IAM Maturity Assessment for NIST SP 800-53
NIST SP 800-53 is the control catalog used across US federal systems and many regulated programs. The Access Control (AC) and Identification and Authentication (IA) families define account management, least privilege, separation of duties, and authenticator management. AXIS scores against the Moderate baseline; the High baseline carries a stricter threshold for enhanced and automated controls.
- Maturity threshold
- 2.5 / 4.0
- Mapped questions
- 19
- IAM domains
- 6
- Assessment scope
- All scopes
What NIST SP 800-53 Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to NIST SP 800-53 citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Account management, least privilege, and separation of duties (AC family)
- Authenticator and identifier management for human and non-human identities (IA family)
- Privileged access enforcement, session auditing, and just-in-time elevation
- Cloud permission management and infrastructure-as-code guardrails for federal-style environments
AXIS Questions Mapped to NIST SP 800-53
19 of the 37 questions in the AXIS bank carry NIST SP 800-53 citations, including 3 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | NIST SP 800-53 references |
|---|---|---|---|
| IGA-02 | IGA | Access Requests & Approvals | NIST SP 800-53 AC-2 |
| IGA-03 | IGA | Access Reviews & Recertification | NIST SP 800-53 AC-2 |
| IGA-04 | IGA | Role-Based Access Control (RBAC) & Access Modeling | NIST SP 800-53 AC-2 |
| IGA-05 | IGA | Entitlement Discovery and Classification | NIST SP 800-53 AC-6; NIST SP 800-53 AC-6(3); NIST SP 800-53 AC-6(5) |
| IGA-06 | IGA | Segregation of Duties (SoD) | NIST SP 800-53 AC-5; NIST SP 800-53 AC-5(1) |
| PAM-01 Domino | PAM | Admin Credential Protection | NIST 800-53 AC-2/AC-6 |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | NIST SP 800-53 IA-5 |
| PAM-03 | PAM | Endpoint Privilege & Local Admin Control | NIST SP 800-53 AC-6 |
| PAM-04 | PAM | Just-In-Time (JIT) Cloud & Infrastructure Access | NIST SP 800-53 AC-6 |
| PAM-05 | PAM | Session Management and Recording | NIST SP 800-53 AU-14; NIST SP 800-53 AU-14(1) |
| AUTH-02 | Auth/SSO | Single Sign-On (SSO) Coverage & Enforcement | NIST SP 800-53 IA-2 |
| AUTH-03 | Auth/SSO | Device Trust & Zero Trust Enforcement | NIST SP 800-53 SI-7 |
| CLOUD-01 Domino | Cloud | Multi-Cloud Permission Management (CIEM) | NIST 800-53 AC controls |
| CLOUD-02 | Cloud | Non-Human Identity (NHI) Governance | NIST SP 800-53 IA-7; NIST SP 800-53 IA-2 |
| CLOUD-04 | Cloud | Infrastructure-as-Code (IaC) IAM Guardrails & Drift Control | NIST SP 800-53 AC-6 |
| CLOUD-05 | Cloud | AI Agent Identity Governance | NIST SP 800-53 IA-9; NIST SP 800-53 IA-8; NIST SP 800-53 AC-3 |
| SEC-02 | Security | Identity Resilience & Disaster Recovery | NIST SP 800-53 CP-2; NIST SP 800-53 CP-10 |
| SEC-04 | Security | Data Security Posture & Identity-to-Data Risk Mapping (DSPM) | NIST SP 800-53 AC-6 |
| GOV-03 | Governance | IAM Policy Definition, Enforcement & Drift Control | NIST SP 800-53 AC-3 |
How AXIS Scores NIST SP 800-53 Alignment
A threshold model: each mapped control either meets the NIST SP 800-53 maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.5 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIST SP 800-53, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for NIST SP 800-53 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIST SP 800-53 citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
NIST SP 800-53 appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to NIST SP 800-53 (Moderate Baseline). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIST SP 800-53 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against NIST SP 800-53
Run the AXIS assessment and get your maturity score, NIST SP 800-53 alignment, and a prioritized roadmap in one pass. No signup required to start.