NIST SP 800-53:CONTROLS STANDARD [PDF]

 
ID Family Class
CA SECURITY ASSESSMENT AND AUTHORIZATION MANAGEMENT
PL PLANNING MANAGEMENT
PM PROGRAM MANAGEMENT MANAGEMENT
RA RISK ASSESSMENT MANAGEMENT
SA SYSTEM AND SERVICES ACQUISITION MANAGEMENT

 
ID Family Class
AC ACCESS CONTROL TECHNICAL
AU AUDIT AND ACCOUNTABILITY TECHNICAL
IA IDENTIFICATION AND AUTHENTICATION TECHNICAL
SC SYSTEM AND COMMUNICATIONS PROTECTION TECHNICAL

 
ID Family Class
AT AWARENESS AND TRAINING OPERATIONAL
CM CONFIGURATION MANAGEMENT OPERATIONAL
CP CONTINGENCY PLANNING OPERATIONAL
IR INCIDENT RESPONSE OPERATIONAL
MA MAINTENANCE OPERATIONAL
MP MEDIA PROTECTION OPERATIONAL
PE PHYSICAL AND ENVIRONMENTAL PROTECTION OPERATIONAL
PS PERSONNEL SECURITY OPERATIONAL
SI SYSTEM AND INFORMATION INTEGRITY OPERATIONAL

 
 
ID Name Priority LOW MOD HIGH
AC-1 ACCESS CONTROL POLICY AND PROCEDURES P1    AC-1    AC-1    AC-1
AC-2 ACCOUNT MANAGEMENT P1    AC-2    AC-2 (1) (2) (3) (4)    AC-2 (1) (2) (3) (4)
AC-3 ACCESS ENFORCEMENT P1    AC-3    AC-3    AC-3
AC-4 INFORMATION FLOW ENFORCEMENT P1    Not Selected    AC-4    AC-4
AC-5 SEPARATION OF DUTIES P1    Not Selected    AC-5    AC-5
AC-6 LEAST PRIVILEGE P1    Not Selected    AC-6 (1) (2)    AC-6 (1) (2)
AC-7 UNSUCCESSFUL LOGIN ATTEMPTS P2    AC-7    AC-7    AC-7
AC-8 SYSTEM USE NOTIFICATION P1    AC-8    AC-8    AC-8
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION P0    Not Selected    Not Selected    Not Selected
AC-10 CONCURRENT SESSION CONTROL P2    Not Selected    Not Selected    AC-10
AC-11 SESSION LOCK P3    Not Selected    AC-11    AC-11
AC-12 SESSION TERMINATION ---    ---    ---    ---
AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL ---    ---    ---    ---
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION P1    AC-14    AC-14 (1)    AC-14 (1)
AC-15 AUTOMATED MARKING ---    ---    ---    ---
AC-16 SECURITY ATTRIBUTES P0    Not Selected    Not Selected    Not Selected
AC-17 REMOTE ACCESS P1    AC-17    AC-17 (1) (2) (3) (4) (5) (7) (8)    AC-17 (1) (2) (3) (4) (5) (7) (8)
AC-18 WIRELESS ACCESS P1    AC-18    AC-18 (1)    AC-18 (1) (2) (4) (5)
AC-19 ACCESS CONTROL FOR MOBILE DEVICES P1    AC-19    AC-19 (1) (2) (3)    AC-19 (1) (2) (3)
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS P1    AC-20    AC-20 (1) (2)    AC-20 (1) (2)
AC-21 USER-BASED COLLABORATION AND INFORMATION SHARING P0    Not Selected    Not Selected    Not Selected
AC-22 PUBLICLY ACCESSIBLE CONTENT P2    AC-22    AC-22    AC-22
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES P1    AT-1    AT-1    AT-1
AT-2 SECURITY AWARENESS P1    AT-2    AT-2    AT-2
AT-3 SECURITY TRAINING P1    AT-3    AT-3    AT-3
AT-4 SECURITY TRAINING RECORDS P3    AT-4    AT-4    AT-4
AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS P0    Not Selected    Not Selected    Not Selected
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES P1    AU-1    AU-1    AU-1
AU-2 AUDITABLE EVENTS P1    AU-2    AU-2 (3) (4)    AU-2 (3) (4)
AU-3 CONTENT OF AUDIT RECORDS P1    AU-3    AU-3 (1)    AU-3 (1) (2)
AU-4 AUDIT STORAGE CAPACITY P1    AU-4    AU-4    AU-4
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES P1    AU-5    AU-5    AU-5 (1) (2)
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING P1    AU-6    AU-6    AU-6 (1)
AU-7 AUDIT REDUCTION AND REPORT GENERATION P2    Not Selected    AU-7 (1)    AU-7 (1)
AU-8 TIME STAMPS P1    AU-8    AU-8 (1)    AU-8 (1)
AU-9 PROTECTION OF AUDIT INFORMATION P1    AU-9    AU-9    AU-9
AU-10 NON-REPUDIATION P1    Not Selected    Not Selected    AU-10
AU-11 AUDIT RECORD RETENTION P3    AU-11    AU-11    AU-11
AU-12 AUDIT GENERATION P1    AU-12    AU-12    AU-12 (1)
AU-13 MONITORING FOR INFORMATION DISCLOSURE P0    Not Selected    Not Selected    Not Selected
AU-14 SESSION AUDIT P0    Not Selected    Not Selected    Not Selected
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES P1    CA-1    CA-1    CA-1
CA-2 SECURITY ASSESSMENTS P2    CA-2    CA-2 (1)    CA-2 (1) (2)
CA-3 INFORMATION SYSTEM CONNECTIONS P1    CA-3    CA-3    CA-3
CA-4 SECURITY CERTIFICATION ---    ---    ---    ---
CA-5 PLAN OF ACTION AND MILESTONES P3    CA-5    CA-5    CA-5
CA-6 SECURITY AUTHORIZATION P3    CA-6    CA-6    CA-6
CA-7 CONTINUOUS MONITORING P3    CA-7    CA-7    CA-7
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES P1    CM-1    CM-1    CM-1
CM-2 BASELINE CONFIGURATION P1    CM-2    CM-2 (1) (3) (4)    CM-2 (1) (2) (3) (5) (6)
CM-3 CONFIGURATION CHANGE CONTROL P1    Not Selected    CM-3 (2)    CM-3 (1) (2)
CM-4 SECURITY IMPACT ANALYSIS P2    CM-4    CM-4    CM-4 (1)
CM-5 ACCESS RESTRICTIONS FOR CHANGE P1    Not Selected    CM-5    CM-5 (1) (2) (3)
CM-6 CONFIGURATION SETTINGS P1    CM-6    CM-6 (3)    CM-6 (1) (2) (3)
CM-7 LEAST FUNCTIONALITY P1    CM-7    CM-7 (1)    CM-7 (1) (2)
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY P1    CM-8    CM-8 (1) (5)    CM-8 (1) (2) (3) (4) (5)
CM-9 CONFIGURATION MANAGEMENT PLAN P1    Not Selected    CM-9    CM-9
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES P1    CP-1    CP-1    CP-1
CP-2 CONTINGENCY PLAN P1    CP-2    CP-2 (1)    CP-2 (1) (2) (3)
CP-3 CONTINGENCY TRAINING P2    CP-3    CP-3    CP-3 (1)
CP-4 CONTINGENCY PLAN TESTING AND EXERCISES P2    CP-4    CP-4 (1)    CP-4 (1) (2) (4)
CP-5 CONTINGENCY PLAN UPDATE ---    ---    ---    ---
CP-6 ALTERNATE STORAGE SITE P1    Not Selected    CP-6 (1) (3)    CP-6 (1) (2) (3)
CP-7 ALTERNATE PROCESSING SITE P1    Not Selected    CP-7 (1) (2) (3) (5)    CP-7 (1) (2) (3) (4) (5)
CP-8 TELECOMMUNICATIONS SERVICES P1    Not Selected    CP-8 (1) (2)    CP-8 (1) (2) (3) (4)
CP-9 INFORMATION SYSTEM BACKUP P1    CP-9    CP-9 (1)    CP-9 (1) (2) (3)
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION P1    CP-10    CP-10 (2) (3)    CP-10 (2) (3) (4)
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES P1    IA-1    IA-1    IA-1
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) P1    IA-2 (1)    IA-2 (1) (2) (3) (8)    IA-2 (1) (2) (3) (4) (8) (9)
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION P1    Not Selected    IA-3    IA-3
IA-4 IDENTIFIER MANAGEMENT P1    IA-4    IA-4    IA-4
IA-5 AUTHENTICATOR MANAGEMENT P1    IA-5 (1)    IA-5 (1) (2) (3)    IA-5 (1) (2) (3)
IA-6 AUTHENTICATOR FEEDBACK P1    IA-6    IA-6    IA-6
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION P1    IA-7    IA-7    IA-7
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) P1    IA-8    IA-8    IA-8
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES P1    IR-1    IR-1    IR-1
IR-2 INCIDENT RESPONSE TRAINING P2    IR-2    IR-2    IR-2 (1) (2)
IR-3 INCIDENT RESPONSE TESTING AND EXERCISES P2    Not Selected    IR-3    IR-3 (1)
IR-4 INCIDENT HANDLING P1    IR-4    IR-4 (1)    IR-4 (1)
IR-5 INCIDENT MONITORING P1    IR-5    IR-5    IR-5 (1)
IR-6 INCIDENT REPORTING P1    IR-6    IR-6 (1)    IR-6 (1)
IR-7 INCIDENT RESPONSE ASSISTANCE P3    IR-7    IR-7 (1)    IR-7 (1)
IR-8 INCIDENT RESPONSE PLAN P1    IR-8    IR-8    IR-8
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES P1    MA-1    MA-1    MA-1
MA-2 CONTROLLED MAINTENANCE P2    MA-2    MA-2 (1)    MA-2 (1) (2)
MA-3 MAINTENANCE TOOLS P2    Not Selected    MA-3 (1) (2)    MA-3 (1) (2) (3)
MA-4 NON-LOCAL MAINTENANCE P1    MA-4    MA-4 (1) (2)    MA-4 (1) (2) (3)
MA-5 MAINTENANCE PERSONNEL P1    MA-5    MA-5    MA-5
MA-6 TIMELY MAINTENANCE P1    Not Selected    MA-6    MA-6
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES P1    MP-1    MP-1    MP-1
MP-2 MEDIA ACCESS P1    MP-2    MP-2 (1)    MP-2 (1)
MP-3 MEDIA MARKING P1    Not Selected    MP-3    MP-3
MP-4 MEDIA STORAGE P1    Not Selected    MP-4    MP-4
MP-5 MEDIA TRANSPORT P1    Not Selected    MP-5 (2) (4)    MP-5 (2) (3) (4)
MP-6 MEDIA SANITIZATION P1    MP-6    MP-6    MP-6 (1) (2) (3)
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES P1    PE-1    PE-1    PE-1
PE-2 PHYSICAL ACCESS AUTHORIZATIONS P1    PE-2    PE-2    PE-2
PE-3 PHYSICAL ACCESS CONTROL P1    PE-3    PE-3    PE-3 (1)
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM P1    Not Selected    PE-4    PE-4
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES P1    Not Selected    PE-5    PE-5
PE-6 MONITORING PHYSICAL ACCESS P1    PE-6    PE-6 (1)    PE-6 (1) (2)
PE-7 VISITOR CONTROL P1    PE-7    PE-7 (1)    PE-7 (1)
PE-8 ACCESS RECORDS P3    PE-8    PE-8    PE-8 (1) (2)
PE-9 POWER EQUIPMENT AND POWER CABLING P1    Not Selected    PE-9    PE-9
PE-10 EMERGENCY SHUTOFF P1    Not Selected    PE-10    PE-10
PE-11 EMERGENCY POWER P1    Not Selected    PE-11    PE-11 (1)
PE-12 EMERGENCY LIGHTING P1    PE-12    PE-12    PE-12
PE-13 FIRE PROTECTION P1    PE-13    PE-13 (1) (2) (3)    PE-13 (1) (2) (3)
PE-14 TEMPERATURE AND HUMIDITY CONTROLS P1    PE-14    PE-14    PE-14
PE-15 WATER DAMAGE PROTECTION P1    PE-15    PE-15    PE-15 (1)
PE-16 DELIVERY AND REMOVAL P1    PE-16    PE-16    PE-16
PE-17 ALTERNATE WORK SITE P1    Not Selected    PE-17    PE-17
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS P2    Not Selected    PE-18    PE-18 (1)
PE-19 INFORMATION LEAKAGE P0    Not Selected    Not Selected    Not Selected
PL-1 SECURITY PLANNING POLICY AND PROCEDURES P1    PL-1    PL-1    PL-1
PL-2 SYSTEM SECURITY PLAN P1    PL-2    PL-2    PL-2
PL-3 SYSTEM SECURITY PLAN UPDATE ---    ---    ---    ---
PL-4 RULES OF BEHAVIOR P1    PL-4    PL-4    PL-4
PL-5 PRIVACY IMPACT ASSESSMENT P1    PL-5    PL-5    PL-5
PL-6 SECURITY-RELATED ACTIVITY PLANNING P3    Not Selected    PL-6    PL-6
PM-1 INFORMATION SECURITY PROGRAM PLAN P1    PM-1    PM-1    PM-1
PM-2 SENIOR INFORMATION SECURITY OFFICER P1    PM-2    PM-2    PM-2
PM-3 INFORMATION SECURITY RESOURCES P1    PM-3    PM-3    PM-3
PM-4 PLAN OF ACTION AND MILESTONES PROCESS P1    PM-4    PM-4    PM-4
PM-5 INFORMATION SYSTEM INVENTORY P1    PM-5    PM-5    PM-5
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE P1    PM-6    PM-6    PM-6
PM-7 ENTERPRISE ARCHITECTURE P1    PM-7    PM-7    PM-7
PM-8 CRITICAL INFRASTRUCTURE PLAN P1    PM-8    PM-8    PM-8
PM-9 RISK MANAGEMENT STRATEGY P1    PM-9    PM-9    PM-9
PM-10 SECURITY AUTHORIZATION PROCESS P1    PM-10    PM-10    PM-10
PM-11 MISSION/BUSINESS PROCESS DEFINITION P1    PM-11    PM-11    PM-11
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES P1    PS-1    PS-1    PS-1
PS-2 POSITION CATEGORIZATION P1    PS-2    PS-2    PS-2
PS-3 PERSONNEL SCREENING P1    PS-3    PS-3    PS-3
PS-4 PERSONNEL TERMINATION P2    PS-4    PS-4    PS-4
PS-5 PERSONNEL TRANSFER P2    PS-5    PS-5    PS-5
PS-6 ACCESS AGREEMENTS P3    PS-6    PS-6    PS-6
PS-7 THIRD-PARTY PERSONNEL SECURITY P1    PS-7    PS-7    PS-7
PS-8 PERSONNEL SANCTIONS P3    PS-8    PS-8    PS-8
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES P1    RA-1    RA-1    RA-1
RA-2 SECURITY CATEGORIZATION P1    RA-2    RA-2    RA-2
RA-3 RISK ASSESSMENT P1    RA-3    RA-3    RA-3
RA-4 RISK ASSESSMENT UPDATE ---    ---    ---    ---
RA-5 VULNERABILITY SCANNING P1    RA-5    RA-5 (1)    RA-5 (1) (2) (3) (4) (5) (7)
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES P1    SA-1    SA-1    SA-1
SA-2 ALLOCATION OF RESOURCES P1    SA-2    SA-2    SA-2
SA-3 LIFE CYCLE SUPPORT P1    SA-3    SA-3    SA-3
SA-4 ACQUISITIONS P1    SA-4    SA-4 (1) (4)    SA-4 (1) (2) (4)
SA-5 INFORMATION SYSTEM DOCUMENTATION P2    SA-5    SA-5 (1) (3)    SA-5 (1) (2) (3)
SA-6 SOFTWARE USAGE RESTRICTIONS P1    SA-6    SA-6    SA-6
SA-7 USER-INSTALLED SOFTWARE P1    SA-7    SA-7    SA-7
SA-8 SECURITY ENGINEERING PRINCIPLES P1    Not Selected    SA-8    SA-8
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES P1    SA-9    SA-9    SA-9
SA-10 DEVELOPER CONFIGURATION MANAGEMENT P1    Not Selected    SA-10    SA-10
SA-11 DEVELOPER SECURITY TESTING P2    Not Selected    SA-11    SA-11
SA-12 SUPPLY CHAIN PROTECTION P1    Not Selected    Not Selected    SA-12
SA-13 TRUSTWORTHINESS P1    Not Selected    Not Selected    SA-13
SA-14 CRITICAL INFORMATION SYSTEM COMPONENTS P0    Not Selected    Not Selected    Not Selected
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES P1    SC-1    SC-1    SC-1
SC-2 APPLICATION PARTITIONING P1    Not Selected    SC-2    SC-2
SC-3 SECURITY FUNCTION ISOLATION P1    Not Selected    Not Selected    SC-3
SC-4 INFORMATION IN SHARED RESOURCES P1    Not Selected    SC-4    SC-4
SC-5 DENIAL OF SERVICE PROTECTION P1    SC-5    SC-5    SC-5
SC-6 RESOURCE PRIORITY P0    Not Selected    Not Selected    Not Selected
SC-7 BOUNDARY PROTECTION P1    SC-7    SC-7 (1) (2) (3) (4) (5) (7)    SC-7 (1) (2) (3) (4) (5) (6) (7) (8)
SC-8 TRANSMISSION INTEGRITY P1    Not Selected    SC-8 (1)    SC-8 (1)
SC-9 TRANSMISSION CONFIDENTIALITY P1    Not Selected    SC-9 (1)    SC-9 (1)
SC-10 NETWORK DISCONNECT P2    Not Selected    SC-10    SC-10
SC-11 TRUSTED PATH P0    Not Selected    Not Selected    Not Selected
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT P1    SC-12    SC-12    SC-12 (1)
SC-13 USE OF CRYPTOGRAPHY P1    SC-13    SC-13    SC-13
SC-14 PUBLIC ACCESS PROTECTIONS P1    SC-14    SC-14    SC-14
SC-15 COLLABORATIVE COMPUTING DEVICES P1    SC-15    SC-15    SC-15
SC-16 TRANSMISSION OF SECURITY ATTRIBUTES P0    Not Selected    Not Selected    Not Selected
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES P1    Not Selected    SC-17    SC-17
SC-18 MOBILE CODE P1    Not Selected    SC-18    SC-18
SC-19 VOICE OVER INTERNET PROTOCOL P1    Not Selected    SC-19    SC-19
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) P1    SC-20 (1)    SC-20 (1)    SC-20 (1)
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) P1    Not Selected    Not Selected    SC-21
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE P1    Not Selected    SC-22    SC-22
SC-23 SESSION AUTHENTICITY P1    Not Selected    SC-23    SC-23
SC-24 FAIL IN KNOWN STATE P1    Not Selected    Not Selected    SC-24
SC-25 THIN NODES P0    Not Selected    Not Selected    Not Selected
SC-26 HONEYPOTS P0    Not Selected    Not Selected    Not Selected
SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS P0    Not Selected    Not Selected    Not Selected
SC-28 PROTECTION OF INFORMATION AT REST P1    Not Selected    SC-28    SC-28
SC-29 HETEROGENEITY P0    Not Selected    Not Selected    Not Selected
SC-30 VIRTUALIZATION TECHNIQUES P0    Not Selected    Not Selected    Not Selected
SC-31 COVERT CHANNEL ANALYSIS P0    Not Selected    Not Selected    Not Selected
SC-32 INFORMATION SYSTEM PARTITIONING P1    Not Selected    SC-32    SC-32
SC-33 TRANSMISSION PREPARATION INTEGRITY P0    Not Selected    Not Selected    Not Selected
SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS P0    Not Selected    Not Selected    Not Selected
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES P1    SI-1    SI-1    SI-1
SI-2 FLAW REMEDIATION P1    SI-2    SI-2 (2)    SI-2 (1) (2)
SI-3 MALICIOUS CODE PROTECTION P1    SI-3    SI-3 (1) (2) (3)    SI-3 (1) (2) (3)
SI-4 INFORMATION SYSTEM MONITORING P1    Not Selected    SI-4 (2) (4) (5) (6)    SI-4 (2) (4) (5) (6)
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES P1    SI-5    SI-5    SI-5 (1)
SI-6 SECURITY FUNCTIONALITY VERIFICATION P1    Not Selected    Not Selected    SI-6
SI-7 SOFTWARE AND INFORMATION INTEGRITY P1    Not Selected    SI-7 (1)    SI-7 (1) (2)
SI-8 SPAM PROTECTION P1    Not Selected    SI-8    SI-8 (1)
SI-9 INFORMATION INPUT RESTRICTIONS P2    Not Selected    SI-9    SI-9
SI-10 INFORMATION INPUT VALIDATION P1    Not Selected    SI-10    SI-10
SI-11 ERROR HANDLING P2    Not Selected    SI-11    SI-11
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION P2    SI-12    SI-12    SI-12
SI-13 PREDICTABLE FAILURE PREVENTION P0    Not Selected    Not Selected    Not Selected


NIST Special Publication 800-53: This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.

This document was produced from an export of the database beta application released with NIST SP 800-53 REV 3.
The text is unchanged from the information contained in the database. You are free to use this material under the same terms provided by NIST.
Attribution for this arrangement of the material would be appreciated.
Tim Hudson - tjh@cryptsoft.com