
Cloud Controls Matrix (CCM) R1.2
Column layout (flattened in extraction):
Control Area | Control ID | Control Specification | Control Notes
Architectural Relevance: Phys, Network, Compute, Storage, App, Data
Corp Gov Relevance
Cloud Service Delivery Model Applicability: SaaS, PaaS, IaaS
Supplier Relationship: Service Provider, Tenant / Consumer
Scope Applicability: one column per mapped framework (the framework names follow the control specifications below)

Compliance - Audit Planning

CO-01

Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.

Compliance - Independent Audits

CO-02

Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (e.g., internal/external audits, certifications, vulnerability and penetration testing).

Compliance - Third Party Audits

CO-03

Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

Compliance - Contact / Authority Maintenance

CO-04

Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. Data, objects, applications, infrastructure and hardware may be assigned legislative domain and jurisdiction to facilitate proper compliance points of contact.

Compliance - Information System Regulatory Mapping

CO-05

Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements, and adapt to new mandates, shall be explicitly defined, documented, and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.

Compliance - Intellectual Property

CO-06

Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.

Data Governance - Ownership / Stewardship

DG-01

All data shall be designated with stewardship, with assigned responsibilities defined, documented and communicated.

Data Governance - Classification

DG-02

Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.

Data Governance - Handling / Labeling / Security Policy

DG-03

Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Data Governance - Retention Policy

DG-04

(v1.0) Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups must be implemented at planned intervals.

Control revision v1.1 rationale: Removed the specific reference to tape and disk backup as there are other media types.

Scope Applicability columns (mapped frameworks), first group: COBIT 4.1; HIPAA / HITECH Act; ISO/IEC 27001:2005; NIST SP 800-53 R3; FedRAMP Security Controls (Final Release, Jan 2012), Low Impact Level.

Data Governance - Secure Disposal

DG-05

Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

Data Governance - Non-Production Data

DG-06

Production data shall not be replicated or used in non-production environments.

Data Governance - Information Leakage

DG-07

Security mechanisms shall be implemented to prevent data leakage.

02/12/2015

Scope Applicability columns (mapped frameworks), second group: FedRAMP Security Controls (Final Release, Jan 2012), Moderate Impact Level; PCI DSS v2.0; BITS Shared Assessments SIG v6.0; BITS Shared Assessments AUP v5.0; GAPP (Aug 2009); Jericho Forum; NERC CIP.

Mapping cells for CO-01 through DG-07, regrouped by control row (extraction had flattened them column by column; FedRAMP cells are NIST SP 800-53 R3 control IDs).

CO-01 mappings:
COBIT 4.1: ME 2.1, ME 2.2, PO 9.5, PO 9.6
HIPAA / HITECH: 45 CFR 164.312(b)
ISO/IEC 27001:2005: Clause 4.2.3 e), Clause 4.2.3 b), Clause 5.1 g), Clause 6, A.15.3.1
NIST SP 800-53 R3: CA-2, CA-7, PL-6
FedRAMP Low: CA-2, CA-2 (1), CA-7
FedRAMP Moderate: CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6
PCI DSS v2.0: 2.1.2.b
BITS SIG v6.0: L.1, L.2, L.7, L.9, L.11
GAPP: 10.2.5
Jericho Forum: Commandment #1, #2, #3

CO-02 mappings:
COBIT 4.1: DS 5.5, ME 2.5, ME 3.1, PO 9.6
HIPAA / HITECH: 45 CFR 164.308(a)(8), 45 CFR 164.308(a)(1)(ii)(D)
ISO/IEC 27001:2005: Clause 4.2.3 e), Clause 5.1 g), Clause 5.2.1 d), Clause 6, A.6.1.8
NIST SP 800-53 R3: CA-1, CA-2, CA-6, RA-5
FedRAMP Low: CA-1, CA-2, CA-2 (1), CA-6, RA-5
FedRAMP Moderate: CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)
PCI DSS v2.0: 6.6, 11.2, 11.3, 12.1.2.b
BITS SIG v6.0: L.2, L.4, L.7, L.9, L.11
GAPP: 1.2.5, 1.2.7, 4.2.1, 8.2.7, 10.2.3, 10.2.5
Jericho Forum: Commandment #1, #2, #3

CO-03 mappings:
COBIT 4.1: ME 2.6, DS 2.1, DS 2.4
HIPAA / HITECH: 45 CFR 164.308(b)(1), 45 CFR 164.308(b)(4)
ISO/IEC 27001:2005: A.6.2.3, A.10.2.1, A.10.2.2, A.10.6.2
NIST SP 800-53 R3: CA-3, SA-9, SA-12, SC-7
FedRAMP Low: CA-3, SA-9, SC-7
FedRAMP Moderate: CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS v2.0: 2.4, 12.8.2, 12.8.3, 12.8.4, Appendix A
BITS SIG v6.0: C.2.4, C.2.6, G.4.1, G.4.2, L.2, L.4, L.7, L.11
BITS AUP v5.0: C.2
GAPP: 1.2.11, 4.2.3, 7.2.4, 10.2.3, 10.2.4
Jericho Forum: Commandment #1, #2, #3

CO-04 mappings:
COBIT 4.1: ME 3.1
ISO/IEC 27001:2005: A.6.1.6, A.6.1.7
NIST SP 800-53 R3: AT-5, IR-6, SI-5
FedRAMP Low: IR-6, SI-5
FedRAMP Moderate: IR-6, IR-6 (1), SI-5
PCI DSS v2.0: 11.1.e, 12.5.3, 12.9
BITS SIG v6.0: L.1
GAPP: 1.2.7, 10.1.1, 10.2.4
Jericho Forum: Commandment #1, #2, #3

CO-05 mappings:
COBIT 4.1: ME 3.1
ISO/IEC 27001:2005: Clause 4.2.1 b) 2), Clause 4.2.1 c) 1), Clause 4.2.1 g), Clause 4.2.3 d) 6), Clause 4.3.3, Clause 5.2.1 a) - f), Clause 7.3 c) 4), A.7.2.1, A.15.1.1, A.15.1.3, A.15.1.4, A.15.1.6
NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
FedRAMP Low: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
FedRAMP Moderate: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1
PCI DSS v2.0: 3.1, 3.1.1
BITS SIG v6.0: L.1, L.2, L.4, L.7, L.9
GAPP: 1.2.2, 1.2.4, 1.2.6, 1.2.11, 3.2.4, 5.2.1
Jericho Forum: Commandment #1, #2, #3

CO-06 mappings:
ISO/IEC 27001:2005: Clause 4.2.1, A.6.1.5, A.7.1.3, A.10.8.2, A.12.4.3, A.15.1.2
NIST SP 800-53 R3: SA-6, SA-7, PM-5
FedRAMP Low: SA-6, SA-7
FedRAMP Moderate: SA-6, SA-7
BITS SIG v6.0: L.4

DG-01 mappings:
ISO/IEC 27001:2005: A.6.1.3, A.7.1.2, A.15.1.4
NIST SP 800-53 R3: CA-2, PM-5, PS-2, RA-2, SA-2
FedRAMP Low: CA-2, CA-2 (1), PS-2, RA-2, SA-2
FedRAMP Moderate: CA-2, CA-2 (1), PS-2, RA-2, SA-2
BITS SIG v6.0: C.2.5.1, C.2.5.2, D.1.3, L.7
GAPP: 6.2.1
Jericho Forum: Commandment #6, #10
NERC CIP: CIP-007-3 R1.1, R1.2

DG-02 mappings:
COBIT 4.1: PO 2.3, DS 11.6
ISO/IEC 27001:2005: A.7.2.1
NIST SP 800-53 R3: RA-2, AC-4
FedRAMP Low: RA-2
FedRAMP Moderate: RA-2, AC-4
PCI DSS v2.0: 9.7.1, 9.10, 12.3
BITS SIG v6.0: D.1.3, D.2.2
GAPP: 1.2.3, 1.2.6, 4.1.2, 8.2.1, 8.2.5, 8.2.6
Jericho Forum: Commandment #9
NERC CIP: CIP-003-3 R4, R5

DG-03 mappings:
COBIT 4.1: PO 2.3, DS 11.6
ISO/IEC 27001:2005: A.7.2.2, A.10.7.1, A.10.7.3, A.10.8.1
NIST SP 800-53 R3: AC-16, MP-1, MP-3, PE-16, SI-12, SC-9
FedRAMP Low: AC-1, MP-1, PE-1, PE-16, SI-1, SI-12
FedRAMP Moderate: AC-1, AC-16, MP-1, MP-3, PE-16, SC-9, SC-9 (1), SI-1, SI-12
PCI DSS v2.0: 9.5, 9.6, 9.7.1, 9.7.2, 9.10
BITS SIG v6.0: D.2.2
GAPP: 1.1.2, 5.1.0, 7.1.2, 8.1.0, 8.2.5, 8.2.6
Jericho Forum: Commandment #8, #9, #10
NERC CIP: CIP-003-3 R4, R4.1

DG-04 mappings:
COBIT 4.1: DS 4.1, DS 4.2, DS 4.5, DS 4.9, DS 11.6
HIPAA / HITECH: 45 CFR 164.308(a)(7)(ii)(A), 45 CFR 164.310(d)(2)(iv), 45 CFR 164.308(a)(7)(ii)(D), 45 CFR 164.316(b)(2)(i) (New)
ISO/IEC 27001:2005: Clause 4.3.3, A.10.5.1, A.10.7.3
NIST SP 800-53 R3: CP-2, CP-6, CP-7, CP-8, CP-9, SI-12, AU-11
FedRAMP Low: CP-2, CP-9
FedRAMP Moderate: CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3)
PCI DSS v2.0: 3.1, 3.1.1, 3.2, 9.5, 9.6, 9.9.1, 10.7
BITS SIG v6.0: D.2.2.9
GAPP: 5.1.0, 5.1.1, 5.2.2, 8.2.6
Jericho Forum: Commandment #11
NERC CIP: CIP-003-3 R4.1

DG-05 mappings:
COBIT 4.1: DS 11.4
HIPAA / HITECH: 45 CFR 164.310(d)(2)(i), 45 CFR 164.310(d)(2)(ii)
ISO/IEC 27001:2005: A.9.2.6, A.10.7.2
NIST SP 800-53 R3: MP-6, PE-1
FedRAMP Low: MP-6, PE-1
FedRAMP Moderate: MP-6, MP-6 (4), PE-1
PCI DSS v2.0: 3.1, 3.1.1, 9.10, 9.10.1, 9.10.2
BITS SIG v6.0: D.2.2.10, D.2.2.11, D.2.2.14
GAPP: 5.1.0, 5.2.3
Jericho Forum: Commandment #11
NERC CIP: CIP-007-3 R7, R7.1, R7.2, R7.3

DG-06 mappings:
HIPAA / HITECH: 45 CFR 164.308(a)(4)(ii)(B)
ISO/IEC 27001:2005: A.7.1.3, A.10.1.4, A.12.4.2, A.12.5.1
NIST SP 800-53 R3: SA-11, CM-4
FedRAMP Low: SA-11
FedRAMP Moderate: SA-11, SA-11 (1)
PCI DSS v2.0: 6.4.3
BITS SIG v6.0: I.2.18
GAPP: 1.2.6
Jericho Forum: Commandment #9, #10, #11
NERC CIP: CIP-003-3 R6

DG-07 mappings:
ISO/IEC 27001:2005: A.10.6.2, A.12.5.4
NIST SP 800-53 R3: AC-2, AC-3, AC-4, AC-6, AC-11, AU-13, PE-19, SC-28, SA-8, SI-7
FedRAMP (a single list in the source; the enhancements it carries belong to the Moderate baseline): AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-4, AC-6, AC-6 (1), AC-6 (2), AC-11, AC-11 (1), SA-8, SC-28, SI-7, SI-7 (1)
BITS SIG v6.0: I.2.18
GAPP: 7.2.1, 8.1.0, 8.1.1, 8.2.1, 8.2.2, 8.2.5, 8.2.6
Jericho Forum: Commandment #4, #5, #6, #7, #8, #9, #10, #11

Displaced cells (by column order and content they belong to DG-01): COBIT 4.1: DS 5.1, PO 2.3; HIPAA / HITECH: 45 CFR 164.308(a)(2)

(v1.1) Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.

Data Governance - Secure Disposal (control area label for DG-05, displaced in extraction)


Displaced COBIT 4.1 cell (control row not recoverable from the extraction order): DS 11.6

1 of 421

Mapping cells whose control row was lost in extraction (page 1 spill-over):
FedRAMP: AC-1, AC-2, AC-3
PCI DSS v2.0: 1.2, 6.5.5, 11.1, 11.2, 11.3, 11.4, A.1
NERC CIP: CIP-003-3 R1.3, R4.3; CIP-004-3 R4, R4.2; CIP-005-3a R1, R1.1, R1.2; CIP-001-1a R3, R4
Jericho Forum: Commandment #1, #2, #3
BITS SIG v6.0: G.13

Copyright 2010, Cloud Security Alliance


Mapping cells for DG-08, FS-01 and FS-02, regrouped by control row (FedRAMP cells are NIST SP 800-53 R3 control IDs).

DG-08 mappings:
COBIT 4.1: PO 9.1, PO 9.2, PO 9.4, DS 5.7
HIPAA / HITECH: 45 CFR 164.308(a)(1)(ii)(A), 45 CFR 164.308(a)(8)
ISO/IEC 27001:2005: Clause 4.2.1 c) & g), Clause 4.2.3 d), Clause 4.3.1 & 4.3.3, Clause 7.2 & 7.3, A.7.2, A.15.1.1, A.15.1.3, A.15.1.4
NIST SP 800-53 R3: CA-3, RA-2, RA-3, MP-8, PM-9, SI-12
FedRAMP Low: CA-3, RA-2, RA-3, SI-12
FedRAMP Moderate: CA-3, RA-2, RA-3, SI-12
PCI DSS v2.0: 12.1, 12.1.2
BITS SIG v6.0: L.4, L.5, L.6, L.7
GAPP: 1.2.4, 8.2.1
Jericho Forum: Commandment #1, #2, #3, #6, #7, #9, #10, #11

FS-01 mappings:
COBIT 4.1: DS 5.7, DS 12.1, DS 12.4, DS 4.9
HIPAA / HITECH: 45 CFR 164.310(a)(1), 45 CFR 164.310(a)(2)(ii), 45 CFR 164.308(a)(3)(ii)(A), 45 CFR 164.310(a)(2)(iii) (New)
ISO/IEC 27001:2005: A.5.1.1, A.9.1.3, A.9.1.5
NIST SP 800-53 R3: CA-2, PE-1, PE-6, PE-7, PE-8
FedRAMP Low: CA-2, CA-2 (1), PE-1, PE-6, PE-7, PE-8
FedRAMP Moderate: CA-2, CA-2 (1), PE-1, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8
PCI DSS v2.0: 9.1, 9.2, 9.3, 9.4
BITS SIG v6.0: F.1.1, F.1.2, F.1.3, F.1.4, F.1.5, F.1.6, F.1.7, F.1.8, F.1.9, F.2.1 through F.2.20 (all twenty listed individually in the source)
BITS AUP v5.0: F.2
GAPP: 8.1.0, 8.1.1, 8.2.1
Jericho Forum: Commandment #1, #2, #3, #5

FS-02 mappings:
HIPAA / HITECH: 45 CFR 164.310(a)(1), 45 CFR 164.310(a)(2)(ii), 45 CFR 164.310(b), 45 CFR 164.310(c) (New)
ISO/IEC 27001:2005: A.9.1.1, A.9.1.2
NIST SP 800-53 R3: PE-2, PE-3, PE-4, PE-5, PE-6
FedRAMP Low: PE-2, PE-3, PE-6
FedRAMP Moderate: PE-2, PE-3, PE-4, PE-5, PE-6, PE-6 (1)
PCI DSS v2.0: 9.1
BITS SIG v6.0: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.4.2, F.1.4.6, F.1.4.7, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
BITS AUP v5.0: H.6
GAPP: 8.2.1, 8.2.2, 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4, R2, R2.2


Data Governance - Risk Assessments

DG-08

Risk assessments associated with data governance requirements shall be conducted at planned intervals considering the following:
- Awareness of where sensitive data is stored and transmitted across applications, databases, servers and network infrastructure
- Compliance with defined retention periods and end-of-life disposal requirements
- Data classification and protection from unauthorized use, access, loss, destruction, and falsification

Facility Security - Policy

FS-01

Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.

Facility Security - User Access

FS-02

Physical access to information assets and functions by users and support personnel shall be restricted.

Facility Security - Controlled Access Points

FS-03

Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.

FS-03 mappings (FedRAMP cells are NIST SP 800-53 R3 control IDs):
COBIT 4.1: DS 12.3
ISO/IEC 27001:2005: A.9.1.1
NIST SP 800-53 R3: PE-2, PE-3, PE-6, PE-18
FedRAMP Low: PE-2, PE-3, PE-6
FedRAMP Moderate: PE-2, PE-3, PE-6, PE-6 (1), PE-18
PCI DSS v2.0: 9.1
BITS SIG v6.0: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
BITS AUP v5.0: F.2
GAPP: 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4, R1.6, R1.6.1, R2, R2.2

Facility Security - Secure Area Authorization

FS-04

Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

FS-04 mappings (FedRAMP cells are NIST SP 800-53 R3 control IDs):
COBIT 4.1: DS 12.2, DS 12.3
ISO/IEC 27001:2005: A.9.1.1, A.9.1.2
NIST SP 800-53 R3: PE-2, PE-3, PE-6, PE-7, PE-8, PE-18
FedRAMP Low: PE-2, PE-3, PE-6, PE-7, PE-8
FedRAMP Moderate: PE-2, PE-3, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8, PE-18
PCI DSS v2.0: 9.1, 9.1.1, 9.1.2, 9.1.3, 9.2
BITS SIG v6.0: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
BITS AUP v5.0: F.2
GAPP: 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4, R1.6, R1.6.1, R2, R2.2

Mapping cells for FS-05 through HR-01, regrouped by control row (FedRAMP cells are NIST SP 800-53 R3 control IDs).

FS-05 mappings:
COBIT 4.1: DS 12.3
ISO/IEC 27001:2005: A.9.1.6
NIST SP 800-53 R3: PE-7, PE-16, PE-18
FedRAMP Low: PE-7, PE-16
FedRAMP Moderate: PE-7, PE-7 (1), PE-16, PE-18
BITS SIG v6.0: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
BITS AUP v5.0: F.2
GAPP: 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4

FS-06 mappings:
HIPAA / HITECH: 45 CFR 164.310(d)(1)
ISO/IEC 27001:2005: A.9.2.7, A.10.1.2
NIST SP 800-53 R3: MA-1, MA-2, PE-16
FedRAMP Low: MA-1, MA-2, PE-16
FedRAMP Moderate: MA-1, MA-2, MA-2 (1), PE-16
BITS SIG v6.0: F.2.18
GAPP: 8.2.5, 8.2.6
Jericho Forum: Commandment #6, #7

FS-07 mappings:
HIPAA / HITECH: 45 CFR 164.310(c), 45 CFR 164.310(d)(1), 45 CFR 164.310(d)(2)(i)
ISO/IEC 27001:2005: A.9.2.5, A.9.2.6
NIST SP 800-53 R3: AC-17, MA-1, PE-1, PE-16, PE-17
FedRAMP Low: AC-17, MA-1, PE-1, PE-16
FedRAMP Moderate: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), MA-1, PE-1, PE-16, PE-17
PCI DSS v2.0: 9.8, 9.9, 9.10
BITS SIG v6.0: F.2.18, F.2.19

FS-08 mappings:
HIPAA / HITECH: 45 CFR 164.310(d)(2)(iii)
ISO/IEC 27001:2005: A.7.1.1, A.7.1.2
NIST SP 800-53 R3: CM-8
FedRAMP Low: CM-8
FedRAMP Moderate: CM-8, CM-8 (1), CM-8 (3), CM-8 (5)
PCI DSS v2.0: 9.9.1, 12.3.3, 12.3.4
BITS SIG v6.0: D.1.1, D.2.1, D.2.2
BITS AUP v5.0: D.1

HR-01 mappings:
ISO/IEC 27001:2005: A.8.1.2
NIST SP 800-53 R3: PS-2, PS-3
FedRAMP Low: PS-2, PS-3
FedRAMP Moderate: PS-2, PS-3
PCI DSS v2.0: 12.7, 12.8.3
BITS SIG v6.0: E.2
BITS AUP v5.0: E.2
GAPP: 1.2.9
Jericho Forum: Commandment #2, #3, #6, #9

Trailing cell groups (the right-hand columns of HR-02, HR-03, IS-01 and IS-02, which the column-wise extraction placed here; attribution inferred from column order):
HR-02 (tail): PCI DSS v2.0: 12.4, 12.8.2; BITS SIG v6.0: E.3.5; BITS AUP v5.0: C.1; GAPP: 1.2.9, 8.2.6; Jericho Forum: Commandment #6, #7
HR-03 (tail): BITS SIG v6.0: E.6; GAPP: 8.2.2, 10.2.5; Jericho Forum: Commandment #6, #7
IS-01 (tail): PCI DSS v2.0: 12.1, 12.2; BITS AUP v5.0: A.1, B.1; GAPP: 8.2.1; Jericho Forum: Commandment #1, #2; NERC CIP: CIP-001-1a R1, R2; CIP-003-3 R1, R1.1, R4; CIP-006-3c R1
IS-02 (tail): PCI DSS v2.0: 12.5; BITS AUP v5.0: C.1; GAPP: 8.2.1; Jericho Forum: Commandment #3, #6; NERC CIP: CIP-003-3 R1, R1.1

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered: Physical controls and attestation mechanisms shall be designed to address the requirements of legislative plurality and their results shared with tenants.

Facility Security - Unauthorized Persons Entry

FS-05

Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise and loss.

Facility Security - Off-Site Authorization

FS-06

Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.

Facility Security - Off-Site Equipment

FS-07

Policies and procedures shall be established for securing, and for the asset management of, equipment maintained and used outside the organization's premises, including its secure disposal.

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered: Policies and procedures governing asset management shall be established for secure repurposing of equipment and resources prior to tenant assignment or jurisdictional transport.

Facility Security - Asset Management

FS-08

A complete inventory of critical assets shall be maintained with ownership defined and documented.

Human Resources Security - Background Screening

HR-01

Pursuant to local laws, regulations, ethics and contractual constraints, all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.

Human Resources Security - Employment Agreements

HR-02

(v1.0) Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and customers shall contractually agree and sign the terms and conditions of their employment or service contract, which must explicitly include the parties' responsibility for information security.

Control revision v1.1 rationale: Added "tenant" into scope of control specification.

Mapping cells for HR-02, HR-03, IS-01 and IS-02 (left-hand columns; FedRAMP cells are NIST SP 800-53 R3 control IDs).

HR-02 mappings:
COBIT 4.1: PO 7.6, DS 2.1
HIPAA / HITECH: 45 CFR 164.310(a)(1), 45 CFR 164.308(a)(4)(i)
ISO/IEC 27001:2005: A.6.1.5, A.8.1.3
NIST SP 800-53 R3: PL-4, PS-6, PS-7
FedRAMP Low: PS-1, PS-2, PS-6, PS-7
FedRAMP Moderate: PS-1, PS-2, PS-6, PS-7

HR-03 mappings:
COBIT 4.1: PO 7.8
HIPAA / HITECH: 45 CFR 164.308(a)(3)(ii)(C)
ISO/IEC 27001:2005: A.8.3.1
NIST SP 800-53 R3: PS-4, PS-5
FedRAMP Low: PS-2, PS-4, PS-5, PS-6, PS-8
FedRAMP Moderate: PS-2, PS-4, PS-5, PS-6, PS-8

IS-01 mappings:
COBIT 4.1: DS 5.2, DS 5.5 (each prefixed "R2" in the source cell)
HIPAA / HITECH: 45 CFR 164.308(a)(1)(i), 45 CFR 164.308(a)(1)(ii)(B), 45 CFR 164.316(b)(1)(i), 45 CFR 164.308(a)(3)(i) (New), 45 CFR 164.306(a) (New)
ISO/IEC 27001:2005: Clause 4.2, Clause 5, A.6.1.1, A.6.1.2, A.6.1.3, A.6.1.4, A.6.1.5, A.6.1.6, A.6.1.7, A.6.1.8
NIST SP 800-53 R3: PM-1, PM-2, PM-3, PM-4, PM-5, PM-6, PM-7, PM-8, PM-9, PM-10, PM-11

IS-02 mappings:
COBIT 4.1: DS 5.1
HIPAA / HITECH: 45 CFR 164.316(b)(2)(ii), 45 CFR 164.316(b)(2)(iii)
ISO/IEC 27001:2005: Clause 5, A.6.1.1
NIST SP 800-53 R3: CM-1, PM-1, PM-11

Further cells whose control row is not recoverable from the extraction order:
PCI DSS v2.0: 9.8, 9.9
BITS SIG v6.0: G.21
Jericho Forum: Commandment #4, #5, #11
Jericho Forum: Commandment #6, #7, #8
NERC CIP: CIP-004-3 R2.2

(v1.1) Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and tenants and/or customers shall contractually agree and sign equivalent terms and conditions regarding information security responsibilities in their employment or service contract.

Human Resources Security - Employment Termination

HR-03

Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered: Roles and responsibilities following employment termination or change in employment procedures must follow the terms of the master agreement with the tenant(s).

Information Security - Management Program

IS-01

An Information Security Management Program (ISMP) has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
- Risk management
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance

Information Security - Management Support / Involvement

IS-02

Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution.


IS-02 FedRAMP Low: CM-1; FedRAMP Moderate: CM-1 (NIST SP 800-53 R3 control ID)


Information Security - Policy

IS-03

Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security Policy shall be supported by a strategic plan and a security program with well defined roles and responsibilities for leadership and officer roles.

Information Security - Baseline Requirements

IS-04

Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.

Information Security - Policy Reviews

IS-05

Management shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy.

Proposed v1.1 control revision redacted due to potential mapping impact not yet considered: Security policy changes with material operational impact must require formal notification of subcontractors, tenants, supporting service tiers and employees of the impact and ramifications.

Displaced COBIT 4.1 cells (control row not recoverable from the extraction order): DS 5.2, DS 5.4

Information Security - Policy Enforcement

IS-06

A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and this shall be stated in the policies and procedures.

Information Security - User Access Policy

IS-07

User access policies and procedures shall be documented, approved and implemented for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and service level agreement (SLA) requirements.

Information Security - User Access Restriction / Authorization

IS-08

Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access being granted.

Information Security - User Access Revocation

IS-09

Timely deprovisioning, revocation or modification of user access to the organization's systems, information assets and data shall be implemented upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment or transfer within the organization.

Information Security - User Access Reviews

IS-10

All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered.

Information Security - Training / Awareness

IS-11

A security awareness training program shall be established for all contractors, third party users and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, process and policies, relating to their function relative to the organization.

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered.

Information Security - Industry Knowledge / Benchmarking

IS-12

Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations shall be maintained.

Information Security - Roles / Responsibilities

IS-13

Roles and responsibilities of contractors, employees and third party users shall be documented as they relate to information assets and security.

Information Security - Management Oversight

IS-14

Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility.


Information Security - Policy (control area label for IS-03, displaced in extraction)


Clause 4.2.1
Clause 5
A.5.1.1
A.8.2.2

AC-1
AT-1
AU-1
CA-1
CM-1
IA-1
IR-1
MA-1
MP-1
MP-1
PE-1
PL-1
PS-1
SA-1
SC-1
SI-1

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

12.1
12.2

B.1

A.12.1.1
A.15.2.2

CM-2
SA-2
SA-4

NIST SP 800-53 R3 CM-2


NIST SP 800-53 R3 SA-2
NIST SP 800-53 R3 SA-4

NIST SP 800-53 R3 CM-2


NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 SA-2
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)

1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4

L.2, L.5, L.7 L.8, L.9, L.10

45 CFR 164.316 (b)(2)(iii)


45 CFE 164.306

Clause 4.2.3 f)
A.5.1.2

AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-5
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
SA-1
SC-1
SI-1

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

12.1.3

B.1.33, B.1.34

PO 7.7

45 CFR 164.308 (a)(1)(ii)(C)

A.8.2.3

PL-4
PS-1
PS-8

NIST SP 800-53 R3 PL-4


NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-8

NIST SP 800-53 R3 PL-4


NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-8

DS 5.4

45 CFR 164.308 (a)(3)(i)


45 CFR 164.312 (a)(1)
45 CFR 164.312 (a)(2)(ii)
45 CFR 164.308(a)(4)(ii)(B)
45 CFR 164.308(a)(4)(ii)(C)

A.11.1.1
A.11.2.1
A.11.2.4
A.11.4.1
A.11.5.2
A.11.6.1

AC-1
IA-1

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 IA-1

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 IA-1

3.5.1
8.5.1
12.5.4

B.1.8, B.1.21, B.1.28, E.6.2, H.1.1, K.1.4.5

DS5.4

45 CFR 164.308 (a)(3)(i)


45 CFR 164.308 (a)(3)(ii)(A)
45 CFR 164.308 (a)(4)(i)
45 CFR 164.308 (a)(4)(ii)(B)
45 CFR 164.308 (a)(4)(ii)(C)
45 CFR 164.312 (a)(1)

A.11.2.1
A.11.2.2
A.11.4.1
A.11.4.2
A.11.6.1

AC-3
AC-5
AC-6
IA-2
IA-4
IA-5
IA-8
MA-5
PS-6
SA-7
SI-9

NIST SP 800-53 R3 AC-3


NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-7

NIST SP 800-53 R3 AC-3


NIST SP 800-53 R3 AC-3 (3)
NIST SP 800-53 R3 AC-5
NIST SP 800-53 R3 AC-6
NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-2 (2)
NIST SP 800-53 R3 IA-2 (3)
NIST SP 800-53 R3 IA-2 (8)
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-4 (4)
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-9

7.1
7.1.1
7.1.2
7.1.3
7.2.1
7.2.2
8.5.1
12.5.4

H.2.4, H.2.5,

DS 5.4

45 CFR 164.308(a)(3)(ii)(C)

ISO/IEC 27001:2005
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.2

AC-2
PS-4
PS-5

NIST SP 800-53 R3 AC-2


NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5

NIST SP 800-53 R3 AC-2


NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5

8.5.4
8.5.5

E.6.2, E.6.3

DS5.2

45 CFR 164.316 (a)


45 CFR 164.316 (b)(1)(i)
45 CFR 164.316 (b)(2)(ii)
45 CFR 164.308(a)(2)


AI2.1
AI2.2
AI3.3
DS2.3
DS11.6

BITS Shared Assessments AUP v5.0

GAPP (Aug 2009)

Jericho Forum
Commandment #1
Commandment #2
Commandment #3

L.2

1.2.6
8.2.1
8.2.7

Commandment #2
Commandment #4
Commandment #5
Commandment #11

B.2

1.2.1
8.2.7
10.2.3

Commandment #1
Commandment #2
Commandment #3

10.2.4

Commandment #6
Commandment #7

8.1.0

Commandment #6
Commandment #7
Commandment #8

CIP-007-3 - R5.1 - R5.1.2

8.2.2

Commandment #6
Commandment #7
Commandment #8
Commandment #9
Commandment #10

CIP-003-3 - R5.1.1 - R5.3


CIP-004-3 R2.3
CIP-007-3 R5.1 - R5.1.2

8.2.1

Commandment #6
Commandment #7
Commandment #8

CIP-004-3 R2.2.3
CIP-007-3 - R5.1.3 - R5.2.1 - R5.2.3

8.2.1
8.2.7

Commandment #6
Commandment #7
Commandment #8
Commandment #10

CIP-004-3 R2.2.2
CIP-007-3 - R5 - R.1.3

1.2.10
8.2.1

Commandment #3
Commandment #6

CIP-004-3 - R1 - R2 - R2.1

B.1.5

DS5.3
DS5.4

45 CFR 164.308 (a)(3)(ii)(B)


45 CFR 164.308 (a)(4)(ii)(C)

A.11.2.4

AC-2
AU-6
PM-10
PS-6
PS-7

NIST SP 800-53 R3 AC-2


NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7

NIST SP 800-53 R3 AC-2


NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7

PO 7.4

45 CFR 164.308 (a)(5)(i)


45 CFR 164.308 (a)(5)(ii)(A)

Clause 5.2.2
A.8.2.2

AT-1
AT-2
AT-3
AT-4

NIST SP 800-53 R3 AT-1


NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4

NIST SP 800-53 R3 AT-1


NIST SP 800-53 R3 AT-2
NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4

A.6.1.7

AT-5
SI-5

NIST SP 800-53 R3 SI-5

NIST SP 800-53 R3 SI-5

C.1.8

DS5.1

Clause 5.1 c)
A.6.1.2
A.6.1.3
A.8.1.1

AT-3
PL-4
PM-10
PS-1
PS-6
PS-7

NIST SP 800-53 R3 PL-4


NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7

NIST SP 800-53 R3 PL-4


NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7

B.1.5, D.1.1, D.1.3.3, E.1, F.1.1, B.1
H.1.1, K.1.2

1.2.9
8.2.1

Commandment #6
Commandment #7
Commandment #8

DS5.3
DS5.4
DS5.5

Clause 5.2.2
A.8.2.1
A.8.2.2
A.11.2.4
A.15.2.1

AT-2
AT-3
CA-1
CA-5
CA-6
CA-7
PM-10

NIST SP 800-53 R3 AT-2


NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7

NIST SP 800-53 R3 AT-2


NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)

E.4

1.1.2
8.2.1

Commandment #6
Commandment #7
Commandment #8

Periodic attestation of entitlement rights for all
system users is required. Attestation for
entitlement rights should extend to users in
supporting service tiers (IaaS, SaaS, PaaS,
IDaaS, etc.). Automatic or manual remediation
shall be implemented for identified violations.

B.1

H.2

H.2.6, H.2.7, H.2.9,

12.6
12.6.1
12.6.2

E.4

NERC CIP

8.1.0
8.1.1

E.1

CIP-003-3 - R1 - R1.1 - R1.2 - R2 - R2.1 - R2.2 - R2.3

CIP-003-3 - R3.2 - R3.3 - R1.3
R3 - R3.1 - R3.2 - R3.3

A security awareness training program that
addresses multi-tenant, nationality and cloud
delivery model SOD and conflicts of interest
shall be established for all contractors, third
party users, tenants and employees of the
organization. All individuals with access to
tenant data shall receive appropriate awareness
training and regular updates in organizational
procedures, process and policies, relating to
their function relative to the organization.

3 of 421

12.6.1
12.6.2

Commandment #1
Commandment #2
Commandment #3

E.1

Copyright 2010, Cloud Security Alliance


Information Security Segregation of Duties

IS-15

Policies, process and procedures shall be
implemented to enforce and assure proper
segregation of duties. In those events where
user-role conflict of interest constraints exist,
technical controls shall be in place to mitigate
any risks arising from unauthorized or
unintentional modification or misuse of the
organization's information assets.

Information Security User Responsibility

IS-16

Users shall be made aware of their
responsibilities for:
- Maintaining awareness and compliance with
  published security policies, procedures,
  standards and applicable regulatory
  requirements
- Maintaining a safe and secure working
  environment
- Leaving unattended equipment in a secure
  manner

Information Security Workspace

IS-17

Policies and procedures shall be established for
clearing visible documents containing sensitive
data when a workspace is unattended and
enforcement of workstation session logout for a
period of inactivity.

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:

COBIT 4.1

HIPAA / HITECH Act

IS-18

Policies and procedures shall be established
and mechanisms implemented for encrypting
sensitive data in storage (e.g., file servers,
databases, and end-user workstations) and
data in transmission (e.g., system interfaces,
over public networks, and electronic
messaging).

Information Security Encryption Key Management

IS-19

Policies and procedures shall be established
and mechanisms implemented for effective key
management to support encryption of data in
storage and in transmission.

Information Security Vulnerability / Patch Management

IS-20

Policies and procedures shall be established
and mechanisms implemented for vulnerability
and patch management, ensuring that
application, system, and network device
vulnerabilities are evaluated and vendor-supplied
security patches applied in a timely
manner, taking a risk-based approach for
prioritizing critical patches.

Information Security Anti-Virus / Malicious Software

IS-21

Ensure that all antivirus programs are capable
of detecting, removing, and protecting against
all known types of malicious or unauthorized
software with antivirus signature updates at
least every 12 hours.

Information Security Incident Management

IS-22

Policies and procedures shall be established to
triage security related events and ensure timely
and thorough incident management.

Control revision v1.1 rationale:
Minor editorial correction.

Information Security Incident Reporting

IS-23

Contractors, employees and third party users
shall be made aware of their responsibility to
report all information security events in a timely
manner. Information security events shall be
reported through predefined communications
channels in a prompt and expedient manner in
compliance with statutory, regulatory and
contractual requirements.


DS 5.4

45 CFR 164.308 (a)(1)(ii)(D)


45 CFR 164.308 (a)(3)(ii)(A)
45 CFR 164.308(a)(4)(ii)(A)
45 CFR 164.308 (a)(5)(ii)(C)
45 CFR 164.312 (b)

A.10.1.3

AC-1
AC-2
AC-5
AC-6
AU-1
AU-6
SI-1
SI-4

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-6

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-2 (1)
NIST SP 800-53 R3 AC-2 (2)
NIST SP 800-53 R3 AC-2 (3)
NIST SP 800-53 R3 AC-2 (4)
NIST SP 800-53 R3 AC-2 (7)
NIST SP 800-53 R3 AC-5
NIST SP 800-53 R3 AC-6
NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)

6.4.2

G.2.13, G.3, G.20.1, G.20.2, G.20.5

PO 4.6

45 CFR 164.308 (a)(5)(ii)(D)

Clause 5.2.2
A.8.2.2
A.11.3.1
A.11.3.2

AT-2
AT-3
AT-4
PL-4

NIST SP 800-53 R3 AT-2


NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 PL-4

NIST SP 800-53 R3 AT-2


NIST SP 800-53 R3 AT-3
NIST SP 800-53 R3 AT-4
NIST SP 800-53 R3 PL-4

8.5.7
12.6.1

E.4

Clause 5.2.2
A.8.2.2
A.9.1.5
A.11.3.1
A.11.3.2
A.11.3.3

AC-11
MP-2
MP-3
MP-4

NIST SP 800-53 R3 MP-1


NIST SP 800-53 R3 MP-2

NIST SP 800-53 R3 AC-11


NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 MP-2
NIST SP 800-53 R3 MP-2 (1)
NIST SP 800-53 R3 MP-3
NIST SP 800-53 R3 MP-4
NIST SP 800-53 R3 MP-4 (1)

E.4

Policies and procedures shall be established for
proper data management within the provider
environment. Policies and procedures must
resolve conflicts of interest and include a
tamper audit function that raises a tamper alert
to the customer if the integrity of the tenant data
has potentially been compromised (access not
authorized by the tenant, or data loss).

Information Security Encryption


8.2.2

Commandment #6
Commandment #7
Commandment #8
Commandment #10

E.1

1.2.10
8.2.1

Commandment #5
Commandment #6
Commandment #7

E.1

8.2.3

Commandment #5
Commandment #6
Commandment #7
Commandment #11

CIP-007-3 R5.1.1

DS5.8
DS5.10
DS5.11

45 CFR 164.312 (a)(2)(iv)


45 CFR 164.312 (e)(1)
45 CFR 164.312 (e)(2)(ii)

A.10.6.1
A.10.8.3
A.10.8.4
A.10.9.2
A.10.9.3
A.12.3.1
A.15.1.3
A.15.1.4

AC-18
IA-3
IA-7
SC-7
SC-8
SC-9
SC-13
SC-16
SC-23
SI-8

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 AC-18


NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-23
NIST SP 800-53 R3 SC-28
NIST SP 800-53 R3 SI-8

2.1.1
3.4
3.4.1
4.1
4.1.1
4.2

G.10.4, G.11.1, G.11.2, G.12.1, G.12.2, G.12.4,
G.12.10, G.14.18, G.14.19, G.16.2, G.16.18,
G.16.19, G.17.16, G.17.17, G.18.13, G.18.14,
G.19.1.1, G.20.14

G.4
G.15
I.3

8.1.1
8.2.1
8.2.5

Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11

DS5.8

45 CFR 164.312 (a)(2)(iv)


45 CFR 164.312(e)(1)

Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6

SC-12
SC-13
SC-17
SC-28

NIST SP 800-53 R3 SC-12


NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-12


NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-17

3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8

L.6

8.1.1
8.2.1
8.2.5

Commandment #9
Commandment #10
Commandment #11

AI6.1
AI3.3
DS5.9

45 CFR 164.308 (a)(1)(i)(ii)(A)
45 CFR 164.308 (a)(1)(i)(ii)(B)
45 CFR 164.308 (a)(5)(i)(ii)(B)

A.12.5.1
A.12.5.2
A.12.6.1

CM-3
CM-4
CP-10
RA-5
SA-7
SI-1
SI-2
SI-5

NIST SP 800-53 R3 CM-4


NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-5

NIST SP 800-53 R3 CM-3


NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 RA-5 (1)
NIST SP 800-53 R3 RA-5 (2)
NIST SP 800-53 R3 RA-5 (3)
NIST SP 800-53 R3 RA-5 (6)
NIST SP 800-53 R3 RA-5 (9)
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-5

2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3

G.15.2, I.3

1.2.6
8.2.7

Commandment #4
Commandment #5

CIP-004-3 R4 - 4.1 - 4.2


CIP-005-3a - R1 - R1.1
CIP-007-3 - R3 - R3.1 - R8.4

DS5.9

45 CFR 164.308 (a)(5)(ii)(B)

A.10.4.1

SA-7
SC-5
SI-3
SI-5
SI-7
SI-8

NIST SP 800-53 R3 SC-5


NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-5

NIST SP 800-53 R3 SC-5


NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-5
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 SI-8

5.1
5.1.1
5.2

G.7

8.2.2

Commandment #4
Commandment #5

CIP-007-3 - R4 - R4.1 - R4.2

DS5.6

45 CFR 164.308 (a)(1)(i)


45 CFR 164.308 (a)(6)(i)

Clause 4.3.3
A.13.1.1
A.13.2.1

IR-1
IR-2
IR-3
IR-4
IR-5
IR-7
IR-8

NIST SP 800-53 R3 IR-1


NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-7

NIST SP 800-53 R3 IR-1


NIST SP 800-53 R3 IR-2
NIST SP 800-53 R3 IR-3
NIST SP 800-53 R3 IR-4
NIST SP 800-53 R3 IR-4 (1)
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 IR-8

12.9
12.9.1
12.9.2
12.9.3
12.9.4
12.9.5
12.9.6

J.1.1, J.1.2

J.1

1.2.4
1.2.7
7.1.2
7.2.2
7.2.4
10.2.1
10.2.4

Commandment #2
Commandment #6
Commandment #8

CIP-007-3 - R6.1
CIP-008-3 - R1

DS5.6

45 CFR 164.312 (a)(6)(ii)


16 CFR 318.3 (a)
16 CFR 318.5 (a)
45 CFR 160.410 (a)(1)

Clause 4.3.3
Clause 5.2.2
A.6.1.3
A.8.2.1
A.8.2.2
A.13.1.1
A.13.1.2
A.13.2.1

IR-2
IR-6
IR-7
SI-4
SI-5

NIST SP 800-53 R3 IR-2


NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 SI-5

NIST SP 800-53 R3 IR-2


NIST SP 800-53 R3 IR-6
NIST SP 800-53 R3 IR-6 (1)
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SI-5

12.5.2
12.5.3

J.1.1, E.4

J.1
E.1

1.2.7
1.2.10
7.1.2
7.2.2
7.2.4
10.2.4

Commandment #2
Commandment #6
Commandment #8

CIP-003-3 - R4.1
CIP-004-3 R3.3


I.4

CIP-003-3 - R4.2

IS-24

In the event a follow-up action concerning a
person or organization after an information
security incident requires legal action, proper
forensic procedures, including chain of custody,
shall be required for collection, retention, and
presentation of evidence to support potential
legal action subject to the relevant jurisdiction.

DS5.6

45 CFR 164.308 (a)(6)(ii)

Clause 4.3.3
Clause 5.2.2
A.8.2.2
A.8.2.3
A.13.2.3
A.15.1.3

AU-6
AU-7
AU-9
AU-11
IR-5
IR-7
IR-8

NIST SP 800-53 R3 AU-6


NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-8

NIST SP 800-53 R3 AU-6


NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 AU-7
NIST SP 800-53 R3 AU-7 (1)
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-9 (2)
NIST SP 800-53 R3 AU-10
NIST SP 800-53 R3 AU-10 (5)
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-7
NIST SP 800-53 R3 IR-7 (1)
NIST SP 800-53 R3 IR-7 (2)
NIST SP 800-53 R3 IR-8
NIST SP 800-53 R3 MP-5
NIST SP 800-53 R3 MP-5 (2)
NIST SP 800-53 R3 MP-5 (4)

Information Security Incident Response Metrics

IS-25

Mechanisms shall be put in place to monitor
and quantify the types, volumes, and costs of
information security incidents.

DS 4.9

45 CFR 164.308 (a)(1)(ii)(D)

A.13.2.2

IR-4
IR-5
IR-8

NIST SP 800-53 R3 IR-4


NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-8

NIST SP 800-53 R3 IR-4


NIST SP 800-53 R3 IR-4 (1)
NIST SP 800-53 R3 IR-5
NIST SP 800-53 R3 IR-8

Information Security Acceptable Use

IS-26

Policies and procedures shall be established for
the acceptable use of information assets.

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:

DS 5.3

45 CFR 164.310 (b)

A.7.1.3

AC-8
AC-20
PL-4

NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-8
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 PL-4

NIST SP 800-53 R3 AC-8
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 AC-20 (1)
NIST SP 800-53 R3 AC-20 (2)
NIST SP 800-53 R3 PL-4

12.3.5

B.1.7, D.1.3.3, E.3.2, E.3.5.1, E.3.5.2

B.3

8.1.0

45 CFR 164.308 (a)(3)(ii)(C)

A.7.1.1
A.7.1.2
A.8.3.2

PS-4

NIST SP 800-53 R3 PS-4

NIST SP 800-53 R3 PS-4

E.6.4

D.1

5.2.3
7.2.2
8.2.1
8.2.6

45 CFR 164.312(e)(1)
45 CFR 164.312(e)(2)(i)

A.7.2.1
A.10.6.1
A.10.6.2
A.10.9.1
A.10.9.2
A.15.1.4

AC-14
AC-21
AC-22
IA-8
AU-10
SC-4
SC-8
SC-9

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-22
NIST SP 800-53 R3 AU-1

NIST SP 800-53 R3 AC-22


NIST SP 800-53 R3 AU-10
NIST SP 800-53 R3 AU-10 (5)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)

2.1.1
4.1
4.1.1
4.2

G.19.1.1, G.19.1.2, G.19.1.3,
G.10.8, G.9.11, G.14, G.15.1

G.4
G.11
G.16
G.18
I.3
I.4

3.2.4
4.2.3
7.1.2
7.2.1
7.2.2
8.2.1
8.2.5

Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11

DS 5.7

A.15.3.2

AU-9
AU-11
AU-14

NIST SP 800-53 R3 AU-9

NIST SP 800-53 R3 AU-9


NIST SP 800-53 R3 AU-9 (2)

10.5.5

8.2.1

Commandment #2
Commandment #5
Commandment #11

CIP-003-3 - R5.2

DS5.7

A.10.6.1
A.11.1.1
A.11.4.4
A.11.5.4

CM-7
MA-3
MA-4
MA-5

NIST SP 800-53 R3 CM-7


NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-5

NIST SP 800-53 R3 CM-7


NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 MA-3
NIST SP 800-53 R3 MA-3 (1)
NIST SP 800-53 R3 MA-3 (2)
NIST SP 800-53 R3 MA-3 (3)
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 MA-5

9.1.2

Commandment #3
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8

CIP-007-3 - R2

A.6.2.3
A.10.6.2

SC-20
SC-21
SC-22
SC-23
SC-24

NIST SP 800-53 R3 CA-3


NIST SP 800-53 R3 SA-9

A.7.2.1
A.10.7.1
A.10.7.2
A.10.8.3
A.11.7.1
A.11.7.2
A.15.1.4

AC-17
AC-18
AC-19
MP-2
MP-4
MP-6

NIST SP 800-53 R3 AC-17


NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-19
NIST SP 800-53 R3 MP-2
NIST SP 800-53 R3 MP-6

NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 CP-6
NIST SP 800-53 R3 CP-6 (1)
NIST SP 800-53 R3 CP-6 (3)
NIST SP 800-53 R3 CP-7
NIST SP 800-53 R3 CP-7 (1)
NIST SP 800-53 R3 CP-7 (2)
NIST SP 800-53 R3 CP-7 (3)
NIST SP 800-53 R3 CP-7 (5)
NIST SP 800-53 R3 CP-8 (3)
NIST SP 800-53 R3 CP-8 (1)
NIST SP 800-53 R3 CP-8 (2)
NIST SP 800-53 R3 SA-9 (7)
NIST SP 800-53 R3 SA-9 (1)

NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 AC-17 (1)
NIST SP 800-53 R3 AC-17 (2)
NIST SP 800-53 R3 AC-17 (4)
NIST SP 800-53 R3 AC-17 (5)
NIST SP 800-53 R3 AC-17 (8)
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 AC-19
NIST SP 800-53 R3 AC-19 (1)
NIST SP 800-53 R3 AC-19 (2)
NIST SP 800-53 R3 AC-19 (3)
NIST SP 800-53 R3 MP-2
NIST SP 800-53 R3 MP-2 (1)
NIST SP 800-53 R3 MP-4
NIST SP 800-53 R3 MP-4 (1)
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 MP-6 (4)

Clause 4.3.3
A.12.4.3
A.15.1.3

CM-5
CM-6

A.11.4.1
A 11.4.4
A.11.5.4

AC-5
AC-6
CM-7
SC-3
SC-19

ISO/IEC 27001:2005
Annex A.6.1.5

PL-4
PS-6
SA-9

Policies and procedures shall be established for
the acceptable use of information assets. The
policies shall address acceptable data mining
functionality and traffic pattern analysis, and
shall inform the tenant who is being given access
to the data analysis output.

Information Security Asset Returns

IS-27

Employees, contractors and third party users
must return all assets owned by the
organization within a defined and documented
time frame once the employment, contract or
agreement has been terminated.

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:

IS-28

Electronic commerce (e-commerce) related
data traversing public networks shall be
appropriately classified and protected from
fraudulent activity, unauthorized disclosure or
modification in such a manner to prevent
contract dispute and compromise of data.

Information Security Audit Tools Access

IS-29

Access to, and use of, audit tools that interact
with the organization's information systems shall
be appropriately segmented and restricted to
prevent compromise and misuse of log data.

Information Security Diagnostic / Configuration Ports Access

IS-30

User access to diagnostic and configuration
ports shall be restricted to authorized
individuals and applications.

Information Security Network / Infrastructure Services

IS-31

Network and infrastructure service level
agreements (in-house or outsourced) shall
clearly document security controls, capacity and
service levels, and business or customer
requirements.

DS5.10

Information Security Portable / Mobile Devices

IS-32

Policies and procedures shall be established
and measures implemented to strictly limit
access to sensitive data from portable and
mobile devices, such as laptops, cell phones,
and personal digital assistants (PDAs), which
are generally higher-risk than non-portable
devices (e.g., desktop computers at the
organization's facilities).

DS5.11
DS5.5

Information Security Source Code Access Restriction

IS-33

Access to application, program or object source
code shall be restricted to authorized personnel
on a need to know basis. Records shall be
maintained regarding the individual granted
access, reason for access and version of
source code exposed.

IS-34

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:

DS 5.10 5.11

45 CFR 164.310 (d)(1)


LG-01

Utility programs capable of potentially overriding
system, object, network, virtual machine and
application controls shall be restricted.

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:

Requirements for non-disclosure or
confidentiality agreements reflecting the
organization's needs for the protection of data
and operational details shall be identified,
documented and reviewed at planned intervals.

J.1.2

CIP-004-3 R3.3

1.2.7
1.2.10

CIP-008-3 - R1.1

Commandment #1
Commandment #2
Commandment #3

H.1.1, H.1.2, G.9.15

C.2.6, G.9.9

C.2

8.2.2
8.2.5

Commandment #6
Commandment #7
Commandment #8

9.7
9.7.2
9.8
9.9
11.1
12.3

G.11, G.12, G.20.13, G.20.14

1.2.6
3.2.4
8.2.6

All

NIST SP 800-53 R3 CM-5


NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)

6.4.1
6.4.2

I.2.7.2, I.2.9, I.2.10, I.2.15

1.2.6
6.2.1

Commandment #6
Commandment #7
Commandment #9
Commandment #10

NIST SP 800-53 R3 CM-7

NIST SP 800-53 R3 AC-6


NIST SP 800-53 R3 AC-6 (1)
NIST SP 800-53 R3 AC-6 (2)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)

7.1.2

H.2.16

NIST SP 800-53 R3 PL-4


NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-9

NIST SP 800-53 R3 PL-4


NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)

12.8.2
12.8.3
12.8.4

C.2.5

CIP-007-3 - R7.1

Access to application, program or object source
code shall be restricted to authorized personnel
based on cloud delivery model (PaaS) on a
need to know basis.
X

DS5.7

Utility programs and privileged management
accounts capable of potentially overriding
system, object, network, virtual machine and
application controls shall be restricted. Utilities
that can shut down virtualized partitions shall be
disallowed. Attacks that target the virtual
infrastructure (Shimming, Blue Pill,
Hyperjacking, etc.) shall be identified and
remediated with technical and procedural
controls.

Legal - Non-Disclosure
Agreements

12.9.6

1.2.7

Controls shall be put in place to ensure privacy
and automate formal tenant breach notification
upon the compromise of a tenant's system(s).

Information Security eCommerce Transactions

Information Security Utility Programs Access

J.1.1, J.1.2, E.4

J.1
E.1


Information Security Incident Response Legal Preparation


Commandment #1
Commandment #5
Commandment #6
Commandment #7

1.2.5

CIP-007-3 - R2.1 - R2.2 - R2.3

Commandment #6
Commandment #7
Commandment #8
Commandment #9

Legal - Third Party Agreements

LG-02

Third party agreements that directly, or
indirectly, impact the organization's information
assets or data are required to include explicit
coverage of all relevant security requirements.
This includes agreements involving processing,
accessing, communicating, hosting or
managing the organization's information assets,
or adding or terminating services or products to
existing information assets. Agreement
provisions shall include security (e.g.,
encryption, access controls, and leakage
prevention) and integrity controls for data
exchanged to prevent improper disclosure,
alteration or destruction.

Operations
Management - Policy

OP-01

Policies and procedures shall be established
and made available for all personnel to
adequately support the services operations role.

Operations
Management Documentation

OP-02

Information system documentation (e.g.,
administrator and user guides, architecture
diagrams, etc.) shall be made available to
authorized personnel to ensure the following:
- Configuring, installing, and operating the
  information system
- Effectively using the system's security
  features

Operations
Management Capacity / Resource
Planning

OP-03

The availability, quality, and adequate capacity
and resources shall be planned, prepared, and
measured to deliver the required system
performance in accordance with regulatory,
contractual and business requirements.
Projections of future capacity requirements shall
be made to mitigate the risk of system overload.

Operations
Management Equipment
Maintenance

OP-04

Policies and procedures shall be established for
equipment maintenance ensuring continuity and
availability of operations.

Risk Management Program

RI-01

Organizations shall develop and maintain an
enterprise risk management framework to
manage risk to an acceptable level.

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:


Risk Management Mitigation / Acceptance


RI-02

RI-03

Aligned with the enterprise-wide framework,
formal risk assessments shall be performed at
least annually, or at planned intervals,
determining the likelihood and impact of all
identified risks, using qualitative and
quantitative methods. The likelihood and impact
associated with inherent and residual risk
should be determined independently,
considering all risk categories (e.g., audit
results, threat and vulnerability analysis, and
regulatory compliance).

Risks shall be mitigated to an acceptable level.
Acceptance levels based on risk criteria shall be
established and documented in accordance
with reasonable resolution time frames and
executive approval.

Proposed v1.1 control revision redacted until
future revision due to potential mapping impact
not yet considered:


A.6.2.3
A.10.2.1
A.10.8.2
A.11.4.6
A.11.6.1
A.12.3.1
A.12.5.4

CA-3
MP-5
PS-7
SA-6
SA-7
SA-9

NIST SP 800-53 R3 CA-3


NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SA-9

NIST SP 800-53 R3 CA-3


NIST SP 800-53 R3 MP-5
NIST SP 800-53 R3 MP-5 (2)
NIST SP 800-53 R3 MP-5 (4)
NIST SP 800-53 R3 PS-7
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)

2.4
12.8.2

C.2.4, C.2.6, G.4.1, G.16.3

DS13.1

Clause 5.1
A.8.1.1
A.8.2.1
A.8.2.2
A.10.1.1

CM-2
CM-3
CM-4
CM-5
CM-6
CM-9
MA-4
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-12

NIST SP 800-53 R3 CM-2


NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5

NIST SP 800-53 R3 CM-2


NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12

12.1
12.2
12.3
12.4

DS 9
DS 13.1

Clause 4.3.3
A.10.7.4

CP-9
CP-10
SA-5
SA-10
SA-11

NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-10
NIST SP 800-53 R3 SA-5

NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-9 (1)
NIST SP 800-53 R3 CP-9 (3)
NIST SP 800-53 R3 CP-10
NIST SP 800-53 R3 CP-10 (2)
NIST SP 800-53 R3 CP-10 (3)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)

12.1
12.2
12.3
12.4

DS 3

A.10.3.1

SA-4

NIST SP 800-53 R3 SA-4

DS5.11

45 CFR 164.308 (a)(4)(ii)(A)
45 CFR 164.308 (b)(1)
45 CFR 164.308 (b)(2)(i)
45 CFR 164.308 (b)(2)(ii)
45 CFR 164.308 (b)(2)(iii)
45 CFR 164.308 (b)(3)
45 CFR 164.308 (b)(4)
45 CFR 164.312(e)(2)(i)
45 CFR 164.312 (c)(1)
45 CFR 164.312(e)(2)(ii)
45 CFR 164.314 (a)(1)(i)
45 CFR 164.314 (a)(1)(ii)(A)
45 CFR 164.314 (a)(2)(i)
45 CFR 164.314 (a)(2)(i)(A)
45 CFR 164.314 (a)(2)(i)(B)
45 CFR 164.314 (a)(2)(i)(C)
45 CFR 164.314 (a)(2)(i)(D)
45 CFR 164.314 (a)(2)(ii)(A)
45 CFR 164.314 (a)(2)(ii)(A)(1)
45 CFR 164.314 (a)(2)(ii)(A)(2)
45 CFR 164.314 (a)(2)(ii)(B)
45 CFR 164.314 (a)(2)(ii)(C)
45 CFR 164.314 (b)(1)
45 CFR 164.314 (b)(2)
45 CFR 164.314 (b)(2)(i)
45 CFR 164.314 (b)(2)(ii)
45 CFR 164.314 (b)(2)(iii)
45 CFR 164.314 (b)(2)(iv)

BITS Shared Assessments AUP v5.0

GAPP (Aug 2009)

Jericho Forum

1.2.5

Commandment #1
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8

G.1.1

8.2.1

Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7

G.1.1

1.2.6

Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11

NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)

G.5

1.2.4

Commandment #1
Commandment #2
Commandment #3

F.2.19

5.2.3
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7

Commandment #2
Commandment #5
Commandment #11

C.2

NERC CIP

CIP-005-3a - R1.3
CIP-007-3 - R9

A13.3

45 CFR 164.310 (a)(2)(iv)

A.9.2.4

MA-2
MA-3
MA-4
MA-5
MA-6

NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-5

NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-2 (1)
NIST SP 800-53 R3 MA-3
NIST SP 800-53 R3 MA-3 (1)
NIST SP 800-53 R3 MA-3 (2)
NIST SP 800-53 R3 MA-3 (3)
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 MA-6

PO 9.1

45 CFR 164.308 (a)(8)
45 CFR 164.308(a)(1)(ii)(B)

Clause 4.2.1 c) through g)
Clause 4.2.2 b)
Clause 5.1 f)
Clause 7.2 & 7.3
A.6.2.1
A.12.6.1
A.14.1.2
A.15.2.1
A.15.2.2

AC-4
CA-2
CA-6
PM-9
RA-1

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 CM-1

12.1.2

A.1, L.1

L.2

1.2.4

CIP-009-3 - R4

PO 9.4

45 CFR 164.308 (a)(1)(ii)(A)

Clause 4.2.1 c) through g)
Clause 4.2.3 d)
Clause 5.1 f)
Clause 7.2 & 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.14.1.2
A.15.1.1
A.15.2.1
A.15.2.2

PL-5
RA-2
RA-3

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3

NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3

12.1.2

C.2.1, I.4.1, I.5, G.15.1.3, I.3

I.1
I.4

1.2.4
1.2.5

CIP-002-3 - R1.1 - R1.2
CIP-005-3a - R1 - R1.2
CIP-009-3 - R.1.1

PO 9.5

45 CFR 164.308 (a)(1)(ii)(B)

Clause 4.2.1 c) through g)
Clause 4.2.2 b)
Clause 4.3.1
Clause 5.1 f)
Clause 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.15.1.1
A.15.2.1
A.15.2.2

CA-5
CM-4

NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 RA-1

NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 RA-1

I.3, L.9, L.10

I.4
L.2

Organizations shall develop and maintain a cloud oriented risk management framework to manage risk as defined in the master agreement or industry best-practices and standards.

Risk Management Assessments

ISO/IEC 27001-2005

Service Providers shall implement and communicate disaster recovery, business continuity, capacity overflow and operational redundancy plans to all dependent service tiers. Service Providers shall perform failure impact analysis studies and communicate potential service impacts and reduced capacity projections to tenants. Tenants shall be afforded access to operational redundancy and continuity summaries which shall include dependent service tier oriented impact analysis. Security mechanisms and redundancies (at a minimum of N+2 at all times) shall be implemented to protect physical and virtual machines, networks, service providers and hardware from service outages (e.g., power failures, network disruptions, etc.). Tenants shall have access to a tenant-triggered failover control.

6 of 421

CIP-007-3 - R6.1 - R6.2 - R6.3 - R6.4

CIP-009-3 - R1.2

Copyright 2010, Cloud Security Alliance

Cloud Controls Matrix (CCM) R1.2

Control Area
Control ID
Control Specification
Architectural Relevance: Phys, Network, Compute, Storage, App, Data
Corp Gov Relevance
Control Notes
Cloud Service Delivery Model Applicability: SaaS, PaaS, IaaS
Supplier Relationship: Service Provider, Tenant / Consumer
Scope Applicability: COBIT 4.1; HIPAA / HITECH Act; ISO/IEC 27001-2005; NIST SP800-53 R3; FedRAMP Security Controls (Final Release, Jan 2012) --LOW IMPACT LEVEL--; FedRAMP Security Controls (Final Release, Jan 2012) --MODERATE IMPACT LEVEL--; PCI DSS v2.0; BITS Shared Assessments SIG v6.0; BITS Shared Assessments AUP v5.0; GAPP (Aug 2009); Jericho Forum

Risk Management Business / Policy Change Impacts

RI-04

Risk assessment results shall include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective.

PO 9.6

Clause 4.2.3
Clause 4.2.4
Clause 4.3.1
Clause 5
Clause 7
A.5.1.2
A.10.1.2
A.10.2.3
A.14.1.2
A.15.2.1
A.15.2.2

CP-2
RA-2
RA-3

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

12.1.3

B.1.1, B.1.2, B.1.6, B.1.7.2, G.2, L.9, L.10

B.2
G.21
L.2

Risk Management Third Party Access

RI-05

The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

DS 2.3

A.6.2.1
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.4

CA-3
MA-4
RA-3

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

12.8.1
12.8.2
12.8.3
12.8.4

B.1.1, B.1.2, D.1.1, E.1, F.1.1, H.1.1, K.1.1, E.6.2, E.6.3

B.1
H.2

Release Management New Development / Acquisition

RM-01

Policies and procedures shall be established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.

A12
A16.1

A.6.1.4
A.6.2.1
A.12.1.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.5
A.15.1.3
A.15.1.4

CA-1
CM-1
CM-9
PL-1
PL-2
SA-1
SA-3
SA-4

NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4

NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)

6.3.2

I.1.1, I.1.2, I.2.7.2, I.2.8, I.2.9, I.2, I.2.10, I.2.13, I.2.14, I.2.15, I.2.18, I.2.22.6, L.5

1.2.6

Commandment #1
Commandment #2
Commandment #3

Release Management Production Changes

RM-02

Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.

A.10.1.4
A.12.5.1
A.12.5.2

CA-1
CA-6
CA-7
CM-2
CM-3
CM-5
CM-6
CM-9
PL-2
PL-5
SI-2
SI-6
SI-7

NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 PL-5
NIST SP 800-53 R3 SI-2

NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 PL-5
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)

1.1.1
6.3.2
6.4
6.1

I.2.17, I.2.20, I.2.22

1.2.6

Commandment #1
Commandment #2
Commandment #3
Commandment #11

Release Management Quality Testing

RM-03

A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established, documented and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release.

A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2

CM-1
CM-2
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-13

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)

1.1.1
6.1
6.4

C.1.7, G.1, G.6, I.1, I.4.5, I.2.18, I.22.1, I.22.3, I.22.6, I.2.23, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.2.20, I.2.17, I.2.7.1, I.3, J.2.10, L.9

9.1.0
9.1.1
9.2.1
9.2.2

Commandment #1
Commandment #2
Commandment #3

Release Management Outsourced Development

RM-04

A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews. Certification for the purposes of this control shall be defined as either an ISO/IEC 17024 accredited certification or a legally recognized license or certification in the legislative jurisdiction the organization outsourcing the development has chosen as its domicile.

A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2

SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
SA-12
SA-13

NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-9

NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12

C.2.4, G.4, G.6, I.1, I.4.4, I.4.5, I.2.7.2, I.2.8, I.2.9, I.2.15, I.2.18, I.2.22.6, I.2.7.1, I.2.13, I.2.14, I.2.17, I.2.20, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.3, J.1.2.10, L.7, L.9, L.10

A16.1
A17.6

45 CFR 164.308 (a)(5)(ii)(C)
45 CFR 164.312 (b)

PO 8.1

3.6.7
6.4.5.2
7.1.3
8.5.1
9.1
9.1.2
9.2b
9.3.1
10.5.2
11.5
12.3.1
12.3.3

C.2
I.1
I.2
I.4

CIP-009-3 - R2

7.1.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4

CIP-003-3 - R6

Commandment #1
Commandment #2
Commandment #3

Release Management Unauthorized Software Installations

RM-05

Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

Resiliency Management Program

RS-01

Policy, process and procedures defining business continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) through a combination of preventive and recovery controls, in accordance with regulatory, statutory, contractual, and business requirements and consistent with industry standards. This resiliency management program shall be communicated to all organizational participants on a need-to-know basis prior to adoption and shall also be published, hosted, stored, recorded and disseminated to multiple facilities which must be accessible in the event of an incident.

Resiliency - Impact Analysis

RS-02

There shall be a defined and documented method for determining the impact of any disruption to the organization which must incorporate the following:
- Identify critical products and services
- Identify all dependencies, including processes, applications, business partners and third party service providers
- Understand threats to critical products and services
- Determine impacts resulting from planned or unplanned disruptions and how these vary over time
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
- Estimate the resources required for resumption

Resiliency - Business Continuity Planning

RS-03

A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity plans include the following:
- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update and approval
- Defined lines of communication, roles and responsibilities
- Detailed recovery procedures, manual workaround and reference information
- Method for plan invocation

Resiliency - Business Continuity Testing

RS-04

Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

Resiliency Environmental Risks

RS-05

Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed and countermeasures applied.

Resiliency - Equipment Location

RS-06

To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high probability environmental risks and supplemented by redundant equipment located a reasonable distance away.

Resiliency - Equipment Power Failures

RS-07

Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

CM-1
CM-2
CM-3
CM-5
CM-7
CM-8
CM-9
SA-6
SA-7
SI-1
SI-3
SI-4
SI-7

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-3

NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 CM-8 (1)
NIST SP 800-53 R3 CM-8 (3)
NIST SP 800-53 R3 CM-8 (5)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)

45 CFR 164.308 (a)(7)(i)
45 CFR 164.308 (a)(7)(ii)(C)

Clause 4.3.2
A.14.1.1
A 14.1.4

CP-1
CP-2

NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2

NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 CP-2 (1)
NIST SP 800-53 R3 CP-2 (2)

45 CFR 164.308 (a)(7)(ii)(E)

A.14.1.2
A 14.1.4

RA-3

NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 RA-3

NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 RA-3

45 CFR 164.308 (a)(7)(i)
45 CFR 164.308 (a)(7)(ii)(B)
45 CFR 164.308 (a)(7)(ii)(C)
45 CFR 164.308 (a)(7)(ii)(E)
45 CFR 164.310 (a)(2)(i)
45 CFR 164.312 (a)(2)(ii)

Clause 5.1
A.6.1.2
A.14.1.3
A.14.1.4

CP-1
CP-2
CP-3
CP-4
CP-6
CP-7
CP-8
CP-9
CP-10
PE-17

NIST SP800-53 R3 CP-1
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP-10

NIST SP800-53 R3 CP-1
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)
NIST SP800-53 R3 CP-6
NIST SP800-53 R3 CP-6 (1)
NIST SP800-53 R3 CP-6 (3)
NIST SP800-53 R3 CP-7
NIST SP800-53 R3 CP-7 (1)
NIST SP800-53 R3 CP-7 (2)
NIST SP800-53 R3 CP-7 (3)
NIST SP800-53 R3 CP-7 (5)
NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP-9 (1)
NIST SP800-53 R3 CP-9 (3)
NIST SP800-53 R3 CP-10
NIST SP800-53 R3 CP-10 (2)
NIST SP800-53 R3 CP-10 (3)
NIST SP800-53 R3 PE-17

45 CFR 164.308 (a)(7)(ii)(D)

A.14.1.5

CP-2
CP-3
CP-4

NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4

NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)

45 CFR 164.308 (a)(7)(i)
45 CFR 164.310(a)(2)(ii)

A.9.1.4
A.9.2.1

PE-1
PE-13
PE-14
PE-15
PE-18

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-18

45 CFR 164.310 (c)

A.9.2.1

PE-1
PE-5
PE-14
PE-15
PE-18

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-5
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-18

A.9.2.2
A.9.2.3
A 9.2.4

CP-8
PE-1
PE-9
PE-10
PE-11
PE-12
PE-13
PE-14

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-12
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-14

NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-9
NIST SP800-53 R3 PE-10
NIST SP800-53 R3 PE-11
NIST SP800-53 R3 PE-12
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-14

PO 9.1
PO 9.2
DS 4.2

A.10.1.3
A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3

G.2.13, G.20.2, G.20.4, G.20.5, G.1, G.7, G.7.1, G.12.11, H.2.16, I.2, I.2.22.1, I.2.22.3, I.2.22.6, I.2.23

3.2.4
8.2.2

K.1.2.9, K.1.2.10, K.3.1

Commandment #1
Commandment #2
Commandment #3

K.2

Commandment #1
Commandment #2
Commandment #3

12.9.1
12.9.3
12.9.4
12.9.6

K.1.2.3, K.1.2.4, K.1.2.5, K.1.2.6, K.1.2.7, K.1.2.11, K.1.2.13, K.1.2.15

Commandment #1
Commandment #2
Commandment #3

12.9.2

K.1.3, K.1.4.3, K.1.4.6, K.1.4.7, K.1.4.8, K.1.4.9, K.1.4.10, K.1.4.11, K.1.4.12

Commandment #1
Commandment #2
Commandment #3

12.9.1

9.1.3
9.5
9.6
9.9
9.9.1

8.2.4

Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11

F.2.9, F.1.2.21, F.5.1, F.1.5.2, F.2.1, F.2.7, F.2.8

F.1

Commandment #1
Commandment #2
Commandment #3

F.2.9, F.1.2.21, F.5.1, F.1.5.2, F.2.1, F.2.7, F.2.8

F.1

Commandment #1
Commandment #2
Commandment #3

F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.12

F.1

Commandment #1
Commandment #2
Commandment #3

CIP-007-3 - R8 - R8.1 - R8.2 - R8.3

CIP-004-3 R3.2

Resiliency - Power / Telecommunications

RS-08

Telecommunications equipment, cabling and relays transceiving data or supporting services shall be protected from interception or damage and designed with redundancies, alternative power source and alternative routing.

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered:

DS5.11

AI2.4

SA-01

Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.

Security Architecture User ID Credentials

SA-02

Implement and enforce (through automation) user credential and password controls for applications, databases and server and network infrastructure, requiring the following minimum standards:
- User identity verification prior to password resets.
- If password reset initiated by personnel other than user (i.e., administrator), password must be immediately changed by user upon first use.
- Timely access revocation for terminated users.
- Remove/disable inactive user accounts at least every 90 days.
- Unique user IDs and disallow group, shared, or generic accounts and passwords.
- Password expiration at least every 90 days.
- Minimum password length of at least seven (7) characters.
- Strong passwords containing both numeric and alphabetic characters.
- Allow password re-use after the last four (4) passwords used.
- User ID lockout after not more than six (6) attempts.
- User ID lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
- Re-enter password to reactivate terminal after session idle time for more than 15 minutes.
- Maintain user activity logs for privileged access or access to sensitive data.

Security Architecture Data Security / Integrity

SA-03

Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure, alteration or destruction complying with legislative, regulatory, and contractual requirements.

Security Architecture Application Security

SA-04

Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.

Security Architecture Data Integrity

SA-05

Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.

Security Architecture Production / Non-Production Environments

SA-06

Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets.

Security Architecture Remote User Multi-Factor Authentication

SA-07

Multi-factor authentication is required for all remote user access.

Proposed v1.1 control revision redacted until future revision due to potential mapping impact not yet considered:

Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.

DS5.3
DS5.4

A.9.2.2
A.9.2.3

PE-1
PE-4
PE-13

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)

NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-4
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)

F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.12

A.6.2.1
A.6.2.2
A.11.1.1

CA-1
CA-2
CA-5
CA-6

NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6

NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6

C.2.1, C.2.3, C.2.4, C.2.6.1, H.1

A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.3
A.11.2.4
A.11.5.5

AC-1
AC-2
AC-3
AC-11
AU-2
AU-11
IA-1
IA-2
IA-5
IA-6
IA-8
SC-10

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-3
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-6
NIST SP 800-53 R3 IA-8

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-3
NIST SP 800-53 R3 AC-11
NIST SP 800-53 R3 AC-11 (1)
NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-2 (3)
NIST SP 800-53 R3 AU-2 (4)
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-2 (2)
NIST SP 800-53 R3 IA-2 (3)
NIST SP 800-53 R3 IA-2 (8)
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-5 (2)
NIST SP 800-53 R3 IA-5 (3)
NIST SP 800-53 R3 IA-5 (6)
NIST SP 800-53 R3 IA-5 (7)
NIST SP 800-53 R3 IA-6
NIST SP 800-53 R3 IA-8
NIST SP 800-53 R3 SC-10

8.1
8.2
8.3
8.4
8.5
10.1
12.2
12.3.8

E.6.2, E.6.3, H.1.1, H.1.2, H.2, H.3.2, H.4, H.4.1, H.4.5, H.4.8

B.1
H.5

A.10.8.1
A.10.8.2
A.11.1.1
A.11.6.1
A.11.4.6
A.12.3.1
A.12.5.4
A.15.1.4

AC-1
AC-4
SC-1
SC-16

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-4
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-8

2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c
8.3
10.5.5
11.5

G.8.2.0.2, G.8.2.0.3, G.12.1, G.12.4, G.12.9, G.12.10, G.16.2, G.19.2.1, G.19.3.2, G.9.4, G.17.2, G.17.3, G.17.4, G.20.1

B.1

1.1.0
1.2.2
1.2.6
4.2.3
5.2.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1

All

45 CFR 164.312(e)(2)(i)

A.11.5.6
A.11.6.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.5.2
A.12.5.4
A.12.5.5
A.12.6.1
A.15.2.1

NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-14

G.16.3, I.3

I.4

1.2.6

Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11

CIP-007-3 - R5.1

A.10.9.2
A.10.9.3
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1

NIST SP 800-53 R3 SA-8


NIST SP 800-53 R3 SC-2
NIST SP 800-53 R3 SC-4
NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-10
NIST SP 800-53 R3 SC-11
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SC-17
NIST SP 800-53 R3 SC-18
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 SI-9
NIST SP 800-53 R3 SI-10
NIST SP 800-53 R3 SI-11

6.5

45 CFR 164.312 (c)(1)


45 CFR 164.312 (c)(2)
45 CFR 164.312(e)(2)(i)

SC-2
SC-3
SC-4
SC-5
SC-6
SC-7
SC-8
SC-9
SC-10
SC-11
SC-12
SC-13
SC-14
SC-17
SC-18
SC-20
SC-21
SC-22
SI-10
SC-23
SI-11
SI-2
SI-3
SI-4
SI-6
SI-7
SI-9

6.3.1
6.3.2

G.16.3, I.3

I.4

1.2.6

Commandment #1
Commandment #9
Commandment #11

CIP-003-3 - R4.2

6.4.1
6.4.2

I.2.7.1, I.2.20, I.2.17, I.2.22.2, I.2.22.4, I.2.22.10-14, H.1.1

B.1

1.2.6

Commandment #1
Commandment #10
Commandment #11

45 CFR 164.308(a)(5)(ii)(c)
45 CFR 164.308 (a)(5)(ii)(D)
45 CFR 164.312 (a)(2)(i)
45 CFR 164.312 (a)(2)(iii)
45 CFR 164.312 (d)

DS5.7

NIST SP 800-53 R3 SI-2


NIST SP 800-53 R3 SI-3

Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #9
Commandment #11

F.1

1.2.2
1.2.6
6.2.1
6.2.2

Commandment #6
Commandment #7
Commandment #8

Commandment #6
Commandment #7
Commandment #8
Commandment #9

CIP-004-3 R2.2.3
CIP-007-3 - R5.2, R5.3.1, R5.3.2, R5.3.3

A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3

SC-2

A.11.1.1
A.11.4.1
A.11.4.2
A.11.4.6
A.11.7.1

AC-17
AC-20
IA-1
IA-2
MA-4

NIST SP 800-53 R3 AC-17


NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 MA-4

NIST SP 800-53 R3 AC-17


8.3
NIST SP 800-53 R3 AC-17 (1)
NIST SP 800-53 R3 AC-17 (2)
NIST SP 800-53 R3 AC-17 (3)
NIST SP 800-53 R3 AC-17 (4)
NIST SP 800-53 R3 AC-17 (5)
NIST SP 800-53 R3 AC-17 (7)
NIST SP 800-53 R3 AC-17 (8)
NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 AC-20 (1)
NIST SP 800-53 R3 AC-20 (2)
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-2
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-2 (2)
NIST SP 800-53 R3 IA-2 (3)
NIST SP 800-53 R3 IA-2 (8)
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)

H.1.1, G.9.13, G.9.20, G.9.21

B.1

8.2.2

Commandment #6
Commandment #7
Commandment #8

CIP-004-3 R3.1

A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4

SC-7

NIST SP 800-53 R3 CM-7


NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 CM-7


NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)

G.9.17, G.9.7, G.10, G.9.11, G.14.1, G.15.1, G.9.2, G.9.3, G.9.13

G.2
G.4
G.15
G.16
G.17
G.18
I.3

8.2.5

Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment #10
Commandment #11

CIP-004-3 R2.2.4

Tenant authentication requirements must be met for all data access.

SA-08

NIST SP800-53 R3

Telecommunications equipment, cabling and relays transceiving data or supporting services shall be protected from interception unless legally required (wire taps, etc.). These systems shall be designed with redundancies, alternative power source and alternative routing. Tenants shall have informed consent over jurisdiction of transport.

Security Architecture - Customer Access Requirements

Security Architecture - Network Security

ISO/IEC 27001-2005


1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
2.2.2
2.2.3

Copyright 2010, Cloud Security Alliance

FedRAMP Security Controls (Final Release, Jan 2012)


DS5.10

45 CFR 164.308 (a)(4)(ii)(A)

A.11.4.5
A.11.6.1
A.11.6.2
A.15.1.4

AC-4
SC-2
SC-3
SC-7

NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 AC-4


NIST SP 800-53 R3 SC-2
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)

1.1
1.2
1.2.1
1.3
1.4

G.9.2, G.9.3, G.9.13

G.17

DS5.5
DS5.7
DS5.8
DS5.10

45 CFR 164.312 (e)(1)(2)(ii)


45 CFR 164.308(a)(5)(ii)(D)
45 CFR 164.312(e)(1)
45 CFR 164.312(e)(2)(ii)

A.7.1.1
A.7.1.2
A.7.1.3
A.9.2.1
A.9.2.4
A.10.6.1
A.10.6.2
A.10.8.1
A.10.8.3
A.10.8.5
A.10.10.2
A.11.2.1
A.11.4.3
A.11.4.5
A.11.4.6
A.11.4.7
A.12.3.1
A.12.3.2

AC-1
AC-18
CM-6
PE-4
SC-3
SC-7

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 PE-4
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)

1.2.3
2.1.1
4.1
4.1.1
11.1
9.1.3

E.3.1, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18, G.9.17, G.9.7, G.10, G.9.11, G.14.1, G.15.1, G.9.2, G.9.3, G.9.13

D.1
B.3
F.1
G.4
G.15
G.17
G.18

45 CFR 164.312 (a)(1)

A.10.8.1
A.11.1.1
A.11.6.2
A.11.4.6

PE-4
SC-4
SC-7

NIST SP 800-53 R3 PL-2


NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 PE-4


NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-4
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)

1.3.5
2.4

D.1.1, E.1, F.1.1, H.1.1

B.1

DS5.7

A.10.10.1
A.10.10.6

AU-1
AU-8

NIST SP 800-53 R3 AU-1


NIST SP 800-53 R3 AU-8

NIST SP 800-53 R3 AU-1


NIST SP 800-53 R3 AU-8
NIST SP 800-53 R3 AU-8 (1)

G.13, G.14.8, G.15.5, G.16.8, G.17.6, G.18.3, G.19.2.6, G.19.3.1

G.7
G.8

DS5.7

A.11.4.3

IA-3
IA-4

NIST SP 800-53 R3 IA-4

NIST SP 800-53 R3 IA-3


NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-4 (4)

D.1.1, D.1.3

D.1

A.10.10.1
A.10.10.2
A.10.10.3
A.10.10.4
A.10.10.5
A.11.2.2
A.11.5.4
A.11.6.1
A.13.1.1
A.13.2.3
A.15.2.2
A.15.1.3

AU-1
AU-2
AU-3
AU-4
AU-5
AU-6
AU-7
AU-9
AU-11
AU-12
AU-14
SI-4

NIST SP 800-53 R3 AU-1


NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-3
NIST SP 800-53 R3 AU-4
NIST SP 800-53 R3 AU-5
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 AU-12
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3

NIST SP 800-53 R3 AU-1


NIST SP 800-53 R3 AU-2
NIST SP 800-53 R3 AU-2 (3)
NIST SP 800-53 R3 AU-2 (4)
NIST SP 800-53 R3 AU-3
NIST SP 800-53 R3 AU-3 (1)
NIST SP 800-53 R3 AU-4
NIST SP 800-53 R3 AU-5
NIST SP 800-53 R3 AU-6
NIST SP 800-53 R3 AU-6 (1)
NIST SP 800-53 R3 AU-6 (3)
NIST SP 800-53 R3 AU-7
NIST SP 800-53 R3 AU-7 (1)
NIST SP 800-53 R3 AU-9
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 AU-12
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SC-18

A.10.4.2
A.12.2.2

SC-18

Security Architecture - Segmentation

SA-09

System and network environments are separated by firewalls to ensure the following requirements are adhered to:
Business and customer requirements
Security requirements
Compliance with legislative, regulatory, and contractual requirements
Separation of production and non-production environments
Preserve protection and isolation of sensitive data

Security Architecture - Wireless Security

SA-10

Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following:
Perimeter firewalls implemented and configured to restrict unauthorized traffic
Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.)
Logical and physical user access to wireless network devices restricted to authorized personnel
The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

Security Architecture - Shared Networks

SA-11

Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
Security Architecture - Clock Synchronization

SA-12

An accurate, externally agreed upon time source shall be used to synchronize the system clocks of all relevant information processing systems within the organization or explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Note: specific legal jurisdictions and orbital storage and relay platforms (US GPS and EU Galileo satellite networks) may mandate a reference clock that differs in synchronization from the organization's domicile time reference; in this event the jurisdiction or platform is treated as an explicitly defined security domain.

Security Architecture - Equipment Identification

SA-13

Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

Security Architecture - Audit Logging / Intrusion Detection

SA-14

Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

Security Architecture - Mobile Code

SA-15

Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing.

COBIT 4.1

HIPAA / HITECH Act

ISO/IEC 27001-2005

NIST SP800-53 R3

--LOW IMPACT LEVEL--

DS5.5
DS5.6
DS9.2

45 CFR 164.308 (a)(1)(ii)(D)


45 CFR 164.312 (b)
45 CFR 164.308(a)(5)(ii)

PCI DSS v2.0

--MODERATE IMPACT LEVEL--

10.4

10.1
10.2
10.3
10.5
10.6
10.7
11.4
12.5.2
12.9.5

BITS Shared Assessments SIG v6.0

BITS Shared Assessments AUP v5.0

G.14.7, G.14.8, G.14.9, G.14.10, G.14.11, G.14.12, G.15.5, G.15.7, G.15.8, G.16.8, G.16.9, G.16.10, G.15.9, G.17.5, G.17.7, G.17.8, G.17.6, G.17.9, G.18.2, G.18.3, G.18.5, G.18.6, G.19.2.6, G.19.3.1, G.9.6.2, G.9.6.3, G.9.6.4, G.9.19, H.2.16, H.3.3, J.1, J.2, L.5, L.9, L.10

G.7
G.8
G.9
J.1
L.2

G.20.12, I.2.5

GAPP (Aug 2009)

Jericho Forum

NERC CIP

Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment #10
Commandment #11

CIP-004-3 R3

8.2.5

Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11

CIP-004-3 R3
CIP-007-3 - R6.1

8.2.5

Commandment #5
Commandment #6
Commandment #7
Commandment #9
Commandment #10
Commandment #11

CIP-004-3 R3 - R3.2

Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
8.2.1
8.2.2

Commandment #6
Commandment #7
Commandment #11

CIP-007-3 - R6.5

Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11

Copyright 2012 Cloud Security Alliance. All rights reserved. You may download,
store, display on your computer, view, print, and link to the Cloud Security Alliance
Cloud Controls Matrix (CCM) at http://www.cloudsecurityalliance.org subject to the
following: (a) the Cloud Controls Matrix may be used solely for your personal,
informational, non-commercial use; (b) the Cloud Controls Matrix may not be
modified or altered in any way; (c) the Cloud Controls Matrix may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed.
You may quote portions of the Cloud Controls Matrix as permitted by the Fair Use
provisions of the United States Copyright Act, provided that you attribute the portions
to the Cloud Security Alliance Cloud Controls Matrix Version 1.3 (2012). If you are
interested in obtaining a license to this material for other usages not addressed in
the copyright notice, please contact info@cloudsecurityalliance.org.

02/12/2015


Compliance - Audit Planning

CO-01

Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.

NIST SP800-53 R3: CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6
FedRAMP Low Impact Level: CA-2, CA-2 (1), CA-7
Compliance - Independent Audits

CO-02

Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing)

NIST SP800-53 R3: CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)
FedRAMP Low Impact Level: CA-1, CA-2, CA-2 (1), CA-6, RA-5
Compliance - Third Party Audits

CO-03

Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

NIST SP800-53 R3: CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
FedRAMP Low Impact Level: CA-3, SA-9, SC-7
Compliance - Contact / Authority Maintenance

CO-04

Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. Data, objects, applications, infrastructure and hardware may be assigned legislative domain and jurisdiction to facilitate proper compliance points of contact.

NIST SP800-53 R3: AT-5, IR-6, IR-6 (1), SI-5
FedRAMP Low Impact Level: IR-6, SI-5
Compliance - Information System Regulatory Mapping

CO-05

Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements, and adapt to new mandates shall be explicitly defined, documented, and kept up to date for each information system element in the organization.

NIST SP800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1
FedRAMP Low Impact Level: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
Compliance - Intellectual Property

CO-06

Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.

NIST SP800-53 R3: SA-6, SA-7, PM-5
FedRAMP Low Impact Level: SA-6, SA-7
Data Governance - Ownership / Stewardship

DG-01

All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.

NIST SP800-53 R3: CA-2, CA-2 (1), PM-5, PS-2, RA-2, SA-2
FedRAMP Low Impact Level: CA-2, CA-2 (1), PS-2, RA-2, SA-2
Data Governance - Classification

DG-02

Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure.

NIST SP800-53 R3: RA-2, AC-4
FedRAMP Low Impact Level: RA-2
Data Governance - Handling / Labeling / Security Policy

DG-03

Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

NIST SP800-53 R3: AC-16, MP-1, MP-3, PE-16, SI-12, SC-9, SC-9 (1)
FedRAMP Low Impact Level: AC-1, MP-1, PE-1, PE-16, SI-1, SI-12
Data Governance - Retention Policy

DG-04

Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.

NIST SP800-53 R3: CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3), SI-12, AU-11
FedRAMP Low Impact Level: CP-2, CP-9
Data Governance - Secure Disposal

DG-05

Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

NIST SP800-53 R3: MP-6, MP-6 (4), PE-1
FedRAMP Low Impact Level: MP-6, PE-1
Data Governance - Non-Production Data

DG-06

Production data shall not be replicated or used in non-production environments.

NIST SP800-53 R3: SA-11, SA-11 (1), CM-4
Data Governance - Information Leakage

DG-07

Security mechanisms shall be implemented to prevent data leakage.

NIST SP800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-4, AC-6, AC-6 (1), AC-6 (2), AC-11, AC-11 (1), AU-13, PE-19, SC-28, SC-28 (1), SA-8, SI-7, SI-7 (1)
FedRAMP Low Impact Level: AC-1, AC-2, AC-3
Data Governance - Risk Assessments

DG-08

Risk assessments associated with data governance requirements shall be conducted at planned intervals considering the following:
Awareness of where sensitive data is stored and transmitted across applications, databases, servers and network infrastructure
Compliance with defined retention periods and end-of-life disposal requirements
Data classification and protection from unauthorized use, access, loss, destruction, and falsification

NIST SP800-53 R3: CA-3, RA-2, RA-3, MP-8, PM-9, SI-12
FedRAMP Low Impact Level: CA-3, RA-2, RA-3, SI-12
Facility Security - Policy

FS-01

Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.

NIST SP800-53 R3: CA-2, CA-2 (1), PE-1, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8
FedRAMP Low Impact Level: CA-2, CA-2 (1), PE-1, PE-6, PE-7, PE-8
Facility Security - User Access

FS-02

Physical access to information assets and functions by users and support personnel shall be restricted.

NIST SP800-53 R3: PE-2, PE-2 (1), PE-3, PE-4, PE-5, PE-6, PE-6 (1)
FedRAMP Low Impact Level: PE-2, PE-3, PE-6
Facility Security - Controlled Access Points

FS-03

Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.

NIST SP800-53 R3: PE-2, PE-2 (1), PE-3, PE-6, PE-6 (1), PE-18
FedRAMP Low Impact Level: PE-2, PE-3, PE-6
Facility Security - Secure Area Authorization

FS-04

Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

NIST SP800-53 R3: PE-2, PE-2 (1), PE-3, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8, PE-18
FedRAMP Low Impact Level: PE-2, PE-3, PE-6, PE-7, PE-8
Facility Security - Unauthorized Persons Entry

FS-05

Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise and loss.

NIST SP800-53 R3: PE-7, PE-7 (1), PE-16, PE-18
FedRAMP Low Impact Level: PE-7, PE-16
Facility Security - Offsite Authorization

FS-06

Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.

NIST SP800-53 R3: MA-1, MA-2, MA-2 (1), PE-16
FedRAMP Low Impact Level: MA-1, MA-2, PE-16
Facility Security - Off-Site Equipment

FS-07

Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise.

NIST SP800-53 R3: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), MA-1, PE-1, PE-16, PE-17
FedRAMP Low Impact Level: AC-17, MA-1, PE-1, PE-16
Facility Security - Asset Management

FS-08

A complete inventory of critical assets shall be maintained with ownership defined and documented.

NIST SP800-53 R3: CM-8, CM-8 (1), CM-8 (3), CM-8 (5)
FedRAMP Low Impact Level: CM-8
Human Resources Security - Background Screening

HR-01

Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.

NIST SP800-53 R3: PS-2, PS-3
FedRAMP Low Impact Level: PS-2, PS-3
Human Resources Security - Employment Agreements

HR-02

Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and tenants and/or customers shall contractually agree and sign equivalent terms and conditions regarding information security responsibilities in employment or service contract.

NIST SP800-53 R3: PL-4, PS-6, PS-7
FedRAMP Low Impact Level: PS-1, PS-2, PS-6, PS-7
Human Resources Security - Employment Termination

HR-03

Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.

NIST SP800-53 R3: PS-4, PS-5
FedRAMP Low Impact Level: PS-2, PS-4, PS-5, PS-6, PS-8
Information Security - Management Program

IS-01

An Information Security Management Program (ISMP) has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security
Risk management
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance

NIST SP800-53 R3: PM-1, PM-2, PM-3, PM-4, PM-5, PM-6, PM-7, PM-8, PM-9, PM-10, PM-11
Information Security - Management Support / Involvement

IS-02

Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution.

NIST SP800-53 R3: CM-1, PM-1, PM-11
FedRAMP Low Impact Level: CM-1
Information Security - Policy

IS-03

Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory,

NIST SP800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
FedRAMP Low Impact Level: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
Information Security - Baseline Requirements

IS-04

Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements.

NIST SP800-53 R3: CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
FedRAMP Low Impact Level: CM-2, SA-2, SA-4
Information Security - Policy Reviews

IS-05

Management shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy.

NIST SP800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, SA-1, SC-1, SI-1
FedRAMP Low Impact Level: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
Informatio IS-06
n Security
Policy
Enforceme
nt

A formal NIST
NIST SP 800-53 R3 PL-4
disciplinar SP800-53
y or
R3 PL-4
sanction
policy
shall be
establishe
d for
employees
who have
violated
security
policies
and
procedure
s.
Employee
s shall be
made
aware of
what
action
might be
taken in
the event
of a
violation
and stated
as such in
the
policies
and
procedure
s.

NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 PS-1
NIST
NIST SP 800-53 R3 PS-8
SP800-53
R3 PS-8

Informatio IS-07
n Security
User
Access
Policy

User
NIST
NIST SP 800-53 R3 AC-1
access
SP800-53
policies
R3 AC-1
and
procedure
s shall be
document
ed,
approved
and
implement
ed for
granting
and
revoking
normal
and
privileged
access to
application
s,
databases
, and
server and
network
infrastruct
ure in
accordanc
e with
business,
security,
complianc
e and
service
level
agreement
(SLA)
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 IA-1

Informatio IS-08
n Security
User
Access
Restriction
/
Authorizati
on

Normal
NIST
NIST SP 800-53 R3 AC-3
and
SP800-53
privileged R3 AC-3
user
access to
application
s,
systems,
databases
, network
configurati
ons, and
sensitive
data and
functions
shall be
restricted
and
approved
by
managem
ent prior to
access
granted.

NIST
NIST SP 800-53 R3 IA-2
SP800-53
R3 AC-3
(3)
NIST
NIST SP 800-53 R3 IA-2 (1)
SP800-53
R3 AC-5
NIST
NIST SP 800-53 R3 IA-4
SP800-53
R3 AC-6
NIST
NIST SP 800-53 R3 IA-5
SP800-53
R3 AC-6
(1)
NIST
NIST SP 800-53 R3 IA-5 (1)
SP800-53
R3 AC-6
(2)
NIST
NIST SP 800-53 R3 IA-8
SP800-53
R3 IA-2
NIST
NIST SP 800-53 R3 MA-5
SP800-53
R3 IA-2
(1)

NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 IA-2
(2)
NIST
NIST SP 800-53 R3 SA-7
SP800-53
R3 IA-2
(3)
NIST
SP800-53
R3 IA-2
(8)
NIST
SP800-53
R3 IA-4
NIST
SP800-53
R3 IA-4
(4)
NIST
SP800-53
R3 IA-5
NIST
SP800-53
R3 IA-5
(1)
NIST
SP800-53
R3 IA-5
(2)
NIST
SP800-53
R3 IA-5
(3)
NIST
SP800-53
R3 IA-5
(6)
NIST
SP800-53
R3 IA-5
(7)
NIST
SP800-53
R3 IA-8
NIST
SP800-53
R3 MA-5
NIST
SP800-53
R3 PS-6

NIST
SP800-53
R3 SA-7
NIST
SP800-53
R3 SI-9
Informatio IS-09
n Security
User
Access
Revocatio
n

Timely
NIST
NIST SP 800-53 R3 AC-2
deprovisio SP800-53
ning,
R3 AC-2
revocation
or
modificatio
n of user
access to
the
organizati
ons
systems,
informatio
n assets
and data
shall be
implement
ed upon
any
change in
status of
employees
,
contractor
s,
customers
, business
partners or
third
parties.
Any
change in
status is
intended
to include
terminatio
n of
NIST
NIST SP 800-53 R3 PS-4
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 PS-5
SP800-53
R3 AC-2
(2)
NIST
SP800-53
R3 AC-2
(3)

NIST
SP800-53
R3 AC-2
(4)
NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 PS-4
NIST
SP800-53
R3 PS-5
Informatio IS-10
n Security
User
Access
Reviews

All levels NIST


NIST SP 800-53 R3 AC-2
of user
SP800-53
access
R3 AC-2
shall be
reviewed
by
managem
ent at
planned
intervals
and
document
ed. For
access
violations
identified,
remediatio
n must
follow
document
ed access
control
policies
and
procedure
s.

NIST
NIST SP 800-53 R3 AU-6
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 AC-2
(2)
NIST
NIST SP 800-53 R3 PS-7
SP800-53
R3 AC-2
(3)

NIST
SP800-53
R3 AC-2
(4)
NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 AU-6
NIST
SP800-53
R3 AU-6
(1)
NIST
SP800-53
R3 AU-6
(3)
NIST
SP800-53
R3 PM-10
NIST
SP800-53
R3 PS-6
NIST
SP800-53
R3 PS-7

Informatio IS-11
n Security

Training /
Awarenes
s

A security NIST
NIST SP 800-53 R3 AT-1
awareness SP800-53
training
R3 AT-1
program
shall be
establishe
d for all
contractor
s, third
party
users and
employees
of the
organizati
on and
mandated
when
appropriat
e. All
individuals
with
access to
organizati
onal data
shall
receive
appropriat
e
awareness
training
and
regular
updates in
organizati
onal
procedure
s, process NIST
NIST SP 800-53 R3 AT-2
SP800-53
R3 AT-2
NIST
NIST SP 800-53 R3 AT-3
SP800-53
R3 AT-3
NIST
NIST SP 800-53 R3 AT-4
SP800-53
R3 AT-4

Informatio IS-12
n Security
Industry
Knowledg
e/
Benchmar
king

Industry
NIST
NIST SP 800-53 R3 SI-5
security
SP800-53
knowledge R3 AT-5
and
benchmar
king
through
networking
, specialist
security
forums,
and
profession
al
associatio
ns shall be
maintaine
d.

NIST
SP800-53
R3 SI-5
Informatio IS-13
n Security
Roles /
Responsib
ilities

Roles and NIST


NIST SP 800-53 R3 PL-4
responsibil SP800-53
ities of
R3 AT-3
contractor
s,
employees
and third
party
users shall
be
document
ed as they
relate to
informatio
n assets
and
security.

NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 PL-4
NIST
NIST SP 800-53 R3 PS-2
SP800-53
R3 PM-10
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 PS-1

NIST
NIST SP 800-53 R3 PS-7
SP800-53
R3 PS-6
NIST
SP800-53
R3 PS-7
Informatio IS-14
n Security

Managem
ent
Oversight

Managers NIST
NIST SP 800-53 R3 AT-2
are
SP800-53
responsibl R3 AT-2
e for
maintainin
g
awareness
of and
complying
with
security
policies,
procedure
s and
standards
that are
relevant to
their area
of
responsibil
ity.

NIST
NIST SP 800-53 R3 AT-3
SP800-53
R3 AT-3
NIST
NIST SP 800-53 R3 AT-4
SP800-53
R3 CA-1
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-5
NIST
NIST SP 800-53 R3 CA-5
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 CA-7
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 CA-7
(2)
NIST
SP800-53
R3 PM-10

Informatio IS-15
n Security

Segregatio
n of Duties

Policies, NIST
NIST SP 800-53 R3 AC-1
process
SP800-53
and
R3 AC-1
procedure
s shall be
implement
ed to
enforce
and
assure
proper
segregatio
n of
duties. In
those
events
where
user-role
conflict-ofinterest
constraints
exist,
technical
controls
shall be in
place to
mitigate
any risks
arising
from
unauthoriz
ed or
unintentio
nal
modificatio
n or
misuse of NIST
NIST SP 800-53 R3 AC-2
SP800-53
R3 AC-2
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 AU-2
SP800-53
R3 AC-2
(2)
NIST
NIST SP 800-53 R3 AU-6
SP800-53
R3 AC-2
(3)
NIST
SP800-53
R3 AC-2
(4)

NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 AC-5
NIST
SP800-53
R3 AC-6
NIST
SP800-53
R3 AC-6
(1)
NIST
SP800-53
R3 AC-6
(2)
NIST
SP800-53
R3 AU-1
NIST
SP800-53
R3 AU-6
NIST
SP800-53
R3 AU-6
(1)
NIST
SP800-53
R3 AU-6
(3)
NIST
SP800-53
R3 SI-1
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)

NIST
SP800-53
R3 SI-4
(6)
Informatio IS-16
n Security
User
Responsib
ility

Users
NIST
NIST SP 800-53 R3 AT-2
shall be
SP800-53
made
R3 AT-2
aware of
their
responsibil
ities for:

NIST
NIST SP 800-53 R3 AT-3
Maintainin SP800-53
g
R3 AT-3
awareness
and
complianc
e with
published
security
policies,
procedure
s,
standards
and
applicable
regulatory
requireme
nts

NIST
NIST SP 800-53 R3 AT-4
Maintainin SP800-53
g a safe
R3 AT-4
and
secure
working
environme
nt

NIST
NIST SP 800-53 R3 PL-4
Leaving
SP800-53
unattende R3 PL-4
d
equipment
in a
secure
manner

Informatio IS-17
n Security

Workspac
e

Policies
NIST
NIST SP 800-53 R3 MP-1
and
SP800-53
procedure R3 AC-11
s shall be
establishe
d for
clearing
visible
document
s
containing
sensitive
data when
a
workspace
is
unattende
d and
enforceme
nt of
workstatio
n session
logout for
a period of
inactivity.

NIST
NIST SP 800-53 R3 MP-2
SP800-53
R3 AC-11
(1)
NIST
SP800-53
R3 MP-2
NIST
SP800-53
R3 MP-2
(1)
NIST
SP800-53
R3 MP-3
NIST
SP800-53
R3 MP-4
NIST
SP800-53
R3 MP-4
(1)

Informatio IS-18
n Security

Encryption

Policies
NIST
NIST SP 800-53 R3 AC-1
and
SP800-53
procedure R3 AC-18
s shall be
establishe
d and
mechanis
ms
implement
ed for
encrypting
sensitive
data in
storage
(e.g., file
servers,
databases
, and enduser
workstatio
ns) and
data in
transmissi
on (e.g.,
system
interfaces,
over public
networks,
and
electronic
messaging
).

NIST
NIST SP 800-53 R3 AC-18
SP800-53
R3 AC-18
(1)
NIST
NIST SP 800-53 R3 IA-7
SP800-53
R3 AC-18
(2)
NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 AC-18
(3)
NIST
NIST SP 800-53 R3 SC-7
SP800-53
R3 AC-18
(4)
NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 AC-18
(5)

NIST
SP800-53
R3 IA-3
NIST
SP800-53
R3 IA-7
NIST
SP800-53
R3 SC-7
NIST
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
NIST
SP800-53
R3 SC-8

NIST
SP800-53
R3 SC-8
(1)
NIST
SP800-53
R3 SC-9
NIST
SP800-53
R3 SC-9
(1)
NIST
SP800-53
R3 SC-13
NIST
SP800-53
R3 SC-13
(1)
NIST
SP800-53
R3 SC-16
NIST
SP800-53
R3 SC-23
NIST
SP800-53
R3 SI-8
Informatio IS-19
n Security

Encryption
Key
Managem
ent

Policies
NIST
NIST SP 800-53 R3 SC-12
and
SP800-53
procedure R3 SC-12
s shall be
establishe
d and
mechanis
ms
implement
ed for
effective
key
managem
ent to
support
encryption
of data in
storage
and in
transmissi
on.

NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 SC-12
(2)

NIST
SP800-53
R3 SC-12
(5)
NIST
SP800-53
R3 SC-13
NIST
SP800-53
R3 SC-13
(1)
NIST
SP800-53
R3 SC-17
NIST
SP800-53
R3 SC-28
NIST
SP800-53
R3 SC-28
(1)
Informatio IS-20
n Security

Vulnerabili
ty / Patch
Managem
ent

Policies
NIST
NIST SP 800-53 R3 CM-4
and
SP800-53
procedure R3 CM-3
s shall be
establishe
d and
mechanis
m
implement
ed for
vulnerabilit
y and
patch
managem
ent,
ensuring
that
application
, system,
and
network
device
vulnerabilit
ies are
evaluated
and
vendorsupplied
security
patches
applied in
a timely
manner
taking a
risk-based
approach
for

NIST
SP800-53
R3 CM-3
(2)
NIST
NIST SP 800-53 R3 RA-5
SP800-53
R3 CM-4
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 CP-10
NIST
NIST SP 800-53 R3 SI-2
SP800-53
R3 CP-10
(2)
NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 CP-10
(3)
NIST
SP800-53
R3 RA-5
NIST
SP800-53
R3 RA-5
(1)
NIST
SP800-53
R3 RA-5
(2)
NIST
SP800-53
R3 RA-5
(3)
NIST
SP800-53
R3 RA-5
(9)
NIST
SP800-53
R3 RA-5
(6)
NIST
SP800-53
R3 SA-7
NIST
SP800-53
R3 SI-1
NIST
SP800-53
R3 SI-2

NIST
SP800-53
R3 SI-2
(2)
NIST
SP800-53
R3 SI-5
Informatio IS-21
n Security
AntiVirus /
Malicious
Software

Ensure
NIST
NIST SP 800-53 R3 SC-5
that all
SP800-53
antivirus R3 SA-7
programs
are
capable of
detecting,
removing,
and
protecting
against all
known
types of
malicious
or
unauthoriz
ed
software
with
antivirus
signature
updates at
least every
12 hours.

NIST
NIST SP 800-53 R3 SI-3
SP800-53
R3 SC-5
NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 SI-3
NIST
SP800-53
R3 SI-3
(1)
NIST
SP800-53
R3 SI-3
(2)
NIST
SP800-53
R3 SI-3
(3)

NIST
SP800-53
R3 SI-5
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
NIST
SP800-53
R3 SI-8
Informatio IS-22
n Security
Incident
Managem
ent

Policies
NIST
NIST SP 800-53 R3 IR-1
and
SP800-53
procedure R3 IR-1
s shall be
establishe
d to triage
security
related
events
and
ensure
timely and
thorough
incident
managem
ent.

NIST
NIST SP 800-53 R3 IR-2
SP800-53
R3 IR-2
NIST
SP800-53
R3 IR-3
NIST
NIST SP 800-53 R3 IR-4
SP800-53
R3 IR-4
NIST
NIST SP 800-53 R3 IR-5
SP800-53
R3 IR-4
(1)
NIST
NIST SP 800-53 R3 IR-6
SP800-53
R3 IR-5
NIST
NIST SP 800-53 R3 IR-7
SP800-53
R3 IR-7

NIST
SP800-53
R3 IR-7
(1)
NIST
SP800-53
R3 IR-7
(2)
NIST
SP800-53
R3 IR-8
Informatio IS-23
n Security
Incident
Reporting

Contractor NIST
NIST SP 800-53 R3 IR-2
s,
SP800-53
employees R3 IR-2
and third
party
users shall
be made
aware of
their
responsibil
ity to
report all
informatio
n security
events in a
timely
manner.
Informatio
n security
events
shall be
reported
through
predefined
communic
ations
channels
in a
prompt
and
expedient
manner in
complianc
e with
statutory,
regulatory
and
NIST
NIST SP 800-53 R3 IR-6
SP800-53
R3 IR-6
NIST
NIST SP 800-53 R3 IR-7
SP800-53
R3 IR-6
(1)
NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 IR-7

NIST
SP800-53
R3 IR-7
(1)
NIST
SP800-53
R3 IR-7
(2)
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
NIST
SP800-53
R3 SI-5

Informatio IS-24
n Security
Incident
Response
Legal
Preparatio
n

In the
NIST
NIST SP 800-53 R3 AU-6
event a
SP800-53
follow-up R3 AU-6
action
concernin
g a person
or
organizati
on after an
informatio
n security
incident
requires
legal
action
proper
forensic
procedure
s including
chain of
custody
shall be
required
for
collection,
retention,
and
presentati
on of
evidence
to support
potential
legal
action
subject to
the
relevant
NIST
NIST SP 800-53 R3 AU-9
SP800-53
R3 AU-6
(1)
NIST
NIST SP 800-53 R3 AU-11
SP800-53
R3 AU-6
(3)
NIST
NIST SP 800-53 R3 IR-5
SP800-53
R3 AU-7
NIST
NIST SP 800-53 R3 IR-7
SP800-53
R3 AU-7
(1)
NIST
NIST SP 800-53 R3 IR-8
SP800-53
R3 AU-9

NIST
SP800-53
R3 AU-9
(2)
NIST
SP800-53
R3 AU-11
NIST
SP800-53
R3 IR-5
NIST
SP800-53
R3 IR-7
NIST
SP800-53
R3 IR-7
(1)
NIST
SP800-53
R3 IR-7
(2)
NIST
SP800-53
R3 IR-8

Informatio IS-25
n Security
Incident
Response
Metrics

Mechanis NIST
NIST SP 800-53 R3 IR-4
ms shall SP800-53
be put in R3 IR-4
place to
monitor
and
quantify
the types,
volumes,
and costs
of
informatio
n security
incidents.

NIST
NIST SP 800-53 R3 IR-5
SP800-53
R3 IR-4
(1)
NIST
NIST SP 800-53 R3 IR-8
SP800-53
R3 IR-5

NIST
SP800-53
R3 IR-8
Informatio IS-26
n Security

Acceptabl
e Use

Policies
NIST
NIST SP 800-53 R3 AC-2
and
SP800-53
procedure R3 AC-8
s shall be
establishe
d for the
acceptable
use of
informatio
n assets.
NIST
NIST SP 800-53 R3 AC-8
SP800-53
R3 AC-20
NIST
NIST SP 800-53 R3 AC-20
SP800-53
R3 AC-20
(1)
NIST
NIST SP 800-53 R3 PL-4
SP800-53
R3 AC-20
(2)
NIST
SP800-53
R3 PL-4

Informatio IS-27
n Security
Asset
Returns

Employee NIST
NIST SP 800-53 R3 PS-4
s,
SP800-53
contractor R3 PS-4
s and third
party
users
must
return all
assets
owned by
the
organizati
on within a
defined
and
document
ed time
frame
once the
employme
nt,
contract or
agreement
has been
terminated
.

Informatio IS-28
n Security

eCommer
ce
Transactio
ns

Electronic NIST
NIST SP 800-53 R3 AC-1
commerce SP800-53
(eR3 AC-14
commerce
) related
data
traversing
public
networks
shall be
appropriat
ely
classified
and
protected
from
fraudulent
activity,
unauthoriz
ed
disclosure
or
modificatio
n in such a
manner to
prevent
contract
dispute
and
compromi
se of data.

NIST
NIST SP 800-53 R3 AC-2
SP800-53
R3 AC-14
(1)
NIST
NIST SP 800-53 R3 AC-22
SP800-53
R3 AC-21
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AC-22
NIST
SP800-53
R3 IA-8
NIST
SP800-53
R3 AU-10
NIST
SP800-53
R3 AU-10
(5)

NIST
SP800-53
R3 SC-4
NIST
SP800-53
R3 SC-8
NIST
SP800-53
R3 SC-8
(1)
NIST
SP800-53
R3 SC-9
NIST
SP800-53
R3 SC-9
(1)
Informatio IS-29
n Security
Audit
Tools
Access

Access to, NIST


NIST SP 800-53 R3 AU-9
and use
SP800-53
of, audit R3 AU-9
tools that
interact
with the
organizati
ons
informatio
n systems
shall be
appropriat
ely
segmente
d and
restricted
to prevent
compromi
se and
misuse of
log data.

NIST
SP800-53
R3 AU-9
(2)
NIST
SP800-53
R3 AU-11
NIST
SP800-53
R3 AU-14

Informatio IS-30
n Security

Diagnostic
/
Configurati
on Ports
Access

User
NIST
NIST SP 800-53 R3 CM-7
access to SP800-53
diagnostic R3 CM-7
and
configurati
on ports
shall be
restricted
to
authorized
individuals
and
application
s.

NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 CM-7
(1)
NIST
NIST SP 800-53 R3 MA-5
SP800-53
R3 MA-3
NIST
SP800-53
R3 MA-3
(1)
NIST
SP800-53
R3 MA-3
(2)
NIST
SP800-53
R3 MA-3
(3)
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
NIST
SP800-53
R3 MA-5

Informatio IS-31
n Security

Network /
Infrastruct
ure
Services

Network NIST
NIST SP 800-53 R3 CA-3
and
SP800-53
infrastruct R3 SC-20
ure
service
level
agreement
s (inhouse or
outsource
d) shall
clearly
document
security
controls,
capacity
and
service
levels, and
business
or
customer
requireme
nts.

NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 SC-20
(1)
NIST
SP800-53
R3 SC-21
NIST
SP800-53
R3 SC-22
NIST
SP800-53
R3 SC23NIST
SP800-53
R3 SC-24

Informatio IS-32
n Security

Portable /
Mobile
Devices

Policies
and
procedure
s shall be
establishe
d and
measures
implement
ed to
strictly
limit
access to
sensitive
data from
portable
and
mobile
devices,
such as
laptops,
cell
phones,
and
personal
digital
assistants
(PDAs),
which are
generally
higher-risk
than nonportable
devices
(e.g.,
desktop
computers
at the

NIST
NIST SP 800-53 R3 AC-17
SP800-53
R3 AC-17

NIST
NIST SP 800-53 R3 AC-18
SP800-53
R3 AC-17
(1)
NIST
NIST SP 800-53 R3 AC-19
SP800-53
R3 AC-17
(2)
NIST
NIST SP 800-53 R3 MP-2
SP800-53
R3 AC-17
(3)
NIST
NIST SP 800-53 R3 MP-6
SP800-53
R3 AC-17
(4)
NIST
SP800-53
R3 AC-17
(5)

NIST
SP800-53
R3 AC-17
(7)
NIST
SP800-53
R3 AC-17
(8)
NIST
SP800-53
R3 AC-18
NIST
SP800-53
R3 AC-18
(1)
NIST
SP800-53
R3 AC-18
(2)
NIST
SP800-53
R3 AC-18
(3)
NIST
SP800-53
R3 AC-18
(4)
NIST
SP800-53
R3 AC-18
(5)
NIST
SP800-53
R3 AC-19
NIST
SP800-53
R3 AC-19
(1)
NIST
SP800-53
R3 AC-19
(2)
NIST
SP800-53
R3 AC-19
(3)
NIST
SP800-53
R3 MP-2
NIST
SP800-53
R3 MP-2
(1)

NIST
SP800-53
R3 MP-4
NIST
SP800-53
R3 MP-4
(1)
NIST
SP800-53
R3 MP-6
NIST
SP800-53
R3 MP-6
(4)
Informatio IS-33
n Security
Source
Code
Access
Restriction

Access to NIST
application SP800-53
, program R3 CM-5
or object
source
code shall
be
restricted
to
authorized
personnel
on a need
to know
basis.
Records
shall be
maintaine
d
regarding
the
individual
granted
access,
reason for
access
and
version of
source
code
exposed.

NIST
SP800-53
R3 CM-5
(1)

NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
Informatio IS-34
n Security
Utility
Programs
Access

Utility
NIST
NIST SP 800-53 R3 CM-7
programs SP800-53
capable of R3 AC-5
potentially
overriding
system,
object,
network,
virtual
machine
and
application
controls
shall be
restricted.

NIST
SP800-53
R3 AC-6
NIST
SP800-53
R3 AC-6
(1)
NIST
SP800-53
R3 AC-6
(2)
NIST
SP800-53
R3 CM-7
NIST
SP800-53
R3 CM-7
(1)

NIST
SP800-53
R3 SC-3
NIST
SP800-53
R3 SC-19
Legal
LG-01
NonDisclosure
Agreemen
ts

Requirem NIST
NIST SP 800-53 R3 PL-4
ents for
SP800-53
nonR3 PL-4
disclosure
or
confidentia
lity
agreement
s reflecting
the
organizati
on's needs
for the
protection
of data
and
operationa
l details
shall be
identified,
document
ed and
reviewed
at planned
intervals.

NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 PS-6
NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 SA-9
NIST
SP800-53
R3 SA-9
(1)

Legal
LG-02
Third
Party
Agreemen
ts

Third party NIST


NIST SP 800-53 R3 CA-3
agreement SP800-53
s that
R3 CA-3
directly, or
indirectly,
impact the
organizati
ons
informatio
n assets
or data are
required to
include
explicit
coverage
of all
relevant
security
requireme
nts. This
includes
agreement
s involving
processing
,
accessing,
communic
ating,
hosting or
managing
the
organizati
on's
informatio
n assets,
or adding
or
NIST
NIST SP 800-53 R3 PS-7
SP800-53
R3 MP-5
NIST
NIST SP 800-53 R3 SA-6
SP800-53
R3 MP-5
(2)
NIST
NIST SP 800-53 R3 SA-7
SP800-53
R3 MP-5
(4)
NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 PS-7
NIST
SP800-53
R3 SA-6
NIST
SP800-53
R3 SA-7

NIST
SP800-53
R3 SA-9
NIST
SP800-53
R3 SA-9
(1)
Operation OP-01
s
Managem
ent
Policy

Policies
NIST
NIST SP 800-53 R3 CM-2
and
SP800-53
procedure R3 CM-2
s shall be
establishe
d and
made
available
for all
personnel
to
adequatel
y support
services
operations
role.
NIST
NIST SP 800-53 R3 CM-4
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 CM-6
SP800-53
R3 CM-2
(3)
NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 CM-2
(5)
NIST
NIST SP 800-53 R3 SA-3
SP800-53
R3 CM-3
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 CM-3
(2)
NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 CM-4
NIST
SP800-53
R3 CM-5
NIST
SP800-53
R3 CM-5
(1)

NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
NIST
SP800-53
R3 CM-9
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
NIST
SP800-53
R3 SA-3
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
NIST
SP800-53
R3 SA-5

NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 SA-12
Operation OP-02
s
Managem
ent
Document
ation

Informatio NIST
NIST SP 800-53 R3 CP-9
n system SP800-53
document R3 CP-9
ation (e.g.,
administra
tor and
user
guides,
architectur
e
diagrams,
etc.) shall
be made
available
to
authorized
personnel
to ensure
the
following:


Configurin
g,
installing,
and
operating
the
informatio
n system

NIST
NIST SP 800-53 R3 CP-10
SP800-53
R3 CP-9
(1)

Effectively
using the
systems
security
features

NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 CP-9
(3)

NIST
SP800-53
R3 CP-10
NIST
SP800-53
R3 CP-10
(2)
NIST
SP800-53
R3 CP-10
(3)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)

Operation OP-03
s
Managem
ent
Capacity /
Resource
Planning

The
NIST
NIST SP 800-53 R3 SA-4
availability, SP800-53
quality,
R3 SA-4
and
adequate
capacity
and
resources
shall be
planned,
prepared,
and
measured
to deliver
the
required
system
performan
ce in
accordanc
e with
regulatory,
contractua
l and
business
requireme
nts.
Projection
s of future
capacity
requireme
nts shall
be made
to mitigate
the risk of
system
overload. NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)

Operation OP-04
s
Managem
ent
Equipment
Maintenan
ce

Policies
NIST
NIST SP 800-53 R3 MA-2
and
SP800-53
procedure R3 MA-2
s shall be
establishe
d for
equipment
maintenan
ce
ensuring
continuity
and
availability
of
operations
.

NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 MA-2
(1)
NIST
NIST SP 800-53 R3 MA-5
SP800-53
R3 MA-3
NIST
SP800-53
R3 MA-3
(1)
NIST
SP800-53
R3 MA-3
(2)
NIST
SP800-53
R3 MA-3
(3)
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
NIST
SP800-53
R3 MA-5
NIST
SP800-53
R3 MA-6

Risk
RI-01
Managem
ent
Program

Organizati NIST
NIST SP 800-53 R3 AC-1
ons shall SP800-53
develop
R3 AC-4
and
maintain
an
enterprise
risk
managem
ent
framework
to manage
risk to an
acceptable
level.

NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 CA-2
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 PM-9
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 RA-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3

Risk
RI-02
Managem
ent
Assessme
nts

Aligned
NIST
NIST SP 800-53 R3 CM-1
with the
SP800-53
enterprise- R3 PL-5
wide
framework
, formal
risk
assessme
nts shall
be
performed
at least
annually,
or at
planned
intervals,
determinin
g the
likelihood
and
impact of
all
identified
risks,
using
qualitative
and
quantitativ
e
methods.
The
likelihood
and
impact
associated
with
inherent NIST
NIST SP 800-53 R3 RA-1
SP800-53
R3 RA-2
NIST
NIST SP 800-53 R3 RA-2
SP800-53
R3 RA-3
NIST SP 800-53 R3 RA-3

Risk
RI-03
Managem
ent
Mitigation /
Acceptanc
e

Risks shall NIST


NIST SP 800-53 R3 CA-5
be
SP800-53
mitigated R3 CA-5
to an
acceptable
level.
Acceptanc
e levels
based on
risk criteria
shall be
establishe
d and
document
ed in
accordanc
e with
reasonabl
e
resolution
time
frames
and
executive
approval.

NIST
NIST SP 800-53 R3 CP-1
SP800-53
R3 CM-4
Risk
RI-04
Managem
ent
Business /
Policy
Change
Impacts

NIST SP 800-53 R3 RA-1


Risk
NIST
NIST SP 800-53 R3 AC-1
assessme SP800-53
nt results R3 CP-2
shall
include
updates to
security
policies,
procedure
s,
standards
and
controls to
ensure
they
remain
relevant
and
effective.

NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 CP-2
(1)
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 CP-2
(2)
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 RA-2
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 RA-3
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

Risk
RI-05
Managem
ent Third
Party
Access

The
NIST
NIST SP 800-53 R3 AC-1
identificati SP800-53
on,
R3 CA-3
assessme
nt, and
prioritizatio
n of risks
posed by
business
processes
requiring
third party
access to
the
organizati
on's
informatio
n systems
and data
shall be
followed
by
coordinate
d
application
of
resources
to
minimize,
monitor,
and
measure
likelihood
and
impact of
unauthoriz
ed or
NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 MA-4
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 MA-4
(1)
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 MA-4
(2)
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 RA-3
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1

NIST SP 800-53 R3 PE-1


NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

Release RM-01
Managem
ent New
Developm
ent /
Acquisition

Policies
NIST
NIST SP 800-53 R3 CA-1
and
SP800-53
procedure R3 CA-1
s shall be
establishe
d for
managem
ent
authorizati
on for
developm
ent or
acquisition
of new
application
s,
systems,
databases
,
infrastruct
ure,
services,
operations
, and
facilities.

NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 CM-1
NIST
NIST SP 800-53 R3 PL-1
SP800-53
R3 CM-9
NIST
NIST SP 800-53 R3 PL-2
SP800-53
R3 PL-1
NIST
NIST SP 800-53 R3 SA-1
SP800-53
R3 PL-2

NIST
NIST SP 800-53 R3 SA-3
SP800-53
R3 PL-2
(2)
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 SA-1
NIST
SP800-53
R3 SA-3
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)

Release RM-02
Managem
ent
Production
Changes

Changes NIST
NIST SP 800-53 R3 CA-1
to the
SP800-53
production R3 CA-1
environme
nt shall be
document
ed, tested
and
approved
prior to
implement
ation.
Production
software
and
hardware
changes
may
include
application
s,
systems,
databases
and
network
devices
requiring
patches,
service
packs, and
other
updates
and
modificatio
ns.
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 CA-7
NIST
NIST SP 800-53 R3 CM-2
SP800-53
R3 CA-7
(2)
NIST
NIST SP 800-53 R3 CM-6
SP800-53
R3 CM-2
NIST
NIST SP 800-53 R3 PL-2
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 PL-5
SP800-53
R3 CM-2
(3)

NIST
NIST SP 800-53 R3 SI-2
SP800-53
R3 CM-2
(5)
NIST
SP800-53
R3 CM-3
NIST
SP800-53
R3 CM-3
(2)
NIST
SP800-53
R3 CM-5
NIST
SP800-53
R3 CM-5
(1)
NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
NIST
SP800-53
R3 CM-9
NIST
SP800-53
R3 PL-2
NIST
SP800-53
R3 PL-2
(2)
NIST
SP800-53
R3 PL-5
NIST
SP800-53
R3 SI-2
NIST
SP800-53
R3 SI-2
(2)

NIST
SP800-53
R3 SI-6
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
Release RM-03
Managem
ent
Quality
Testing

A program NIST
NIST SP 800-53 R3 CM-1
for the
SP800-53
systematic R3 CM-1
monitoring
and
evaluation
to ensure
that
standards
of quality
are being
met shall
be
establishe
d for all
software
developed
by the
organizati
on. Quality
evaluation
and
acceptanc
e criteria
for
informatio
n systems,
upgrades,
and new
versions
shall be
establishe
d,
document
ed and
tests of
the
NIST
NIST SP 800-53 R3 CM-2
SP800-53
R3 CM-2
NIST
NIST SP 800-53 R3 SA-3
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 CM-2
(3)

NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 CM-2
(5)
NIST
SP800-53
R3 SA-3
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 SA-13

Release RM-04
Managem
ent
Outsource
d
Developm
ent

A program NIST
NIST SP 800-53 R3 SA-4
for the
SP800-53
systematic R3 SA-4
monitoring
and
evaluation
to ensure
that
standards
of quality
are being
met shall
be
establishe
d for all
outsource
d software
developm
ent. The
developm
ent of all
outsource
d software
shall be
supervised
and
monitored
by the
organizati
on and
must
include
security
requireme
nts,
independe
nt security NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 SA-4
(1)
NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)

NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SA-9
NIST
SP800-53
R3 SA-9
(1)
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 SA-12
NIST
SP800-53
R3 SA-13
Release RM-05
Managem
ent
Unauthoriz
ed
Software
Installation
s

Policies
NIST
NIST SP 800-53 R3 CM-1
and
SP800-53
procedure R3 CM-1
s shall be
establishe
d and
mechanis
ms
implement
ed to
restrict the
installation
of
unauthoriz
ed
software.

NIST
NIST SP 800-53 R3 CM-2
SP800-53
R3 CM-2

NIST
NIST SP 800-53 R3 CM-7
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 CM-8
SP800-53
R3 CM-2
(3)
NIST
NIST SP 800-53 R3 SA-6
SP800-53
R3 CM-2
(5)
NIST
NIST SP 800-53 R3 SA-7
SP800-53
R3 CM-3
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 CM-3
(2)
NIST
NIST SP 800-53 R3 SI-3
SP800-53
R3 CM-5
NIST
SP800-53
R3 CM-5
(1)
NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-7
NIST
SP800-53
R3 CM-7
(1)
NIST
SP800-53
R3 CM-8
NIST
SP800-53
R3 CM-8
(1)
NIST
SP800-53
R3 CM-8
(3)
NIST
SP800-53
R3 CM-8
(5)

NIST
SP800-53
R3 CM-9
NIST
SP800-53
R3 SA-6
NIST
SP800-53
R3 SA-7
NIST
SP800-53
R3 SI-1
NIST
SP800-53
R3 SI-3
NIST
SP800-53
R3 SI-3
(1)
NIST
SP800-53
R3 SI-3
(2)
NIST
SP800-53
R3 SI-3
(3)
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)

Resiliency RS-01

Managem
ent
Program

Policy,
NIST
NIST SP 800-53 R3 CP-1
process
SP800-53
and
R3 CP-1
procedure
s defining
business
continuity
and
disaster
recovery
shall be
put in
place to
minimize
the impact
of a
realized
risk event
on the
organizati
on to an
acceptable
level and
facilitate
recovery
of
informatio
n assets
(which
may be
the result
of, for
example,
natural
disasters,
accidents,
equipment NIST
NIST SP 800-53 R3 CP-2
SP800-53
R3 CP-2
NIST
SP800-53
R3 CP-2
(1)
NIST
SP800-53
R3 CP-2
(2)

Resiliency RS-02
Impact
Analysis

There
NIST
NIST SP 800-53 R3 CP-1
shall be a SP800-53
defined
R3 RA-3
and
document
ed method
for
determinin
g the
impact of
any
disruption
to the
organizati
on which
must
incorporat
e the
following:

Identify
critical
products
and
services

NIST SP 800-53 R3 CP-2

Identify all
dependen
cies,
including
processes,
application
s,
business
partners
and third
party
service
providers

NIST SP 800-53 R3 RA-3

Understan
d threats
to critical
products
and
services


Determine
impacts
resulting
from
planned or
unplanned
disruptions
and how
these vary
over time

Establish
the
maximum
tolerable
period for
disruption

Establish
priorities
for
recovery

Establish
recovery
time
objectives
for
resumptio
n of critical
products
and
services
within their
maximum
tolerable
period of
disruption

Estimate
the
resources
required
for
resumptio
n

Resiliency - Business Continuity Planning

RS-03

A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity

- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update and approval
- Defined lines of communication, roles and responsibilities
- Detailed recovery procedures, manual workaround and reference information
- Method for plan invocation

NIST SP800-53 R3 references: CP-1, CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3), CP-10, CP-10 (2), CP-10 (3), PE-17
NIST SP 800-53 R3 references (second mapping column): CP-1, CP-2, CP-3, CP-4, CP-9, CP-10

Resiliency - Business Continuity Testing

RS-04

Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

NIST SP800-53 R3 references: CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1)
NIST SP 800-53 R3 references (second mapping column): CP-2, CP-3, CP-4

Resiliency - Environmental Risks

RS-05

Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic

NIST SP800-53 R3 references: PE-1, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14, PE-14 (1), PE-15, PE-18
NIST SP 800-53 R3 references (second mapping column): PE-1, PE-13, PE-14, PE-15

Resiliency - Equipment Location

RS-06

To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.

NIST SP800-53 R3 references: PE-1, PE-5, PE-14, PE-14 (1), PE-15, PE-18
NIST SP 800-53 R3 references (second mapping column): PE-1, PE-14, PE-15

Resiliency - Equipment Power Failures

RS-07

Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

NIST SP800-53 R3 references: CP-8, CP-8 (1), CP-8 (2), PE-1, PE-9, PE-10, PE-11, PE-11 (1), PE-12, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14, PE-14 (1)
NIST SP 800-53 R3 references (second mapping column): PE-1, PE-12, PE-13, PE-14

Resiliency - Power / Telecommunications

RS-08

Telecommunications equipment, cabling and relays transceiving data or supporting services shall be protected from interception or damage and designed with redundancies, alternative power source and alternative routing.

NIST SP800-53 R3 references: PE-4, PE-13, PE-13 (1), PE-13 (2), PE-13 (3)
NIST SP 800-53 R3 references (second mapping column): PE-1, PE-13, PE-13 (1), PE-13 (2), PE-13 (3)

Security Architecture - Customer Access Requirements

SA-01

Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.

NIST SP800-53 R3 references: CA-1, CA-2, CA-2 (1), CA-5, CA-6
NIST SP 800-53 R3 references (second mapping column): CA-1, CA-2, CA-2 (1), CA-5, CA-6

Security Architecture - User ID Credentials

SA-02

Implement and enforce (through automation) user credential and password controls for applications, databases and server and network infrastructure, requiring the following minimum standards:

- User identity verification prior to password resets.
- If password reset initiated by personnel other than user (i.e., administrator), especially if communicated in plaintext (i.e., via email), password must be immediately changed by user upon first use.
- Timely access revocation for terminated users.
- Remove/disable inactive user accounts at least every 90 days.
- Unique user IDs and disallow group, shared, or generic accounts and passwords.
- Password expiration at least every 90 days.
- Minimum password length of at least seven (7) characters.
- Strong passwords containing both numeric and alphabetic characters.
- Allow password re-use after the last four (4) passwords used.
- User ID lockout after not more than six (6) attempts.
- User ID lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
- Reenter password to reactivate terminal after session idle time for more than 15 minutes.
- Maintain user activity logs for privileged access or access to sensitive data.

NIST SP800-53 R3 references: AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-11, AC-11 (1), AU-2, AU-2 (3), AU-2 (4), AU-11, IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-6, IA-8, SC-10
NIST SP 800-53 R3 references (second mapping column): AC-1, AC-2, AC-3, AU-2, AU-11, IA-1, IA-2, IA-2 (1), IA-5, IA-5 (1), IA-6, IA-8

Security Architecture - Data Security / Integrity

SA-03

Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure,

NIST SP800-53 R3 references: AC-1, AC-4, SC-1, SC-16
NIST SP 800-53 R3 references (second mapping column): AC-1, SC-1, SC-13

Security Architecture - Application Security

SA-04

Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.

NIST SP800-53 R3 references: SC-2, SC-3, SC-4, SC-5, SC-6, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-10, SC-11, SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-14, SC-17, SC-18, SC-18 (4), SC-20, SC-20 (1), SC-21, SC-22, SC-23
NIST SP 800-53 R3 references (second mapping column): SC-5, SC-6, SC-7, SC-12, SC-13, SC-14

Security Architecture - Data Integrity

SA-05

Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.

NIST SP800-53 R3 references: SI-10, SI-11, SI-2, SI-2 (2), SI-3, SI-3 (1), SI-3 (2), SI-3 (3), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SI-6, SI-7, SI-7 (1), SI-9
NIST SP 800-53 R3 references (second mapping column): SI-2, SI-3
Security Architecture - Production / Non-Production Environments

SA-06

Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets.

NIST SP800-53 R3 references: SC-2

Security Architecture - Remote User Multi-Factor Authentication

SA-07

Multi-factor authentication is required for all remote user access.

NIST SP800-53 R3 references: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-20, AC-20 (1), AC-20 (2), IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), MA-4, MA-4 (1), MA-4 (2)
NIST SP 800-53 R3 references (second mapping column): AC-17, AC-20, IA-1, IA-2, IA-2 (1), MA-4

Security Architecture - Network Security

SA-08

Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those

NIST SP800-53 R3 references: SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
NIST SP 800-53 R3 references (second mapping column): CM-7, SC-7

Security Architecture - Segmentation

SA-09

System and network environments are separated by firewalls to ensure the following requirements are adhered to:

- Business and customer requirements
- Security requirements
- Compliance with legislative, regulatory, and contractual requirements
- Separation of production and non-production environments
- Preserve protection and isolation of sensitive data

NIST SP800-53 R3 references: AC-4, SC-2, SC-3, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
NIST SP 800-53 R3 references (second mapping column): SC-7
Security Architecture - Wireless Security

SA-10

Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following:

- Perimeter firewalls implemented and configured to restrict unauthorized traffic
- Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).
- Logical and physical user access to wireless network devices restricted to authorized personnel
- The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

NIST SP800-53 R3 references: AC-1, AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), CM-6, CM-6 (1), CM-6 (3), PE-4, SC-3, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
NIST SP 800-53 R3 references (second mapping column): AC-1, AC-18, CM-6, SC-7

Security Architecture - Shared Networks

SA-11

Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network

NIST SP800-53 R3 references: PE-4, SC-4, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
NIST SP 800-53 R3 references (second mapping column): PL-2, SC-1, SC-7

Security Architecture - Clock Synchronization

SA-12

An external accurate, externally agreed upon, time source shall be used to synchronize the system clocks of all relevant information processing systems within the organization or explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Note: specific legal jurisdictions and

NIST SP800-53 R3 references: AU-1, AU-8, AU-8 (1)
NIST SP 800-53 R3 references (second mapping column): AU-1, AU-8

Security Architecture - Equipment Identification

SA-13

Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

NIST SP800-53 R3 references: IA-3, IA-4, IA-4 (4)
NIST SP 800-53 R3 references (second mapping column): IA-4

Security Architecture - Audit Logging / Intrusion Detection

SA-14

Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection

NIST SP800-53 R3 references: AU-1, AU-2, AU-2 (3), AU-2 (4), AU-3, AU-3 (1), AU-4, AU-5, AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1), AU-9, AU-9 (2), AU-11, AU-12, AU-14, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)
NIST SP 800-53 R3 references (second mapping column): AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-9, AU-11, AU-12, PE-2, PE-3
Security Architecture - Mobile Code

SA-15

Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing.

NIST SP800-53 R3 references: SC-18, SC-18 (4)

MODERATE IMPACT LEVEL

[Column of NIST SP 800-53 R3 control references for the moderate impact level, separated during extraction from the control rows they map to.]

NIST SP800-53 R3 CP-2 (1)

NIST SP800-53 R3 CP-2 (2)

NIST SP800-53 R3 CP-3

NIST SP800-53 R3 CP-4

NIST SP800-53 R3 CP-4 (1)

NIST SP800-53 R3 CP-6

NIST SP800-53 R3 CP-6 (1)

NIST SP800-53 R3 CP-6 (3)

NIST SP800-53 R3 CP-7

NIST SP800-53 R3 CP-7 (1)

NIST SP800-53 R3 CP-7 (2)

NIST SP800-53 R3 CP-7 (3)

NIST SP800-53 R3 CP-7 (5)

NIST SP800-53 R3 CP-8

NIST SP800-53 R3 CP-8 (1)

NIST SP800-53 R3 CP-8 (2)

NIST SP800-53 R3 CP-9

NIST SP800-53 R3 CP-9 (1)

NIST SP800-53 R3 CP-9 (3)

NIST SP800-53 R3 CP-10

NIST SP800-53 R3 CP-10 (2)

NIST SP800-53 R3 CP-10 (3)

NIST SP800-53 R3 PE-17

NIST SP800-53 R3 CP-2

NIST SP800-53 R3 CP-2 (1)

NIST SP800-53 R3 CP-2 (2)

NIST SP800-53 R3 CP-3

NIST SP800-53 R3 CP-4

NIST SP800-53 R3 CP-4 (1)

NIST SP800-53 R3 PE-1

NIST SP800-53 R3 PE-13

NIST SP800-53 R3 PE-13 (1)

NIST SP800-53 R3 PE-13 (2)

NIST SP800-53 R3 PE-13 (3)

NIST SP800-53 R3 PE-14

NIST SP800-53 R3 PE-15

NIST SP800-53 R3 PE-18

NIST SP800-53 R3 PE-1

NIST SP800-53 R3 PE-5

NIST SP800-53 R3 PE-14

NIST SP800-53 R3 PE-15

NIST SP800-53 R3 PE-18

NIST SP800-53 R3 CP-8

NIST SP800-53 R3 CP-8 (1)

NIST SP800-53 R3 CP-8 (2)

NIST SP800-53 R3 PE-1

NIST SP800-53 R3 PE-9

NIST SP800-53 R3 PE-10

NIST SP800-53 R3 PE-11

NIST SP800-53 R3 PE-12

NIST SP800-53 R3 PE-13

NIST SP800-53 R3 PE-13 (1)

NIST SP800-53 R3 PE-13 (2)

NIST SP800-53 R3 PE-13 (3)

NIST SP800-53 R3 PE-14

NIST SP800-53 R3 PE-1

NIST SP800-53 R3 PE-4

NIST SP800-53 R3 PE-13

NIST SP800-53 R3 PE-13 (1)

NIST SP800-53 R3 PE-13 (2)

NIST SP800-53 R3 PE-13 (3)

NIST SP 800-53 R3 CA-1

NIST SP 800-53 R3 CA-2

NIST SP 800-53 R3 CA-2 (1)

NIST SP 800-53 R3 CA-5

NIST SP 800-53 R3 CA-6

NIST SP 800-53 R3 AC-1

NIST SP 800-53 R3 AC-2

NIST SP 800-53 R3 AC-3

NIST SP 800-53 R3 AC-11

NIST SP 800-53 R3 AC-11 (1)

NIST SP 800-53 R3 AU-2

NIST SP 800-53 R3 AU-2 (3)

NIST SP 800-53 R3 AU-2 (4)

NIST SP 800-53 R3 AU-11

NIST SP 800-53 R3 IA-1

NIST SP 800-53 R3 IA-2

NIST SP 800-53 R3 IA-2 (1)

NIST SP 800-53 R3 IA-2 (2)

NIST SP 800-53 R3 IA-2 (3)

NIST SP 800-53 R3 IA-2 (8)

NIST SP 800-53 R3 IA-5

NIST SP 800-53 R3 IA-5 (1)

NIST SP 800-53 R3 IA-5 (2)

NIST SP 800-53 R3 IA-5 (3)

NIST SP 800-53 R3 IA-5 (6)

NIST SP 800-53 R3 IA-5 (7)

NIST SP 800-53 R3 IA-6

NIST SP 800-53 R3 IA-8

NIST SP 800-53 R3 SC-10

NIST SP 800-53 R3 AC-1

NIST SP 800-53 R3 AC-4

NIST SP 800-53 R3 SC-1

NIST SP 800-53 R3 SC-8

NIST SP 800-53 R3 SA-8

NIST SP 800-53 R3 SC-2

NIST SP 800-53 R3 SC-4

NIST SP 800-53 R3 SC-5

NIST SP 800-53 R3 SC-6

NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

NIST SP 800-53 R3 SC-8

NIST SP 800-53 R3 SC-8 (1)

NIST SP 800-53 R3 SC-9

NIST SP 800-53 R3 SC-9 (1)

NIST SP 800-53 R3 SC-10

NIST SP 800-53 R3 SC-11

NIST SP 800-53 R3 SC-12

NIST SP 800-53 R3 SC-12 (2)

NIST SP 800-53 R3 SC-12 (5)

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-13 (1)

NIST SP 800-53 R3 SC-14

NIST SP 800-53 R3 SC-17

NIST SP 800-53 R3 SC-18

NIST SP 800-53 R3 SI-2

NIST SP 800-53 R3 SI-2 (2)

NIST SP 800-53 R3 SI-3

NIST SP 800-53 R3 SI-3 (1)

NIST SP 800-53 R3 SI-3 (2)

NIST SP 800-53 R3 SI-3 (3)

NIST SP 800-53 R3 SI-4

NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

NIST SP 800-53 R3 SI-4 (5)

NIST SP 800-53 R3 SI-4 (6)

NIST SP 800-53 R3 SI-6

NIST SP 800-53 R3 SI-7

NIST SP 800-53 R3 SI-7 (1)

NIST SP 800-53 R3 SI-9

NIST SP 800-53 R3 SI-10

NIST SP 800-53 R3 SI-11

NIST SP 800-53 R3 SC-2

NIST SP 800-53 R3 AC-17

NIST SP 800-53 R3 AC-17 (1)

NIST SP 800-53 R3 AC-17 (2)

NIST SP 800-53 R3 AC-17 (3)

NIST SP 800-53 R3 AC-17 (4)

NIST SP 800-53 R3 AC-17 (5)

NIST SP 800-53 R3 AC-17 (7)

NIST SP 800-53 R3 AC-17 (8)

NIST SP 800-53 R3 AC-20

NIST SP 800-53 R3 AC-20 (1)

NIST SP 800-53 R3 AC-20 (2)

NIST SP 800-53 R3 IA-1

NIST SP 800-53 R3 IA-2

NIST SP 800-53 R3 IA-2 (1)

NIST SP 800-53 R3 IA-2 (2)

NIST SP 800-53 R3 IA-2 (3)

NIST SP 800-53 R3 IA-2 (8)

NIST SP 800-53 R3 MA-4

NIST SP 800-53 R3 MA-4 (1)

NIST SP 800-53 R3 MA-4 (2)

NIST SP 800-53 R3 CM-7

NIST SP 800-53 R3 CM-7 (1)

NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)


NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 AC-4

NIST SP 800-53 R3 SC-2

NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

NIST SP 800-53 R3 AC-1

NIST SP 800-53 R3 AC-18

NIST SP 800-53 R3 AC-18 (1)

NIST SP 800-53 R3 AC-18 (2)

NIST SP 800-53 R3 CM-6

NIST SP 800-53 R3 CM-6 (1)

NIST SP 800-53 R3 CM-6 (3)

NIST SP 800-53 R3 PE-4

NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

NIST SP 800-53 R3 PE-4

NIST SP 800-53 R3 PL-2

NIST SP 800-53 R3 SC-1

NIST SP 800-53 R3 SC-4

NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)


NIST SP 800-53 R3 SC-7 (18)

NIST SP 800-53 R3 AU-1

NIST SP 800-53 R3 AU-8

NIST SP 800-53 R3 AU-8 (1)

NIST SP 800-53 R3 IA-3

NIST SP 800-53 R3 IA-4

NIST SP 800-53 R3 IA-4 (4)

NIST SP 800-53 R3 AU-1

NIST SP 800-53 R3 AU-2

NIST SP 800-53 R3 AU-2 (3)

NIST SP 800-53 R3 AU-2 (4)

NIST SP 800-53 R3 AU-3

NIST SP 800-53 R3 AU-3 (1)

NIST SP 800-53 R3 AU-4

NIST SP 800-53 R3 AU-5

NIST SP 800-53 R3 AU-6

NIST SP 800-53 R3 AU-6 (1)

NIST SP 800-53 R3 AU-6 (3)

NIST SP 800-53 R3 AU-7

NIST SP 800-53 R3 AU-7 (1)

NIST SP 800-53 R3 AU-9

NIST SP 800-53 R3 AU-11

NIST SP 800-53 R3 AU-12

NIST SP 800-53 R3 PE-2

NIST SP 800-53 R3 PE-3

NIST SP 800-53 R3 SI-4

NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

NIST SP 800-53 R3 SI-4 (5)

NIST SP 800-53 R3 SI-4 (6)

NIST SP 800-53 R3 SC-18

Control Area / CID / Control Specification (CCM v1.2) / CCM v1.2 FedRAMP Draft Release Mappings / CCM v1.3 FedRAMP Final Release (Jan 2012) Revised Mappings, LOW IMPACT LEVEL / CCM v1.3 FedRAMP Final Release (Jan 2012) Revised Mappings, MODERATE IMPACT LEVEL

Column labels used below: "v1.2 Draft" is the CCM v1.2 FedRAMP Draft Release mapping; "v1.3 Final LOW" and "v1.3 Final MODERATE" are the CCM v1.3 FedRAMP Final Release (Jan 2012) revised mappings at the LOW and MODERATE impact levels. All references are to NIST SP 800-53 R3. Where the export ran the LOW and MODERATE columns together, the split below follows the two-column and single-column rows as they appear in the export.

Compliance - Audit Planning
CO-01
Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.
v1.2 Draft: CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6
v1.3 Final LOW: CA-2, CA-2 (1), CA-7
v1.3 Final MODERATE: CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6

Compliance - Independent Audits
CO-02
Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).
v1.2 Draft: CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)
v1.3 Final LOW: CA-1, CA-2, CA-2 (1), CA-6, RA-5
v1.3 Final MODERATE: CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)

Compliance - Third Party Audits
CO-03
Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
v1.2 Draft: CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
v1.3 Final LOW: CA-3, SA-9, SC-7
v1.3 Final MODERATE: CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Compliance - Contact / Authority Maintenance
CO-04
Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. Data, objects, applications, infrastructure and hardware may be assigned legislative domain and jurisdiction to facilitate proper compliance points of contact.
v1.2 Draft: AT-5, IR-6, IR-6 (1), SI-5
v1.3 Final LOW: IR-6, SI-5
v1.3 Final MODERATE: IR-6, IR-6 (1), SI-5

Compliance - Information System Regulatory Mapping
CO-05
Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements, and adapt to new mandates, shall be explicitly defined, documented, and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.
v1.2 Draft: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1
v1.3 Final LOW: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
v1.3 Final MODERATE: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1

Compliance - Intellectual Property
CO-06
Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.
v1.2 Draft: SA-6, SA-7
v1.3 Final LOW: SA-6, SA-7
v1.3 Final MODERATE: SA-6, SA-7

Data Governance - Ownership / Stewardship
DG-01
All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.
v1.2 Draft: CA-2, CA-2 (1), PM-5, PS-2, RA-2, SA-2
v1.3 Final LOW: CA-2, CA-2 (1), PS-2, RA-2, SA-2
v1.3 Final MODERATE: CA-2, CA-2 (1), PS-2, RA-2, SA-2

Data Governance - Classification
DG-02
Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
v1.2 Draft: RA-2
v1.3 Final LOW: RA-2
v1.3 Final MODERATE: RA-2

Data Governance - Handling / Labeling / Security Policy
DG-03
Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
v1.2 Draft: AC-4, AC-16, MP-1, MP-3, PE-16, SC-9, SC-9 (1), SI-12
v1.3 Final LOW: AC-1, AC-4, MP-1, PE-1, PE-16, SI-1, SI-12
v1.3 Final MODERATE: AC-1, AC-16, MP-1, MP-3, PE-16, SC-9, SC-9 (1), SI-1, SI-12

Data Governance - Retention Policy
DG-04
Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.
v1.2 Draft: AU-11, CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3), SI-12
v1.3 Final LOW: CP-2, CP-9
v1.3 Final MODERATE: CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3)

Data Governance - Secure Disposal
DG-05
Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
v1.2 Draft: MP-6, MP-6 (4)
v1.3 Final LOW: MP-6
v1.3 Final MODERATE: MP-6, MP-6 (4)

Data Governance - Non-Production Data
DG-06
Production data shall not be replicated or used in non-production environments.
v1.2 Draft: PE-1, SA-11, SA-11 (1), CM-4
v1.3 Final LOW: PE-1
v1.3 Final MODERATE: PE-1, SA-11, SA-11 (1)

Data Governance - Information Leakage
DG-07
Security mechanisms shall be implemented to prevent data leakage.
v1.2 Draft: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-4, AC-6, AC-6 (1), AC-6 (2), AC-11, AC-11 (1), AU-13, PE-19, SC-28, SC-28 (1), SA-8, SI-7, SI-7 (1)
v1.3 Final LOW: AC-1, AC-2, AC-3
v1.3 Final MODERATE: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-4, AC-6, AC-6 (1), AC-6 (2), AC-11, AC-11 (1), SA-8, SC-28, SI-7, SI-7 (1)

Data Governance - Risk Assessments
DG-08
Risk assessments associated with data governance requirements shall be conducted at planned intervals considering the following (the export preserves only fragments of the bullet text; the leading words of each bullet are missing):
- … where sensitive data is stored and transmitted across applications, databases, servers and …
- … with defined retention periods and end-of-life disposition …
- … and protection from unauthorized use, access, loss, destruction …
v1.2 Draft: CA-3, RA-2, RA-3, MP-8, PM-9, SI-12
v1.3 Final LOW: CA-3, RA-2, RA-3, SI-12
v1.3 Final MODERATE: CA-3, RA-2, RA-3, SI-12

Facility Security - Policy
FS-01
Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.
v1.2 Draft: CA-2, CA-2 (1), PE-1, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8
v1.3 Final LOW: CA-2, CA-2 (1), PE-1, PE-6, PE-7, PE-8
v1.3 Final MODERATE: CA-2, CA-2 (1), PE-1, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8

Facility Security - User Access
FS-02
Physical access to information assets and functions by users and support personnel shall be restricted.
v1.2 Draft: PE-2, PE-2 (1), PE-3, PE-4, PE-5, PE-6, PE-6 (1)
v1.3 Final LOW: PE-2, PE-3, PE-6
v1.3 Final MODERATE: PE-2, PE-3, PE-4, PE-5, PE-6, PE-6 (1)

Facility Security - Controlled Access Points
FS-03
Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
v1.2 Draft: PE-2, PE-2 (1), PE-3, PE-6, PE-6 (1), PE-18
v1.3 Final LOW: PE-2, PE-3, PE-6
v1.3 Final MODERATE: PE-2, PE-3, PE-6, PE-6 (1), PE-18

Facility Security - Secure Area Authorization
FS-04
Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
v1.2 Draft: PE-2, PE-2 (1), PE-3, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8, PE-18
v1.3 Final LOW: PE-2, PE-3, PE-6, PE-7, PE-8
v1.3 Final MODERATE: PE-2, PE-3, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8, PE-18

Facility Security - Unauthorized Persons Entry
FS-05
Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise and loss.
v1.2 Draft: PE-7, PE-7 (1), PE-16, PE-18
v1.3 Final LOW: PE-7, PE-16
v1.3 Final MODERATE: PE-7, PE-7 (1), PE-16, PE-18

Facility Security - Offsite Authorization
FS-06
Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.
v1.2 Draft: MA-1, MA-2, MA-2 (1), PE-16
v1.3 Final LOW: MA-1, MA-2, PE-16
v1.3 Final MODERATE: MA-1, MA-2, MA-2 (1), PE-16

Facility Security - Off-Site Equipment
FS-07
Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise.
v1.2 Draft: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), MA-1, PE-1, PE-16, PE-17
v1.3 Final LOW: AC-17, MA-1, PE-1, PE-16
v1.3 Final MODERATE: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), MA-1, PE-1, PE-16, PE-17

Facility Security - Asset Management
FS-08
A complete inventory of critical assets shall be maintained with ownership defined and documented.
v1.2 Draft: CM-8, CM-8 (1), CM-8 (3), CM-8 (5)
v1.3 Final LOW: CM-8
v1.3 Final MODERATE: CM-8, CM-8 (1), CM-8 (3), CM-8 (5)

Human Resources Security - Background Screening
HR-01
Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.
v1.2 Draft: PS-2, PS-3
v1.3 Final LOW: PS-2, PS-3
v1.3 Final MODERATE: PS-2, PS-3

Human Resources Security - Employment Agreements
HR-02
Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and tenants and/or customers shall contractually agree and sign equivalent terms and conditions regarding information security responsibilities in employment or service contract.
v1.2 Draft: PL-4, PS-6, PS-7
v1.3 Final LOW: PS-1, PS-2, PS-6, PS-7
v1.3 Final MODERATE: PS-1, PS-2, PS-6, PS-7

Human Resources Security - Employment Termination
HR-03
Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.
v1.2 Draft: PS-4, PS-5
v1.3 Final LOW: PS-2, PS-4, PS-5, PS-6, PS-8
v1.3 Final MODERATE: PS-2, PS-4, PS-5, PS-6, PS-8

Information Security - Management Program
IS-01
[…] documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas:
- Risk management
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
v1.2 Draft: PM-1, PM-2, PM-3, PM-4, PM-5, PM-6, PM-7, PM-8, PM-9, PM-10, PM-11
v1.3 Final LOW: (none listed)
v1.3 Final MODERATE: (none listed)

Information Security - Management Support / Involvement
IS-02
Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution.
v1.2 Draft: CM-1, PM-1, PM-11
v1.3 Final LOW: CM-1
v1.3 Final MODERATE: CM-1

Information Security - Policy
IS-03
Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security policy shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles.
v1.2 Draft: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
v1.3 Final LOW: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
v1.3 Final MODERATE: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1

Information Security - Baseline Requirements
IS-04
Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
v1.2 Draft: CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
v1.3 Final LOW: CM-2, SA-2, SA-4
v1.3 Final MODERATE: CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)

Information Security - Policy Reviews
IS-05
Management shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy.
v1.2 Draft: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, SA-1, SC-1, SI-1
v1.3 Final LOW: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
v1.3 Final MODERATE: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1

Information Security - Policy Enforcement
IS-06
A formal disciplinary or sanction policy shall be established for employees who have violated security
v1.3 Final LOW: PL-4
v1.3 Final MODERATE: PL-4
policies NIST
and
SP800procedur 53 R3
es.
PL-4
Employe
es shall
be made
aware of
what
action
might be
taken in
the
event of
a
violation
and
stated as NIST
such in SP800the
53 R3
policies PS-1
NIST
and
SP800procedur 53 R3
es.
PS-8

NIST SP NIST SP
800-53 800-53
R3 PS-1 R3 PS-1
NIST SP NIST SP
800-53 800-53
R3 PS-8 R3 PS-8

Informati
on
Security
IS-07
User
Access
Policy

User
access
policies
and
procedur
es shall
be
documen
ted,
approve
d and
impleme
nted for
granting
and
revoking
normal
and
privilege NIST
NIST SP
d access SP800- 800-53
53 R3
to
R3 AC-1
applicati AC-1
ons,
database
s, and
server
and
network
infrastru
cture in
accordan
ce with
business
,
security,
complian
ce and
service NIST
NIST SP
SP800level
800-53
agreeme 53 R3 IAR3 IA-1
1
nt (SLA) NIST
requirem SP800- NIST SP
800-53
ents.
53 R3
R3 AC-3
AC-3
NIST
NIST SP
SP800800-53
53 R3
R3 IA-2
AC-3 (3)
NIST
NIST SP
SP800- 800-53
53 R3
R3 IA-2
AC-5
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 IA-4
AC-6
NIST
NIST SP
SP800800-53
53 R3
R3 IA-5
AC-6 (1)

NIST SP
800-53
R3 AC-1

NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 AC-3
NIST SP
800-53
R3 AC-3
(3)
NIST SP
800-53
R3 AC-5
NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)

Informati
on
Security
User
Access IS-08
Restricti
on /
Authoriz
ation

NIST
NIST SP
SP800- 800-53
53 R3
R3 IA-5
AC-6 (2) (1)
NIST
NIST SP
SP800800-53
53 R3 IAR3 IA-8
2
NIST
NIST SP
Normal SP800- 800-53
53 R3 IAand
R3 MA-5
(1)
privilege 2
NIST
NIST SP
d user
SP800access 53 R3 IA- 800-53
R3 PS-6
to
2
(2)
NIST
NIST SP
applicati
SP800800-53
ons,
53 R3 IAR3 SA-7
systems,
2 (3)
database NIST
SP800s,
network 53 R3 IA(8)
NIST
configur 2
ations, SP80053 R3 IAand
4
sensitive NIST
data and SP800functions 53 R3 IAshall be 4 (4)
NIST
restricte
SP800d and
53 R3 IAapprove
5
NIST
d by
manage SP80053 R3 IAment
(1)
prior to 5
NIST
access SP800granted. 53 R3 IA5
(2)
NIST
SP80053 R3 IA5
(3)
NIST
SP80053 R3 IA5
(6)
NIST
SP80053 R3 IA5 (7)
NIST
SP80053 R3 IA8
NIST
SP80053 R3
MA-5
NIST
SP80053 R3
PS-6

NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 IA-2
NIST SP
800-53
R3 IA-2
(1)
NIST SP
800-53
R3 IA-2
(2)
NIST SP
800-53
R3 IA-2
(3)
NIST SP
800-53
R3 IA-2
(8)
NIST SP
800-53
R3 IA-4
NIST SP
800-53
R3 IA-4
(4)
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 IA-5
(1)
NIST SP
800-53
R3 IA-5
(2)
NIST SP
800-53
R3 IA-5
(3)
NIST SP
800-53
R3 IA-5
(6)
NIST SP
800-53
R3 IA-5
(7)
NIST SP
800-53
R3 IA-8
NIST SP
800-53
R3 MA-5
NIST SP
800-53
R3 PS-6

NIST
SP80053 R3
SA-7
NIST

Informati
on
Security
User
IS-09
Access
Revocati
on

Timely
SP800deprovisi 53 R3 SIoning,
9
revocatio
n or
modifica
tion of
user
access
to the
organiza
tions
systems,
informati NIST
on
SP800assets
53 R3
and data AC-2
shall be
impleme
nted
upon
any
change
in status
of
employe
es,
contract
NIST
ors,
custome SP80053 R3
rs,
business AC-2 (1)
partners NIST
or third SP800parties. 53 R3
Any
AC-2 (2)
change
in status NIST
SP800is
intended 53 R3
AC-2 (3)
to
include NIST
terminati SP800on of
53 R3
employ AC-2 (4)
ment,
NIST
contract SP800or
53 R3
agreeme AC-2 (7)
nt,
NIST
change SP800of
53 R3
employ PS-4
ment or
transfer
within
the
organiza
tion.

NIST SP
800-53
R3 SA-7
NIST SP
800-53
R3 SI-9

NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2

NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-4
(1)
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-5
(2)
NIST SP
800-53
R3 AC-2
(3)
NIST SP
800-53
R3 AC-2
(4)
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 PS-4

agreeme
nt,
change
of
employ
ment or
transfer
within
the
organiza
tion.

Informati
on
Security
IS-10
User
Access
Reviews

NIST
SP80053 R3
PS-5
NIST
SP80053 R3
AC-2
NIST
SP80053 R3
AC-2 (1)

NIST
All levels SP800of user 53 R3
access AC-2 (2)
shall be NIST
reviewed SP800by
53 R3
manage AC-2 (3)
ment at
planned NIST
intervals SP80053 R3
and
documen AC-2 (4)
ted. For NIST
access SP800violation 53 R3
AC-2 (7)
s
identifie NIST
SP800d,
remediat 53 R3
ion must AU-6
NIST
follow
SP800documen
53 R3
ted
AU-6 (1)
access
control NIST
policies SP80053 R3
and
procedur AU-6 (3)
NIST
es.
SP80053 R3
PM-10
NIST
SP80053 R3
PS-6
NIST
SP80053 R3
PS-7

NIST SP
800-53
R3 PS-5
NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 AU-6
(1)
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-6
(2)
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-7
(3)
NIST SP
800-53
R3 AC-2
(4)
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 AU-6
NIST SP
800-53
R3 AU-6
(1)
NIST SP
800-53
R3 AU-6
(3)
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-7

Informati
on
Security

IS-11
Training /
Awarene
ss

A
security
awarene
ss
training
program
shall be
establish
ed for all
contract
ors, third
party
users
and
employe
es of the
organiza
tion and
mandate
d when
appropri NIST
ate. All SP800individua 53 R3
ls with
AT-1
access
to
organiza
tional
data
shall
receive
appropri
ate
awarene
ss
training
and
regular
updates
in
NIST
organiza SP800tional
53 R3
procedur AT-2
NIST
es,
SP800process
53 R3
and
AT-3
policies, NIST
relating SP800to their 53 R3
function AT-4
relative
to the
organiza
tion.

NIST SP
800-53
R3 AT-1

NIST SP
800-53
R3 AT-1

NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3

NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3

NIST SP
800-53
R3 AT-4

NIST SP
800-53
R3 AT-4

Informati
on
Security

Industry IS-12
Knowled
ge /
Benchm
arking

Informati
on
Security
IS-13
Roles /
Responsi
bilities

Informati
on
Security

IS-14
Manage
ment
Oversigh
t

Industry
security
knowled
ge and
benchma
rking
through
networki NIST
SP800ng,
specialis 53 R3
AT-5
t
security
forums,
and
professio
nal
associati
ons shall
NIST
be
maintain SP80053 R3 SIed.
Roles
5
NIST
and
SP800responsi 53 R3
bilities of AT-3
NIST
contract
SP800ors,
53 R3
employe
PL-4
NIST
es and
SP800third
53 R3
party
PM-10
users
NIST
shall be SP800documen 53 R3
ted as
PS-1
NIST
they
SP800relate to 53 R3
informati PS-6
NIST
on
SP800assets
53 R3
and
NIST
security. PS-7
SP80053 R3
Manager AT-2
NIST
s are
SP800responsi 53 R3
ble for
AT-3
NIST
maintain
SP800ing
53 R3
awarene
CA-1
ss of and NIST
complyin SP80053 R3
g with
security CA-5
NIST
policies, SP800procedur 53 R3
es and
CA-6
standard
s that
are
relevant
to their

NIST SP
800-53
R3 SI-5

NIST SP
800-53
R3 SI-5

NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-7

NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-7

NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-4
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-5

NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-4
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-5

Security

IS-14
Manage
ment
Oversigh
t

Informati
on
Security

IS-15
Segregat
ion of
Duties

g with
security
policies,
procedur
es and
standard
s that
are
relevant
to their
area of
responsi
bility.

NIST
SP80053 R3
CA-7
NIST
SP80053 R3
CA-7 (2)
NIST
SP80053 R3
PM-10
NIST

NIST SP NIST SP
800-53 800-53
R3 CA-6 R3 CA-6
NIST SP NIST SP
800-53 800-53
R3 CA-7 R3 CA-7
NIST SP
800-53
R3 CA-7
(2)
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2

SP80053 R3
AC-1
NIST
SP80053 R3
AC-2
NIST
NIST SP
SP800800-53
53 R3
R3 AU-1
AC-2 (1)

NIST SP
800-53
R3 AC-2
(1)

NIST
NIST SP
SP800800-53
53 R3
R3 AU-2
AC-2 (2)

NIST SP
800-53
R3 AC-2
(2)

NIST
Policies, SP800- NIST SP
800-53
process 53 R3
R3 AU-6
and
AC-2 (3)
procedur
NIST
es shall
SP800be
53 R3
impleme
AC-2 (4)
nted to
enforce NIST
SP800and
53 R3
assure
AC-2 (7)
proper
segregat NIST
SP800ion of
duties. In 53 R3
AC-5
NIST
those
events SP80053 R3
where
user-role AC-6
conflict- NIST
SP800ofinterest 53 R3
constrain AC-6 (1)
ts exist, NIST
technical SP800controls 53 R3
shall be AC-6 (2)
in place NIST
SP800to
mitigate 53 R3
any risks AU-1
arising
from
unauthor
ized or
unintenti

NIST SP
800-53
R3 AC-2
(3)
NIST SP
800-53
R3 AC-2
(4)
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 AC-5
NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)
NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 AU-1

Duties

shall be
in place
to
mitigate
any risks
arising
from
unauthor
ized or
unintenti
onal
modifica
tion or
misuse
of the
organiza
tion's
informati
on
assets.

Users
shall be
made
aware of
their
responsi
bilities
for:

Informati

NIST
SP80053 R3
AU-6
NIST
SP80053 R3
AU-6 (1)

NIST SP
800-53
R3 AU-2
NIST SP
800-53
R3 AU-6

NIST
SP80053 R3
AU-6 (3)
NIST
SP80053 R3 SI1
NIST
SP80053 R3 SI4
NIST
SP80053 R3 SI4
(2)
NIST
SP80053 R3 SI4
(4)
NIST
SP80053 R3 SI4
(5)
NIST

NIST SP
800-53
R3 AU-6
(1)
NIST SP
800-53
R3 AU-6
(3)
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP

SP80053 R3 SI4 (6)

800-53
R3 SI-4
(6)

NIST
SP80053 R3
AT-2

NIST SP
800-53
R3 AT-2

NIST SP
800-53
R3 AT-2

Informati
on
Security
IS-16
User
Responsi
bility

an
d
co
mp
lia
nc
e
wit
h
pu
bli
sh
ed
se
cur NIST
ity SP800pol 53 R3
ici AT-3
es,
pro
ce
dur
es,
sta
nd
ard
s
an
d
ap
pli
ca
ain
ing
a
saf
e
an NIST
d SP800se 53 R3
cur AT-4
e
wo
rki
ng
en
vir

NIST SP
800-53
R3 AT-3

NIST SP
800-53
R3 AT-3

NIST SP
800-53
R3 AT-4

NIST SP
800-53
R3 AT-4

Informati
on
Security
IS-17

Workspa
ce

ng
un
att
en
de
d NIST
eq SP800uip 53 R3
me PL-4
nt
in
a
se
Policies
cur
and
NIST
procedur
SP800es shall
53 R3
be
AC-11
establish
NIST
ed for
clearing SP80053 R3
visible
documen AC-11
(1)
ts
NIST
containin SP800g
53 R3
sensitive MP-2
data
NIST
when a SP800workspa 53 R3
ce is
MP-2 (1)
unattend NIST
ed and SP800enforce 53 R3
ment of MP-3
NIST
workstati SP800on
53 R3
session MP-4
NIST
logout
SP800for a
period of 53 R3
inactivity MP-4 (1)
NIST
.
SP80053 R3
AC-18
NIST
SP80053 R3
AC-18
(1)
NIST

NIST SP
800-53
R3 PL-4

NIST SP
800-53
R3 PL-4

NIST SP
NIST SP
800-53
800-53
R3 ACR3 MP-1
11
NIST SP NIST SP
800-53 800-53
R3 MP-2 R3 MP-1
NIST SP
800-53
R3 MP-2
NIST SP
800-53
R3 MP-2
(1)
NIST SP
800-53
R3 MP-3
NIST SP
800-53
R3 MP-4
NIST SP
800-53
R3 MP-4
(1)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 AC-1
18
NIST SP NIST SP
800-53 800-53
R3 AC- R3 AC18
18 (1)
NIST SP
800-53
R3 AC18 (2)

SP80053 R3
AC-18
(2)
NIST

NIST SP
800-53
R3 IA-7

SP80053 R3
AC-18
(3)

NIST SP NIST SP
800-53 800-53
R3 SC-1 R3 IA-7

NIST
SP80053 R3
AC-18
(4)
NIST
SP80053 R3
AC-18
(5)
NIST
SP80053 R3 IA3
NIST
SP80053 R3 IA7
NIST
SP80053 R3
SC-7
NIST
SP80053 R3
SC-7 (1)

Informati
on
Security
IS-18

Encrypti
on

Policies
and
procedur NIST
es shall SP800be
53 R3
establish SC-7 (2)
ed and
mechani NIST
SP800sms
impleme 53 R3
nted for SC-7 (3)
encrypti NIST
ng
SP800sensitive 53 R3
data in SC-7 (4)
storage NIST
(e.g., file SP800servers, 53 R3
database SC-7 (5)
s, and
end-user NIST
workstati SP800ons) and 53 R3
data in SC-7 (7)
transmis NIST
sion
SP800(e.g.,
53 R3
system SC-7 (8)
interface NIST
s, over SP80053 R3
public
networks SC-7
(12)
, and
NIST
electroni SP800c
53 R3
messagi SC-7
ng).
(13)

NIST SP NIST SP
800-53 800-53
R3 SC-7 R3 SC-7
NIST SP
NIST SP
800-53
800-53
R3 SC-7
R3 SC-13
(4)
NIST SP
800-53
R3 SC-8
NIST SP
800-53
R3 SC-8
(1)
NIST SP
800-53
R3 SC-9
NIST SP
800-53
R3 SC-9
(1)
NIST SP
800-53
R3 SC-13
NIST SP
800-53
R3 SC-13
(1)
NIST SP
800-53
R3 SC-23
NIST SP
800-53
R3 SC-28
NIST SP
800-53
R3 SI-8

, and
electroni
c
messagi
ng).

NIST
SP80053 R3
SC-7
(18)
NIST
SP80053 R3
SC-8
NIST
SP80053 R3
SC-8 (1)
NIST
SP80053 R3
SC-9
NIST
SP80053 R3
SC-9 (1)
NIST
SP80053 R3
SC-13
NIST
SP80053 R3
SC-13
(1)
NIST
SP80053 R3
SC-16
NIST
SP80053 R3
SC-23
NIST
SP80053 R3 SI8
NIST

Informati
on
Security

IS-19
Encrypti
on Key
Manage
ment

Policies
and
procedur
es shall
be
establish
ed and
mechani
sms
impleme
nted for
effective
key
manage
ment to
support
encrypti
on of
data in
storage
and in
transmis

SP80053 R3
SC-12
NIST
SP80053 R3
SC-12
(2)
NIST
SP80053 R3
SC-12
(5)
NIST
SP80053 R3
SC-13
NIST
SP80053 R3
SC-13
(1)

NIST SP NIST SP
800-53 800-53
R3 SC-12 R3 SC-12
NIST SP
NIST SP
800-53
800-53
R3 SC-12
R3 SC-13
(2)
NIST SP
800-53
R3 SC-12
(5)
NIST SP
800-53
R3 SC-13
NIST SP
800-53
R3 SC-13
(1)


IS-19
Encrypti
on Key
Manage
ment

effective
key
manage
ment to
support
encrypti
on of
data in
storage
and in
transmis
sion.

NIST
SP80053 R3
SC-17
NIST
SP80053 R3
SC-28
NIST
SP80053 R3
SC-28
(1)
NIST

Informati
on
Security

Vulnerab IS-20
ility /
Patch
Manage
ment

SP80053 R3
CM-3
NIST
SP80053 R3
CM-3 (2)
NIST
SP800Policies 53 R3
CM-4
NIST
and
procedur SP800es shall 53 R3
CP-10
be
NIST
establish SP800ed and 53 R3
mechani CP-10
sm
(2)
NIST
impleme
SP800nted for
53 R3
vulnerab
CP-10
ility and
(3)
NIST
patch
manage SP80053 R3
ment,
ensuring RA-5
NIST
that
applicati SP80053 R3
on,
system, RA-5 (1)
and
NIST
network SP800device
53 R3
vulnerab RA-5 (2)
ilities are NIST
evaluate SP800d and
53 R3
vendor- RA-5 (3)
supplied
security NIST
patches SP800applied 53 R3
RA-5 (9)
in a
timely
manner
taking a
riskbased
approac
h for
prioritizi

NIST SP
800-53
R3 SC-17

NIST SP NIST SP
800-53 800-53
R3 CM-4 R3 CM-3
NIST SP
800-53
R3 CM-3
(2)
NIST SP
800-53
R3 RA-5
NIST SP
800-53
R3 SI-1

NIST SP
800-53
R3 CM-4
NIST SP
800-53
R3 RA-5

NIST SP
800-53
R3 SI-2

NIST SP
800-53
R3 RA-5
(1)

NIST SP
800-53
R3 SI-5

NIST SP
800-53
R3 RA-5
(2)
NIST SP
800-53
R3 RA-5
(3)
NIST SP
800-53
R3 RA-5
(6)
NIST SP
800-53
R3 RA-5
(9)
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 SI-2

supplied
security
patches
applied
in a
timely
manner
taking a
riskbased
approac
h for
prioritizi
ng
critical
patches.

NIST
SP80053 R3
RA-5 (6)
NIST
SP80053 R3
SA-7
NIST
SP80053 R3 SI1
NIST
SP80053 R3 SI2
NIST
SP80053 R3 SI2
(2)
NIST
SP80053 R3 SI5
NIST

Informati
on
Security
AntiIS-21
Virus /
Malicious
Software

NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-5

NIST SP
800-53
R3 SC-5
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-5

NIST SP
800-53
R3 SC-5
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-3
(1)
NIST SP
800-53
R3 SI-3
(2)
NIST SP
800-53
R3 SI-3
(3)
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)
NIST SP
800-53
R3 SI-8

NIST SP
SP800800-53
53 R3 IRR3 IR-1
1

NIST SP
800-53
R3 IR-1

SP800Ensure 53 R3
that all SA-7
NIST
antivirus SP800program 53 R3
s are
SC-5
NIST
capable SP800of
53 R3 SIdetectin 3
NIST
g,
SP800removin
53 R3 SIg, and
3 (1)
protectin NIST
g against SP80053 R3 SIall
3
(2)
known
NIST
types of SP800maliciou 53 R3 SIs or
3 (3)
NIST
unauthor SP800ized
53 R3 SIsoftware 5
NIST
with
antivirus SP800signatur 53 R3 SI7
NIST
e
updates SP800at least 53 R3 SI(1)
every 12 7
NIST
hours.
SP80053 R3 SI8
NIST

Policies
and

NIST SP
800-53
R3 SI-2
(2)

Informati
on
Security

IS-22
Incident
Manage
ment

Informati
on
Security

IS-23
Incident
Reportin
g

Policies
and
procedur
es shall
be
establish
ed to
triage
security
related
events
and
ensure
timely
and
thorough
incident
manage
ment.

NIST
SP80053 R3 IR2
NIST
SP80053 R3 IR3
NIST
SP80053 R3 IR4
NIST
SP80053 R3 IR4
(1)
NIST
SP80053 R3 IR5
NIST
SP80053 R3 IR7
NIST
SP80053 R3 IR7
(1)
NIST
SP80053 R3 IR7
(2)
NIST

SP80053 R3 IRContract
8
ors,
employe
es and
third
NIST
party
SP800users
53 R3 IRshall be 2
made
aware of
their
NIST
responsi
SP800bility to
53 R3 IRreport all
6
informati NIST
SP800on
security 53 R3 IR(1)
events in 6
NIST
a timely SP800manner. 53 R3 IRInformati 7
NIST
on
SP800security 53 R3 IRevents 7 (1)
NIST
shall be
SP800reported
53 R3 IRthrough
7 (2)
predefin
ed
communi
cations
channels
in a
prompt

NIST SP
800-53
R3 IR-2

NIST SP
800-53
R3 IR-4
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-7

NIST SP
800-53
R3 IR-2
NIST SP
800-53
R3 IR-3
NIST SP
800-53
R3 IR-4
NIST SP
800-53
R3 IR-4
(1)
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-7
(1)
NIST SP
800-53
R3 IR-7
(2)
NIST SP
800-53
R3 IR-8

NIST SP
800-53
R3 IR-2

NIST SP
800-53
R3 IR-2

NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 SI-5

NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-6
(1)
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-7
(1)
NIST SP
800-53
R3 IR-7
(2)

Security

IS-23
Incident
Reportin
g

Informati
on
Security

Incident IS-24
Respons
e Legal
Preparati
on

security
events
shall be
reported
through
predefin NIST
SP800ed
communi 53 R3 SIcations 4
NIST
channels SP800in a
53 R3 SIprompt NIST
4 (2)
and
SP800expedien 53 R3 SIt manner 4 (4)
NIST
in
complian SP800ce with 53 R3 SI(5)
NIST
statutory 4
SP800,
regulator 53 R3 SI4
(6)
y and
NIST
contract SP800ual
53 R3 SIrequirem 5
NIST
ents.
SP80053 R3
AU-6
NIST
SP80053 R3
AU-6 (1)
NIST
SP800In the
event a 53 R3
follow-up AU-6 (3)
NIST
action
SP800concerni
53 R3
ng a
AU-7
person NIST
or
SP800organiza 53 R3
tion after AU-7 (1)
an
NIST
informati SP800on
53 R3
security AU-9
incident NIST
requires SP80053 R3
legal
AU-9 (2)
action
NIST
proper
forensic SP800procedur 53 R3
AU-11
es
NIST
including SP800chain of 53 R3 IRcustody 5
NIST
shall be SP800required 53 R3 IRfor
7
collectio
n,
retention
, and
presenta
tion of

NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2) SP
NIST
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 SI-5
NIST SP NIST SP
800-53 800-53
R3 AU-6 R3 AU-6
NIST SP
NIST SP
800-53
800-53
R3 AU-6
R3 AU-9
(1)
NIST SP
800-53
R3 AU11

NIST SP
800-53
R3 AU-6
(3)

NIST SP
800-53
R3 IR-5

NIST SP
800-53
R3 AU-7

NIST SP
800-53
R3 IR-7

NIST SP
800-53
R3 AU-7
(1)

NIST SP
800-53
R3 IR-8

NIST SP
800-53
R3 AU-9
NIST SP
800-53
R3 AU-9
(2)
NIST SP
800-53
R3 AU10
NIST SP
800-53
R3 AU10
(5)SP
NIST
800-53
R3 AU11

Respons
e Legal
Preparati
on

Informati
on
Security

IS-25
Incident
Respons
e Metrics

Informati
on
Security
IS-26

Acceptab
le Use

chain of
custody
shall be
required
for
NIST
collectio
SP800n,
53 R3 IRretention
7
(1)
NIST
, and
presenta SP80053 R3 IRtion of
7 (2)
evidence NIST
to
SP800support 53 R3 IRpotential 8
legal
action
subject
to the
relevant
jurisdicti
on.

Mechani
sms
shall be
put in
place to
monitor
and
quantify
the
types,
volumes,
and
costs of
informati
on
security
incidents
.

NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-7
(1)
NIST SP
800-53
R3 IR-7
(2)
NIST SP
800-53
R3 IR-8
NIST SP
800-53
R3 MP-5
NIST SP
800-53
R3 MP-5
(2)
NIST SP
800-53
R3 MP-5
(4)

NIST
NIST SP
SP800800-53
53 R3 IRR3 IR-4
4

NIST SP
800-53
R3 IR-4

NIST
SP80053 R3 IR4
(1)
NIST
SP80053 R3 IR5
NIST

NIST SP
800-53
R3 IR-4
(1)
NIST SP
800-53
R3 IR-5

SP80053 R3 IR8
NIST

SP80053 R3
Policies AC-8
NIST
and
SP800procedur 53 R3
es shall AC-20
NIST
be
SP800establish 53 R3
ed for
AC-20
the
(1)
acceptab NIST
le use of SP800informati 53 R3
AC-20
on
assets. (2)

NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-8

NIST SP
800-53
R3 IR-8
NIST SP
800-53 NIST SP 800-53 R3 AC-8
R3 AC-2
NIST SP
800-53 NIST SP 800-53 R3 AC-20
R3 AC-8
NIST SP
800-53
R3 AC20

NIST SP 800-53 R3 AC-20 (1)

NIST SP
800-53
R3 PL-4

NIST SP 800-53 R3 AC-20 (2)

Acceptab
le Use

Informati
on
Security IS-27
Asset
Returns

Informati
on
Security

IS-28
eComme
rce
Transacti
ons

acceptab
le use of
informati
on
assets. NIST
SP80053 R3
PL-4
Employe
es,
contract
ors and
third
party
users
must
return all
assets
owned
by the
organiza
tion
NIST
NIST SP
within a SP800800-53
defined 53 R3
R3 PS-4
and
PS-4
documen
ted time
frame
once the
employ
ment,
contract
or
agreeme
nt has
been
terminat
ed.
NIST
NIST SP
SP800800-53
53 R3
R3 AC-1
AC-14
Electroni NIST
SP800- NIST SP
c
800-53
commer 53 R3
AC-14
R3 AC-2
ce (e(1)
NIST SP
commer NIST
SP800- 800-53
ce)
R3 ACrelated 53 R3
AC-21
22
data
NIST
traversin SP800- NIST SP
800-53
g public 53 R3
R3 AU-1
networks AC-22
NIST
shall be
SP800appropri
53 R3 IAately
8
classified NIST
SP800and
protecte 53 R3
AU-10
d from
fraudule
nt
activity,
unauthor
ized
disclosur
e or
modifica

NIST SP 800-53 R3 PL-4

NIST SP
800-53
R3 PS-4

NIST SP
800-53
R3 AC22
NIST SP
800-53
R3 AU10
NIST SP
800-53
R3 AU10 (5)
NIST SP
800-53
R3 SC-8
NIST SP
800-53
R3 SC-8
(1)
NIST SP
800-53
R3 SC-9

Informati
on
Security

IS-28
eComme
rce
Transacti
ons

Informati
on
Security
IS-29
Audit
Tools
Access

Informati
on

appropri
ately
classified
and
protecte
d from
NIST
fraudule SP800nt
53 R3
activity, AU-10
unauthor (5)
NIST
ized
SP800disclosur 53 R3
e or
SC-4
modifica NIST
SP800tion in
53 R3
such a
manner SC-8
NIST
to
SP800prevent
53 R3
contract
SC-8 (1)
dispute NIST
and
SP800compro 53 R3
mise of SC-9
data.
NIST
SP80053 R3
Access SC-9 (1)
to, and
use of,
audit
tools
that
NIST
interact
SP800with the
53 R3
organiza
AU-9
tions
informati
on
systems
shall be
appropri NIST
SP800ately
segment 53 R3
ed and AU-9 (2)
NIST
restricte
SP800d to
53 R3
prevent
AU-11
compro NIST
mise and SP800misuse 53 R3
AU-14
of log
NIST
data.
SP80053 R3
CM-7
NIST
SP80053 R3
CM-7 (1)
NIST
SP80053 R3
MA-3
User
access
to
diagnosti
c and
configur

NIST SP
800-53
R3 SC-9
(1)

NIST SP
800-53
R3 AU-9

NIST SP
800-53
R3 AU-9 NIST SP
800-53
R3 AU-9
(2)

NIST SP NIST SP
800-53 800-53
R3 CM-7 R3 CM-7
NIST SP
NIST SP
800-53
800-53
R3 CM-7
R3 MA-4
(1)
NIST SP NIST SP
800-53 800-53
R3 MA-5 R3 MA-3

Informati
on
Security

Diagnost
IS-30
ic /
Configur
ation
Ports
Access

NIST
User
access SP80053 R3
to
diagnosti MA-3 (1)
c and
NIST
configur SP800ation
53 R3
ports
MA-3 (2)
shall be
restricte NIST
SP800d to
authoriz 53 R3
MA-3 (3)
ed
NIST
individua
SP800ls and
53 R3
applicati
MA-4
ons.
NIST
SP80053 R3
MA-4 (1)

NIST SP
800-53
R3 MA-3
(1)

NIST
SP80053 R3
MA-4 (2)
NIST
SP80053 R3
MA-5
NIST

NIST SP
800-53
R3 MA-4
(2)

SP80053 R3
SC-20
NIST
SP80053 R3
SC-20
(1)
NIST

Informati
on
Security

Network IS-31
/
Infrastru
cture
Services

Network
and
infrastru
cture
service
level
agreeme
nts (inhouse or
outsourc
ed) shall
clearly
documen
t
security
controls,
capacity
and
service
levels,
and
business
or

SP80053 R3
SC-21
NIST
SP80053 R3
NIST
SC-22
SP80053 R3
SC23NIST
SP80053 R3
SC-24

NIST SP
800-53
R3 MA-3
(2)
NIST SP
800-53
R3 MA-3
(3)
NIST SP
800-53
R3 MA-4
NIST SP
800-53
R3 MA-4
(1)

NIST SP
800-53
R3 MA-5
NIST SP NIST SP
800-53 800-53
R3 CA-3 R3 CA-3
NIST SP NIST SP
800-53 800-53
R3 SA-9 R3 CP-6
NIST SP
800-53
R3 CP-6
(1)
NIST SP
800-53
R3 CP-6
(3)
NIST SP
800-53
R3 CP-7
NIST SP
800-53
R3 CP-7
(1)
NIST SP
800-53
R3 CP-7
(2)

Security

Network IS-31
/
Infrastru
cture
Services

clearly
documen
t
security
controls,
capacity
and
service
levels,
and
business
or
custome
r
requirem
ents.

NIST
SP80053 R3
AC-17
NIST
SP80053 R3
AC-17
(1)
NIST
SP80053 R3
AC-17
(2)
NIST
SP80053 R3
AC-17
(3)
NIST
SP80053 R3
AC-17
(4)
NIST

Policies
and
procedur
es shall
be
establish
ed and
measure
s
impleme
nted to
strictly
limit
access

SP80053 R3
AC-17
(5)
NIST
SP80053 R3
AC-17
(7)
NIST
SP80053 R3
AC-17
(8)

NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC18
NIST SP
800-53
R3 AC19

NIST SP
800-53
R3 CP-7
(3)
NIST SP
800-53
R3 CP-7
(5)
NIST SP
800-53
R3 CP-8
NIST SP
800-53
R3 CP-8
(1)
NIST SP
800-53
R3 CP-8
(2)
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)
NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC17 (1)
NIST SP
800-53
R3 AC17 (2)

NIST SP
NIST SP
800-53
800-53
R3 ACR3 MP-2
17 (3)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 MP-6
17 (4)
NIST SP
800-53
R3 AC17 (5)
NIST SP
800-53
R3 AC17 (7)
NIST SP
800-53
R3 AC17 (8)

Informati
on
Security

IS-32
Portable
/ Mobile
Devices

es shall
be
establish
ed and
measure
s
impleme
nted to
strictly
limit
access
to
sensitive
data
from
portable
and
mobile
devices,
such as
laptops,
cell
phones,
and
personal
digital
assistant
s (PDAs),
which
are
generall
y higherrisk than
nonportable
devices
(e.g.,
desktop
compute
rs at the
organiza
tions
facilities)
.

NIST
SP80053 R3
AC-18
NIST
SP80053 R3
AC-18
(1)
NIST
SP80053 R3
AC-18
(2)
NIST
SP80053 R3
AC-18
(3)
NIST
SP80053 R3
AC-18
(4)
NIST
SP80053 R3
AC-18
(5)
NIST
SP80053 R3
AC-19
NIST
SP80053 R3
AC-19
(1)
NIST
SP80053 R3
AC-19
(2)
NIST
SP80053 R3
AC-19
(3)
NIST
SP80053 R3
MP-2
NIST
SP80053 R3
MP-2 (1)
NIST
SP80053 R3
MP-4
NIST
SP80053 R3
MP-4 (1)

NIST SP
800-53
R3 AC18
NIST SP
800-53
R3 AC18 (1)
NIST SP
800-53
R3 AC18 (2)
NIST SP
800-53
R3 AC19
NIST SP
800-53
R3 AC19 (1)
NIST SP
800-53
R3 AC19 (2)
NIST SP
800-53
R3 AC19 (3)
NIST SP
800-53
R3 MP-2
NIST SP
800-53
R3 MP-2
(1)
NIST SP
800-53
R3 MP-4
NIST SP
800-53
R3 MP-4
(1)
NIST SP
800-53
R3 MP-6
NIST SP
800-53
R3 MP-6
(4)

NIST
SP80053 R3
MP-6
NIST
SP80053 R3
MP-6 (4)

Informati
on
Security
Source
IS-33
Code
Access
Restricti
on

Informati
on
Security
IS-34
Utility
Program
s Access

Access
to
applicati
on,
program
or object NIST
source
SP800code
53 R3
shall be CM-5
restricte
d to
authoriz
ed
personn
el on a NIST
need to SP80053 R3
know
CM-5 (1)
basis.
Records NIST
shall be SP800maintain 53 R3
ed
CM-5 (5)
regardin NIST
SP800g the
individua 53 R3
l granted CM-6
access, NIST
reason SP80053 R3
for
access CM-6 (1)
and
NIST
version SP800of source 53 R3
code
CM-6 (3)
exposed. NIST
SP80053 R3
AC-5
NIST
SP800Utility
program 53 R3
AC-6
s
NIST
capable
SP800of
53 R3
potential
AC-6 (1)
ly
overridin NIST
SP800g
system, 53 R3
NIST SP
object, AC-6 (2) 800-53
network,
R3 CM-7
virtual
machine
and
applicati
on

NIST SP
800-53
R3 CM-5

NIST SP
800-53
R3 CM-5
(1)
NIST SP
800-53
R3 CM-5
(5)

NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)
NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 CM-7

Informati
on
Security
IS-34
Utility
Program
s Access

ly
overridin
g
system,
object,
network,
virtual
machine
and
applicati
on
controls
shall be
restricte
d.

NIST
SP80053 R3
CM-7
NIST
SP80053 R3
CM-7 (1)
NIST
SP80053 R3
SC-3
NIST

NIST SP
800-53
R3 CM-7 NIST SP
800-53
R3 CM-7
(1)

SP80053 R3
SC-19

Legal
NonDisclosur
LG-01
e
Agreeme
nts

Require
ments
for nondisclosur
e or
confiden
tiality
agreeme
nts
NIST
reflectin SP800g the
53 R3
organiza PL-4
tion's
needs
for the
protectio
n of data
and
operatio NIST
nal
SP800details
53 R3
shall be PS-6
identifie NIST
SP800d,
documen 53 R3
ted and SA-9
NIST
reviewed
SP800at
53 R3
planned
SA-9 (1)
intervals
.

NIST SP
800-53
R3 PL-4

NIST SP
800-53
R3 PL-4

NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 SA-9

NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)

Legal
Third
Party
LG-02
Agreeme
nts

indirectly
, impact
the
organiza
tions
informati
on
assets or
data are
required
to
include
explicit
coverage
of all
relevant
security
requirem
ents.
This
includes NIST
agreeme SP800nts
53 R3
involving CA-3
processi
ng,
accessin
g,
communi
cating,
hosting
or
managin
g the
organiza
tion's
informati
on
assets,
or
NIST
adding SP800or
53 R3
terminati MP-5
ng
NIST
services SP800or
53 R3
products MP-5 (2)
to
NIST
existing
SP800informati
53 R3
on.
MP-5 (4)
Assets
NIST
agreeme SP800nts
53 R3
provision PS-7
NIST
s shall
include SP800security 53 R3
SA-6
NIST
(e.g.,
encrypti SP80053 R3
on,
access SA-7
controls,
and
leakage
preventi
on) and
integrity

NIST SP NIST SP
800-53 800-53
R3 CA-3 R3 CA-3

NIST SP NIST SP
800-53 800-53
R3 PS-7 R3 MP-5
NIST SP
NIST SP
800-53
800-53
R3 MP-5
R3 SA-6
(2)
NIST SP
NIST SP
800-53
800-53
R3 MP-5
R3 SA-7
(4)
NIST SP NIST SP
800-53 800-53
R3 SA-9 R3 PS-7
NIST SP
800-53
R3 SA-6
NIST SP
800-53
R3 SA-7

security
(e.g.,
encrypti
on,
access
controls,
and
leakage
preventi
on) and
integrity
controls
for data
exchang
ed to
prevent
improper
disclosur
e,
alteratio
n or
destructi
on.

Policies
and
procedur
es shall
be
establish

NIST
SP80053 R3
SA-9
NIST
SP80053 R3
SA-9 (1)
NIST
SP80053 R3
CM-2
NIST
SP80053 R3
CM-2 (1)

NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)
NIST SP NIST SP
800-53 800-53
R3 CM-2 R3 CM-2
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 CM-4
(1)

NIST
NIST SP
SP800800-53
53 R3
R3 CM-6
CM-2 (3)

NIST SP
800-53
R3 CM-2
(3)

NIST
SP80053 R3
CM-2 (5)
NIST
SP80053 R3
CM-3
NIST
SP80053 R3
CM-3 (2)
NIST
SP80053 R3
CM-4
NIST
SP80053 R3
CM-5
NIST
SP80053 R3
CM-5 (1)

NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 MA-4
(5)

NIST
SP80053 R3
CM-5 (5)
NIST
SP80053 R3
CM-6
NIST
SP80053 R3
CM-6 (1)

NIST SP
800-53
R3 CM-6
(1)
NIST SP
800-53
R3 CM-6
(3)

NIST SP NIST SP
800-53 800-53
R3 SA-3 R3 CM-3
NIST SP
NIST SP
800-53
800-53
R3 CM-3
R3 SA-4
(2)
NIST SP NIST SP
800-53 800-53
R3 SA-5 R3 CM-4
NIST SP
800-53
R3 CM-5
NIST SP
800-53
R3 CM-6

NIST SP
800-53
R3 CM-9

Operatio
ns
Manage OP-01
ment
Policy

Policies
and
procedur
es shall
be
establish
ed and
made
available
for all
personn
el to
adequat
ely
support
services
operatio
ns role.

NIST
SP80053 R3
CM-6 (3)
NIST
SP80053 R3
CM-9
NIST
SP80053 R3
MA-4
NIST
SP80053 R3
MA-4 (1)
NIST
SP80053 R3
MA-4 (2)
NIST
SP80053 R3
SA-3
NIST
SP80053 R3
SA-4
NIST
SP80053 R3
SA-4 (1)
NIST
SP80053 R3
(NIST SP 800-53 R3 mappings continued from the preceding control)
NIST SP 800-53 R3: MA-4, MA-4 (1), MA-4 (2), SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-10, SA-11, SA-11 (1), SA-12

Operations Management - Documentation

OP-02

Information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) shall be made available to authorized personnel to ensure the following:
- Configuring, installing, and operating the information system
- Effectively using the system's security features

NIST SP 800-53 R3: CP-9, CP-9 (1), CP-9 (3), CP-10, CP-10 (2), CP-10 (3), SA-5, SA-5 (1), SA-5 (3), SA-10, SA-11, SA-11 (1)

Operations Management - Capacity / Resource Planning

OP-03

The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

NIST SP 800-53 R3: SA-4, SA-4 (1), SA-4 (4), SA-4 (7)

Operations Management - Equipment Maintenance

OP-04

Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.

NIST SP 800-53 R3: MA-2, MA-2 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5, MA-6

Risk Management - Program

RI-01

Organizations shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level.

NIST SP 800-53 R3: AC-1, AC-4, AT-1, AU-1, CA-1, CA-2, CA-2 (1), CA-6, CA-7, CM-1, PL-1, PM-9, RA-1, RA-2, RA-3, SA-9 (1), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)

Risk Management - Assessments

RI-02

Formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

NIST SP 800-53 R3: PL-5, RA-1, RA-2, RA-3

Risk Management - Mitigation / Acceptance

RI-03

Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval.

NIST SP 800-53 R3: CA-5, CM-4, CP-1, CP-2, CP-2 (1), CP-2 (2), RA-1, RA-2, RA-3

Risk Management - Business / Policy Change Impacts

RI-04

Risk assessment results shall include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective.

NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-3, SC-1, SI-1

Risk Management - Third Party Access

RI-05

The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CA-3, CM-1, CP-1, IA-1, IA-4, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-8, IR-1, MA-1, MA-4, MA-4 (1), MA-4 (2), MP-1, PE-1, PL-1, PS-1, RA-1, RA-3, SA-1, SC-1, SI-1

Release Management - New Development / Acquisition

RM-01

Policies and procedures shall be established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.

NIST SP 800-53 R3: CA-1, CM-1, CM-9, PL-1, PL-2, PL-2 (2), SA-1, SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)

Release Management - Production Changes

RM-02

Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.

NIST SP 800-53 R3: CA-1, CA-6, CA-7, CA-7 (2), CM-2, CM-2 (1), CM-2 (3), CM-2 (5), CM-3, CM-3 (2), CM-5, CM-5 (1), CM-5 (5), CM-6, CM-6 (1), CM-6 (3), CM-9, PL-2, PL-2 (2), PL-5, SI-2, SI-2 (2), SI-6, SI-7, SI-7 (1)

Release Management - Quality Testing

RM-03

A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established and documented, and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process, with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release.

NIST SP 800-53 R3: CM-1, CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-10, SA-11, SA-11 (1), SA-13

Release Management - Outsourced Development

RM-04

A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews. Certification for the purposes of this control shall be defined as either an ISO/IEC 17024 accredited certification or a legally recognized license or certification in the legislative jurisdiction the organization outsourcing the development has chosen as its domicile.

NIST SP 800-53 R3: SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-9, SA-9 (1), SA-10, SA-11, SA-11 (1), SA-12, SA-13

Release Management - Unauthorized Software Installations

RM-05

Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

NIST SP 800-53 R3: CM-1, CM-2, CM-2 (1), CM-2 (3), CM-2 (5), CM-3, CM-3 (2), CM-5, CM-5 (1), CM-5 (5), CM-7, CM-7 (1), CM-8, CM-8 (1), CM-8 (3), CM-8 (5), CM-9, SA-6, SA-7, SI-1, SI-3, SI-3 (1), SI-3 (2), SI-3 (3), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SI-7, SI-7 (1)

Resiliency - Management Program

RS-01

... recovery of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) through a combination of preventive and recovery controls, in accordance with regulatory, statutory, contractual, and business requirements and consistent with industry standards. This resiliency management program shall be communicated to all organizational participants with a need to know basis prior to adoption and shall ...

NIST SP 800-53 R3: CP-1, CP-2, CP-2 (1), CP-2 (2)

Resiliency - Impact Analysis

RS-02

There shall be a defined and documented method for determining the impact of any disruption to the organization which must incorporate the following:
- Identify critical products and services
- ... dependencies, including processes, applications, business partners and third party ...
- Understand threats to critical products and ...
- ... impacts resulting from planned or unplanned disruptions and how ...
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- ... time objectives for resumption of critical products and services within their maximum tolerable ...
- Estimate the resources required for resumption

NIST SP 800-53 R3: CP-1, CP-2, RA-3

Resiliency - Business Continuity Planning

RS-03

... planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements:
- ... purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will ...
- ... named person(s) who is responsible for their review, update ...
- ... lines of communication, roles and responsibilities
- ... recovery procedures, manual work-around and reference ...
- Method for plan invocation

NIST SP 800-53 R3: CP-1, CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3), CP-10, CP-10 (2), CP-10 (3), PE-17

Resiliency - Business Continuity Testing

RS-04

Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

NIST SP 800-53 R3: CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1)

Resiliency - Environmental Risks

RS-05

Physical protection against damage from natural causes and disasters as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster, shall be anticipated and designed for, and countermeasures applied.

NIST SP 800-53 R3: PE-1, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14, PE-14 (1), PE-15, PE-18

Resiliency - Equipment Location

RS-06

To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high probability environmental risks and supplemented by redundant equipment located a reasonable distance away.

NIST SP 800-53 R3: PE-1, PE-5, PE-14, PE-14 (1), PE-15, PE-18

Resiliency - Equipment Power Failures

RS-07

Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

NIST SP 800-53 R3: CP-8, CP-8 (1), CP-8 (2), PE-1, PE-9, PE-10, PE-11, PE-11 (1), PE-12, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14, PE-14 (1)

Resiliency - Power / Telecommunications

RS-08

Telecommunications equipment, cabling and relays transceiving data or supporting services shall be protected from interception or damage and designed with redundancies, alternative power source and alternative routing.

NIST SP 800-53 R3: PE-1, PE-4, PE-13, PE-13 (1), PE-13 (2), PE-13 (3)

Security Architecture - Customer Access Requirements

SA-01

Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.

NIST SP 800-53 R3: CA-1, CA-2, CA-2 (1), CA-5, CA-6

Security Architecture - User ID Credentials

SA-02

Implement and enforce (through automation) user credential and password controls for applications, databases and server and network infrastructure, requiring the following minimum standards:
- User identity verification prior to password ...
- ... user (i.e., administrator), especially if communicated in plaintext (i.e., via email), password must ...
- ... access revocation for terminated ...
- Disable inactive user accounts at least ...
- ... IDs and disallow group, shared, or generic accounts and passwords
- Password expiration at least every ...
- Minimum password length of at least seven (7) ...
- Passwords containing both numeric and alphabetic ...
- ... password reuse after the last four (4) passwords
- User ID lockout after not more than six (6) attempts
- Lockout duration to a minimum of 30 minutes or until administrator enables ...
- ... password to reactivate terminal after session idle time for more than ...
- ... user activity logs for privileged access or access to ...

NIST SP 800-53 R3: AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-11, AC-11 (1), AU-2, AU-2 (3), AU-2 (4), AU-11, IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-6, IA-8, SC-10
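The SA-02 minimums that carry numeric values on this page (length of at least seven characters, both numeric and alphabetic characters, no reuse of the last four passwords, lockout after not more than six failed attempts, lockout of at least 30 minutes or until an administrator re-enables the ID) are small enough to enforce in one place. The block below is an added illustration, not part of the CCM and not any provider's code. The in-memory Account store, the clock passed in as a parameter, the PBKDF2 iteration count and the function names are assumptions of the example; the thresholds whose values are not recovered on this page (inactivity interval, expiry interval, idle timeout) are deliberately left out rather than guessed.

```python
"""Enforcement of the SA-02 password and lockout minimums (added example).

Assumptions of this illustration: an in-memory Account record, a caller-
supplied clock (seconds) so the 30-minute lockout is testable, and a modest
PBKDF2 iteration count chosen for example speed, not for production.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 7            # "minimum password length of at least seven (7)"
HISTORY_DEPTH = 4         # "reuse after the last four (4) passwords"
MAX_ATTEMPTS = 6          # "lockout after not more than six (6) attempts"
LOCKOUT_SECONDS = 30 * 60 # "lockout duration to a minimum of 30 minutes"
PBKDF2_ROUNDS = 20_000    # assumption for the example; raise in production


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history list never holds plaintext or bare hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # (salt, digest), newest last
    failed_attempts: int = 0
    locked_until: float = 0.0                   # 0.0 means not locked


def password_policy_violations(account: Account, candidate: str) -> list:
    """Return the SA-02 rules the candidate breaks; an empty list means OK."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length < 7")
    has_digit = any(c.isdigit() for c in candidate)
    has_alpha = any(c.isalpha() for c in candidate)
    if not (has_digit and has_alpha):
        problems.append("needs both numeric and alphabetic characters")
    # Compare against the last four stored digests, each under its own salt.
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reuses one of the last 4 passwords")
            break
    return problems


def set_password(account: Account, candidate: str) -> bool:
    """Store a new password if it satisfies the policy; False otherwise."""
    if password_policy_violations(account, candidate):
        return False
    salt = os.urandom(16)
    account.history.append((salt, _digest(candidate, salt)))
    return True


def verify_login(account: Account, attempt: str, now: float) -> str:
    """Return 'ok', 'bad-password' or 'locked' for one login attempt at time `now`."""
    if account.locked_until > now:
        return "locked"              # still inside the 30-minute window
    if account.locked_until and account.locked_until <= now:
        account.failed_attempts = 0  # lockout expired: counter starts fresh
        account.locked_until = 0.0
    if not account.history:
        return "bad-password"
    salt, digest = account.history[-1]
    if hmac.compare_digest(_digest(attempt, salt), digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS  # lock on the 6th failure
        return "locked"
    return "bad-password"


def administrator_unlock(account: Account) -> None:
    """The 'until administrator enables the user ID' path: clears the lockout early."""
    account.locked_until = 0.0
    account.failed_attempts = 0
```

The lockout is keyed on the account, not the source address, because the control is about the user ID; a correct password submitted during the window is still rejected, which is what prevents an attacker from pausing at five failures and trying the sixth guess for free.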

Security
Architect
ure
Data
SA-03
Security
/
Integrity

procedur
es shall
be
establish
ed and
mechani
sms
impleme
nted to
ensure
security
(e.g.,
encrypti
on,
access
controls,
and
leakage
preventi
on) and
integrity
of data NIST
exchang SP80053 R3
ed
AC-1
between
one or
more
system
interface
s,
jurisdicti
ons, or
with a
third
party
shared
services
provider
to
prevent
improper NIST
disclosur SP80053 R3
e,
NIST
alteratio AC-4
SP800n or
destructi 53 R3
SC-1
on
NIST
complyin SP800g with
53 R3
legislativ SC-16
NIST
e,
SP800regulator
53 R3
y, and
SC-2
contract NIST
SP800ual
requirem 53 R3
SC-3
ents.
NIST
SP80053 R3
SC-4
NIST
SP80053 R3
SC-5

NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1

NIST SP NIST SP
800-53 800-53
R3 SC-1 R3 AC-4
NIST SP NIST SP
800-53 800-53
R3 SC-13 R3 SC-1
NIST SP
800-53
R3 SC-8
NIST SP NIST SP
800-53 800-53
R3 SC-5 R3 SA-8
NIST SP NIST SP
800-53 800-53
R3 SC-6 R3 SC-2
NIST SP NIST SP
800-53 800-53
R3 SC-7 R3 SC-4
NIST SP NIST SP
800-53 800-53
R3 SC-12 R3 SC-5

NIST
SP80053 R3
SC-6
NIST
SP80053 R3
SC-7
NIST
SP80053 R3
SC-7 (1)

Security
Architect
ure
SA-04
Applicati
on
Security

NIST SP NIST SP
800-53 800-53
R3 SC-13 R3 SC-6
NIST SP NIST SP
800-53 800-53
R3 SC-14 R3 SC-7
NIST SP
800-53
R3 SC-7
(1)

NIST
SP80053 R3
SC-7 (2)

NIST SP
800-53
R3 SC-7
(2)

NIST
SP80053 R3
SC-7 (3)

NIST SP
800-53
R3 SC-7
(3)

NIST
SP80053 R3
SC-7 (4)

NIST SP
800-53
R3 SC-7
(4)

NIST
SP80053 R3
SC-7 (5)

NIST SP
800-53
R3 SC-7
(5)

NIST
SP80053 R3
SC-7 (7)

NIST SP
800-53
R3 SC-7
(7)

NIST
SP80053 R3
SC-7 (8)
NIST
SP80053 R3
SC-7
(12)
NIST

NIST SP
800-53
R3 SC-7
(8)

SP800Applicati
53 R3
ons shall
SC-7
be
(13)
designed NIST
SP800in
accordan 53 R3
ce with SC-7
industry (18)
NIST
accepted SP800security 53 R3
standard SC-8
s (i.e.,
NIST
OWASP SP800for web 53 R3
applicati SC-8 (1)
ons) and
complies
with
applicabl
e

NIST SP
800-53
R3 SC-7
(12)
NIST SP
800-53
R3 SC-7
(13)
NIST SP
800-53
R3 SC-7
(18)
NIST SP
800-53
R3 SC-8
NIST SP
800-53
R3 SC-8
(1)

Architect
ure
SA-04
Applicati
on
Security

standard
s (i.e.,
OWASP
for web
applicati
ons) and NIST
complies SP80053 R3
with
applicabl SC-9
NIST
e
regulator SP80053 R3
y and
business SC-9 (1)
NIST
requirem
SP800ents.
53 R3
SC-10
NIST
SP80053 R3
SC-11
NIST
SP80053 R3
SC-12
NIST
SP80053 R3
SC-12
(2)
NIST
SP80053 R3
SC-12
(5)
NIST
SP80053 R3
SC-13
NIST
SP80053 R3
SC-13
(1)
NIST
SP80053 R3
SC-14
NIST
SP80053 R3
SC-17
NIST
SP80053 R3
SC-18
NIST
SP80053 R3
SC-18
(4)
NIST
SP80053 R3
SC-20
NIST
SP80053 R3
SC-20
(1)

NIST SP
800-53
R3 SC-9
NIST SP
800-53
R3 SC-9
(1)
NIST SP
800-53
R3 SC-10
NIST SP
800-53
R3 SC-11
NIST SP
800-53
R3 SC-12
NIST SP
800-53
R3 SC-12
(2)
NIST SP
800-53
R3 SC-12
(5)
NIST SP
800-53
R3 SC-13
NIST SP
800-53
R3 SC-13
(1)
NIST SP
800-53
R3 SC-14
NIST SP
800-53
R3 SC-17
NIST SP
800-53
R3 SC-18

NIST
SP80053 R3
SC-21
NIST
SP80053 R3
SC-22
NIST
SP80053 R3
SC-23
NIST

Security
Architect
ure
SA-05
Data
Integrity

SP80053 R3 SI10
NIST
SP80053 R3 SI11
NIST
SP80053 R3 SI2
NIST
SP80053 R3 SIData
2 (2)
NIST
input
SP800and
53 R3 SIoutput
3
integrity NIST
routines SP80053 R3 SI(i.e.,
3 (1)
reconcili NIST
SP800ation
and edit 53 R3 SI(2)
checks) 3
NIST
shall be SP800impleme 53 R3 SInted for 3 (3)
NIST
applicati
SP800on
53 R3 SIinterface
4
NIST
s and
database SP80053 R3 SIs to
(2)
prevent 4
NIST
manual SP80053 R3 SIor
(4)
systemat 4
NIST
ic
SP800processi 53 R3 SIng errors 4 (5)
NIST
or
SP800corruptio
53 R3 SIn of
4 (6)
NIST
data.
SP80053 R3 SI6

NIST SP
800-53
R3 SI-2
NIST SP
800-53
R3 SI-3

NIST SP
800-53
R3 SI-2
NIST SP
800-53
R3 SI-2
(2)
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-3
(1) SP
NIST
800-53
R3 SI-3
(2)
NIST SP
800-53
R3 SI-3
(3)
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 SI-6
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)

n of
data.
NIST
SP80053 R3 SI7
NIST
SP80053 R3 SI7 (1)
NIST

Security
Architect
ure
Producti
on / Non- SA-06
Producti
on
Environ
ments

on and
nonproducti
on
environ
ments
shall be
separate
d to
prevent
unauthor
ized
access
or
changes
to
informati
on

NIST
SP80053 R3
SC-2

NIST
SP80053 R3
AC-17
NIST

NIST SP
800-53
R3 SC-2

NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC20

NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC17 (1)

SP80053 R3
AC-17
(2)
NIST

NIST SP
800-53
R3 IA-1

NIST SP
800-53
R3 AC17 (2)

SP80053 R3
AC-17
(3)
NIST

NIST SP
800-53
R3 IA-2

NIST SP
800-53
R3 AC17 (3)

NIST SP
800-53
R3 IA-2
(1)

NIST SP
800-53
R3 AC17 (4)

SP80053 R3
AC-17
(4)
NIST
SP80053 R3
AC-17
(5)
NIST
SP80053 R3
AC-17
(7)

Multi-

NIST SP
800-53
R3 SI-11

SP80053 R3 SI9

SP80053 R3
AC-17
(1)
NIST

Security

NIST SP
800-53
R3 SI-9
NIST SP
800-53
R3 SI-10

NIST SP
NIST SP
800-53
800-53
R3 ACR3 MA-4
17 (5)
NIST SP
800-53
R3 AC17 (7)

Security
Architect
ure
Remote
User
SA-07
MultiFactor
Authenti
cation

Multifactor
authenti
cation is
required
for all
remote
user
access.

NIST
SP80053 R3
AC-17
(8)
NIST
SP80053 R3
AC-20
NIST
SP80053 R3
AC-20
(1)
NIST
SP80053 R3
AC-20
(2)
NIST
SP80053 R3 IA1
NIST
SP80053 R3 IA2
NIST
SP80053 R3 IA2
(1)
NIST
SP80053 R3 IA2 (2)
NIST
SP80053 R3 IA2
(3)
NIST
SP80053 R3 IA2 (8)
NIST
SP80053 R3
MA-4
NIST
SP80053 R3
MA-4 (1)
NIST
SP80053 R3
MA-4 (2)

NIST SP
800-53
R3 AC17 (8)
NIST SP
800-53
R3 AC20
NIST SP
800-53
R3 AC20 (1)
NIST SP
800-53
R3 AC20 (2)
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IA-2
NIST SP
800-53
R3 IA-2
(1)
NIST SP
800-53
R3 IA-2
(2) SP
NIST
800-53
R3 IA-2
(3)
NIST SP
800-53
R3 IA-2
(8)
NIST SP
800-53
R3 MA-4
NIST SP
800-53
R3 MA-4
(1)
NIST SP
800-53
R3 MA-4
(2)

Security Architecture
SA-08
Network Security
Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
NIST SP 800-53 R3 mappings: CM-7, CM-7 (1), SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Security Architecture
SA-09
Segmentation
System and network environments are separated by firewalls to ensure the following requirements are adhered to: business and customer requirements; security requirements; compliance with legislative, regulatory, and contractual requirements; separation of production and non-production environments; protection and isolation of sensitive data.
NIST SP 800-53 R3 mappings: AC-4, SC-2, SC-3, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Security Architecture
SA-10
Wireless Security
Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following: perimeter firewalls implemented and configured to restrict unauthorized traffic; security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.); logical and physical user access to wireless network devices restricted to authorized personnel; the capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network.
NIST SP 800-53 R3 mappings: AC-1, AC-18, AC-18 (1), AC-18 (2), AC-18 (3), AC-18 (4), AC-18 (5), CM-6, CM-6 (1), CM-6 (3), PE-4, SC-3, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Security Architecture
SA-11
Shared Networks
Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
NIST SP 800-53 R3 mappings: PE-4, PL-2, SC-1, SC-4, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)

Security Architecture
SA-12
Clock Synchronization
An external accurate, externally agreed upon, time source shall be used to synchronize the system clocks of all relevant information processing systems within the organization or explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Note: specific legal jurisdictions and orbital storage and relay platforms (US GPS & EU Galileo Satellite Network) may mandate a reference clock that differs in synchronization with the organization's domicile time reference; in this event the jurisdiction or platform is treated as an explicitly defined security domain.
NIST SP 800-53 R3 mappings: AU-1, AU-8, AU-8 (1)

Security Architecture
SA-13
Equipment Identification
Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
NIST SP 800-53 R3 mappings: IA-3, IA-4, IA-4 (4)

Security Architecture
SA-14
Audit Logging / Intrusion Detection
Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.
NIST SP 800-53 R3 mappings: AU-1, AU-2, AU-2 (3), AU-2 (4), AU-3, AU-3 (1), AU-4, AU-5, AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1), AU-9, AU-9 (2), AU-11, AU-12, AU-14, PE-2, PE-3, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)

Security Architecture
SA-15
Mobile Code
Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing.
NIST SP 800-53 R3 mappings: SC-18, SC-18 (4)
Control Area | CID | Control Specification | CCM v1.2 | CCM v1.3 | FedRAMP Final Release (Jan 2012) Revised Mappings: LOW IMPACT / MODERATE IMPACT LEVEL

Rows below give the control area, control ID, the opening words of the control specification (the specification column is cut off in the source) and the NIST SP 800-53 R3 mappings, with the low-impact and moderate-impact columns listed together.

Compliance | CO-01 | Audit plans | NIST SP 800-53 R3: CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6
Compliance | CO-02 | Independent | NIST SP 800-53 R3: CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)
Compliance | CO-03 | Third party | NIST SP 800-53 R3: CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
Compliance | CO-04 | Liaisons an | NIST SP 800-53 R3: IR-6, IR-6 (1), SI-5
Compliance | CO-05 | Statutory, | NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1
Compliance | CO-06 | Policy, pro | NIST SP 800-53 R3: SA-6, SA-7, PM-5
Data Governance | DG-01 | All data sh | NIST SP 800-53 R3: CA-2, CA-2 (1), PS-2, RA-2, SA-2
Data Governance | DG-02 | Data, and ob | NIST SP 800-53 R3: RA-2, AC-4
Data Governance | DG-03 | Policies an | NIST SP 800-53 R3: AC-1, AC-16, MP-1, MP-3, PE-16, SC-9, SC-9 (1), SI-1, SI-12
Data Governance | DG-04 | Policies an | NIST SP 800-53 R3: CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3), SI-12, AU-11
Data Governance | DG-05 | Policies an | NIST SP 800-53 R3: MP-6, MP-6 (4), PE-1
Data Governance | DG-06 | Production | NIST SP 800-53 R3: SA-11, SA-11 (1), CM-04
Data Governance | DG-07 | Security m | NIST SP 800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-4, AC-6, AC-6 (1), AC-6 (2), AC-11, AC-11 (1), SA-8, SC-28, SI-7, SI-7 (1)
Data Governance | DG-08 | Risk assessments associated with data governance requirements shall be conducted at planned in | NIST SP 800-53 R3: CA-3
  Awareness o | NIST SP 800-53 R3: RA-2
  Compliance | NIST SP 800-53 R3: RA-3
  Data classi | NIST SP 800-53 R3: SI-12, PM-9
Facility Security | FS-01 | Policies an | NIST SP 800-53 R3: CA-2, CA-2 (1), PE-1, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8
Facility Security | FS-02 | Physical ac | NIST SP 800-53 R3: PE-2, PE-3, PE-4, PE-5, PE-6, PE-6 (1)
Facility Security | FS-03 | Physical se | NIST SP 800-53 R3: PE-2, PE-3, PE-6, PE-6 (1), PE-18
Facility Security | FS-04 | Ingress and | NIST SP 800-53 R3: PE-2, PE-3, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8, PE-18
Facility Security | FS-05 | Ingress and | NIST SP 800-53 R3: PE-7, PE-7 (1), PE-16, PE-18
Facility Security | FS-06 | Authorizati | NIST SP 800-53 R3: MA-1, MA-2, MA-2 (1), PE-16
Facility Security | FS-07 | Policies an | NIST SP 800-53 R3: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), MA-1, PE-1, PE-16, PE-17
Facility Security | FS-08 | A complete | NIST SP 800-53 R3: CM-8, CM-8 (1), CM-8 (3), CM-8 (5)
Human Resources | HR-01 | Pursuant to | NIST SP 800-53 R3: PS-2, PS-3
Human Resources | HR-02 | Prior to gr | NIST SP 800-53 R3: PS-1, PS-2, PS-6, PS-7
Human Resources | HR-03 | Roles and | NIST SP 800-53 R3: PS-2, PS-4, PS-5, PS-6, PS-8
Information Security | IS-01 | An Information Security Management Program (ISMP) has been developed, documented, approve | NIST SP 800-53 R3: PM-1
  Risk mana | NIST SP 800-53 R3: PM-2
  Security po | NIST SP 800-53 R3: PM-3
  Organizatio | NIST SP 800-53 R3: PM-4
  Asset man | NIST SP 800-53 R3: PM-5
  Human reso | NIST SP 800-53 R3: PM-6
  Physical an | NIST SP 800-53 R3: PM-7
  Communicat | NIST SP 800-53 R3: PM-8
  Access con | NIST SP 800-53 R3: PM-9
  Informatio | NIST SP 800-53 R3: PM-10, PM-11
Information Security | IS-02 | Executive a | NIST SP 800-53 R3: CM-1, PM-1, PM-11
Information Security | IS-03 | Management | NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
Information Security | IS-04 | Baseline se | NIST SP 800-53 R3: CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
Information Security | IS-05 | Management | NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
Information Security | IS-06 | A formal di | NIST SP 800-53 R3: PL-4, PS-1, PS-8
Information Security | IS-07 | User access | NIST SP 800-53 R3: AC-1, IA-1
Information Security | IS-08 | Normal and | NIST SP 800-53 R3: AC-3, AC-3 (3), AC-5, AC-6, AC-6 (1), AC-6 (2), IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-8, MA-5, PS-6, SA-7, SI-9
Information Security | IS-09 | Timely depr | NIST SP 800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), PS-4, PS-5
Information Security | IS-10 | All levels | NIST SP 800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AU-6, AU-6 (1), AU-6 (3), PS-6, PS-7
Information Security | IS-11 | A security | NIST SP 800-53 R3: AT-1, AT-2, AT-3, AT-4
Information Security | IS-12 | Industry se | NIST SP 800-53 R3: SI-5
Information Security | IS-13 | Roles and r | NIST SP 800-53 R3: PL-4, PS-1, PS-2, PS-6, PS-7
Information Security | IS-14 | Managers ar | NIST SP 800-53 R3: AT-2, AT-3, AT-4, CA-1, CA-5, CA-6, CA-7, CA-7 (2)
Information Security | IS-15 | Policies, p | NIST SP 800-53 R3: AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-5, AC-6, AC-6 (1), AC-6 (2), AU-1, AU-2, AU-6, AU-6 (1), AU-6 (3), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)
Information Security | IS-16 | Users shall be made aware of their responsibilities for: | NIST SP 800-53 R3: AT-2
  Maintaining | NIST SP 800-53 R3: AT-3
  Maintainin | NIST SP 800-53 R3: AT-4
  Leaving un | NIST SP 800-53 R3: PL-4
Information Security | IS-17 | Policies an | NIST SP 800-53 R3: AC-11, MP-1, MP-2, MP-2 (1), MP-3, MP-4, MP-4 (1)
Information Security | IS-18 | Policies an | NIST SP 800-53 R3: AC-18, AC-18 (1), AC-18 (2), IA-7, SC-7, SC-7 (4), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-13, SC-13 (1), SC-16, SC-23, SC-28, SI-8
Information Security | IS-19 | Policies an | NIST SP 800-53 R3: SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-17, SC-28, SC-28 (1)
Information Security | IS-20 | Policies an | NIST SP 800-53 R3: CM-3, CM-3 (2), CM-4, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9), SI-1, SI-2, SI-2 (2), SI-4, SI-5
Information Security | IS-21 | Ensure that | NIST SP 800-53 R3: SC-5, SI-3, SI-3 (1), SI-3 (2), SI-3 (3), SI-5, SI-7, SI-7 (1), SI-8
Information Security | IS-22 | Policies an | NIST SP 800-53 R3: IR-1, IR-2, IR-3, IR-4, IR-4 (1), IR-5, IR-7, IR-7 (1), IR-7 (2), IR-8
Information Security | IS-23 | Contractors | NIST SP 800-53 R3: IR-2, IR-6, IR-6 (1), IR-7, IR-7 (1), IR-7 (2), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SI-5
Information Security | IS-24 | In the even | NIST SP 800-53 R3: AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1), AU-9, AU-9 (2), AU-10, AU-10 (5), AU-11, IR-5, IR-7, IR-7 (1), IR-7 (2), IR-8, MP-5, MP-5 (2), MP-5 (4)
Information Security | IS-25 | Mechanisms | NIST SP 800-53 R3: IR-4, IR-4 (1), IR-5, IR-8
Information Security | IS-26 | Policies an | NIST SP 800-53 R3: AC-8, AC-20, AC-20 (1), AC-20 (2), PL-4
Information Security | IS-27 | Employees, | NIST SP 800-53 R3: PS-4
Information Security | IS-28 | Electronic | NIST SP 800-53 R3: AC-22, AU-10, AU-10 (5), SC-4, SC-8, SC-8 (1), SC-9, SC-9 (1)
Information Security | IS-29 | Access to, | NIST SP 800-53 R3: AU-9, AU-9 (2), AU-11, AU-14
Information Security | IS-30 | User access | NIST SP 800-53 R3: CM-7, CM-7 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5
Information Security | IS-31 | Network and | NIST SP 800-53 R3: CA-3, CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), SA-9, SA-9 (1)
Information Security | IS-32 | Policies an | NIST SP 800-53 R3: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-18, AC-18 (1), AC-18 (2), AC-19, AC-19 (1), AC-19 (2), AC-19 (3), MP-2, MP-2 (1), MP-4, MP-4 (1), MP-6, MP-6 (4)
Information Security | IS-33 | Access to a | NIST SP 800-53 R3: CM-5, CM-5 (1), CM-5 (5), CM-6, CM-6 (1), CM-6 (3)
Information Security | IS-34 | Utility pro | NIST SP 800-53 R3: AC-6, AC-6 (1), AC-6 (2), CM-7, CM-7 (1), SC-3, SC-19
Legal | LG-01 | Requirement | NIST SP 800-53 R3: PL-4, PS-6, SA-9, SA-9 (1)
Legal | LG-02 | Third party | NIST SP 800-53 R3: CA-3, MP-5, MP-5 (2), MP-5 (4), PS-7, SA-6, SA-7, SA-9, SA-9 (1)
Operations | OP-01 | Policies an | NIST SP 800-53 R3: CM-2, CM-2 (1), CM-2 (3)
NIST SP800
NIST SP 8 NIST SP 800-53 R3 CM-2 (5)
NIST SP80NIST SP 80NIST SP 800-53 R3 CM-3
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-3 (2)
NIST SP80NIST SP 80NIST SP 800-53 R3 CM-4
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-5
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-6
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-6 (1)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-6 (3)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-9
NIST SP800-53 R3 CM
NIST SP 800-53 R3 MA-4
NIST SP800-53 R3 C NIST SP 800-53 R3 MA-4 (1)
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-4 (2)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 SA-3
NIST SP800-53 R3 MA
NIST SP 800-53 R3 SA-4
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-4 (1)

OperationsOP-02

OperationsOP-03

OperationsOP-04

Risk Mana RI-01

NIST SP800-53 R3 S NIST SP 800-53 R3 SA-4 (4)


NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-5 (3)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-8
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-10
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-11
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-11 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-12
NIST SP800-53 R3 SA-11 (1)
NIST SP800-53 R3 SA-12

Information
system documentation
administrator
NIST SP80NIST
SP 8 NIST SP (e.g.,
800-53
R3 CP-9 and user guides, architecture diagrams, etc.
ConfiguringNIST SP800
NIST SP 8 NIST SP 800-53 R3 CP-9 (1)
Effectively NIST SP800
NIST SP 80NIST SP 800-53 R3 CP-9 (3)
NIST SP800-53 R3 C NIST SP 800-53 R3 CP-10
NIST SP800-53 R3 CP
NIST SP 800-53 R3 CP-10 (2)
NIST SP800-53 R3 CP
NIST SP 800-53 R3 CP-10 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-5
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-10
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11 (1)
The availabNIST SP80NIST SP 80NIST SP 800-53 R3 SA-4
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (4)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 MA-2
NIST SP800
NIST SP 8 NIST SP 800-53 R3 MA-2 (1)
NIST SP80NIST SP 8 NIST SP 800-53 R3 MA-3
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-3 (1)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-3 (2)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-3 (3)
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-4
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-4 (1)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-4 (2)
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-5
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-6
OrganizatioNIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AT-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-6
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-7
NIST SP 80NIST SP 800-53 R3 PL-1
NIST SP 8 NIST SP 800-53 R3 RA-1
NIST SP 8 NIST SP 800-53 R3 RA-2
NIST SP 8 NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)

Risk Mana RI-02

Risk ManagRI-03

Risk ManagRI-04

Risk ManagRI-05

Release MaRM-01

NIST SP 800-53 R3 SI-4 (5)


NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 CM-1
Aligned witNIST SP80NIST SP 8 NIST SP 800-53 R3 RA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 RA-2
NIST SP80NIST SP 8 NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 RA-3
Risks shallNIST SP80NIST SP 8 NIST SP 800-53 R3 CA-5
NIST SP80NIST SP 8 NIST SP 800-53 R3 CP-1
NIST SP 8 NIST SP 800-53 R3 RA-1
Risk assessNIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 AT-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP 8 NIST SP 800-53 R3 CP-1
NIST SP 80NIST SP 800-53 R3 IA-1
NIST SP 80NIST SP 800-53 R3 IR-1
NIST SP 8 NIST SP 800-53 R3 MA-1
NIST SP 8 NIST SP 800-53 R3 MP-1
NIST SP 80NIST SP 800-53 R3 PE-1
NIST SP 80NIST SP 800-53 R3 PL-1
NIST SP 80NIST SP 800-53 R3 PS-1
NIST SP 8 NIST SP 800-53 R3 RA-1
NIST SP 8 NIST SP 800-53 R3 RA-3
NIST SP 8 NIST SP 800-53 R3 SC-1
NIST SP 80NIST SP 800-53 R3 SI-1
The identif NIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AT-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP800
NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP 8 NIST SP 800-53 R3 CP-1
NIST SP 80NIST SP 800-53 R3 IA-1
NIST SP 80NIST SP 800-53 R3 IA-4
NIST SP 80NIST SP 800-53 R3 IA-5
NIST SP 80NIST SP 800-53 R3 IA-5 (1)
NIST SP 8 NIST SP 800-53 R3 IA-5 (2)
NIST SP 8 NIST SP 800-53 R3 IA-5 (3)
NIST SP 80NIST SP 800-53 R3 IA-5 (6)
NIST SP 80NIST SP 800-53 R3 IA-5 (7)
NIST SP 80NIST SP 800-53 R3 IA-8
NIST SP 8 NIST SP 800-53 R3 IR-1
NIST SP 80NIST SP 800-53 R3 MA-1
NIST SP 8 NIST SP 800-53 R3 MP-1
NIST SP 80NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1

Release MaRM-02

Release MaRM-03

NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1


NIST SP80NIST SP 80NIST SP 800-53 R3 CM-9
NIST SP80NIST SP 80NIST SP 800-53 R3 PL-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PL-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 SA-1
NIST SP80NIST SP 80NIST SP 800-53 R3 SA-3
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-4
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-4 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (4)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
NIST SP800-53 R3 SA-4 (7)
Changes toNIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-6
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-7
NIST SP800
NIST SP 8 NIST SP 800-53 R3 CA-7 (2)
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (3)
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (5)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-3
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-3 (2)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-5
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-5 (1)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-5 (5)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-6
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-6 (1)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-6 (3)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-9
NIST SP800-53 R3 PLNIST SP 800-53 R3 PL-2
NIST SP800-53 R3 PLNIST SP 800-53 R3 PL-5
NIST SP800-53 R3 PLNIST SP 800-53 R3 SI-2
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-2 (2)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-6
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-7
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-7 (1)
NIST SP800-53 R3 SI-7 (1)
A program N
f IST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (3)
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (5)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-3
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-4
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (4)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-5
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-8
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-10
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11 (1)

Release MRM-04

Release MaRM-05

Resiliency RS-01

Resiliency RS-02

NIST SP800-53 R3 SA-13


A program N
f IST SP80NIST SP 80NIST SP 800-53 R3 SA-4
NIST SP800
NIST SP 80NIST SP 800-53 R3 SA-4 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 SA-4 (4)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-5
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-8
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-9
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-9 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-10
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-12
NIST SP800-53 R3 SA-13
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-2
NIST SP800
NIST SP 8 NIST SP 800-53 R3 CM-2 (1)
NIST SP800
NIST SP 8 NIST SP 800-53 R3 CM-2 (3)
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (5)
NIST SP80NIST SP 80NIST SP 800-53 R3 CM-3
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-3 (2)
NIST SP80NIST SP 80NIST SP 800-53 R3 CM-5
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-5 (1)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-5 (5)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-7
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-7 (1)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-8
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-8 (1)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-8 (3)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-8 (5)
NIST SP800-53 R3 C NIST SP 800-53 R3 CM-9
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-6
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-7
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-1
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-3
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (1)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (2)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (3)
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-4
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (2)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (4)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (5)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (6)
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-7
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-7 (1)
Policy, pro NIST SP80NIST SP 8 NIST SP 800-53 R3 CP-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CP-2
NIST SP800-53 R3 CP
NIST SP 800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP
NIST SP 800-53 R3 CP-2 (2)

There
NIST
shallSP80NIST
be a defined
SP 8and
NIST
documented
SP 800-53method
R3 CP-1
for determining the impact of any disruption to th
Identify critical produ NIST SP 8 NIST SP 800-53 R3 CP-2

Resiliency RS-03

Resiliency RS-04

Resiliency RS-05

Resiliency RS-06

Identify all dependencNIST SP 8 NIST SP 800-53 R3 RA-3


Understand threats to critical products and services
Determine impacts resulting from planned or unplanned disruptions and how these vary over time
Establish the maximum tolerable period for disruption
Establish priorities for recovery
Establish recovery time objectives for resumption of critical products and services within their maximum to
Estimate the resources required for resumption

A consistent
NIST SP80NIST
unified framework
SP80NISTfor
SP800-53
businessR3
continuity
CP-1 planning and plan development shall be esta
Defined puNIST SP80NIST SP80NIST SP800-53 R3 CP-2
Accessible NIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (1)
Owned by aNIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (2)
Defined lin NIST SP80NIST SP80NIST SP800-53 R3 CP-3
Detailed r NIST SP80NIST SP80NIST SP800-53 R3 CP-4
Method for NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-4 (1)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-6
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-6 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-6 (3)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-7
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (2)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (3)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (5)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-9 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-9 (3)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-10
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-10 (2)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-10 (3)
NIST SP800-53 R3 P NIST SP800-53 R3 PE-17
Business co
NIST SP80NIST SP80NIST SP800-53 R3 CP-2
NIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (1)
NIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-3
NIST SP800-53 R3 C NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-4 (1)
Physical prNIST SP80NIST SP80NIST SP800-53 R3 PE-1
NIST SP80NIST SP80NIST SP800-53 R3 PE-13
NIST SP800
NIST SP80NIST SP800-53 R3 PE-13 (1)
NIST SP800
NIST SP80NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PENIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 P NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PENIST SP800-53 R3 PE-15
NIST SP800-53 R3 P NIST SP800-53 R3 PE-18
NIST SP800-53 R3 PE-18
To reduce tNIST SP80NIST SP80NIST SP800-53 R3 PE-1
NIST SP80NIST SP80NIST SP800-53 R3 PE-5
NIST SP80NIST SP80NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PENIST SP800-53 R3 PE-15
NIST SP800-53 R3 P NIST SP800-53 R3 PE-18
NIST SP800-53 R3 PE-18

Resiliency RS-07

Resiliency RS-08

Security A SA-01

Security ArSA-02

Security meNIST SP80NIST SP80NIST SP800-53 R3 CP-8


NIST SP800
NIST SP80NIST SP800-53 R3 CP-8 (1)
NIST SP800
NIST SP80NIST SP800-53 R3 CP-8 (2)
NIST SP80NIST SP80NIST SP800-53 R3 PE-1
NIST SP800-53 R3 P NIST SP800-53 R3 PE-9
NIST SP800-53 R3 P NIST SP800-53 R3 PE-10
NIST SP800-53 R3 PENIST SP800-53 R3 PE-11
NIST SP800-53 R3 PENIST SP800-53 R3 PE-12
NIST SP800-53 R3 P NIST SP800-53 R3 PE-13
NIST SP800-53 R3 P NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PENIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PENIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PENIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-14 (1)
Telecommuni
NIST SP80NIST SP80NIST SP800-53 R3 PE-1
NIST SP80NIST SP80NIST SP800-53 R3 PE-4
NIST SP80NIST SP800
NIST SP800-53 R3 PE-13
NIST SP800
NIST SP800
NIST SP800-53 R3 PE-13 (1)
NIST SP800
NIST SP800
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PENIST SP800-53 R3 PE-13 (3)
Prior to gr NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 CA-2 (1)
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-5
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-6

Implement
NIST SP80NIST
and enforce
SP(through
80NIST SP
automation)
800-53 R3user
AC-1
credential and password controls for application
User identitNIST SP80NIST SP 80NIST SP 800-53 R3 AC-2
If passwordNIST SP800
NIST SP 80NIST SP 800-53 R3 AC-3
Timely acceNIST SP800
NIST SP 80NIST SP 800-53 R3 AC-11
Remove/disa
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-11 (1)
Unique user
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2
Password ex
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2 (3)
Minimum pas
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-2 (4)
Strong passNIST SP800
NIST SP 80NIST SP 800-53 R3 AU-11
Allow passw
NIST SP80NIST SP 80NIST SP 800-53 R3 IA-1
User ID locNIST SP800
NIST SP 80NIST SP 800-53 R3 IA-2
User ID locNIST SP80NIST SP 80NIST SP 800-53 R3 IA-2 (1)
Re-enter paNIST SP800-53 R3 AUNIST SP 800-53 R3 IA-2 (2)
Maintain usNIST SP800-53 R3 AUNIST SP 800-53 R3 IA-2 (3)
NIST SP800-53 R3 AUNIST SP 800-53 R3 IA-2 (8)
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-5
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-5 (1)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (2)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (3)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (6)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (7)
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-6
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-8
NIST SP800-53 R3 IA-NIST SP 800-53 R3 SC-10
NIST SP800-53 R3 IA-5 (3)
NIST SP800-53 R3 IA-5 (6)
NIST SP800-53 R3 IA-5 (7)

Security ArSA-03

Security ArSA-04

Security ArSA-05

NIST SP800-53 R3 IA-6


NIST SP800-53 R3 IA-8
NIST SP800-53 R3 SC-10
Policies anNIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 AC-4
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-1
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-8
ApplicationNIST SP80NIST SP 8 NIST SP 800-53 R3 SA-8
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-2
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-4
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-5
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-6
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-7
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (1)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (2)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (13)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (18)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-8
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-8 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-9
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-9 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-10
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-11
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-12
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-12 (2)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-12 (5)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-13
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-13 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-14
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-17
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-18
NIST SP800-53 R3 SC-18 (4)
NIST SP800-53 R3 SC-20
NIST SP800-53 R3 SC-20 (1)
NIST SP800-53 R3 SC-21
NIST SP800-53 R3 SC-22
NIST SP800-53 R3 SC-23
Data input NIST SP800
NIST SP 80NIST SP 800-53 R3 SI-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 SI-2 (2)
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-3
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (1)
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-3 (2)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (3)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (2)
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-4 (4)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (5)

Security ArSA-06
Security ArSA-07

Security ArSA-08

Security ArSA-09

NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (6)


NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-6
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-7
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-7 (1)
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-9
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-10
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-11
Production NIST SP800-53 R3 S NIST SP 800-53 R3 SC-2
Multi-facto NIST SP80NIST SP 8 NIST SP 800-53 R3 AC-17
NIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-17 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-17 (2)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-17 (3)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-17 (4)
NIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-17 (5)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-17 (7)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-17 (8)
NIST SP800-53 R3 A NIST SP 800-53 R3 AC-20
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-20 (1)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-20 (2)
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-1
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-2
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-2 (1)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-2 (2)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-2 (3)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-2 (8)
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-4
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-4 (1)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-4 (2)
Network env
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-7
NIST SP800
NIST SP 8 NIST SP 800-53 R3 CM-7 (1)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (1)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (2)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)

System
and
network environments
separated
by firewalls to ensure the following requirements
NIST
SP80NIST
SP 8 NIST SP are
800-53
R3 AC-4
Business aNIST SP800-53 R3 S NIST SP 800-53 R3 SC-2
Security reNIST SP800-53 R3 S NIST SP 800-53 R3 SC-7
ComplianceNIST SP800-53 R3 S NIST SP 800-53 R3 SC-7 (1)
SeparationNIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (2)
Preserve prNIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (13)

Security ArSA-10

Security ArSA-11

Security ArSA-12

Security ArSA-13

Security ArSA-14

NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (18)
NIST SP800-53 R3 SC-7 (18)

Policies
NIST
and
SP80NIST
procedures
SP shall
80NIST
beSP
established
800-53 R3and
AC-1
mechanisms implemented to protect wireless net
Perimeter fNIST SP80NIST SP 8 NIST SP 800-53 R3 AC-18
Security seNIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-18 (1)
Logical andNIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-18 (2)
The capabilNIST SP800-53 R3 ACNIST SP 800-53 R3 CM-6
NIST SP800-53 R3 ACNIST SP 800-53 R3 CM-6 (1)
NIST SP800-53 R3 ACNIST SP 800-53 R3 CM-6 (3)
NIST SP800-53 R3 C NIST SP 800-53 R3 PE-4
NIST SP800-53 R3 CM
NIST SP 800-53 R3 SC-7
NIST SP800-53 R3 CM
NIST SP 800-53 R3 SC-7 (1)
NIST SP800-53 R3 P NIST SP 800-53 R3 SC-7 (2)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (13)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (18)
NIST SP800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC-7 (13)
NIST SP800-53 R3 SC-7 (18)
Access to sNIST SP80NIST SP 80NIST SP 800-53 R3 PE-4
NIST SP80NIST SP 8 NIST SP 800-53 R3 PL-2
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-1
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-4
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (1)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (2)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
An externalNIST SP80NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-8
NIST SP800-53 R3 AUNIST SP 800-53 R3 AU-8 (1)
AutomatedNIST
e
SP800
NIST SP 80NIST SP 800-53 R3 IA-3
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-4
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-4 (4)
Audit logs NIST SP80NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2 (3)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2 (4)
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-3
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-3 (1)
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-4

Security ArSA-15

NIST SP80NIST SP 80NIST SP 800-53 R3 AU-5


NIST SP80NIST SP 8 NIST SP 800-53 R3 AU-6
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-6 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-6 (3)
NIST SP800-53 R3 A NIST SP 800-53 R3 AU-7
NIST SP800-53 R3 AUNIST SP 800-53 R3 AU-7 (1)
NIST SP800-53 R3 A NIST SP 800-53 R3 AU-9
NIST SP800-53 R3 AUNIST SP 800-53 R3 AU-11
NIST SP800-53 R3 AUNIST SP 800-53 R3 AU-12
NIST SP800-53 R3 A NIST SP 800-53 R3 PE-2
NIST SP800-53 R3 A NIST SP 800-53 R3 PE-3
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-4
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (2)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (4)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (5)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SC-18
Mobile code
NIST SP800-53 R3 SC-18
NIST SP800-53 R3 SC-18 (4)

w these vary over time

rvices within their maximum tolerable period of disruption

Вам также может понравиться