index.md

NIST 800-53 v5 Controls

AC - Access Control

• AC-1 - Policy and Procedures
• AC-2 - Account Management
• AC-2.1 - Automated System Account Management
• AC-2.2 - Automated Temporary and Emergency Account Management
• AC-2.3 - Disable Accounts
• AC-2.4 - Automated Audit Actions
• AC-2.5 - Inactivity Logout
• AC-2.7 - Privileged User Accounts
• AC-2.9 - Restrictions on Use of Shared and Group Accounts
• AC-2.12 - Account Monitoring for Atypical Usage
• AC-2.13 - Disable Accounts for High-risk Individuals
• AC-3 - Access Enforcement
• AC-4 - Information Flow Enforcement
• AC-4.21 - Physical or Logical Separation of Information Flows
• AC-5 - Separation of Duties
• AC-6 - Least Privilege
• AC-6.1 - Authorize Access to Security Functions
• AC-6.2 - Non-privileged Access for Nonsecurity Functions
• AC-6.5 - Privileged Accounts
• AC-6.7 - Review of User Privileges
• AC-6.9 - Log Use of Privileged Functions
• AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
• AC-7 - Unsuccessful Logon Attempts
• AC-8 - System Use Notification
• AC-11 - Device Lock
• AC-11.1 - Pattern-hiding Displays
• AC-12 - Session Termination
• AC-14 - Permitted Actions Without Identification or Authentication
• AC-17 - Remote Access
• AC-17.1 - Monitoring and Control
• AC-17.2 - Protection of Confidentiality and Integrity Using Encryption
• AC-17.3 - Managed Access Control Points
• AC-17.4 - Privileged Commands and Access
• AC-18 - Wireless Access
• AC-18.1 - Authentication and Encryption
• AC-18.3 - Disable Wireless Networking
• AC-19 - Access Control for Mobile Devices
• AC-19.5 - Full Device or Container-based Encryption
• AC-20 - Use of External Systems
• AC-20.1 - Limits on Authorized Use
• AC-20.2 - Portable Storage Devices — Restricted Use
• AC-21 - Information Sharing
• AC-22 - Publicly Accessible Content

AT - Awareness and Training

• AT-1 - Policy and Procedures
• AT-2 - Literacy Training and Awareness
• AT-2.2 - Insider Threat
• AT-2.3 - Social Engineering and Mining
• AT-3 - Role-based Training
• AT-4 - Training Records

AU - Audit and Accountability

• AU-1 - Policy and Procedures
• AU-2 - Event Logging
• AU-3 - Content of Audit Records
• AU-3.1 - Additional Audit Information
• AU-4 - Audit Log Storage Capacity
• AU-5 - Response to Audit Logging Process Failures
• AU-6 - Audit Record Review, Analysis, and Reporting
• AU-6.1 - Automated Process Integration
• AU-6.3 - Correlate Audit Record Repositories
• AU-7 - Audit Record Reduction and Report Generation
• AU-7.1 - Automatic Processing
• AU-8 - Time Stamps
• AU-9 - Protection of Audit Information
• AU-9.4 - Access by Subset of Privileged Users
• AU-11 - Audit Record Retention
• AU-12 - Audit Record Generation

CA - Assessment, Authorization, and Monitoring

• CA-1 - Policy and Procedures
• CA-2 - Control Assessments
• CA-2.1 - Independent Assessors
• CA-2.3 - Leveraging Results from External Organizations
• CA-3 - Information Exchange
• CA-5 - Plan of Action and Milestones
• CA-6 - Authorization
• CA-7 - Continuous Monitoring
• CA-7.1 - Independent Assessment
• CA-7.4 - Risk Monitoring
• CA-8 - Penetration Testing
• CA-8.1 - Independent Penetration Testing Agent or Team
• CA-8.2 - Red Team Exercises
• CA-9 - Internal System Connections

CM - Configuration Management

• CM-1 - Policy and Procedures
• CM-2 - Baseline Configuration
• CM-2.2 - Automation Support for Accuracy and Currency
• CM-2.3 - Retention of Previous Configurations
• CM-2.7 - Configure Systems and Components for High-risk Areas
• CM-3 - Configuration Change Control
• CM-3.2 - Testing, Validation, and Documentation of Changes
• CM-3.4 - Security and Privacy Representatives
• CM-4 - Impact Analyses
• CM-4.2 - Verification of Controls
• CM-5 - Access Restrictions for Change
• CM-5.1 - Automated Access Enforcement and Audit Records
• CM-5.5 - Privilege Limitation for Production and Operation
• CM-6 - Configuration Settings
• CM-6.1 - Automated Management, Application, and Verification
• CM-7 - Least Functionality
• CM-7.1 - Periodic Review
• CM-7.2 - Prevent Program Execution
• CM-7.5 - Authorized Software — Allow-by-exception
• CM-8 - System Component Inventory
• CM-8.1 - Updates During Installation and Removal
• CM-8.3 - Automated Unauthorized Component Detection
• CM-9 - Configuration Management Plan
• CM-10 - Software Usage Restrictions
• CM-11 - User-installed Software
• CM-12 - Information Location
• CM-12.1 - Automated Tools to Support Information Location

CP - Contingency Planning

• CP-1 - Policy and Procedures
• CP-2 - Contingency Plan
• CP-2.1 - Coordinate with Related Plans
• CP-2.3 - Resume Mission and Business Functions
• CP-2.8 - Identify Critical Assets
• CP-3 - Contingency Training
• CP-4 - Contingency Plan Testing
• CP-4.1 - Coordinate with Related Plans
• CP-6 - Alternate Storage Site
• CP-6.1 - Separation from Primary Site
• CP-6.3 - Accessibility
• CP-7 - Alternate Processing Site
• CP-7.1 - Separation from Primary Site
• CP-7.2 - Accessibility
• CP-7.3 - Priority of Service
• CP-8 - Telecommunications Services
• CP-8.1 - Priority of Service Provisions
• CP-8.2 - Single Points of Failure
• CP-9 - System Backup
• CP-9.1 - Testing for Reliability and Integrity
• CP-9.8 - Cryptographic Protection
• CP-10 - System Recovery and Reconstitution
• CP-10.2 - Transaction Recovery

IA - Identification and Authentication

• IA-1 - Policy and Procedures
• IA-2 - Identification and Authentication (Organizational Users)
• IA-2.1 - Multi-factor Authentication to Privileged Accounts
• IA-2.2 - Multi-factor Authentication to Non-privileged Accounts
• IA-2.5 - Individual Authentication with Group Authentication
• IA-2.6 - Access to Accounts —separate Device
• IA-2.8 - Access to Accounts — Replay Resistant
• IA-2.12 - Acceptance of PIV Credentials
• IA-3 - Device Identification and Authentication
• IA-4 - Identifier Management
• IA-4.4 - Identify User Status
• IA-5 - Authenticator Management
• IA-5.1 - Password-based Authentication
• IA-5.2 - Public Key-based Authentication
• IA-5.6 - Protection of Authenticators
• IA-5.7 - No Embedded Unencrypted Static Authenticators
• IA-6 - Authentication Feedback
• IA-7 - Cryptographic Module Authentication
• IA-8 - Identification and Authentication (Non-organizational Users)
• IA-8.1 - Acceptance of PIV Credentials from Other Agencies
• IA-8.2 - Acceptance of External Authenticators
• IA-8.4 - Use of Defined Profiles
• IA-11 - Re-authentication
• IA-12 - Identity Proofing
• IA-12.2 - Identity Evidence
• IA-12.3 - Identity Evidence Validation and Verification
• IA-12.5 - Address Confirmation

IR - Incident Response

• IR-1 - Policy and Procedures
• IR-2 - Incident Response Training
• IR-3 - Incident Response Testing
• IR-3.2 - Coordination with Related Plans
• IR-4 - Incident Handling
• IR-4.1 - Automated Incident Handling Processes
• IR-5 - Incident Monitoring
• IR-6 - Incident Reporting
• IR-6.1 - Automated Reporting
• IR-6.3 - Supply Chain Coordination
• IR-7 - Incident Response Assistance
• IR-7.1 - Automation Support for Availability of Information and Support
• IR-8 - Incident Response Plan
• IR-9 - Information Spillage Response
• IR-9.2 - Training
• IR-9.3 - Post-spill Operations
• IR-9.4 - Exposure to Unauthorized Personnel

MA - Maintenance

• MA-1 - Policy and Procedures
• MA-2 - Controlled Maintenance
• MA-3 - Maintenance Tools
• MA-3.1 - Inspect Tools
• MA-3.2 - Inspect Media
• MA-3.3 - Prevent Unauthorized Removal
• MA-4 - Nonlocal Maintenance
• MA-5 - Maintenance Personnel
• MA-5.1 - Individuals Without Appropriate Access
• MA-6 - Timely Maintenance

MP - Media Protection

• MP-1 - Policy and Procedures
• MP-2 - Media Access
• MP-3 - Media Marking
• MP-4 - Media Storage
• MP-5 - Media Transport
• MP-6 - Media Sanitization
• MP-7 - Media Use

PE - Physical and Environmental Protection

• PE-1 - Policy and Procedures
• PE-2 - Physical Access Authorizations
• PE-3 - Physical Access Control
• PE-4 - Access Control for Transmission
• PE-5 - Access Control for Output Devices
• PE-6 - Monitoring Physical Access
• PE-6.1 - Intrusion Alarms and Surveillance Equipment
• PE-8 - Visitor Access Records
• PE-9 - Power Equipment and Cabling
• PE-10 - Emergency Shutoff
• PE-11 - Emergency Power
• PE-12 - Emergency Lighting
• PE-13 - Fire Protection
• PE-13.1 - Detection Systems — Automatic Activation and Notification
• PE-13.2 - Suppression Systems — Automatic Activation and Notification
• PE-14 - Environmental Controls
• PE-15 - Water Damage Protection
• PE-16 - Delivery and Removal
• PE-17 - Alternate Work Site

PL - Planning

• PL-1 - Policy and Procedures
• PL-2 - System Security and Privacy Plans
• PL-4 - Rules of Behavior
• PL-4.1 - Social Media and External Site/Application Usage Restrictions
• PL-8 - Security and Privacy Architectures
• PL-10 - Baseline Selection
• PL-11 - Baseline Tailoring

PS - Personnel Security

• PS-1 - Policy and Procedures
• PS-2 - Position Risk Designation
• PS-3 - Personnel Screening
• PS-3.3 - Information Requiring Special Protective Measures
• PS-4 - Personnel Termination
• PS-5 - Personnel Transfer
• PS-6 - Access Agreements
• PS-7 - External Personnel Security
• PS-8 - Personnel Sanctions
• PS-9 - Position Descriptions

RA - Risk Assessment

• RA-1 - Policy and Procedures
• RA-2 - Security Categorization
• RA-3 - Risk Assessment
• RA-3.1 - Supply Chain Risk Assessment
• RA-5 - Vulnerability Monitoring and Scanning
• RA-5.2 - Update Vulnerabilities to Be Scanned
• RA-5.3 - Breadth and Depth of Coverage
• RA-5.5 - Privileged Access
• RA-5.11 - Public Disclosure Program
• RA-7 - Risk Response
• RA-9 - Criticality Analysis

SA - System and Services Acquisition

• SA-1 - Policy and Procedures
• SA-2 - Allocation of Resources
• SA-3 - System Development Life Cycle
• SA-4 - Acquisition Process
• SA-4.1 - Functional Properties of Controls
• SA-4.2 - Design and Implementation Information for Controls
• SA-4.9 - Functions, Ports, Protocols, and Services in Use
• SA-4.10 - Use of Approved PIV Products
• SA-5 - System Documentation
• SA-8 - Security and Privacy Engineering Principles
• SA-9 - External System Services
• SA-9.1 - Risk Assessments and Organizational Approvals
• SA-9.2 - Identification of Functions, Ports, Protocols, and Services
• SA-9.5 - Processing, Storage, and Service Location
• SA-10 - Developer Configuration Management
• SA-11 - Developer Testing and Evaluation
• SA-11.1 - Static Code Analysis
• SA-11.2 - Threat Modeling and Vulnerability Analyses
• SA-15 - Development Process, Standards, and Tools
• SA-15.3 - Criticality Analysis
• SA-22 - Unsupported System Components

SC - System and Communications Protection

• SC-1 - Policy and Procedures
• SC-2 - Separation of System and User Functionality
• SC-4 - Information in Shared System Resources
• SC-5 - Denial-of-service Protection
• SC-7 - Boundary Protection
• SC-7.3 - Access Points
• SC-7.4 - External Telecommunications Services
• SC-7.5 - Deny by Default — Allow by Exception
• SC-7.7 - Split Tunneling for Remote Devices
• SC-7.8 - Route Traffic to Authenticated Proxy Servers
• SC-7.12 - Host-based Protection
• SC-7.18 - Fail Secure
• SC-8 - Transmission Confidentiality and Integrity
• SC-8.1 - Cryptographic Protection
• SC-10 - Network Disconnect
• SC-12 - Cryptographic Key Establishment and Management
• SC-13 - Cryptographic Protection
• SC-15 - Collaborative Computing Devices and Applications
• SC-17 - Public Key Infrastructure Certificates
• SC-18 - Mobile Code
• SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
• SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
• SC-22 - Architecture and Provisioning for Name/Address Resolution Service
• SC-23 - Session Authenticity
• SC-28 - Protection of Information at Rest
• SC-28.1 - Cryptographic Protection
• SC-39 - Process Isolation
• SC-45 - System Time Synchronization
• SC-45.1 - Synchronization with Authoritative Time Source

SI - System and Information Integrity

• SI-1 - Policy and Procedures
• SI-2 - Flaw Remediation
• SI-2.2 - Automated Flaw Remediation Status
• SI-2.3 - Time to Remediate Flaws and Benchmarks for Corrective Actions
• SI-3 - Malicious Code Protection
• SI-4 - System Monitoring
• SI-4.1 - System-wide Intrusion Detection System
• SI-4.2 - Automated Tools and Mechanisms for Real-time Analysis
• SI-4.4 - Inbound and Outbound Communications Traffic
• SI-4.5 - System-generated Alerts
• SI-4.16 - Correlate Monitoring Information
• SI-4.18 - Analyze Traffic and Covert Exfiltration
• SI-4.23 - Host-based Devices
• SI-5 - Security Alerts, Advisories, and Directives
• SI-6 - Security and Privacy Function Verification
• SI-7 - Software, Firmware, and Information Integrity
• SI-7.1 - Integrity Checks
• SI-7.7 - Integration of Detection and Response
• SI-8 - Spam Protection
• SI-8.2 - Automatic Updates
• SI-10 - Information Input Validation
• SI-11 - Error Handling
• SI-12 - Information Management and Retention
• SI-16 - Memory Protection

SR - Supply Chain Risk Management

• SR-1 - Policy and Procedures
• SR-2 - Supply Chain Risk Management Plan
• SR-2.1 - Establish SCRM Team
• SR-3 - Supply Chain Controls and Processes
• SR-5 - Acquisition Strategies, Tools, and Methods
• SR-6 - Supplier Assessments and Reviews
• SR-8 - Notification Agreements
• SR-10 - Inspection of Systems or Components
• SR-11 - Component Authenticity
• SR-11.1 - Anti-counterfeit Training
• SR-11.2 - Configuration Control for Component Service and Repair
• SR-12 - Component Disposal