# NIST SP 800-53 Policy-Control Mapper

> Map existing policy and standard documents to NIST SP 800-53 controls with AI-assisted quality scoring. Rates each mapping as High/Medium/Low confidence with documented justification. Identifies unmapped controls and low-quality mappings for remediation. Produces policy-control-mapping.json for gap analysis.



Tags: NIST, NIST 800-53, Compliance, GRC, Mapping, USA


## Example Prompts

- Map our existing security policies to 800-53 controls
- Rate the quality of our current policy-to-control mappings
- Identify controls that have no policy coverage
- Assess how well our access control policy covers the AC family

URL: https://rakenne.app/skills/nist-800-53-policy-control-mapper/index.md

Try this skill: https://rakenne.app/a/?skill=nist-800-53-policy-control-mapper



## Overview

Map existing policy and standard documents to NIST SP 800-53 controls with AI-assisted quality scoring. For each document section, the agent identifies which 800-53 controls are addressed and rates the mapping as High, Medium, or Low confidence with a documented justification (minimum 50 characters). The output is a structured `policy-control-mapping.json` that feeds directly into the Gap Analysis skill. Controls with only Low-confidence mappings are flagged for policy improvement, and unmapped controls are listed for remediation planning.

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace — see the full walkthrough for how all 7 skills work together.

## Example

> **You:** We've finished writing family policies and control standards for MedVault Health Systems. Map them against our tailored 800-53 catalog so we can see how well our documentation covers each control. We're FIPS 199 High with HIPAA, FedRAMP, and PCI-DSS overlays.
>
> **Agent:** I'll read your tailored control catalog and scan the policy and standard documents in the workspace. *(Reads tailored-control-catalog.json, iterates through output/policies/ and output/standards/, maps each document section to 800-53 controls using the family reference tables and quality rubric.)* I've mapped 847 document sections across 19 family policies and 214 control standards. The quality distribution is 58% High, 29% Medium, and 13% Low. I ran `rate_control_mapping_quality` to validate — 12 mappings had justifications that were too short and 8 lacked domain key terms, so I strengthened those. AC-2(3) and AC-2(4) have no policy coverage at all and are listed as unmapped. The final `policy-control-mapping.json` is saved to the workspace root.

## Excerpt of a generated mapping

Below is a condensed example from a generated `policy-control-mapping.json`:


```json
{
  "mappings": [
    {
      "document": "output/policies/AC-1-policy.md",
      "section": "Policy Statements",
      "control_id": "AC-1",
      "quality": "High",
      "justification": "Policy directly establishes access control policy and procedure requirements as specified by AC-1, including designation of an Access Control Officer and annual review cycle."
    },
    {
      "document": "output/standards/AC-2-standard.md",
      "section": "Account Management Procedures",
      "control_id": "AC-2",
      "quality": "High",
      "justification": "Standard specifies account lifecycle management including provisioning, modification, disabling, and removal procedures with access reviews every 90 days for the EHR platform."
    },
    {
      "document": "output/policies/AU-1-policy.md",
      "section": "Audit Scope and Requirements",
      "control_id": "AU-3",
      "quality": "Medium",
      "justification": "Policy references audit content requirements but uses general language about 'sufficient detail' rather than specifying the exact record fields (source, destination, timestamps) required by AU-3."
    },
    {
      "document": "output/standards/IA-5-standard.md",
      "section": "Authenticator Complexity",
      "control_id": "IA-5(1)",
      "quality": "Low",
      "justification": "Standard mentions password complexity but does not address the specific composition, lifetime, or reuse constraints in IA-5(1). Needs significant expansion to cover MFA token and certificate-based authenticator management."
    }
  ],
  "unmapped_controls": ["AC-2(3)", "AC-2(4)", "PE-3(2)"],
  "mapping_date": "2026-03-18"
}
```


## Validation tools

The skill includes an extension tool that automates mapping quality assurance:

- **rate_control_mapping_quality** — Validates `policy-control-mapping.json` against several quality criteria: every control ID matches the 800-53 identifier pattern (e.g., `AC-2`, `IA-5(1)`), every quality rating is exactly High, Medium, or Low, and every justification is present and at least 50 characters long. It also flags entries whose justification lacks key terms from the control's family (e.g., an AC mapping that never mentions "access" or "control"); this is a keyword heuristic, so a flagged entry should be re-read for substance rather than padded with the missing word. It then reports the quality distribution as a bar chart (High/Medium/Low counts and percentages), lists controls whose only mappings are Low confidence and therefore need stronger policy coverage, and cross-references the unmapped list against the tailored catalog so that controls which are neither mapped nor declared unmapped do not slip through.
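The checks above are simple enough to reproduce. The following is an added example in Python, not the skill's own tool: it applies the control-ID, rating, justification-length and key-term checks to a mapping file, builds the High/Medium/Low distribution, lists Low-only controls, and cross-references the unmapped list against a tailored catalog. The family key-term table, the sample mapping (the four entries from the excerpt plus three deliberately defective ones) and the catalog are constructed for the example; the 50-character threshold is the one stated on this page.

```python
"""Validator for policy-control-mapping.json (added example, not the skill's code)."""
import json
import re
from collections import Counter

# 800-53 control ID: two-letter family, dash, number, optional enhancement "(n)".
CONTROL_ID_RE = re.compile(r"^[A-Z]{2}-\d+(?:\(\d+\))?$")
QUALITY_LEVELS = ("High", "Medium", "Low")
MIN_JUSTIFICATION_LEN = 50  # threshold stated on the page

# Assumed per-family key terms (illustrative; the skill's real reference tables are not shown).
FAMILY_KEY_TERMS = {
    "AC": ("access", "account", "control"),
    "AU": ("audit", "log", "record"),
    "IA": ("authenticat", "identif", "password", "credential"),
    "PE": ("physical", "facility", "visitor"),
    "SC": ("boundary", "network", "encrypt", "communicat"),
}


def validate_mapping(mapping, catalog_ids, min_len=MIN_JUSTIFICATION_LEN):
    """Return per-entry findings plus the summary figures the tool reports."""
    findings = []              # (entry index, control_id, problem)
    qualities_by_control = {}  # control_id -> set of ratings seen for it
    distribution = Counter()

    for i, entry in enumerate(mapping.get("mappings", [])):
        cid = entry.get("control_id", "")
        if not CONTROL_ID_RE.match(cid):
            findings.append((i, cid, "control_id does not match the 800-53 pattern"))
            continue  # the remaining checks cannot be attributed to a control
        quality = entry.get("quality")
        if quality in QUALITY_LEVELS:
            distribution[quality] += 1
        else:
            findings.append((i, cid, f"quality {quality!r} is not one of {QUALITY_LEVELS}"))
        text = entry.get("justification") or ""
        if len(text) < min_len:
            findings.append((i, cid, f"justification shorter than {min_len} characters"))
        terms = FAMILY_KEY_TERMS.get(cid.split("-")[0], ())
        if terms and not any(t in text.lower() for t in terms):
            findings.append((i, cid, f"justification lacks family key terms {terms}"))
        qualities_by_control.setdefault(cid, set()).add(quality)

    total = sum(distribution.values()) or 1
    mapped = set(qualities_by_control)
    unmapped = set(mapping.get("unmapped_controls", []))
    return {
        "findings": findings,
        "distribution": {q: (distribution[q], round(100 * distribution[q] / total))
                         for q in QUALITY_LEVELS},
        "low_only_controls": sorted(c for c, qs in qualities_by_control.items() if qs == {"Low"}),
        # Catalog cross-reference: unmapped IDs that are not in the tailored catalog
        # (probably tailored out), and catalog controls that are neither mapped nor
        # declared unmapped, which is the silent gap the cross-check exists to catch.
        "unmapped_not_in_catalog": sorted(unmapped - catalog_ids),
        "silently_uncovered": sorted(catalog_ids - mapped - unmapped),
        "both_mapped_and_unmapped": sorted(mapped & unmapped),
    }


def render_distribution(dist, width=20):
    """Text bar chart of the High/Medium/Low counts and percentages."""
    return "\n".join(f"{q:<6} {'#' * (pct * width // 100):<{width}} {n:>3} ({pct}%)"
                     for q, (n, pct) in dist.items())


# Constructed sample: the four excerpt entries plus an invalid ID, a bad rating with a
# short justification, and a justification that never uses the family's vocabulary.
SAMPLE_MAPPING = json.loads(r'''{
  "mappings": [
    {"document": "output/policies/AC-1-policy.md", "section": "Policy Statements", "control_id": "AC-1", "quality": "High",
     "justification": "Policy directly establishes access control policy and procedure requirements as specified by AC-1, including designation of an Access Control Officer and annual review cycle."},
    {"document": "output/standards/AC-2-standard.md", "section": "Account Management Procedures", "control_id": "AC-2", "quality": "High",
     "justification": "Standard specifies account lifecycle management including provisioning, modification, disabling, and removal procedures with access reviews every 90 days for the EHR platform."},
    {"document": "output/policies/AU-1-policy.md", "section": "Audit Scope and Requirements", "control_id": "AU-3", "quality": "Medium",
     "justification": "Policy references audit content requirements but uses general language about 'sufficient detail' rather than specifying the exact record fields (source, destination, timestamps) required by AU-3."},
    {"document": "output/standards/IA-5-standard.md", "section": "Authenticator Complexity", "control_id": "IA-5(1)", "quality": "Low",
     "justification": "Standard mentions password complexity but does not address the specific composition, lifetime, or reuse constraints in IA-5(1). Needs significant expansion to cover MFA token and certificate-based authenticator management."},
    {"document": "output/standards/SC-7-standard.md", "section": "Boundary Protection", "control_id": "SC7", "quality": "High",
     "justification": "Standard defines the network boundary, the managed interfaces and the deny-by-default rule set for the EHR enclave."},
    {"document": "output/standards/AC-2-standard.md", "section": "Automation", "control_id": "AC-2(1)", "quality": "high",
     "justification": "Automated account management is described."},
    {"document": "output/policies/AU-1-policy.md", "section": "Event Selection", "control_id": "AU-2", "quality": "Medium",
     "justification": "The document lists the categories of events the organization captures and the annual review of that list, but ties none of them to specific systems."}
  ],
  "unmapped_controls": ["AC-2(3)", "AC-2(4)", "PE-3(2)"],
  "mapping_date": "2026-03-18"
}''')

# Constructed tailored catalog: PE-3(2) is deliberately absent, SC-7 is present but
# appears in neither the mappings (its entry has a malformed ID) nor the unmapped list.
SAMPLE_CATALOG = {"AC-1", "AC-2", "AC-2(1)", "AC-2(3)", "AC-2(4)", "AU-2", "AU-3", "IA-5(1)", "SC-7"}

if __name__ == "__main__":
    report = validate_mapping(SAMPLE_MAPPING, SAMPLE_CATALOG)
    for idx, cid, problem in report["findings"]:
        print(f"mappings[{idx}] {cid or '<missing>'}: {problem}")
    print(render_distribution(report["distribution"]))
    for key in ("low_only_controls", "unmapped_not_in_catalog", "silently_uncovered"):
        print(f"{key}: {report[key]}")
```

On the sample, the run reports four findings (the malformed `SC7`, the lower-case `high` rating and its 42-character justification, and the AU-2 justification with no audit vocabulary), a 40/40/20 distribution over the five well-formed entries, `IA-5(1)` as the only Low-only control, `PE-3(2)` as an unmapped control that is not in the catalog, and `SC-7` as a catalog control nobody accounted for. That last case is why the cross-reference matters: a malformed ID silently drops a control from coverage unless something checks the catalog from the other direction.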

## Getting Started

Complete your family policies (using the Family Policy Author skill) and control standards (using the Control Standard Author skill) before running the mapper; the agent needs actual document sections to map against 800-53 controls. Then activate the Policy-Control Mapper skill and tell the agent to map your documentation. It will scan the workspace, build the mapping file, validate it with the quality rating tool, and iterate until the tool reports no findings and the High/Medium/Low distribution is acceptable to you.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
