# NIST SP 800-53 Organization Profile

> Build and validate the organizational context profile for NIST SP 800-53 Rev 5 compliance. Captures FIPS 199 security categorization (Confidentiality, Integrity, Availability impact levels), applicable regulations (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC), existing frameworks, and authorization boundary. Validates completeness of categorization and scope for downstream baseline selection and control implementation.



Tags: NIST, NIST 800-53, FIPS 199, Compliance, GRC, USA


## Example Prompts

- Create an organization profile for our NIST 800-53 compliance program
- Perform FIPS 199 categorization for our healthcare information system
- Identify applicable regulatory overlays for our federal cloud service
- Define our authorization boundary and scope for 800-53 compliance

URL: https://rakenne.app/skills/nist-800-53-organization-profile/index.md

Try this skill: https://rakenne.app/a/?skill=nist-800-53-organization-profile



## Overview

The organization profile is the foundation of the entire 800-53 program. Every downstream skill -- baseline selection, policy authoring, control standards, gap analysis, and CSF crosswalk -- reads this file for consistent organizational context. Getting it right here prevents rework across the entire compliance lifecycle.

### What It Covers

- **FIPS 199 Security Categorization** -- impact levels for Confidentiality, Integrity, and Availability across all information types, with high-water mark derivation
- **Applicable Regulations** -- HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC, and other industry-specific requirements
- **Existing Frameworks** -- ISO 27001, SOC 2, CIS Controls, NIST CSF, and other certifications or attestations
- **Authorization Boundary** -- system name, in-scope components, exclusions with justification, interconnections, and data flows
- **Key Personnel** -- executive sponsor, compliance lead, CISO, system owner, and IT security lead

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace -- see the full walkthrough for how all 7 skills work together.

## Example Conversation

> **You:** We need to build an organization profile for our NIST 800-53 compliance program. We're MedVault Health Systems, a healthcare IT company with about 220 employees. We run an EHR platform on AWS.
>
> **Agent:** I'll help you build the organization profile. Let me start with the basics and work through each section. First, a few questions:
>
> 1. What is the legal entity name?
> 2. Where are your offices and data centers located?
> 3. What departments make up the organization?
> 4. Who are the key personnel for the compliance program -- executive sponsor, CISO, compliance lead, system owner?
>
> **You:** Legal entity is MedVault Health Systems, Inc. HQ in Austin, TX. Disaster recovery site in us-east-1. Departments: Engineering, Product, Clinical Operations, Compliance & Legal, HR, Finance. Our CEO is the exec sponsor, we have a CISO (Sarah Chen), compliance lead is James Rivera, and the system owner is our VP of Engineering.
>
> **Agent:** Good. Now for the critical part -- FIPS 199 Security Categorization. This drives your entire 800-53 program. What information types does your EHR platform process, store, or transmit? For healthcare, typical types include:
>
> - Protected Health Information (PHI)
> - Payment card data
> - Employee PII
> - System audit logs
>
> For each type, I need to assess Confidentiality, Integrity, and Availability impact.
>
> **You:** We process PHI including diagnosis records, prescription data, and lab results. We also handle insurance billing data and employee HR records. Our platform must be available 24/7 for clinical use.
>
> **Agent:** Based on those information types and healthcare industry guidance from NIST SP 800-60 Vol 2, here is the categorization:
>
> | Information Type | Confidentiality | Integrity | Availability |
> |-----------------|:-:|:-:|:-:|
> | PHI (diagnosis, prescriptions, labs) | High | High | High |
> | Insurance billing data | High | High | Moderate |
> | Employee HR records | Moderate | Moderate | Low |
> | System audit logs | Moderate | High | Moderate |
>
> Applying the **high-water mark** principle across all types: **Confidentiality: High, Integrity: High, Availability: High**. Overall FIPS 199 impact level: **High**.
>
> Now, which regulations apply? For a healthcare IT company with PHI handling, I'd expect at minimum HIPAA. Do any of these also apply?
>
> - FedRAMP (if serving federal agencies)
> - PCI-DSS (if processing payment cards)
> - SOX (if publicly traded)
>
> **You:** HIPAA for sure, FedRAMP because we serve VA hospitals, PCI-DSS for patient payment processing, and SOX because we went public last year.
>
> **Agent:** Got it -- four regulatory overlays. Let me also capture existing frameworks. Do you have any current certifications or compliance programs?
>
> **You:** We completed SOC 2 Type II last year and we're using CIS Controls v8 at Implementation Group 2.
>
> **Agent:** Excellent -- those provide a strong foundation. Now let me define the authorization boundary. I'll write up the profile and run the validator...
>
> I've run `fips199_categorization_validator` on the draft profile. Results:
>
> **Profile Completeness: 86% (6/7 sections)**
>
> - 1 WARNING: No out-of-scope items defined. Explicitly stating exclusions reduces scope ambiguity.
>
> Can you tell me what components are explicitly out of scope? For example, corporate Wi-Fi, employee personal devices, or third-party SaaS tools not directly part of the EHR platform?
>
> **You:** Corporate guest Wi-Fi is out of scope, and employee personal mobile devices since we don't allow BYOD for clinical access.
>
> **Agent:** Profile updated with out-of-scope exclusions and justifications. Running the validator again...
>
> **PASS** -- All validation checks passed. Profile Completeness: 100% (7/7 sections). The `organization-profile.json` file is saved and ready for baseline selection.

## Sample Output Excerpt

The skill produces a structured JSON organization profile. Here is a representative excerpt showing the FIPS 199 categorization and regulatory sections.

---

```json
{
  "organization": {
    "name": "MedVault Health Systems, Inc.",
    "legal_entity": "MedVault Health Systems, Inc.",
    "industry": "Healthcare IT",
    "size": { "employees": 220, "revenue_band": "$50M-$100M" },
    "locations": [
      { "name": "Austin HQ", "type": "headquarters" },
      { "name": "AWS us-west-2", "type": "primary_data_center" },
      { "name": "AWS us-east-1", "type": "disaster_recovery" }
    ],
    "departments": [
      "Engineering", "Product", "Clinical Operations",
      "Compliance & Legal", "HR", "Finance"
    ],
    "key_personnel": {
      "executive_sponsor": "Michael Torres, CEO",
      "ciso": "Sarah Chen, CISO",
      "compliance_lead": "James Rivera, Director of Compliance",
      "system_owner": "Priya Patel, VP of Engineering",
      "it_security_lead": "David Kim, Sr. Security Engineer"
    }
  },
  "fips199_categorization": {
    "information_types": [
      {
        "name": "Protected Health Information (PHI)",
        "confidentiality": "High",
        "integrity": "High",
        "availability": "High"
      },
      {
        "name": "Insurance Billing Data",
        "confidentiality": "High",
        "integrity": "High",
        "availability": "Moderate"
      }
    ],
    "overall": {
      "confidentiality": "High",
      "integrity": "High",
      "availability": "High"
    },
    "overall_impact_level": "High"
  },
  "applicable_regulations": ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"],
  "existing_frameworks": [
    { "name": "SOC 2 Type II", "status": "Certified (2025)" },
    { "name": "CIS Controls v8", "status": "IG2 implemented" }
  ],
  "scope_boundaries": {
    "system_name": "MedVault EHR Platform",
    "system_description": "Cloud-hosted electronic health records platform serving hospitals and clinics",
    "in_scope": [
      { "item": "EHR web application", "description": "Patient-facing and clinician-facing portals" },
      { "item": "AWS infrastructure", "description": "VPC, RDS, S3, EKS clusters in us-west-2 and us-east-1" },
      { "item": "API gateway", "description": "External integrations with labs, pharmacies, and insurance" }
    ],
    "out_of_scope": [
      { "item": "Corporate guest Wi-Fi", "justification": "Isolated network segment with no access to EHR systems or data" },
      { "item": "Employee personal devices", "justification": "BYOD prohibited for clinical access; corporate MDM enforced on managed devices" }
    ]
  }
}
```

## Extension Tools

### `fips199_categorization_validator`

Reads the organization profile JSON and validates FIPS 199 fields, regulations, scope boundaries, and overall profile completeness.

| Check | What It Validates | Severity |
|-------|------------------|----------|
| **Organization basics** | Name and industry sector are present | ERROR if missing |
| **Locations** | At least one location is documented | WARNING if empty |
| **Key personnel** | System owner, CISO, compliance lead are identified | WARNING if missing |
| **Information types** | At least one information type with C/I/A ratings (Low, Moderate, High) | ERROR if missing or invalid |
| **Overall categorization** | C/I/A overall levels present and valid, overall impact level derived | ERROR if missing |
| **Applicable regulations** | At least one regulation specified (HIPAA, PCI-DSS, GDPR, SOX, FedRAMP, FISMA, CMMC) | ERROR if empty |
| **Scope boundaries** | System name, in-scope items defined; out-of-scope items have justification | ERROR if no in-scope; WARNING on missing exclusions |
| **Existing frameworks** | ISO 27001, SOC 2, CIS, CSF programs documented | WARNING if empty |
| **Completeness score** | Reports percentage of sections filled (0-100%) | Informational |

The validator reports a **PASS** (no findings), **WARN** (warnings only), or **FAIL** (errors present) result, along with a completeness percentage. Iterate until all errors are resolved.
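As an added example (not the rakenne skill's own `fips199_categorization_validator`, whose source is not on this page), the following Python reimplements the checks in the table above, including the FIPS 199 high-water mark derivation, and runs them over a constructed profile that mirrors the sample excerpt. The seven-section completeness model and the severity of a missing exclusion justification are assumptions.

```python
LEVELS = {"Low": 0, "Moderate": 1, "High": 2}
CIA = ("confidentiality", "integrity", "availability")

def high_water_mark(info_types):
    """Highest rating per C/I/A axis across the types (ratings must be Low/Moderate/High);
    the overall impact level is the highest of the three."""
    hwm = {a: max((t[a] for t in info_types), key=LEVELS.get) for a in CIA}
    hwm["overall_impact_level"] = max((hwm[a] for a in CIA), key=LEVELS.get)
    return hwm

def validate_profile(p):
    """Apply the validator's checks; returns status, findings and completeness."""
    errors, warnings = [], []
    def need(ok, msg, bucket=errors):  # record a finding when a check fails
        if not ok:
            bucket.append(msg)
    org, cat = p.get("organization", {}), p.get("fips199_categorization", {})
    scope, types = p.get("scope_boundaries", {}), cat.get("information_types", [])
    staff, exclusions = org.get("key_personnel", {}), scope.get("out_of_scope", [])
    need(org.get("name") and org.get("industry"), "organization: name and industry required")
    need(org.get("locations"), "organization: no locations documented", warnings)
    need(all(staff.get(r) for r in ("system_owner", "ciso", "compliance_lead")),
         "key_personnel: system owner, CISO and compliance lead must be identified", warnings)
    valid = bool(types) and all(t.get(a) in LEVELS for t in types for a in CIA)
    need(valid, "fips199: need at least one information type with valid C/I/A ratings")
    stated = dict(cat.get("overall", {}), overall_impact_level=cat.get("overall_impact_level"))
    need(not valid or stated == high_water_mark(types), "fips199: overall levels != high-water mark")
    need(p.get("applicable_regulations"), "applicable_regulations: at least one required")
    need(scope.get("system_name") and scope.get("in_scope"), "scope_boundaries: name and in-scope items required")
    need(exclusions, "scope_boundaries: no out-of-scope items defined", warnings)
    need(all(x.get("justification") for x in exclusions), "scope_boundaries: exclusions lack justification", warnings)
    need(p.get("existing_frameworks"), "existing_frameworks: none documented", warnings)
    # Assumed 7-section completeness model (reproduces the 6/7 = 86% seen in the conversation).
    sections = [org.get("name"), staff, types, p.get("applicable_regulations"),
                p.get("existing_frameworks"), scope.get("in_scope"), exclusions]
    completeness = round(100 * sum(bool(s) for s in sections) / len(sections))
    status = "FAIL" if errors else "WARN" if warnings else "PASS"
    return {"status": status, "errors": errors, "warnings": warnings, "completeness": completeness}

SAMPLE = {  # constructed profile, trimmed to the checked fields; mirrors the excerpt above
    "organization": {"name": "MedVault Health Systems, Inc.", "industry": "Healthcare IT",
        "locations": [{"name": "Austin HQ"}], "key_personnel": {"ciso": "Sarah Chen",
        "compliance_lead": "James Rivera", "system_owner": "Priya Patel"}},
    "fips199_categorization": {"information_types": [
        {"name": "PHI", "confidentiality": "High", "integrity": "High", "availability": "High"},
        {"name": "HR records", "confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"}],
        "overall": {"confidentiality": "High", "integrity": "High", "availability": "High"}, "overall_impact_level": "High"},
    "applicable_regulations": ["HIPAA", "FedRAMP", "PCI-DSS", "SOX"], "existing_frameworks": [{"name": "SOC 2 Type II"}],
    "scope_boundaries": {"system_name": "MedVault EHR Platform", "in_scope": [{"item": "EHR web application"}], "out_of_scope": []},
}
```

Running `validate_profile(SAMPLE)` reproduces the conversation's first result (WARN, 86%), and adding justified out-of-scope items turns it into PASS at 100%; a stated overall level that is lower than the high-water mark of the listed types is reported as an error.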

## Getting Started

Create a new project from the **NIST SP 800-53** template, then start a session with the Organization Profile skill active. The agent will guide you through each section in order.

Have this information ready:
- Your organization's legal name, industry sector, and headcount
- Office locations and data center regions
- Department or team structure
- Names and titles for key personnel: executive sponsor, CISO, compliance lead, system owner
- A list of information types your system processes, stores, or transmits
- Known regulatory obligations (HIPAA, FedRAMP, PCI-DSS, SOX, etc.)
- Any existing certifications or compliance programs (SOC 2, ISO 27001, CIS Controls)
- What falls inside and outside the authorization boundary

The completed profile feeds directly into the **Baseline Selector** skill and all other NIST 800-53 skills, so getting the FIPS 199 categorization right here is critical -- it determines which controls apply to your entire program.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
