NIST Special Publication 800-53 Rev. 5 Security Controls

National Institute of Standards and Technology security and privacy controls for federal information systems. 20 control families covering every aspect of information security.

Severity summary: 7 critical, 24 high, 10 medium

AC-2 (high)

Account Management

Define and enforce account management processes including account types, conditions, attributes, and authorization.

AC-3 (high)

Access Enforcement

Enforce approved authorizations for access to information and systems using RBAC.

AC-6 (high)

Least Privilege

Employ the principle of least privilege, allowing only authorized access necessary for users to accomplish assigned tasks.

CM-6 (medium)

Configuration Settings

Establish and enforce security configuration settings for IT products and systems.

SC-7 (critical)

Boundary Protection

Monitor and control communications at external and key internal boundaries of the system.

SC-12 (high)

Cryptographic Key Management

Establish and manage cryptographic keys used in the system.

SI-4 (high)

System Monitoring

Monitor the system to detect attacks, indicators of compromise, and unauthorized connections.

AC-7 (NIST-AC-007, high)

Unsuccessful Logon Attempts

Enforce a limit on consecutive invalid logon attempts; automatically lock the account / node / device when the limit is exceeded.

AC-17 (NIST-AC-017, high)

Remote Access

Establish and document usage restrictions, configuration requirements, connection requirements, and implementation guidance for each type of remote access allowed.

AU-2 (NIST-AU-002, high)

Event Logging

Identify the types of events that the system is capable of logging; specify the event types that the organization deems necessary to be logged.

AU-6 (NIST-AU-006, high)

Audit Record Review, Analysis, and Reporting

Review and analyze audit records for indications of inappropriate or unusual activity; report findings to designated personnel.

CA-7 (NIST-CA-007, high)

Continuous Monitoring

Develop a continuous monitoring strategy and implement a continuous monitoring program for the system.

CM-2 (NIST-CM-002, high)

Baseline Configuration

Develop, document, and maintain a current baseline configuration of the system.

CM-7 (NIST-CM-007, medium)

Least Functionality

Configure the system to provide only essential capabilities and prohibit or restrict the use of unnecessary functions, ports, protocols, and services.

CM-8 (NIST-CM-008, high)

System Component Inventory

Develop and document an inventory of system components that accurately reflects the system, includes all components within the authorization boundary, and is at the level of granularity deemed necessary.

CP-9 (NIST-CP-009, critical)

System Backup

Conduct backups of user-level information, system-level information, and system documentation; protect backups from unauthorized modification.

IA-2 (NIST-IA-002, critical)

Identification and Authentication (Organizational Users)

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

IA-5 (NIST-IA-005, high)

Authenticator Management

Manage system authenticators (passwords, tokens, cryptographic keys) including initial distribution, periodic rotation, and protection against compromise.

IR-4 (NIST-IR-004, critical)

Incident Handling

Implement an incident handling capability for security incidents including preparation, detection and analysis, containment, eradication, and recovery.

IR-6 (NIST-IR-006, high)

Incident Reporting

Require personnel to report suspected security incidents within established time frames; report security incident information to authorities.

RA-3 (NIST-RA-003, high)

Risk Assessment

Conduct risk assessments of the system; document risk assessment results; review and update assessments periodically.

SA-11 (NIST-SA-011, high)

Developer Testing and Evaluation

Require developers to perform unit, integration, system, and regression testing including static analysis (SAST) and dynamic analysis (DAST) of code.

SC-8 (NIST-SC-008, critical)

Transmission Confidentiality and Integrity

Protect the confidentiality and integrity of transmitted information.

SC-28 (NIST-SC-028, critical)

Protection of Information at Rest

Protect the confidentiality and integrity of information at rest.

SI-2 (NIST-SI-002, critical)

Flaw Remediation

Identify, report, and correct flaws in the system; install security-relevant software and firmware updates within timelines based on flaw criticality.

AU-9 (NIST-AU-009, high)

Protection of Audit Information

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

SR-3 (NIST-SR-003, high)

Supply Chain Controls and Processes

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes.

CP-2 (NIST-CP-002, high)

Contingency Plan

Develop a contingency plan for the system that identifies essential missions and business functions, recovery objectives, restoration priorities, and metrics.

PE-3 (NIST-PE-003, medium)

Physical Access Control

Enforce physical access authorizations for entry into facilities containing the system.

AT-2 (NIST-AT-002, medium)

Literacy Training and Awareness

Provide security and privacy literacy training to system users (including managers, executives, contractors) based on assigned roles and responsibilities.

AU-3 (NIST-AU-003, medium)

Content of Audit Records

Generate audit records containing information that establishes: what type of event occurred, when the event occurred, where the event occurred, source of the event, outcome of the event, and identity of involved subjects.

IA-4 (NIST-IA-004, medium)

Identifier Management

Manage system identifiers — selecting, assigning, disabling, archiving identifiers — to prevent the reassignment of identifiers to other individuals.

IR-8 (NIST-IR-008, high)

Incident Response Plan

Develop an incident response plan that provides the organization with a roadmap for implementing its incident response capability; review and update at least annually.

MA-2 (NIST-MA-002, medium)

Controlled Maintenance

Schedule, document, and review records of maintenance, repair, or replacement of system components; sanitize equipment to remove information prior to maintenance, removal, or disposal.

MP-7 (NIST-MP-007, medium)

Media Use Restrictions

Restrict or prohibit the use of removable digital media (USB drives, external SSDs, CDs) on organizational systems.

PS-3 (NIST-PS-003, medium)

Personnel Screening

Screen individuals prior to authorizing access to the system; rescreen individuals based on conditions requiring rescreening.

RA-5 (NIST-RA-005, high)

Vulnerability Monitoring and Scanning

Monitor and scan for vulnerabilities in the system; analyze scan reports; remediate or document acceptance of vulnerabilities.

SC-13 (NIST-SC-013, high)

Cryptographic Protection

Determine the types of cryptography required for protecting the system; implement them using FIPS-validated cryptography for federal systems.

SI-3 (NIST-SI-003, high)

Malicious Code Protection

Implement signature-based and non-signature-based malicious code protection mechanisms at system entry and exit points; periodically update the protection mechanisms.

SI-7 (NIST-SI-007, high)

Software, Firmware, and Information Integrity

Employ integrity-verification tools to detect unauthorized changes to software, firmware, and information; respond to detected violations.

SR-11 (NIST-SR-011, medium)

Component Authenticity

Develop and implement anti-counterfeit policies and procedures; train personnel to detect counterfeit components.