Yes, you have to use SHA. SP 800-53 references FIPS 140-2 all over the place, implying that you must use SHA-256 or SHA-512. (Avoid SHA-1.)
It's spelled out clearly in the MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES from the Executive Office of the President:
> 11. Is use of National Institute of Standards and Technology (NIST) publications required?
>
> Yes. For non-national security programs and information systems, agencies must follow NIST standards and guidelines. ...
>
> 12. Are NIST guidelines flexible?
>
> Yes. While agencies are required to follow NIST standards and guidelines in accordance with OMB policy, there is flexibility within NIST’s guidelines (specifically in the 800-series) in how agencies apply them. However, Federal Information Processing Standards (FIPS) are mandatory. ...
(And think about it. NIST didn't publish SHA as a standard so that you could go and use something else instead...)
Also, SHA and Bcrypt aren't really directly comparable. SHA is a set of hashing algorithms. Bcrypt is more of a process to produce a hash with the Blowfish algorithm at its core. The FIPS equivalent of Bcrypt is PBKDF2, which uses SHA as its core algorithm.
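As an added example (not part of the original answer), here is password storage with PBKDF2 over HMAC-SHA-256 using Python's standard `hashlib.pbkdf2_hmac`. The record format, the iteration count, and the function names are assumptions made for illustration; SHA-1 is refused in line with the answer's advice.

```python
import hashlib
import hmac
import secrets

# Assumption: only the SHA-2 digests named in the answer are accepted; SHA-1 is refused.
APPROVED_DIGESTS = {"sha256", "sha512"}
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune for your hardware and policy
SALT_BYTES = 16


def hash_password(password, digest="sha256", iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: pbkdf2$<digest>$<iterations>$<salt hex>$<key hex>."""
    if digest not in APPROVED_DIGESTS:
        raise ValueError(f"digest {digest!r} is not allowed")
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${digest}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute the key from the stored parameters and compare in constant time."""
    try:
        scheme, digest, iterations, salt_hex, key_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: wrong field count or bad number/hex
    # Reject records that name a digest outside the approved set (e.g. sha1).
    if scheme != "pbkdf2" or digest not in APPROVED_DIGESTS or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample password, for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

Storing the digest name and iteration count in the record lets the work factor be raised later without invalidating existing hashes.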