
NIST SP 800-53 Control Identifier Regex for JavaScript

/^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|PT|RA|SA|SC|SI|SR)-([0-9]{1,2})(?:\s*\(([0-9]{1,2})\))?$/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching NIST SP 800-53 control identifiers, ported and verified for JavaScript. In security-sensitive code, an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project, whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

JavaScript Implementation

// NIST SP 800-53 Control Identifier
// ReDoS-safe | RegexVault — Security > Audit & Compliance

const nistSp80053ControlIdentifierRegex = /^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|PT|RA|SA|SC|SI|SR)-([0-9]{1,2})(?:\s*\(([0-9]{1,2})\))?$/i;

// Plain JavaScript: no type annotations, so this runs in Node.js and browsers as-is.
function validateNistSp80053ControlIdentifier(input) {
  return nistSp80053ControlIdentifierRegex.test(input);
}

// Example
console.log(validateNistSp80053ControlIdentifier("AC-1")); // true

Test Cases

Matches (Valid)
AC-1
IA-5
SI-10 (3)
AC-2(1)
CM-6

Rejects (Invalid)
XX-1
AC-100
AC-1-2
AC 1
IA5

When to use this pattern

This pattern is drawn from the Security > Audit & Compliance category and carries a ReDoS-safe certification. That matters for JavaScript developers, and is especially critical in long-running Node.js event loops, where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

NIST SP 800-53 Rev. 4 and Rev. 5 have different control sets. The FedRAMP baseline (Low/Moderate/High) defines which controls apply to federal cloud systems. State whether you are referencing Rev. 4 or Rev. 5.
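
The pattern checks syntax only: it accepts any case, leading zeros, a control number of 0, and arbitrary whitespace before the enhancement, and it knows nothing about revisions. The added example below (not RegexVault's code) uses the capture groups to canonicalize an identifier for use as a lookup key and to reject the Rev. 5-only families PT and SR when a Rev. 4 document is being checked. The names `parseControlId`, `canonicalize`, the `revision` parameter and the no-space canonical form `AC-2(1)` are assumptions of this example.

```javascript
// Added example: parse and canonicalize IDs accepted by the page's pattern.
const CONTROL_ID_RE = /^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|PT|RA|SA|SC|SI|SR)-([0-9]{1,2})(?:\s*\(([0-9]{1,2})\))?$/i;

// PT and SR were introduced in Rev. 5, so a Rev. 4 reference to them is suspect.
const REV5_ONLY_FAMILIES = new Set(["PT", "SR"]);

// Returns { family, control, enhancement, canonical }, or null if rejected.
function parseControlId(input, revision = 5) {
  // RegExp methods coerce non-strings to strings, so check the type explicitly.
  if (typeof input !== "string") return null;

  const m = CONTROL_ID_RE.exec(input);
  if (m === null) return null;

  const family = m[1].toUpperCase();            // the /i flag lets "ac" through
  const control = Number(m[2]);                 // "02" and "2" are the same control
  const enhancement = m[3] === undefined ? null : Number(m[3]);

  // Added strictness: the pattern allows 0, but controls and enhancements
  // are numbered from 1.
  if (control === 0 || enhancement === 0) return null;

  if (revision === 4 && REV5_ONLY_FAMILIES.has(family)) return null;

  const canonical = enhancement === null
    ? `${family}-${control}`
    : `${family}-${control}(${enhancement})`;
  return { family, control, enhancement, canonical };
}

// Map a list of raw identifiers to canonical form (null where rejected).
function canonicalize(ids, revision = 5) {
  return ids.map((id) => {
    const parsed = parseControlId(id, revision);
    return parsed === null ? null : parsed.canonical;
  });
}

// Constructed sample input, as identifiers might appear in a findings sheet.
const SAMPLE_IDS = ["ac-2 (1)", "AC-02(1)", "SI-10\t(3)", "SR-3", "AC-0", "AC-100", "IA5"];

console.log(canonicalize(SAMPLE_IDS, 5));
console.log(canonicalize(SAMPLE_IDS, 4));
```

The first three sample entries collapse to two canonical keys, which is the reason to normalize before deduplicating findings or joining against a control catalog.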

Technical Notes

NIST SP 800-53 Rev. 5 control families: AC=Access Control, AT=Awareness Training, AU=Audit Accountability, CA=Assessment Authorization, CM=Config Management, CP=Contingency Planning, IA=Identification Authentication, IR=Incident Response, MA=Maintenance, MP=Media Protection, PE=Physical Environmental, PL=Planning, PM=Program Management, PS=Personnel Security, PT=Privacy, RA=Risk Assessment, SA=System Services Acquisition, SC=System Communications, SI=System Information Integrity, SR=Supply Chain Risk.
