EU General Data Protection Regulation (2016/679) — SP 800-53 Coverage
How well do NIST SP 800-53 Rev 5 controls address each EU GDPR requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.
Clause-by-Clause Analysis
Art.5(1)(a) Lawfulness, fairness and transparency
Rationale
PT-02 (Authority to Process) partially addresses lawfulness. PT-04 (Consent) supports one legal basis. PT-05 (Privacy Notice) addresses transparency. No new Rev 5 controls improve coverage — this is fundamentally a legal framework requirement.
Gaps
SP 800-53 does not address lawfulness of processing (six legal bases under Art.6), fairness in data processing, or the comprehensive transparency obligations under GDPR. These are fundamental privacy law concepts outside SP 800-53 scope.
Art.5(1)(b) Purpose limitation
Rationale
PT-03 (Processing Purposes) requires purpose specification. PT-07 (Specific Categories) supports purpose-bound processing. CM-13 (new in Rev 5) data action mapping documents processing activities against stated purposes, strengthening purpose limitation traceability.
Gaps
SP 800-53 addresses purpose specification but lacks enforcement mechanisms for preventing further processing incompatible with original purposes. GDPR requires explicit compatibility assessment for secondary use. CM-13 improves documentation but not enforcement.
Art.5(1)(c) Data minimisation
Rationale
PT-07 (Specific Categories) supports minimisation. AC-06 (Least Privilege) applies minimisation to access. CM-12 (new in Rev 5) information location identifies where data resides, supporting inventory needed for minimisation assessments.
Gaps
SP 800-53 covers data minimisation at a high level. GDPR requires data to be adequate, relevant, and limited to what is necessary — a stricter standard than SP 800-53's approach. CM-12 helps locate data but does not enforce the minimisation principle.
Art.5(1)(d) Accuracy
Rationale
SI-10 (Information Input Validation) partially addresses accuracy. SI-18 (new in Rev 5) PII Quality Operations directly addresses data quality by requiring organizations to check accuracy, relevance, timeliness, and completeness of PII — a significant improvement for GDPR accuracy mapping.
Gaps
SI-18 is the most relevant new control for GDPR accuracy. However, GDPR mandates that personal data be accurate, kept up to date, and that inaccurate data be erased or rectified without delay. SI-18 covers quality checks but not the right-to-rectification workflow.
Art.5(1)(e) Storage limitation
Rationale
SI-12 (Information Handling and Retention) addresses retention limits. AU-11 (Audit Record Retention) models retention policy enforcement. CM-12 (new in Rev 5) information location identifies where data resides, supporting identification of data stores subject to retention policies.
Gaps
SP 800-53 addresses retention schedules but does not explicitly require that personal data be kept in identifiable form only for as long as necessary for the processing purpose. CM-12 improves data discovery but the GDPR storage limitation principle remains broader.
Art.5(1)(f) Integrity and confidentiality
Rationale
SC-08 (Transmission Confidentiality and Integrity), SC-13 (Cryptographic Protection), SC-28 (Protection of Information at Rest), and the AC family (Access Control) apply. SP 800-53 excels at technical security controls. SC-28 and SC-13 were added in v2.0 for explicit at-rest and cryptographic coverage.
Gaps
Minimal gap. SP 800-53 provides comprehensive integrity and confidentiality controls that align well with GDPR Art. 5(1)(f).
Art.5(2) Accountability
Rationale
AU family (Audit and Accountability), PT-01 (Privacy Policy). CM-13 (new in Rev 5) data action mapping provides processing documentation that supports GDPR accountability by recording what data actions occur, who performs them, and on what components.
Gaps
GDPR accountability requires the controller to demonstrate compliance with all processing principles. SP 800-53 provides audit and assessment controls but not the GDPR-specific accountability framework (records, DPIAs, codes of conduct, certifications). CM-13 improves processing documentation but does not close the gap.
Art.6(1) Lawfulness of processing — general
Rationale
PT-01 (Policy and Procedures) provides a general privacy framework. PT-02 (Authority to Process) covers authority concepts.
Gaps
SP 800-53 PT-01/PT-02 establish privacy policies and processing authority but do not address GDPR's six legal bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests). No new Rev 5 controls address this gap.
Art.6(1)(a) Lawfulness — consent as legal basis (coverage 35%)
Rationale
PT-04 (Consent) addresses consent. No new Rev 5 controls improve consent management.
Gaps
SP 800-53 PT-04 covers consent mechanically but GDPR Art. 6(1)(a) requires freely given, specific, informed, unambiguous consent with ability to withdraw. Consent management lifecycle not addressed.
Art.6(1)(b) Lawfulness — contractual necessity (coverage 15%)
Rationale
PT-02 (Authority to Process) partially relevant but not mapped directly as it covers US federal authority, not contractual necessity.
Gaps
SP 800-53 has no concept of contractual necessity as a legal basis for processing. This is a legal framework concept outside SP 800-53 scope. No new Rev 5 controls address this gap.
Art.6(1)(c) Lawfulness — legal obligation (coverage 20%)
Rationale
PT-02 (Authority to Process) covers authority but in a US federal context. Not mapped directly as the concept differs fundamentally.
Gaps
SP 800-53 covers authority to process in US federal context. GDPR legal obligation basis requires compliance with EU/member state law, which is outside SP 800-53 scope. No new Rev 5 controls address this gap.
Art.6(1)(f) Lawfulness — legitimate interests (coverage 10%)
Rationale
No SP 800-53 equivalent. PT-02 partially relevant for authority concepts but the legitimate interest balancing test is a legal construct without technical control parallel.
Gaps
GDPR legitimate interest requires a balancing test between controller interests and data subject rights. SP 800-53 has no equivalent concept. Entirely outside SP 800-53 scope.
Art.6(4) Lawfulness — compatibility of further processing
Rationale
PT-03 (Processing Purposes) and PT-07 (Specific Categories) partially address purpose compatibility. CM-13 (new in Rev 5) data action mapping documents processing flows which supports assessing whether further processing is compatible with original purposes.
Gaps
SP 800-53 covers purpose specification but GDPR Art. 6(4) requires a specific compatibility test for further processing including: link between purposes, context, data nature, consequences, and safeguards. CM-13 provides better documentation but not the compatibility assessment methodology.
Art.7(1) Conditions for consent — demonstrability
Rationale
PT-04 (Consent) covers consent. AU-02/AU-03 (Audit Events/Content) provide audit trails that can support consent demonstrability.
Gaps
SP 800-53 covers consent and audit trails but does not specifically require the controller to demonstrate that consent was given. Consent records management not addressed.
Art.7(2) Conditions for consent — distinguishable request (coverage 25%)
Rationale
PT-04 (Consent) and PT-05 (Privacy Notice) partially relevant.
Gaps
SP 800-53 does not require consent requests to be distinguishable, in clear/plain language, or presented separately from other matters. No new Rev 5 controls address presentation of consent requests.
Art.7(3) Conditions for consent — right to withdraw (coverage 20%)
Rationale
PT-04 (Consent) partially covers consent lifecycle.
Gaps
SP 800-53 PT-04 does not explicitly address consent withdrawal mechanisms, ease of withdrawal, or processing cessation upon withdrawal. No new Rev 5 controls address this gap.
Art.8(1) Child's consent in relation to information society services (coverage 15%)
Rationale
PT-04 (Consent) partially relevant.
Gaps
SP 800-53 has no age-specific consent requirements. GDPR Art. 8 requires parental consent for children under 16 (or lower per member state) for information society services. Entirely outside SP 800-53 scope.
Art.9(1) Processing of special categories of personal data — prohibition
Rationale
PT-07 (Specific Categories of PII) addresses special categories in US federal context. AC-16 (Security/Privacy Attributes) enables data classification including sensitive categories.
Gaps
SP 800-53 PT-07 covers some sensitive PII categories but GDPR Art. 9 prohibits processing of racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, sex life/orientation unless specific derogations apply. Much broader than SP 800-53.
Art.9(2) Processing of special categories — exceptions (coverage 15%)
Rationale
PT-07 (Specific Categories of PII) partially relevant.
Gaps
GDPR Art. 9(2) provides specific derogations (explicit consent, employment law, vital interests, public health, etc.). SP 800-53 has no equivalent exception framework for sensitive data processing. No new Rev 5 controls address this gap.
Art.12(1) Transparent information, communication and modalities — transparency
Rationale
PT-05 (Privacy Notice) addresses transparency requirements. AC-08 (System Use Notification) provides notice mechanisms.
Gaps
SP 800-53 PT-05 covers privacy notices but GDPR Art. 12 requires information in concise, transparent, intelligible, easily accessible form, using clear and plain language, especially for children. No new Rev 5 controls address presentation requirements.
Art.12(2) Transparent information — facilitating exercise of data subject rights (coverage 10%)
Rationale
No SP 800-53 equivalent for facilitating data subject rights exercise.
Gaps
GDPR requires controllers to facilitate the exercise of data subject rights, including providing information on actions taken within one month. SP 800-53 has no equivalent workflow for data subject rights management. No new Rev 5 controls address this gap.
Art.12(7) Transparent information — standardised icons (coverage 15%)
Rationale
PT-02 (Authority to Process) partially covers information provision.
Gaps
GDPR Art. 12(7) allows use of standardised icons for transparency. SP 800-53 does not address presentation format of privacy information. No new Rev 5 controls address this gap.
Art.13(1) Information to be provided where data collected from data subject
Rationale
PT-05 (Privacy Notice) covers notice at collection. AC-08 (System Use Notification) provides collection-time notice.
Gaps
GDPR Art. 13 requires specific information at collection including: controller identity, DPO contact, processing purposes, legal basis, legitimate interests, recipients, third-country transfers, retention period, data subject rights, consent withdrawal, supervisory authority complaint. SP 800-53 PT-05 covers some but not all.
Art.13(2) Information to be provided — additional information for fair processing (coverage 25%)
Rationale
PT-05 (Privacy Notice) partially covers additional information requirements.
Gaps
GDPR Art. 13(2) requires additional information on retention, rights, consent withdrawal, supervisory complaint, contractual obligation status, and automated decision-making. Most of these are outside SP 800-53 scope.
Art.14(1) Information where data not obtained from data subject
Rationale
PT-05 (Privacy Notice) partially relevant. PT-01 establishes privacy policy framework.
Gaps
SP 800-53 does not address notice requirements when personal data is not obtained directly from the data subject, including the requirement to inform about the source of data and categories of data. No new Rev 5 controls address indirect collection notice.
Art.14(2) Information where data not obtained — additional details (coverage 15%)
Rationale
PT-05 partially relevant.
Gaps
Similar gap to Art. 13(2) — SP 800-53 does not cover the full set of additional information requirements for indirect data collection. No new Rev 5 controls address this gap.
Art.15(1) Right of access by the data subject (coverage 20%)
Rationale
PT-06 (System of Records Notice) covers individual access in US Privacy Act context but is not directly mapped as the concept differs fundamentally from GDPR subject access.
Gaps
SP 800-53 PT-06 is specific to US Privacy Act. GDPR right of access is broader: confirmation of processing, access to data, information about processing purposes, categories, recipients, retention, rights, source, and automated decision-making. No new Rev 5 controls address GDPR-style subject access.
Art.15(3) Right of access — copy of data (coverage 15%)
Rationale
PT-06 partially relevant in US federal context.
Gaps
SP 800-53 does not explicitly require providing a copy of personal data in a commonly used electronic format. GDPR requires the first copy free of charge. No new Rev 5 controls address data copies.
Art.16 Right to rectification (coverage 20%)
Rationale
SI-18 (new in Rev 5) PII Quality Operations addresses data accuracy and correction, providing the first SP 800-53 control relevant to rectification. It requires checking and correcting inaccurate PII.
Gaps
SI-18 improves coverage by addressing PII quality and correction. However, GDPR Art. 16 establishes a data subject RIGHT to rectification without undue delay, which is a legal obligation triggered by individual request. SI-18 addresses organizational quality processes, not individual rights fulfillment workflows.
Art.17(1) Right to erasure ('right to be forgotten')
Rationale
SI-12 (Data Retention/Disposal) and MP-06 (Media Sanitization) cover data deletion mechanics.
Gaps
SP 800-53 covers data disposal mechanics but not the right to erasure triggered by data subject request. GDPR grounds for erasure (purpose fulfilled, consent withdrawn, objection, unlawful processing, legal obligation, child's data) not addressed. No new Rev 5 controls address individual erasure rights.
Art.17(2) Right to erasure — notification to recipients (coverage 10%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR requires controllers who have made personal data public to take reasonable steps to inform other controllers processing the data that the data subject has requested erasure. Entirely outside SP 800-53 scope.
Art.18(1) Right to restriction of processing (coverage 10%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR right to restriction allows data subjects to limit processing in specific circumstances (accuracy contested, unlawful processing, purpose fulfilled but data needed for legal claims, pending objection verification). Entirely outside SP 800-53 scope.
Art.19 Notification obligation regarding rectification or erasure or restriction (coverage 10%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR requires controllers to communicate rectification, erasure, or restriction to each recipient to whom data was disclosed. Entirely outside SP 800-53 scope.
Art.20(1) Right to data portability (coverage 5%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR right to data portability requires providing personal data in a structured, commonly used, machine-readable format and transmitting to another controller. No SP 800-53 control addresses data portability. No new Rev 5 controls address this gap.
Art.20(2) Right to data portability — direct transmission (coverage 5%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR requires the right to have personal data transmitted directly from one controller to another where technically feasible. Entirely outside SP 800-53 scope.
Art.21(1) Right to object (coverage 10%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR right to object allows data subjects to object to processing based on legitimate interests or public interest, requiring the controller to cease processing unless it can demonstrate compelling grounds. Entirely outside SP 800-53 scope.
Art.22(1) Automated individual decision-making, including profiling (coverage 10%)
Rationale
PT-08 (Computer Matching) covers matching in US federal context only.
Gaps
GDPR Art. 22 restricts solely automated decision-making that produces legal or similarly significant effects, and requires a right to human intervention, a right to express views, and a right to contest the decision. SP 800-53 PT-08 is limited to US federal computer matching agreements. No new Rev 5 controls address automated decision-making rights.
Art.22(2) Automated decision-making — exceptions allowing automated processing (coverage 15%)
Rationale
PT-08 (Computer Matching) covers matching in US federal context only.
Gaps
GDPR Art. 22(2) exceptions (contractual necessity, legal authorisation, explicit consent) for automated decision-making have no SP 800-53 equivalent.
Art.22(3) Automated decision-making — safeguards (coverage 10%)
Rationale
No SP 800-53 equivalent for automated decision safeguards.
Gaps
GDPR requires safeguards for automated decision-making, including the right to obtain human intervention, to express one's views, and to contest the decision. Entirely outside SP 800-53 scope.
Art.22(4) Automated decision-making — special categories (coverage 15%)
Rationale
PT-08 (Computer Matching) partially relevant.
Gaps
GDPR restricts automated decisions based on special category data unless explicit consent or substantial public interest with suitable safeguards. Outside SP 800-53 scope.
Art.24(1) Responsibility of the controller — appropriate measures
Rationale
PM-01 (Program Plan), PM-02 (Senior Officer), PM-03 (Resources), PM-09 (Risk Strategy) address organizational security responsibilities. PL-09 (new in Rev 5) central management provides unified control governance. PL-10 (new in Rev 5) baseline selection supports risk-based security measure selection. Together they strengthen the organizational responsibility framework.
Gaps
SP 800-53 covers program-level responsibilities but GDPR Art. 24 requires the controller to implement appropriate technical and organisational measures to ensure and demonstrate GDPR compliance, including data protection policies. PL-09/PL-10 improve governance but the GDPR-specific accountability demonstration remains a gap.
Art.24(2) Responsibility of the controller — data protection policies
Rationale
PM-01 (Program Plan), PL-01 (Security Planning Policy) cover policy requirements. PL-09 (new in Rev 5) central management enables centralized policy administration and enforcement.
Gaps
SP 800-53 covers security policies broadly. GDPR requires specific data protection policies proportionate to processing activities. The policy scope differs (security vs. data protection). PL-09 improves centralized management but the data protection policy specificity gap remains.
Art.25(1) Data protection by design
Rationale
SA-08 (Security Engineering Principles) partially addresses by-design. CM-12 (new in Rev 5) information location enables data-aware system design by identifying where data resides across components. CM-13 (new in Rev 5) data action mapping documents data processing flows during design, supporting privacy-by-design assessments.
Gaps
SP 800-53 covers security-by-design but GDPR data protection by design requires implementing data protection principles (minimisation, pseudonymisation) at the point of determining the means and processing. CM-12/CM-13 improve data awareness in design but privacy-specific engineering principles remain less developed.
Art.25(2) Data protection by default
Rationale
CM-06 (Configuration Settings) covers secure defaults. AC-06 (Least Privilege) enforces minimal access by default.
Gaps
SP 800-53 covers secure defaults for systems. GDPR by-default requires that only personal data necessary for each specific purpose is processed by default, covering amount, extent, storage, and accessibility. No new Rev 5 controls directly address privacy-by-default.
Art.28(1) Processor obligations — sufficient guarantees
Rationale
SA-04 (Acquisitions), SA-09 (External System Services), SR-01 (Supply Chain Policy) address third-party requirements.
Gaps
SP 800-53 covers supply chain and external services. GDPR Art. 28 requires specific contractual obligations including processing only on documented instructions, confidentiality, security measures, sub-processor management, assistance with data subject rights, deletion/return, and audit rights. No new Rev 5 controls close the GDPR-specific processor obligation gap.
Art.28(2) Processor obligations — sub-processor authorisation (coverage 45%)
Rationale
SR-03 (Supply Chain Controls) addresses sub-contractor management.
Gaps
SP 800-53 SR-03 covers supply chain controls but GDPR requires specific prior written authorisation for sub-processors and imposes the same data protection obligations via contract.
Art.28(3) Processor obligations — binding contract terms
Rationale
SA-04 (Acquisitions), SA-09 (External System Services) cover contractual requirements.
Gaps
GDPR requires specific contractual clauses including: processing on instructions only, confidentiality obligations, Art. 32 security measures, sub-processor conditions, data subject rights assistance, deletion/return after services end, audit cooperation.
Art.28(3)(a) Processor contract — processing on documented instructions
Rationale
AC-20 (External Systems), CA-03 (System Interconnections), SA-04 (Acquisitions), SR-04/SR-05/SR-07 (Supply Chain) address contractual requirements.
Gaps
SP 800-53 covers external system agreements. GDPR specifically requires processors to process only on documented controller instructions and inform the controller if an instruction infringes GDPR.
Art.28(3)(b) Processor contract — confidentiality obligations
Rationale
MA-05 (Maintenance Personnel), PS-03 (Personnel Screening), PS-07 (Third-Party Personnel) address personnel confidentiality.
Gaps
SP 800-53 covers personnel security for third parties. GDPR requires contractual commitment that authorised persons have committed to confidentiality or are under statutory confidentiality obligation.
Art.28(3)(c) Processor contract — security measures per Art. 32 (coverage 55%)
Rationale
SR-02 (Supply Chain Risk Management Plan) addresses security requirements for third parties.
Gaps
SP 800-53 SR-02 covers supply chain security. GDPR requires the processor to implement all measures required under Art. 32 (security of processing).
Art.28(3)(f) Processor contract — audit and inspection rights (coverage 45%)
Rationale
SR-08 (Notification Agreements) addresses supplier communication.
Gaps
SP 800-53 SR-08 covers notification. GDPR requires processors to make available all information necessary for demonstrating compliance and allow audits/inspections by the controller.
Art.28(3)(g) Processor contract — data deletion/return after services end (coverage 40%)
Rationale
SR-12 (Component Disposal) addresses data disposal.
Gaps
SP 800-53 SR-12 covers disposal. GDPR requires deletion or return of all personal data after the end of service provision, and deletion of existing copies unless storage is required by law.
Art.28(3)(h) Processor contract — compliance demonstration and audit cooperation
Rationale
SR-02/SR-04/SR-05/SR-06/SR-07/SR-10/SR-11 (Supply Chain family) provide supplier assessment capabilities.
Gaps
SP 800-53 SR family covers supplier assessment. GDPR requires processors to make available all information for compliance demonstration and cooperate with audits.
Art.28(4) Processor obligations — sub-processor contract obligations
Rationale
SR-01 (Supply Chain Policy), SR-03 (Controls), SR-09 (Acquisition Strategies) address sub-contractor management.
Gaps
SP 800-53 covers supply chain cascading. GDPR requires same data protection obligations on sub-processors via contract, with initial processor remaining liable.
Art.29 Processing under the authority of the controller or processor
Rationale
AT-03 (Role-Based Training), PL-04 (Rules of Behaviour), PS-04/PS-05/PS-06 (Personnel) address personnel processing authority. PS-09 (new in Rev 5) position descriptions explicitly incorporate security and privacy responsibilities into role definitions, strengthening the link between personnel authority and processing instructions.
Gaps
SP 800-53 covers personnel authorisation and training. PS-09 improves role definition. GDPR requires that persons acting under controller/processor authority process data only on instructions (unless required by EU/member state law).
Art.30(1) Records of processing activities — controller
Rationale
PM-05 (System Inventory) and PT-03 (Processing Purposes) partially address processing records. CM-12 (new in Rev 5) information location identifies where data resides across systems — a key input to processing records. CM-13 (new in Rev 5) data action mapping documents processing activities systematically, directly supporting GDPR Art. 30 requirements.
Gaps
CM-12 and CM-13 are the most significant new controls for Art. 30. However, GDPR Art. 30 requires specific records including: purposes, data categories, recipient categories, third-country transfers, retention periods, and security measures description. CM-13 covers processing flows but not all mandated record fields.
Art.30(1)(g) Records of processing — security measures description
Art.30(2) Records of processing activities — processor
Rationale
PM-05 (System Inventory) partially relevant. CM-13 (new in Rev 5) data action mapping supports processor documentation of processing activities.
Gaps
GDPR requires processors to maintain records including: categories of processing, controller details, third-country transfers, and security measures. SP 800-53 does not distinguish controller/processor record requirements. CM-13 improves documentation but does not address the processor-specific obligations.
Art.30(2)(d) Records of processing — processor security measures description (coverage 40%)
Rationale
SR-11 (Component Authenticity) partially relevant.
Gaps
GDPR requires processor records to include a general description of Art. 32 security measures. SP 800-53 does not require processors to maintain such records.
Art.32(1) Security of processing — appropriate technical and organisational measures
Rationale
SP 800-53 control families comprehensively address technical and organisational security measures including AC, AU, CM, CP, IA, IR, PE, SC, SI families. RA-07 (new in Rev 5) risk response provides explicit risk treatment actions, strengthening the risk-based security measure selection that Art. 32(1) requires.
Gaps
Minor gap. SP 800-53 provides excellent coverage of security measures. GDPR Art. 32 specifically mentions pseudonymisation, encryption, confidentiality/integrity/availability/resilience, restoration ability, and regular testing — all covered by SP 800-53. RA-07 improves risk response.
Art.32(1)(a) Security measures — pseudonymisation and encryption
Rationale
SC-13 (Cryptographic Protection), SC-28 (Protection of Information at Rest), and SC-08 (Transmission Confidentiality) apply. SC-28 was added in v2.0 for explicit at-rest encryption coverage.
Gaps
SP 800-53 covers encryption well. Pseudonymisation as a specific GDPR concept is not directly addressed — it's broader than de-identification and requires the ability to re-identify with additional information kept separately.
Art.32(1)(b) Security measures — confidentiality, integrity, availability, resilience
Rationale
The AC family (confidentiality), SI family (integrity), CP family (availability), and SC family (resilience) cover the four properties. SC-24 (new in Rev 5) fail in known state adds resilience by ensuring systems fail securely, directly supporting the Art. 32(1)(b) resilience requirement.
Gaps
Minimal gap. SP 800-53 provides comprehensive CIA coverage. GDPR explicitly adds 'resilience of processing systems' which CP and SC families address. SC-24 strengthens resilience.
Art.32(1)(c) Security measures — restore availability and access after incident
Art.32(1)(d) Security measures — regular testing and evaluation
Rationale
CA-02 (Security Assessments), CA-07 (Continuous Monitoring), CP-04 (Contingency Testing), and IR-03 (Incident Response Testing) apply. CA-09 (new in Rev 5) internal system connections adds monitoring and testing of internal connection integrity.
Gaps
Minor gap. SP 800-53 provides comprehensive testing and assessment controls that align with GDPR Art. 32(1)(d) regular testing requirements. CA-09 strengthens internal connection assurance.
Art.32(2) Security measures — risk assessment for appropriate level
Rationale
RA-03 (Risk Assessment), RA-05 (Vulnerability Scanning), and PM-09 (Risk Management Strategy) apply. RA-07 (new in Rev 5) risk response provides explicit risk treatment selection that supports identifying the 'appropriate level' of security.
Gaps
SP 800-53 covers risk assessment comprehensively. Minor gap: GDPR specifically requires considering risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. RA-07 strengthens risk-to-treatment linkage.
Art.32(4) Security measures — personnel authorisation and confidentiality
Rationale
The PS family (Personnel Security) and AC-02 (Account Management) apply. PS-09 (new in Rev 5) position descriptions incorporates security and privacy responsibilities into role definitions, strengthening the link between authorisation and personnel obligations.
Gaps
Minor gap. SP 800-53 PS and AT families cover personnel security and authorisation requirements well. PS-09 improves role clarity.
Art.33(1) Notification of breach to supervisory authority — 72 hours
Rationale
IR-06 (Incident Reporting) addresses incident reporting. IR-01 (Incident Response Policy) establishes reporting procedures.
Gaps
SP 800-53 IR-06 covers incident reporting but does not specify 72-hour notification to a supervisory authority. GDPR requires notification unless unlikely to result in risk to data subjects. Regulatory reporting specifics (authority contact, format, content) not addressed. No new Rev 5 controls address supervisory authority notification.
Art.33(2) Notification of breach — processor to controller notification
Rationale
IR-06 (Incident Reporting), SA-09 (External System Services) partially address processor notification. IR-09 (new in Rev 5) information spillage response adds specific handling for data breach/spillage incidents, which is highly relevant to GDPR breach notification chains.
Gaps
SP 800-53 covers incident reporting but does not specifically require processors to notify controllers 'without undue delay'. IR-09 improves data spillage response but the GDPR processor-to-controller breach notification chain is not explicitly addressed.
Art.33(3) Notification of breach — content requirements
Rationale
IR-06 (Incident Reporting), AU-03 (Content of Audit Records) partially address reporting content.
Gaps
GDPR requires specific breach notification content: nature of breach, DPO contact, likely consequences, measures taken/proposed. SP 800-53 IR-06 covers general reporting but not GDPR-specific content requirements.
Art.33(3)(a) Breach notification content — nature of breach (coverage 45%)
Rationale
AU-03 (Content of Audit Records) addresses incident documentation content.
Gaps
SP 800-53 covers audit record content. GDPR requires breach notifications to describe the nature of the breach including categories and approximate numbers of data subjects and records.
Art.33(3)(b) Breach notification content — DPO contact details (coverage 25%)
Rationale
AU-03 partially relevant.
Gaps
SP 800-53 does not require DPO contact details in breach notifications. GDPR mandates the name and contact details of the DPO or other contact point.
Art.33(3)(d) Breach notification content — measures taken
Rationale
AU-06 (Audit Review and Reporting), IR-05 (Incident Monitoring) address incident response reporting.
Gaps
SP 800-53 covers incident response reporting. GDPR requires specific description of measures taken or proposed to address the breach and mitigate adverse effects.
Art.33(4) Breach notification — phased provision of information (coverage 45%)
Rationale
IR-04 (Incident Handling) supports phased incident response.
Gaps
SP 800-53 IR-04 covers incident handling processes. GDPR allows phased notification without undue further delay where information cannot be provided at the same time.
Art.33(5) Breach notification — documentation requirement
Rationale
IR-03 (Incident Response Testing), IR-05 (Incident Monitoring) support breach documentation. IR-09 (Information Spillage Response; present since Rev 4, not new in Rev 5) adds spillage-specific documentation requirements, including containment and notification steps.
Gaps
SP 800-53 covers incident documentation. IR-09 improves data breach-specific documentation. GDPR requires documentation of all breaches including facts, effects, and remedial actions to enable supervisory authority verification.
Art.34(1) Communication of breach to data subject — high risk
Rationale
IR-06 (Incident Reporting), IR-07 (Incident Response Assistance) partially relevant.
Gaps
SP 800-53 does not itself require notifying affected individuals (data subjects) when a breach is likely to result in high risk. The closest Rev 5 addition is the IR-08(1) (Breaches) enhancement, which requires the incident response plan to include a process for deciding whether notice to individuals is needed and an assessment of the harm to them; it does not impose GDPR's 'without undue delay' timing or its requirement that the communication be in clear and plain language.
Art.34(2) Breach communication to data subject — content
Rationale
IR-01 (Incident Response Policy), IR-07 (Incident Response Assistance) partially relevant.
Gaps
SP 800-53 covers incident response procedures. GDPR requires communication to data subjects in clear and plain language describing the nature of the breach and providing DPO contact, likely consequences, and measures taken.
Art.34(3) Communication of breach to data subject — exceptions (coverage 20%)
Rationale
IR-06 partially relevant.
Gaps
GDPR provides exceptions from data subject notification (encryption, measures eliminating risk, disproportionate effort with public communication). SP 800-53 has no equivalent exception framework for breach notification.
Art.35(1) Data protection impact assessment — requirement
Rationale
RA-03 (Risk Assessment) addresses risk assessment methodology. RA-08 (new in Rev 5) privacy impact assessment is directly relevant — it requires organizations to conduct privacy impact assessments for systems processing PII. This is the most significant new control for GDPR DPIA requirements.
Gaps
RA-08 improves DPIA coverage substantially. However, GDPR DPIA is different from US PIA: triggered by high-risk processing, requires systematic description, necessity/proportionality assessment, risk assessment to data subjects, and planned mitigation measures. RA-08 covers PIA but not all GDPR DPIA elements.
Art.35(3) DPIA — mandatory cases (coverage 28%)
Rationale
RA-08 (new in Rev 5) privacy impact assessment provides a framework for triggering privacy assessments when PII is processed.
Gaps
RA-08 provides a PIA trigger but GDPR mandates DPIA for specific cases: systematic/extensive automated processing including profiling, large-scale special categories, and large-scale systematic public monitoring. SP 800-53 has no equivalent mandatory DPIA triggers based on these criteria.
Art.35(7) DPIA — minimum content
Rationale
RA-03 (Risk Assessment), RA-08 (new in Rev 5) privacy impact assessment partially address assessment content. RA-08 improves privacy-specific assessment content requirements.
Gaps
GDPR DPIA must contain: systematic description of processing, necessity/proportionality assessment, risk assessment, and planned measures including safeguards and compliance demonstration mechanisms. SP 800-53 RA-08 PIA has different content requirements. RA-08 improves alignment but does not match all GDPR DPIA elements.
Art.35(7)(a) DPIA content — systematic description of processing
Rationale
CM-08 (Component Inventory), RA-02 (Security Categorization) address system documentation. CM-12 (new in Rev 5) information location identifies data stores. CM-13 (new in Rev 5) data action mapping documents processing operations systematically, directly supporting the GDPR requirement for systematic description of processing.
Gaps
CM-12 and CM-13 significantly improve processing description capabilities. GDPR DPIA requires a systematic description of the processing operations, their purposes and, where applicable, the legitimate interest pursued. CM-13 documents the processing operations; purpose documentation sits under PT-03 (Processing Purposes) rather than CM-13, and legal basis or legitimate interest has no SP 800-53 equivalent.
Art.35(7)(c) DPIA content — risk assessment to data subjects
Rationale
RA-03 (Risk Assessment) addresses risk assessment methodology. RA-08 (new in Rev 5) privacy impact assessment focuses assessment on privacy risks from PII processing, more closely aligned with GDPR's data subject risk focus.
Gaps
RA-08 improves alignment with GDPR's data subject risk perspective. However, GDPR DPIA requires assessment of risks to the rights and freedoms of data subjects specifically, encompassing discrimination, identity theft, financial loss, reputational damage — broader than SP 800-53's system/privacy risk model.
Art.35(11) DPIA — review when processing changes
Art.36(1) Prior consultation with supervisory authority
Art.37(1) Designation of the data protection officer (coverage 18%)
Rationale
PM-02 (Information Security Program Leadership Role) assigns a security leadership role. PS-09 (new in Rev 5) position descriptions enables formal role definition with privacy responsibilities, partially supporting DPO designation by incorporating data protection duties into position descriptions.
Gaps
PS-09 improves role definition, and Rev 5 also adds PM-19 (Privacy Program Leadership Role), which appoints a senior privacy official and is the closest analogue to a DPO. Neither control reproduces the DPO's specific designation criteria (public authority, large-scale monitoring, large-scale special categories), required expertise, or independence requirements, which go far beyond position descriptions and a named leadership role.
Art.38(3) Position of the DPO — independence and non-dismissal (coverage 5%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR requires DPO independence: no instructions regarding task exercise, no dismissal or penalty for performing duties, and direct reporting to the highest management level. SP 800-53 has no concept of protected independence for privacy roles; PM-19 (Privacy Program Leadership Role, new in Rev 5) appoints a senior privacy official but says nothing about independence or protection from dismissal.
Art.39(1) Tasks of the DPO (coverage 12%)
Rationale
PM-02 (Information Security Program Leadership Role) partially relevant for role definition. PS-09 (new in Rev 5) position descriptions can document DPO task responsibilities.
Gaps
GDPR defines specific DPO tasks: inform/advise on GDPR obligations, monitor compliance, advise on DPIAs, cooperate with supervisory authority, act as contact point. These specific tasks have no SP 800-53 equivalent. PS-09 helps define the role but not its GDPR-specific tasks.
Art.39(1)(b) DPO tasks — monitoring compliance including training
Rationale
AT-01/AT-02/AT-03 (Awareness and Training; AT-05 was withdrawn in Rev 5), IR-02 (Incident Response Training), PL-04 (Rules of Behaviour), PS-01 (Personnel Security Policy). AT-06 (new in Rev 5) training feedback measures training effectiveness, supporting GDPR DPO compliance monitoring by tracking whether training achieves its data protection objectives.
Gaps
SP 800-53 covers security training and awareness. AT-06 improves training measurement. GDPR DPO tasks include monitoring GDPR compliance, assigning responsibilities, raising awareness, and training staff involved in processing operations. The training feedback loop from AT-06 partially supports compliance monitoring.
Art.44 General principle for transfers to third countries
Rationale
No SP 800-53 equivalent for international transfer restrictions.
Gaps
GDPR restricts international transfers of personal data to countries without adequate protection. SP 800-53 has no data localisation or cross-border transfer restrictions. No new Rev 5 controls address international transfer requirements.
Art.46(1) Transfers subject to appropriate safeguards
Art.46(2) Appropriate safeguards — specific instruments for transfers (coverage 15%)
Rationale
SA-09 (External System Services) partially addresses external service agreements.
Gaps
GDPR Art. 46(2) lists specific transfer safeguards (SCCs, BCRs, codes of conduct, certifications). SP 800-53 covers external service agreements but not international transfer-specific instruments.
Art.47(2)(n) Binding corporate rules — training content
Rationale
AT-01/AT-02/AT-03 (Awareness and Training) address training requirements. AT-06 (new in Rev 5) training feedback measures effectiveness of data protection training, supporting BCR compliance verification.
Gaps
SP 800-53 covers security training. AT-06 improves training measurement. GDPR requires BCRs to include appropriate data protection training for personnel with permanent or regular access to personal data.
Art.49(1) Derogations for specific situations (coverage 5%)
Rationale
No SP 800-53 equivalent.
Gaps
GDPR derogations for transfers (explicit consent, contractual necessity, public interest, legal claims, vital interests) are legal framework provisions entirely outside SP 800-53 scope. No new Rev 5 controls address this gap.
Rec.78 Recital 78 — appropriate technical and organisational measures
Rationale
AT-01/CM-01/MA-01/MP-01/PE-01/PS-01/SA-01 (Policy controls), SA-08 (Security and Privacy Engineering Principles). CM-12 (new in Rev 5) information location supports data protection by design through data awareness. CM-13 (new in Rev 5) data action mapping supports organisational measures by documenting processing flows.
Gaps
SP 800-53 provides comprehensive policy and engineering controls. CM-12/CM-13 improve data-aware organisational measures. Rec.78 specifically calls for data protection by design and by default, data minimisation, and pseudonymisation — CM-12/CM-13 partially address these.
Rec.83 Recital 83 — security measures including encryption
Rationale
IA-07 (Cryptographic Module Authentication), SC-08 (Transmission Confidentiality and Integrity; the former SC-09 was withdrawn into it), SC-12 (Cryptographic Key Establishment and Management), SC-13 (Cryptographic Protection), SC-17 (Public Key Infrastructure Certificates). SC-28 (Protection of Information at Rest) was added in v2.0 of this mapping for explicit at-rest coverage.
Gaps
Minimal gap for encryption. SP 800-53 cryptographic controls align well with the encryption measures Rec.83 describes, and SC-28 strengthens at-rest coverage; note that the SC-28 base control requires protecting information at rest by any means and that encryption specifically is the SC-28(1) (Cryptographic Protection) enhancement, so a mapping should cite the enhancement where at-rest encryption is the point. Pseudonymisation is not addressed by the SC family; its closest Rev 5 analogue is SI-19 (De-identification).
Methodology and Disclaimer
This coverage analysis maps from EU GDPR clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.
Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.
This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.