Академический Документы
Профессиональный Документы
Культура Документы
2
Architectural Relevance
Control Area
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Scope Applicability
Tenant /
Consumer
Compliance - Audit
Planning
CO-01
CO-02
Compliance - Third
Party Audits
CO-03
Compliance - Contact /
Authority Maintenance
CO-04
CO-05
CO-06
DG-01
DG-02
DG-03
DG-04
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
DG-05
DG-06
DG-07
02/12/2015
Jericho Forum
NERC CIP
ME 2.1
ME 2.2
PO 9.5
PO 9.6
45 CFR 164.312(b)
Clause 4.2.3 e)
Clause 4.2.3b
Clause 5.1 g
Clause 6
A.15.3.1
CA-2
CA-7
PL-6
2.1.2.b
10.2.5
Commandment #1
Commandment #2
Commandment #3
DS5.5
ME2.5
ME 3.1
PO 9.6
Clause 4.2.3e
Clause 5.1 g
Clause 5.2.1 d)
Clause 6
A.6.1.8
CA-1
CA-2
CA-6
RA-5
11.2
11.3
6.6
12.1.2.b
1.2.5
1.2.7
4.2.1
8.2.7
10.2.3
10.2.5
Commandment #1
Commandment #2
Commandment #3
ME 2.6
DS 2.1
DS 2.4
45 CFR 164.308(b)(1)
45 CFR 164.308 (b)(4)
A.6.2.3
A.10.2.1
A.10.2.2
A.10.6.2
CA-3
SA-9
SA-12
SC-7
2.4
12.8.2
12.8.3
12.8.4
Appendix A
1.2.11
4.2.3
7.2.4
10.2.3
10.2.4
Commandment #1
Commandment #2
Commandment #3
ME 3.1
A.6.1.6
A.6.1.7
AT-5
IR-6
SI-5
11.1.e
12.5.3
12.9
L1
1.2.7
10.1.1
10.2.4
Commandment #1
Commandment #2
Commandment #3
ME 3.1
ISO/IEC 27001:2005
Clause 4.2.1 b) 2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d) 6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-7
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
RA-2
SA-1
SA-6
SC-1
SC-13
SI-1
1.2.2
1.2.4
1.2.6
1.2.11
3.2.4
5.2.1
Commandment #1
Commandment #2
Commandment #3
Clause 4.2.1
A.6.1.5
A.7.1.3
A.10.8.2
A.12.4.3
A.15.1.2
SA-6
SA-7
PM-5
L.4
A.6.1.3
A.7.1.2
A.15.1.4
CA-2
PM-5
PS-2
RA-2
SA-2
6.2.1
Commandment #6
Commandment #10
PO 2.3
DS 11.6
A.7.2.1
RA-2
AC-4
9.7.1
9.10
12.3
D.1.3, D.2.2
1.2.3
1.2.6
4.1.2
8.2.1
8.2.5
8.2.6
Commandment #9
CIP-003-3 - R4 - R5
PO 2.3
DS 11.6
A.7.2.2
A.10.7.1
A.10.7.3
A.10.8.1
AC-16
MP-1
MP-3
PE-16
SI-12
SC-9
9.5
9.6
9.7.1
9.7.2
9.10
D.2.2
1.1.2
5.1.0
7.1.2
8.1.0
8.2.5
8.2.6
Commandment #8
Commandment #9
Commandment #10
CIP-003-3 - R4 - R4.1
DS 4.1
DS 4.2
DS 4.5
DS 4.9
DS 11.6
CP-2
CP-6
CP-7
CP-8
CP-9
SI-12
AU-11
3.1
3.1.1
3.2
9.9.1
9.5
9.6
10.7
D.2.2.9
5.1.0
5.1.1
5.2.2
8.2.6
Commandment #11
CIP-003-3 - R4.1
DS 11.4
A.9.2.6
A.10.7.2
MP-6
PE-1
3.1.1
9.10
9.10.1
9.10.2
3.1
5.1.0
5.2.3
Commandment #11
45 CFR 164.308(a)(4)(ii)(B)
A.7.1.3
A.10.1.4
A.12.4.2
A.12.5.1
SA-11
CM-04
I.2.18
1.2.6
Commandment #9
Commandment #10
Commandment #11
CIP-003-3 - R6
A.10.6.2
A.12.5.4
AC-2
AC-3
AC-4
AC-6
AC-11
AU-13
PE-19
SC-28
SA-8
SI-7
I.2.18
7.2.1
8.1.0
8.1.1
8.2.1
8.2.2
8.2.5
8.2.6
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
Commandment #9
Commandment #10
Commandment #11
DS5.1
PO 2.3
DS 11.6
1 of 421
1.2
6.5.5
11.1
11.2
11.3
11.4
A.1
CIP-001-1a R3 - R4
Commandment #1
Commandment #2
Commandment #3
G.13
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
Scope Applicability
FedRAMP Security Controls
(Final Release, Jan 2012)
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
PO 9.1
PO 9.2
PO 9.4
DS 5.7
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 164.308(a)(8)
CA-3
RA-2
RA-3
MP-8
PM-9
SI-12
12.1
12.1.2
1.2.4
8.2.1
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
Commandment #9
Commandment #10
Commandment #11
DS5.7
DS 12.1
DS 12.4
DS 4.9
A.5.1.1
A.9.1.3
A.9.1.5
CA-2
PE-1
PE-6
PE-7
PE-8
9.1
9.2
9.3
9.4
8.1.0
8.1.1
8.2.1
Commandment #1
Commandment #2
Commandment #3
Commandment #5
45 CFR 164.310(a)(1)
45 CFR 164.310(a)(2)(ii)
45 CFR 164.310(b)
45 CFR 164.310 ( c) (New)
A.9.1.1
A.9.1.2
PE-2
PE-3
PE-4
PE-5
PE-6
9.1
8.2.1
8.2.2
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
Jericho Forum
NERC CIP
DG-08
FS-01
FS-02
FS-03
DS 12.3
A.9.1.1
PE-2
PE-3
PE-6
PE-18
9.1
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
FS-04
DS 12.2
DS 12.3
A.9.1.1
A.9.1.2
PE-2
PE-3
PE-6
PE-7
PE-8
PE-18
9.1
9.1.1
9.1.2
9.1.3
9.2
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
DS 12.3
A.9.1.6
PE-7
PE-16
PE-18
8.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
A.9.2.7
A.10.1.2
MA-1
MA-2
PE-16
F.2.18
8.2.5
8.2.6
Commandment #6
Commandment #7
45 CFR 164.310 (c )
45 CFR 164.310 (d)(1)
45 CFR 164.310 (d)(2)(i)
A.9.2.5
A.9.2.6
AC-17
MA-1
PE-1
PE-16
PE-17
F.2.18, F.2.19,
A.7.1.1
A.7.1.2
CM-8
9.9.1
12.3.3
12.3.4
D.1
A.8.1.2
PS-2
PS-3
12.7
12.8.3
E.2
E.2
1.2.9
Commandment #2
Commandment #3
Commandment #6
Commandment #9
12.4
12.8.2
E.3.5
C.1
1.2.9
8.2.6
Commandment #6
Commandment #7
E.6
8.2.2
10.2.5
Commandment #6
Commandment #7
12.1
12.2
A.1, B.1
8.2.1
Commandment #1
Commandment #2
CIP-001-1a - R1 - R2
CIP-003-3 - R1 - R1.1 - R4
CIP-006-3c R1
12.5
C.1
8.2.1
Commandment #3
Commandment #6
CIP-003-3 - R1 - R1.1
FS-05
FS-06
FS-07
Policies and procedures shall be established for Proposed v1.1 control revision redacted until
securing and asset management for the use
future revision due to potential mapping impact
and secure disposal of equipment maintained not yet considered:
and used outside the organization's premise.
Policies and procedures governing asset
management shall be established for secure
repurposing of equipment and resources prior
to tenant assignment or jurisdictional transport.
FS-08
Human Resources
Security - Background
Screening
HR-01
Human Resources
Security - Employment
Agreements
HR-02
PO 7.6
DS 2.1
45 CFR 164.310(a)(1)
45 CFR 164.308(a)(4)(i)
A.6.1.5
A.8.1.3
PL-4
PS-6
PS-7
PO 7.8
A.8.3.1
PS-4
PS-5
R2 DS5.2
R2 DS5.5
45 CFR 164.308(a)(1)(i)
45 CFR 164.308(a)(1)(ii)(B)
45 CFR 164.316(b)(1)(i)
45 CFR 164.308(a)(3)(i) (New)
45 CFR 164.306(a) (New)
Clause 4.2
Clause 5
A.6.1.1
A.6.1.2
A.6.1.3
A.6.1.4
A.6.1.5
A.6.1.6
A.6.1.7
A.6.1.8
PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
DS5.1
Clause 5
A.6.1.1
CM-1
PM-1
PM-11
9.8
9.9
G.21
Commandment #4
Commandment #5
Commandment #11
Commandment #6
Commandment #7
Commandment #8
CIP-004-3 - R2.2
HR-03
IS-01
IS-02
02/12/2015
2 of 421
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
Data
Scope Applicability
COBIT 4.1
IS-03
IS-04
IS-05
DS 5.2
DS 5.4
IS-06
IS-07
IS-08
IS-09
IS-10
IS-11
IS-12
IS-13
IS-14
02/12/2015
ISO/IEC 27001-2005
NIST SP800-53 R3
Clause 4.2.1
Clause 5
A.5.1.1
A.8.2.2
AC-1
AT-1
AU-1
CA-1
CM-1
IA-1
IR-1
MA-1
MP-1
MP-1
PE-1
PL-1
PS-1
SA-1
SC-1
SI-1
12.1
12.2
B.1
A.12.1.1
A.15.2.2
CM-2
SA-2
SA-4
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
Clause 4.2.3 f)
A.5.1.2
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IA-5
IR-1
MA-1
MP-1
PE-1
PL-1
PM-1
PS-1
RA-1
SA-1
SC-1
SI-1
12.1.3
B.1.33. B.1.34,
PO 7.7
A.8.2.3
PL-4
PS-1
PS-8
DS 5.4
A.11.1.1
A.11.2.1
A.11.2.4
A.11.4.1
A.11.5.2
A.11.6.1
AC-1
IA-1
3.5.1
8.5.1
12.5.4
DS5.4
A.11.2.1
A.11.2.2
A.11.4.1
A 11.4.2
A.11.6.1
AC-3
AC-5
AC-6
IA-2
IA-4
IA-5
IA-8
MA-5
PS-6
SA-7
SI-9
7.1
7.1.1
7.1.2
7.1.3
7.2.1
7.2.2
8.5.1
12.5.4
H.2.4, H.2.5,
DS 5.4
45 CFR 164.308(a)(3)(ii)(C)
ISO/IEC 27001:2005
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.2
AC-2
PS-4
PS-5
8.5.4
8.5.5
E.6.2, E.6.3
DS5.2
AI2.1
AI2.2
AI3.3
DS2.3
DS11.6
Jericho Forum
Commandment #1
Commandment #2
Commandment #3
L.2
1.2.6
8.2.1
8.2.7
Commandment #2
Commandment #4
Commandment #5
Commandment #11
B.2
1.2.1
8.2.7
10.2.3
Commandment #1
Commandment #2
Commandment #3
10.2.4
Commandment #6
Commandment #7
8.1.0
Commandment #6
Commandment #7
Commandment #8
8.2.2
Commandment #6
Commandment #7
Commandment #8
Commandment #9
Commandment #10
8.2.1
Commandment #6
Commandment #7
Commandment #8
CIP-004-3 R2.2.3
CIP-007-3 - R5.1.3 -R5.2.1 R5.2.3
8.2.1
8.2.7
Commandment #6
Commandment #7
Commandment #8
Commandment #10
CIP-004-3 R2.2.2
CIP-007-3 - R5 - R.1.3
1.2.10
8.2.1
Commandment #3
Commandment #6
CIP-004-3 - R1 - R2 - R2.1
B.1.5
DS5.3
DS5.4
A.11.2.4
AC-2
AU-6
PM-10
PS-6
PS-7
PO 7.4
Clause 5.2.2
A.8.2.2
AT-1
AT-2
AT-3
AT-4
A.6.1.7
AT-5
SI-5
C.1.8
DS5.1
Clause 5.1 c)
A.6.1.2
A.6.1.3
A.8.1.1
AT-3
PL-4
PM-10
PS-1
PS-6
PS-7
1.2.9
8.2.1
Commandment #6
Commandment #7
Commandment #8
DS5.3
DS5.4
DS5.5
Clause 5.2.2
A.8.2.1
A.8.2.2
A 11.2.4
A.15.2.1
AT-2
AT-3
CA-1
CA-5
CA-6
CA-7
PM-10
E.4
1.1.2
8.2.1
Commandment #6
Commandment #7
Commandment #8
B.1
H.2
12.6
12.6.1
12.6.2
E.4
NERC CIP
8.1.0
8.1.1
E.1
3 of 421
12.6.1
12.6.2
Commandment #1
Commandment #2
Commandment #3
E.1
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
IS-15
IS-16
IS-17
COBIT 4.1
IS-18
IS-19
IS-20
IS-21
IS-22
IS-23
ISO/IEC 27001-2005
NIST SP800-53 R3
DS 5.4
A.10.1.3
AC-1
AC-2
AC-5
AC-6
AU-1
AU-6
SI-1
SI-4
6.4.2
PO 4.6
Clause 5.2.2
A.8.2.2
A.11.3.1
A.11.3.2
AT-2
AT-3
AT-4
PL-4
8.5.7
12.6.1
E.4
Clause 5.2.2
A.8.2.2
A.9.1.5
A.11.3.1
A.11.3.2
A.11.3.3
AC-11
MP-2
MP-3
MP-4
E.4
02/12/2015
Scope Applicability
Tenant /
Consumer
Jericho Forum
8.2.2
Commandment #6
Commandment #7
Commandment #8
Commandment #10
E.1
1.2.10
8.2.1
Commandment #5
Commandment #6
Commandment #7
E.1
8.2.3
Commandment #5
Commandment #6
Commandment #7
Commandment #11
NERC CIP
CIP-007-3 R5.1.1
DS5.8
DS5.10
DS5.11
A.10.6.1
A.10.8.3
A.10.8.4
A.10.9.2
A.10.9.3
A.12.3.1
A.15.1.3
A.15.1.4
AC-18
IA-3
IA-7
SC-7
SC-8
SC-9
SC-13
SC-16
SC-23
SI-8
2.1.1
3.4
3.4.1
4.1
4.1.1
4.2
8.1.1
8.2.1
8.2.5
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
DS5.8
Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6
SC-12
SC-13
SC-17
SC-28
3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
L.6
8.1.1
8.2.1
8.2.5
Commandment #9
Commandment #10
Commandment #11
AI6.1
AI3.3
DS5.9
CM-3
CM-4
CP-10
RA-5
SA-7
SI-1
SI-2
SI-5
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
G.15.2, I.3
1.2.6
8.2.7
Commandment #4
Commandment #5
DS5.9
A.10.4.1
SA-7
SC-5
SI-3
SI-5
SI-7
SI-8
5.1
5.1.1
5.2
G.7
8.2.2
Commandment #4
Commandment #5
DS5.6
Clause 4.3.3
A.13.1.1
A.13.2.1
IR-1
IR-2
IR-3
IR-4
IR-5
IR-7
IR-8
12.9
12.9.1
12.9.2
12.9.3
12.9.4
12.9.5
12.9.6
J.1.1, J.1.2
J.1
1.2.4
1.2.7
7.1.2
7.2.2
7.2.4
10.2.1
10.2.4
Commandment #2
Commandment #6
Commandment #8
CIP-007-3 - R6.1
CIP-008-3 - R1
DS5.6
Clause 4.3.3
Clause 5.2.2
A.6.1.3
A.8.2.1
A.8.2.2
A.13.1.1
A.13.1.2
A.13.2.1
IR-2
IR-6
IR-7
SI-4
SI-5
12.5.2
12.5.3
J.1.1, E.4
J.1
E.1
1.2.7
1.2.10
7.1.2
7.2.2
7.2.4
10.2.4
Commandment #2
Commandment #6
Commandment #8
CIP-003-3 - R4.1
CIP-004-3 R3.3
4 of 421
I.4
CIP-003-3 - R4.2
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
Scope Applicability
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
Jericho Forum
NERC CIP
IS-24
DS5.6
Clause 4.3.3
Clause 5.2.2
A.8.2.2
A.8.2.3
A.13.2.3
A.15.1.3
AU-6
AU-7
AU-9
AU-11
IR-5
IR-7
IR-8
IS-25
DS 4.9
A.13.2.2
IR-4
IR-5
IR-8
IS-26
Policies and procedures shall be established for Proposed v1.1 control revision redacted until
the acceptable use of information assets.
future revision due to potential mapping impact
not yet considered:
DS 5.3
A.7.1.3
AC-8
AC-20
PL-4
B.3
8.1.0
A.7.1.1
A.7.1.2
A.8.3.2
PS-4
E.6.4
D.1
5.2.3
7.2.2
8.2.1
8.2.6
45 CFR 164.312(e)(1)
45 CFR 164.312(e)(2)(i)
A.7.2.1
A.10.6.1
A.10.6.2
A.10.9.1
A.10.9.2
A.15.1.4
AC-14
AC-21
AC-22
IA-8
AU-10
SC-4
SC-8
SC-9
2.1.1
4.1
4.1.1
4.2
G.4
G.11
G.16
G.18
I.3
I.4
3.2.4
4.2.3
7.1.2
7.2.1
7.2.2
8.2.1
8.2.5
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
DS 5.7
A.15.3.2
AU-9
AU-11
AU-14
10.5.5
8.2.1
Commandment #2
Commandment #5
Commandment #11
CIP-003-3 - R5.2
DS5.7
A.10.6.1
A.11.1.1
A.11.4.4
A.11.5.4
CM-7
MA-3
MA-4
MA-5
9.1.2
Commandment #3
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
CIP-007-3 - R2
A.6.2.3
A.10.6.2
SC-20
SC-21
SC-22
SC-23
SC-24
A.7.2.1
A.10.7.1
A.10.7.2
A.10.8.3
A.11.7.1
A.11.7.2
A.15.1.4
AC-17
AC-18
AC-19
MP-2
MP-4
MP-6
Clause 4.3.3
A.12.4.3
A.15.1.3
CM-5
CM-6
A.11.4.1
A 11.4.4
A.11.5.4
AC-5
AC-6
CM-7
SC-3
SC-19
ISO/IEC 27001:2005
Annex A.6.1.5
PL-4
PS-6
SA-9
IS-27
IS-28
IS-29
IS-30
IS-31
DS5.10
IS-32
DS5.11
DS5.5
IS-33
IS-34
DS 5.10 5.11
02/12/2015
LG-01
Utility programs capable of potentially overriding Proposed v1.1 control revision redacted until
system, object, network, virtual machine and
future revision due to potential mapping impact
application controls shall be restricted.
not yet considered:
J.1.2
CIP-004-3 R3.3
1.2.7
1.2.10
CIP-008-3 - R1.1
Commandment #1
Commandment #2
Commandment #3
C.2.6, G.9.9
C.2
8.2.2
8.2.5
Commandment #6
Commandment #7
Commandment #8
9.7
9.7.2
9.8
9.9
11.1
12.3
1.2.6
3.2.4
8.2.6
All
6.4.1
6.4.2
1.2.6
6.2.1
Commandment #6
Commandment #7
Commandment #9
Commandment #10
7.1.2
H.2.16
12.8.2
12.8.3
12.8.4
C.2.5
CIP-007-3 - R7.1
DS5.7
Legal - Non-Disclosure
Agreements
12.9.6
1.2.7
J.1
E.1
5 of 421
Commandment #1
Commandment #5
Commandment #6
Commandment #7
1.2.5
Commandment #6
Commandment #7
Commandment #8
Commandment #9
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
Phys
Network
Compute
Storage
App
Data
LG-02
Operations
Management - Policy
OP-01
Operations
Management Documentation
OP-02
Operations
Management Capacity / Resource
Planning
OP-03
Operations
Management Equipment
Maintenance
OP-04
RI-01
Scope Applicability
COBIT 4.1
02/12/2015
RI-02
RI-03
NIST SP800-53 R3
A.6.2.3
A10.2.1
A.10.8.2
A.11.4.6
A.11.6.1
A.12.3.1
A.12.5.4
CA-3
MP-5
PS-7
SA-6
SA-7
SA-9
2.4
12.8.2
DS13.1
Clause 5.1
A 8.1.1
A.8.2.1
A 8.2.2
A.10.1.1
CM-2
CM-3
CM-4
CM-5
CM-6
CM-9
MA-4
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-12
12.1
12.2
12.3
12.4
DS 9
DS 13.1
Clause 4.3.3
A.10.7.4
CP-9
CP-10
SA-5
SA-10
SA-11
12.1
12.2
12.3
12.4
DS 3
A.10.3.1
SA-4
DS5.11
Jericho Forum
1.2.5
Commandment #1
Commandment #4
Commandment #5
Commandment #6
Commandment #7
Commandment #8
G.1.1
8.2.1
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
G.1.1
1.2.6
Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11
G.5
1.2.4
Commandment #1
Commandment #2
Commandment #3
F.2.19
5.2.3
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
Commandment #2
Commandment #5
Commandment #11
C.2
NERC CIP
CIP-005-3a - R1.3
CIP-007-3 - R9
A13.3
A.9.2.4
MA-2
MA-3
MA-4
MA-5
MA-6
PO 9.1
AC-4
CA-2
CA-6
PM-9
RA-1
12.1.2
A.1, L.1
L.2
1.2.4
CIP-009-3 - R4
PO 9.4
PL-5
RA-2
RA-3
12.1.2
I.1
I.4
1.2.4
1.2.5
PO 9.5
CA-5
CM-4
I.4
L.2
ISO/IEC 27001-2005
6 of 421
CIP-009-3 - R1.2
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
Scope Applicability
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
Jericho Forum
RI-04
PO 9.6
Clause 4.2.3
Clause 4.2.4
Clause 4.3.1
Clause 5
Clause 7
A.5.1.2
A.10.1.2
A.10.2.3
A.14.1.2
A.15.2.1
A.15.2.2
CP-2
RA-2
RA-3
12.1.3
B.2
G.21
L.2
RI-05
DS 2.3
A.6.2.1
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.4
CA-3
MA-4
RA-3
12.8.1
12.8.2
12.8.3
12.8.4
B.1
H.2
RM-01
A12
A16.1
A.6.1.4
A.6.2.1
A.12.1.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.5
A.15.1.3
A.15.1.4
CA-1
CM-1
CM-9
PL-1
PL-2
SA-1
SA-3
SA-4
6.3.2
1.2.6
Commandment #1
Commandment #2
Commandment #3
RM-02
A.10.1.4
A.12.5.1
A.12.5.2
CA-1
CA-6
CA-7
CM-2
CM-3
CM-5
CM-6
CM-9
PL-2
PL-5
SI-2
SI-6
SI-7
1.1.1
6.3.2
6.4
6.1
1.2.6
Commandment #1
Commandment #2
Commandment #3
Commandment #11
RM-03
A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
CM-1
CM-2
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-13
9.1.0
9.1.1
9.2.1
9.2.2
Commandment #1
Commandment #2
Commandment #3
RM-04
A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
SA-12
SA-13
02/12/2015
A16.1
A17.6
PO 8.1
7 of 421
3.6.7
6.4.5.2
7.1.3
8.5.1
9.1
9.1.2
9.2b
9.3.1
10.5.2
11.5
12.3.1
12.3.3
C.2
I.1
I.2
I.4
NERC CIP
CIP-009-3 - R2
7.1.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
CIP-003-3 - R6
Commandment #1
Commandment #2
Commandment #3
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Supplier Relationship
SaaS
PaaS
IaaS
Service
Provider
Data
RM-05
RS-01
Resiliency - Impact
Analysis
RS-02
Resiliency - Business
Continuity Planning
RS-03
Resiliency - Business
Continuity Testing
RS-04
RS-05
Resiliency - Equipment
Location
RS-06
Resiliency - Equipment
Power Failures
RS-07
02/12/2015
Scope Applicability
Tenant /
Consumer
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
CM-1
CM-2
CM-3
CM-5
CM-7
CM-8
CM-9
SA-6
SA-7
SI-1
SI-3
SI-4
SI-7
Clause 4.3.2
A.14.1.1
A 14.1.4
CP-1
CP-2
ISO/IEC 27001:2005
A.14.1.2
A 14.1.4
RA-3
Clause 5.1
A.6.1.2
A.14.1.3
A.14.1.4
CP-1
CP-2
CP-3
CP-4
CP-6
CP-7
CP-8
CP-9
CP-10
PE-17
A.14.1.5
CP-2
CP-3
CP-4
A.9.1.4
A.9.2.1
PE-1
PE-13
PE-14
PE-15
PE-18
A.9.2.1
PE-1
PE-5
PE-14
PE-15
PE-18
A.9.2.2
A.9.2.3
A 9.2.4
CP-8
PE-1
PE-9
PE-10
PE-11
PE-12
PE-13
PE-14
PO 9.1
PO 9.2
DS 4.2
8 of 421
A.10.1.3
A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3
Jericho Forum
Commandment #1
Commandment #2
Commandment #3
K.2
Commandment #1
Commandment #2
Commandment #3
12.9.1
12.9.3
12.9.4
12.9.6
Commandment #1
Commandment #2
Commandment #3
12.9.2
Commandment #1
Commandment #2
Commandment #3
12.9.1
9.1.3
9.5
9.6
9.9
9.9.1
8.2.4
NERC CIP
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11
F.1
Commandment #1
Commandment #2
Commandment #3
F.1
Commandment #1
Commandment #2
Commandment #3
F.1
Commandment #1
Commandment #2
Commandment #3
CIP-004-3 R3.2
Resiliency - Power /
Telecommunications
Control ID
RS-08
Control Specification
Corp Gov
Relevance
Control Notes
Phys
Network
Compute
Storage
App
Data
Supplier Relationship
Scope Applicability
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
DS5.11
AI2.4
COBIT 4.1
SA-01
SA-02
SA-03
SA-04
X`
SA-05
SA-06
SA-07
02/12/2015
DS5.3
DS5.4
Jericho Forum
NERC CIP
A.9.2.2
A.9.2.3
PE-1
PE-4
PE-13
A.6.2.1
A.6.2.2
A.11.1.1
CA-1
CA-2
CA-5
CA-6
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.3
A.11.2.4
A.11.5.5
AC-1
AC-2
AC-3
AC-11
AU-2
AU-11
IA-1
IA-2
IA-5
IA-6
IA-8
SC-10
8.1
8.2,
8.3
8.4
8.5
10.1,
12.2,
12.3.8
A.10.8.1
A.10.8.2
A.11.1.1
A.11.6.1
A.11.4.6
A.12.3.1
A.12.5.4
A.15.1.4
AC-1
AC-4
SC-1
SC-16
2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c
8.3
10.5.5
11.5
1.1.0
1.2.2
1.2.6
4.2.3
5.2.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1
All
45 CFR 164.312(e)(2)(i)
A.11.5.6
A.11.6.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.5.2
A.12.5.4
A.12.5.5
A.12.6.1
A.15.2.1
G.16.3, I.3
I.4
1.2.6
Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11
CIP-007-3 - R5.1
A.10.9.2
A.10.9.3
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1
6.5
SC-2
SC-3
SC-4
SC-5
SC-6
SC-7
SC-8
SC-9
SC-10
SC-11
SC-12
SC-13
SC-14
SC-17
SC-18
SC-20
SC-21
SC-22
SI-10
SC-23
SI-11
SI-2
SI-3
SI-4
SI-6
SI-7
SI-9
6.3.1
6.3.2
G.16.3, I.3
I.4
1.2.6
Commandment #1
Commandment #9
Commandment #11
CIP-003-3 - R4.2
6.4.1
6.4.2
B.1
1.2.6
Commandment #1
Commandment #10
Commandment #11
45 CFR 164.308(a)(5)(ii)(c)
45 CFR 164.308 (a)(5)(ii)(D)
45 CFR 164.312 (a)(2)(i)
45 CFR 164.312 (a)(2)(iii)
45 CFR 164.312 (d)
DS5.7
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #9
Commandment #11
F.1
1.2.2
1.2.6
6.2.1
6.2.2
Commandment #6
Commandment #7
Commandment #8
Commandment #6
Commandment #7
Commandment #8
Commandment #9
CIP-004-3 R2.2.3
CIP-007-3 - R5.2 - R5.3.1 R5.3.2 - R5.3.3
A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3
SC-2
A.11.1.1
A.11.4.1
A.11.4.2
A.11.4.6
A.11.7.1
AC-17
AC-20
IA-1
IA-2
MA-4
B.1
8.2.2
Commandment #6
Commandment #7
Commandment #8
CIP-004-3 R3.1
A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4
SC-7
G.2
G.4
G.15
G.16
G.17
G.18
I.3
8.2.5
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R2.2.4
SA-08
NIST SP800-53 R3
ISO/IEC 27001-2005
9 of 421
1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
2.2.2
2.2.3
Control ID
Control Specification
Corp Gov
Relevance
Control Notes
Supplier Relationship
Scope Applicability
FedRAMP Security Controls
(Final Release, Jan 2012)
Phys
Network
Compute
Storage
App
Data
SaaS
PaaS
IaaS
Service
Provider
Tenant /
Consumer
DS5.10
A.11.4.5
A.11.6.1
A.11.6.2
A.15.1.4
AC-4
SC-2
SC-3
SC-7
1.1
1.2
1.2.1
1.3
1.4
G.17
DS5.5
DS5.7
DS5.8
DS5.10
A.7.1.1
A.7.1.2
A.7.1.3
A.9.2.1
A.9.2.4
A.10.6.1
A.10.6.2
A.10.8.1
A.10.8.3
A.10.8.5
A.10.10.2
A.11.2.1
A.11.4.3
A.11.4.5
A.11.4.6
A.11.4.7
A.12.3.1
A.12.3.2
AC-1
AC-18
CM-6
PE-4
SC-3
SC-7
1.2.3
2.1.1
4.1
4.1.1
11.1
9.1.3
D.1
B.3
F.1
G.4
G.15
G.17
G.18
A.10.8.1
A.11.1.1
A.11.6.2
A.11.4.6
PE-4
SC-4
SC-7
B.1
DS5.7
A.10.10.1
A.10.10.6
AU-1
AU-8
G.7
G.8
DS5.7
A.11.4.3
IA-3
IA-4
D.1.1, D.1.3
D.1
A.10.10.1
A.10.10.2
A.10.10.3
A.10.10.4
A.10.10.5
A.11.2.2
A.11.5.4
A.11.6.1
A.13.1.1
A.13.2.3
A.15.2.2
A.15.1.3
AU-1
AU-2
AU-3
AU-4
AU-5
AU-6
AU-7
AU-9
AU-11
AU-12
AU-14
SI-4
A.10.4.2
A.12.2.2
SC-18
SA-09
SA-10
SA-11
SA-12
SA-13
SA-14
SA-15
COBIT 4.1
ISO/IEC 27001-2005
NIST SP800-53 R3
DS5.5
DS5.6
DS9.2
10.4
10.1
10.2
10.3
10.5
10.6
10.7
11.4
12.5.2
12.9.5
G.20.12, I.2.5
Jericho Forum
NERC CIP
Commandment #1
Commandment #2
Commandment #3
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R3
8.2.5
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R3
CIP-007-3 - R6.1
8.2.5
Commandment #5
Commandment #6
Commandment #7
Commandment #9
Commandment #10
Commandment #11
CIP-004-3 R3 - R3.2
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
8.2.1
8.2.2
Commandment #6
Commandment #7
Commandment #11
CIP-007-3 - R6.5
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11
Copyright 2012 Cloud Security Alliance. All rights reserved. You may download,
store, display on your computer, view, print, and link to the Cloud Security Alliance
Cloud Controls Matrix (CCM) at http://www.cloudsecurityalliance.org subject to the
following: (a) the Cloud Controls Matrix may be used solely for your personal,
informational, non-commercial use; (b) the Cloud Controls Matrix may not be
modified or altered in any way; (c) the Cloud Controls Matrix may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed.
You may quote portions of the Cloud Controls Matrix as permitted by the Fair Use
provisions of the United States Copyright Act, provided that you attribute the portions
to the Cloud Security Alliance Cloud Controls Matrix Version 1.3 (2012). If you are
interested in obtaining a license to this material for other usages not addresses in
the copyright notice, please contact info@cloudsecurityalliance.org.
02/12/2015
10 of 421
Complianc CO-01
e Audit
Planning
NIST
NIST SP 800-53 R3 CA-2 (1)
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 CA-7
NIST
SP800-53
R3 CA-7
(2)
NIST
SP800-53
R3 PL-6
Complianc CO-02
e
Independe
nt Audits
Independe NIST
NIST SP 800-53 R3 CA-1
nt reviews SP800-53
and
R3 CA-1
assessme
nts shall
be
performed
at least
annually,
or at
planned
intervals,
to ensure
the
organizati
on is
compliant
with
policies,
procedure
s,
standards
and
applicable
regulatory
requireme
nts (i.e.,
internal/ex
ternal
audits,
certificatio
ns,
vulnerabilit
y and
penetratio
n testing)
NIST
NIST SP 800-53 R3 CA-2
SP800-53
R3 CA-2
NIST
NIST SP 800-53 R3 CA-2 (1)
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 RA-5
SP800-53
R3 RA-5
NIST
SP800-53
R3 RA-5
(1)
NIST
SP800-53
R3 RA-5
(2)
NIST
SP800-53
R3 RA-5
(3)
NIST
SP800-53
R3 RA-5
(9)
NIST
SP800-53
R3 RA-5
(6)
Complianc CO-03
e Third
Party
Audits
NIST
SP800-53
R3 SA-12
NIST
SP800-53
R3 SC-7
NIST
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
Complianc CO-04
e
Contact /
Authority
Maintenan
ce
Liaisons NIST
NIST SP 800-53 R3 IR-6
and points SP800-53
of contact R3 AT-5
with local
authorities
shall be
maintaine
d in
accordanc
e with
business
and
customer
requireme
nts and
complianc
e with
legislative,
regulatory,
and
contractua
l
requireme
nts. Data,
objects,
application
s,
infrastruct
ure and
hardware
may be
assigned
legislative
domain
and
jurisdiction
to facilitate NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 IR-6
NIST
SP800-53
R3 IR-6
(1)
NIST
SP800-53
R3 SI-5
Complianc CO-05
e
Informatio
n System
Regulatory
Mapping
Statutory,
regulatory,
and
contractua
l
requireme
nts shall
be defined
for all
elements
of the
informatio
n system.
The
organizati
on's
approach
to meet
known
requireme
nts, and
adapt to
new
mandates
shall be
explicitly
defined,
document
ed, and
kept up to
date for
each
informatio
n system
element in
the
organizati
NIST
NIST SP 800-53 R3 AC-1
SP800-53
R3 AC-1
NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 AT-1
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AU-1
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-1
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 CM-1
NIST
NIST SP 800-53 R3 CP-1
SP800-53
R3 CP-1
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 IA-1
NIST
NIST SP 800-53 R3 IA-7
SP800-53
R3 IA-7
NIST
NIST SP 800-53 R3 IR-1
SP800-53
R3 IR-1
NIST
NIST SP 800-53 R3 MA-1
SP800-53
R3 MA-1
NIST
NIST SP 800-53 R3 MP-1
SP800-53
R3 MP-1
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 PE-1
NIST
NIST SP 800-53 R3 PL-1
SP800-53
R3 PL-1
NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 PM-1
NIST
NIST SP 800-53 R3 RA-1
SP800-53
R3 PS-1
NIST
NIST SP 800-53 R3 RA-2
SP800-53
R3 RA-1
NIST
NIST SP 800-53 R3 SA-1
SP800-53
R3 RA-2
NIST
NIST SP 800-53 R3 SA-6
SP800-53
R3 SA-1
NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 SA-6
NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 SC-1
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 SC-13
NIST
SP800-53
R3 SC-13
(1)
NIST
SP800-53
R3 SI-1
Complianc CO-06
e
Intellectual
Property
Policy,
NIST
NIST SP 800-53 R3 SA-6
process
SP800-53
and
R3 SA-6
procedure
shall be
establishe
d and
implement
ed to
safeguard
intellectual
property
and the
use of
proprietary
software
within the
legislative
jurisdiction
and
contractua
l
constraints
governing
the
organizati
on.
NIST
NIST SP 800-53 R3 SA-7
SP800-53
R3 SA-7
NIST
SP800-53
R3 PM-5
Data
DG-01
Governan
ce
Ownership
/
Stewardsh
ip
All data
NIST
NIST SP 800-53 R3 CA-2
shall be
SP800-53
designate R3 CA-2
d with
stewardshi
p with
assigned
responsibil
ities
defined,
document
ed and
communic
ated.
NIST
NIST SP 800-53 R3 CA-2 (1)
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 PS-2
SP800-53
R3 PM-5
NIST
NIST SP 800-53 R3 RA-2
SP800-53
R3 PS-2
NIST
NIST SP 800-53 R3 SA-2
SP800-53
R3 RA-2
NIST
SP800-53
R3 SA-2
Data
DG-02
Governan
ce
Classificati
on
Data
DG-03
Governan
ce
Handling /
Labeling /
Security
Policy
Policies
NIST
NIST SP 800-53 R3 AC-1
and
SP800-53
procedure R3 AC-16
s shall be
establishe
d for
labeling,
handling
and
security of
data and
objects
which
contain
data.
Mechanis
ms for
label
inheritanc
e shall be
implement
ed for
objects
that act as
aggregate
containers
for data.
NIST
NIST SP 800-53 R3 MP-1
SP800-53
R3 MP-1
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 MP-3
NIST
NIST SP 800-53 R3 PE-16
SP800-53
R3 PE-16
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 SI-12
NIST
NIST SP 800-53 R3 SI-12
SP800-53
R3 SC-9
NIST
SP800-53
R3 SC-9
(1)
Data
DG-04
Governan
ce
Retention
Policy
Policies
NIST
NIST SP 800-53 R3 CP-2
and
SP800-53
procedure R3 CP-2
s for data
retention
and
storage
shall be
establishe
d and
backup or
redundanc
y
mechanis
ms
implement
ed to
ensure
complianc
e with
regulatory,
statutory,
contractua
l or
business
requireme
nts.
Testing the
recovery
of backups
must be
implement
ed at
planned
intervals.
NIST
NIST SP 800-53 R3 CP-9
SP800-53
R3 CP-2
(1)
NIST
SP800-53
R3 CP-2
(2)
NIST
SP800-53
R3 CP-6
NIST
SP800-53
R3 CP-6
(1)
NIST
SP800-53
R3 CP-6
(3)
NIST
SP800-53
R3 CP-7
NIST
SP800-53
R3 CP-7
(1)
NIST
SP800-53
R3 CP-7
(2)
NIST
SP800-53
R3 CP-7
(3)
NIST
SP800-53
R3 CP-7
(5)
NIST
SP800-53
R3 CP-8
NIST
SP800-53
R3 CP-8
(1)
NIST
SP800-53
R3 CP-8
(2)
NIST
SP800-53
R3 CP-9
NIST
SP800-53
R3 CP-9
(1)
NIST
SP800-53
R3 CP-9
(3)
NIST
SP800-53
R3 SI-12
NIST
SP800-53
R3 AU-11
Data
DG-05
Governan
ce
Secure
Disposal
Policies
NIST
NIST SP 800-53 R3 MP-6
and
SP800-53
procedure R3 MP-6
s shall be
establishe
d and
mechanis
ms
implement
ed for the
secure
disposal
and
complete
removal of
data from
all storage
media,
ensuring
data is not
recoverabl
e by any
computer
forensic
means.
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 MP-6
(4)
NIST
SP800-53
R3 PE-1
Data
DG-06
Governan
ce NonProduction
Data
Production NIST
data shall SP800-53
not be
R3 SA-11
replicated
or used in
nonproduction
environme
nts.
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 CM-04
Data
DG-07
Governan
ce
Informatio
n Leakage
Security NIST
NIST SP 800-53 R3 AC-1
mechanis SP800-53
ms shall R3 AC-2
be
implement
ed to
prevent
data
leakage.
NIST
NIST SP 800-53 R3 AC-2
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 AC-3
SP800-53
R3 AC-2
(2)
NIST
SP800-53
R3 AC-2
(3)
NIST
SP800-53
R3 AC-2
(4)
NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 AC-3
NIST
SP800-53
R3 AC-3
(3)
NIST
SP800-53
R3 AC-4
NIST
SP800-53
R3 AC-6
NIST
SP800-53
R3 AC-6
(1)
NIST
SP800-53
R3 AC-6
(2)
NIST
SP800-53
R3 AC-11
NIST
SP800-53
R3 AC-11
(1)
NIST
SP800-53
R3 AU-13
NIST
SP800-53
R3 PE-19
NIST
SP800-53
R3 SC-28
NIST
SP800-53
R3 SC-28
(1)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
Data
DG-08
Governan
ce Risk
Assessme
nts
Risk
NIST
NIST SP 800-53 R3 CA-3
assessme SP800-53
nts
R3 CA-3
associated
with data
governanc
e
requireme
nts shall
be
conducted
at planned
intervals
considerin
g the
following:
NIST
NIST SP 800-53 R3 RA-2
Awarenes SP800-53
s of where R3 RA-2
sensitive
data is
stored and
transmitte
d across
application
s,
databases
, servers
and
network
infrastruct
ure
NIST
NIST SP 800-53 R3 RA-3
Complianc SP800-53
e with
R3 RA-3
defined
retention
periods
and endof-life
disposal
requireme
nts
NIST
NIST SP 800-53 R3 SI-12
Data
SP800-53
classificati R3 MP-8
on and
protection
from
unauthoriz
ed use,
access,
loss,
destructio
n, and
falsificatio
n
NIST
SP800-53
R3 PM-9
NIST
SP800-53
R3 SI-12
Facility
FS-01
Security
Policy
Policies
NIST
NIST SP 800-53 R3 CA-2
and
SP800-53
procedure R3 CA-2
s shall be
establishe
d for
maintainin
g a safe
and
secure
working
environme
nt in
offices,
rooms,
facilities
and
secure
areas.
NIST
NIST SP 800-53 R3 CA-2 (1)
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 PE-1
NIST
NIST SP 800-53 R3 PE-6
SP800-53
R3 PE-6
NIST
NIST SP 800-53 R3 PE-7
SP800-53
R3 PE-6
(1)
NIST
NIST SP 800-53 R3 PE-8
SP800-53
R3 PE-7
NIST
SP800-53
R3 PE-7
(1)
NIST
SP800-53
R3 PE-8
Facility
FS-02
Security
User
Access
Physical NIST
NIST SP 800-53 R3 PE-2
access to SP800-53
informatio R3 PE-2
n assets
and
functions
by users
and
support
personnel
shall be
restricted.
NIST
NIST SP 800-53 R3 PE-3
SP800-53
R3 PE-2
(1)
NIST
NIST SP 800-53 R3 PE-6
SP800-53
R3 PE-3
NIST
SP800-53
R3 PE-4
NIST
SP800-53
R3 PE-5
NIST
SP800-53
R3 PE-6
NIST
SP800-53
R3 PE-6
(1)
Facility
FS-03
Security
Controlled
Access
Points
Physical NIST
NIST SP 800-53 R3 PE-2
security
SP800-53
perimeters R3 PE-2
(fences,
walls,
barriers,
guards,
gates,
electronic
surveillanc
e, physical
authentica
tion
mechanis
ms,
reception
desks and
security
patrols)
shall be
implement
ed to
safeguard
sensitive
data and
informatio
n systems.
NIST
NIST SP 800-53 R3 PE-3
SP800-53
R3 PE-2
(1)
NIST
NIST SP 800-53 R3 PE-6
SP800-53
R3 PE-3
NIST
SP800-53
R3 PE-6
NIST
SP800-53
R3 PE-6
(1)
NIST
SP800-53
R3 PE-18
Facility
FS-04
Security
Secure
Area
Authorizati
on
Ingress
NIST
NIST SP 800-53 R3 PE-2
and
SP800-53
egress to R3 PE-2
secure
areas shall
be
constraine
d and
monitored
by
physical
access
control
mechanis
ms to
ensure
that only
authorized
personnel
are
allowed
access.
NIST
NIST SP 800-53 R3 PE-3
SP800-53
R3 PE-2
(1)
NIST
NIST SP 800-53 R3 PE-6
SP800-53
R3 PE-3
NIST
NIST SP 800-53 R3 PE-7
SP800-53
R3 PE-6
NIST
NIST SP 800-53 R3 PE-8
SP800-53
R3 PE-6
(1)
NIST
SP800-53
R3 PE-7
NIST
SP800-53
R3 PE-7
(1)
NIST
SP800-53
R3 PE-8
NIST
SP800-53
R3 PE-18
Facility
FS-05
Security
Unauthoriz
ed
Persons
Entry
Ingress
NIST
NIST SP 800-53 R3 PE-7
and
SP800-53
egress
R3 PE-7
points
such as
service
areas and
other
points
where
unauthoriz
ed
personnel
may enter
the
premises
shall be
monitored,
controlled
and, if
possible,
isolated
from data
storage
and
processing
facilities to
percent
unauthoriz
ed data
corruption,
compromi
se and
loss.
NIST
NIST SP 800-53 R3 PE-16
SP800-53
R3 PE-7
(1)
NIST
SP800-53
R3 PE-16
NIST
SP800-53
R3 PE-18
Facility
FS-06
Security
Offsite
Authorizati
on
Authorizati NIST
NIST SP 800-53 R3 MA-1
on must
SP800-53
be
R3 MA-1
obtained
prior to
relocation
or transfer
of
hardware,
software
or data to
an offsite
premises.
NIST
NIST SP 800-53 R3 MA-2
SP800-53
R3 MA-2
NIST
NIST SP 800-53 R3 PE-16
SP800-53
R3 MA-2
(1)
NIST
SP800-53
R3 PE-16
Facility
FS-07
Security
Off-Site
Equipment
Policies
NIST
NIST SP 800-53 R3 AC-17
and
SP800-53
procedure R3 AC-17
s shall be
establishe
d for
securing
and asset
managem
ent for the
use and
secure
disposal of
equipment
maintaine
d and
used
outside
the
organizati
on's
premise.
NIST
NIST SP 800-53 R3 MA-1
SP800-53
R3 AC-17
(1)
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 AC-17
(2)
NIST
NIST SP 800-53 R3 PE-16
SP800-53
R3 AC-17
(3)
NIST
SP800-53
R3 AC-17
(4)
NIST
SP800-53
R3 AC-17
(5)
NIST
SP800-53
R3 AC-17
(7)
NIST
SP800-53
R3 AC-17
(8)
NIST
SP800-53
R3 MA-1
NIST
SP800-53
R3 PE-1
NIST
SP800-53
R3 PE-16
NIST
SP800-53
R3 PE-17
Facility
FS-08
Security
Asset
Managem
ent
A
NIST
NIST SP 800-53 R3 CM-8
complete SP800-53
inventory R3 CM-8
of critical
assets
shall be
maintaine
d with
ownership
defined
and
document
ed.
NIST
SP800-53
R3 CM-8
(1)
NIST
SP800-53
R3 CM-8
(3)
NIST
SP800-53
R3 CM-8
(5)
Human
HR-01
Resources
Security
Backgroun
d
Screening
Pursuant NIST
NIST SP 800-53 R3 PS-2
to local
SP800-53
laws,
R3 PS-2
regulation
s, ethics
and
contractua
l
constraints
all
employme
nt
candidates
,
contractor
s and third
parties will
be subject
to
backgroun
d
verification
proportion
al to the
data
classificati
on to be
accessed,
the
business
requireme
nts and
acceptable
risk.
NIST
NIST SP 800-53 R3 PS-3
SP800-53
R3 PS-3
Human
HR-02
Resources
Security
Employme
nt
Agreemen
ts
Prior to
NIST
NIST SP 800-53 R3 PS-1
granting SP800-53
individuals R3 PL-4
physical or
logical
access to
facilities,
systems or
data,
employees
,
contractor
s, third
party
users and
tenants
and/or
customers
shall
contractua
lly agree
and sign
equivalent
terms and
conditions
regarding
informatio
n security
responsibil
ities in
employme
nt or
service
contract.
NIST
NIST SP 800-53 R3 PS-2
SP800-53
R3 PS-6
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 PS-7
NIST SP 800-53 R3 PS-7
Human
HR-03
Resources
Employme
nt
Terminatio
n
NIST
NIST SP 800-53 R3 PS-4
SP800-53
R3 PS-5
NIST SP 800-53 R3 PS-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-8
Informatio IS-01
n Security
Managem
ent
Program
An
NIST
Informatio SP800-53
n Security R3 PM-1
Managem
ent
Program
(ISMP)
has been
developed
,
document
ed,
approved,
and
implement
ed that
includes
administra
tive,
technical,
and
physical
safeguard
s to
protect
assets and
data from
loss,
misuse,
unauthoriz
ed access,
disclosure,
alteration,
and
destructio
n. The
security
Risk NIST
managem SP800-53
ent
R3 PM-2
Security
policy
NIST
SP800-53
R3 PM-3
NIST
Organizati SP800-53
on of
R3 PM-4
informatio
n security
NIST
Asset
SP800-53
managem R3 PM-5
ent
NIST
Human
SP800-53
resources R3 PM-6
security
NIST
Physical SP800-53
and
R3 PM-7
environme
ntal
security
NIST
Communic SP800-53
ations and R3 PM-8
operations
managem
ent
Access
control
NIST
SP800-53
R3 PM-9
NIST
Informatio SP800-53
n systems R3 PM-10
acquisition
,
developm
ent, and
maintenan
ce
NIST
SP800-53
R3 PM-11
Informatio IS-02
n Security
Managem
ent
Support /
Involveme
nt
Executive NIST
NIST SP 800-53 R3 CM-1
and line
SP800-53
managem R3 CM-1
ent shall
take
formal
action to
support
informatio
n security
through
clear
document
ed
direction,
commitme
nt, explicit
assignmen
t and
verification
of
assignmen
t execution
NIST
SP800-53
R3 PM-1
NIST
SP800-53
R3 PM-11
Informatio IS-03
n Security
Policy
Managem NIST
NIST SP 800-53 R3 AC-1
ent shall SP800-53
approve a R3 AC-1
formal
informatio
n security
policy
document
which
shall be
communic
ated and
published
to
employees
,
contractor
s and
other
relevant
external
parties.
The
Informatio
n Security
Policy
shall
establish
the
direction
of the
organizati
on and
align to
best
practices,
regulatory, NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 AT-1
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AU-1
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-1
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 CM-1
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 IA-1
NIST
NIST SP 800-53 R3 IR-1
SP800-53
R3 IR-1
NIST
NIST SP 800-53 R3 MA-1
SP800-53
R3 MA-1
NIST
NIST SP 800-53 R3 MP-1
SP800-53
R3 MP-1
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 MP-1
NIST
NIST SP 800-53 R3 PL-1
SP800-53
R3 PE-1
NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 PL-1
NIST
NIST SP 800-53 R3 SA-1
SP800-53
R3 PS-1
NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 SA-1
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 SC-1
NIST
SP800-53
R3 SI-1
Informatio IS-04
n Security
Baseline
Requirem
ents
Baseline NIST
NIST SP 800-53 R3 CM-2
security
SP800-53
requireme R3 CM-2
nts shall
be
establishe
d and
applied to
the design
and
implement
ation of
(develope
d or
purchased
)
application
s,
databases
, systems,
and
network
infrastruct
ure and
informatio
n
processing
that
comply
with
policies,
standards
and
applicable
regulatory
requireme
nts.
NIST
NIST SP 800-53 R3 SA-2
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 CM-2
(3)
NIST
SP800-53
R3 CM-2
(5)
NIST
SP800-53
R3 SA-2
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
Informatio IS-05
n Security
Policy
Reviews
Managem NIST
NIST SP 800-53 R3 AC-1
ent shall SP800-53
review the R3 AC-1
informatio
n security
policy at
planned
intervals
or as a
result of
changes
to the
organizati
on to
ensure its
continuing
effectivene
ss and
accuracy.
NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 AT-1
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AU-1
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-1
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 CM-1
NIST
NIST SP 800-53 R3 CP-1
SP800-53
R3 CP-1
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 IA-1
NIST
NIST SP 800-53 R3 IA-5
SP800-53
R3 IA-5
NIST
NIST SP 800-53 R3 IA-5 (1)
SP800-53
R3 IA-5
(1)
NIST
NIST SP 800-53 R3 IR-1
SP800-53
R3 IA-5
(2)
NIST
NIST SP 800-53 R3 MA-1
SP800-53
R3 IA-5
(3)
NIST
NIST SP 800-53 R3 MP-1
SP800-53
R3 IA-5
(6)
NIST
NIST SP 800-53 R3 PE-1
SP800-53
R3 IA-5
(7)
NIST
NIST SP 800-53 R3 PL-1
SP800-53
R3 IR-1
NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 MA-1
NIST
NIST SP 800-53 R3 RA-1
SP800-53
R3 MP-1
NIST
NIST SP 800-53 R3 SA-1
SP800-53
R3 PE-1
NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 PL-1
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 PM-1
NIST
SP800-53
R3 PS-1
NIST
SP800-53
R3 RA-1
NIST
SP800-53
R3 SA-1
NIST
SP800-53
R3 SC-1
NIST
SP800-53
R3 SI-1
Informatio IS-06
n Security
Policy
Enforceme
nt
A formal NIST
NIST SP 800-53 R3 PL-4
disciplinar SP800-53
y or
R3 PL-4
sanction
policy
shall be
establishe
d for
employees
who have
violated
security
policies
and
procedure
s.
Employee
s shall be
made
aware of
what
action
might be
taken in
the event
of a
violation
and stated
as such in
the
policies
and
procedure
s.
NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 PS-1
NIST
NIST SP 800-53 R3 PS-8
SP800-53
R3 PS-8
Informatio IS-07
n Security
User
Access
Policy
User
NIST
NIST SP 800-53 R3 AC-1
access
SP800-53
policies
R3 AC-1
and
procedure
s shall be
document
ed,
approved
and
implement
ed for
granting
and
revoking
normal
and
privileged
access to
application
s,
databases
, and
server and
network
infrastruct
ure in
accordanc
e with
business,
security,
complianc
e and
service
level
agreement
(SLA)
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 IA-1
Informatio IS-08
n Security
User
Access
Restriction
/
Authorizati
on
Normal
NIST
NIST SP 800-53 R3 AC-3
and
SP800-53
privileged R3 AC-3
user
access to
application
s,
systems,
databases
, network
configurati
ons, and
sensitive
data and
functions
shall be
restricted
and
approved
by
managem
ent prior to
access
granted.
NIST
NIST SP 800-53 R3 IA-2
SP800-53
R3 AC-3
(3)
NIST
NIST SP 800-53 R3 IA-2 (1)
SP800-53
R3 AC-5
NIST
NIST SP 800-53 R3 IA-4
SP800-53
R3 AC-6
NIST
NIST SP 800-53 R3 IA-5
SP800-53
R3 AC-6
(1)
NIST
NIST SP 800-53 R3 IA-5 (1)
SP800-53
R3 AC-6
(2)
NIST
NIST SP 800-53 R3 IA-8
SP800-53
R3 IA-2
NIST
NIST SP 800-53 R3 MA-5
SP800-53
R3 IA-2
(1)
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 IA-2
(2)
NIST
NIST SP 800-53 R3 SA-7
SP800-53
R3 IA-2
(3)
NIST
SP800-53
R3 IA-2
(8)
NIST
SP800-53
R3 IA-4
NIST
SP800-53
R3 IA-4
(4)
NIST
SP800-53
R3 IA-5
NIST
SP800-53
R3 IA-5
(1)
NIST
SP800-53
R3 IA-5
(2)
NIST
SP800-53
R3 IA-5
(3)
NIST
SP800-53
R3 IA-5
(6)
NIST
SP800-53
R3 IA-5
(7)
NIST
SP800-53
R3 IA-8
NIST
SP800-53
R3 MA-5
NIST
SP800-53
R3 PS-6
NIST
SP800-53
R3 SA-7
NIST
SP800-53
R3 SI-9
Informatio IS-09
n Security
User
Access
Revocatio
n
Timely
NIST
NIST SP 800-53 R3 AC-2
deprovisio SP800-53
ning,
R3 AC-2
revocation
or
modificatio
n of user
access to
the
organizati
ons
systems,
informatio
n assets
and data
shall be
implement
ed upon
any
change in
status of
employees
,
contractor
s,
customers
, business
partners or
third
parties.
Any
change in
status is
intended
to include
terminatio
n of
NIST
NIST SP 800-53 R3 PS-4
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 PS-5
SP800-53
R3 AC-2
(2)
NIST
SP800-53
R3 AC-2
(3)
NIST
SP800-53
R3 AC-2
(4)
NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 PS-4
NIST
SP800-53
R3 PS-5
Informatio IS-10
n Security
User
Access
Reviews
NIST
NIST SP 800-53 R3 AU-6
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 AC-2
(2)
NIST
NIST SP 800-53 R3 PS-7
SP800-53
R3 AC-2
(3)
NIST
SP800-53
R3 AC-2
(4)
NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 AU-6
NIST
SP800-53
R3 AU-6
(1)
NIST
SP800-53
R3 AU-6
(3)
NIST
SP800-53
R3 PM-10
NIST
SP800-53
R3 PS-6
NIST
SP800-53
R3 PS-7
Informatio IS-11
n Security
Training /
Awarenes
s
A security NIST
NIST SP 800-53 R3 AT-1
awareness SP800-53
training
R3 AT-1
program
shall be
establishe
d for all
contractor
s, third
party
users and
employees
of the
organizati
on and
mandated
when
appropriat
e. All
individuals
with
access to
organizati
onal data
shall
receive
appropriat
e
awareness
training
and
regular
updates in
organizati
onal
procedure
s, process NIST
NIST SP 800-53 R3 AT-2
SP800-53
R3 AT-2
NIST
NIST SP 800-53 R3 AT-3
SP800-53
R3 AT-3
NIST
NIST SP 800-53 R3 AT-4
SP800-53
R3 AT-4
Informatio IS-12
n Security
Industry
Knowledg
e/
Benchmar
king
Industry
NIST
NIST SP 800-53 R3 SI-5
security
SP800-53
knowledge R3 AT-5
and
benchmar
king
through
networking
, specialist
security
forums,
and
profession
al
associatio
ns shall be
maintaine
d.
NIST
SP800-53
R3 SI-5
Informatio IS-13
n Security
Roles /
Responsib
ilities
NIST
NIST SP 800-53 R3 PS-1
SP800-53
R3 PL-4
NIST
NIST SP 800-53 R3 PS-2
SP800-53
R3 PM-10
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 PS-1
NIST
NIST SP 800-53 R3 PS-7
SP800-53
R3 PS-6
NIST
SP800-53
R3 PS-7
Informatio IS-14
n Security
Managem
ent
Oversight
Managers NIST
NIST SP 800-53 R3 AT-2
are
SP800-53
responsibl R3 AT-2
e for
maintainin
g
awareness
of and
complying
with
security
policies,
procedure
s and
standards
that are
relevant to
their area
of
responsibil
ity.
NIST
NIST SP 800-53 R3 AT-3
SP800-53
R3 AT-3
NIST
NIST SP 800-53 R3 AT-4
SP800-53
R3 CA-1
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-5
NIST
NIST SP 800-53 R3 CA-5
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 CA-7
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 CA-7
(2)
NIST
SP800-53
R3 PM-10
Informatio IS-15
n Security
Segregatio
n of Duties
Policies, NIST
NIST SP 800-53 R3 AC-1
process
SP800-53
and
R3 AC-1
procedure
s shall be
implement
ed to
enforce
and
assure
proper
segregatio
n of
duties. In
those
events
where
user-role
conflict-ofinterest
constraints
exist,
technical
controls
shall be in
place to
mitigate
any risks
arising
from
unauthoriz
ed or
unintentio
nal
modificatio
n or
misuse of NIST
NIST SP 800-53 R3 AC-2
SP800-53
R3 AC-2
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AC-2
(1)
NIST
NIST SP 800-53 R3 AU-2
SP800-53
R3 AC-2
(2)
NIST
NIST SP 800-53 R3 AU-6
SP800-53
R3 AC-2
(3)
NIST
SP800-53
R3 AC-2
(4)
NIST
SP800-53
R3 AC-2
(7)
NIST
SP800-53
R3 AC-5
NIST
SP800-53
R3 AC-6
NIST
SP800-53
R3 AC-6
(1)
NIST
SP800-53
R3 AC-6
(2)
NIST
SP800-53
R3 AU-1
NIST
SP800-53
R3 AU-6
NIST
SP800-53
R3 AU-6
(1)
NIST
SP800-53
R3 AU-6
(3)
NIST
SP800-53
R3 SI-1
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
Informatio IS-16
n Security
User
Responsib
ility
Users
NIST
NIST SP 800-53 R3 AT-2
shall be
SP800-53
made
R3 AT-2
aware of
their
responsibil
ities for:
NIST
NIST SP 800-53 R3 AT-3
Maintainin SP800-53
g
R3 AT-3
awareness
and
complianc
e with
published
security
policies,
procedure
s,
standards
and
applicable
regulatory
requireme
nts
NIST
NIST SP 800-53 R3 AT-4
Maintainin SP800-53
g a safe
R3 AT-4
and
secure
working
environme
nt
NIST
NIST SP 800-53 R3 PL-4
Leaving
SP800-53
unattende R3 PL-4
d
equipment
in a
secure
manner
Informatio IS-17
n Security
Workspac
e
Policies
NIST
NIST SP 800-53 R3 MP-1
and
SP800-53
procedure R3 AC-11
s shall be
establishe
d for
clearing
visible
document
s
containing
sensitive
data when
a
workspace
is
unattende
d and
enforceme
nt of
workstatio
n session
logout for
a period of
inactivity.
NIST
NIST SP 800-53 R3 MP-2
SP800-53
R3 AC-11
(1)
NIST
SP800-53
R3 MP-2
NIST
SP800-53
R3 MP-2
(1)
NIST
SP800-53
R3 MP-3
NIST
SP800-53
R3 MP-4
NIST
SP800-53
R3 MP-4
(1)
Informatio IS-18
n Security
Encryption
Policies
NIST
NIST SP 800-53 R3 AC-1
and
SP800-53
procedure R3 AC-18
s shall be
establishe
d and
mechanis
ms
implement
ed for
encrypting
sensitive
data in
storage
(e.g., file
servers,
databases
, and enduser
workstatio
ns) and
data in
transmissi
on (e.g.,
system
interfaces,
over public
networks,
and
electronic
messaging
).
NIST
NIST SP 800-53 R3 AC-18
SP800-53
R3 AC-18
(1)
NIST
NIST SP 800-53 R3 IA-7
SP800-53
R3 AC-18
(2)
NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 AC-18
(3)
NIST
NIST SP 800-53 R3 SC-7
SP800-53
R3 AC-18
(4)
NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 AC-18
(5)
NIST
SP800-53
R3 IA-3
NIST
SP800-53
R3 IA-7
NIST
SP800-53
R3 SC-7
NIST
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
NIST
SP800-53
R3 SC-8
NIST
SP800-53
R3 SC-8
(1)
NIST
SP800-53
R3 SC-9
NIST
SP800-53
R3 SC-9
(1)
NIST
SP800-53
R3 SC-13
NIST
SP800-53
R3 SC-13
(1)
NIST
SP800-53
R3 SC-16
NIST
SP800-53
R3 SC-23
NIST
SP800-53
R3 SI-8
Informatio IS-19
n Security
Encryption
Key
Managem
ent
Policies
NIST
NIST SP 800-53 R3 SC-12
and
SP800-53
procedure R3 SC-12
s shall be
establishe
d and
mechanis
ms
implement
ed for
effective
key
managem
ent to
support
encryption
of data in
storage
and in
transmissi
on.
NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 SC-12
(2)
NIST
SP800-53
R3 SC-12
(5)
NIST
SP800-53
R3 SC-13
NIST
SP800-53
R3 SC-13
(1)
NIST
SP800-53
R3 SC-17
NIST
SP800-53
R3 SC-28
NIST
SP800-53
R3 SC-28
(1)
Informatio IS-20
n Security
Vulnerabili
ty / Patch
Managem
ent
Policies
NIST
NIST SP 800-53 R3 CM-4
and
SP800-53
procedure R3 CM-3
s shall be
establishe
d and
mechanis
m
implement
ed for
vulnerabilit
y and
patch
managem
ent,
ensuring
that
application
, system,
and
network
device
vulnerabilit
ies are
evaluated
and
vendorsupplied
security
patches
applied in
a timely
manner
taking a
risk-based
approach
for
NIST
SP800-53
R3 CM-3
(2)
NIST
NIST SP 800-53 R3 RA-5
SP800-53
R3 CM-4
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 CP-10
NIST
NIST SP 800-53 R3 SI-2
SP800-53
R3 CP-10
(2)
NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 CP-10
(3)
NIST
SP800-53
R3 RA-5
NIST
SP800-53
R3 RA-5
(1)
NIST
SP800-53
R3 RA-5
(2)
NIST
SP800-53
R3 RA-5
(3)
NIST
SP800-53
R3 RA-5
(9)
NIST
SP800-53
R3 RA-5
(6)
NIST
SP800-53
R3 SA-7
NIST
SP800-53
R3 SI-1
NIST
SP800-53
R3 SI-2
NIST
SP800-53
R3 SI-2
(2)
NIST
SP800-53
R3 SI-5
Informatio IS-21
n Security
AntiVirus /
Malicious
Software
Ensure
NIST
NIST SP 800-53 R3 SC-5
that all
SP800-53
antivirus R3 SA-7
programs
are
capable of
detecting,
removing,
and
protecting
against all
known
types of
malicious
or
unauthoriz
ed
software
with
antivirus
signature
updates at
least every
12 hours.
NIST
NIST SP 800-53 R3 SI-3
SP800-53
R3 SC-5
NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 SI-3
NIST
SP800-53
R3 SI-3
(1)
NIST
SP800-53
R3 SI-3
(2)
NIST
SP800-53
R3 SI-3
(3)
NIST
SP800-53
R3 SI-5
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
NIST
SP800-53
R3 SI-8
Informatio IS-22
n Security
Incident
Managem
ent
Policies
NIST
NIST SP 800-53 R3 IR-1
and
SP800-53
procedure R3 IR-1
s shall be
establishe
d to triage
security
related
events
and
ensure
timely and
thorough
incident
managem
ent.
NIST
NIST SP 800-53 R3 IR-2
SP800-53
R3 IR-2
NIST
SP800-53
R3 IR-3
NIST
NIST SP 800-53 R3 IR-4
SP800-53
R3 IR-4
NIST
NIST SP 800-53 R3 IR-5
SP800-53
R3 IR-4
(1)
NIST
NIST SP 800-53 R3 IR-6
SP800-53
R3 IR-5
NIST
NIST SP 800-53 R3 IR-7
SP800-53
R3 IR-7
NIST
SP800-53
R3 IR-7
(1)
NIST
SP800-53
R3 IR-7
(2)
NIST
SP800-53
R3 IR-8
Informatio IS-23
n Security
Incident
Reporting
Contractor NIST
NIST SP 800-53 R3 IR-2
s,
SP800-53
employees R3 IR-2
and third
party
users shall
be made
aware of
their
responsibil
ity to
report all
informatio
n security
events in a
timely
manner.
Informatio
n security
events
shall be
reported
through
predefined
communic
ations
channels
in a
prompt
and
expedient
manner in
complianc
e with
statutory,
regulatory
and
NIST
NIST SP 800-53 R3 IR-6
SP800-53
R3 IR-6
NIST
NIST SP 800-53 R3 IR-7
SP800-53
R3 IR-6
(1)
NIST
NIST SP 800-53 R3 SI-5
SP800-53
R3 IR-7
NIST
SP800-53
R3 IR-7
(1)
NIST
SP800-53
R3 IR-7
(2)
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
NIST
SP800-53
R3 SI-5
Informatio IS-24
n Security
Incident
Response
Legal
Preparatio
n
In the
NIST
NIST SP 800-53 R3 AU-6
event a
SP800-53
follow-up R3 AU-6
action
concernin
g a person
or
organizati
on after an
informatio
n security
incident
requires
legal
action
proper
forensic
procedure
s including
chain of
custody
shall be
required
for
collection,
retention,
and
presentati
on of
evidence
to support
potential
legal
action
subject to
the
relevant
NIST
NIST SP 800-53 R3 AU-9
SP800-53
R3 AU-6
(1)
NIST
NIST SP 800-53 R3 AU-11
SP800-53
R3 AU-6
(3)
NIST
NIST SP 800-53 R3 IR-5
SP800-53
R3 AU-7
NIST
NIST SP 800-53 R3 IR-7
SP800-53
R3 AU-7
(1)
NIST
NIST SP 800-53 R3 IR-8
SP800-53
R3 AU-9
NIST
SP800-53
R3 AU-9
(2)
NIST
SP800-53
R3 AU-11
NIST
SP800-53
R3 IR-5
NIST
SP800-53
R3 IR-7
NIST
SP800-53
R3 IR-7
(1)
NIST
SP800-53
R3 IR-7
(2)
NIST
SP800-53
R3 IR-8
Informatio IS-25
n Security
Incident
Response
Metrics
Mechanis NIST
NIST SP 800-53 R3 IR-4
ms shall SP800-53
be put in R3 IR-4
place to
monitor
and
quantify
the types,
volumes,
and costs
of
informatio
n security
incidents.
NIST
NIST SP 800-53 R3 IR-5
SP800-53
R3 IR-4
(1)
NIST
NIST SP 800-53 R3 IR-8
SP800-53
R3 IR-5
NIST
SP800-53
R3 IR-8
Informatio IS-26
n Security
Acceptabl
e Use
Policies
NIST
NIST SP 800-53 R3 AC-2
and
SP800-53
procedure R3 AC-8
s shall be
establishe
d for the
acceptable
use of
informatio
n assets.
NIST
NIST SP 800-53 R3 AC-8
SP800-53
R3 AC-20
NIST
NIST SP 800-53 R3 AC-20
SP800-53
R3 AC-20
(1)
NIST
NIST SP 800-53 R3 PL-4
SP800-53
R3 AC-20
(2)
NIST
SP800-53
R3 PL-4
Informatio IS-27
n Security
Asset
Returns
Employee NIST
NIST SP 800-53 R3 PS-4
s,
SP800-53
contractor R3 PS-4
s and third
party
users
must
return all
assets
owned by
the
organizati
on within a
defined
and
document
ed time
frame
once the
employme
nt,
contract or
agreement
has been
terminated
.
Informatio IS-28
n Security
eCommer
ce
Transactio
ns
Electronic NIST
NIST SP 800-53 R3 AC-1
commerce SP800-53
(eR3 AC-14
commerce
) related
data
traversing
public
networks
shall be
appropriat
ely
classified
and
protected
from
fraudulent
activity,
unauthoriz
ed
disclosure
or
modificatio
n in such a
manner to
prevent
contract
dispute
and
compromi
se of data.
NIST
NIST SP 800-53 R3 AC-2
SP800-53
R3 AC-14
(1)
NIST
NIST SP 800-53 R3 AC-22
SP800-53
R3 AC-21
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 AC-22
NIST
SP800-53
R3 IA-8
NIST
SP800-53
R3 AU-10
NIST
SP800-53
R3 AU-10
(5)
NIST
SP800-53
R3 SC-4
NIST
SP800-53
R3 SC-8
NIST
SP800-53
R3 SC-8
(1)
NIST
SP800-53
R3 SC-9
NIST
SP800-53
R3 SC-9
(1)
Informatio IS-29
n Security
Audit
Tools
Access
NIST
SP800-53
R3 AU-9
(2)
NIST
SP800-53
R3 AU-11
NIST
SP800-53
R3 AU-14
Informatio IS-30
n Security
Diagnostic
/
Configurati
on Ports
Access
User
NIST
NIST SP 800-53 R3 CM-7
access to SP800-53
diagnostic R3 CM-7
and
configurati
on ports
shall be
restricted
to
authorized
individuals
and
application
s.
NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 CM-7
(1)
NIST
NIST SP 800-53 R3 MA-5
SP800-53
R3 MA-3
NIST
SP800-53
R3 MA-3
(1)
NIST
SP800-53
R3 MA-3
(2)
NIST
SP800-53
R3 MA-3
(3)
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
NIST
SP800-53
R3 MA-5
Informatio IS-31
n Security
Network /
Infrastruct
ure
Services
Network NIST
NIST SP 800-53 R3 CA-3
and
SP800-53
infrastruct R3 SC-20
ure
service
level
agreement
s (inhouse or
outsource
d) shall
clearly
document
security
controls,
capacity
and
service
levels, and
business
or
customer
requireme
nts.
NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 SC-20
(1)
NIST
SP800-53
R3 SC-21
NIST
SP800-53
R3 SC-22
NIST
SP800-53
R3 SC23NIST
SP800-53
R3 SC-24
Informatio IS-32
n Security
Portable /
Mobile
Devices
Policies
and
procedure
s shall be
establishe
d and
measures
implement
ed to
strictly
limit
access to
sensitive
data from
portable
and
mobile
devices,
such as
laptops,
cell
phones,
and
personal
digital
assistants
(PDAs),
which are
generally
higher-risk
than nonportable
devices
(e.g.,
desktop
computers
at the
NIST
NIST SP 800-53 R3 AC-17
SP800-53
R3 AC-17
NIST
NIST SP 800-53 R3 AC-18
SP800-53
R3 AC-17
(1)
NIST
NIST SP 800-53 R3 AC-19
SP800-53
R3 AC-17
(2)
NIST
NIST SP 800-53 R3 MP-2
SP800-53
R3 AC-17
(3)
NIST
NIST SP 800-53 R3 MP-6
SP800-53
R3 AC-17
(4)
NIST
SP800-53
R3 AC-17
(5)
NIST
SP800-53
R3 AC-17
(7)
NIST
SP800-53
R3 AC-17
(8)
NIST
SP800-53
R3 AC-18
NIST
SP800-53
R3 AC-18
(1)
NIST
SP800-53
R3 AC-18
(2)
NIST
SP800-53
R3 AC-18
(3)
NIST
SP800-53
R3 AC-18
(4)
NIST
SP800-53
R3 AC-18
(5)
NIST
SP800-53
R3 AC-19
NIST
SP800-53
R3 AC-19
(1)
NIST
SP800-53
R3 AC-19
(2)
NIST
SP800-53
R3 AC-19
(3)
NIST
SP800-53
R3 MP-2
NIST
SP800-53
R3 MP-2
(1)
NIST
SP800-53
R3 MP-4
NIST
SP800-53
R3 MP-4
(1)
NIST
SP800-53
R3 MP-6
NIST
SP800-53
R3 MP-6
(4)
Informatio IS-33
n Security
Source
Code
Access
Restriction
Access to NIST
application SP800-53
, program R3 CM-5
or object
source
code shall
be
restricted
to
authorized
personnel
on a need
to know
basis.
Records
shall be
maintaine
d
regarding
the
individual
granted
access,
reason for
access
and
version of
source
code
exposed.
NIST
SP800-53
R3 CM-5
(1)
NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
Informatio IS-34
n Security
Utility
Programs
Access
Utility
NIST
NIST SP 800-53 R3 CM-7
programs SP800-53
capable of R3 AC-5
potentially
overriding
system,
object,
network,
virtual
machine
and
application
controls
shall be
restricted.
NIST
SP800-53
R3 AC-6
NIST
SP800-53
R3 AC-6
(1)
NIST
SP800-53
R3 AC-6
(2)
NIST
SP800-53
R3 CM-7
NIST
SP800-53
R3 CM-7
(1)
NIST
SP800-53
R3 SC-3
NIST
SP800-53
R3 SC-19
Legal
LG-01
NonDisclosure
Agreemen
ts
Requirem NIST
NIST SP 800-53 R3 PL-4
ents for
SP800-53
nonR3 PL-4
disclosure
or
confidentia
lity
agreement
s reflecting
the
organizati
on's needs
for the
protection
of data
and
operationa
l details
shall be
identified,
document
ed and
reviewed
at planned
intervals.
NIST
NIST SP 800-53 R3 PS-6
SP800-53
R3 PS-6
NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 SA-9
NIST
SP800-53
R3 SA-9
(1)
Legal
LG-02
Third
Party
Agreemen
ts
NIST
SP800-53
R3 SA-9
NIST
SP800-53
R3 SA-9
(1)
Operation OP-01
s
Managem
ent
Policy
Policies
NIST
NIST SP 800-53 R3 CM-2
and
SP800-53
procedure R3 CM-2
s shall be
establishe
d and
made
available
for all
personnel
to
adequatel
y support
services
operations
role.
NIST
NIST SP 800-53 R3 CM-4
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 CM-6
SP800-53
R3 CM-2
(3)
NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 CM-2
(5)
NIST
NIST SP 800-53 R3 SA-3
SP800-53
R3 CM-3
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 CM-3
(2)
NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 CM-4
NIST
SP800-53
R3 CM-5
NIST
SP800-53
R3 CM-5
(1)
NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
NIST
SP800-53
R3 CM-9
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
NIST
SP800-53
R3 SA-3
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 SA-12
Operation OP-02
s
Managem
ent
Document
ation
Informatio NIST
NIST SP 800-53 R3 CP-9
n system SP800-53
document R3 CP-9
ation (e.g.,
administra
tor and
user
guides,
architectur
e
diagrams,
etc.) shall
be made
available
to
authorized
personnel
to ensure
the
following:
Configurin
g,
installing,
and
operating
the
informatio
n system
NIST
NIST SP 800-53 R3 CP-10
SP800-53
R3 CP-9
(1)
Effectively
using the
systems
security
features
NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 CP-9
(3)
NIST
SP800-53
R3 CP-10
NIST
SP800-53
R3 CP-10
(2)
NIST
SP800-53
R3 CP-10
(3)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
Operation OP-03
s
Managem
ent
Capacity /
Resource
Planning
The
NIST
NIST SP 800-53 R3 SA-4
availability, SP800-53
quality,
R3 SA-4
and
adequate
capacity
and
resources
shall be
planned,
prepared,
and
measured
to deliver
the
required
system
performan
ce in
accordanc
e with
regulatory,
contractua
l and
business
requireme
nts.
Projection
s of future
capacity
requireme
nts shall
be made
to mitigate
the risk of
system
overload. NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
Operation OP-04
s
Managem
ent
Equipment
Maintenan
ce
Policies
NIST
NIST SP 800-53 R3 MA-2
and
SP800-53
procedure R3 MA-2
s shall be
establishe
d for
equipment
maintenan
ce
ensuring
continuity
and
availability
of
operations
.
NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 MA-2
(1)
NIST
NIST SP 800-53 R3 MA-5
SP800-53
R3 MA-3
NIST
SP800-53
R3 MA-3
(1)
NIST
SP800-53
R3 MA-3
(2)
NIST
SP800-53
R3 MA-3
(3)
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
NIST
SP800-53
R3 MA-5
NIST
SP800-53
R3 MA-6
Risk
RI-01
Managem
ent
Program
Organizati NIST
NIST SP 800-53 R3 AC-1
ons shall SP800-53
develop
R3 AC-4
and
maintain
an
enterprise
risk
managem
ent
framework
to manage
risk to an
acceptable
level.
NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 CA-2
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 PM-9
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 RA-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3
Risk
RI-02
Managem
ent
Assessme
nts
Aligned
NIST
NIST SP 800-53 R3 CM-1
with the
SP800-53
enterprise- R3 PL-5
wide
framework
, formal
risk
assessme
nts shall
be
performed
at least
annually,
or at
planned
intervals,
determinin
g the
likelihood
and
impact of
all
identified
risks,
using
qualitative
and
quantitativ
e
methods.
The
likelihood
and
impact
associated
with
inherent NIST
NIST SP 800-53 R3 RA-1
SP800-53
R3 RA-2
NIST
NIST SP 800-53 R3 RA-2
SP800-53
R3 RA-3
NIST SP 800-53 R3 RA-3
Risk
RI-03
Managem
ent
Mitigation /
Acceptanc
e
NIST
NIST SP 800-53 R3 CP-1
SP800-53
R3 CM-4
Risk
RI-04
Managem
ent
Business /
Policy
Change
Impacts
NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 CP-2
(1)
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 CP-2
(2)
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 RA-2
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 RA-3
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
Risk
RI-05
Managem
ent Third
Party
Access
The
NIST
NIST SP 800-53 R3 AC-1
identificati SP800-53
on,
R3 CA-3
assessme
nt, and
prioritizatio
n of risks
posed by
business
processes
requiring
third party
access to
the
organizati
on's
informatio
n systems
and data
shall be
followed
by
coordinate
d
application
of
resources
to
minimize,
monitor,
and
measure
likelihood
and
impact of
unauthoriz
ed or
NIST
NIST SP 800-53 R3 AT-1
SP800-53
R3 MA-4
NIST
NIST SP 800-53 R3 AU-1
SP800-53
R3 MA-4
(1)
NIST
NIST SP 800-53 R3 CA-1
SP800-53
R3 MA-4
(2)
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 RA-3
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
Release RM-01
Managem
ent New
Developm
ent /
Acquisition
Policies
NIST
NIST SP 800-53 R3 CA-1
and
SP800-53
procedure R3 CA-1
s shall be
establishe
d for
managem
ent
authorizati
on for
developm
ent or
acquisition
of new
application
s,
systems,
databases
,
infrastruct
ure,
services,
operations
, and
facilities.
NIST
NIST SP 800-53 R3 CM-1
SP800-53
R3 CM-1
NIST
NIST SP 800-53 R3 PL-1
SP800-53
R3 CM-9
NIST
NIST SP 800-53 R3 PL-2
SP800-53
R3 PL-1
NIST
NIST SP 800-53 R3 SA-1
SP800-53
R3 PL-2
NIST
NIST SP 800-53 R3 SA-3
SP800-53
R3 PL-2
(2)
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 SA-1
NIST
SP800-53
R3 SA-3
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
Release RM-02
Managem
ent
Production
Changes
Changes NIST
NIST SP 800-53 R3 CA-1
to the
SP800-53
production R3 CA-1
environme
nt shall be
document
ed, tested
and
approved
prior to
implement
ation.
Production
software
and
hardware
changes
may
include
application
s,
systems,
databases
and
network
devices
requiring
patches,
service
packs, and
other
updates
and
modificatio
ns.
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 CA-6
NIST
NIST SP 800-53 R3 CA-7
SP800-53
R3 CA-7
NIST
NIST SP 800-53 R3 CM-2
SP800-53
R3 CA-7
(2)
NIST
NIST SP 800-53 R3 CM-6
SP800-53
R3 CM-2
NIST
NIST SP 800-53 R3 PL-2
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 PL-5
SP800-53
R3 CM-2
(3)
NIST
NIST SP 800-53 R3 SI-2
SP800-53
R3 CM-2
(5)
NIST
SP800-53
R3 CM-3
NIST
SP800-53
R3 CM-3
(2)
NIST
SP800-53
R3 CM-5
NIST
SP800-53
R3 CM-5
(1)
NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
NIST
SP800-53
R3 CM-9
NIST
SP800-53
R3 PL-2
NIST
SP800-53
R3 PL-2
(2)
NIST
SP800-53
R3 PL-5
NIST
SP800-53
R3 SI-2
NIST
SP800-53
R3 SI-2
(2)
NIST
SP800-53
R3 SI-6
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
Release RM-03
Managem
ent
Quality
Testing
A program NIST
NIST SP 800-53 R3 CM-1
for the
SP800-53
systematic R3 CM-1
monitoring
and
evaluation
to ensure
that
standards
of quality
are being
met shall
be
establishe
d for all
software
developed
by the
organizati
on. Quality
evaluation
and
acceptanc
e criteria
for
informatio
n systems,
upgrades,
and new
versions
shall be
establishe
d,
document
ed and
tests of
the
NIST
NIST SP 800-53 R3 CM-2
SP800-53
R3 CM-2
NIST
NIST SP 800-53 R3 SA-3
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 SA-4
SP800-53
R3 CM-2
(3)
NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 CM-2
(5)
NIST
SP800-53
R3 SA-3
NIST
SP800-53
R3 SA-4
NIST
SP800-53
R3 SA-4
(1)
NIST
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 SA-13
Release RM-04
Managem
ent
Outsource
d
Developm
ent
A program NIST
NIST SP 800-53 R3 SA-4
for the
SP800-53
systematic R3 SA-4
monitoring
and
evaluation
to ensure
that
standards
of quality
are being
met shall
be
establishe
d for all
outsource
d software
developm
ent. The
developm
ent of all
outsource
d software
shall be
supervised
and
monitored
by the
organizati
on and
must
include
security
requireme
nts,
independe
nt security NIST
NIST SP 800-53 R3 SA-5
SP800-53
R3 SA-4
(1)
NIST
NIST SP 800-53 R3 SA-9
SP800-53
R3 SA-4
(4)
NIST
SP800-53
R3 SA-4
(7)
NIST
SP800-53
R3 SA-5
NIST
SP800-53
R3 SA-5
(1)
NIST
SP800-53
R3 SA-5
(3)
NIST
SP800-53
R3 SA-8
NIST
SP800-53
R3 SA-9
NIST
SP800-53
R3 SA-9
(1)
NIST
SP800-53
R3 SA-10
NIST
SP800-53
R3 SA-11
NIST
SP800-53
R3 SA-11
(1)
NIST
SP800-53
R3 SA-12
NIST
SP800-53
R3 SA-13
Release RM-05
Managem
ent
Unauthoriz
ed
Software
Installation
s
Policies
NIST
NIST SP 800-53 R3 CM-1
and
SP800-53
procedure R3 CM-1
s shall be
establishe
d and
mechanis
ms
implement
ed to
restrict the
installation
of
unauthoriz
ed
software.
NIST
NIST SP 800-53 R3 CM-2
SP800-53
R3 CM-2
NIST
NIST SP 800-53 R3 CM-7
SP800-53
R3 CM-2
(1)
NIST
NIST SP 800-53 R3 CM-8
SP800-53
R3 CM-2
(3)
NIST
NIST SP 800-53 R3 SA-6
SP800-53
R3 CM-2
(5)
NIST
NIST SP 800-53 R3 SA-7
SP800-53
R3 CM-3
NIST
NIST SP 800-53 R3 SI-1
SP800-53
R3 CM-3
(2)
NIST
NIST SP 800-53 R3 SI-3
SP800-53
R3 CM-5
NIST
SP800-53
R3 CM-5
(1)
NIST
SP800-53
R3 CM-5
(5)
NIST
SP800-53
R3 CM-7
NIST
SP800-53
R3 CM-7
(1)
NIST
SP800-53
R3 CM-8
NIST
SP800-53
R3 CM-8
(1)
NIST
SP800-53
R3 CM-8
(3)
NIST
SP800-53
R3 CM-8
(5)
NIST
SP800-53
R3 CM-9
NIST
SP800-53
R3 SA-6
NIST
SP800-53
R3 SA-7
NIST
SP800-53
R3 SI-1
NIST
SP800-53
R3 SI-3
NIST
SP800-53
R3 SI-3
(1)
NIST
SP800-53
R3 SI-3
(2)
NIST
SP800-53
R3 SI-3
(3)
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
Resiliency RS-01
Managem
ent
Program
Policy,
NIST
NIST SP 800-53 R3 CP-1
process
SP800-53
and
R3 CP-1
procedure
s defining
business
continuity
and
disaster
recovery
shall be
put in
place to
minimize
the impact
of a
realized
risk event
on the
organizati
on to an
acceptable
level and
facilitate
recovery
of
informatio
n assets
(which
may be
the result
of, for
example,
natural
disasters,
accidents,
equipment NIST
NIST SP 800-53 R3 CP-2
SP800-53
R3 CP-2
NIST
SP800-53
R3 CP-2
(1)
NIST
SP800-53
R3 CP-2
(2)
Resiliency RS-02
Impact
Analysis
There
NIST
NIST SP 800-53 R3 CP-1
shall be a SP800-53
defined
R3 RA-3
and
document
ed method
for
determinin
g the
impact of
any
disruption
to the
organizati
on which
must
incorporat
e the
following:
Identify
critical
products
and
services
Identify all
dependen
cies,
including
processes,
application
s,
business
partners
and third
party
service
providers
Understan
d threats
to critical
products
and
services
Determine
impacts
resulting
from
planned or
unplanned
disruptions
and how
these vary
over time
Establish
the
maximum
tolerable
period for
disruption
Establish
priorities
for
recovery
Establish
recovery
time
objectives
for
resumptio
n of critical
products
and
services
within their
maximum
tolerable
period of
disruption
Estimate
the
resources
required
for
resumptio
n
Resiliency RS-03
Business
Continuity
Planning
A
consistent
unified
framework
for
business
continuity
planning
and plan
developm
ent shall
be
establishe
d,
document
ed and
adopted to
ensure all
business
continuity
plans are
consistent
in
addressin
g priorities
for testing
and
maintenan
ce and
informatio
n security
requireme
nts.
Requirem
ents for
business
continuity
Defined
purpose
and
scope,
aligned
with
relevant
dependen
cies
NIST
NIST SP800-53 R3 CP-1
SP800-53
R3 CP-1
NIST
NIST SP800-53 R3 CP-2
SP800-53
R3 CP-2
NIST
NIST SP800-53 R3 CP-3
Accessible SP800-53
to and
R3 CP-2
understoo (1)
d by those
who will
use them
Owned by
a named
person(s)
who is
responsibl
e for their
review,
update
and
approval
NIST
NIST SP800-53 R3 CP-4
SP800-53
R3 CP-2
(2)
NIST
NIST SP800-53 R3 CP-9
Defined
SP800-53
lines of
R3 CP-3
communic
ation,
roles and
responsibil
ities
NIST
NIST SP800-53 R3 CP-10
Detailed SP800-53
recovery R3 CP-4
procedure
s, manual
workaround
and
reference
informatio
n
NIST
Method for SP800-53
plan
R3 CP-4
invocation (1)
NIST
SP800-53
R3 CP-6
NIST
SP800-53
R3 CP-6
(1)
NIST
SP800-53
R3 CP-6
(3)
NIST
SP800-53
R3 CP-7
NIST
SP800-53
R3 CP-7
(1)
NIST
SP800-53
R3 CP-7
(2)
NIST
SP800-53
R3 CP-7
(3)
NIST
SP800-53
R3 CP-7
(5)
NIST
SP800-53
R3 CP-8
NIST
SP800-53
R3 CP-8
(1)
NIST
SP800-53
R3 CP-8
(2)
NIST
SP800-53
R3 CP-9
NIST
SP800-53
R3 CP-9
(1)
NIST
SP800-53
R3 CP-9
(3)
NIST
SP800-53
R3 CP-10
NIST
SP800-53
R3 CP-10
(2)
NIST
SP800-53
R3 CP-10
(3)
NIST
SP800-53
R3 PE-17
Resiliency RS-04
Business
Continuity
Testing
Business NIST
NIST SP800-53 R3 CP-2
continuity SP800-53
plans shall R3 CP-2
be subject
to test at
planned
intervals
or upon
significant
organizati
onal or
environme
ntal
changes
to ensure
continuing
effectivene
ss.
NIST
NIST SP800-53 R3 CP-3
SP800-53
R3 CP-2
(1)
NIST
NIST SP800-53 R3 CP-4
SP800-53
R3 CP-2
(2)
NIST
SP800-53
R3 CP-3
NIST
SP800-53
R3 CP-4
NIST
SP800-53
R3 CP-4
(1)
Resiliency RS-05
Environme
ntal Risks
Physical
protection
against
damage
from
natural
causes
and
disasters
as well as
deliberate
attacks
including
fire, flood,
atmospher
ic
electrical
discharge,
solar
induced
geomagne
tic storm,
wind,
earthquak
e,
tsunami,
explosion,
nuclear
mishap,
volcanic
activity,
biological
hazard,
civil
unrest,
mudslide,
tectonic
NIST
NIST SP800-53 R3 PE-1
SP800-53
R3 PE-1
NIST
NIST SP800-53 R3 PE-13
SP800-53
R3 PE-13
NIST
NIST SP800-53 R3 PE-14
SP800-53
R3 PE-13
(1)
NIST
NIST SP800-53 R3 PE-15
SP800-53
R3 PE-13
(2)
NIST
SP800-53
R3 PE-13
(3)
NIST
SP800-53
R3 PE-14
NIST
SP800-53
R3 PE-14
(1)
NIST
SP800-53
R3 PE-15
NIST
SP800-53
R3 PE-18
Resiliency RS-06
Equipment
Location
To reduce NIST
NIST SP800-53 R3 PE-1
the risks SP800-53
from
R3 PE-1
environme
ntal
threats,
hazards
and
opportuniti
es for
unauthoriz
ed access
equipment
shall be
located
away from
locations
subject to
high
probability
environme
ntal risks
and
suppleme
nted by
redundant
equipment
located a
reasonabl
e distance.
NIST
NIST SP800-53 R3 PE-14
SP800-53
R3 PE-5
NIST
NIST SP800-53 R3 PE-15
SP800-53
R3 PE-14
NIST
SP800-53
R3 PE-14
(1)
NIST
SP800-53
R3 PE-15
NIST
SP800-53
R3 PE-18
Resiliency RS-07
Equipment
Power
Failures
Security NIST
NIST SP800-53 R3 PE-1
mechanis SP800-53
ms and
R3 CP-8
redundanc
ies shall
be
implement
ed to
protect
equipment
from utility
service
outages
(e.g.,
power
failures,
network
disruptions
, etc.).
NIST
NIST SP800-53 R3 PE-12
SP800-53
R3 CP-8
(1)
NIST
NIST SP800-53 R3 PE-13
SP800-53
R3 CP-8
(2)
NIST
NIST SP800-53 R3 PE-14
SP800-53
R3 PE-1
NIST
SP800-53
R3 PE-9
NIST
SP800-53
R3 PE-10
NIST
SP800-53
R3 PE-11
NIST
SP800-53
R3 PE-11
(1)
NIST
SP800-53
R3 PE-12
NIST
SP800-53
R3 PE-13
NIST
SP800-53
R3 PE-13
(1)
NIST
SP800-53
R3 PE-13
(2)
NIST
SP800-53
R3 PE-13
(3)
NIST
SP800-53
R3 PE-14
NIST
SP800-53
R3 PE-14
(1)
Resiliency RS-08
Power /
Telecomm
unications
Telecomm NIST
NIST SP800-53 R3 PE-1
unications SP800-53
equipment R3 PE-1
, cabling
and relays
transcevin
g data or
supporting
services
shall be
protected
from
interceptio
n or
damage
and
designed
with
redundanc
ies,
alternative
power
source
and
alternative
routing.
NIST
NIST SP800-53 R3 PE-13
SP800-53
R3 PE-4
NIST
NIST SP800-53 R3 PE-13 (1)
SP800-53
R3 PE-13
NIST
NIST SP800-53 R3 PE-13 (2)
SP800-53
R3 PE-13
(1)
NIST
NIST SP800-53 R3 PE-13 (3)
SP800-53
R3 PE-13
(2)
NIST
SP800-53
R3 PE-13
(3)
Security SA-01
Architectur
e
Customer
Access
Requirem
ents
Prior to
NIST
NIST SP 800-53 R3 CA-1
granting SP800-53
customers R3 CA-1
access to
data,
assets and
informatio
n systems,
all
identified
security,
contractua
l and
regulatory
requireme
nts for
customer
access
shall be
addressed
and
remediate
d.
NIST
NIST SP 800-53 R3 CA-2
SP800-53
R3 CA-2
NIST
NIST SP 800-53 R3 CA-2 (1)
SP800-53
R3 CA-2
(1)
NIST
NIST SP 800-53 R3 CA-5
SP800-53
R3 CA-5
NIST
NIST SP 800-53 R3 CA-6
SP800-53
R3 CA-6
Security SA-02
Architectur
e User
ID
Credential
s
Implement NIST
NIST SP 800-53 R3 AC-1
and
SP800-53
enforce
R3 AC-1
(through
automatio
n) user
credential
and
password
controls
for
application
s,
databases
and server
and
network
infrastruct
ure,
requiring
the
following
minimum
standards:
NIST
NIST SP 800-53 R3 AC-2
User
SP800-53
identity
R3 AC-2
verification
prior to
password
resets.
If
NIST
NIST SP 800-53 R3 AC-3
password SP800-53
reset
R3 AC-2
initiated by (1)
personnel
other than
user (i.e.,
administra
tor),
especially
if
communic
ated in
plaintext
(i.e, via
email),
password
must be
immediatel
y changed
by user
upon first
use.
Timely
access
revocation
for
terminated
users.
NIST
NIST SP 800-53 R3 AU-2
SP800-53
R3 AC-2
(2)
NIST
NIST SP 800-53 R3 AU-11
Remove/di SP800-53
sable
R3 AC-2
inactive
(3)
user
accounts
at least
every 90
days.
Unique
user IDs
and
disallow
group,
shared, or
generic
accounts
and
passwords
.
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 AC-2
(4)
Password
expiration
at least
every 90
days.
NIST
NIST SP 800-53 R3 IA-2
SP800-53
R3 AC-2
(7)
NIST
NIST SP 800-53 R3 IA-2 (1)
Minimum SP800-53
password R3 AC-3
length of
at least
seven (7)
characters
.
Strong
passwords
containing
both
numeric
and
alphabetic
characters
.
NIST
NIST SP 800-53 R3 IA-5
SP800-53
R3 AC-3
(3)
NIST
NIST SP 800-53 R3 IA-5 (1)
Allow
SP800-53
password R3 AC-11
re-use
after the
last four
(4)
passwords
used.
User ID
lockout
after not
more than
six (6)
attempts.
NIST
NIST SP 800-53 R3 IA-6
SP800-53
R3 AC-11
(1)
NIST
NIST SP 800-53 R3 IA-8
User ID
SP800-53
lockout
R3 AU-2
duration to
a
minimum
of 30
minutes or
until
administra
tor
enables
the user
ID.
Reenter
password
to
reactivate
terminal
after
session
idle time
for more
than 15
minutes.
NIST
SP800-53
R3 AU-2
(3)
Maintain
user
activity
logs for
privileged
access or
access to
sensitive
data.
NIST
SP800-53
R3 AU-2
(4)
NIST
SP800-53
R3 AU-11
NIST
SP800-53
R3 IA-1
NIST
SP800-53
R3 IA-2
NIST
SP800-53
R3 IA-2
(1)
NIST
SP800-53
R3 IA-2
(2)
NIST
SP800-53
R3 IA-2
(3)
NIST
SP800-53
R3 IA-2
(8)
NIST
SP800-53
R3 IA-5
NIST
SP800-53
R3 IA-5
(1)
NIST
SP800-53
R3 IA-5
(2)
NIST
SP800-53
R3 IA-5
(3)
NIST
SP800-53
R3 IA-5
(6)
NIST
SP800-53
R3 IA-5
(7)
NIST
SP800-53
R3 IA-6
NIST
SP800-53
R3 IA-8
NIST
SP800-53
R3 SC-10
Security SA-03
Architectur
e Data
Security /
Integrity
Policies
NIST
NIST SP 800-53 R3 AC-1
and
SP800-53
procedure R3 AC-1
s shall be
establishe
d and
mechanis
ms
implement
ed to
ensure
security
(e.g.,
encryption
, access
controls,
and
leakage
prevention
) and
integrity of
data
exchange
d between
one or
more
system
interfaces,
jurisdiction
s, or with a
third party
shared
services
provider to
prevent
improper
disclosure, NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 AC-4
NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 SC-1
NIST
SP800-53
R3 SC-16
Security SA-04
Architectur
e
Applicatio
n Security
Applicatio NIST
NIST SP 800-53 R3 SC-5
ns shall be SP800-53
designed R3 SC-2
in
accordanc
e with
industry
accepted
security
standards
(i.e.,
OWASP
for web
application
s) and
complies
with
applicable
regulatory
and
business
requireme
nts.
NIST
NIST SP 800-53 R3 SC-6
SP800-53
R3 SC-3
NIST
NIST SP 800-53 R3 SC-7
SP800-53
R3 SC-4
NIST
NIST SP 800-53 R3 SC-12
SP800-53
R3 SC-5
NIST
NIST SP 800-53 R3 SC-13
SP800-53
R3 SC-6
NIST
NIST SP 800-53 R3 SC-14
SP800-53
R3 SC-7
NIST
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
NIST
SP800-53
R3 SC-8
NIST
SP800-53
R3 SC-8
(1)
NIST
SP800-53
R3 SC-9
NIST
SP800-53
R3 SC-9
(1)
NIST
SP800-53
R3 SC-10
NIST
SP800-53
R3 SC-11
NIST
SP800-53
R3 SC-12
NIST
SP800-53
R3 SC-12
(2)
NIST
SP800-53
R3 SC-12
(5)
NIST
SP800-53
R3 SC-13
NIST
SP800-53
R3 SC-13
(1)
NIST
SP800-53
R3 SC-14
NIST
SP800-53
R3 SC-17
NIST
SP800-53
R3 SC-18
NIST
SP800-53
R3 SC-18
(4)
NIST
SP800-53
R3 SC-20
NIST
SP800-53
R3 SC-20
(1)
NIST
SP800-53
R3 SC-21
NIST
SP800-53
R3 SC-22
NIST
SP800-53
R3 SC-23
Security SA-05
Architectur
e Data
Integrity
NIST
NIST SP 800-53 R3 SI-3
SP800-53
R3 SI-11
NIST
SP800-53
R3 SI-2
NIST
SP800-53
R3 SI-2
(2)
NIST
SP800-53
R3 SI-3
NIST
SP800-53
R3 SI-3
(1)
NIST
SP800-53
R3 SI-3
(2)
NIST
SP800-53
R3 SI-3
(3)
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
NIST
SP800-53
R3 SI-6
NIST
SP800-53
R3 SI-7
NIST
SP800-53
R3 SI-7
(1)
NIST
SP800-53
R3 SI-9
Security SA-06
Architectur
e
Production
/ NonProduction
Environme
nts
Production NIST
and non- SP800-53
production R3 SC-2
environme
nts shall
be
separated
to prevent
unauthoriz
ed access
or
changes
to
informatio
n assets.
Security SA-07
Architectur
e
Remote
User MultiFactor
Authentica
tion
MultiNIST
NIST SP 800-53 R3 AC-17
factor
SP800-53
authentica R3 AC-17
tion is
required
for all
remote
user
access.
NIST
NIST SP 800-53 R3 AC-20
SP800-53
R3 AC-17
(1)
NIST
NIST SP 800-53 R3 IA-1
SP800-53
R3 AC-17
(2)
NIST
NIST SP 800-53 R3 IA-2
SP800-53
R3 AC-17
(3)
NIST
NIST SP 800-53 R3 IA-2 (1)
SP800-53
R3 AC-17
(4)
NIST
NIST SP 800-53 R3 MA-4
SP800-53
R3 AC-17
(5)
NIST
SP800-53
R3 AC-17
(7)
NIST
SP800-53
R3 AC-17
(8)
NIST
SP800-53
R3 AC-20
NIST
SP800-53
R3 AC-20
(1)
NIST
SP800-53
R3 AC-20
(2)
NIST
SP800-53
R3 IA-1
NIST
SP800-53
R3 IA-2
NIST
SP800-53
R3 IA-2
(1)
NIST
SP800-53
R3 IA-2
(2)
NIST
SP800-53
R3 IA-2
(3)
NIST
SP800-53
R3 IA-2
(8)
NIST
SP800-53
R3 MA-4
NIST
SP800-53
R3 MA-4
(1)
NIST
SP800-53
R3 MA-4
(2)
Security SA-08
Architectur
e
Network
Security
Network NIST
NIST SP 800-53 R3 CM-7
environme SP800-53
nts shall R3 SC-7
be
designed
and
configured
to restrict
connection
s between
trusted
and
untrusted
networks
and
reviewed
at planned
intervals,
documenti
ng the
business
justificatio
n for use
of all
services,
protocols,
and ports
allowed,
including
rationale
or
compensa
ting
controls
implement
ed for
those
NIST
NIST SP 800-53 R3 SC-7
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
Security SA-09
Architectur
e
Segmentat
ion
System
NIST
NIST SP 800-53 R3 SC-7
and
SP800-53
network
R3 AC-4
environme
nts are
separated
by
firewalls to
ensure the
following
requireme
nts are
adhered
to:
NIST
Business SP800-53
and
R3 SC-2
customer
requireme
nts
NIST
Security SP800-53
requireme R3 SC-3
nts
NIST
Complianc SP800-53
e with
R3 SC-7
legislative,
regulatory,
and
contractua
l
requireme
nts
NIST
Separation SP800-53
of
R3 SC-7
production (1)
and nonproduction
environme
nts
NIST
Preserve SP800-53
protection R3 SC-7
and
(2)
isolation of
sensitive
data
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
Security SA-10
Architectur
e
Wireless
Security
Policies
NIST
NIST SP 800-53 R3 AC-1
and
SP800-53
procedure R3 AC-1
s shall be
establishe
d and
mechanis
ms
implement
ed to
protect
wireless
network
environme
nts,
including
the
following:
NIST
NIST SP 800-53 R3 AC-18
Perimeter SP800-53
firewalls R3 AC-18
implement
ed and
configured
to restrict
unauthoriz
ed traffic
NIST
NIST SP 800-53 R3 CM-6
Security SP800-53
settings
R3 AC-18
enabled
(1)
with strong
encryption
for
authentica
tion and
transmissi
on,
replacing
vendor
default
settings
(e.g.,
encryption
keys,
passwords
, SNMP
community
strings,
etc.).
Logical
and
physical
user
access to
wireless
network
devices
restricted
to
authorized
personnel
NIST
NIST SP 800-53 R3 SC-7
SP800-53
R3 AC-18
(2)
The NIST
capability SP800-53
to detect R3 AC-18
the
(3)
presence
of
unauthoriz
ed (rogue)
wireless
network
devices for
a timely
disconnect
from the
network
NIST
SP800-53
R3 AC-18
(4)
NIST
SP800-53
R3 AC-18
(5)
NIST
SP800-53
R3 CM-6
NIST
SP800-53
R3 CM-6
(1)
NIST
SP800-53
R3 CM-6
(3)
NIST
SP800-53
R3 PE-4
NIST
SP800-53
R3 SC-3
NIST
SP800-53
R3 SC-7
NIST
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
Security SA-11
Architectur
e
Shared
Networks
Access to
systems
with
shared
network
infrastruct
ure shall
be
restricted
to
authorized
personnel
in
accordanc
e with
security
policies,
procedure
s and
standards.
Networks
shared
with
external
entities
shall have
a
document
ed plan
detailing
the
compensa
ting
controls
used to
separate
network
NIST
NIST SP 800-53 R3 PL-2
SP800-53
R3 PE-4
NIST
NIST SP 800-53 R3 SC-1
SP800-53
R3 SC-4
NIST
NIST SP 800-53 R3 SC-7
SP800-53
R3 SC-7
NIST
SP800-53
R3 SC-7
(1)
NIST
SP800-53
R3 SC-7
(2)
NIST
SP800-53
R3 SC-7
(3)
NIST
SP800-53
R3 SC-7
(4)
NIST
SP800-53
R3 SC-7
(5)
NIST
SP800-53
R3 SC-7
(7)
NIST
SP800-53
R3 SC-7
(8)
NIST
SP800-53
R3 SC-7
(12)
NIST
SP800-53
R3 SC-7
(13)
NIST
SP800-53
R3 SC-7
(18)
Security SA-12
Architectur
e Clock
Synchroni
zation
An
NIST
NIST SP 800-53 R3 AU-1
external
SP800-53
accurate, R3 AU-1
externally
agreed
upon, time
source
shall be
used to
synchroniz
e the
system
clocks of
all relevant
informatio
n
processing
systems
within the
organizati
on or
explicitly
defined
security
domain to
facilitate
tracing
and
reconstituti
on of
activity
timelines.
Note:
specific
legal
jurisdiction
s and
NIST
NIST SP 800-53 R3 AU-8
SP800-53
R3 AU-8
NIST
SP800-53
R3 AU-8
(1)
Security SA-13
Architectur
e
Equipment
Identificati
on
Automated NIST
NIST SP 800-53 R3 IA-4
equipment SP800-53
identificati R3 IA-3
on shall be
used as a
method of
connection
authentica
tion.
Locationaware
technologi
es may be
used to
validate
connection
authentica
tion
integrity
based on
known
equipment
location.
NIST
SP800-53
R3 IA-4
NIST
SP800-53
R3 IA-4
(4)
Security SA-14
Architectur
e Audit
Logging /
Intrusion
Detection
NIST
NIST SP 800-53 R3 AU-11
SP800-53
R3 AU-5
NIST
NIST SP 800-53 R3 AU-12
SP800-53
R3 AU-6
NIST
NIST SP 800-53 R3 PE-2
SP800-53
R3 AU-6
(1)
NIST
NIST SP 800-53 R3 PE-3
SP800-53
R3 AU-6
(3)
NIST
SP800-53
R3 AU-7
NIST
SP800-53
R3 AU-7
(1)
NIST
SP800-53
R3 AU-9
NIST
SP800-53
R3 AU-9
(2)
NIST
SP800-53
R3 AU-11
NIST
SP800-53
R3 AU-12
NIST
SP800-53
R3 AU-14
NIST
SP800-53
R3 SI-4
NIST
SP800-53
R3 SI-4
(2)
NIST
SP800-53
R3 SI-4
(4)
NIST
SP800-53
R3 SI-4
(5)
NIST
SP800-53
R3 SI-4
(6)
Security SA-15
Architectur
e Mobile
Code
Mobile
NIST
code shall SP800-53
be
R3 SC-18
authorized
before its
installation
and use,
and the
configurati
on shall
ensure
that the
authorized
mobile
code
operates
according
to a clearly
defined
security
policy. All
unauthoriz
ed mobile
code shall
be
prevented
from
executing.
NIST
SP800-53
R3 SC-18
(4)
Control
Area
CID
Complia
nce
CO-01
Audit
Planning
Complia
CCM
CCM v1.3
v1.2
FedRAM
FedRAMP Final
P Draft
Release (Jan
Control Release
Specific Mappin 2012) Revised
Mappings
ation
gs
MODER
v1.2
LOW
ATE
IMPACT
IMPACT
LEVEL
Audit
LEVEL
plans,
activities
and
operatio
nal
action
items
focusing
on data NIST
duplicati SP800- NIST SP NIST SP
800-53 800-53
on,
53 R3
R3 CA-2 R3 CA-2
access, CA-2
and data
boundar
y
limitatio
ns shall
be
designed
to
minimize
NIST SP NIST SP
the risk NIST
SP800- 800-53 800-53
of
R3 CA-2 R3 CA-2
business 53 R3
(1)
process CA-2 (1) (1)
disruptio NIST
NIST SP NIST SP
n. Audit SP800- 800-53 800-53
activities 53 R3
R3 CA-7 R3 CA-7
must be CA-7
NIST
NIST SP
planned
SP800800-53
and
53 R3
R3 CA-7
agreed
CA-7 (2)
(2)
upon in NIST
NIST SP
advance SP800800-53
by
53 R3
R3 PL-6
stakehol PL-6
dent
NIST
ders.
reviews
NIST SP NIST SP
SP800and
800-53 800-53
53 R3
assessm
R3 CA-1 R3 CA-1
CA-1
NIST
ents
NIST SP NIST SP
shall be SP800- 800-53 800-53
performe 53 R3
R3 CA-2 R3 CA-2
CA-2
d at
NIST
NIST SP NIST SP
least
SP800800-53 800-53
annually,
53
R3
R3 CA-2 R3 CA-2
or at
CA-2
(1)
(1)
(1)
planned
Complia
nce
Indepen CO-02
dent
Audits
Complia
nce
Third
CO-03
Party
Audits
planned NIST
intervals SP800, to
53 R3
ensure CA-6
NIST
the
organiza SP80053 R3
tion is
complian RA-5
NIST
t with
SP800policies,
53 R3
procedur
RA-5 (1)
es,
standard NIST
SP800s and
applicabl 53 R3
RA-5 (2)
e
regulator NIST
y
SP800requirem 53 R3
ents
RA-5 (3)
(i.e.,
NIST
internal/
SP800external
53 R3
audits,
RA-5 (9)
certificat
NIST
ions,
vulnerab SP800ility and 53 R3
penetrati RA-5 (6)
NIST
on
SP80053 R3
CA-3
NIST
SP80053 R3
Third
SA-9
party
service NIST
provider SP80053 R3
s shall
demonst SA-9 (1)
NIST
rate
SP800complian
53 R3
ce with
SA-12
informati NIST
SP800on
security 53 R3
SC-7
and
confiden NIST
SP800tiality,
service 53 R3
definitio SC-7 (1)
NIST
ns and
delivery SP80053 R3
level
agreeme SC-7 (2)
nts
included
in third
party
contract
s. Third
party
reports,
NIST SP
800-53
R3 CA-6
NIST SP
800-53
R3 RA-5
NIST SP
800-53
R3 CA-6
NIST SP
800-53
R3 RA-5
NIST SP
800-53
R3 RA-5
(1)
NIST SP
800-53
R3 RA-5
(2)
NIST SP
800-53
R3 RA-5
(3)
NIST SP
800-53
R3 RA-5
(6)
NIST SP
800-53
R3 RA-5
(9)
NIST SP
800-53
R3 CA-3
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 CA-3
NIST SP
800-53
R3 SA-9
NIST SP
NIST SP
800-53
800-53
R3 SA-9
R3 SC-7
(1)
NIST SP
800-53
R3 SA-12
NIST SP
800-53
R3 SC-7
NIST SP
800-53
R3 SC-7
(1)
NIST SP
800-53
R3 SC-7
(2)
Complia
nce
Third
CO-03
Party
Audits
definitio
ns and
delivery
level
agreeme
nts
NIST
included SP800in third 53 R3
party
SC-7 (3)
contract
s. Third NIST
SP800party
reports, 53 R3
records SC-7 (4)
and
NIST
services SP800shall
53 R3
undergo SC-7 (5)
audit
NIST
and
SP800review, 53 R3
at
SC-7 (7)
planned
intervals NIST
SP800, to
govern 53 R3
SC-7 (8)
and
maintain NIST
SP800complian
53 R3
ce with
SC-7
the
NIST
service (12)
delivery SP800agreeme 53 R3
SC-7
nts.
(13)
NIST
SP80053 R3
SC-7
(18)
NIST SP
800-53
R3 SC-7
(3)
NIST SP
800-53
R3 SC-7
(4)
NIST SP
800-53
R3 SC-7
(5)
NIST SP
800-53
R3 SC-7
(7)
NIST SP
800-53
R3 SC-7
(8)
NIST SP
800-53
R3 SC-7
(12)
NIST SP
800-53
R3 SC-7
(13)
NIST SP
800-53
R3 SC-7
(18)
Complia
nce
Contact /
CO-04
Authority
Maintena
nce
Liaisons
and
points of
contact
with
local
authoriti
es shall
be
maintain
ed in
accordan
ce with
business
and
custome
r
requirem
ents and
complian NIST
ce with SP800legislativ 53 R3
e,
AT-5
regulator
y, and
contract
ual
requirem
ents.
Data,
objects,
applicati
ons,
infrastru
cture
and
hardwar
e may
be
NIST
assigned SP800legislativ 53 R3 IRe
6
NIST
domain
SP800and
53 R3 IRjurisdicti
6
(1)
NIST
on to
facilitate SP80053 R3 SIproper
complian 5
NIST
Statutor
ce points SP800y,
of
53 R3
regulator
contact. AC-1
NIST
y, and
contract SP80053 R3
ual
requirem AT-1
NIST
ents
SP800shall be 53 R3
defined AU-1
NIST
for all
SP800element 53 R3
s of the CA-1
informati
on
system.
The
organiza
NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AU-1
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-6
(1)
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AU-1
NIST SP
800-53
R3 CA-1
Complia
nce
Informati
on
CO-05
System
Regulato
ry
Mapping
shall be
defined
for all
element
s of the
NIST
informati
NIST SP NIST SP
SP800on
800-53 800-53
53 R3
system.
R3 CM-1 R3 CM-1
CM-1
NIST
The
NIST SP NIST SP
organiza SP800- 800-53 800-53
53 R3
tion's
R3 CP-1 R3 CP-1
CP-1
approac NIST
NIST SP NIST SP
h to
SP800800-53 800-53
meet
53 R3 IAR3 IA-1 R3 IA-1
known
1
NIST
requirem SP800- NIST SP NIST SP
800-53 800-53
ents,
53 R3 IAR3 IA-7 R3 IA-7
and
7
NIST
adapt to
NIST SP NIST SP
SP800new
800-53 800-53
mandate 53 R3 IR- R3 IR-1 R3 IR-1
1
NIST
s shall
NIST SP NIST SP
SP800be
800-53 800-53
explicitly 53 R3
R3 MA-1 R3 MA-1
defined, MA-1
NIST
documen SP800- NIST SP NIST SP
800-53 800-53
ted, and 53 R3
R3 MP-1 R3 MP-1
kept up MP-1
NIST
to date SP800- NIST SP NIST SP
800-53 800-53
for each 53 R3
R3 PE-1 R3 PE-1
informati PE-1
NIST
on
NIST SP NIST SP
system SP800- 800-53 800-53
element 53 R3
R3 PL-1 R3 PL-1
PL-1
NIST
in the
NIST SP NIST SP
organiza SP800800-53 800-53
53 R3
tion.
R3 PS-1 R3 PS-1
Informati PM-1
NIST
NIST SP NIST SP
on
SP800800-53 800-53
system 53 R3
R3 RA-1 R3 RA-1
element PS-1
NIST
NIST SP NIST SP
s may
SP800800-53 800-53
include
53 R3
R3 RA-2 R3 RA-2
data,
RA-1
objects, NIST
NIST SP NIST SP
applicati SP800- 800-53 800-53
53 R3
ons,
R3 SA-1 R3 SA-1
infrastru RA-2
NIST
NIST SP NIST SP
cture
SP800800-53 800-53
and
53 R3
R3 SA-6 R3 SA-6
hardwar SA-1
NIST
e. Each SP800- NIST SP NIST SP
800-53 800-53
element 53 R3
R3 SC-1 R3 SC-1
may be SA-6
NIST
assigned
NIST SP NIST SP
SP800a
800-53 800-53
53 R3
legislativ
R3 SC-13 R3 SC-13
SC-1
NIST
NIST SP
e
NIST SP
SP800800-53
domain
800-53
53
R3
R3 SC-13
and
R3 SI-1
SC-13
(1)
jurisdicti
on to
facilitate
proper
complian
ce
mapping
.
Complia
nce
Intellect CO-06
ual
Property
Data
Governa
nce
Ownersh DG-01
ip /
Stewards
hip
legislativ
e
domain
and
jurisdicti NIST
on to
SP800facilitate 53 R3
proper
SC-13
complian (1)
NIST
ce
SP800mapping
Policy,
53 R3 SI.process
1
and
procedur
e shall
be
establish
ed and
impleme
nted to
safeguar
d
intellect NIST
SP800ual
property 53 R3
and the SA-6
use of
proprieta
ry
software
within
the
legislativ
e
jurisdicti
on and NIST
contract SP800ual
53 R3
constrain SA-7
NIST
ts
governin SP80053 R3
g the
NIST
organiza PM-5
SP800tion.
53 R3
CA-2
All data NIST
shall be SP800designat 53 R3
ed with CA-2 (1)
stewards NIST
hip with SP800assigned 53 R3
responsi PM-5
NIST
bilities
SP800defined, 53 R3
documen NIST
PS-2
ted and SP800communi 53 R3
cated.
RA-2
NIST SP
800-53
R3 SI-1
NIST SP NIST SP
800-53 800-53
R3 SA-6 R3 SA-6
NIST SP NIST SP
800-53 800-53
R3 SA-7 R3 SA-7
NIST SP NIST SP
800-53 800-53
R3 CA-2 R3 CA-2
NIST SP
800-53
R3 CA-2
(1)
NIST SP
800-53
R3 CA-2
(1)
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 SA-2
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 SA-2
hip
Data
Governa
nce
DG-02
Classific
ation
Data
Governa
nce
Handling
/
DG-03
Labeling
/
Security
Policy
defined,
documen
ted and
communi
cated.
Data,
NIST
and
objects SP800containin 53 R3
g data, SA-2
shall be
assigned
a
classifica
tion
based on
data
type,
jurisdicti
on of
origin,
jurisdicti
on
domicile
d,
context, NIST
SP800legal
constrain 53 R3
RA-2
ts,
contract
ual
constrain
ts, value,
sensitivit
y,
criticality
to the
organiza
tion and
third
party
obligatio
n for
retention
and
NIST
preventi SP800on of
53 R3
unauthor AC-4
NIST
and
ized
procedur SP800disclosur
es shall 53 R3
e
AC-16
beor
NIST
misuse.
establish SP800ed for
53 R3
labeling, MP-1
NIST
handling SP800and
53 R3
security MP-3
of data NIST
SP800and
objects 53 R3
PE-16
NIST
which
contain SP80053 R3 SIdata.
Mechani 12
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 AC-4
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PE-16
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AC16
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 MP-3
NIST SP
800-53
R3 PE-16
Governa
nce
Handling
/
DG-03
Labeling
/
Security
Policy
Data
Governa
nce
DG-04
Retentio
n Policy
Mechani
sms for
label
inheritan
ce shall
be
impleme
nted for
objects
that act
as
aggregat
e
containe
rs for
NIST
NIST SP
SP800800-53
53 R3
R3 SI-12
SC-9
NIST
SP80053 R3
SC-9 (1)
NIST SP
800-53
R3 SC-9
NIST SP
800-53
R3 SC-9
(1)
NIST SP
800-53
R3 SI-1
NIST
SP80053 R3
CP-2
NIST
SP80053 R3
CP-2 (1)
NIST
SP80053 R3
CP-2 (2)
NIST
SP80053 R3
CP-6
NIST
Policies SP80053 R3
and
procedur CP-6 (1)
es for
NIST
data
SP800retention 53 R3
and
CP-6 (3)
storage NIST
shall be SP800establish 53 R3
ed and CP-7
backup NIST
SP800or
redunda 53 R3
CP-7 (1)
ncy
mechani NIST
sms
SP800impleme 53 R3
nted to CP-7 (2)
ensure
NIST
complian
SP800ce with
53 R3
regulator
CP-7 (3)
y,
statutory
,
contract
ual or
business
requirem
ents.
Testing
NIST SP
800-53
R3 SI-12
NIST SP NIST SP
800-53 800-53
R3 CP-2 R3 CP-2
NIST SP
NIST SP
800-53
800-53
R3 CP-2
R3 CP-9
(1)
NIST SP
800-53
R3 CP-2
(2)
NIST SP
800-53
R3 CP-6
NIST SP
800-53
R3 CP-6
(1)
NIST SP
800-53
R3 CP-6
(3)
NIST SP
800-53
R3 CP-7
NIST SP
800-53
R3 CP-7
(1)
NIST SP
800-53
R3 CP-7
(2)
NIST SP
800-53
R3 CP-7
(3)
Data
Governa
nce
DG-04
Retentio
n Policy
ensure
complian
ce with
regulator
y,
statutory NIST
SP800,
contract 53 R3
CP-7 (5)
ual or
business NIST
requirem SP80053 R3
ents.
Testing CP-8
NIST
the
SP800recovery
53 R3
of
CP-8 (1)
backups
must be NIST
impleme SP800nted at 53 R3
planned CP-8 (2)
intervals NIST
SP800.
53 R3
CP-9
NIST
SP80053 R3
CP-9 (1)
NIST
SP80053 R3
CP-9 (3)
NIST
SP80053 R3 SI12
NIST
Data
Governa
nce
DG-05
Secure
Disposal
Policies
and
procedur
es shall
be
establish
ed and
mechani
sms
impleme
nted for
the
secure
disposal
and
complet
e
removal
of data
from all
storage
media,
ensuring
data is
not
recovera
ble by
any
compute
r
NIST SP
800-53
R3 CP-7
(5)
NIST SP
800-53
R3 CP-8
NIST SP
800-53
R3 CP-8
(1)
NIST SP
800-53
R3 CP-8
(2)
NIST SP
800-53
R3 CP-9
NIST SP
800-53
R3 CP-9
(1)
NIST SP
800-53
R3 CP-9
(3)
SP80053 R3
AU-11
NIST
SP80053 R3
MP-6
NIST SP NIST SP
800-53 800-53
R3 MP-6 R3 MP-6
Disposal
Data
Governa
nce
DG-06
NonProducti
on Data
removal
of data
from all
storage
media,
ensuring
data is
not
recovera
ble by
any
compute
r
Producti
forensic
on
data
means.
shall not
be
replicate
d or
used in
nonproducti
on
environ
ments.
NIST
NIST SP
SP800800-53
53 R3
R3 PE-1
MP-6 (4)
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
SA-11
NIST
SP80053 R3
SA-11
(1)
NIST
SP80053 R3
CM-04
NIST
SP80053 R3
AC-2
NIST
SP80053 R3
AC-2 (1)
Data
Governa
nce
DG-07
Informati
on
Leakage
NIST SP
800-53
R3 MP-6
(4)
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 SA-11
NIST SP
800-53
R3 SA-11
(1)
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-2
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 AC-2
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 AC-3
AC-2 (2)
NIST SP
800-53
R3 AC-2
(2)
NIST
SP80053 R3
AC-2 (3)
NIST SP
800-53
R3 AC-2
(3)
NIST
SP80053 R3
AC-2 (4)
NIST SP
800-53
R3 AC-2
(4)
NIST
SP80053 R3
AC-2 (7)
NIST
SP80053 R3
AC-3
NIST
SP80053 R3
AC-3 (3)
NIST
SP80053 R3
Security AC-4
mechani
sms
shall be
impleme
nted to
prevent
data
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 AC-3
NIST SP
800-53
R3 AC-3
(3)
NIST SP
800-53
R3 AC-4
Data
Governa
nce
DG-07
Informati
on
Leakage
Security
mechani
sms
shall be
impleme
nted to
prevent
data
leakage.
NIST
SP80053 R3
AC-6
NIST
SP80053 R3
AC-6 (1)
NIST
SP80053 R3
AC-6 (2)
NIST
SP80053 R3
AC-11
NIST
SP80053 R3
AC-11
(1)
NIST
SP80053 R3
AU-13
NIST
SP80053 R3
PE-19
NIST
SP80053 R3
SC-28
NIST
SP80053 R3
SC-28
(1)
NIST
SP80053 R3
SA-8
NIST
SP80053 R3 SI7
NIST
SP80053 R3 SI7 (1)
NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)
NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 AC11
NIST SP
800-53
R3 AC11 (1)
NIST SP
800-53
R3 SA-8
NIST SP
800-53
R3 SC-28
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)
Data
Governa
nce
DG-08
Risk
Assessm
ents
Risk
assessm
ents
associat
ed with
data
governa
nce
NIST
requirem
SP800ents
53 R3
shall be
CA-3
conducte
d at
planned
intervals
consideri
ng the
following
:
ere
se
nsi
tiv
e
dat
a
is
sto
red
an
d
tra
ns
mit NIST
ted SP800acr 53 R3
oss RA-2
ap
pli
cat
ion
s,
dat
ab
as
es,
ser
ver
s
an
d
NIST SP NIST SP
800-53 800-53
R3 CA-3 R3 CA-3
NIST SP NIST SP
800-53 800-53
R3 RA-2 R3 RA-2
Data
Governa
nce
DG-08
Risk
Assessm
ents
e
wit
h
de
fin
ed
ret
ent
ion NIST
per SP800iod 53 R3
s RA-3
an
d
en
doflife
dis
po
ati
on
an
d
pro
tec
tio
n
fro
m
un
aut NIST
hor SP800ize 53 R3
d MP-8
us
e,
ac
ce
ss,
los
s,
de
str
uct
ion NIST
SP80053 R3
PM-9
NIST
SP80053 R3 SI12
NIST
SP80053 R3
CA-2
Policies
and
procedur
es shall
be
establish
ed for
NIST SP NIST SP
800-53 800-53
R3 RA-3 R3 RA-3
NIST SP NIST SP
800-53 800-53
R3 SI-12 R3 SI-12
NIST SP NIST SP
800-53 800-53
R3 CA-2 R3 CA-2
Facility
Security FS-01
Policy
Facility
Security
FS-02
User
Access
Policies
and
procedur
es shall
be
establish
ed for
maintain
ing a
safe and
secure
working
environ
ment in
offices,
rooms,
facilities
and
secure
areas.
NIST
SP80053 R3
CA-2 (1)
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
PE-6
NIST
SP80053 R3
PE-6 (1)
NIST
SP80053 R3
PE-7
NIST
SP80053 R3
PE-7 (1)
NIST
SP80053 R3
PE-8
NIST
SP80053 R3
PE-2
NIST
Physical SP800access 53 R3
PE-2 (1)
to
informati NIST
SP800on
53 R3
assets
PE-3
NIST
and
functions SP800by users 53 R3
PE-4
and
NIST
support SP800personn 53 R3
el shall PE-5
NIST
be
SP800restricte
53 R3
d.
PE-6
NIST
SP80053 R3
PE-6 (1)
NIST SP
800-53
R3 CA-2
(1)
NIST SP
800-53
R3 CA-2
(1)
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PE-6
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PE-6
NIST SP
NIST SP
800-53
800-53
R3 PE-6
R3 PE-7
(1)
NIST SP NIST SP
800-53 800-53
R3 PE-8 R3 PE-7
NIST SP
800-53
R3 PE-7
(1)
NIST SP
800-53
R3 PE-8
NIST SP NIST SP
800-53 800-53
R3 PE-2 R3 PE-2
NIST SP NIST SP
800-53 800-53
R3 PE-3 R3 PE-3
NIST SP NIST SP
800-53 800-53
R3 PE-6 R3 PE-4
NIST SP
800-53
R3 PE-5
NIST SP
800-53
R3 PE-6
NIST SP
800-53
R3 PE-6
(1)
Facility
Security
FS-03
Controlle
d Access
Points
Facility
Security
Secure
FS-04
Area
Authoriz
ation
Physical
security
perimete
rs
(fences,
walls,
barriers,
guards,
gates,
electroni
c
surveilla
nce,
physical
authenti
cation
mechani
sms,
receptio
n desks
and
security
patrols)
shall be
impleme
nted to
safeguar
d
sensitive
data and
informati
on
systems.
NIST
SP80053 R3
PE-2
NIST
SP80053 R3
PE-2 (1)
NIST
SP80053 R3
PE-3
NIST
SP80053 R3
PE-6
NIST
SP80053 R3
PE-6 (1)
NIST
SP80053 R3
PE-18
NIST
SP80053 R3
PE-2
NIST
Ingress SP80053 R3
and
(1)
egress to PE-2
NIST
secure
SP800areas
53 R3
shall be PE-3
constrain NIST
ed and SP800monitore 53 R3
PE-6
d by
NIST
physical
SP800access
53 R3
control
PE-6 (1)
mechani NIST
sms to
SP800ensure 53 R3
that only PE-7
authoriz NIST
ed
SP800personn 53 R3
el are
PE-7 (1)
allowed
access.
NIST SP NIST SP
800-53 800-53
R3 PE-2 R3 PE-2
NIST SP NIST SP
800-53 800-53
R3 PE-3 R3 PE-3
NIST SP NIST SP
800-53 800-53
R3 PE-6 R3 PE-6
NIST SP
800-53
R3 PE-6
(1)
NIST SP
800-53
R3 PE-18
NIST SP NIST SP
800-53 800-53
R3 PE-2 R3 PE-2
NIST SP NIST SP
800-53 800-53
R3 PE-3 R3 PE-3
NIST SP
800-53
R3 PE-6
NIST SP
800-53
R3 PE-7
NIST SP
800-53
R3 PE-6
NIST SP
800-53
R3 PE-6
(1)
NIST SP NIST SP
800-53 800-53
R3 PE-8 R3 PE-7
NIST SP
800-53
R3 PE-7
(1)
NIST SP
800-53
R3 PE-8
that only
authoriz
ed
personn
el are
allowed NIST
access. SP80053 R3
PE-8
NIST
NIST SP
800-53
R3 PE-18
SP80053 R3
PE-18
Facility
Security
Unauthor FS-05
ized
Persons
Entry
Facility
Security
Offsite FS-06
Authoriz
ation
Ingress
and
egress
points
such as
service
areas
and
other
points
where
unauthor
ized
NIST
personn
SP800el may
53 R3
enter the
PE-7
premises
shall be
monitore
d,
controlle
d and, if
possible,
isolated
from
data
storage
and
processi NIST
ng
SP800facilities 53 R3
to
PE-7 (1)
percent NIST
unauthor SP800ized data 53 R3
corruptio PE-16
NIST
n,
SP800compro 53 R3
mise and PE-18
ation
NIST
loss.
must be SP800obtained 53 R3
prior to MA-1
NIST
relocatio SP800n or
53 R3
transfer MA-2
of
NIST
hardwar SP800e,
53 R3
software MA-2 (1)
or data
NIST SP NIST SP
800-53 800-53
R3 PE-7 R3 PE-7
NIST SP
NIST SP
800-53
800-53
R3 PE-7
R3 PE-16
(1)
NIST SP
800-53
R3 PE-16
NIST SP
800-53
R3 PE-18
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MA-2
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MA-2
NIST SP
NIST SP
800-53
800-53
R3 MA-2
R3 PE-16
(1)
Security
Offsite FS-06
Authoriz
ation
or data
to an
offsite
premises
NIST
SP80053 R3
PE-16
NIST
SP80053 R3
AC-17
NIST
SP80053 R3
AC-17
(1)
NIST
Facility
Security
Off-Site FS-07
Equipme
nt
Facility
Security
Asset FS-08
Manage
ment
Policies
and
procedur
es shall
be
establish
ed for
securing
and
asset
manage
ment for
the use
and
secure
disposal
of
equipme
nt
maintain
ed and
used
outside
the
organiza
tion's
premise.
A
complet
e
inventor
y of
critical
assets
shall be
maintain
ed with
ownershi
p
SP80053 R3
AC-17
(2)
NIST
SP80053 R3
AC-17
(3)
NIST
NIST SP
800-53
R3 PE-16
NIST SP NIST SP
800-53 800-53
R3 AC- R3 AC17
17
NIST SP
NIST SP
800-53
800-53
R3 ACR3 MA-1
17 (1)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 PE-1
17 (2)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 PE-16
17 (3)
SP80053 R3
AC-17
(4)
NIST
SP80053 R3
AC-17
(5)
NIST
SP80053 R3
AC-17
(7)
NIST
SP80053 R3
AC-17
(8)
NIST
SP80053 R3
MA-1
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
PE-16
NIST
SP80053 R3
PE-17
NIST
SP80053 R3
CM-8
NIST
SP80053 R3
CM-8 (1) NIST SP
800-53
R3 CM-8
NIST SP
800-53
R3 AC17 (4)
NIST SP
800-53
R3 AC17 (5)
NIST SP
800-53
R3 AC17 (7)
NIST SP
800-53
R3 AC17 (8)
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PE-16
NIST SP
800-53
R3 PE-17
NIST SP
800-53
R3 CM-8
NIST SP
800-53
R3 CM-8
(1)
Facility
Security
Asset FS-08
Manage
ment
Human
Resource
s
Security
HR-01
Backgro
und
Screenin
g
inventor
y of
critical
assets
shall be
maintain NIST
ed with SP800ownershi 53 R3
CM-8 (3)
p
defined NIST
SP800and
documen 53 R3
CM-8 (5)
ted.
Pursuant
to local
laws,
regulatio
ns,
ethics
and
contract
ual
constrain
ts all
employ
ment
candidat
es,
contract
ors and NIST
SP800third
parties 53 R3
PS-2
will be
subject
to
backgrou
nd
verificati
on
proportio
nal to
the data
classifica
tion to
be
accessed
, the
business
requirem NIST
ents and SP800acceptab 53 R3
PS-3
le risk.
NIST SP
800-53 NIST SP
R3 CM-8 800-53
R3 CM-8
(3)
NIST SP
800-53
R3 CM-8
(5)
NIST SP NIST SP
800-53 800-53
R3 PS-2 R3 PS-2
NIST SP NIST SP
800-53 800-53
R3 PS-3 R3 PS-3
Human
Resource
s
Security
HR-02
Employ
ment
Agreeme
nts
Human
Resource
s
Employ HR-03
ment
Terminati
on
Prior to
granting
individua
ls
physical
or logical
access
to
facilities,
systems
or data,
employe
es,
contract
ors, third NIST
party
SP800users
53 R3
and
PL-4
tenants
and/or
custome
rs shall
contract
ually
agree
and sign
equivale
nt terms
and
condition NIST
s
SP800regardin 53 R3
g
PS-6
NIST
informati
SP800on
53 R3
security
PS-7
responsi
bilities in
Roles
employ
and
ment or
responsi
service
bilities
contract. NIST
for
SP800performi
53 R3
ng
PS-4
employ
ment
terminati NIST
SP800on or
change 53 R3
PS-5
in
employ
ment
procedur
es shall
be
assigned
,
documen
ted and
communi
cated.
NIST SP NIST SP
800-53 800-53
R3 PS-1 R3 PS-1
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 PS-6
NIST SP NIST SP
800-53 800-53
R3 PS-7 R3 PS-7
NIST SP NIST SP
800-53 800-53
R3 PS-2 R3 PS-2
NIST SP
800-53
R3 PS-4
NIST SP
800-53
R3 PS-5
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-4
NIST SP
800-53
R3 PS-5
NIST SP
800-53
R3 PS-6
NIST SP NIST SP
800-53 800-53
R3 PS-8 R3 PS-8
ted,
approve
d, and
impleme
nted that
includes
administ
rative,
technical
, and
physical
safeguar
ds to
protect
assets
and data
NIST
from
SP800loss,
53 R3
misuse,
PM-1
unauthor
ized
access,
disclosur
e,
alteratio
n, and
destructi
on. The
security
program
should
address,
but not
be
limited
Ris
k NIST
ma SP800na 53 R3
ge PM-2
me
Se NIST
cur SP800ity 53 R3
pol PM-3
Informati
on
Security
IS-01
Manage
ment
Program
icy
ga
niz
ati
on NIST
of SP800inf 53 R3
or PM-4
ma
tio
n
se
Informati
on
Security
IS-01
Manage
ment
Program
As
set NIST
ma SP800na 53 R3
ge PM-5
me
Hu
ma
n NIST
res SP800our 53 R3
ce PM-6
s
se
ysi
cal
an
d NIST
en SP800vir 53 R3
on PM-7
me
nta
l
mu
se
nic
ati
on
s NIST
an SP800d 53 R3
op PM-8
era
tio
ns
ma
na
Ac NIST
ce SP800ss 53 R3
co PM-9
ntr
ma
tio
n
sys
te
ms
ac
qui NIST
siti SP800on, 53 R3
de PM-10
vel
op
me
nt,
an
d
ma
Informati
on
Security
Manage IS-02
ment
Support /
Involvem
ent
NIST
SP800Executiv 53 R3
e and
PM-11
line
manage
ment
shall
take
formal
action to
support
informati NIST
SP800on
security 53 R3
through CM-1
clear
documen
ted
direction
,
commit
ment,
explicit NIST
assignm SP800ent and 53 R3
verificati PM-1
NIST
on of
SP800Manage
assignm 53 R3
ment
ent
PM-11
shall
executio
approve
n
a formal
informati
on
security
policy
documen
t which
NIST
shall be
SP800communi
53 R3
cated
AC-1
and
publishe
d to
employe
es,
contract
ors and
other
relevant NIST
external SP800parties. 53 R3
The
AT-1
Informati NIST
SP800on
Security 53 R3
AU-1
Policy
shall
establish
the
direction
of the
NIST SP NIST SP
800-53 800-53
R3 CM-1 R3 CM-1
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AU-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AU-1
Informati
on
IS-03
Security
Policy
parties.
The
Informati
on
Security
NIST
Policy
NIST SP
SP800shall
800-53
establish 53 R3
R3 CA-1
CA-1
the
NIST
direction SP800- NIST SP
800-53
of the
53 R3
R3 CM-1
organiza CM-1
NIST
NIST SP
tion and
SP800800-53
align to
53 R3 IAR3 IA-1
best
1
practices NIST
NIST SP
SP800,
800-53
regulator 53 R3 IR- R3 IR-1
1
y,
NIST
NIST SP
federal/s SP800800-53
tate and 53 R3
R3 MA-1
internati MA-1
NIST
NIST SP
onal
SP800800-53
laws
53 R3
R3 MP-1
where
MP-1
NIST
applicabl
NIST SP
SP800e. The
800-53
53 R3
Informati
R3 PE-1
MP-1
NIST
on
NIST SP
Security SP800- 800-53
53 R3
policy
R3 PL-1
shall be PE-1
NIST
supporte SP800- NIST SP
800-53
d by a
53 R3
R3 PS-1
strategic NIST
PL-1
plan and SP800- NIST SP
800-53
a
53 R3
R3 SA-1
security PS-1
program NIST
NIST SP
SP800with
800-53
53 R3
wellR3 SC-1
SA-1
defined NIST
NIST SP
roles and SP800- 800-53
responsi 53 R3
R3 SI-1
SC-1
bilities
NIST
for
SP800leadershi 53 R3 SIp and
1
officer
roles.
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IR-1
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 SA-1
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SI-1
Informati
on
Security
IS-04
Baseline
Require
ments
Baseline
security
requirem
ents
shall be
establish
ed and
applied
to the
design
and
impleme NIST
ntation SP80053 R3
of
(develop CM-2
ed or
purchase
d)
applicati
ons,
database
s,
systems,
and
network NIST
infrastru SP80053 R3
cture
CM-2 (1)
and
informati NIST
on
SP800processi 53 R3
ng that CM-2 (3)
comply NIST
with
SP800policies, 53 R3
standard CM-2 (5)
s and
NIST
applicabl SP800e
53 R3
regulator SA-2
NIST
y
SP800requirem
53 R3
ents.
SA-4
Complia NIST
nce with SP800security 53 R3
baseline SA-4 (1)
requirem
NIST
ents
must be SP800reassess 53 R3
SA-4 (4)
ed at
least
NIST
annually SP800or upon 53 R3
significa SA-4 (7)
NIST
nt
changes. SP80053 R3
AC-1
NIST SP NIST SP
800-53 800-53
R3 CM-2 R3 CM-2
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 SA-2
(1)
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 SA-4
(3)
NIST SP
800-53
R3 CM-2
(5)
NIST SP
800-53
R3 SA-2
NIST SP
800-53
R3 SA-4
NIST SP
800-53
R3 SA-4
(1)
NIST SP
800-53
R3 SA-4
(4)
NIST SP
800-53
R3 SA-4
(7)
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
Informati
on
Security IS-05
Policy
Reviews
NIST
NIST SP
SP800800-53
53 R3
R3 AT-1
AT-1
NIST
NIST SP
SP800800-53
53 R3
R3 AU-1
AU-1
NIST
NIST SP
SP800800-53
53 R3
R3 CA-1
CA-1
NIST
NIST SP
SP800800-53
53 R3
R3 CM-1
CM-1
NIST
NIST SP
SP800800-53
53 R3
R3 CP-1
CP-1
NIST
NIST SP
SP800800-53
53 R3 IAR3 IA-1
1
NIST
NIST SP
SP800800-53
53 R3 IAR3 IA-5
5
NIST
NIST SP
Manage SP800- 800-53
ment
53 R3 IA- R3 IA-5
shall
5
(1)
(1)
NIST
NIST SP
review
SP800800-53
the
53 R3 IAR3 IR-1
informati 5 (2)
NIST
on
NIST SP
security SP800- 800-53
policy at 53 R3 IA- R3 MA-1
(3)
NIST
planned 5
NIST SP
intervals SP800- 800-53
or as a 53 R3 IA- R3 MP-1
5 (6)
result of NIST
changes SP800- NIST SP
800-53
to the
53 R3 IAR3 PE-1
organiza 5
(7)
NIST
NIST SP
tion to
SP800ensure 53 R3 IR- 800-53
R3 PL-1
its
1
NIST
continuin
NIST SP
SP800g
800-53
effective 53 R3
R3 PS-1
NIST
ness and MA-1
NIST SP
accuracy SP800- 800-53
53 R3
.
R3 RA-1
MP-1
NIST
NIST SP
SP800800-53
53 R3
R3 SA-1
PE-1
NIST
NIST SP
SP800800-53
53 R3
R3 SC-1
PL-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AU-1
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CP-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 IA-5
(1)
NIST SP
800-53
R3 IA-5
(2) SP
NIST
800-53
R3 IA-5
(3)
NIST SP
800-53
R3 IA-5
(6) SP
NIST
800-53
R3 IA-5
(7)
NIST SP
800-53
R3 IR-1
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PL-1
NIST
SP80053 R3
PM-1
NIST
SP80053 R3
PS-1
NIST
SP80053 R3
RA-1
NIST
SP80053 R3
SA-1
NIST
SP80053 R3
SC-1
NIST
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 SA-1
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PL-4
SP80053 R3 SI1
Informati
on
Security
IS-06
Policy
Enforce
ment
A formal
disciplin
ary or
sanction
policy
shall be
establish
ed for
employe
es who
have
violated
security
policies NIST
and
SP800procedur 53 R3
es.
PL-4
Employe
es shall
be made
aware of
what
action
might be
taken in
the
event of
a
violation
and
stated as NIST
such in SP800the
53 R3
policies PS-1
NIST
and
SP800procedur 53 R3
es.
PS-8
NIST SP NIST SP
800-53 800-53
R3 PS-1 R3 PS-1
NIST SP NIST SP
800-53 800-53
R3 PS-8 R3 PS-8
Informati
on
Security
IS-07
User
Access
Policy
User
access
policies
and
procedur
es shall
be
documen
ted,
approve
d and
impleme
nted for
granting
and
revoking
normal
and
privilege NIST
NIST SP
d access SP800- 800-53
53 R3
to
R3 AC-1
applicati AC-1
ons,
database
s, and
server
and
network
infrastru
cture in
accordan
ce with
business
,
security,
complian
ce and
service NIST
NIST SP
SP800level
800-53
agreeme 53 R3 IAR3 IA-1
1
nt (SLA) NIST
requirem SP800- NIST SP
800-53
ents.
53 R3
R3 AC-3
AC-3
NIST
NIST SP
SP800800-53
53 R3
R3 IA-2
AC-3 (3)
NIST
NIST SP
SP800- 800-53
53 R3
R3 IA-2
AC-5
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 IA-4
AC-6
NIST
NIST SP
SP800800-53
53 R3
R3 IA-5
AC-6 (1)
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 AC-3
NIST SP
800-53
R3 AC-3
(3)
NIST SP
800-53
R3 AC-5
NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)
Informati
on
Security
User
Access IS-08
Restricti
on /
Authoriz
ation
NIST
NIST SP
SP800- 800-53
53 R3
R3 IA-5
AC-6 (2) (1)
NIST
NIST SP
SP800800-53
53 R3 IAR3 IA-8
2
NIST
NIST SP
Normal SP800- 800-53
53 R3 IAand
R3 MA-5
(1)
privilege 2
NIST
NIST SP
d user
SP800access 53 R3 IA- 800-53
R3 PS-6
to
2
(2)
NIST
NIST SP
applicati
SP800800-53
ons,
53 R3 IAR3 SA-7
systems,
2 (3)
database NIST
SP800s,
network 53 R3 IA(8)
NIST
configur 2
ations, SP80053 R3 IAand
4
sensitive NIST
data and SP800functions 53 R3 IAshall be 4 (4)
NIST
restricte
SP800d and
53 R3 IAapprove
5
NIST
d by
manage SP80053 R3 IAment
(1)
prior to 5
NIST
access SP800granted. 53 R3 IA5
(2)
NIST
SP80053 R3 IA5
(3)
NIST
SP80053 R3 IA5
(6)
NIST
SP80053 R3 IA5 (7)
NIST
SP80053 R3 IA8
NIST
SP80053 R3
MA-5
NIST
SP80053 R3
PS-6
NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 IA-2
NIST SP
800-53
R3 IA-2
(1)
NIST SP
800-53
R3 IA-2
(2)
NIST SP
800-53
R3 IA-2
(3)
NIST SP
800-53
R3 IA-2
(8)
NIST SP
800-53
R3 IA-4
NIST SP
800-53
R3 IA-4
(4)
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 IA-5
(1)
NIST SP
800-53
R3 IA-5
(2)
NIST SP
800-53
R3 IA-5
(3)
NIST SP
800-53
R3 IA-5
(6)
NIST SP
800-53
R3 IA-5
(7)
NIST SP
800-53
R3 IA-8
NIST SP
800-53
R3 MA-5
NIST SP
800-53
R3 PS-6
NIST
SP80053 R3
SA-7
NIST
Informati
on
Security
User
IS-09
Access
Revocati
on
Timely
SP800deprovisi 53 R3 SIoning,
9
revocatio
n or
modifica
tion of
user
access
to the
organiza
tions
systems,
informati NIST
on
SP800assets
53 R3
and data AC-2
shall be
impleme
nted
upon
any
change
in status
of
employe
es,
contract
NIST
ors,
custome SP80053 R3
rs,
business AC-2 (1)
partners NIST
or third SP800parties. 53 R3
Any
AC-2 (2)
change
in status NIST
SP800is
intended 53 R3
AC-2 (3)
to
include NIST
terminati SP800on of
53 R3
employ AC-2 (4)
ment,
NIST
contract SP800or
53 R3
agreeme AC-2 (7)
nt,
NIST
change SP800of
53 R3
employ PS-4
ment or
transfer
within
the
organiza
tion.
NIST SP
800-53
R3 SA-7
NIST SP
800-53
R3 SI-9
NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-4
(1)
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-5
(2)
NIST SP
800-53
R3 AC-2
(3)
NIST SP
800-53
R3 AC-2
(4)
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 PS-4
agreeme
nt,
change
of
employ
ment or
transfer
within
the
organiza
tion.
Informati
on
Security
IS-10
User
Access
Reviews
NIST
SP80053 R3
PS-5
NIST
SP80053 R3
AC-2
NIST
SP80053 R3
AC-2 (1)
NIST
All levels SP800of user 53 R3
access AC-2 (2)
shall be NIST
reviewed SP800by
53 R3
manage AC-2 (3)
ment at
planned NIST
intervals SP80053 R3
and
documen AC-2 (4)
ted. For NIST
access SP800violation 53 R3
AC-2 (7)
s
identifie NIST
SP800d,
remediat 53 R3
ion must AU-6
NIST
follow
SP800documen
53 R3
ted
AU-6 (1)
access
control NIST
policies SP80053 R3
and
procedur AU-6 (3)
NIST
es.
SP80053 R3
PM-10
NIST
SP80053 R3
PS-6
NIST
SP80053 R3
PS-7
NIST SP
800-53
R3 PS-5
NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 AU-6
(1)
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-6
(2)
NIST SP
NIST SP
800-53
800-53
R3 AC-2
R3 PS-7
(3)
NIST SP
800-53
R3 AC-2
(4)
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 AU-6
NIST SP
800-53
R3 AU-6
(1)
NIST SP
800-53
R3 AU-6
(3)
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-7
Informati
on
Security
IS-11
Training /
Awarene
ss
A
security
awarene
ss
training
program
shall be
establish
ed for all
contract
ors, third
party
users
and
employe
es of the
organiza
tion and
mandate
d when
appropri NIST
ate. All SP800individua 53 R3
ls with
AT-1
access
to
organiza
tional
data
shall
receive
appropri
ate
awarene
ss
training
and
regular
updates
in
NIST
organiza SP800tional
53 R3
procedur AT-2
NIST
es,
SP800process
53 R3
and
AT-3
policies, NIST
relating SP800to their 53 R3
function AT-4
relative
to the
organiza
tion.
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-4
NIST SP
800-53
R3 AT-4
Informati
on
Security
Industry IS-12
Knowled
ge /
Benchm
arking
Informati
on
Security
IS-13
Roles /
Responsi
bilities
Informati
on
Security
IS-14
Manage
ment
Oversigh
t
Industry
security
knowled
ge and
benchma
rking
through
networki NIST
SP800ng,
specialis 53 R3
AT-5
t
security
forums,
and
professio
nal
associati
ons shall
NIST
be
maintain SP80053 R3 SIed.
Roles
5
NIST
and
SP800responsi 53 R3
bilities of AT-3
NIST
contract
SP800ors,
53 R3
employe
PL-4
NIST
es and
SP800third
53 R3
party
PM-10
users
NIST
shall be SP800documen 53 R3
ted as
PS-1
NIST
they
SP800relate to 53 R3
informati PS-6
NIST
on
SP800assets
53 R3
and
NIST
security. PS-7
SP80053 R3
Manager AT-2
NIST
s are
SP800responsi 53 R3
ble for
AT-3
NIST
maintain
SP800ing
53 R3
awarene
CA-1
ss of and NIST
complyin SP80053 R3
g with
security CA-5
NIST
policies, SP800procedur 53 R3
es and
CA-6
standard
s that
are
relevant
to their
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-7
NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 PS-2
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 PS-7
NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-4
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-5
NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-4
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-5
Security
IS-14
Manage
ment
Oversigh
t
Informati
on
Security
IS-15
Segregat
ion of
Duties
g with
security
policies,
procedur
es and
standard
s that
are
relevant
to their
area of
responsi
bility.
NIST
SP80053 R3
CA-7
NIST
SP80053 R3
CA-7 (2)
NIST
SP80053 R3
PM-10
NIST
NIST SP NIST SP
800-53 800-53
R3 CA-6 R3 CA-6
NIST SP NIST SP
800-53 800-53
R3 CA-7 R3 CA-7
NIST SP
800-53
R3 CA-7
(2)
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2
SP80053 R3
AC-1
NIST
SP80053 R3
AC-2
NIST
NIST SP
SP800800-53
53 R3
R3 AU-1
AC-2 (1)
NIST SP
800-53
R3 AC-2
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 AU-2
AC-2 (2)
NIST SP
800-53
R3 AC-2
(2)
NIST
Policies, SP800- NIST SP
800-53
process 53 R3
R3 AU-6
and
AC-2 (3)
procedur
NIST
es shall
SP800be
53 R3
impleme
AC-2 (4)
nted to
enforce NIST
SP800and
53 R3
assure
AC-2 (7)
proper
segregat NIST
SP800ion of
duties. In 53 R3
AC-5
NIST
those
events SP80053 R3
where
user-role AC-6
conflict- NIST
SP800ofinterest 53 R3
constrain AC-6 (1)
ts exist, NIST
technical SP800controls 53 R3
shall be AC-6 (2)
in place NIST
SP800to
mitigate 53 R3
any risks AU-1
arising
from
unauthor
ized or
unintenti
NIST SP
800-53
R3 AC-2
(3)
NIST SP
800-53
R3 AC-2
(4)
NIST SP
800-53
R3 AC-2
(7)
NIST SP
800-53
R3 AC-5
NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)
NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 AU-1
Duties
shall be
in place
to
mitigate
any risks
arising
from
unauthor
ized or
unintenti
onal
modifica
tion or
misuse
of the
organiza
tion's
informati
on
assets.
Users
shall be
made
aware of
their
responsi
bilities
for:
Informati
NIST
SP80053 R3
AU-6
NIST
SP80053 R3
AU-6 (1)
NIST SP
800-53
R3 AU-2
NIST SP
800-53
R3 AU-6
NIST
SP80053 R3
AU-6 (3)
NIST
SP80053 R3 SI1
NIST
SP80053 R3 SI4
NIST
SP80053 R3 SI4
(2)
NIST
SP80053 R3 SI4
(4)
NIST
SP80053 R3 SI4
(5)
NIST
NIST SP
800-53
R3 AU-6
(1)
NIST SP
800-53
R3 AU-6
(3)
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST
SP80053 R3
AT-2
NIST SP
800-53
R3 AT-2
NIST SP
800-53
R3 AT-2
Informati
on
Security
IS-16
User
Responsi
bility
an
d
co
mp
lia
nc
e
wit
h
pu
bli
sh
ed
se
cur NIST
ity SP800pol 53 R3
ici AT-3
es,
pro
ce
dur
es,
sta
nd
ard
s
an
d
ap
pli
ca
ain
ing
a
saf
e
an NIST
d SP800se 53 R3
cur AT-4
e
wo
rki
ng
en
vir
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-3
NIST SP
800-53
R3 AT-4
NIST SP
800-53
R3 AT-4
Informati
on
Security
IS-17
Workspa
ce
ng
un
att
en
de
d NIST
eq SP800uip 53 R3
me PL-4
nt
in
a
se
Policies
cur
and
NIST
procedur
SP800es shall
53 R3
be
AC-11
establish
NIST
ed for
clearing SP80053 R3
visible
documen AC-11
(1)
ts
NIST
containin SP800g
53 R3
sensitive MP-2
data
NIST
when a SP800workspa 53 R3
ce is
MP-2 (1)
unattend NIST
ed and SP800enforce 53 R3
ment of MP-3
NIST
workstati SP800on
53 R3
session MP-4
NIST
logout
SP800for a
period of 53 R3
inactivity MP-4 (1)
NIST
.
SP80053 R3
AC-18
NIST
SP80053 R3
AC-18
(1)
NIST
NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PL-4
NIST SP
NIST SP
800-53
800-53
R3 ACR3 MP-1
11
NIST SP NIST SP
800-53 800-53
R3 MP-2 R3 MP-1
NIST SP
800-53
R3 MP-2
NIST SP
800-53
R3 MP-2
(1)
NIST SP
800-53
R3 MP-3
NIST SP
800-53
R3 MP-4
NIST SP
800-53
R3 MP-4
(1)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 AC-1
18
NIST SP NIST SP
800-53 800-53
R3 AC- R3 AC18
18 (1)
NIST SP
800-53
R3 AC18 (2)
SP80053 R3
AC-18
(2)
NIST
NIST SP
800-53
R3 IA-7
SP80053 R3
AC-18
(3)
NIST SP NIST SP
800-53 800-53
R3 SC-1 R3 IA-7
NIST
SP80053 R3
AC-18
(4)
NIST
SP80053 R3
AC-18
(5)
NIST
SP80053 R3 IA3
NIST
SP80053 R3 IA7
NIST
SP80053 R3
SC-7
NIST
SP80053 R3
SC-7 (1)
Informati
on
Security
IS-18
Encrypti
on
Policies
and
procedur NIST
es shall SP800be
53 R3
establish SC-7 (2)
ed and
mechani NIST
SP800sms
impleme 53 R3
nted for SC-7 (3)
encrypti NIST
ng
SP800sensitive 53 R3
data in SC-7 (4)
storage NIST
(e.g., file SP800servers, 53 R3
database SC-7 (5)
s, and
end-user NIST
workstati SP800ons) and 53 R3
data in SC-7 (7)
transmis NIST
sion
SP800(e.g.,
53 R3
system SC-7 (8)
interface NIST
s, over SP80053 R3
public
networks SC-7
(12)
, and
NIST
electroni SP800c
53 R3
messagi SC-7
ng).
(13)
NIST SP NIST SP
800-53 800-53
R3 SC-7 R3 SC-7
NIST SP
NIST SP
800-53
800-53
R3 SC-7
R3 SC-13
(4)
NIST SP
800-53
R3 SC-8
NIST SP
800-53
R3 SC-8
(1)
NIST SP
800-53
R3 SC-9
NIST SP
800-53
R3 SC-9
(1)
NIST SP
800-53
R3 SC-13
NIST SP
800-53
R3 SC-13
(1)
NIST SP
800-53
R3 SC-23
NIST SP
800-53
R3 SC-28
NIST SP
800-53
R3 SI-8
, and
electroni
c
messagi
ng).
NIST
SP80053 R3
SC-7
(18)
NIST
SP80053 R3
SC-8
NIST
SP80053 R3
SC-8 (1)
NIST
SP80053 R3
SC-9
NIST
SP80053 R3
SC-9 (1)
NIST
SP80053 R3
SC-13
NIST
SP80053 R3
SC-13
(1)
NIST
SP80053 R3
SC-16
NIST
SP80053 R3
SC-23
NIST
SP80053 R3 SI8
NIST
Informati
on
Security
IS-19
Encrypti
on Key
Manage
ment
Policies
and
procedur
es shall
be
establish
ed and
mechani
sms
impleme
nted for
effective
key
manage
ment to
support
encrypti
on of
data in
storage
and in
transmis
SP80053 R3
SC-12
NIST
SP80053 R3
SC-12
(2)
NIST
SP80053 R3
SC-12
(5)
NIST
SP80053 R3
SC-13
NIST
SP80053 R3
SC-13
(1)
NIST SP NIST SP
800-53 800-53
R3 SC-12 R3 SC-12
NIST SP
NIST SP
800-53
800-53
R3 SC-12
R3 SC-13
(2)
NIST SP
800-53
R3 SC-12
(5)
NIST SP
800-53
R3 SC-13
NIST SP
800-53
R3 SC-13
(1)
IS-19
Encrypti
on Key
Manage
ment
effective
key
manage
ment to
support
encrypti
on of
data in
storage
and in
transmis
sion.
NIST
SP80053 R3
SC-17
NIST
SP80053 R3
SC-28
NIST
SP80053 R3
SC-28
(1)
NIST
Informati
on
Security
Vulnerab IS-20
ility /
Patch
Manage
ment
SP80053 R3
CM-3
NIST
SP80053 R3
CM-3 (2)
NIST
SP800Policies 53 R3
CM-4
NIST
and
procedur SP800es shall 53 R3
CP-10
be
NIST
establish SP800ed and 53 R3
mechani CP-10
sm
(2)
NIST
impleme
SP800nted for
53 R3
vulnerab
CP-10
ility and
(3)
NIST
patch
manage SP80053 R3
ment,
ensuring RA-5
NIST
that
applicati SP80053 R3
on,
system, RA-5 (1)
and
NIST
network SP800device
53 R3
vulnerab RA-5 (2)
ilities are NIST
evaluate SP800d and
53 R3
vendor- RA-5 (3)
supplied
security NIST
patches SP800applied 53 R3
RA-5 (9)
in a
timely
manner
taking a
riskbased
approac
h for
prioritizi
NIST SP
800-53
R3 SC-17
NIST SP NIST SP
800-53 800-53
R3 CM-4 R3 CM-3
NIST SP
800-53
R3 CM-3
(2)
NIST SP
800-53
R3 RA-5
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 CM-4
NIST SP
800-53
R3 RA-5
NIST SP
800-53
R3 SI-2
NIST SP
800-53
R3 RA-5
(1)
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 RA-5
(2)
NIST SP
800-53
R3 RA-5
(3)
NIST SP
800-53
R3 RA-5
(6)
NIST SP
800-53
R3 RA-5
(9)
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 SI-2
supplied
security
patches
applied
in a
timely
manner
taking a
riskbased
approac
h for
prioritizi
ng
critical
patches.
NIST
SP80053 R3
RA-5 (6)
NIST
SP80053 R3
SA-7
NIST
SP80053 R3 SI1
NIST
SP80053 R3 SI2
NIST
SP80053 R3 SI2
(2)
NIST
SP80053 R3 SI5
NIST
Informati
on
Security
AntiIS-21
Virus /
Malicious
Software
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 SC-5
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 SC-5
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-3
(1)
NIST SP
800-53
R3 SI-3
(2)
NIST SP
800-53
R3 SI-3
(3)
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)
NIST SP
800-53
R3 SI-8
NIST SP
SP800800-53
53 R3 IRR3 IR-1
1
NIST SP
800-53
R3 IR-1
SP800Ensure 53 R3
that all SA-7
NIST
antivirus SP800program 53 R3
s are
SC-5
NIST
capable SP800of
53 R3 SIdetectin 3
NIST
g,
SP800removin
53 R3 SIg, and
3 (1)
protectin NIST
g against SP80053 R3 SIall
3
(2)
known
NIST
types of SP800maliciou 53 R3 SIs or
3 (3)
NIST
unauthor SP800ized
53 R3 SIsoftware 5
NIST
with
antivirus SP800signatur 53 R3 SI7
NIST
e
updates SP800at least 53 R3 SI(1)
every 12 7
NIST
hours.
SP80053 R3 SI8
NIST
Policies
and
NIST SP
800-53
R3 SI-2
(2)
Informati
on
Security
IS-22
Incident
Manage
ment
Informati
on
Security
IS-23
Incident
Reportin
g
Policies
and
procedur
es shall
be
establish
ed to
triage
security
related
events
and
ensure
timely
and
thorough
incident
manage
ment.
NIST
SP80053 R3 IR2
NIST
SP80053 R3 IR3
NIST
SP80053 R3 IR4
NIST
SP80053 R3 IR4
(1)
NIST
SP80053 R3 IR5
NIST
SP80053 R3 IR7
NIST
SP80053 R3 IR7
(1)
NIST
SP80053 R3 IR7
(2)
NIST
SP80053 R3 IRContract
8
ors,
employe
es and
third
NIST
party
SP800users
53 R3 IRshall be 2
made
aware of
their
NIST
responsi
SP800bility to
53 R3 IRreport all
6
informati NIST
SP800on
security 53 R3 IR(1)
events in 6
NIST
a timely SP800manner. 53 R3 IRInformati 7
NIST
on
SP800security 53 R3 IRevents 7 (1)
NIST
shall be
SP800reported
53 R3 IRthrough
7 (2)
predefin
ed
communi
cations
channels
in a
prompt
NIST SP
800-53
R3 IR-2
NIST SP
800-53
R3 IR-4
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-2
NIST SP
800-53
R3 IR-3
NIST SP
800-53
R3 IR-4
NIST SP
800-53
R3 IR-4
(1)
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-7
(1)
NIST SP
800-53
R3 IR-7
(2)
NIST SP
800-53
R3 IR-8
NIST SP
800-53
R3 IR-2
NIST SP
800-53
R3 IR-2
NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 SI-5
NIST SP
800-53
R3 IR-6
NIST SP
800-53
R3 IR-6
(1)
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-7
(1)
NIST SP
800-53
R3 IR-7
(2)
Security
IS-23
Incident
Reportin
g
Informati
on
Security
Incident IS-24
Respons
e Legal
Preparati
on
security
events
shall be
reported
through
predefin NIST
SP800ed
communi 53 R3 SIcations 4
NIST
channels SP800in a
53 R3 SIprompt NIST
4 (2)
and
SP800expedien 53 R3 SIt manner 4 (4)
NIST
in
complian SP800ce with 53 R3 SI(5)
NIST
statutory 4
SP800,
regulator 53 R3 SI4
(6)
y and
NIST
contract SP800ual
53 R3 SIrequirem 5
NIST
ents.
SP80053 R3
AU-6
NIST
SP80053 R3
AU-6 (1)
NIST
SP800In the
event a 53 R3
follow-up AU-6 (3)
NIST
action
SP800concerni
53 R3
ng a
AU-7
person NIST
or
SP800organiza 53 R3
tion after AU-7 (1)
an
NIST
informati SP800on
53 R3
security AU-9
incident NIST
requires SP80053 R3
legal
AU-9 (2)
action
NIST
proper
forensic SP800procedur 53 R3
AU-11
es
NIST
including SP800chain of 53 R3 IRcustody 5
NIST
shall be SP800required 53 R3 IRfor
7
collectio
n,
retention
, and
presenta
tion of
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2) SP
NIST
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 SI-5
NIST SP NIST SP
800-53 800-53
R3 AU-6 R3 AU-6
NIST SP
NIST SP
800-53
800-53
R3 AU-6
R3 AU-9
(1)
NIST SP
800-53
R3 AU11
NIST SP
800-53
R3 AU-6
(3)
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 AU-7
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 AU-7
(1)
NIST SP
800-53
R3 IR-8
NIST SP
800-53
R3 AU-9
NIST SP
800-53
R3 AU-9
(2)
NIST SP
800-53
R3 AU10
NIST SP
800-53
R3 AU10
(5)SP
NIST
800-53
R3 AU11
Respons
e Legal
Preparati
on
Informati
on
Security
IS-25
Incident
Respons
e Metrics
Informati
on
Security
IS-26
Acceptab
le Use
chain of
custody
shall be
required
for
NIST
collectio
SP800n,
53 R3 IRretention
7
(1)
NIST
, and
presenta SP80053 R3 IRtion of
7 (2)
evidence NIST
to
SP800support 53 R3 IRpotential 8
legal
action
subject
to the
relevant
jurisdicti
on.
Mechani
sms
shall be
put in
place to
monitor
and
quantify
the
types,
volumes,
and
costs of
informati
on
security
incidents
.
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-7
NIST SP
800-53
R3 IR-7
(1)
NIST SP
800-53
R3 IR-7
(2)
NIST SP
800-53
R3 IR-8
NIST SP
800-53
R3 MP-5
NIST SP
800-53
R3 MP-5
(2)
NIST SP
800-53
R3 MP-5
(4)
NIST
NIST SP
SP800800-53
53 R3 IRR3 IR-4
4
NIST SP
800-53
R3 IR-4
NIST
SP80053 R3 IR4
(1)
NIST
SP80053 R3 IR5
NIST
NIST SP
800-53
R3 IR-4
(1)
NIST SP
800-53
R3 IR-5
SP80053 R3 IR8
NIST
SP80053 R3
Policies AC-8
NIST
and
SP800procedur 53 R3
es shall AC-20
NIST
be
SP800establish 53 R3
ed for
AC-20
the
(1)
acceptab NIST
le use of SP800informati 53 R3
AC-20
on
assets. (2)
NIST SP
800-53
R3 IR-5
NIST SP
800-53
R3 IR-8
NIST SP
800-53
R3 IR-8
NIST SP
800-53 NIST SP 800-53 R3 AC-8
R3 AC-2
NIST SP
800-53 NIST SP 800-53 R3 AC-20
R3 AC-8
NIST SP
800-53
R3 AC20
NIST SP
800-53
R3 PL-4
Acceptab
le Use
Informati
on
Security IS-27
Asset
Returns
Informati
on
Security
IS-28
eComme
rce
Transacti
ons
acceptab
le use of
informati
on
assets. NIST
SP80053 R3
PL-4
Employe
es,
contract
ors and
third
party
users
must
return all
assets
owned
by the
organiza
tion
NIST
NIST SP
within a SP800800-53
defined 53 R3
R3 PS-4
and
PS-4
documen
ted time
frame
once the
employ
ment,
contract
or
agreeme
nt has
been
terminat
ed.
NIST
NIST SP
SP800800-53
53 R3
R3 AC-1
AC-14
Electroni NIST
SP800- NIST SP
c
800-53
commer 53 R3
AC-14
R3 AC-2
ce (e(1)
NIST SP
commer NIST
SP800- 800-53
ce)
R3 ACrelated 53 R3
AC-21
22
data
NIST
traversin SP800- NIST SP
800-53
g public 53 R3
R3 AU-1
networks AC-22
NIST
shall be
SP800appropri
53 R3 IAately
8
classified NIST
SP800and
protecte 53 R3
AU-10
d from
fraudule
nt
activity,
unauthor
ized
disclosur
e or
modifica
NIST SP
800-53
R3 PS-4
NIST SP
800-53
R3 AC22
NIST SP
800-53
R3 AU10
NIST SP
800-53
R3 AU10 (5)
NIST SP
800-53
R3 SC-8
NIST SP
800-53
R3 SC-8
(1)
NIST SP
800-53
R3 SC-9
Informati
on
Security
IS-28
eComme
rce
Transacti
ons
Informati
on
Security
IS-29
Audit
Tools
Access
Informati
on
appropri
ately
classified
and
protecte
d from
NIST
fraudule SP800nt
53 R3
activity, AU-10
unauthor (5)
NIST
ized
SP800disclosur 53 R3
e or
SC-4
modifica NIST
SP800tion in
53 R3
such a
manner SC-8
NIST
to
SP800prevent
53 R3
contract
SC-8 (1)
dispute NIST
and
SP800compro 53 R3
mise of SC-9
data.
NIST
SP80053 R3
Access SC-9 (1)
to, and
use of,
audit
tools
that
NIST
interact
SP800with the
53 R3
organiza
AU-9
tions
informati
on
systems
shall be
appropri NIST
SP800ately
segment 53 R3
ed and AU-9 (2)
NIST
restricte
SP800d to
53 R3
prevent
AU-11
compro NIST
mise and SP800misuse 53 R3
AU-14
of log
NIST
data.
SP80053 R3
CM-7
NIST
SP80053 R3
CM-7 (1)
NIST
SP80053 R3
MA-3
User
access
to
diagnosti
c and
configur
NIST SP
800-53
R3 SC-9
(1)
NIST SP
800-53
R3 AU-9
NIST SP
800-53
R3 AU-9 NIST SP
800-53
R3 AU-9
(2)
NIST SP NIST SP
800-53 800-53
R3 CM-7 R3 CM-7
NIST SP
NIST SP
800-53
800-53
R3 CM-7
R3 MA-4
(1)
NIST SP NIST SP
800-53 800-53
R3 MA-5 R3 MA-3
Informati
on
Security
Diagnost
IS-30
ic /
Configur
ation
Ports
Access
NIST
User
access SP80053 R3
to
diagnosti MA-3 (1)
c and
NIST
configur SP800ation
53 R3
ports
MA-3 (2)
shall be
restricte NIST
SP800d to
authoriz 53 R3
MA-3 (3)
ed
NIST
individua
SP800ls and
53 R3
applicati
MA-4
ons.
NIST
SP80053 R3
MA-4 (1)
NIST SP
800-53
R3 MA-3
(1)
NIST
SP80053 R3
MA-4 (2)
NIST
SP80053 R3
MA-5
NIST
NIST SP
800-53
R3 MA-4
(2)
SP80053 R3
SC-20
NIST
SP80053 R3
SC-20
(1)
NIST
Informati
on
Security
Network IS-31
/
Infrastru
cture
Services
Network
and
infrastru
cture
service
level
agreeme
nts (inhouse or
outsourc
ed) shall
clearly
documen
t
security
controls,
capacity
and
service
levels,
and
business
or
SP80053 R3
SC-21
NIST
SP80053 R3
NIST
SC-22
SP80053 R3
SC23NIST
SP80053 R3
SC-24
NIST SP
800-53
R3 MA-3
(2)
NIST SP
800-53
R3 MA-3
(3)
NIST SP
800-53
R3 MA-4
NIST SP
800-53
R3 MA-4
(1)
NIST SP
800-53
R3 MA-5
NIST SP NIST SP
800-53 800-53
R3 CA-3 R3 CA-3
NIST SP NIST SP
800-53 800-53
R3 SA-9 R3 CP-6
NIST SP
800-53
R3 CP-6
(1)
NIST SP
800-53
R3 CP-6
(3)
NIST SP
800-53
R3 CP-7
NIST SP
800-53
R3 CP-7
(1)
NIST SP
800-53
R3 CP-7
(2)
Security
Network IS-31
/
Infrastru
cture
Services
clearly
documen
t
security
controls,
capacity
and
service
levels,
and
business
or
custome
r
requirem
ents.
NIST
SP80053 R3
AC-17
NIST
SP80053 R3
AC-17
(1)
NIST
SP80053 R3
AC-17
(2)
NIST
SP80053 R3
AC-17
(3)
NIST
SP80053 R3
AC-17
(4)
NIST
Policies
and
procedur
es shall
be
establish
ed and
measure
s
impleme
nted to
strictly
limit
access
SP80053 R3
AC-17
(5)
NIST
SP80053 R3
AC-17
(7)
NIST
SP80053 R3
AC-17
(8)
NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC18
NIST SP
800-53
R3 AC19
NIST SP
800-53
R3 CP-7
(3)
NIST SP
800-53
R3 CP-7
(5)
NIST SP
800-53
R3 CP-8
NIST SP
800-53
R3 CP-8
(1)
NIST SP
800-53
R3 CP-8
(2)
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)
NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC17 (1)
NIST SP
800-53
R3 AC17 (2)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 MP-2
17 (3)
NIST SP
NIST SP
800-53
800-53
R3 ACR3 MP-6
17 (4)
NIST SP
800-53
R3 AC17 (5)
NIST SP
800-53
R3 AC17 (7)
NIST SP
800-53
R3 AC17 (8)
Informati
on
Security
IS-32
Portable
/ Mobile
Devices
es shall
be
establish
ed and
measure
s
impleme
nted to
strictly
limit
access
to
sensitive
data
from
portable
and
mobile
devices,
such as
laptops,
cell
phones,
and
personal
digital
assistant
s (PDAs),
which
are
generall
y higherrisk than
nonportable
devices
(e.g.,
desktop
compute
rs at the
organiza
tions
facilities)
.
NIST
SP80053 R3
AC-18
NIST
SP80053 R3
AC-18
(1)
NIST
SP80053 R3
AC-18
(2)
NIST
SP80053 R3
AC-18
(3)
NIST
SP80053 R3
AC-18
(4)
NIST
SP80053 R3
AC-18
(5)
NIST
SP80053 R3
AC-19
NIST
SP80053 R3
AC-19
(1)
NIST
SP80053 R3
AC-19
(2)
NIST
SP80053 R3
AC-19
(3)
NIST
SP80053 R3
MP-2
NIST
SP80053 R3
MP-2 (1)
NIST
SP80053 R3
MP-4
NIST
SP80053 R3
MP-4 (1)
NIST SP
800-53
R3 AC18
NIST SP
800-53
R3 AC18 (1)
NIST SP
800-53
R3 AC18 (2)
NIST SP
800-53
R3 AC19
NIST SP
800-53
R3 AC19 (1)
NIST SP
800-53
R3 AC19 (2)
NIST SP
800-53
R3 AC19 (3)
NIST SP
800-53
R3 MP-2
NIST SP
800-53
R3 MP-2
(1)
NIST SP
800-53
R3 MP-4
NIST SP
800-53
R3 MP-4
(1)
NIST SP
800-53
R3 MP-6
NIST SP
800-53
R3 MP-6
(4)
NIST
SP80053 R3
MP-6
NIST
SP80053 R3
MP-6 (4)
Informati
on
Security
Source
IS-33
Code
Access
Restricti
on
Informati
on
Security
IS-34
Utility
Program
s Access
Access
to
applicati
on,
program
or object NIST
source
SP800code
53 R3
shall be CM-5
restricte
d to
authoriz
ed
personn
el on a NIST
need to SP80053 R3
know
CM-5 (1)
basis.
Records NIST
shall be SP800maintain 53 R3
ed
CM-5 (5)
regardin NIST
SP800g the
individua 53 R3
l granted CM-6
access, NIST
reason SP80053 R3
for
access CM-6 (1)
and
NIST
version SP800of source 53 R3
code
CM-6 (3)
exposed. NIST
SP80053 R3
AC-5
NIST
SP800Utility
program 53 R3
AC-6
s
NIST
capable
SP800of
53 R3
potential
AC-6 (1)
ly
overridin NIST
SP800g
system, 53 R3
NIST SP
object, AC-6 (2) 800-53
network,
R3 CM-7
virtual
machine
and
applicati
on
NIST SP
800-53
R3 CM-5
NIST SP
800-53
R3 CM-5
(1)
NIST SP
800-53
R3 CM-5
(5)
NIST SP
800-53
R3 AC-6
NIST SP
800-53
R3 AC-6
(1)
NIST SP
800-53
R3 AC-6
(2)
NIST SP
800-53
R3 CM-7
Informati
on
Security
IS-34
Utility
Program
s Access
ly
overridin
g
system,
object,
network,
virtual
machine
and
applicati
on
controls
shall be
restricte
d.
NIST
SP80053 R3
CM-7
NIST
SP80053 R3
CM-7 (1)
NIST
SP80053 R3
SC-3
NIST
NIST SP
800-53
R3 CM-7 NIST SP
800-53
R3 CM-7
(1)
SP80053 R3
SC-19
Legal
NonDisclosur
LG-01
e
Agreeme
nts
Require
ments
for nondisclosur
e or
confiden
tiality
agreeme
nts
NIST
reflectin SP800g the
53 R3
organiza PL-4
tion's
needs
for the
protectio
n of data
and
operatio NIST
nal
SP800details
53 R3
shall be PS-6
identifie NIST
SP800d,
documen 53 R3
ted and SA-9
NIST
reviewed
SP800at
53 R3
planned
SA-9 (1)
intervals
.
NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PL-4
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 PS-6
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)
Legal
Third
Party
LG-02
Agreeme
nts
indirectly
, impact
the
organiza
tions
informati
on
assets or
data are
required
to
include
explicit
coverage
of all
relevant
security
requirem
ents.
This
includes NIST
agreeme SP800nts
53 R3
involving CA-3
processi
ng,
accessin
g,
communi
cating,
hosting
or
managin
g the
organiza
tion's
informati
on
assets,
or
NIST
adding SP800or
53 R3
terminati MP-5
ng
NIST
services SP800or
53 R3
products MP-5 (2)
to
NIST
existing
SP800informati
53 R3
on.
MP-5 (4)
Assets
NIST
agreeme SP800nts
53 R3
provision PS-7
NIST
s shall
include SP800security 53 R3
SA-6
NIST
(e.g.,
encrypti SP80053 R3
on,
access SA-7
controls,
and
leakage
preventi
on) and
integrity
NIST SP NIST SP
800-53 800-53
R3 CA-3 R3 CA-3
NIST SP NIST SP
800-53 800-53
R3 PS-7 R3 MP-5
NIST SP
NIST SP
800-53
800-53
R3 MP-5
R3 SA-6
(2)
NIST SP
NIST SP
800-53
800-53
R3 MP-5
R3 SA-7
(4)
NIST SP NIST SP
800-53 800-53
R3 SA-9 R3 PS-7
NIST SP
800-53
R3 SA-6
NIST SP
800-53
R3 SA-7
security
(e.g.,
encrypti
on,
access
controls,
and
leakage
preventi
on) and
integrity
controls
for data
exchang
ed to
prevent
improper
disclosur
e,
alteratio
n or
destructi
on.
Policies
and
procedur
es shall
be
establish
NIST
SP80053 R3
SA-9
NIST
SP80053 R3
SA-9 (1)
NIST
SP80053 R3
CM-2
NIST
SP80053 R3
CM-2 (1)
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)
NIST SP NIST SP
800-53 800-53
R3 CM-2 R3 CM-2
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 CM-4
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 CM-6
CM-2 (3)
NIST SP
800-53
R3 CM-2
(3)
NIST
SP80053 R3
CM-2 (5)
NIST
SP80053 R3
CM-3
NIST
SP80053 R3
CM-3 (2)
NIST
SP80053 R3
CM-4
NIST
SP80053 R3
CM-5
NIST
SP80053 R3
CM-5 (1)
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 MA-4
(5)
NIST
SP80053 R3
CM-5 (5)
NIST
SP80053 R3
CM-6
NIST
SP80053 R3
CM-6 (1)
NIST SP
800-53
R3 CM-6
(1)
NIST SP
800-53
R3 CM-6
(3)
NIST SP NIST SP
800-53 800-53
R3 SA-3 R3 CM-3
NIST SP
NIST SP
800-53
800-53
R3 CM-3
R3 SA-4
(2)
NIST SP NIST SP
800-53 800-53
R3 SA-5 R3 CM-4
NIST SP
800-53
R3 CM-5
NIST SP
800-53
R3 CM-6
NIST SP
800-53
R3 CM-9
Operatio
ns
Manage OP-01
ment
Policy
Policies
and
procedur
es shall
be
establish
ed and
made
available
for all
personn
el to
adequat
ely
support
services
operatio
ns role.
NIST
SP80053 R3
CM-6 (3)
NIST
SP80053 R3
CM-9
NIST
SP80053 R3
MA-4
NIST
SP80053 R3
MA-4 (1)
NIST
SP80053 R3
MA-4 (2)
NIST
SP80053 R3
SA-3
NIST
SP80053 R3
SA-4
NIST
SP80053 R3
SA-4 (1)
NIST
SP80053 R3
SA-4 (4)
NIST
SP80053 R3
SA-4 (7)
NIST
SP80053 R3
SA-5
NIST
SP80053 R3
SA-5 (1)
NIST
SP80053 R3
SA-5 (3)
NIST
SP80053 R3
SA-8
NIST
SP80053 R3
SA-10
NIST SP
800-53
R3 MA-4
NIST SP
800-53
R3 MA-4
(1)
NIST SP
800-53
R3 MA-4
(2)
NIST SP
800-53
R3 SA-3
NIST SP
800-53
R3 SA-4
NIST SP
800-53
R3 SA-4
(1)
NIST SP
800-53
R3 SA-4
(4)
NIST SP
800-53
R3 SA-4
(7)
NIST SP
800-53
R3 SA-5
NIST SP
800-53
R3 SA-5
(1)
NIST SP
800-53
R3 SA-5
(3)
NIST SP
800-53
R3 SA-8
NIST SP
800-53
R3 SA-10
NIST SP
800-53
R3 SA-11
NIST SP
800-53
R3 SA-11
(1)
NIST
SP80053 R3
SA-11
NIST
NIST SP
800-53
R3 SA-12
SP80053 R3
SA-11
(1)
NIST
SP80053 R3
SA-12
on
system
documen
tation
(e.g.,
administ
rator and
user
guides,
architect
NIST
ure
diagram SP800s, etc.) 53 R3
shall be CP-9
made
available
to
authoriz
ed
personn
el to
ensure
the gur
following
ing
NIST SP NIST SP
800-53 800-53
R3 CP-9 R3 CP-9
,
ins
tall
ing
,
an NIST
NIST SP
d SP800- NIST SP 800-53
800-53
op 53 R3
R3 CP-9
era CP-9 (1) R3 CP-10 (1)
tin
g
the
inf
or
ma
tio
Operatio
ns
Manage
OP-02
ment
Docume
ntation
Operatio
ns
Manage
OP-02
ment
Docume
ntation
ect
ive
ly
usi
ng
the NIST
NIST SP
sys SP800- 800-53
te 53 R3
R3 SA-5
m CP-9 (3)
s
se
cur
ity NIST
SP80053 R3
CP-10
NIST
SP80053 R3
CP-10
(2)
NIST
SP80053 R3
CP-10
(3)
NIST
SP80053 R3
SA-5
NIST
SP80053 R3
SA-5 (1)
NIST
SP80053 R3
SA-5 (3)
NIST
SP80053 R3
SA-10
NIST
SP80053 R3
SA-11
NIST
SP80053 R3
SA-11
(1)
NIST SP
800-53
R3 CP-9
(3)
NIST SP
800-53
R3 CP-10
NIST SP
800-53
R3 CP-10
(2)
NIST SP
800-53
R3 CP-10
(3)
NIST SP
800-53
R3 SA-5
NIST SP
800-53
R3 SA-5
(1)
NIST SP
800-53
R3 SA-5
(3)
NIST SP
800-53
R3 SA-10
NIST SP
800-53
R3 SA-11
NIST SP
800-53
R3 SA-11
(1)
Operatio
ns
Manage
ment
OP-03
Capacity
/
Resource
Planning
Operatio
ns
Manage
ment
OP-04
The
availabili
ty,
quality,
and
adequat
e
capacity
and
resource
s shall
be
planned,
prepared
, and
NIST
measure
SP800d to
53 R3
deliver
SA-4
the
required
system
performa
nce in
accordan
ce with
regulator
y,
contract
ual and
business
requirem
NIST
ents.
Projectio SP80053 R3
ns of
SA-4 (1)
future
capacity NIST
requirem SP800ents
53 R3
shall be SA-4 (4)
made to
NIST
mitigate
SP800the risk
53 R3
of
SA-4 (7)
system NIST
overload SP800.
53 R3
MA-2
NIST
SP80053 R3
MA-2 (1)
NIST
SP80053 R3
MA-3
NIST
Policies SP80053 R3
and
procedur MA-3 (1)
es shall
be
establish
ed for
equipme
nt
NIST SP
800-53
R3 SA-4
NIST SP
800-53
R3 SA-4
NIST SP
800-53
R3 SA-4
(1)
NIST SP
800-53
R3 SA-4
(4)
NIST SP
800-53
R3 SA-4
(7)
NIST SP NIST SP
800-53 800-53
R3 MA-2 R3 MA-2
NIST SP
NIST SP
800-53
800-53
R3 MA-2
R3 MA-4
(1)
NIST SP NIST SP
800-53 800-53
R3 MA-5 R3 MA-3
NIST SP
800-53
R3 MA-3
(1)
Operatio
ns
Manage
ment
OP-04
Equipme
nt
Maintena
nce
Policies
and
procedur
es shall
be
establish
ed for
equipme
nt
mainten
ance
ensuring
continuit
y and
availabili
ty of
operatio
ns.
NIST
SP80053 R3
MA-3 (2)
NIST SP
800-53
R3 MA-3
(2)
NIST
SP80053 R3
MA-3 (3)
NIST
SP80053 R3
MA-4
NIST
SP80053 R3
MA-4 (1)
NIST SP
800-53
R3 MA-3
(3)
NIST
SP80053 R3
MA-4 (2)
NIST
SP80053 R3
MA-5
NIST
NIST SP
800-53
R3 MA-4
(2)
SP80053 R3
MA-6
NIST
Risk
Manage
RI-01
ment
Program
SP80053 R3
AC-4
NIST
SP80053 R3
CA-2
NIST
SP80053 R3
CA-2 (1)
NIST
SP80053 R3
CA-6
NIST
SP80053 R3
PM-9
NIST
SP800Organiza 53 R3
RA-1
tions
shall
develop
and
maintain
an
enterpris
e risk
manage
ment
framewo
rk to
manage
risk to
an
NIST SP
800-53
R3 MA-4
NIST SP
800-53
R3 MA-4
(1)
NIST SP
800-53
R3 MA-5
NIST SP
800-53
R3 MA-6
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP NIST SP
800-53 800-53
R3 AU-1 R3 AU-1
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-6
NIST SP
800-53
R3 CA-7
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-6
NIST SP
800-53
R3 CA-7
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 RA-2
Risk
Manage
RI-01
ment
Program
an
enterpris
e risk
manage
ment
framewo
rk to
manage
risk to
an
acceptab
le level.
NIST SP NIST SP
800-53 800-53
R3 RA-3 R3 RA-3
NIST SP
800-53
R3 SA-9
(1)
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 CM-1
Risk
Manage
ment RI-02
Assessm
ents
formal
risk
assessm
ents
shall be
performe
d at
least
annually,
or at
planned
intervals
,
determin
ing the
likelihoo
d and
impact
of all
identifie
d risks, NIST
using
SP800qualitati 53 R3
ve and PL-5
quantitat
ive
methods
. The
likelihoo
d and
impact
associat
ed with
inherent
and
residual
risk
should
be
determin NIST
ed
SP800indepen 53 R3
dently, RA-2
NIST
consideri
SP800ng all
53 R3
risk
RA-3
categori
es (e.g.,
audit
results,
threat
and
vulnerab
ility
analysis,
and
regulator
y
complian
ce).
NIST SP NIST SP
800-53 800-53
R3 CM-1 R3 RA-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 RA-3
NIST SP
800-53
R3 RA-2
NIST SP
800-53
R3 RA-3
Risk
Manage
ment
Mitigatio RI-03
n/
Acceptan
ce
Risk
Manage
ment
Business RI-04
/ Policy
Change
Impacts
Risks
shall be
mitigate
d to an
acceptab
le level.
Acceptan
ce levels
based on
NIST
risk
criteria SP800shall be 53 R3
establish CA-5
ed and
documen
ted in
accordan
ce with
reasonab
le
resolutio
n time
NIST
frames SP800and
53 R3
executiv CM-4
e
approval
.
NIST
SP80053 R3
CP-2
NIST
SP80053 R3
CP-2 (1)
Risk
assessm
ent
results
shall
include
updates
to
security
policies,
procedur
es,
standard
s and
controls
to
ensure
NIST
SP80053 R3
CP-2 (2)
NIST
SP80053 R3
RA-2
NIST
SP80053 R3
RA-3
NIST SP NIST SP
800-53 800-53
R3 CA-5 R3 CA-5
NIST SP NIST SP
800-53 800-53
R3 CP-1 R3 CP-1
NIST SP NIST SP
800-53 800-53
R3 RA-1 R3 RA-1
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AT-1
NIST SP NIST SP
800-53 800-53
R3 AU-1 R3 AU-1
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CP-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IR-1
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CP-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IR-1
Risk
Manage
ment
Business RI-04
/ Policy
Change
Impacts
updates
to
security
policies,
procedur
es,
standard
s and
controls
to
ensure
they
remain
relevant
and
effective
.
NIST
SP80053 R3
CA-3
NIST
SP80053 R3
MA-4
NIST
SP80053 R3
MA-4 (1)
NIST
The
SP800identifica 53 R3
tion,
MA-4 (2)
assessm NIST
ent, and SP800prioritiza 53 R3
RA-3
tion of
risks
posed by
business
processe
s
requiring
third
party
access
to the
organiza
tion's
informati
on
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 RA-3
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 RA-3
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP
800-53
R3 AC-1
NIST SP
800-53
R3 AT-1
NIST SP NIST SP
800-53 800-53
R3 AU-1 R3 AU-1
NIST SP NIST SP
800-53 800-53
R3 CA-1 R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CP-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CP-1
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IA-4
Risk
Manage
ment
RI-05
Third
Party
Access
s
requiring
third
party
access
to the
organiza
tion's
informati
on
systems
and data
shall be
followed
by
coordina
ted
applicati
on of
resource
s to
minimize
,
monitor,
and
measure
likelihoo
d and
impact
of
unauthor
ized or
inapprop
riate
access.
Compen
sating
controls
derived
from the
risk
analysis
shall be
impleme
nted
prior to
provision
ing
access.
NIST SP
800-53
R3 IA-5
(1)
NIST SP
800-53
R3 IR-1
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 SA-1
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 IA-5
(1) SP
NIST
800-53
R3 IA-5
(2)
NIST SP
800-53
R3 IA-5
(3)
NIST SP
800-53
R3 IA-5
(6)
NIST SP
800-53
R3 IA-5
(7)
NIST SP
800-53
R3 IA-8
NIST SP
800-53
R3 IR-1
NIST SP
800-53
R3 MA-1
NIST SP
800-53
R3 MP-1
NIST SP
800-53
R3 PE-1
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PS-1
NIST SP
800-53
R3 RA-1
NIST SP
800-53
R3 SA-1
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SI-1
Release
Manage
ment
New
RM-01
Develop
ment /
Acquisiti
on
NIST
SP80053 R3
CA-1
NIST
SP80053 R3
CM-1
NIST
SP800Policies 53 R3
CM-9
and
NIST
procedur SP800es shall 53 R3
be
PL-1
NIST
establish SP800ed for
53 R3
manage PL-2
ment
NIST
authoriz SP800ation for 53 R3
develop PL-2 (2)
ment or NIST
acquisiti SP800on of
53 R3
new
SA-1
NIST
applicati SP800ons,
53 R3
systems, SA-3
NIST
database
SP800s,
53 R3
infrastru
SA-4
cture,
NIST
services, SP800operatio 53 R3
ns, and SA-4 (1)
facilities.
NIST
SP80053 R3
SA-4 (4)
NIST
SP80053 R3
SA-4 (7)
NIST
SP80053 R3
CA-1
NIST
SP80053 R3
CA-6
NIST
SP80053 R3
CA-7
NIST
SP80053 R3
CA-7 (2)
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PL-2
NIST SP
800-53
R3 SA-1
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CM-9
NIST SP
800-53
R3 PL-1
NIST SP
800-53
R3 PL-2
NIST SP NIST SP
800-53 800-53
R3 SA-3 R3 SA-1
NIST SP NIST SP
800-53 800-53
R3 SA-4 R3 SA-3
NIST SP
800-53
R3 SA-4
NIST SP
800-53
R3 SA-4
(1)
NIST SP
800-53
R3 SA-4
(4)
NIST SP
800-53
R3 SA-4
(7)
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-6
NIST SP
800-53
R3 CA-7
NIST SP
800-53
R3 CA-1
NIST SP
800-53
R3 CA-6
NIST SP
800-53
R3 CA-7
NIST SP
NIST SP
800-53
800-53
R3 CA-7
R3 CM-2
(2)
NIST
SP80053 R3
CM-2
NIST
SP80053 R3
CM-2 (1)
Release
Manage
ment
RM-02
Producti
on
Changes
NIST SP NIST SP
800-53 800-53
R3 CM-6 R3 CM-2
NIST SP
800-53
R3 PL-2
NIST SP
800-53
R3 CM-2
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 PL-5
CM-2 (3)
NIST SP
800-53
R3 CM-2
(3)
Changes
NIST
to the
NIST SP
SP800producti
800-53
53 R3
on
R3 SI-2
CM-2 (5)
environ NIST
ment
SP800shall be 53 R3
documen CM-3
ted,
NIST
tested
SP800and
53 R3
approve CM-3 (2)
d prior to NIST
impleme SP800ntation. 53 R3
Producti CM-5
NIST
on
software SP80053 R3
and
hardwar CM-5 (1)
e
NIST
changes SP800may
53 R3
include CM-5 (5)
applicati NIST
SP800ons,
systems, 53 R3
database CM-6
NIST
s and
network SP800devices 53 R3
requiring CM-6 (1)
patches, NIST
service SP800packs,
53 R3
and
CM-6 (3)
NIST
other
updates SP80053 R3
and
modifica CM-9
NIST
tions.
SP80053 R3
PL-2
NIST SP
800-53
R3 CM-2
(5)
NIST SP
800-53
R3 CM-3
NIST SP
800-53
R3 CM-3
(2)
NIST SP
800-53
R3 CM-5
NIST SP
800-53
R3 CM-5
(1)
NIST SP
800-53
R3 CM-5
(5)
NIST SP
800-53
R3 CM-6
NIST SP
800-53
R3 CM-6
(1)
NIST SP
800-53
R3 CM-6
(3)
NIST SP
800-53
R3 CM-9
NIST SP
800-53
R3 PL-2
and
modifica
tions.
NIST
SP80053 R3
PL-2 (2)
NIST
SP80053 R3
PL-5
NIST
SP80053 R3 SI2
NIST
SP80053 R3 SI2
(2)
NIST
SP80053 R3 SI6
NIST
SP80053 R3 SI7
NIST
A
program
SP800for the
systemat 53 R3 SI7 (1)
ic
monitori
ng and
evaluatio
n to
ensure
that
standard
s of
quality
NIST
are
SP800being
met shall 53 R3
CM-1
be
establish
ed for all
software
develope
d by the
organiza
tion.
Quality
evaluatio
NIST
n and
acceptan SP80053 R3
ce
criteria CM-2
NIST
for
informati SP80053 R3
on
systems, CM-2 (1)
upgrade
s, and
new
versions
shall be
establish
ed,
documen
NIST SP
800-53
R3 PL-5
NIST SP
800-53
R3 SI-2
NIST SP
800-53
R3 SI-2
(2)
NIST SP
800-53
R3 SI-6
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)
NIST SP NIST SP
800-53 800-53
R3 CM-1 R3 CM-1
NIST SP NIST SP
800-53 800-53
R3 CM-2 R3 CM-2
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 SA-3
(1)
Release
Manage
ment RM-03
Quality
Testing
criteria
for
informati
on
systems,
upgrade NIST
s, and
SP800new
53 R3
versions CM-2 (3)
shall be NIST
establish SP800ed,
53 R3
documen CM-2 (5)
ted and NIST
tests of SP800the
53 R3
system(s SA-3
NIST
) shall be
SP800carried
53 R3
out both
SA-4
during
NIST
develop SP800ment
53 R3
and prior SA-4 (1)
to
acceptan NIST
SP800ce to
maintain 53 R3
security. SA-4 (4)
Manage NIST
SP800ment
53 R3
shall
have a SA-4 (7)
NIST
clear
oversigh SP80053 R3
t
capacity SA-5
NIST
in the
quality SP800testing 53 R3
process SA-5 (1)
with the NIST
SP800final
product 53 R3
SA-5 (3)
being
certified NIST
as "fit for SP800purpose" 53 R3
SA-8
(the
NIST
product SP800should
53 R3
be
SA-10
NIST
suitable SP800for the
53 R3
intended SA-11
purpose) NIST
SP800and
53 R3
"right
SA-11
first
(1)
NIST
time"
(mistake SP800s should 53 R3
SA-13
be
eliminat
ed) prior
to
release.
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 SA-4
(3)
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 SA-5
(5)
NIST SP
800-53
R3 SA-3
NIST SP
800-53
R3 SA-4
NIST SP
800-53
R3 SA-4
(1)
NIST SP
800-53
R3 SA-4
(4)
NIST SP
800-53
R3 SA-4
(7)
NIST SP
800-53
R3 SA-5
NIST SP
800-53
R3 SA-5
(1)
NIST SP
800-53
R3 SA-5
(3)
NIST SP
800-53
R3 SA-8
NIST SP
800-53
R3 SA-10
NIST SP
800-53
R3 SA-11
NIST SP
800-53
R3 SA-11
(1)
Release
Manage
ment
Outsourc RM-04
ed
Develop
ment
ic
monitori
ng and
evaluatio
n to
ensure
that
standard
s of
quality
are
being
met shall
be
establish
ed for all
outsourc
ed
software
develop
ment.
NIST
The
SP800develop 53 R3
ment of SA-4
all
outsourc
ed
software
shall be
supervis
ed and
monitore
d by the
organiza
tion and
must
include
security
requirem
ents,
indepen NIST
SP800dent
security 53 R3
review of SA-4 (1)
the
NIST
outsourc SP800ed
53 R3
environ SA-4 (4)
ment by
NIST
a
certified SP800individua 53 R3
SA-4 (7)
l,
NIST
certified
SP800security
53 R3
training
SA-5
for
NIST
outsourc SP800ed
53 R3
software SA-5 (1)
develope
rs, and
code
reviews.
Certificat
ion for
the
purposes
NIST SP NIST SP
800-53 800-53
R3 SA-4 R3 SA-4
NIST SP
NIST SP
800-53
800-53
R3 SA-4
R3 SA-5
(1)
NIST SP
NIST SP
800-53
800-53
R3 SA-4
R3 SA-9
(4)
NIST SP
800-53
R3 SA-4
(7)
NIST SP
800-53
R3 SA-5
NIST SP
800-53
R3 SA-5
(1)
for
outsourc
ed
software
develope
rs, and NIST
SP800code
reviews. 53 R3
Certificat SA-5 (3)
NIST
ion for
SP800the
53 R3
purposes
SA-8
NIST
of this
control SP800shall be 53 R3
defined SA-9
NIST
as either
SP800an
53 R3
ISO/IEC
SA-9 (1)
17024
NIST
accredite SP800d
53 R3
certificat SA-10
ion or a NIST
SP800legally
recogniz 53 R3
SA-11
NIST
ed
license SP80053 R3
or
certificat SA-11
(1)
ion in
NIST
the
SP800legislativ 53 R3
e
SA-12
NIST
jurisdicti
SP800on the
53 R3
organiza
SA-13
NIST
tion
outsourci SP80053 R3
ng the
develop CM-1
NIST
ment
SP800has
53 R3
chosen CM-2
NIST
as its
domicile. SP80053 R3
CM-2 (1)
NIST SP
800-53
R3 SA-5
(3)
NIST SP
800-53
R3 SA-8
NIST SP
800-53
R3 SA-9
NIST SP
800-53
R3 SA-9
(1)
NIST SP
800-53
R3 SA-10
NIST SP
800-53
R3 SA-11
NIST SP
800-53
R3 SA-11
(1)
NIST SP
800-53
R3 SA-12
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CM-2
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 CM-7
(1)
NIST
NIST SP
SP800800-53
53 R3
R3 CM-8
CM-2 (3)
NIST
SP80053 R3
CM-2 (5)
NIST
SP80053 R3
CM-3
NIST SP
800-53
R3 CM-1
NIST SP
800-53
R3 CM-2
NIST SP
800-53
R3 CM-2
(3)
NIST SP
NIST SP
800-53
800-53
R3 CM-2
R3 SA-6
(5)
NIST SP NIST SP
800-53 800-53
R3 SA-7 R3 CM-3
NIST
SP80053 R3
CM-3 (2)
NIST
SP80053 R3
CM-5
NIST
SP80053 R3
CM-5 (1)
Release
Manage
ment
Unauthor
RM-05
ized
Software
Installati
ons
NIST
SP80053 R3
CM-5 (5)
NIST
SP80053 R3
CM-7
NIST
SP80053 R3
CM-7 (1)
NIST
Policies SP800and
53 R3
procedur CM-8
es shall NIST
be
SP800establish 53 R3
ed and CM-8 (1)
mechani
NIST
sms
SP800impleme
53 R3
nted to
CM-8 (3)
restrict
NIST
the
installati SP80053 R3
on of
unauthor CM-8 (5)
NIST
ized
software. SP80053 R3
CM-9
NIST
SP80053 R3
SA-6
NIST
SP80053 R3
SA-7
NIST
SP80053 R3 SI1
NIST
SP80053 R3 SI3
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 CM-3
(2)
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 CM-5
NIST SP
800-53
R3 CM-5
(1)
NIST SP
800-53
R3 CM-5
(5)
NIST SP
800-53
R3 CM-7
NIST SP
800-53
R3 CM-7
(1)
NIST SP
800-53
R3 CM-8
NIST SP
800-53
R3 CM-8
(1)
NIST SP
800-53
R3 CM-8
(3)
NIST SP
800-53
R3 CM-8
(5)
NIST SP
800-53
R3 CM-9
NIST SP
800-53
R3 SA-6
NIST SP
800-53
R3 SA-7
NIST SP
800-53
R3 SI-1
NIST SP
800-53
R3 SI-3
NIST
SP80053 R3 SI3
(1)
NIST
SP80053 R3 SI3 (2)
NIST
SP80053 R3 SI3
(3)
NIST
SP80053 R3 SI4
NIST
SP80053 R3 SI4
(2)
NIST
SP80053 R3 SI4
(4)
NIST
SP80053 R3 SI4
(5)
NIST
SP80053 R3 SI4
(6)
NIST
SP80053 R3 SI7
NIST
SP80053 R3 SI7 (1)
NIST SP
800-53
R3 SI-3
(1)
NIST SP
800-53
R3 SI-3
(2) SP
NIST
800-53
R3 SI-3
(3)
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)
Resilienc
y
Manage RS-01
ment
Program
recovery
of
informati
on
assets
(which
may be
the
result of,
for
example,
natural
disasters
,
accident
s,
equipme
nt
failures,
and
deliberat NIST
SP800e
actions) 53 R3
through CP-1
a
combina
tion of
preventi
ve and
recovery
controls,
in
accordan
ce with
regulator
y,
statutory
,
contract
ual, and NIST
business SP800requirem 53 R3
ents and CP-2
consiste NIST
nt with SP800industry 53 R3
standard CP-2 (1)
s. This
NIST
Resilienc SP800y
53 R3
manage CP-2 (2)
ment
program
shall be
communi
cated to
all
organiza
tional
participa
nts with
a need
to know
basis
prior to
adoption
and shall
NIST SP NIST SP
800-53 800-53
R3 CP-1 R3 CP-1
NIST SP NIST SP
800-53 800-53
R3 CP-2 R3 CP-2
NIST SP
800-53
R3 CP-2
(1)
NIST SP
800-53
R3 CP-2
(2)
shall be
a
defined
and
documen
ted
method
for
determin
ing the
impact
of any
disruptio
n to the
organiza
tion
which
must
incorpor
ate the
following
Ide
ntif
y
crit
ica
l
pro
du
cts
an
d
ser
nd
en
cie
s,
inc
lud
ing
pro
ce
sse
s,
ap
pli
cat
ion
s,
bu
sin
ess
par
tne
rs
an
d
thi
rd
par
NIST SP NIST SP
800-53 800-53
R3 CP-1 R3 CP-1
NIST SP NIST SP
800-53 800-53
R3 CP-2 R3 CP-2
NIST SP NIST SP
800-53 800-53
R3 RA-3 R3 RA-3
Resilienc
y
RS-02
Impact
Analysis
sta
nd
thr
eat
s
to
crit
ica
l
pro
du
cts
an
cts
d
res
ulti
ng
fro
m
pla
nn
NIST
ed
SP800or
53 R3
un
RA-3
pla
nn
ed
dis
rup
tio
ns
an
d
ho
w
abl
the
ish
the
ma
xi
mu
m
tol
era
ble
per
iod
for
dis
Est
abl
ish
pri
ori
tie
s
for
rec
ov
tim
e
obj
ect
ive
s
for
res
um
pti
on
of
crit
ica
l
pro
du
cts
an
d
ser
vic
es
wit
hin
the
ir
ma
xi
mu
m
tol
era
Est
im
ate
the
res
our
ce
s
req
uir
ed
for
res
um
y
planning
and plan
develop
ment
shall be
establish
ed,
documen
ted and
adopted
to
ensure
all
business
continuit
NIST
y plans
SP800are
53 R3
consiste
CP-1
nt in
addressi
ng
priorities
for
testing
and
mainten
ance and
informati
on
security
requirem
ents.
Require
mentsed
pur
po
se
an
d
sc
op
e, NIST
ali SP800gn 53 R3
ed CP-2
wit
h
rel
ev
ant
de
pe
NIST
SP80053 R3
CP-1
NIST
SP80053 R3
CP-1
NIST
SP80053 R3
CP-2
NIST
SP80053 R3
CP-2
ssi
ble
to
an
d
un
der NIST
sto SP800od 53 R3
by CP-2 (1)
tho
se
wh
o
will
na
Resilienc
y
Business
RS-03
Continuit
y
Planning
me
d
per
so
n(s
)
wh
o
is NIST
res SP800po 53 R3
nsi CP-2 (2)
ble
for
the
ir
rev
ie
w,
up
lin
dat
es
of
co
m
mu NIST
nic SP800ati 53 R3
on, CP-3
rol
es
an
d
res
po
NIST
SP80053 R3
CP-3
NIST
SP80053 R3
CP-2 (1)
NIST
SP80053 R3
CP-4
NIST
SP80053 R3
CP-2 (2)
NIST
SP80053 R3
CP-9
NIST
SP80053 R3
CP-3
Resilienc
y
Business
RS-03
Continuit
y
Planning
rec
ov
ery
pro
ce
dur
es,
ma
nu
al NIST
wo SP800rk- 53 R3
aro CP-4
un
d
an
d
ref
ere
nc
Me
e
tho
d NIST
for SP800pla 53 R3
n CP-4 (1)
inv
oc NIST
SP80053 R3
CP-6
NIST
SP80053 R3
CP-6 (1)
NIST
SP80053 R3
CP-10
NIST
SP80053 R3
CP-4
NIST
SP80053 R3
CP-4 (1)
NIST
SP80053 R3
CP-6
NIST
SP80053 R3
CP-6 (1)
NIST
SP80053 R3
CP-6 (3)
NIST
SP80053 R3
CP-7
NIST
SP80053 R3
CP-7 (1)
NIST
SP80053 R3
CP-6 (3)
NIST
SP80053 R3
CP-7
NIST
SP80053 R3
CP-7 (1)
NIST
SP80053 R3
CP-7 (2)
NIST
SP80053 R3
CP-7 (2)
NIST
SP80053 R3
CP-7 (3)
NIST
SP80053 R3
CP-7 (3)
Resilienc
y
Business RS-04
Continuit
y Testing
NIST
SP80053 R3
CP-7 (5)
NIST
SP80053 R3
CP-8
NIST
SP80053 R3
CP-8 (1)
NIST
SP80053 R3
CP-7 (5)
NIST
SP80053 R3
CP-8
NIST
SP80053 R3
CP-8 (1)
NIST
SP80053 R3
CP-8 (2)
NIST
SP80053 R3
CP-9
NIST
SP80053 R3
CP-9 (1)
NIST
SP80053 R3
CP-8 (2)
NIST
SP80053 R3
CP-9
NIST
SP80053 R3
CP-9 (1)
NIST
SP80053 R3
CP-9 (3)
NIST
SP80053 R3
CP-10
NIST
NIST
SP80053 R3
CP-9 (3)
NIST
SP80053 R3
CP-10
NIST
SP80053 R3
CP-10
(2)
NIST
SP80053 R3
CP-10
(2)
NIST
SP80053 R3
CP-10
(3)
NIST
SP80053 R3
CP-10
(3)
NIST
SP80053 R3
PE-17
NIST
SP80053 R3
PE-17
NIST
Business SP800continuit 53 R3
y plans CP-2
shall be NIST
subject SP800to test at 53 R3
planned CP-2 (1)
intervals NIST
or upon SP800significa 53 R3
nt
CP-2 (2)
organiza
tional or
environ
mental
changes
to
ensure
continuin
NIST
SP80053 R3
CP-2
NIST
SP80053 R3
CP-3
NIST
SP80053 R3
CP-4
SP80053 R3
CP-2
NIST
SP80053 R3
CP-2 (1)
NIST
SP80053 R3
CP-2 (2)
Resilienc
y
Business RS-04
Continuit
y Testing
Resilienc
y
Environ RS-05
mental
Risks
intervals
or upon
significa
nt
organiza NIST
tional or SP800environ 53 R3
mental CP-3
NIST
changes SP800to
53 R3
ensure CP-4
continuin NIST
g
SP800effective 53 R3
Physical
ness.
CP-4 (1)
protectio
n against
damage
from
natural
causes
and
disasters
as well
as
deliberat
e attacks NIST
NIST
including SP800- SP800fire,
53 R3
53 R3
flood,
PE-1
PE-1
atmosph
eric
electrical
discharg
e, solar
induced
geomag
netic
storm,
wind,
earthqua NIST
NIST
ke,
SP800- SP800tsunami, 53 R3
53 R3
explosio PE-13
PE-13
n,
NIST
NIST
nuclear SP800- SP800mishap, 53 R3
53 R3
volcanic PE-13 (1) PE-14
activity,
NIST
NIST
biologica
SP800- SP800l hazard,
53 R3
53 R3
civil
PE-13 (2) PE-15
unrest,
mudslide NIST
SP800,
tectonic 53 R3
activity, PE-13 (3)
NIST
and
SP800other
forms of 53 R3
natural PE-14
or manmade
disaster
shall be
anticipat
ed,
designed
NIST
SP80053 R3
CP-3
NIST
SP80053 R3
CP-4
NIST
SP80053 R3
CP-4 (1)
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
PE-13
NIST
SP80053 R3
PE-13 (1)
NIST
SP80053 R3
PE-13 (2)
NIST
SP80053 R3
PE-13 (3)
NIST
SP80053 R3
PE-14
Resilienc
y
Equipme RS-06
nt
Location
tectonic
activity,
and
other
forms of
natural
NIST
or manSP800made
53 R3
disaster
PE-14 (1)
shall be NIST
anticipat SP800ed,
53 R3
designed PE-15
NIST
and
counter SP800To
measure 53 R3
reduce
s risks PE-18
the
applied.
from
environ
mental
threats,
hazards
and
NIST
NIST
opportun SP800- SP800ities for 53 R3
53 R3
unauthor PE-1
PE-1
ized
access
equipme
nt shall
be
located
away
NIST
NIST
from
SP800- SP800locations 53 R3
53 R3
subject NIST
PE-5
PE-14
NIST
to high SP800- SP800probabili 53 R3
53 R3
ty
PE-14
PE-15
environ NIST
mental SP800risks and 53 R3
supplem PE-14 (1)
ented by NIST
redunda SP80053 R3
nt
equipme PE-15
NIST
nt
SP800located a 53 R3
reasonab PE-18
NIST
NIST
le
SP800- SP800distance.
53 R3
53 R3
CP-8
PE-1
NIST
NIST
SP800- SP80053 R3
53 R3
CP-8 (1) PE-12
NIST
SP80053 R3
CP-8 (2)
NIST
SP80053 R3
PE-13
NIST
SP80053 R3
PE-15
NIST
SP80053 R3
PE-18
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
PE-5
NIST
SP80053 R3
PE-14
NIST
SP80053 R3
PE-15
NIST
SP80053 R3
PE-18
NIST
SP80053 R3
CP-8
NIST
SP80053 R3
CP-8 (1)
NIST
SP80053 R3
CP-8 (2)
Resilienc
y
Equipme RS-07
nt Power
Failures
NIST
NIST
SP800- SP80053 R3
53 R3
PE-1
PE-14
NIST
SP80053 R3
PE-9
NIST
SP80053 R3
PE-10
NIST
SP80053 R3
PE-11
NIST
SP80053 R3
PE-11 (1)
NIST
SP80053 R3
PE-12
NIST
SP80053 R3
PE-13
Security
mechani
sms and
redunda
ncies
shall be
impleme
nted to
protect
equipme
nt from
utility
service
outages
(e.g.,
power
failures,
network
disruptio NIST
ns, etc.). SP80053 R3
PE-13 (1)
NIST
SP80053 R3
PE-13 (2)
Resilienc
y
Power /
RS-08
Telecom
municati
ons
NIST
SP80053 R3
PE-13 (3)
NIST
SP80053 R3
PE-14
NIST
SP800Telecom 53 R3
municati PE-14 (1)
ons
equipme
NIST
NIST
nt,
SP800SP800cabling
53
R3
53 R3
and
PE-1
PE-1
relays
transcevi
ng data NIST
NIST
or
SP800- SP800supporti 53 R3
53 R3
ng
PE-4
PE-13
services
shall be
protecte
d from
intercept
ion or
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
PE-9
NIST
SP80053 R3
PE-10
NIST
SP80053 R3
PE-11
NIST
SP80053 R3
PE-12
NIST
SP80053 R3
PE-13
NIST
SP80053 R3
PE-13 (1)
NIST
SP80053 R3
PE-13 (2)
NIST
SP80053 R3
PE-13 (3)
NIST
SP80053 R3
PE-14
NIST
SP80053 R3
PE-1
NIST
SP80053 R3
PE-4
Resilienc
y
Power /
RS-08
Telecom
municati
ons
Security
Architect
ure
Custome SA-01
r Access
Require
ments
transcevi
ng data
or
supporti
ng
NIST
NIST
services NIST
shall be SP800- SP800- SP80053 R3
53 R3
protecte 53 R3
PE-13
PE-13 (1) PE-13
d from
intercept NIST
NIST
NIST
ion or
SP800- SP800- SP800damage 53 R3
53 R3
53 R3
and
PE-13 (1) PE-13 (2) PE-13 (1)
designed
NIST
NIST
NIST
with
SP800- SP800- SP800redunda
53 R3
53 R3
53 R3
ncies,
PE-13 (2) PE-13 (3) PE-13 (2)
alternati
NIST
ve power NIST
SP800SP800source
53 R3
53 R3
and
PE-13
(3)
PE-13 (3)
alternati
Prior to
ve
granting
routing.
custome
rs access
to data, NIST
NIST SP NIST SP
assets
SP800800-53 800-53
and
53 R3
R3 CA-1 R3 CA-1
informati CA-1
on
systems,
all
identifie
NIST
NIST SP NIST SP
d
SP800800-53 800-53
security,
53 R3
R3 CA-2 R3 CA-2
contract
CA-2
ual and NIST
NIST SP NIST SP
regulator SP800- 800-53 800-53
y
53 R3
R3 CA-2 R3 CA-2
requirem CA-2 (1) (1)
(1)
ents for NIST
NIST SP NIST SP
custome SP800800-53 800-53
r access 53 R3
R3 CA-5 R3 CA-5
shall be CA-5
NIST
addresse SP800- NIST SP NIST SP
800-53 800-53
d and
53 R3
R3 CA-6 R3 CA-6
remediat CA-6
ed.
Impleme
nt and
enforce
(through
automati
on) user
credenti
al and
passwor
d
controls
for
applicati NIST
ons,
SP800database 53 R3
s and
AC-1
server
and
network
infrastru
cture,
requiring
the
following
minimu
m
standard
s:
er
ide
nti
ty
ver
ific
ati NIST
on SP800pri 53 R3
or AC-2
to
pa
ss
wo
rd
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP NIST SP
800-53 800-53
R3 AC-2 R3 AC-2
us
er
(i.e
.,
ad
mi
nis
tra
tor
),
es
pe
cia
lly
if
co
m NIST
NIST SP NIST SP
mu SP800800-53 800-53
nic 53 R3
R3 AC-3 R3 AC-3
ate AC-2 (1)
d
in
pla
int
ext
(i.e
,
via
em
ail)
,
pa
ss
wo
rd
mu
ly
ac
ce
ss
rev NIST
oc SP800- NIST SP
800-53
ati 53 R3
on AC-2 (2) R3 AU-2
for
ter
mi
nat
ed
NIST SP
800-53
R3 AC11
dis
abl
e
ina
cti
ve
us NIST
er SP800ac 53 R3
co AC-2 (3)
unt
s
at
lea
st
er
NIST SP
800-53
R3 AU11
IDs
an
d
dis
all
ow
gro
up,
sh NIST
NIST SP
are SP800- 800-53
d, 53 R3
R3 IA-1
or AC-2 (4)
ge
ner
ic
ac
co
unt
s
an
ss
d
wo
rd
ex
pir NIST
ati SP800- NIST SP
800-53
on 53 R3
at AC-2 (7) R3 IA-2
lea
st
ev
ery
NIST SP
800-53
R3 AC11 (1)
NIST SP
800-53
R3 AU-2
NIST SP
800-53
R3 AU-2
(3)
Security
Architect
ure
SA-02
User ID
Credenti
als
m
pa
ss
wo
rd
len NIST
gth SP800of 53 R3
at AC-3
lea
st
se
ve
n
pa
(7)
ss
wo
rds
co
nta
ini
ng NIST
bot SP800h 53 R3
nu AC-3 (3)
me
ric
an
d
alp
ha
bet
pa
ss
wo
rd
reus
e
aft NIST
er SP800the 53 R3
las AC-11
t
fou
r
(4)
pa
ss
NIST SP
800-53
R3 IA-2
(1)
NIST SP
800-53
R3 AU-2
(4)
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 AU11
NIST SP
800-53
R3 IA-5
(1)
NIST SP
800-53
R3 IA-1
er
ID
loc
ko
ut
aft NIST
er SP800not 53 R3
mo AC-11
re (1)
tha
n
six
(6)
att
ut
dur
ati
on
to
a
mi
ni
mu
m
of NIST
30 SP800mi 53 R3
nut AU-2
es
or
unt
il
ad
mi
nis
tra
tor
en
NIST SP
800-53
R3 IA-6
NIST SP
800-53
R3 IA-2
NIST SP
800-53
R3 IA-8
NIST SP
800-53
R3 IA-2
(1)
ss
wo
rd
to
rea
cti
vat
e
ter
mi
nal NIST
aft SP800er 53 R3
ses AU-2 (3)
sio
n
idl
e
tim
e
for
mo
re
er
tha
act
ivit
y
log
s
for
pri
vil NIST
eg SP800ed 53 R3
ac AU-2 (4)
ce
ss
or
ac
ce
ss
to
NIST
SP80053 R3
AU-11
NIST
SP80053 R3 IA1
NIST
SP80053 R3 IA2
NIST
SP80053 R3 IA2
(1)
NIST
SP80053 R3 IA2 (2)
NIST SP
800-53
R3 IA-2
(2)
NIST SP
800-53
R3 IA-2
(3)
NIST SP
800-53
R3 IA-2
(8)
NIST SP
800-53
R3 IA-5
NIST SP
800-53
R3 IA-5
(1)
NIST SP
800-53
R3 IA-5
(2)
NIST SP
800-53
R3 IA-5
(3)
NIST
SP80053 R3 IA2
(3)
NIST
SP80053 R3 IA2 (8)
NIST
SP80053 R3 IA5
NIST
SP80053 R3 IA5
(1)
NIST
SP80053 R3 IA5
(2)
NIST
SP80053 R3 IA5
(3)
NIST
SP80053 R3 IA5
(6)
NIST
SP80053 R3 IA5
(7)
NIST
SP80053 R3 IA6
NIST
SP80053 R3 IA8
NIST
SP80053 R3
SC-10
NIST SP
800-53
R3 IA-5
(6)
NIST SP
800-53
R3 IA-5
(7)
NIST SP
800-53
R3 IA-6
NIST SP
800-53
R3 IA-8
NIST SP
800-53
R3 SC-10
Security
Architect
ure
Data
SA-03
Security
/
Integrity
procedur
es shall
be
establish
ed and
mechani
sms
impleme
nted to
ensure
security
(e.g.,
encrypti
on,
access
controls,
and
leakage
preventi
on) and
integrity
of data NIST
exchang SP80053 R3
ed
AC-1
between
one or
more
system
interface
s,
jurisdicti
ons, or
with a
third
party
shared
services
provider
to
prevent
improper NIST
disclosur SP80053 R3
e,
NIST
alteratio AC-4
SP800n or
destructi 53 R3
SC-1
on
NIST
complyin SP800g with
53 R3
legislativ SC-16
NIST
e,
SP800regulator
53 R3
y, and
SC-2
contract NIST
SP800ual
requirem 53 R3
SC-3
ents.
NIST
SP80053 R3
SC-4
NIST
SP80053 R3
SC-5
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP NIST SP
800-53 800-53
R3 SC-1 R3 AC-4
NIST SP NIST SP
800-53 800-53
R3 SC-13 R3 SC-1
NIST SP
800-53
R3 SC-8
NIST SP NIST SP
800-53 800-53
R3 SC-5 R3 SA-8
NIST SP NIST SP
800-53 800-53
R3 SC-6 R3 SC-2
NIST SP NIST SP
800-53 800-53
R3 SC-7 R3 SC-4
NIST SP NIST SP
800-53 800-53
R3 SC-12 R3 SC-5
NIST
SP80053 R3
SC-6
NIST
SP80053 R3
SC-7
NIST
SP80053 R3
SC-7 (1)
Security
Architect
ure
SA-04
Applicati
on
Security
NIST SP NIST SP
800-53 800-53
R3 SC-13 R3 SC-6
NIST SP NIST SP
800-53 800-53
R3 SC-14 R3 SC-7
NIST SP
800-53
R3 SC-7
(1)
NIST
SP80053 R3
SC-7 (2)
NIST SP
800-53
R3 SC-7
(2)
NIST
SP80053 R3
SC-7 (3)
NIST SP
800-53
R3 SC-7
(3)
NIST
SP80053 R3
SC-7 (4)
NIST SP
800-53
R3 SC-7
(4)
NIST
SP80053 R3
SC-7 (5)
NIST SP
800-53
R3 SC-7
(5)
NIST
SP80053 R3
SC-7 (7)
NIST SP
800-53
R3 SC-7
(7)
NIST
SP80053 R3
SC-7 (8)
NIST
SP80053 R3
SC-7
(12)
NIST
NIST SP
800-53
R3 SC-7
(8)
SP800Applicati
53 R3
ons shall
SC-7
be
(13)
designed NIST
SP800in
accordan 53 R3
ce with SC-7
industry (18)
NIST
accepted SP800security 53 R3
standard SC-8
s (i.e.,
NIST
OWASP SP800for web 53 R3
applicati SC-8 (1)
ons) and
complies
with
applicabl
e
NIST SP
800-53
R3 SC-7
(12)
NIST SP
800-53
R3 SC-7
(13)
NIST SP
800-53
R3 SC-7
(18)
NIST SP
800-53
R3 SC-8
NIST SP
800-53
R3 SC-8
(1)
Architect
ure
SA-04
Applicati
on
Security
standard
s (i.e.,
OWASP
for web
applicati
ons) and NIST
complies SP80053 R3
with
applicabl SC-9
NIST
e
regulator SP80053 R3
y and
business SC-9 (1)
NIST
requirem
SP800ents.
53 R3
SC-10
NIST
SP80053 R3
SC-11
NIST
SP80053 R3
SC-12
NIST
SP80053 R3
SC-12
(2)
NIST
SP80053 R3
SC-12
(5)
NIST
SP80053 R3
SC-13
NIST
SP80053 R3
SC-13
(1)
NIST
SP80053 R3
SC-14
NIST
SP80053 R3
SC-17
NIST
SP80053 R3
SC-18
NIST
SP80053 R3
SC-18
(4)
NIST
SP80053 R3
SC-20
NIST
SP80053 R3
SC-20
(1)
NIST SP
800-53
R3 SC-9
NIST SP
800-53
R3 SC-9
(1)
NIST SP
800-53
R3 SC-10
NIST SP
800-53
R3 SC-11
NIST SP
800-53
R3 SC-12
NIST SP
800-53
R3 SC-12
(2)
NIST SP
800-53
R3 SC-12
(5)
NIST SP
800-53
R3 SC-13
NIST SP
800-53
R3 SC-13
(1)
NIST SP
800-53
R3 SC-14
NIST SP
800-53
R3 SC-17
NIST SP
800-53
R3 SC-18
NIST
SP80053 R3
SC-21
NIST
SP80053 R3
SC-22
NIST
SP80053 R3
SC-23
NIST
Security
Architect
ure
SA-05
Data
Integrity
SP80053 R3 SI10
NIST
SP80053 R3 SI11
NIST
SP80053 R3 SI2
NIST
SP80053 R3 SIData
2 (2)
NIST
input
SP800and
53 R3 SIoutput
3
integrity NIST
routines SP80053 R3 SI(i.e.,
3 (1)
reconcili NIST
SP800ation
and edit 53 R3 SI(2)
checks) 3
NIST
shall be SP800impleme 53 R3 SInted for 3 (3)
NIST
applicati
SP800on
53 R3 SIinterface
4
NIST
s and
database SP80053 R3 SIs to
(2)
prevent 4
NIST
manual SP80053 R3 SIor
(4)
systemat 4
NIST
ic
SP800processi 53 R3 SIng errors 4 (5)
NIST
or
SP800corruptio
53 R3 SIn of
4 (6)
NIST
data.
SP80053 R3 SI6
NIST SP
800-53
R3 SI-2
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-2
NIST SP
800-53
R3 SI-2
(2)
NIST SP
800-53
R3 SI-3
NIST SP
800-53
R3 SI-3
(1) SP
NIST
800-53
R3 SI-3
(2)
NIST SP
800-53
R3 SI-3
(3)
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4)
NIST SP
800-53
R3 SI-4
(5)
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 SI-6
NIST SP
800-53
R3 SI-7
NIST SP
800-53
R3 SI-7
(1)
n of
data.
NIST
SP80053 R3 SI7
NIST
SP80053 R3 SI7 (1)
NIST
Security
Architect
ure
Producti
on / Non- SA-06
Producti
on
Environ
ments
on and
nonproducti
on
environ
ments
shall be
separate
d to
prevent
unauthor
ized
access
or
changes
to
informati
on
NIST
SP80053 R3
SC-2
NIST
SP80053 R3
AC-17
NIST
NIST SP
800-53
R3 SC-2
NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC20
NIST SP
800-53
R3 AC17
NIST SP
800-53
R3 AC17 (1)
SP80053 R3
AC-17
(2)
NIST
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 AC17 (2)
SP80053 R3
AC-17
(3)
NIST
NIST SP
800-53
R3 IA-2
NIST SP
800-53
R3 AC17 (3)
NIST SP
800-53
R3 IA-2
(1)
NIST SP
800-53
R3 AC17 (4)
SP80053 R3
AC-17
(4)
NIST
SP80053 R3
AC-17
(5)
NIST
SP80053 R3
AC-17
(7)
Multi-
NIST SP
800-53
R3 SI-11
SP80053 R3 SI9
SP80053 R3
AC-17
(1)
NIST
Security
NIST SP
800-53
R3 SI-9
NIST SP
800-53
R3 SI-10
NIST SP
NIST SP
800-53
800-53
R3 ACR3 MA-4
17 (5)
NIST SP
800-53
R3 AC17 (7)
Security
Architect
ure
Remote
User
SA-07
MultiFactor
Authenti
cation
Multifactor
authenti
cation is
required
for all
remote
user
access.
NIST
SP80053 R3
AC-17
(8)
NIST
SP80053 R3
AC-20
NIST
SP80053 R3
AC-20
(1)
NIST
SP80053 R3
AC-20
(2)
NIST
SP80053 R3 IA1
NIST
SP80053 R3 IA2
NIST
SP80053 R3 IA2
(1)
NIST
SP80053 R3 IA2 (2)
NIST
SP80053 R3 IA2
(3)
NIST
SP80053 R3 IA2 (8)
NIST
SP80053 R3
MA-4
NIST
SP80053 R3
MA-4 (1)
NIST
SP80053 R3
MA-4 (2)
NIST SP
800-53
R3 AC17 (8)
NIST SP
800-53
R3 AC20
NIST SP
800-53
R3 AC20 (1)
NIST SP
800-53
R3 AC20 (2)
NIST SP
800-53
R3 IA-1
NIST SP
800-53
R3 IA-2
NIST SP
800-53
R3 IA-2
(1)
NIST SP
800-53
R3 IA-2
(2) SP
NIST
800-53
R3 IA-2
(3)
NIST SP
800-53
R3 IA-2
(8)
NIST SP
800-53
R3 MA-4
NIST SP
800-53
R3 MA-4
(1)
NIST SP
800-53
R3 MA-4
(2)
Security
Architect
ure
SA-08
Network
Security
Network
environ
ments
shall be
designed
and
configur NIST
SP800ed to
restrict 53 R3
connecti SC-7
ons
between
trusted
and
untruste
NIST
d
networks SP80053 R3
and
reviewed SC-7 (1)
NIST
at
planned SP800intervals 53 R3
SC-7 (2)
,
documen NIST
ting the SP800business 53 R3
justificati SC-7 (3)
on for
use of all NIST
services, SP800protocols 53 R3
SC-7 (4)
, and
ports
NIST
allowed, SP800including 53 R3
rationale SC-7 (5)
or
NIST
compens SP800ating
53 R3
controls SC-7 (7)
impleme
nted for NIST
SP800those
protocols 53 R3
consider SC-7 (8)
ed to be NIST
insecure. SP800Network 53 R3
architect SC-7
(12)
NIST
ure
diagram SP80053 R3
s must
SC-7
clearly
identify (13)
NIST
high-risk SP800environ 53 R3
ments
SC-7
and data (18)
flows
that may
have
regulator
y
complian
NIST SP NIST SP
800-53 800-53
R3 CM-7 R3 CM-7
NIST SP
NIST SP
800-53
800-53
R3 CM-7
R3 SC-7
(1)
NIST SP
800-53
R3 SC-7
NIST SP
800-53
R3 SC-7
(1)
NIST SP
800-53
R3 SC-7
(2)
NIST SP
800-53
R3 SC-7
(3)
NIST SP
800-53
R3 SC-7
(4)
NIST SP
800-53
R3 SC-7
(5)
NIST SP
800-53
R3 SC-7
(7)
NIST SP
800-53
R3 SC-7
(8)
NIST SP
800-53
R3 SC-7
(12)
identify
high-risk
environ
ments
and data
flows
that may
have
regulator
y
complian
ce
System
impacts.
and
network
environ
ments
are
separate
NIST
d by
SP800firewalls
53 R3
to
AC-4
ensure
the
following
requirem
ents are
adhered
to:
sin
NIST SP
800-53
R3 SC-7
(13)
NIST SP
800-53
R3 SC-7
(18)
NIST SP
800-53
R3 AC-4
ess
an
d NIST
cu SP800sto 53 R3
me SC-2
r
req
uir
em
Se
cur NIST
ity SP800req 53 R3
uir SC-3
em
nc
ent
e
wit
h
leg
isl
ati
ve, NIST
reg SP800ula 53 R3
tor SC-7
y,
an
d
co
ntr
act
ual
Security
Architect
ure
SA-09
Segment
NIST SP
800-53
R3 SC-2
NIST SP
800-53
R3 SC-7
NIST SP
800-53
R3 SC-7
(1)
NIST SP
800-53
R3 SC-7
Security
Architect
ure
SA-09
Segment
ation
on
of
pro
du
cti
NIST SP
on NIST
an SP800- 800-53
R3 SC-7
d 53 R3
no SC-7 (1)
npro
du
cti
on
ve
en
pro
tec
tio
n
an NIST
d SP800iso 53 R3
lati SC-7 (2)
on
of
se
nsi
NIST
SP80053 R3
SC-7 (3)
NIST SP
800-53
R3 SC-7
(2)
NIST SP
800-53
R3 SC-7
(3)
NIST SP
800-53
R3 SC-7
(4)
NIST
SP80053 R3
SC-7 (4)
NIST SP
800-53
R3 SC-7
(5)
NIST
SP80053 R3
SC-7 (5)
NIST SP
800-53
R3 SC-7
(7)
NIST
SP80053 R3
SC-7 (7)
NIST SP
800-53
R3 SC-7
(8)
NIST
SP80053 R3
SC-7 (8)
NIST
SP80053 R3
SC-7
(12)
NIST
NIST SP
800-53
R3 SC-7
(12)
SP80053 R3
SC-7
(13)
NIST SP
800-53
R3 SC-7
(13)
NIST SP
800-53
R3 SC-7
(18)
NIST
SP80053 R3
SC-7
(18)
Policies
and
procedur
es shall
be
establish
ed and
mechani
sms
NIST
impleme SP800nted to 53 R3
protect AC-1
wireless
network
environ
ments,
including
the
following
r
:
fire
wa
lls
im
ple
me
nte
d
an NIST
d SP800co 53 R3
nfi AC-18
gur
ed
to
res
tric
t
un
aut
NIST SP NIST SP
800-53 800-53
R3 AC-1 R3 AC-1
NIST SP
800-53
R3 AC18
NIST SP
800-53
R3 AC18
cry
pti
on
for
aut
he
nti
cat
ion
an
d
tra
ns
mi
ssi
on,
rep NIST
lac SP800ing 53 R3
ve AC-18
nd (1)
or
def
aul
t
set
tin
gs
(e.
g.,
en
cry
pti
on
ke
ys,
Security
Architect
ure
SA-10
NIST SP
NIST SP
800-53
800-53
R3 ACR3 CM-6
18 (1)
Security
Architect
ure
SA-10
Wireless
Security
d
ph
ysi
cal
us
er
ac
ce
ss
to
wir NIST
ele SP800ss 53 R3
net AC-18
wo (2)
rk
de
vic
es
res
tric
ted
to
aut
hor
to
det
ect
the
pre
se
nc
e
of
un
aut
hor
ize
d
(ro NIST
gu SP800e) 53 R3
wir AC-18
ele (3)
ss
net
wo
rk
de
vic
es
for
a
tim
ely
dis
co
NIST SP
NIST SP
800-53
800-53
R3 ACR3 SC-7
18 (2)
NIST SP
800-53
R3 CM-6
NIST
SP80053 R3
AC-18
(4)
NIST
SP80053 R3
AC-18
(5)
NIST
SP80053 R3
CM-6
NIST
SP80053 R3
CM-6 (1)
NIST SP
800-53
R3 CM-6
(1)
NIST SP
800-53
R3 CM-6
(3)
NIST SP
800-53
R3 PE-4
NIST SP
800-53
R3 SC-7
NIST
SP80053 R3
CM-6 (3)
NIST
SP80053 R3
PE-4
NIST
SP80053 R3
SC-3
NIST
SP80053 R3
SC-7
NIST
SP80053 R3
SC-7 (1)
NIST SP
800-53
R3 SC-7
(1)
NIST SP
800-53
R3 SC-7
(2) SP
NIST
800-53
R3 SC-7
(3)
NIST SP
800-53
R3 SC-7
(4)
NIST SP
800-53
R3 SC-7
(5)
NIST
SP80053 R3
SC-7 (2)
NIST SP
800-53
R3 SC-7
(7)
NIST
SP80053 R3
SC-7 (3)
NIST SP
800-53
R3 SC-7
(8)
NIST
SP80053 R3
SC-7 (4)
NIST SP
800-53
R3 SC-7
(12)
NIST
SP80053 R3
SC-7 (5)
NIST SP
800-53
R3 SC-7
(13)
NIST
SP80053 R3
SC-7 (7)
NIST SP
800-53
R3 SC-7
(18)
NIST
SP80053 R3
SC-7 (8)
NIST
SP80053 R3
SC-7
(12)
NIST
SP80053 R3
SC-7
(13)
NIST
SP80053 R3
SC-7
(18)
NIST
Security
Architect
ure
SA-11
Shared
Network
s
SP80053 R3
PE-4
NIST
SP80053 R3
SC-4
NIST
SP800Access 53 R3
to
SC-7
systems NIST
with
SP800shared 53 R3
network SC-7 (1)
infrastru NIST
cture
SP800shall be 53 R3
restricte SC-7 (2)
d to
authoriz NIST
SP800ed
personn 53 R3
SC-7 (3)
el in
accordan NIST
ce with SP800security 53 R3
policies, SC-7 (4)
procedur NIST
es and
SP800standard 53 R3
s.
SC-7 (5)
Network
s shared NIST
SP800with
external 53 R3
entities SC-7 (7)
shall
NIST
have a SP800documen 53 R3
ted plan SC-7 (8)
detailing
the
compens
ating
controls
NIST SP
800-53
R3 PL-2
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SC-7
NIST SP
800-53
R3 PE-4
NIST SP
800-53
R3 PL-2
NIST SP
800-53
R3 SC-1
NIST SP
800-53
R3 SC-4
NIST SP
800-53
R3 SC-7
NIST SP
800-53
R3 SC-7
(1)
NIST SP
800-53
R3 SC-7
(2)
NIST SP
800-53
R3 SC-7
(3)
NIST SP
800-53
R3 SC-7
(4)
NIST SP
800-53
R3 SC-7
(5)
Security
Architect
ure
SA-12
Clock
Synchro
nization
entities
shall
have a
documen
ted plan
NIST
detailing
An
the
external SP800compens
accurate 53 R3
SC-7
ating
,
controls
externall (12)
NIST
used
to SP800y agreed
separate
upon,
53 R3
network
time
SC-7
traffic
source
(13)
NIST
between
shall be SP800organiza
used to 53 R3
tions.
synchron SC-7
ize the (18)
system
clocks of
all
relevant
informati
on
processi
ng
systems
within
the
organiza
tion or
explicitly
defined
security
domain
to
facilitate
tracing
and
reconstit
ution of NIST
activity SP800timelines 53 R3
. Note:
AU-1
specific
legal
jurisdicti
ons and
orbital
storage
and
relay
platform
s (US
GPS &
EU
Galileo
Satellite
Network)
may
NIST
mandate SP800a
53 R3
referenc AU-8
e clock
that
differs in
synchron
ization
NIST SP
800-53
R3 SC-7
(7)
NIST SP
800-53
R3 SC-7
(8)
NIST SP
800-53
R3 SC-7
(12)
NIST SP
800-53
R3 SC-7
(13)
NIST SP
800-53
R3 SC-7
(18)
NIST SP NIST SP
800-53 800-53
R3 AU-1 R3 AU-1
NIST SP NIST SP
800-53 800-53
R3 AU-8 R3 AU-8
Security
Architect
ure
Equipme SA-13
nt
Identifica
tion
Network)
may
mandate
a
referenc
e clock NIST
that
SP800differs in 53 R3
Automat
synchron AU-8 (1)
ed
ization
equipme
with the
nt
organiza
identifica
tions
tion
shall
domicile
be
used
time
as
a
referenc
method
e, in this
of
event
connecti
the
NIST
on
jurisdicti SP800authenti
on or
53 R3 IAcation.
platform 3
LocationNIST SP
is
aware
800-53
treated
technolo
R3 IA-4
as an
gies
may
explicitly
be
used
defined
to
security
validate
domain.
connecti
on
authenti NIST
SP800cation
integrity 53 R3 IA4
based on NIST
known
equipme
nt
location.
Audit
logs
recordin
g
privilege
d user
access
activities
,
authoriz
ed and
unauthor
ized
access
attempts
, system
exceptio
ns, and
informati
on
security
events
shall be
retained,
complyin
NIST SP
800-53
R3 AU-8
(1)
NIST SP
800-53
R3 IA-3
NIST SP
800-53
R3 IA-4
NIST SP
SP800800-53
53 R3 IAR3 IA-4
4
(4)
(4)
NIST
NIST SP NIST SP
SP800800-53 800-53
53 R3
R3 AU-1 R3 AU-1
AU-1
NIST
NIST SP NIST SP
SP800800-53 800-53
53 R3
R3 AU-2 R3 AU-2
AU-2
NIST
NIST SP
NIST SP
SP800800-53
800-53
53 R3
R3 AU-2
R3 AU-3
AU-2 (3)
(3)
NIST
SP80053 R3
AU-2 (4)
NIST
SP80053 R3
AU-3
NIST
SP80053 R3
AU-3 (1)
NIST SP
NIST SP
800-53
800-53
R3 AU-2
R3 AU-4
(4)
NIST SP NIST SP
800-53 800-53
R3 AU-5 R3 AU-3
NIST SP
NIST SP
800-53
800-53
R3 AU-3
R3 AU-6
(1)
Security
Architect
ure
Audit
SA-14
Logging /
Intrusion
Detectio
n
access
attempts
, system
exceptio
ns, and
informati NIST
SP800on
security 53 R3
events AU-4
NIST
shall be SP800retained, 53 R3
complyin AU-5
NIST
g with
SP800applicabl
53 R3
e
AU-6
policies NIST
and
SP800regulatio 53 R3
ns. Audit AU-6 (1)
logs
shall be NIST
reviewed SP800at least 53 R3
daily and AU-6 (3)
NIST
file
SP800integrity
53 R3
(host)
AU-7
and
NIST
network SP800intrusion 53 R3
detectio AU-7 (1)
n (IDS) NIST
tools
SP800impleme 53 R3
nted to AU-9
NIST
help
facilitate SP80053 R3
timely
detectio AU-9 (2)
NIST
n,
investiga SP800tion by 53 R3
AU-11
NIST
root
SP800cause
analysis 53 R3
AU-12
and
NIST
response SP800to
53 R3
incidents AU-14
NIST
.
SP800Physical
53 R3 SIand
4
NIST
logical
SP800user
access 53 R3 SI(2)
to audit 4
NIST
logs
SP800shall be 53 R3 SIrestricte NIST
4 (4)
d to
SP800authoriz 53 R3 SIed
4 (5)
personn
el.
NIST SP
800-53
R3 AU-9
NIST SP
800-53
R3 AU11 SP
NIST
800-53
R3 AU12
NIST SP
800-53
R3 AU-4
NIST SP
800-53
R3 AU-5
NIST SP
800-53
R3 AU-6
NIST SP
NIST SP
800-53
800-53
R3 AU-6
R3 PE-2
(1)
NIST SP
NIST SP
800-53
800-53
R3 AU-6
R3 PE-3
(3)
NIST SP
800-53
R3 AU-7
NIST SP
800-53
R3 AU-7
(1)
NIST SP
800-53
R3 AU-9
NIST SP
800-53
R3 AU11
NIST SP
800-53
R3 AU12
NIST SP
800-53
R3 PE-2
NIST SP
800-53
R3 PE-3
NIST SP
800-53
R3 SI-4
NIST SP
800-53
R3 SI-4
(2)
NIST SP
800-53
R3 SI-4
(4) SP
NIST
800-53
R3 SI-4
(5)
Security
Architect
ure
SA-15
Mobile
Code
shall be
restricte
d to
authoriz
ed
personn NIST
SP800el.
53 R3 SI4 (6)
Mobile
code
shall be
authoriz
ed
before
its
installati
on and
use, and
the
configur
ation
shall
ensure NIST
that the SP800authoriz 53 R3
ed
SC-18
mobile
code
operates
accordin
g to a
clearly
defined
security
policy.
All
unauthor
ized
mobile NIST
SP800code
shall be 53 R3
prevente SC-18
(4)
d from
executin
g.
NIST SP
800-53
R3 SI-4
(6)
NIST SP
800-53
R3 SC-18
Control AreCID
ComplianceCO-01
ComplianceCO-02
ComplianceCO-03
ComplianceCO-04
ComplianceCO-05
ComplianceCO-06
Data GoverDG-01
Data GoverDG-02
Data Govern
DG-03
Data GoverDG-04
Data GoverDG-05
Data GoverDG-06
Data GoverDG-07
Data GoverDG-08
Facility SecFS-01
Facility Se FS-02
Facility Se FS-03
Facility Se FS-04
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-2 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-2 (2)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-2 (3)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-2 (4)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-2 (7)
NIST SP800-53 R3 A NIST SP 800-53 R3 AC-3
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-3 (3)
NIST SP800-53 R3 A NIST SP 800-53 R3 AC-4
NIST SP800-53 R3 A NIST SP 800-53 R3 AC-6
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-6 (1)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-6 (2)
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-11
NIST SP800-53 R3 ACNIST SP 800-53 R3 AC-11 (1)
NIST SP800-53 R3 A NIST SP 800-53 R3 SA-8
NIST SP800-53 R3 P NIST SP 800-53 R3 SC-28
NIST SP800-53 R3 S NIST SP 800-53 R3 SI-7
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SI-7 (1)
NIST SP800-53 R3 SA-8
NIST SP800-53 R3 SI-7
NIST SP800-53 R3 SI-7 (1)
Risk NIST
assessments
SP80NIST
associated
SP 8 NIST
with
SPdata
800-53
governance
R3 CA-3 requirements shall be conducted at planned in
AwarenessNIST
o
SP80NIST SP 8 NIST SP 800-53 R3 RA-2
ComplianceNIST SP80NIST SP 8 NIST SP 800-53 R3 RA-3
Data classiNIST SP80NIST SP 80NIST SP 800-53 R3 SI-12
NIST SP800-53 R3 PM-9
NIST SP800-53 R3 SI-12
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 CA-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 CA-2 (1)
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-6
NIST SP800
NIST SP 80NIST SP 800-53 R3 PE-6 (1)
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-7
NIST SP800-53 R3 PENIST SP 800-53 R3 PE-7 (1)
NIST SP800-53 R3 P NIST SP 800-53 R3 PE-8
Physical acNIST SP80NIST SP 80NIST SP 800-53 R3 PE-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 PE-3
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-4
NIST SP800-53 R3 P NIST SP 800-53 R3 PE-5
NIST SP800-53 R3 P NIST SP 800-53 R3 PE-6
NIST SP800-53 R3 P NIST SP 800-53 R3 PE-6 (1)
NIST SP800-53 R3 PE-6 (1)
Physical seNIST SP80NIST SP 80NIST SP 800-53 R3 PE-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 PE-3
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-6
NIST SP800-53 R3 P NIST SP 800-53 R3 PE-6 (1)
NIST SP800-53 R3 PENIST SP 800-53 R3 PE-18
NIST SP800-53 R3 PE-18
Ingress andNIST SP80NIST SP 80NIST SP 800-53 R3 PE-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 PE-3
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-6
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-6 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 PE-7
NIST SP800-53 R3 P NIST SP 800-53 R3 PE-7 (1)
Facility Se FS-05
Facility SecFS-06
Facility Se FS-07
Facility Se FS-08
Human Reso
HR-01
Human Reso
HR-02
Human Reso
HR-03
Informatio IS-01
Informatio IS-02
InformationIS-03
An Information
Security
Program (ISMP) has been developed, documented, approve
NIST SP800-53
R3 Management
PM-1
Risk mana NIST SP800-53 R3 PM-2
Security poNIST SP800-53 R3 PM-3
OrganizatioNIST SP800-53 R3 PM-4
Asset man NIST SP800-53 R3 PM-5
Human reso
NIST SP800-53 R3 PM-6
Physical anNIST SP800-53 R3 PM-7
Communicat
NIST SP800-53 R3 PM-8
Access conNIST SP800-53 R3 PM-9
Informatio NIST SP800-53 R3 PM-10
NIST SP800-53 R3 PM-11
Executive aNIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP800-53 R3 PM-1
NIST SP800-53 R3 PM-11
Management
NIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
InformationIS-04
InformationIS-05
InformationIS-06
InformationIS-07
NIST SP800
NIST SP 80NIST SP 800-53 R3 AT-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 IR-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 MA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 MP-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PL-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PS-1
NIST SP80NIST SP 80NIST SP 800-53 R3 SA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-1
NIST SP80NIST SP 80NIST SP 800-53 R3 SI-1
NIST SP800-53 R3 SI-1
Baseline seNIST SP80NIST SP 8 NIST SP 800-53 R3 CM-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 CM-2 (3)
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-2 (5)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-2
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-4
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (4)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
Management
NIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 AT-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CP-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-5
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-5 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-5 (2)
NIST SP800
NIST SP 8 NIST SP 800-53 R3 IA-5 (3)
NIST SP800
NIST SP 8 NIST SP 800-53 R3 IA-5 (6)
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-5 (7)
NIST SP800
NIST SP 80NIST SP 800-53 R3 IR-1
NIST SP80NIST SP 80NIST SP 800-53 R3 MA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 MP-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PE-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 PL-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PS-1
NIST SP800-53 R3 P NIST SP 800-53 R3 RA-1
NIST SP800-53 R3 R NIST SP 800-53 R3 SA-1
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-1
NIST SP800-53 R3 S NIST SP 800-53 R3 SI-1
NIST SP800-53 R3 SI-1
A formal di NIST SP80NIST SP 80NIST SP 800-53 R3 PL-4
NIST SP80NIST SP 80NIST SP 800-53 R3 PS-1
NIST SP80NIST SP 80NIST SP 800-53 R3 PS-8
User access
NIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 IA-1
InformationIS-08
InformationIS-09
Informatio IS-10
InformationIS-11
Informatio IS-12
InformationIS-13
Informatio IS-14
InformationIS-15
InformationIS-16
Informatio IS-17
InformationIS-18
Users
NIST
shallSP800
be made
NIST SP
aware
80NIST
of their
SP responsibilities
800-53 R3 AT-2for:
MaintainingNIST SP800
NIST SP 80NIST SP 800-53 R3 AT-3
Maintainin NIST SP800
NIST SP 80NIST SP 800-53 R3 AT-4
Leaving unNIST SP80NIST SP 80NIST SP 800-53 R3 PL-4
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 AC-11
NIST SP800
NIST SP 8 NIST SP 800-53 R3 MP-1
NIST SP800-53 R3 MNIST SP 800-53 R3 MP-2
NIST SP800-53 R3 MP
NIST SP 800-53 R3 MP-2 (1)
NIST SP800-53 R3 MNIST SP 800-53 R3 MP-3
NIST SP800-53 R3 MNIST SP 800-53 R3 MP-4
NIST SP800-53 R3 MP
NIST SP 800-53 R3 MP-4 (1)
Policies anNIST SP80NIST SP 80NIST SP 800-53 R3 AC-18
NIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-18 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-18 (2)
NIST SP800
NIST SP 8 NIST SP 800-53 R3 IA-7
NIST SP800
NIST SP 8 NIST SP 800-53 R3 SC-7
NIST SP800
NIST SP 8 NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 IANIST SP 800-53 R3 SC-8
NIST SP800-53 R3 IANIST SP 800-53 R3 SC-8 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-9
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-9 (1)
Informatio IS-19
InformationIS-20
InformationIS-21
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-13
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-13 (1)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-23
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-28
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SI-8
NIST SP800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC-7 (13)
NIST SP800-53 R3 SC-7 (18)
NIST SP800-53 R3 SC-8
NIST SP800-53 R3 SC-8 (1)
NIST SP800-53 R3 SC-9
NIST SP800-53 R3 SC-9 (1)
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-13 (1)
NIST SP800-53 R3 SC-16
NIST SP800-53 R3 SC-23
NIST SP800-53 R3 SI-8
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 SC-12
NIST SP800
NIST SP 8 NIST SP 800-53 R3 SC-12 (2)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-12 (5)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-13
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-13 (1)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-17
NIST SP800-53 R3 SC-28
NIST SP800-53 R3 SC-28 (1)
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 CM-3
NIST SP800-53 R3 CM
NIST SP 800-53 R3 CM-3 (2)
NIST SP80NIST SP 8 NIST SP 800-53 R3 CM-4
NIST SP80NIST SP 80NIST SP 800-53 R3 RA-5
NIST SP800
NIST SP 80NIST SP 800-53 R3 RA-5 (1)
NIST SP800
NIST SP 80NIST SP 800-53 R3 RA-5 (2)
NIST SP800-53 R3 R NIST SP 800-53 R3 RA-5 (3)
NIST SP800-53 R3 RA
NIST SP 800-53 R3 RA-5 (6)
NIST SP800-53 R3 RA
NIST SP 800-53 R3 RA-5 (9)
NIST SP800-53 R3 RA
NIST SP 800-53 R3 SI-1
NIST SP800-53 R3 RA
NIST SP 800-53 R3 SI-2
NIST SP800-53 R3 RA
NIST SP 800-53 R3 SI-2 (2)
NIST SP800-53 R3 S NIST SP 800-53 R3 SI-4
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-5
NIST SP800-53 R3 SI-2
NIST SP800-53 R3 SI-2 (2)
NIST SP800-53 R3 SI-5
Ensure thatNIST SP80NIST SP 8 NIST SP 800-53 R3 SC-5
NIST SP80NIST SP 80NIST SP 800-53 R3 SI-3
NIST SP800
NIST SP 80NIST SP 800-53 R3 SI-3 (1)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (2)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-3 (3)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-5
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-7
NIST SP800-53 R3 SINIST SP 800-53 R3 SI-7 (1)
NIST SP800-53 R3 SI-NIST SP 800-53 R3 SI-8
NIST SP800-53 R3 SI-8
Informatio IS-22
InformationIS-23
InformationIS-24
InformationIS-25
InformationIS-26
InformationIS-27
Informatio IS-28
InformationIS-29
InformationIS-30
InformationIS-31
InformationIS-32
InformationIS-33
InformationIS-34
Legal NoLG-01
Legal Th LG-02
OperationsOP-01
OperationsOP-02
OperationsOP-03
OperationsOP-04
Information
system documentation
administrator
NIST SP80NIST
SP 8 NIST SP (e.g.,
800-53
R3 CP-9 and user guides, architecture diagrams, etc.
ConfiguringNIST SP800
NIST SP 8 NIST SP 800-53 R3 CP-9 (1)
Effectively NIST SP800
NIST SP 80NIST SP 800-53 R3 CP-9 (3)
NIST SP800-53 R3 C NIST SP 800-53 R3 CP-10
NIST SP800-53 R3 CP
NIST SP 800-53 R3 CP-10 (2)
NIST SP800-53 R3 CP
NIST SP 800-53 R3 CP-10 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-5
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-5 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SA-10
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-11 (1)
The availabNIST SP80NIST SP 80NIST SP 800-53 R3 SA-4
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (1)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (4)
NIST SP800-53 R3 SANIST SP 800-53 R3 SA-4 (7)
Policies anNIST SP80NIST SP 8 NIST SP 800-53 R3 MA-2
NIST SP800
NIST SP 8 NIST SP 800-53 R3 MA-2 (1)
NIST SP80NIST SP 8 NIST SP 800-53 R3 MA-3
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-3 (1)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-3 (2)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-3 (3)
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-4
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-4 (1)
NIST SP800-53 R3 MA
NIST SP 800-53 R3 MA-4 (2)
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-5
NIST SP800-53 R3 MNIST SP 800-53 R3 MA-6
OrganizatioNIST SP80NIST SP 80NIST SP 800-53 R3 AC-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AT-1
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-1
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-6
NIST SP80NIST SP 8 NIST SP 800-53 R3 CA-7
NIST SP 80NIST SP 800-53 R3 PL-1
NIST SP 8 NIST SP 800-53 R3 RA-1
NIST SP 8 NIST SP 800-53 R3 RA-2
NIST SP 8 NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
Risk ManagRI-03
Risk ManagRI-04
Risk ManagRI-05
Release MaRM-01
Release MaRM-02
Release MaRM-03
Release MRM-04
Release MaRM-05
Resiliency RS-01
Resiliency RS-02
There
NIST
shallSP80NIST
be a defined
SP 8and
NIST
documented
SP 800-53method
R3 CP-1
for determining the impact of any disruption to th
Identify critical produ NIST SP 8 NIST SP 800-53 R3 CP-2
Resiliency RS-03
Resiliency RS-04
Resiliency RS-05
Resiliency RS-06
A consistent
NIST SP80NIST
unified framework
SP80NISTfor
SP800-53
businessR3
continuity
CP-1 planning and plan development shall be esta
Defined puNIST SP80NIST SP80NIST SP800-53 R3 CP-2
Accessible NIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (1)
Owned by aNIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (2)
Defined lin NIST SP80NIST SP80NIST SP800-53 R3 CP-3
Detailed r NIST SP80NIST SP80NIST SP800-53 R3 CP-4
Method for NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-4 (1)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-6
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-6 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-6 (3)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-7
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (2)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (3)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-7 (5)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-9 (1)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-9 (3)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-10
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-10 (2)
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-10 (3)
NIST SP800-53 R3 P NIST SP800-53 R3 PE-17
Business co
NIST SP80NIST SP80NIST SP800-53 R3 CP-2
NIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (1)
NIST SP800
NIST SP80NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 C NIST SP800-53 R3 CP-3
NIST SP800-53 R3 C NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP
NIST SP800-53 R3 CP-4 (1)
Physical prNIST SP80NIST SP80NIST SP800-53 R3 PE-1
NIST SP80NIST SP80NIST SP800-53 R3 PE-13
NIST SP800
NIST SP80NIST SP800-53 R3 PE-13 (1)
NIST SP800
NIST SP80NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PENIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 P NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PENIST SP800-53 R3 PE-15
NIST SP800-53 R3 P NIST SP800-53 R3 PE-18
NIST SP800-53 R3 PE-18
To reduce tNIST SP80NIST SP80NIST SP800-53 R3 PE-1
NIST SP80NIST SP80NIST SP800-53 R3 PE-5
NIST SP80NIST SP80NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PENIST SP800-53 R3 PE-15
NIST SP800-53 R3 P NIST SP800-53 R3 PE-18
NIST SP800-53 R3 PE-18
Resiliency RS-07
Resiliency RS-08
Security A SA-01
Security ArSA-02
Implement
NIST SP80NIST
and enforce
SP(through
80NIST SP
automation)
800-53 R3user
AC-1
credential and password controls for application
User identitNIST SP80NIST SP 80NIST SP 800-53 R3 AC-2
If passwordNIST SP800
NIST SP 80NIST SP 800-53 R3 AC-3
Timely acceNIST SP800
NIST SP 80NIST SP 800-53 R3 AC-11
Remove/disa
NIST SP800
NIST SP 80NIST SP 800-53 R3 AC-11 (1)
Unique user
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2
Password ex
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2 (3)
Minimum pas
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-2 (4)
Strong passNIST SP800
NIST SP 80NIST SP 800-53 R3 AU-11
Allow passw
NIST SP80NIST SP 80NIST SP 800-53 R3 IA-1
User ID locNIST SP800
NIST SP 80NIST SP 800-53 R3 IA-2
User ID locNIST SP80NIST SP 80NIST SP 800-53 R3 IA-2 (1)
Re-enter paNIST SP800-53 R3 AUNIST SP 800-53 R3 IA-2 (2)
Maintain usNIST SP800-53 R3 AUNIST SP 800-53 R3 IA-2 (3)
NIST SP800-53 R3 AUNIST SP 800-53 R3 IA-2 (8)
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-5
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-5 (1)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (2)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (3)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (6)
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-5 (7)
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-6
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-8
NIST SP800-53 R3 IA-NIST SP 800-53 R3 SC-10
NIST SP800-53 R3 IA-5 (3)
NIST SP800-53 R3 IA-5 (6)
NIST SP800-53 R3 IA-5 (7)
Security ArSA-03
Security ArSA-04
Security ArSA-05
Security ArSA-06
Security ArSA-07
Security ArSA-08
Security ArSA-09
System
and
network environments
separated
by firewalls to ensure the following requirements
NIST
SP80NIST
SP 8 NIST SP are
800-53
R3 AC-4
Business aNIST SP800-53 R3 S NIST SP 800-53 R3 SC-2
Security reNIST SP800-53 R3 S NIST SP 800-53 R3 SC-7
ComplianceNIST SP800-53 R3 S NIST SP 800-53 R3 SC-7 (1)
SeparationNIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (2)
Preserve prNIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (13)
Security ArSA-10
Security ArSA-11
Security ArSA-12
Security ArSA-13
Security ArSA-14
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (18)
NIST SP800-53 R3 SC-7 (18)
Policies
NIST
and
SP80NIST
procedures
SP shall
80NIST
beSP
established
800-53 R3and
AC-1
mechanisms implemented to protect wireless net
Perimeter fNIST SP80NIST SP 8 NIST SP 800-53 R3 AC-18
Security seNIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-18 (1)
Logical andNIST SP800
NIST SP 8 NIST SP 800-53 R3 AC-18 (2)
The capabilNIST SP800-53 R3 ACNIST SP 800-53 R3 CM-6
NIST SP800-53 R3 ACNIST SP 800-53 R3 CM-6 (1)
NIST SP800-53 R3 ACNIST SP 800-53 R3 CM-6 (3)
NIST SP800-53 R3 C NIST SP 800-53 R3 PE-4
NIST SP800-53 R3 CM
NIST SP 800-53 R3 SC-7
NIST SP800-53 R3 CM
NIST SP 800-53 R3 SC-7 (1)
NIST SP800-53 R3 P NIST SP 800-53 R3 SC-7 (2)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 S NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (13)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (18)
NIST SP800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC-7 (12)
NIST SP800-53 R3 SC-7 (13)
NIST SP800-53 R3 SC-7 (18)
Access to sNIST SP80NIST SP 80NIST SP 800-53 R3 PE-4
NIST SP80NIST SP 8 NIST SP 800-53 R3 PL-2
NIST SP80NIST SP 8 NIST SP 800-53 R3 SC-1
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-4
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (1)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (2)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (3)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (4)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (5)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (7)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (8)
NIST SP800-53 R3 SC
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
An externalNIST SP80NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-8
NIST SP800-53 R3 AUNIST SP 800-53 R3 AU-8 (1)
AutomatedNIST
e
SP800
NIST SP 80NIST SP 800-53 R3 IA-3
NIST SP800-53 R3 IANIST SP 800-53 R3 IA-4
NIST SP800-53 R3 IA-NIST SP 800-53 R3 IA-4 (4)
Audit logs NIST SP80NIST SP 80NIST SP 800-53 R3 AU-1
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-2
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2 (3)
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-2 (4)
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-3
NIST SP800
NIST SP 80NIST SP 800-53 R3 AU-3 (1)
NIST SP80NIST SP 80NIST SP 800-53 R3 AU-4
Security ArSA-15