Overview
Build and validate the organizational context profile for NIST SP 800-53 Rev 5 compliance. Captures FIPS 199 security categorization (Confidentiality, Integrity, Availability impact levels), applicable regulations (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC), existing frameworks, and authorization boundary. Validates completeness of categorization and scope for downstream baseline selection and control implementation.
The organization profile is the foundation of the entire 800-53 program. Every downstream skill – baseline selection, policy authoring, control standards, gap analysis, and CSF crosswalk – reads this file for consistent organizational context. Getting it right here prevents rework across the entire compliance lifecycle.
What It Covers
- FIPS 199 Security Categorization – impact levels for Confidentiality, Integrity, and Availability across all information types, with high-water mark derivation
- Applicable Regulations – HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC, and other industry-specific requirements
- Existing Frameworks – ISO 27001, SOC 2, CIS Controls, NIST CSF, and other certifications or attestations
- Authorization Boundary – system name, in-scope components, exclusions with justification, interconnections, and data flows
- Key Personnel – executive sponsor, compliance lead, CISO, system owner, and IT security lead
This skill is part of the NIST SP 800-53 Compliance Program workspace — see the full walkthrough for how all 7 skills work together.
Example Conversation
You: We need to build an organization profile for our NIST 800-53 compliance program. We’re MedVault Health Systems, a healthcare IT company with about 220 employees. We run an EHR platform on AWS.
Agent: I’ll help you build the organization profile. Let me start with the basics and work through each section. First, a few questions:
- What is the legal entity name?
- Where are your offices and data centers located?
- What departments make up the organization?
- Who are the key personnel for the compliance program – executive sponsor, CISO, compliance lead, system owner?
You: Legal entity is MedVault Health Systems, Inc. HQ in Austin, TX. Disaster recovery site in us-east-1. Departments: Engineering, Product, Clinical Operations, Compliance & Legal, HR, Finance. Our CEO is the exec sponsor, we have a CISO (Sarah Chen), compliance lead is James Rivera, and the system owner is our VP of Engineering.
Agent: Good. Now for the critical part – FIPS 199 Security Categorization. This drives your entire 800-53 program. What information types does your EHR platform process, store, or transmit? For healthcare, typical types include:
- Protected Health Information (PHI)
- Payment card data
- Employee PII
- System audit logs
For each type, I need to assess Confidentiality, Integrity, and Availability impact.
You: We process PHI including diagnosis records, prescription data, and lab results. We also handle insurance billing data and employee HR records. Our platform must be available 24/7 for clinical use.
Agent: Based on those information types and healthcare industry guidance from NIST SP 800-60 Vol 2, here is the categorization:
| Information Type | Confidentiality | Integrity | Availability |
|---|---|---|---|
| PHI (diagnosis, prescriptions, labs) | High | High | High |
| Insurance billing data | High | High | Moderate |
| Employee HR records | Moderate | Moderate | Low |
| System audit logs | Moderate | High | Moderate |

Applying the high-water mark principle across all types: Confidentiality: High, Integrity: High, Availability: High. Overall FIPS 199 impact level: High.
Now, which regulations apply? For a healthcare IT company with PHI handling, I’d expect at minimum HIPAA. Do any of these also apply?
- FedRAMP (if serving federal agencies)
- PCI-DSS (if processing payment cards)
- SOX (if publicly traded)
You: HIPAA for sure, FedRAMP because we serve VA hospitals, PCI-DSS for patient payment processing, and SOX because we went public last year.
Agent: Got it – four regulatory overlays. Let me also capture existing frameworks. Do you have any current certifications or compliance programs?
You: We completed SOC 2 Type II last year and we’re using CIS Controls v8 at Implementation Group 2.
Agent: Excellent – those provide a strong foundation. Now let me define the authorization boundary. I’ll write up the profile and run the validator…
I’ve run fips199_categorization_validator on the draft profile. Results:
Profile Completeness: 86% (6/7 sections)
- 1 WARNING: No out-of-scope items defined. Explicitly stating exclusions reduces scope ambiguity.
Can you tell me what components are explicitly out of scope? For example, corporate Wi-Fi, employee personal devices, or third-party SaaS tools not directly part of the EHR platform?
You: Corporate guest Wi-Fi is out of scope, and employee personal mobile devices since we don’t allow BYOD for clinical access.
Agent: Profile updated with out-of-scope exclusions and justifications. Running the validator again…
PASS – All validation checks passed. Profile Completeness: 100% (7/7 sections). The organization-profile.json file is saved and ready for baseline selection.
Sample Output Excerpt
The skill produces a structured JSON organization profile. Here is a representative excerpt showing the organization, FIPS 199 categorization, regulatory, existing-framework, and scope-boundary sections.
```json
{
  "organization": {
    "name": "MedVault Health Systems, Inc.",
    "legal_entity": "MedVault Health Systems, Inc.",
    "industry": "Healthcare IT",
    "size": { "employees": 220, "revenue_band": "$50M-$100M" },
    "locations": [
      { "name": "Austin HQ", "type": "headquarters" },
      { "name": "AWS us-west-2", "type": "primary_data_center" },
      { "name": "AWS us-east-1", "type": "disaster_recovery" }
    ],
    "departments": [
      "Engineering", "Product", "Clinical Operations",
      "Compliance & Legal", "HR", "Finance"
    ],
    "key_personnel": {
      "executive_sponsor": "Michael Torres, CEO",
      "ciso": "Sarah Chen, CISO",
      "compliance_lead": "James Rivera, Director of Compliance",
      "system_owner": "Priya Patel, VP of Engineering",
      "it_security_lead": "David Kim, Sr. Security Engineer"
    }
  },
  "fips199_categorization": {
    "information_types": [
      {
        "name": "Protected Health Information (PHI)",
        "confidentiality": "High",
        "integrity": "High",
        "availability": "High"
      },
      {
        "name": "Insurance Billing Data",
        "confidentiality": "High",
        "integrity": "High",
        "availability": "Moderate"
      }
    ],
    "overall": {
      "confidentiality": "High",
      "integrity": "High",
      "availability": "High"
    },
    "overall_impact_level": "High"
  },
  "applicable_regulations": ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"],
  "existing_frameworks": [
    { "name": "SOC 2 Type II", "status": "Certified (2025)" },
    { "name": "CIS Controls v8", "status": "IG2 implemented" }
  ],
  "scope_boundaries": {
    "system_name": "MedVault EHR Platform",
    "system_description": "Cloud-hosted electronic health records platform serving hospitals and clinics",
    "in_scope": [
      { "item": "EHR web application", "description": "Patient-facing and clinician-facing portals" },
      { "item": "AWS infrastructure", "description": "VPC, RDS, S3, EKS clusters in us-west-2 and us-east-1" },
      { "item": "API gateway", "description": "External integrations with labs, pharmacies, and insurance" }
    ],
    "out_of_scope": [
      { "item": "Corporate guest Wi-Fi", "justification": "Isolated network segment with no access to EHR systems or data" },
      { "item": "Employee personal devices", "justification": "BYOD prohibited for clinical access; corporate MDM enforced on managed devices" }
    ]
  }
}
```
Extension Tools
fips199_categorization_validator
Reads the organization profile JSON and validates FIPS 199 fields, regulations, scope boundaries, and overall profile completeness.
| Check | What It Validates | Severity |
|---|---|---|
| Organization basics | Name and industry sector are present | ERROR if missing |
| Locations | At least one location is documented | WARNING if empty |
| Key personnel | System owner, CISO, compliance lead are identified | WARNING if missing |
| Information types | At least one information type with C/I/A ratings (Low, Moderate, High) | ERROR if missing or invalid |
| Overall categorization | C/I/A overall levels present and valid, overall impact level derived | ERROR if missing |
| Applicable regulations | At least one regulation specified (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC) | ERROR if empty |
| Scope boundaries | System name, in-scope items defined; out-of-scope items have justification | ERROR if no in-scope; WARNING on missing exclusions |
| Existing frameworks | ISO 27001, SOC 2, CIS, CSF programs documented | WARNING if empty |
| Completeness score | Reports percentage of sections filled (0-100%) | Informational |
The validator reports a PASS (no findings), WARN (warnings only), or FAIL (errors present) result, along with a completeness percentage. Iterate until all errors are resolved.
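The following is an added, illustrative example written for this page; it is not the workspace's fips199_categorization_validator and does not reproduce its code. It shows two things the page describes but does not spell out in code: the high-water mark derivation listed under What It Covers (per objective, the highest rating across all information types, then the highest objective as the overall impact level) and checks patterned on the table above, including the profile-must-match-derived-level rule and the PASS/WARN/FAIL roll-up. The profile layout follows the sample excerpt on this page; the choice of seven completeness sections (with the scope section counting only when both in-scope and out-of-scope items are present) is this example's own assumption, chosen so that a draft with no exclusions scores 6/7 as in the conversation. The DRAFT_PROFILE input is constructed for the example.

```python
# Added example, not the workspace's fips199_categorization_validator: derives the
# FIPS 199 high-water mark and runs checks patterned on the table above. The profile
# layout follows the sample excerpt; the seven completeness sections are assumed.
import copy

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
KNOWN_REGULATIONS = {"HIPAA", "PCI-DSS", "GDPR", "SOX", "FedRAMP", "FISMA", "CMMC"}
REQUIRED_ROLES = ("system_owner", "ciso", "compliance_lead")


def high_water_mark(info_types):
    """Per objective, the highest rating across all information types (FIPS 199).
    Returns None if there are no types or a rating is not Low/Moderate/High."""
    overall = {}
    for objective in OBJECTIVES:
        ratings = [t.get(objective) for t in info_types]
        if not ratings or any(r not in LEVELS for r in ratings):
            return None
        overall[objective] = max(ratings, key=LEVELS.__getitem__)
    return overall


def validate_profile(profile):
    """Return (status, findings, completeness_percent) for a profile dict."""
    findings = []  # (severity, message) pairs, in check order
    org, cat = profile.get("organization", {}), profile.get("fips199_categorization", {})
    regs, scope = profile.get("applicable_regulations", []), profile.get("scope_boundaries", {})
    personnel = org.get("key_personnel", {})

    if not (org.get("name") and org.get("industry")):
        findings.append(("ERROR", "organization name or industry missing"))
    if not org.get("locations"):
        findings.append(("WARNING", "no locations documented"))
    findings += [("WARNING", f"key personnel missing: {r}") for r in REQUIRED_ROLES if not personnel.get(r)]

    derived = high_water_mark(cat.get("information_types", []))
    if derived is None:
        findings.append(("ERROR", "information types missing or C/I/A rating invalid"))
    elif cat.get("overall") != derived:  # stated overall must equal the high-water mark
        findings.append(("ERROR", f"overall categorization should be {derived}"))
    elif cat.get("overall_impact_level") != max(derived.values(), key=LEVELS.__getitem__):
        findings.append(("ERROR", "overall_impact_level is not the highest objective level"))

    if not regs:
        findings.append(("ERROR", "no applicable regulations specified"))
    findings += [("WARNING", f"unrecognized regulation: {r}") for r in regs if r not in KNOWN_REGULATIONS]

    if not (scope.get("system_name") and scope.get("in_scope")):
        findings.append(("ERROR", "system name or in-scope items missing"))
    if not scope.get("out_of_scope"):
        findings.append(("WARNING", "no out-of-scope items defined"))
    findings += [("WARNING", f"exclusion lacks justification: {x.get('item')}")
                 for x in scope.get("out_of_scope", []) if not x.get("justification")]
    if not profile.get("existing_frameworks"):
        findings.append(("WARNING", "no existing frameworks documented"))

    # Completeness over seven assumed sections; scope counts only with both in-scope
    # and out-of-scope items present, so a draft with no exclusions scores 6/7 = 86%.
    sections = [
        bool(org.get("name") and org.get("industry")), bool(org.get("locations")),
        all(personnel.get(r) for r in REQUIRED_ROLES), derived is not None, bool(regs),
        bool(profile.get("existing_frameworks")),
        bool(scope.get("system_name") and scope.get("in_scope") and scope.get("out_of_scope")),
    ]
    completeness = round(100 * sum(sections) / len(sections))
    severities = {sev for sev, _ in findings}
    status = "FAIL" if "ERROR" in severities else "WARN" if "WARNING" in severities else "PASS"
    return status, findings, completeness


def add_exclusion(profile, item, justification):
    """Return a deep copy of the profile with one out-of-scope item appended."""
    updated = copy.deepcopy(profile)
    updated.setdefault("scope_boundaries", {}).setdefault("out_of_scope", []).append(
        {"item": item, "justification": justification})
    return updated


def rating(name, c, i, a):
    return {"name": name, "confidentiality": c, "integrity": i, "availability": a}


# Constructed draft profile (no exclusions yet), modelled on the MedVault excerpt.
DRAFT_PROFILE = {
    "organization": {"name": "MedVault Health Systems, Inc.", "industry": "Healthcare IT",
                     "locations": [{"name": "Austin HQ", "type": "headquarters"}],
                     "key_personnel": {"system_owner": "Priya Patel", "ciso": "Sarah Chen", "compliance_lead": "James Rivera"}},
    "fips199_categorization": {
        "information_types": [rating("PHI", "High", "High", "High"),
                              rating("Insurance billing data", "High", "High", "Moderate"),
                              rating("System audit logs", "Moderate", "High", "Moderate")],
        "overall": {"confidentiality": "High", "integrity": "High", "availability": "High"},
        "overall_impact_level": "High"},
    "applicable_regulations": ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"],
    "existing_frameworks": [{"name": "SOC 2 Type II", "status": "Certified"}],
    "scope_boundaries": {"system_name": "MedVault EHR Platform",
                         "in_scope": [{"item": "EHR web application"}], "out_of_scope": []},
}
```

Calling validate_profile(DRAFT_PROFILE) yields WARN at 86% with the single "no out-of-scope items defined" warning, mirroring the first validator run in the conversation; after add_exclusion(DRAFT_PROFILE, "Corporate guest Wi-Fi", "Isolated network segment with no access to EHR systems") it yields PASS at 100%. Note that the check compares the stated overall against the derived high-water mark rather than trusting it: a profile whose author hand-edits availability down to Moderate while a High-availability information type remains in the list fails, which is exactly the kind of quiet under-categorization that would later select too weak a baseline.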
Getting Started
Create a new project from the NIST SP 800-53 template, then start a session with the Organization Profile skill active. The agent will guide you through each section in order.
Have this information ready:
- Your organization’s legal name, industry sector, and headcount
- Office locations and data center regions
- Department or team structure
- Names and titles for key personnel: executive sponsor, CISO, compliance lead, system owner
- A list of information types your system processes, stores, or transmits
- Known regulatory obligations (HIPAA, FedRAMP, PCI-DSS, SOX, etc.)
- Any existing certifications or compliance programs (SOC 2, ISO 27001, CIS Controls)
- What falls inside and outside the authorization boundary
The completed profile feeds directly into the Baseline Selector skill and all other NIST 800-53 skills, so getting the FIPS 199 categorization right here is critical – it determines which controls apply to your entire program.