NIST SP 800-53 (rev. 4)

[toc]

---

NIST special publication 800-53 (rev. 4)

security and privacy controls for federal information systems and organizations

high impact controls

showing 170 controls:

no.	control priority	low moderate	high
ac-1	access control policy and procedures p1 ac-1 ac-1 ac-1
ac-2	account management p1 ac-2 ac-2 (1) (2) (3) (4) ac-2 (1) (2) (3) (4) (5) (11) (12) (13)
ac-3	access enforcement p1 ac-3 ac-3 ac-3
ac-4	information flow enforcement p1 ac-4 ac-4
ac-5	separation of duties p1 ac-5 ac-5
ac-6	least privilege p1 ac-6 (1) (2) (5) (9) (10) ac-6 (1) (2) (3) (5) (9) (10)
ac-7	unsuccessful logon attempts p2 ac-7 ac-7 ac-7
ac-8	system use notification p1 ac-8 ac-8 ac-8
ac-10	concurrent session control p3 ac-10
ac-11	session lock p3 ac-11 (1) ac-11 (1)
ac-12	session termination p2 ac-12 ac-12
ac-14	permitted actions without identification or authentication p3 ac-14 ac-14 ac-14
ac-17	remote access p1 ac-17 ac-17 (1) (2) (3) (4) ac-17 (1) (2) (3) (4)
ac-18	wireless access p1 ac-18 ac-18 (1) ac-18 (1) (4) (5)
ac-19	access control for mobile devices p1 ac-19 ac-19 (5) ac-19 (5)
ac-20	use of external information systems p1 ac-20 ac-20 (1) (2) ac-20 (1) (2)
ac-21	information sharing p2 ac-21 ac-21
ac-22	publicly accessible content p3 ac-22 ac-22 ac-22
at-1	security awareness and training policy and procedures p1 at-1 at-1 at-1
at-2	security awareness training p1 at-2 at-2 (2) at-2 (2)
at-3	role-based security training p1 at-3 at-3 at-3
at-4	security training records p3 at-4 at-4 at-4
au-1	audit and accountability policy and procedures p1 au-1 au-1 au-1
au-2	audit events p1 au-2 au-2 (3) au-2 (3)
au-3	content of audit records p1 au-3 au-3 (1) au-3 (1) (2)
au-4	audit storage capacity p1 au-4 au-4 au-4
au-5	response to audit processing failures p1 au-5 au-5 au-5 (1) (2)
au-6	audit review, analysis, and reporting p1 au-6 au-6 (1) (3) au-6 (1) (3) (5) (6)
au-7	audit reduction and report generation p2 au-7 (1) au-7 (1)
au-8	time stamps p1 au-8 au-8 (1) au-8 (1)
au-9	protection of audit information p1 au-9 au-9 (4) au-9 (2) (3) (4)
au-10	non-repudiation p2 au-10
au-11	audit record retention p3 au-11 au-11 au-11
au-12	audit generation p1 au-12 au-12 au-12 (1) (3)
ca-1	security assessment and authorization policy and procedures p1 ca-1 ca-1 ca-1
ca-2	security assessments p2 ca-2 ca-2 (1) ca-2 (1) (2)
ca-3	system interconnections p1 ca-3 ca-3 (5) ca-3 (5)
ca-5	plan of action and milestones p3 ca-5 ca-5 ca-5
ca-6	security authorization p2 ca-6 ca-6 ca-6
ca-7	continuous monitoring p2 ca-7 ca-7 (1) ca-7 (1)
ca-8	penetration testing p2 ca-8
ca-9	internal system connections p2 ca-9 ca-9 ca-9
cm-1	configuration management policy and procedures p1 cm-1 cm-1 cm-1
cm-2	baseline configuration p1 cm-2 cm-2 (1) (3) (7) cm-2 (1) (2) (3) (7)
cm-3	configuration change control p1 cm-3 (2) cm-3 (1) (2)
cm-4	security impact analysis p2 cm-4 cm-4 cm-4 (1)
cm-5	access restrictions for change p1 cm-5 cm-5 (1) (2) (3)
cm-6	configuration settings p1 cm-6 cm-6 cm-6 (1) (2)
cm-7	least functionality p1 cm-7 cm-7 (1) (2) (4) cm-7 (1) (2) (5)
cm-8	information system component inventory p1 cm-8 cm-8 (1) (3) (5) cm-8 (1) (2) (3) (4) (5)
cm-9	configuration management plan p1 cm-9 cm-9
cm-10	software usage restrictions p2 cm-10 cm-10 cm-10
cm-11	user-installed software p1 cm-11 cm-11 cm-11
cp-1	contingency planning policy and procedures p1 cp-1 cp-1 cp-1
cp-2	contingency plan p1 cp-2 cp-2 (1) (3) (8) cp-2 (1) (2) (3) (4) (5) (8)
cp-3	contingency training p2 cp-3 cp-3 cp-3 (1)
cp-4	contingency plan testing p2 cp-4 cp-4 (1) cp-4 (1) (2)
cp-6	alternate storage site p1 cp-6 (1) (3) cp-6 (1) (2) (3)
cp-7	alternate processing site p1 cp-7 (1) (2) (3) cp-7 (1) (2) (3) (4)
cp-8	telecommunications services p1 cp-8 (1) (2) cp-8 (1) (2) (3) (4)
cp-9	information system backup p1 cp-9 cp-9 (1) cp-9 (1) (2) (3) (5)
cp-10	information system recovery and reconstitution p1 cp-10 cp-10 (2) cp-10 (2) (4)
ia-1	identification and authentication policy and procedures p1 ia-1 ia-1 ia-1
ia-2	identification and authentication (organizational users) p1 ia-2 (1) (12) ia-2 (1) (2) (3) (8) (11) (12) ia-2 (1) (2) (3) (4) (8) (9) (11) (12)
ia-3	device identification and authentication p1 ia-3 ia-3
ia-4	identifier management p1 ia-4 ia-4 ia-4
ia-5	authenticator management p1 ia-5 (1) (11) ia-5 (1) (2) (3) (11) ia-5 (1) (2) (3) (11)
ia-6	authenticator feedback p2 ia-6 ia-6 ia-6
ia-7	cryptographic module authentication p1 ia-7 ia-7 ia-7
ia-8	identification and authentication (non-organizational users) p1 ia-8 (1) (2) (3) (4) ia-8 (1) (2) (3) (4) ia-8 (1) (2) (3) (4)
ir-1	incident response policy and procedures p1 ir-1 ir-1 ir-1
ir-2	incident response training p2 ir-2 ir-2 ir-2 (1) (2)
ir-3	incident response testing p2 ir-3 (2) ir-3 (2)
ir-4	incident handling p1 ir-4 ir-4 (1) ir-4 (1) (4)
ir-5	incident monitoring p1 ir-5 ir-5 ir-5 (1)
ir-6	incident reporting p1 ir-6 ir-6 (1) ir-6 (1)
ir-7	incident response assistance p2 ir-7 ir-7 (1) ir-7 (1)
ir-8	incident response plan p1 ir-8 ir-8 ir-8
ma-1	system maintenance policy and procedures p1 ma-1 ma-1 ma-1
ma-2	controlled maintenance p2 ma-2 ma-2 ma-2 (2)
ma-3	maintenance tools p3 ma-3 (1) (2) ma-3 (1) (2) (3)
ma-4	nonlocal maintenance p2 ma-4 ma-4 (2) ma-4 (2) (3)
ma-5	maintenance personnel p2 ma-5 ma-5 ma-5 (1)
ma-6	timely maintenance p2 ma-6 ma-6
mp-1	media protection policy and procedures p1 mp-1 mp-1 mp-1
mp-2	media access p1 mp-2 mp-2 mp-2
mp-3	media marking p2 mp-3 mp-3
mp-4	media storage p1 mp-4 mp-4
mp-5	media transport p1 mp-5 (4) mp-5 (4)
mp-6	media sanitization p1 mp-6 mp-6 mp-6 (1) (2) (3)
mp-7	media use p1 mp-7 mp-7 (1) mp-7 (1)
pe-1	physical and environmental protection policy and procedures p1 pe-1 pe-1 pe-1
pe-2	physical access authorizations p1 pe-2 pe-2 pe-2
pe-3	physical access control p1 pe-3 pe-3 pe-3 (1)
pe-4	access control for transmission medium p1 pe-4 pe-4
pe-5	access control for output devices p2 pe-5 pe-5
pe-6	monitoring physical access p1 pe-6 pe-6 (1) pe-6 (1) (4)
pe-8	visitor access records p3 pe-8 pe-8 pe-8 (1)
pe-9	power equipment and cabling p1 pe-9 pe-9
pe-10	emergency shutoff p1 pe-10 pe-10
pe-11	emergency power p1 pe-11 pe-11 (1)
pe-12	emergency lighting p1 pe-12 pe-12 pe-12
pe-13	fire protection p1 pe-13 pe-13 (3) pe-13 (1) (2) (3)
pe-14	temperature and humidity controls p1 pe-14 pe-14 pe-14
pe-15	water damage protection p1 pe-15 pe-15 pe-15 (1)
pe-16	delivery and removal p2 pe-16 pe-16 pe-16
pe-17	alternate work site p2 pe-17 pe-17
pe-18	location of information system components p3 pe-18
pl-1	security planning policy and procedures p1 pl-1 pl-1 pl-1
pl-2	system security plan p1 pl-2 pl-2 (3) pl-2 (3)
pl-4	rules of behavior p2 pl-4 pl-4 (1) pl-4 (1)
pl-8	information security architecture p1 pl-8 pl-8
ps-1	personnel security policy and procedures p1 ps-1 ps-1 ps-1
ps-2	position risk designation p1 ps-2 ps-2 ps-2
ps-3	personnel screening p1 ps-3 ps-3 ps-3
ps-4	personnel termination p1 ps-4 ps-4 ps-4 (2)
ps-5	personnel transfer p2 ps-5 ps-5 ps-5
ps-6	access agreements p3 ps-6 ps-6 ps-6
ps-7	third-party personnel security p1 ps-7 ps-7 ps-7
ps-8	personnel sanctions p3 ps-8 ps-8 ps-8
ra-1	risk assessment policy and procedures p1 ra-1 ra-1 ra-1
ra-2	security categorization p1 ra-2 ra-2 ra-2
ra-3	risk assessment p1 ra-3 ra-3 ra-3
ra-5	vulnerability scanning p1 ra-5 ra-5 (1) (2) (5) ra-5 (1) (2) (4) (5)
sa-1	system and services acquisition policy and procedures p1 sa-1 sa-1 sa-1
sa-2	allocation of resources p1 sa-2 sa-2 sa-2
sa-3	system development life cycle p1 sa-3 sa-3 sa-3
sa-4	acquisition process p1 sa-4 (10) sa-4 (1) (2) (9) (10) sa-4 (1) (2) (9) (10)
sa-5	information system documentation p2 sa-5 sa-5 sa-5
sa-8	security engineering principles p1 sa-8 sa-8
sa-9	external information system services p1 sa-9 sa-9 (2) sa-9 (2)
sa-10	developer configuration management p1 sa-10 sa-10
sa-11	developer security testing and evaluation p1 sa-11 sa-11
sa-12	supply chain protection p1 sa-12
sa-15	development process, standards, and tools p2 sa-15
sa-16	developer-provided training p2 sa-16
sa-17	developer security architecture and design p1 sa-17
sc-1	system and communications protection policy and procedures p1 sc-1 sc-1 sc-1
sc-2	application partitioning p1 sc-2 sc-2
sc-3	security function isolation p1 sc-3
sc-4	information in shared resources p1 sc-4 sc-4
sc-5	denial of service protection p1 sc-5 sc-5 sc-5
sc-7	boundary protection p1 sc-7 sc-7 (3) (4) (5) (7) sc-7 (3) (4) (5) (7) (8) (18) (21)
sc-8	transmission confidentiality and integrity p1 sc-8 (1) sc-8 (1)
sc-10	network disconnect p2 sc-10 sc-10
sc-12	cryptographic key establishment and management p1 sc-12 sc-12 sc-12 (1)
sc-13	cryptographic protection p1 sc-13 sc-13 sc-13
sc-15	collaborative computing devices p1 sc-15 sc-15 sc-15
sc-17	public key infrastructure certificates p1 sc-17 sc-17
sc-18	mobile code p2 sc-18 sc-18
sc-19	voice over internet protocol p1 sc-19 sc-19
sc-20	secure name / address resolution service (authoritative source) p1 sc-20 sc-20 sc-20
sc-21	secure name / address resolution service (recursive or caching resolver) p1 sc-21 sc-21 sc-21
sc-22	architecture and provisioning for name / address resolution service p1 sc-22 sc-22 sc-22
sc-23	session authenticity p1 sc-23 sc-23
sc-24	fail in known state p1 sc-24
sc-28	protection of information at rest p1 sc-28 sc-28
sc-39	process isolation p1 sc-39 sc-39 sc-39
si-1	system and information integrity policy and procedures p1 si-1 si-1 si-1
si-2	flaw remediation p1 si-2 si-2 (2) si-2 (1) (2)
si-3	malicious code protection p1 si-3 si-3 (1) (2) si-3 (1) (2)
si-4	information system monitoring p1 si-4 si-4 (2) (4) (5) si-4 (2) (4) (5)
si-5	security alerts, advisories, and directives p1 si-5 si-5 si-5 (1)
si-6	security function verification p1 si-6
si-7	software, firmware, and information integrity p1 si-7 (1) (7) si-7 (1) (2) (5) (7) (14)
si-8	spam protection p2 si-8 (1) (2) si-8 (1) (2)
si-10	information input validation p1 si-10 si-10
si-11	error handling p2 si-11 si-11
si-12	information handling and retention p2 si-12 si-12 si-12
si-16	memory protection p1 si-16 si-16