PCI-DSS v4.0 Requirement 7, and SOX IT General Controls.

## Scope

This policy applies to all information systems within the MedVault EHR
Platform authorization boundary, including:

- Production EHR web application and API services
- AWS infrastructure (VPC, RDS, S3, EKS) in us-west-2 and us-east-1
- Supporting systems: Okta SSO, Datadog, GitHub, CI/CD pipelines

## Policy Statements

1. **Least Privilege.** All workforce members shall be granted the minimum
   access necessary to perform their assigned duties. Access rights shall be
   determined by job function, clinical role, and the HIPAA Minimum Necessary
   standard.

2. **Authentication.** All users shall authenticate through Okta SSO. Access
   to systems containing PHI or processing payment card data shall require
   multi-factor authentication (MFA) using phishing-resistant methods (FIDO2
   or Okta Verify push).

3. **Account Management.** User accounts shall be provisioned through
   automated workflows in Okta. Accounts shall be disabled within 24 hours
   of separation and within 1 hour for involuntary termination.

## Review Frequency

This policy shall be reviewed annually and upon significant organizational,
regulatory, or technology changes. The CISO is responsible for initiating the
review. All changes require approval from the Compliance Lead and executive
sponsor.
```

## Extension Tools

### `check_policy_structure`

Reads a policy markdown file and validates required headings, control references, review frequency, section completeness, and prescriptive language.

| Check | What It Validates | Severity |
|-------|------------------|----------|
| **Required headings** | All 8 sections present: Purpose, Scope, Applicability, Policy Statements, Roles and Responsibilities, Compliance and Enforcement, Review Frequency, Related Documents | ERROR for each missing section |
| **Control reference** | The family's -1 control ID appears in the document (e.g., AC-1, AU-1, CM-1) | WARNING if no -1 reference found |
| **Review frequency** | The Review Frequency section contains a specific cadence (annually, semi-annually, quarterly, monthly, or upon significant change) | WARNING if no clear frequency |
| **Section length** | Each required section is at least 50 characters long | WARNING for sections that are too short |
| **Prescriptive language** | Policy Statements section uses "shall", "must", "will", or "is required to" | WARNING if only descriptive language found |

The validator reports all control IDs referenced in the document, making it easy to verify cross-references between policies.
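The source of the skill's own `check_policy_structure` tool is not shown on this page, so the following is an added example, written here, of how the five checks in the table above (and the matching items under "What It Covers") can be implemented. Section names, severities, the 50-character threshold, the cadence words and the prescriptive words follow the table; the `family` argument, the `Finding`/`Report` types, the treatment of "&" as "and" in headings, and the two sample policy documents are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# The 8 sections the table requires; "&" in a heading is read as "and" (assumption).
REQUIRED_SECTIONS = ["Purpose", "Scope", "Applicability", "Policy Statements",
                     "Roles and Responsibilities", "Compliance and Enforcement",
                     "Review Frequency", "Related Documents"]
MIN_SECTION_CHARS = 50
FREQUENCY = re.compile(r"\b(annually|semi-annually|quarterly|monthly|upon significant)\b", re.I)
PRESCRIPTIVE = re.compile(r"\b(shall|must|will|is required to)\b", re.I)
CONTROL_ID = re.compile(r"\b[A-Z]{2}-\d+\b")   # AC-1, AU-12, SR-3 ...

@dataclass
class Finding:
    severity: str   # "ERROR" or "WARNING", as in the table above
    message: str

@dataclass
class Report:
    findings: list = field(default_factory=list)
    control_ids: list = field(default_factory=list)   # every control ID seen

    @property
    def passed(self) -> bool:
        # Only a missing section is an ERROR; warnings do not fail the document.
        return not any(f.severity == "ERROR" for f in self.findings)

def _norm(heading: str) -> str:
    """Normalise a heading so 'Roles & Responsibilities' matches the required name."""
    return re.sub(r"\s+", " ", heading.replace("&", "and")).strip().lower()

def split_sections(markdown: str) -> dict:
    """Map each normalised '## Heading' to the text beneath it (level-2 headings only)."""
    sections, current, body = {}, None, []
    for line in markdown.splitlines():
        m = re.match(r"^##\s+(.+?)\s*$", line)
        if m:
            if current is not None:
                sections[current] = "\n".join(body).strip()
            current, body = _norm(m.group(1)), []
        elif current is not None:
            body.append(line)
    if current is not None:
        sections[current] = "\n".join(body).strip()
    return sections

def check_policy_structure(markdown: str, family: str) -> Report:
    """Run the five checks from the table against one family policy document."""
    report, sections = Report(), split_sections(markdown)

    def warn(msg):
        report.findings.append(Finding("WARNING", msg))

    for name in REQUIRED_SECTIONS:                       # 1. required headings
        if _norm(name) not in sections:
            report.findings.append(Finding("ERROR", f"Missing required section: {name}"))
    report.control_ids = sorted({m.group(0) for m in CONTROL_ID.finditer(markdown)})
    if f"{family}-1" not in report.control_ids:         # 2. governing -1 control
        warn(f"No reference to {family}-1 found")
    review = sections.get(_norm("Review Frequency"), "")
    if review and not FREQUENCY.search(review):          # 3. explicit cadence
        warn("Review Frequency does not state a specific cadence")
    for name in REQUIRED_SECTIONS:                       # 4. section completeness
        body = sections.get(_norm(name))
        if body is not None and len(body) < MIN_SECTION_CHARS:
            warn(f"Section '{name}' is shorter than {MIN_SECTION_CHARS} characters")
    statements = sections.get(_norm("Policy Statements"), "")
    if statements and not PRESCRIPTIVE.search(statements):   # 5. prescriptive language
        warn("Policy Statements section uses only descriptive language")
    return report

# Constructed sample document (not output from the skill); it should PASS cleanly.
GOOD_POLICY = """# AC-1 Access Control Policy
## Purpose
This policy establishes access control requirements per NIST SP 800-53 control AC-1.
## Scope
This policy applies to all systems within the EHR platform authorization boundary.
## Applicability
This policy applies to all workforce members, contractors, and service accounts.
## Policy Statements
1. Workforce members shall be granted the minimum access necessary for their role.
2. Privileged access shall require multi-factor authentication (see AC-2, AC-6).
## Roles & Responsibilities
The CISO owns this policy; system owners implement it for their systems.
## Compliance & Enforcement
Violations may result in disciplinary action up to and including termination.
## Review Frequency
This policy shall be reviewed annually and upon significant organizational change.
## Related Documents
AC-2 Account Management Procedure; AU-1 Audit and Accountability Policy.
"""
# Constructed failing variant: drops Applicability, softens "shall", vague cadence.
BAD_POLICY = (GOOD_POLICY.replace("## Applicability\n", "## Audience\n")
              .replace("shall ", "should ")
              .replace("annually and upon significant organizational change", "from time to time"))

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        r = check_policy_structure(doc, "AC")
        print(label, "PASS" if r.passed else "FAIL", r.control_ids,
              *[f"{f.severity}: {f.message}" for f in r.findings], sep="\n  ")
```

Run stand-alone, the good document passes with no findings and reports the cross-referenced IDs `AC-1, AC-2, AC-6, AU-1`; the bad variant fails on the missing Applicability section and additionally warns about the vague cadence, the now too-short Review Frequency section, and the descriptive wording in Policy Statements. Splitting only on level-2 headings is a deliberate choice: the H1 title and any nested `###` subsections stay inside the section they belong to, so a long policy statement broken into sub-headings still counts toward that section's length.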

## Getting Started

Complete the **Baseline Selector** skill first -- the Family Policy Author reads `tailored-control-catalog.json` to determine which families need policies.

Once the baseline is ready, start a session with the Family Policy Author skill active. You can request policies in any order:

- Ask for a specific family: "Write the AC-1 Access Control policy"
- Ask for all policies: "Write policies for all families in my tailored catalog"
- Ask for a priority set: "Start with the critical families -- AC-1, AU-1, SC-1, SI-1"

Have these details ready to help the agent tailor the policies:

- Your organization's specific technology stack (Okta, AWS, Datadog, etc.)
- Key personnel names and titles for the Roles and Responsibilities section
- Any regulatory-specific requirements that should appear in policy statements
- Your preferred review cadence (most organizations use "annually" for policies)

