NIST SP 800-53 Rev. 5
NIST SP 800-53 provides a catalog of security and privacy controls for information systems and organizations. It is the primary control catalog for US federal agencies and is widely used in the private sector. Rev. 5 integrated privacy controls and added supply chain risk management controls.
Issuing Body: National Institute of Standards and Technology (NIST)
Version: Rev. 5
Published: 2020-09-23
Controls: 28
Mapped Laws: 35
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| AC-1 | Access Control Policy and Procedures | Develop, document, and disseminate an access control policy and procedures that facilitate the implementation of the access control policy and associated controls. | — | defined |
| AC-2 | Account Management | Manage system accounts including establishing, activating, modifying, reviewing, disabling, and removing accounts. Employ automated mechanisms to support account management. | — | managed |
| AC-3 | Access Enforcement | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | — | managed |
| AC-17 | Remote Access | Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. Authorize remote access prior to allowing connections. | — | managed |
| AU-2 | Event Logging | Identify the types of events that the system is capable of logging in support of the audit function. Coordinate with other entities requiring audit-related information to enhance mutual support. | — | managed |
| AU-6 | Audit Record Review, Analysis, and Reporting | Review and analyze system audit records for indications of inappropriate or unusual activity. Report findings to designated officials. Adjust the level of audit review, analysis, and reporting within the system when there is a change in risk. | — | managed |
| CA-2 | Control Assessments | Select the appropriate assessor or assessment team and assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome. | — | defined |
| CA-7 | Continuous Monitoring | Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy. | — | managed |
| CM-2 | Baseline Configuration | Develop, document, and maintain under configuration control a current baseline configuration of the system. Review and update the baseline configuration at defined frequencies. | — | managed |
| CM-6 | Configuration Settings | Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements. | — | managed |
| CP-9 | System Backup | Conduct backups of user-level information, system-level information, and system documentation at defined frequencies. Protect the confidentiality, integrity, and availability of backup information. | — | managed |
| IA-2 | Identification and Authentication (Organizational Users) | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. Implement multi-factor authentication for access to privileged accounts. | — | managed |
| IA-5 | Authenticator Management | Manage system authenticators by verifying the identity of the individual, group, role, service, or device receiving the authenticator as part of initial authenticator distribution. | — | managed |
| IR-4 | Incident Handling | Implement an incident handling capability for incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Coordinate incident handling activities with contingency planning activities. | — | managed |
| IR-5 | Incident Monitoring | Track and document incidents. Employ automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. | — | managed |
| MA-2 | Controlled Maintenance | Schedule, document, and review records of maintenance, repair, and replacement on system components. Approve and monitor all maintenance activities, whether performed on site or remotely. | — | defined |
| MP-5 | Media Transport | Protect and control digital and non-digital media during transport outside controlled areas using defined security safeguards. Maintain accountability for media during transport outside of controlled areas. | — | managed |
| PE-3 | Physical Access Control | Enforce physical access authorizations at defined entry and exit points to the facility where the system resides. Verify individual access authorizations before granting access to the facility. | — | managed |
| PL-2 | System Security and Privacy Plans | Develop security and privacy plans for the system that describe the security and privacy requirements for the system and the controls in place or planned for meeting those requirements. | — | defined |
| PS-3 | Personnel Screening | Screen individuals prior to authorizing access to the system. Rescreen individuals at defined frequencies and when defined circumstances warrant rescreening. | — | defined |
| RA-3 | Risk Assessment | Conduct a risk assessment, including the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification, or destruction of the system and the information it processes, stores, or transmits. | — | managed |
| RA-5 | Vulnerability Monitoring and Scanning | Monitor and scan for vulnerabilities in the system and hosted applications at defined frequencies and when new vulnerabilities potentially affecting the system are identified and reported. | — | managed |
| SA-11 | Developer Testing and Evaluation | Require the developer of the system, system component, or system service to implement a security and privacy assessment plan and conduct unit, integration, system, and regression testing/evaluation. | — | managed |
| SC-7 | Boundary Protection | Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. Implement subnetworks for publicly accessible system components. | — | managed |
| SC-8 | Transmission Confidentiality and Integrity | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by alternative physical safeguards. | — | managed |
| SI-2 | Flaw Remediation | Identify, report, and correct information system flaws. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation. | — | managed |
| SI-3 | Malicious Code Protection | Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. Update malicious code protection mechanisms whenever new releases are available. | — | managed |
| SI-4 | System Monitoring | Monitor the system to detect attacks and indicators of potential attacks, and unauthorized local, network, and remote connections. Identify unauthorized use of the system. | — | managed |