NIST Special Publication 800-53 Revision 5

From SecWiki

The full title of the specification is NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations.

Baselines

Security baselines in the NIST Special Publication 800-53 Revision 5 specification:

Control families

Control families in the NIST Special Publication 800-53 Revision 5 specification:

Controls

Controls in the NIST Special Publication 800-53 Revision 5 specification, excluding retired controls:

Title | Identifier | Control family
Access Control: Policy and Procedures | AC-1 | AC
Access Control: Account Management | AC-2 | AC
Access Control: Access Enforcement | AC-3 | AC
Access Control: Information Flow Enforcement | AC-4 | AC
Access Control: Separation of Duties | AC-5 | AC
Access Control: Least Privilege | AC-6 | AC
Access Control: Unsuccessful Logon Attempts | AC-7 | AC
Access Control: System Use Notification | AC-8 | AC
Access Control: Previous Logon Notification | AC-9 | AC
Access Control: Concurrent Session Control | AC-10 | AC
Access Control: Device Lock | AC-11 | AC
Access Control: Session Termination | AC-12 | AC
Access Control: Permitted Actions Without Identification or Authentication | AC-14 | AC
Access Control: Security and Privacy Attributes | AC-16 | AC
Access Control: Remote Access | AC-17 | AC
Access Control: Wireless Access | AC-18 | AC
Access Control: Access Control for Mobile Devices | AC-19 | AC
Access Control: Use of External Systems | AC-20 | AC
Access Control: Information Sharing | AC-21 | AC
Access Control: Publicly Accessible Content | AC-22 | AC
Access Control: Data Mining Protection | AC-23 | AC
Access Control: Access Control Decisions | AC-24 | AC
Access Control: Reference Monitor | AC-25 | AC
Awareness and Training: Policy and Procedures | AT-1 | AT
Awareness and Training: Literacy Training and Awareness | AT-2 | AT
Awareness and Training: Role-based Training | AT-3 | AT
Awareness and Training: Training Records | AT-4 | AT
Awareness and Training: Training Feedback | AT-6 | AT
Audit and Accountability: Policy and Procedures | AU-1 | AU
Audit and Accountability: Event Logging | AU-2 | AU
Audit and Accountability: Content of Audit Records | AU-3 | AU
Audit and Accountability: Audit Log Storage Capacity | AU-4 | AU
Audit and Accountability: Response to Audit Logging Process Failures | AU-5 | AU
Audit and Accountability: Audit Record Review, Analysis, and Reporting | AU-6 | AU
Audit and Accountability: Audit Record Reduction and Report Generation | AU-7 | AU
Audit and Accountability: Time Stamps | AU-8 | AU
Audit and Accountability: Protection of Audit Information | AU-9 | AU
Audit and Accountability: Non-repudiation | AU-10 | AU
Audit and Accountability: Audit Record Retention | AU-11 | AU
Audit and Accountability: Audit Record Generation | AU-12 | AU
Audit and Accountability: Monitoring for Information Disclosure | AU-13 | AU
Audit and Accountability: Session Audit | AU-14 | AU
Audit and Accountability: Cross-organizational Audit Logging | AU-16 | AU
Assessment, Authorization, and Monitoring: Policy and Procedures | CA-1 | CA
Assessment, Authorization, and Monitoring: Control Assessments | CA-2 | CA
Assessment, Authorization, and Monitoring: Information Exchange | CA-3 | CA
Assessment, Authorization, and Monitoring: Plan of Action and Milestones | CA-5 | CA
Assessment, Authorization, and Monitoring: Authorization | CA-6 | CA
Assessment, Authorization, and Monitoring: Continuous Monitoring | CA-7 | CA
Assessment, Authorization, and Monitoring: Penetration Testing | CA-8 | CA
Assessment, Authorization, and Monitoring: Internal System Connections | CA-9 | CA
Configuration Management: Policy and Procedures | CM-1 | CM
Configuration Management: Baseline Configuration | CM-2 | CM
Configuration Management: Configuration Change Control | CM-3 | CM
Configuration Management: Impact Analyses | CM-4 | CM
Configuration Management: Access Restrictions for Change | CM-5 | CM
Configuration Management: Configuration Settings | CM-6 | CM
Configuration Management: Least Functionality | CM-7 | CM
Configuration Management: System Component Inventory | CM-8 | CM
Configuration Management: Configuration Management Plan | CM-9 | CM
Configuration Management: Software Usage Restrictions | CM-10 | CM
Configuration Management: User-installed Software | CM-11 | CM
Configuration Management: Information Location | CM-12 | CM
Configuration Management: Data Action Mapping | CM-13 | CM
Configuration Management: Signed Components | CM-14 | CM
Contingency Planning: Policy and Procedures | CP-1 | CP
Contingency Planning: Contingency Plan | CP-2 | CP
Contingency Planning: Contingency Training | CP-3 | CP
Contingency Planning: Contingency Plan Testing | CP-4 | CP
Contingency Planning: Alternate Storage Site | CP-6 | CP
Contingency Planning: Alternate Processing Site | CP-7 | CP
Contingency Planning: Telecommunications Services | CP-8 | CP
Contingency Planning: System Backup | CP-9 | CP
Contingency Planning: System Recovery and Reconstitution | CP-10 | CP
Contingency Planning: Alternate Communications Protocols | CP-11 | CP
Contingency Planning: Safe Mode | CP-12 | CP
Contingency Planning: Alternative Security Mechanisms | CP-13 | CP
Identification and Authentication: Policy and Procedures | IA-1 | IA
Identification and Authentication: Identification and Authentication (Organizational Users) | IA-2 | IA
Identification and Authentication: Device Identification and Authentication | IA-3 | IA
Identification and Authentication: Identifier Management | IA-4 | IA
Identification and Authentication: Authenticator Management | IA-5 | IA
Identification and Authentication: Authentication Feedback | IA-6 | IA
Identification and Authentication: Cryptographic Module Authentication | IA-7 | IA
Identification and Authentication: Identification and Authentication (Non-organizational Users) | IA-8 | IA
Identification and Authentication: Service Identification and Authentication | IA-9 | IA
Identification and Authentication: Adaptive Authentication | IA-10 | IA
Identification and Authentication: Re-authentication | IA-11 | IA
Identification and Authentication: Identity Proofing | IA-12 | IA
Incident Response: Policy and Procedures | IR-1 | IR
Incident Response: Incident Response Training | IR-2 | IR
Incident Response: Incident Response Testing | IR-3 | IR
Incident Response: Incident Handling | IR-4 | IR
Incident Response: Incident Monitoring | IR-5 | IR
Incident Response: Incident Reporting | IR-6 | IR
Incident Response: Incident Response Assistance | IR-7 | IR
Incident Response: Incident Response Plan | IR-8 | IR
Incident Response: Information Spillage Response | IR-9 | IR
Maintenance: Policy and Procedures | MA-1 | MA
Maintenance: Controlled Maintenance | MA-2 | MA
Maintenance: Maintenance Tools | MA-3 | MA
Maintenance: Nonlocal Maintenance | MA-4 | MA
Maintenance: Maintenance Personnel | MA-5 | MA
Maintenance: Timely Maintenance | MA-6 | MA
Maintenance: Field Maintenance | MA-7 | MA
Media Protection: Policy and Procedures | MP-1 | MP
Media Protection: Media Access | MP-2 | MP
Media Protection: Media Marking | MP-3 | MP
Media Protection: Media Storage | MP-4 | MP
Media Protection: Media Transport | MP-5 | MP
Media Protection: Media Sanitization | MP-6 | MP
Media Protection: Media Use | MP-7 | MP
Media Protection: Media Downgrading | MP-8 | MP
Physical and Environmental Protection: Policy and Procedures | PE-1 | PE
Physical and Environmental Protection: Physical Access Authorizations | PE-2 | PE
Physical and Environmental Protection: Physical Access Control | PE-3 | PE
Physical and Environmental Protection: Access Control for Transmission | PE-4 | PE
Physical and Environmental Protection: Access Control for Output Devices | PE-5 | PE
Physical and Environmental Protection: Monitoring Physical Access | PE-6 | PE
Physical and Environmental Protection: Visitor Access Records | PE-8 | PE
Physical and Environmental Protection: Power Equipment and Cabling | PE-9 | PE
Physical and Environmental Protection: Emergency Shutoff | PE-10 | PE
Physical and Environmental Protection: Emergency Power | PE-11 | PE
Physical and Environmental Protection: Emergency Lighting | PE-12 | PE
Physical and Environmental Protection: Fire Protection | PE-13 | PE
Physical and Environmental Protection: Environmental Controls | PE-14 | PE
Physical and Environmental Protection: Water Damage Protection | PE-15 | PE
Physical and Environmental Protection: Delivery and Removal | PE-16 | PE
Physical and Environmental Protection: Alternate Work Site | PE-17 | PE
Physical and Environmental Protection: Location of System Components | PE-18 | PE
Physical and Environmental Protection: Information Leakage | PE-19 | PE
Physical and Environmental Protection: Asset Monitoring and Tracking | PE-20 | PE
Physical and Environmental Protection: Electromagnetic Pulse Protection | PE-21 | PE
Physical and Environmental Protection: Component Marking | PE-22 | PE
Physical and Environmental Protection: Facility Location | PE-23 | PE
Planning: Policy and Procedures | PL-1 | PL
Planning: System Security and Privacy Plans | PL-2 | PL
Planning: Rules of Behavior | PL-4 | PL
Planning: Concept of Operations | PL-7 | PL
Planning: Security and Privacy Architectures | PL-8 | PL
Planning: Central Management | PL-9 | PL
Planning: Baseline Selection | PL-10 | PL
Planning: Baseline Tailoring | PL-11 | PL
Program Management: Information Security Program Plan | PM-1 | PM
Program Management: Information Security Program Leadership Role | PM-2 | PM
Program Management: Information Security and Privacy Resources | PM-3 | PM
Program Management: Plan of Action and Milestones Process | PM-4 | PM
Program Management: System Inventory | PM-5 | PM
Program Management: Measures of Performance | PM-6 | PM
Program Management: Enterprise Architecture | PM-7 | PM
Program Management: Critical Infrastructure Plan | PM-8 | PM
Program Management: Risk Management Strategy | PM-9 | PM
Program Management: Authorization Process | PM-10 | PM
Program Management: Mission and Business Process Definition | PM-11 | PM
Program Management: Insider Threat Program | PM-12 | PM
Program Management: Security and Privacy Workforce | PM-13 | PM
Program Management: Testing, Training, and Monitoring | PM-14 | PM
Program Management: Security and Privacy Groups and Associations | PM-15 | PM
Program Management: Threat Awareness Program | PM-16 | PM
Program Management: Protecting Controlled Unclassified Information on External Systems | PM-17 | PM
Program Management: Privacy Program Plan | PM-18 | PM
Program Management: Privacy Program Leadership Role | PM-19 | PM
Program Management: Dissemination of Privacy Program Information | PM-20 | PM
Program Management: Accounting of Disclosures | PM-21 | PM
Program Management: Personally Identifiable Information Quality Management | PM-22 | PM
Program Management: Data Governance Body | PM-23 | PM
Program Management: Data Integrity Board | PM-24 | PM
Program Management: Minimization of Personally Identifiable Information Used in Testing, Training, and Research | PM-25 | PM
Program Management: Complaint Management | PM-26 | PM
Program Management: Privacy Reporting | PM-27 | PM
Program Management: Risk Framing | PM-28 | PM
Program Management: Risk Management Program Leadership Roles | PM-29 | PM
Program Management: Supply Chain Risk Management Strategy | PM-30 | PM
Program Management: Continuous Monitoring Strategy | PM-31 | PM
Program Management: Purposing | PM-32 | PM
Personnel Security: Policy and Procedures | PS-1 | PS
Personnel Security: Position Risk Designation | PS-2 | PS
Personnel Security: Personnel Screening | PS-3 | PS
Personnel Security: Personnel Termination | PS-4 | PS
Personnel Security: Personnel Transfer | PS-5 | PS
Personnel Security: Access Agreements | PS-6 | PS
Personnel Security: External Personnel Security | PS-7 | PS
Personnel Security: Personnel Sanctions | PS-8 | PS
Personnel Security: Position Descriptions | PS-9 | PS
Personally Identifiable Information Processing and Transparency: Policy and Procedures | PT-1 | PT
Personally Identifiable Information Processing and Transparency: Authority to Process Personally Identifiable Information | PT-2 | PT
Personally Identifiable Information Processing and Transparency: Personally Identifiable Information Processing Purposes | PT-3 | PT
Personally Identifiable Information Processing and Transparency: Consent | PT-4 | PT
Personally Identifiable Information Processing and Transparency: Privacy Notice | PT-5 | PT
Personally Identifiable Information Processing and Transparency: System of Records Notice | PT-6 | PT
Personally Identifiable Information Processing and Transparency: Specific Categories of Personally Identifiable Information | PT-7 | PT
Personally Identifiable Information Processing and Transparency: Computer Matching Requirements | PT-8 | PT
Risk Assessment: Policy and Procedures | RA-1 | RA
Risk Assessment: Security Categorization | RA-2 | RA
Risk Assessment: Risk Assessment | RA-3 | RA
Risk Assessment: Vulnerability Monitoring and Scanning | RA-5 | RA
Risk Assessment: Technical Surveillance Countermeasures Survey | RA-6 | RA
Risk Assessment: Risk Response | RA-7 | RA
Risk Assessment: Privacy Impact Assessments | RA-8 | RA
Risk Assessment: Criticality Analysis | RA-9 | RA
Risk Assessment: Threat Hunting | RA-10 | RA
System and Services Acquisition: Policy and Procedures | SA-1 | SA
System and Services Acquisition: Allocation of Resources | SA-2 | SA
System and Services Acquisition: System Development Life Cycle | SA-3 | SA
System and Services Acquisition: Acquisition Process | SA-4 | SA
System and Services Acquisition: System Documentation | SA-5 | SA
System and Services Acquisition: Security and Privacy Engineering Principles | SA-8 | SA
System and Services Acquisition: External System Services | SA-9 | SA
System and Services Acquisition: Developer Configuration Management | SA-10 | SA
System and Services Acquisition: Developer Testing and Evaluation | SA-11 | SA
System and Services Acquisition: Development Process, Standards, and Tools | SA-15 | SA
System and Services Acquisition: Developer-provided Training | SA-16 | SA
System and Services Acquisition: Developer Security and Privacy Architecture and Design | SA-17 | SA
System and Services Acquisition: Customized Development of Critical Components | SA-20 | SA
System and Services Acquisition: Developer Screening | SA-21 | SA
System and Services Acquisition: Unsupported System Components | SA-22 | SA
System and Services Acquisition: Specialization | SA-23 | SA
System and Communications Protection: Policy and Procedures | SC-1 | SC
System and Communications Protection: Separation of System and User Functionality | SC-2 | SC
System and Communications Protection: Security Function Isolation | SC-3 | SC
System and Communications Protection: Information in Shared System Resources | SC-4 | SC
System and Communications Protection: Denial-of-service Protection | SC-5 | SC
System and Communications Protection: Resource Availability | SC-6 | SC
System and Communications Protection: Boundary Protection | SC-7 | SC
System and Communications Protection: Transmission Confidentiality and Integrity | SC-8 | SC
System and Communications Protection: Network Disconnect | SC-10 | SC
System and Communications Protection: Trusted Path | SC-11 | SC
System and Communications Protection: Cryptographic Key Establishment and Management | SC-12 | SC
System and Communications Protection: Cryptographic Protection | SC-13 | SC
System and Communications Protection: Collaborative Computing Devices and Applications | SC-15 | SC
System and Communications Protection: Transmission of Security and Privacy Attributes | SC-16 | SC
System and Communications Protection: Public Key Infrastructure Certificates | SC-17 | SC
System and Communications Protection: Mobile Code | SC-18 | SC
System and Communications Protection: Secure Name/Address Resolution Service (Authoritative Source) | SC-20 | SC
System and Communications Protection: Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC-21 | SC
System and Communications Protection: Architecture and Provisioning for Name/Address Resolution Service | SC-22 | SC
System and Communications Protection: Session Authenticity | SC-23 | SC
System and Communications Protection: Fail in Known State | SC-24 | SC
System and Communications Protection: Thin Nodes | SC-25 | SC
System and Communications Protection: Decoys | SC-26 | SC
System and Communications Protection: Platform-independent Applications | SC-27 | SC
System and Communications Protection: Protection of Information at Rest | SC-28 | SC
System and Communications Protection: Heterogeneity | SC-29 | SC
System and Communications Protection: Concealment and Misdirection | SC-30 | SC
System and Communications Protection: Covert Channel Analysis | SC-31 | SC
System and Communications Protection: System Partitioning | SC-32 | SC
System and Communications Protection: Non-modifiable Executable Programs | SC-34 | SC
System and Communications Protection: External Malicious Code Identification | SC-35 | SC
System and Communications Protection: Distributed Processing and Storage | SC-36 | SC
System and Communications Protection: Out-of-band Channels | SC-37 | SC
System and Communications Protection: Operations Security | SC-38 | SC
System and Communications Protection: Process Isolation | SC-39 | SC
System and Communications Protection: Wireless Link Protection | SC-40 | SC
System and Communications Protection: Port and I/O Device Access | SC-41 | SC
System and Communications Protection: Sensor Capability and Data | SC-42 | SC
System and Communications Protection: Usage Restrictions | SC-43 | SC
System and Communications Protection: Detonation Chambers | SC-44 | SC
System and Communications Protection: System Time Synchronization | SC-45 | SC
System and Communications Protection: Cross Domain Policy Enforcement | SC-46 | SC
System and Communications Protection: Alternate Communications Paths | SC-47 | SC
System and Communications Protection: Sensor Relocation | SC-48 | SC
System and Communications Protection: Hardware-enforced Separation and Policy Enforcement | SC-49 | SC
System and Communications Protection: Software-enforced Separation and Policy Enforcement | SC-50 | SC
System and Communications Protection: Hardware-based Protection | SC-51 | SC
System and Information Integrity: Policy and Procedures | SI-1 | SI
System and Information Integrity: Flaw Remediation | SI-2 | SI
System and Information Integrity: Malicious Code Protection | SI-3 | SI
System and Information Integrity: System Monitoring | SI-4 | SI
System and Information Integrity: Security Alerts, Advisories, and Directives | SI-5 | SI
System and Information Integrity: Security and Privacy Function Verification | SI-6 | SI
System and Information Integrity: Software, Firmware, and Information Integrity | SI-7 | SI
System and Information Integrity: Spam Protection | SI-8 | SI
System and Information Integrity: Information Input Validation | SI-10 | SI
System and Information Integrity: Error Handling | SI-11 | SI
System and Information Integrity: Information Management and Retention | SI-12 | SI
System and Information Integrity: Predictable Failure Prevention | SI-13 | SI
System and Information Integrity: Non-persistence | SI-14 | SI
System and Information Integrity: Information Output Filtering | SI-15 | SI
System and Information Integrity: Memory Protection | SI-16 | SI
System and Information Integrity: Fail-safe Procedures | SI-17 | SI
System and Information Integrity: Personally Identifiable Information Quality Operations | SI-18 | SI
System and Information Integrity: De-identification | SI-19 | SI
System and Information Integrity: Tainting | SI-20 | SI
System and Information Integrity: Information Refresh | SI-21 | SI
System and Information Integrity: Information Diversity | SI-22 | SI
System and Information Integrity: Information Fragmentation | SI-23 | SI
Supply Chain Risk Management: Policy and Procedures | SR-1 | SR
Supply Chain Risk Management: Supply Chain Risk Management Plan | SR-2 | SR
Supply Chain Risk Management: Supply Chain Controls and Processes | SR-3 | SR
Supply Chain Risk Management: Provenance | SR-4 | SR
Supply Chain Risk Management: Acquisition Strategies, Tools, and Methods | SR-5 | SR
Supply Chain Risk Management: Supplier Assessments and Reviews | SR-6 | SR
Supply Chain Risk Management: Supply Chain Operations Security | SR-7 | SR
Supply Chain Risk Management: Notification Agreements | SR-8 | SR
Supply Chain Risk Management: Tamper Resistance and Detection | SR-9 | SR
Supply Chain Risk Management: Inspection of Systems or Components | SR-10 | SR
Supply Chain Risk Management: Component Authenticity | SR-11 | SR
Supply Chain Risk Management: Component Disposal | SR-12 | SR