- Indirectly — via FISMA, FedRAMP, DoD CMMC, and HIPAA, all of which derive from 800-53
- Directly — when a federal customer requires you to implement specific 800-53 controls in your environment
Baselines
| Baseline | Control count | Use case |
|---|---|---|
| Low | ~149 controls | Public-facing data, low-impact systems |
| Moderate | ~287 controls | Internal data, most SaaS scenarios — the default for FedRAMP Moderate |
| High | ~370 controls | Sensitive data, mission-critical systems — military, intelligence |
How Codex maps the high-leverage families
AC — Access Control (25 controls in Moderate baseline)
| Control | Codex evidence |
|---|---|
| AC-2 Account Management | IdP user lifecycle (provisioning, modification, termination logs from Google Workspace, M365, Okta) |
| AC-3 Access Enforcement | App-level role assignments + RLS policy reviews from cloud connector |
| AC-6 Least Privilege | Privileged-access reports per app (admin counts, named admins) |
| AC-7 Unsuccessful Logon Attempts | IdP failed-auth event volume from SIEM connector |
| AC-11 Session Lock | MDM screen-lock policy enforcement (FileVault auto-lock, BitLocker session timeout) |
| AC-17 Remote Access | VPN config + session logs from cloud or VPN connector |
AU — Audit and Accountability (12 controls in Moderate)
| Control | Evidence |
|---|---|
| AU-2 Event Logging | SIEM connector event coverage report — what’s logged, what isn’t |
| AU-4 Audit Storage Capacity | Cloud-storage retention configs for log archives |
| AU-9 Protection of Audit Information | CloudTrail / Activity Log immutability config |
| AU-12 Audit Record Generation | Per-system logging-enabled audit (each cloud account, each prod service) |
CM — Configuration Management (10 controls in Moderate)
| Control | Evidence |
|---|---|
| CM-2 Baseline Configuration | Terraform/IaC commit history — your declared baseline |
| CM-3 Configuration Change Control | Merged PR records with reviewer + CI status |
| CM-7 Least Functionality | Cloud security group config (open ports, allowed protocols) |
| CM-8 System Component Inventory | This is what Layer is built for: every device, app, license, and user, with timestamps. |
CP — Contingency Planning (9 controls in Moderate)
| Control | Evidence |
|---|---|
| CP-2 Contingency Plan | Linked Notion / Google Doc + last review timestamp |
| CP-9 System Backup | Backup snapshot history from cloud connector |
| CP-10 System Recovery | Restore-test results (manually uploaded with timestamp + tester identity) |
IA — Identification and Authentication (12 controls in Moderate)
| Control | Evidence |
|---|---|
| IA-2 Identification and Authentication | IdP MFA enforcement reports |
| IA-5 Authenticator Management | Password policy config + rotation enforcement |
| IA-8 Identification and Authentication (Non-Org Users) | External-user inventory (Slack-Connect, GitHub outside collaborators, etc.) |
IR — Incident Response (9 controls in Moderate)
| Control | Evidence |
|---|---|
| IR-4 Incident Handling | Per-incident timeline from PagerDuty / Linear / Jira |
| IR-5 Incident Monitoring | Aggregate incident metrics (volume, severity, MTTR per quarter) |
| IR-8 Incident Response Plan | Linked plan + last review timestamp |
RA — Risk Assessment (5 controls in Moderate)
| Control | Evidence |
|---|---|
| RA-3 Risk Assessment | Linked risk register + last update timestamp |
| RA-5 Vulnerability Monitoring and Scanning | Snyk/Wiz/Dependabot findings + remediation timelines per severity |
SC — System and Communications Protection (24 controls in Moderate)
| Control | Evidence |
|---|---|
| SC-7 Boundary Protection | Cloud security groups + WAF config |
| SC-8 Transmission Confidentiality | TLS coverage report |
| SC-13 Cryptographic Protection | KMS config + algorithms in use |
| SC-28 Protection of Information at Rest | At-rest encryption config across all data stores |
SI — System and Information Integrity (15 controls in Moderate)
| Control | Evidence |
|---|---|
| SI-2 Flaw Remediation | Patch management cadence (OS patch level from MDM, dependency-update PRs) |
| SI-3 Malicious Code Protection | EDR coverage from CrowdStrike / SentinelOne |
| SI-4 System Monitoring | SIEM event collection coverage + alert rules |
What Codex doesn’t replace
NIST 800-53 has a heavy policy + process component that Codex doesn’t auto-generate:
- PL Planning controls — your System Security Plan (SSP) is a 100+ page document describing every control’s implementation. Codex provides the evidence; you write the prose.
- PM Program Management controls — organization-wide program (CISO function, threat awareness program, etc.). Pure organizational design.
- PS Personnel Security controls — background checks, position designation. HR-system data, mostly manual.
Connection to FedRAMP
If you want to sell to federal agencies directly (not just contractors), you need FedRAMP authorization — a formal third-party assessment of your 800-53 implementation. Three paths:
- FedRAMP Tailored — for low-impact SaaS (think: simple form-collection apps). ~120 controls. ~6 months, ~$50K-100K.
- FedRAMP Moderate — the default for most B2B SaaS to federal. ~325 controls. ~12-18 months, ~$300K-500K.
- FedRAMP High — only for sensitive workloads. ~410 controls. ~18-24 months, ~$500K-1M.
When you’re ready
Reports → NIST 800-53 evidence package outputs:
- Per-control implementation evidence with timestamps
- Control inheritance map (which controls rely on which CSP — AWS GovCloud, Azure Government — vs. your application’s implementation)
- Continuous monitoring metrics (the ConMon report federal customers expect monthly)
- Plan of Action and Milestones (POAM) for any controls you’ve documented as exceptions