NIST 800-53 Low refers to security controls for low-impact systems within the NIST 800-53 framework. These controls focus on safeguarding information systems that handle data with minimal security requirements, ensuring basic protection against threats and vulnerabilities while maintaining operational functionality.
The "Supply Chain Risk Management" control in NIST 800-53 refers to measures organizations take to manage risks associated with their supply chain. This control focuses on ensuring the integrity, security, and resilience of products and services provided by external vendors or partners. It involves assessing and mitigating risks that could impact the organization's information systems and operations. Key aspects include evaluating the security practices of suppliers, monitoring for potential vulnerabilities, and implementing strategies to manage and mitigate supply chain risks.
The Policy and Procedures (SR-1) subcontrol is a fundamental component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It involves the development and implementation of policies and procedures to govern and guide an organization's supply chain risk management efforts.
The Supply Chain Risk Management Plan (SR-2) is a critical component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It focuses on the development and implementation of a comprehensive plan to manage and mitigate risks associated with an organization's supply chain.
The Establish SCRM Team subcontrol (SR-2(1)) is a critical component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It emphasizes the need for organizations to establish a dedicated Supply Chain Risk Management team responsible for overseeing and implementing strategies to mitigate risks associated with the supply chain.
The Supply Chain Controls and Processes (SR-3) subcontrol focuses on the implementation of effective controls and processes within an organization's supply chain to manage and mitigate risks. It addresses the need to establish security measures and resilience strategies to safeguard the supply chain against disruptions and threats.
The Acquisition Strategies, Tools, and Methods subcontrol (SR-5) within the Supply Chain Risk Management (SR) category focuses on developing and implementing strategies, tools, and methods to assess and manage supply chain risks effectively. It involves proactive measures to identify, evaluate, and mitigate risks associated with the acquisition of goods and services from suppliers and vendors.
The Component Disposal subcontrol (SR-12) within the Supply Chain Risk Management (SR) category focuses on the secure and responsible disposal of electronic and electromechanical components and associated data. Proper disposal practices help mitigate risks associated with the potential compromise of sensitive information or the reintroduction of components into the supply chain after disposal.
The Configuration Control for Component Service and Repair subcontrol (SR-11(2)) within the Component Authenticity category of Supply Chain Risk Management (SR-11) aims to establish robust configuration control processes for components undergoing service or repair. It ensures that any changes made during service or repair activities do not compromise the authenticity, integrity, or security of the components.
The Anti-counterfeit Training subcontrol (SR-11(1)) under Component Authenticity in Supply Chain Risk Management (SR-11) focuses on providing training to personnel involved in the procurement and supply chain management processes. This training equips them with the knowledge and skills necessary to identify counterfeit components and mitigate the risks associated with counterfeit or compromised hardware and software.
The Component Authenticity subcontrol (SR-11) is a critical element of supply chain risk management. It focuses on ensuring that all hardware and software components used in an organization's systems and products are genuine, free from tampering or counterfeiting, and come from trusted sources.
The Inspection of Systems or Components subcontrol (SR-10) is a critical element of supply chain risk management. It involves a systematic process of inspecting and evaluating systems, components, or software obtained from external sources to ensure their integrity, authenticity, and compliance with established security standards and requirements.
The Notification Agreements subcontrol (SR-8) pertains to establishing agreements with suppliers and partners regarding the timely exchange of information related to security incidents, vulnerabilities, and threats within the supply chain. These agreements facilitate the sharing of critical information, allowing organizations to respond promptly to emerging risks and incidents that may impact the security of their supply chain.
The System and Information Integrity control family is designed to ensure the integrity of information processed within information systems and the integrity of the systems themselves. The controls within this family aim to prevent, detect, and respond to incidents that could compromise the integrity of information or the functionality of information systems. Integrity protections are crucial for maintaining the trustworthiness of data and the overall reliability of systems.
The Information Management and Retention subcontrol, SI-12, is a fundamental component of the System and Information Integrity (SI) control family. It focuses on establishing policies and procedures for the effective management and retention of information assets throughout their lifecycle to ensure their integrity, availability, and confidentiality.
The Security Alerts, Advisories, and Directives (SI-5) control within the System and Information Integrity (SI) family focuses on establishing a mechanism for receiving, interpreting, and acting upon security alerts, advisories, and directives from authoritative sources. This control aims to enhance an organization's ability to respond effectively to emerging threats, vulnerabilities, and cybersecurity guidance.
The System Monitoring (SI-4) control within the System and Information Integrity (SI) family focuses on establishing a comprehensive system monitoring program that enables organizations to continuously observe, detect, and respond to security events and incidents within their information systems. This control encompasses the establishment and maintenance of monitoring capabilities to ensure the security and integrity of an organization's computing environment.
The Malicious Code Protection (SI-3) control within the System and Information Integrity (SI) family focuses on implementing measures to protect information systems and data from malicious code, including viruses, worms, trojans, and other types of malware. This control emphasizes the importance of preventing, detecting, and responding to malicious code threats to ensure the integrity and availability of systems and information.
The Flaw Remediation (SI-2) subcontrol within the System and Information Integrity (SI) family focuses on the identification, prioritization, and timely remediation of software and hardware vulnerabilities in an organization's information systems. This control ensures that vulnerabilities are addressed promptly to prevent potential exploitation, data breaches, or system compromises.
The Policy and Procedures (SI-1) control within the System and Information Integrity (SI) family focuses on the establishment and maintenance of policies and procedures to protect and maintain the integrity of an organization's information systems. This control ensures that formalized policies and procedures are in place to address information system integrity, prevent unauthorized changes, and facilitate timely detection and response to integrity violations.
The System and Communications Protection control family is designed to ensure the security of information systems and the communications that occur within and between systems. This family addresses the protection of information at rest, in transit, and during processing. The controls within this family aim to prevent unauthorized access, detect and respond to security incidents, and establish secure communication channels to safeguard the confidentiality and integrity of information.
Process Isolation (SC-39) is a control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. It focuses on separating and isolating processes within an information system to prevent unauthorized access and reduce the risk of unauthorized data sharing.
The "Architecture and Provisioning for Name/Address Resolution Service" control (SC-22) is part of the System and Communications Protection (SC) family in NIST 800-53. It focuses on the establishment and maintenance of secure architecture and provisioning for name/address resolution services, such as the Domain Name System (DNS).
The "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" control (SC-21) is part of the System and Communications Protection (SC) family in NIST 800-53. It focuses on the security of recursive or caching resolvers within a DNS (Domain Name System) infrastructure. These resolvers are responsible for caching DNS query results and efficiently resolving domain names to IP addresses.
The Collaborative Computing Devices and Applications subcontrol (SC-15) is part of the System and Communications Protection control family in NIST 800-53. This control addresses security considerations related to collaborative computing environments, including shared devices and applications. It focuses on ensuring that collaborative tools and technologies do not compromise the security and confidentiality of sensitive information.
The "Secure Name/Address Resolution Service (Authoritative Source)" subcontrol (SC-20) falls under the System and Communications Protection (SC) family in NIST 800-53. It addresses the security requirements for ensuring the integrity and authenticity of the Name/Address Resolution Service (NARS), which is an authoritative source for resolving hostnames to IP addresses.
Cryptographic Protection (SC-13) is a main control within the System and Communications Protection family of NIST Special Publication 800-53. This control focuses on the use of cryptographic techniques to protect the confidentiality and integrity of information and communications within an organization's information systems.
Cryptographic Key Establishment and Management (SC-12) is a crucial control within the System and Communications Protection family. This control focuses on the secure generation, distribution, and management of cryptographic keys used to protect sensitive information. Effective key management is essential to maintain the confidentiality and integrity of data in a system.
SC-7 - Boundary Protection: This control is part of the "System and Communications Protection" family and focuses on establishing and maintaining protective measures at system boundaries to prevent unauthorized access and communication. It safeguards the security and integrity of an organization's systems and data.
SC-5 - Denial-of-service Protection: This control falls under the "System and Communications Protection" family and focuses on protecting information systems and their components from denial-of-service (DoS) attacks. A DoS attack aims to disrupt or degrade the availability of an information system, making it inaccessible to users or causing severe performance degradation.
Control SC-1, part of the System and Communications Protection family in NIST 800-53, focuses on the development and implementation of policies and procedures for securing the organization's communication and information systems.
The System and Services Acquisition control family addresses the processes and activities related to the acquisition of information systems, products, and services. The controls within this family are designed to ensure that organizations acquire, develop, and maintain systems that meet security requirements and adhere to established policies and procedures. The goal is to manage risks associated with the acquisition lifecycle, from the initial planning stages through the development, implementation, and ongoing maintenance of systems.
Control SA-22, a part of the System and Services Acquisition family in NIST 800-53, addresses the management of unsupported system components within an organization's information systems. It emphasizes the importance of identifying, assessing, and mitigating risks associated with unsupported hardware or software components.
Control SA-9 within the System and Services Acquisition family of NIST 800-53 addresses the security and privacy concerns associated with external system services. It focuses on managing the risks associated with connecting systems to external services, networks, and providers.
The Security and Privacy Engineering Principles (SA-8) control is a key component of the NIST 800-53 System and Services Acquisition control family. SA-8 emphasizes the incorporation of security and privacy principles into the system development life cycle to ensure that security and privacy controls are integrated from the outset.
The System Documentation (SA-5) control is part of the NIST 800-53 System and Services Acquisition control family. SA-5 focuses on establishing and maintaining comprehensive documentation for the acquired information system, including its design, configuration, and security features.
The Acquisition Process | Use of Approved PIV Products (SA-4(10)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on incorporating approved Personal Identity Verification (PIV) products into the acquisition process for information systems and services.
The Acquisition Process (SA-4) control is a fundamental component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on establishing and implementing a structured and comprehensive acquisition process that ensures the successful procurement, development, deployment, and management of information systems and services within an organization.
The System Development Life Cycle (SA-3) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on establishing and managing a structured and well-documented system development life cycle (SDLC) process for the acquisition, development, and deployment of information systems and services.
The Allocation of Resources (SA-2) control is a vital component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on ensuring that an organization allocates adequate resources, including budget, personnel, and infrastructure, to support the successful acquisition, development, and maintenance of information systems and services.
The Policy and Procedures (SA-1) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on establishing and maintaining comprehensive policies and procedures that govern the acquisition, development, and deployment of information systems and services within an organization. It provides the framework for ensuring that acquisitions align with security, compliance, and operational requirements.
The Risk Assessment control family is designed to ensure that organizations systematically identify, analyze, and manage risks to their information systems and the data they process. The goal is to provide a structured approach to understanding and evaluating the potential impact of risks on organizational operations, assets, individuals, and other critical elements. By conducting risk assessments, organizations can make informed decisions about risk mitigation strategies, prioritize security efforts, and align security measures with organizational goals.
The Risk Response (RA-7) control is a pivotal component of the NIST 800-53 Risk Assessment control family. It focuses on defining and implementing an effective strategy for responding to identified risks and vulnerabilities within an organization's information systems and operations. This control ensures that risks are addressed promptly and efficiently to protect critical assets and data.
The Public Disclosure Program (RA-5(11)) subcontrol is an essential component of the NIST 800-53 Risk Assessment control family. This subcontrol focuses on establishing a structured and responsible program for disclosing vulnerabilities that have been identified within an organization's information systems to the public and relevant stakeholders.
The Update Vulnerabilities to Be Scanned (RA-5(2)) subcontrol is a vital component of the NIST 800-53 Risk Assessment control family. This subcontrol emphasizes the importance of maintaining an accurate and up-to-date list of vulnerabilities to be scanned for within an organization's information systems. It ensures that the vulnerability scanning process remains relevant and effective.
The Supply Chain Risk Assessment subcontrol (RA-3(1)) is a specialized component of the Risk Assessment control within the NIST 800-53 framework. RA-3(1) specifically addresses the need to assess and manage risks associated with the supply chain, which can introduce vulnerabilities and threats to an organization's information systems and data.
The Vulnerability Monitoring and Scanning subcontrol (RA-5) is a crucial component of the Risk Assessment control within the NIST 800-53 framework. RA-5 focuses on the continuous monitoring of information systems to identify and address vulnerabilities that may pose risks to the confidentiality, integrity, and availability of data and operations.
The Risk Assessment subcontrol (RA-3) is a fundamental component of the Risk Assessment control within the NIST 800-53 framework. RA-3 focuses on the process of conducting systematic risk assessments for information systems and the data they handle. Risk assessments help organizations identify, analyze, and manage risks effectively to protect their assets, operations, and stakeholders.
The Security Categorization subcontrol (RA-2) is a critical component of the Risk Assessment control within the NIST 800-53 framework. RA-2 focuses on the systematic process of categorizing information systems based on their security requirements. This categorization sets the foundation for determining the appropriate security controls and safeguards needed to protect these systems and the information they handle.
The Policy and Procedures subcontrol (RA-1) is an integral part of the Risk Assessment control within the NIST 800-53 framework. This subcontrol focuses on establishing, documenting, and maintaining comprehensive policies and procedures for conducting risk assessments within an organization. Risk assessments are essential for identifying, evaluating, and managing risks to information systems and data.
The Personnel Security control family is designed to address the security aspects associated with the individuals who have access to information systems and the information processed by those systems. The objective is to ensure that individuals are trustworthy, adequately trained, and aware of their security responsibilities. Effective personnel security controls contribute to the overall protection of information systems and help prevent insider threats, unauthorized access, and other security risks associated with personnel actions.
Control PS-9, "Position Descriptions," is a vital aspect of the Personnel Security family in NIST 800-53. This subcontrol highlights the importance of accurately defining the security roles and responsibilities of personnel within their respective position descriptions.
Control PS-8, "Personnel Sanctions," is a pivotal element of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of implementing sanctions when personnel violate security policies or engage in behavior that poses a risk to the organization's security posture.
Control PS-7, "External Personnel Security," is a critical component of the Personnel Security family in NIST 800-53. This subcontrol addresses the need for organizations to establish security measures when external personnel, such as contractors, consultants, and temporary workers, are granted access to organizational resources, systems, or facilities.
Control PS-6, "Access Agreements," is a crucial aspect of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of formalizing access agreements with personnel who have been granted access to sensitive resources, ensuring that they understand their security responsibilities and obligations.
Control PS-5, "Personnel Transfer," is an integral aspect of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the need for a well-defined process to manage the transfer of personnel within the organization to ensure that access privileges and security measures are appropriately updated to align with their new roles and responsibilities.
Control PS-4, "Personnel Termination," is a crucial component of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the need to have effective processes in place to manage the personnel termination process to prevent unauthorized access, data breaches, and potential security risks upon an individual's departure from the organization.
Control PS-3, "Personnel Screening," is a vital aspect of the Personnel Security family in NIST 800-53. This subcontrol underscores the significance of implementing a thorough and consistent personnel screening process to evaluate the background, trustworthiness, and suitability of individuals before granting them access to sensitive information, systems, and facilities.
Control PS-2, "Position Risk Designation," is a critical component of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of assessing the risk associated with different positions within an organization and designating appropriate levels of security clearance and access privileges based on the sensitivity of the information and systems the individuals in those positions handle.
Control PS-1, "Policy and Procedures," is part of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the establishment of clear and comprehensive policies and procedures that guide the organization's personnel security practices. By defining a structured framework for personnel security, organizations can mitigate risks associated with insider threats, unauthorized access, and other vulnerabilities stemming from human interactions.
The Strategic Planning control family focuses on establishing and implementing processes for strategic planning to guide the overall direction of an organization's information security program. This includes defining the organization's risk tolerance, setting security objectives, and aligning security strategies with broader business goals. The goal is to ensure that information security is integrated into the organization's overarching strategic planning and decision-making processes.
Subcontrol PL-11 emphasizes the process of customizing security and privacy baselines to match the specific requirements and characteristics of information systems. Tailoring baselines ensures that controls are relevant, effective, and appropriate for the unique risks and operational needs of each system.
Subcontrol PL-10 focuses on the process of selecting appropriate security and privacy baselines for information systems. Baselines serve as foundational security configurations that guide the implementation of security controls and ensure a consistent level of protection.
Subcontrol PL-4 focuses on establishing and disseminating rules of behavior that define acceptable and expected behavior for individuals accessing and using organizational information systems. These rules help promote proper security practices and reduce the risk of unauthorized actions.
Subcontrol PL-4(1) focuses specifically on establishing rules of behavior that address the usage of social media platforms and external websites/applications by individuals who have access to organizational information systems. These rules aim to mitigate risks associated with inappropriate use of external online resources.
Control PL-2 focuses on creating and maintaining comprehensive system security and privacy plans that outline the organization's approach to protecting information systems and the privacy of individuals. This control ensures that security and privacy considerations are integrated from the planning stages.
Control PL-1 focuses on establishing and maintaining policies and procedures that guide the planning, implementation, and management of security controls within an organization. This control ensures a structured approach to achieving security objectives.
The Physical and Environmental Protection control family addresses the safeguarding of information systems, equipment, and facilities from various physical threats and environmental hazards. The goal is to ensure the continued availability, integrity, and confidentiality of information and the supporting infrastructure. These controls encompass a range of protective measures, from controlling access to facilities to implementing safeguards against environmental risks such as fire, flood, and power failures. By implementing effective physical and environmental protection controls, organizations can enhance the resilience of their information systems against both intentional and unintentional physical threats.
Control PE-16 focuses on establishing procedures to control the delivery and removal of equipment and information assets from information systems and facilities. This control safeguards against unauthorized access, theft, and tampering during transportation.
Control PE-14 focuses on implementing measures to control and monitor environmental conditions within information systems and facilities to prevent damage and ensure operational integrity. This control safeguards equipment and data from environmental hazards.
Control PE-15 focuses on implementing measures to prevent and mitigate water damage to information systems and equipment. This control safeguards against water-related incidents that can lead to equipment malfunction, data loss, and operational disruption.
Control PE-13 focuses on implementing fire protection measures to prevent, detect, and respond to fires within information systems and facilities. This control safeguards critical assets and helps prevent damage and disruption.
Control PE-8 focuses on establishing procedures for creating and maintaining records of visitor access to an organization's facilities. This control ensures that accurate and complete records are kept to track visitors' activities and access history.
Control PE-12 focuses on implementing emergency lighting systems to provide illumination during power outages and disruptions. This control enhances the safety and usability of critical information systems and facilities during emergencies.
Control PE-3 addresses the implementation of access controls to prevent unauthorized physical access to an organization's facilities, resources, and information systems. This control ensures that only authorized individuals can enter secure areas.
Control PE-6 focuses on monitoring and logging physical access to facilities and secure areas. This control ensures that activities related to physical access are recorded, analyzed, and reviewed to detect and respond to unauthorized or suspicious activities.
Control PE-2 addresses the need to establish and enforce physical access authorizations to prevent unauthorized individuals from gaining access to an organization's facilities and information systems. This control ensures that only authorized personnel can enter secure areas.
Control PE-1 addresses the establishment of policies and procedures for the physical and environmental protection of an organization's facilities, resources, and information systems. This control ensures that proper measures are in place to safeguard against physical threats and environmental hazards.
The Media Protection control family is designed to safeguard information system media, which includes physical and electronic storage devices, from unauthorized access, disclosure, alteration, destruction, and theft. Media protection measures are critical for preserving the confidentiality and integrity of information stored on various forms of media throughout their lifecycle. By implementing effective media protection controls, organizations can ensure that sensitive information remains secure, whether stored on physical media (e.g., hard drives, tapes) or electronic media (e.g., USB drives, optical discs).
Control MP-7 addresses the secure and appropriate use of media containing sensitive information. This control ensures that media are used in a manner that aligns with security policies and minimizes the risk of unauthorized disclosure, tampering, or loss.
Control MP-6 addresses the proper sanitization of media to ensure that sensitive information is removed from media prior to disposal, reuse, or release for reuse. This control aims to prevent unauthorized disclosure of information that may still reside on media even after its primary use.
The MP-2 control within NIST Special Publication 800-53 focuses on controlling access to media that contain sensitive information. This control ensures that only authorized individuals have access to media, thereby reducing the risk of unauthorized disclosure, loss, or compromise of information stored on the media.
The MP-1 control within NIST Special Publication 800-53 focuses on the establishment and implementation of policies and procedures to ensure the proper protection of media containing sensitive information. This control aims to prevent unauthorized access, disclosure, and loss of information stored on various types of media, including physical and digital media.
The Incident Response control family is designed to help organizations develop, implement, and maintain an organized and effective approach to managing and mitigating information security incidents. An incident response capability enables organizations to detect, respond to, and recover from incidents in a manner that minimizes damage, reduces recovery time, and mitigates the potential impact on information systems and data.
The Incident Response Plan (IR-8) control is a foundational component of the Incident Response family in NIST Special Publication 800-53. It emphasizes the development, documentation, and maintenance of a comprehensive incident response plan that outlines the organization's strategies, procedures, and guidelines for addressing and mitigating various types of security incidents.
The Incident Response Assistance (IR-7) control is part of the Incident Response family of controls in NIST Special Publication 800-53. It focuses on establishing mechanisms to provide and receive assistance during incident response activities from external sources and organizations.
The Incident Reporting (IR-6) control is part of the Incident Response family of controls in NIST Special Publication 800-53. This control emphasizes the importance of establishing a formalized process for reporting and documenting security incidents within an organization.
The Incident Monitoring (IR-5) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of monitoring for potential security incidents and unauthorized activities in order to detect and respond to them in a timely manner.
The Incident Handling (IR-4) control is a central component of the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and maintaining a robust incident handling capability to effectively detect, respond to, and mitigate security incidents within an organization.
The Incident Response Training (IR-2) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing training to personnel involved in incident response activities. The control aims to ensure that individuals are equipped with the necessary knowledge and skills to effectively respond to cybersecurity incidents and mitigate their impact.
The Incident Response Policy and Procedures (IR-1) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing an organization-wide incident response policy and associated procedures. The control aims to ensure that the organization has a clear framework for detecting, responding to, and mitigating cybersecurity incidents effectively and efficiently.
The Maintenance control family is designed to ensure that information systems are properly maintained, updated, and patched to address vulnerabilities, enhance functionality, and support the overall security of the system throughout its lifecycle. Maintenance activities encompass both routine and emergency procedures, including the application of updates, patches, and configuration changes. By implementing effective maintenance controls, organizations can reduce the risk of security incidents related to unaddressed vulnerabilities and ensure the continued reliability and security of their information systems.
The MA-5 control in NIST Special Publication 800-53 addresses the selection, training, and management of personnel involved in system maintenance activities. This control aims to ensure that maintenance personnel have the appropriate skills, knowledge, and authorization to perform maintenance tasks while minimizing the risk of unauthorized access or unintentional disruptions.
The MA-4 control in NIST Special Publication 800-53 addresses the security aspects of performing maintenance on information systems and components from a nonlocal location. It aims to establish safeguards and controls to ensure that nonlocal maintenance activities do not introduce security risks or compromise the confidentiality, integrity, and availability of the systems.
The MA-2 control is part of the Maintenance family in NIST Special Publication 800-53. It focuses on the implementation of controlled maintenance processes to ensure that changes to information systems and assets are carried out in a planned, coordinated, and secure manner.
The MA-1 control is part of the Maintenance family in NIST Special Publication 800-53. It focuses on the development and implementation of policies and procedures to guide the maintenance of information systems and assets throughout their lifecycle.
The Identification and Authentication control family is designed to ensure that only authorized individuals and entities are granted access to information systems. This is achieved through the unique identification of users and the authentication of their claimed identities before allowing access. By implementing strong identification and authentication controls, organizations can enhance the security of their information systems, protect sensitive data, and prevent unauthorized access.
The Re-authentication (IA-11) control is part of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on implementing mechanisms for requiring users to re-authenticate during an active session after a certain period of inactivity or based on specific events. The control aims to prevent unauthorized access to sensitive information and actions within an active session.
The Identification and Authentication (Non-organizational Users) | Use of Defined Profiles (IA-8(4)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on the use of defined authentication profiles for non-organizational users. The control aims to establish consistent and secure authentication methods based on specific user profiles.
The Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators (IA-8(2)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the acceptance of external authenticators, such as third-party identity providers, for non-organizational users. The control aims to enhance user convenience and streamline access by allowing users to leverage existing external credentials.
The Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other Agencies (IA-8(1)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the acceptance of Personal Identity Verification (PIV) credentials issued by other agencies for non-organizational users. The control aims to enhance interoperability and streamline access for users with PIV credentials issued by different entities.
The Identification and Authentication (Non-organizational Users) (IA-8) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control focuses on establishing identification and authentication mechanisms for non-organizational users accessing organizational systems and resources. The control aims to enhance security by ensuring that non-organizational users are appropriately identified and authenticated before gaining access.
The Cryptographic Module Authentication (IA-7) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control focuses on ensuring the authenticity and integrity of cryptographic modules used in authentication processes. The control aims to enhance security by requiring organizations to verify the authenticity of cryptographic modules to prevent the use of tampered or unauthorized modules.
The Authentication Feedback (IA-6) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control focuses on providing users with timely feedback during the authentication process. The control aims to enhance user experience and security by informing users about the status of their authentication attempts and guiding them toward successful login or corrective actions.
The Authenticator Management | Password-based Authentication control (IA-5(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management and security of password-based authentication methods. The control aims to enhance security by ensuring that passwords, as authenticators, are managed, stored, and used in a secure manner.
The Authenticator Management control (IA-5) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management of authenticators, which are credentials used to verify the identity of individuals, devices, or systems. The control aims to enhance security by ensuring the effective management and protection of authenticators to prevent unauthorized access.
The Identifier Management control (IA-4) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on managing and controlling user and device identifiers to ensure the accurate and secure identification of individuals and devices accessing organizational systems. The control aims to enhance security by preventing unauthorized access through improper or compromised identifiers.
The Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials control (IA-2(12)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to accept Personal Identity Verification (PIV) credentials as a strong form of authentication. The control aims to enhance security by ensuring that PIV credentials are recognized and used for user identification.
The Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant control (IA-2(8)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to implement replay-resistant authentication mechanisms for accessing accounts. The control aims to prevent unauthorized access by ensuring that captured authentication data cannot be reused to gain entry.
The Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts control (IA-2(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of implementing multi-factor authentication (MFA) for accessing non-privileged accounts within an organization. The control aims to enhance security by adding an additional layer of authentication for accounts with standard access privileges.
The Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts control (IA-2(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the necessity of implementing multi-factor authentication (MFA) for accessing privileged accounts within an organization. The control aims to enhance security by requiring an additional layer of authentication for accounts with elevated access privileges.
The Identification and Authentication (Organizational Users) control (IA-2) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish and implement mechanisms for identifying and authenticating organizational users accessing information systems. The control aims to ensure that only authorized personnel can access sensitive systems and data.
The Identification and Authentication | Policy and Procedures control (IA-1) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of establishing clear policies and procedures for managing user identification and authentication within an organization. The control aims to ensure consistent and secure access to systems and data by authorized personnel.
The Contingency Planning control family is designed to help organizations prepare for and respond to disruptions in information system operations, ensuring the continued availability and integrity of critical information and services. Contingency planning involves the development, testing, and maintenance of comprehensive plans and procedures to address a range of potential incidents, including but not limited to natural disasters, technological failures, and malicious attacks. The ultimate goal is to minimize the impact of disruptions and facilitate the timely recovery of information systems and data.
The System Recovery and Reconstitution control (CP-10) is part of the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring that critical information systems can be effectively recovered and reconstituted after a disruption or disaster. The objective is to minimize the impact of disruptions on organizational operations by establishing comprehensive recovery processes.
The "System Backup" (CP-9) control is part of the "Contingency Planning" (CP) family within NIST Special Publication 800-53. This control focuses on establishing and maintaining a systematic approach to backing up critical system data and information to support data recovery and restoration activities in the event of a contingency or disaster.
This control, part of the Contingency Planning family, focuses on providing training to personnel involved in contingency planning, response, and recovery efforts. Training ensures that individuals understand their roles and responsibilities during disruptions and can effectively execute the organization's contingency plans.
Subcontrol CP-4 focuses on the testing of contingency plans to ensure their effectiveness and the readiness of personnel to respond to disruptive events. Testing involves executing different scenarios, simulating real-life incidents, and evaluating the response procedures and recovery capabilities defined in the contingency plans.
This subcontrol under Contingency Planning (CP-2) focuses on the development and maintenance of a comprehensive contingency plan. A contingency plan outlines the specific actions, procedures, and resources that an organization will use to respond to and recover from unexpected disruptions or disasters that could impact its information systems and data.
This subcontrol under Contingency Planning (CP-1) focuses on establishing and implementing policies and procedures for effective contingency planning. Contingency planning ensures that organizations have a well-defined strategy in place to respond to and recover from unexpected disruptions or disasters that could impact their information systems and data.
The Configuration Management control family is designed to establish and maintain a systematic approach to managing the configuration of information systems. Configuration management involves identifying and documenting system components, controlling changes to those components, and ensuring the integrity and security of the system throughout its lifecycle. By implementing robust configuration management controls, organizations can reduce the risk of unauthorized or unintended changes that could impact the confidentiality, integrity, and availability of their information systems.
This main control under Configuration Management (CM-10) emphasizes the importance of establishing and enforcing software usage restrictions to prevent unauthorized or inappropriate software from being installed and executed on organizational systems.
This main control under Configuration Management (CM-11) focuses on managing user-installed software within the organization. It aims to establish processes and mechanisms to ensure that user-installed software is properly controlled, monitored, and evaluated to prevent security risks and maintain the integrity of organizational systems.
This main control under Configuration Management (CM-7) focuses on ensuring that systems and components are configured with the least functionality necessary for their intended purpose to reduce attack surfaces and minimize potential vulnerabilities.
This control under Configuration Management (CM-8) focuses on maintaining an accurate and up-to-date inventory of system components within an organization's information system to effectively manage and secure its configuration.
This main control under Configuration Management (CM-6) focuses on establishing and maintaining configuration settings for information systems and components to ensure their security and functionality.
This control under Configuration Management (CM) focuses on implementing access restrictions to ensure that only authorized individuals can make changes to configurations. Access restrictions help prevent unauthorized or malicious changes that could compromise system security and stability.
This control falls under the Configuration Management (CM) family and focuses on establishing and maintaining baseline configurations for an organization's information systems. Baseline configurations provide a reference point for authorized and secure system settings.
This control under Configuration Management (CM) focuses on performing impact analyses to assess the potential effects of proposed changes on systems and environments before they are implemented. Impact analyses help organizations make informed decisions and manage risks associated with configuration changes.
This control falls under the Configuration Management (CM) family and emphasizes the need for establishing and implementing configuration management policies and procedures. Configuration management involves managing and controlling the changes made to an organization's information systems and components.
The Audit and Accountability control family is designed to facilitate the creation, collection, and analysis of audit records to support the detection, response to, and investigation of security incidents. By implementing robust auditing mechanisms, organizations can establish a comprehensive and accurate record of activities within their information systems, aiding in the identification of unauthorized access, policy violations, and potential security threats.
This control addresses the requirement for generating audit records that capture relevant information about system activities, events, and user actions. The purpose of this control is to ensure that audit records are generated consistently and comprehensively to provide a reliable record of system behavior and facilitate security monitoring, incident response, and accountability.
This control addresses the retention of audit records, ensuring that these records are maintained for a specified period to facilitate incident response, accountability, and compliance monitoring. Audit records contain valuable information about system activities, user actions, and security events, which are crucial for detecting and investigating security incidents, analyzing trends, and ensuring the accountability of system users and administrators.
The AU-9 control addresses the protection of audit information to ensure the confidentiality, integrity, and availability of audit records and related data. It ensures that organizations implement measures to safeguard audit logs, reports, and associated information from unauthorized access, modification, loss, and tampering.
The AU-8 control focuses on the accurate and consistent time stamping of audit records to establish a reliable timeline of events within information systems. It ensures that organizations maintain an accurate record of when specific actions and activities occurred, supporting incident investigation, accountability, and compliance requirements.
This control focuses on the review, analysis, and reporting of audit records generated by information systems. It ensures that organizations establish processes for regularly examining audit records to detect and respond to security incidents, track system activities, and facilitate compliance monitoring and reporting.
This control ensures that appropriate actions are taken in response to failures in the audit logging process. It focuses on detecting, responding to, and resolving audit logging failures to maintain the integrity and availability of audit records, which are crucial for monitoring and assessing the security of information systems.
The Audit Log Storage Capacity control, categorized under the Audit and Accountability family, pertains to the management of audit logs' storage capacity. It focuses on ensuring that systems have adequate storage space to retain audit records, thereby supporting effective security monitoring, incident response, and compliance with regulatory requirements.
This main control under the Audit and Accountability (AU) control family focuses on specifying the necessary content for audit records to ensure the comprehensive capture of relevant information related to security events and incidents. It ensures that audit records contain essential details that support security monitoring, analysis, and incident response.
The Audit and Accountability (AU) control family focuses on establishing policies and procedures for conducting audits, tracking and monitoring events, and ensuring accountability within an organization's information systems. AU-1 specifically addresses the need to develop and implement policies and procedures that guide the overall audit and accountability program.
The Audit and Accountability (AU) control family focuses on establishing policies and procedures for conducting audits, tracking and monitoring events, and ensuring accountability within an organization's information systems. AU-2 specifically addresses the need to generate, record, and retain audit logs of events to provide an accurate record of system activity.
The Security Assessment and Authorization control family is designed to ensure that information systems are thoroughly assessed for security compliance and authorized to operate based on the results of those assessments. The controls within this family guide organizations in conducting comprehensive security assessments, determining the effectiveness of implemented security controls, and obtaining the necessary authorizations before systems are put into operation. This process supports the ongoing monitoring and management of security controls throughout the system's lifecycle.
This subcontrol under Continuous Monitoring (CA-7) emphasizes the importance of ongoing risk monitoring as part of the continuous monitoring program. Risk monitoring involves regularly assessing and reassessing the organization's risk posture, identifying changes in risk factors, and adapting security measures accordingly.
This control falls under the Security Assessment and Authorization (SA) family and focuses on managing internal system connections within an organization's information systems. Internal system connections involve network connections between components within an organization's infrastructure.
This control falls under the Security Assessment and Authorization (SA) family and focuses on the implementation of a continuous monitoring program. Continuous monitoring involves ongoing assessment of information systems, tracking changes, and identifying potential security risks or vulnerabilities in real time.
This control falls under the Security Assessment and Authorization (SA) family and focuses on the process of authorization. Authorization involves formally approving an information system to operate based on an assessment of its security controls and compliance with established security requirements.
This control falls under the Security Assessment and Authorization (SA&A) family and focuses on establishing processes for the secure exchange of information related to security assessment and authorization activities. It ensures that organizations can effectively share assessment results, authorization decisions, and associated documentation while maintaining confidentiality, integrity, and availability.
This control falls under the Security Assessment and Authorization (SA) family and focuses on the establishment and management of a Plan of Action and Milestones (POA&M). A POA&M is a documented strategy for addressing and resolving weaknesses, vulnerabilities, and deficiencies identified during security assessments and authorizations.
This control is part of the Security Assessment and Authorization (SA&A) family and focuses on conducting control assessments to evaluate the effectiveness of security controls within information systems. It ensures that organizations regularly assess the security controls implemented in their systems to determine whether they are operating as intended and providing the desired level of security.
This control falls under the Security Assessment and Authorization (SA&A) family and focuses on the establishment of security assessment and authorization policies and procedures. It ensures that organizations define and document the processes and guidelines for conducting security assessments, authorizing systems, and managing the associated documentation.
The Awareness and Training control family emphasizes the importance of fostering a security-conscious culture within an organization by promoting awareness and delivering effective training programs. The goal is to ensure that individuals, including employees, contractors, and other users, are equipped with the knowledge and skills necessary to understand and fulfill their roles and responsibilities in safeguarding information systems and sensitive information.
The Training Records (AT-4) subcontrol under Awareness and Training (AT) focuses on maintaining accurate and up-to-date records of training activities and outcomes for individuals within the organization. These records help demonstrate compliance with training requirements, track progress, and ensure that personnel have received the necessary education and awareness to perform their roles securely and effectively.
The Insider Threat (AT-2(2)) subcontrol under Literacy Training and Awareness (AT-2) focuses on providing targeted training and awareness activities to educate personnel about insider threats, their risks, and preventive measures.
The Role-based Training (AT-3) subcontrol under Awareness and Training (AT) focuses on providing training tailored to specific job roles within the organization. This ensures that individuals receive training that is relevant to their responsibilities and helps them better understand their role in maintaining information security.
The Literacy Training and Awareness (AT-2) control focuses on providing security training and awareness programs that cater to individuals with varying levels of technical literacy and expertise.
The Awareness and Training Policy and Procedures (AT-1) control requires the establishment of policies and procedures to ensure that personnel receive appropriate awareness and training on security policies, procedures, and practices.
Access control safeguards are implemented to ensure that only authorized individuals and systems have access to the information system and its resources. The primary goal is to prevent unauthorized access and limit access to only those with the necessary permissions based on their roles and responsibilities within the organization. Effective access control mechanisms contribute to the confidentiality, integrity, and availability of the information system and its data.
The Use of External Systems (AC-20) control is designed to establish safeguards and controls when organizations interact with external systems, networks, or services. This control aims to manage and mitigate risks associated with connecting to, sharing information with, or relying on external entities.
The Publicly Accessible Content (AC-22) control focuses on establishing appropriate access controls and security measures to protect information and systems containing publicly accessible content from unauthorized access, modification, or disclosure.
The Access Control for Mobile Devices (AC-19) control focuses on establishing and enforcing access controls for mobile devices to ensure the confidentiality, integrity, and availability of information and systems.
The Remote Access (AC-17) control focuses on managing and controlling remote access to organizational information systems and resources. This control ensures that remote access is securely configured, monitored, and controlled to prevent unauthorized access and protect sensitive information.
The Wireless Access (AC-18) control aims to manage and secure wireless communications within an organization's information system. It focuses on establishing policies, procedures, and technical measures to ensure the appropriate use of wireless technologies and to protect against unauthorized access, data breaches, and other security risks associated with wireless networks.
The Permitted Actions Without Identification or Authentication (AC-14) control addresses the circumstances under which certain actions are allowed without requiring user identification and authentication. This control helps organizations strike a balance between security and operational needs by allowing specific actions to be performed without the overhead of full identification and authentication while still maintaining adequate security measures.
The System Use Notification control (AC-8) focuses on providing users with appropriate notification and warnings regarding the use of information systems before accessing them. This control helps users understand their responsibilities and the conditions under which they are allowed to access and use the systems.
The Unsuccessful Logon Attempts control (AC-7) focuses on monitoring and limiting the number of unsuccessful logon attempts to prevent unauthorized access to information systems. This control helps protect against brute force attacks and unauthorized access attempts.
The Access Enforcement control (AC-3) focuses on enforcing access control policies and mechanisms to ensure that only authorized individuals are granted access to information systems and resources. This control ensures that access decisions are made based on established rules and criteria, reducing the risk of unauthorized access and ensuring the security and confidentiality of sensitive information.
The Access Control Policy and Procedures control (AC-1) focuses on the establishment and documentation of a comprehensive set of policies and procedures that govern the management of access to information systems and resources. This control ensures that access to sensitive data, applications, and systems is appropriately authorized, managed, and audited, thereby reducing the risk of unauthorized access and potential security breaches.
The Account Management control (AC-2) focuses on the establishment and enforcement of policies and procedures for the management of user accounts within an information system. This control ensures that user accounts are created, modified, and terminated in a secure and consistent manner, reducing the risk of unauthorized access and minimizing potential security vulnerabilities.