NIST SP 800-53
Security and Privacy Controls for Information Systems and Organizations
. Table of Contents
. Executive Summary
. Prologue
. Errata
. News
CHAPTER ONE, INTRODUCTION
CHAPTER TWO, THE FUNDAMENTALS
CHAPTER THREE, THE CONTROLS
. 3.1 ACCESS CONTROL
-- AC-1 POLICY AND PROCEDURES
-- AC-2 ACCOUNT MANAGEMENT
-- AC-3 ACCESS ENFORCEMENT
-- AC-4 INFORMATION FLOW ENFORCEMENT
-- AC-5 SEPARATION OF DUTIES
-- AC-6 LEAST PRIVILEGE
-- AC-7 UNSUCCESSFUL LOGON ATTEMPTS
-- AC-8 SYSTEM USE NOTIFICATION
-- AC-9 PREVIOUS LOGON NOTIFICATION
-- AC-10 CONCURRENT SESSION CONTROL
-- AC-11 DEVICE LOCK
-- AC-12 SESSION TERMINATION
-- AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL
-- AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
-- AC-15 AUTOMATED MARKING
-- AC-16 SECURITY AND PRIVACY ATTRIBUTES
-- AC-17 REMOTE ACCESS
-- AC-18 WIRELESS ACCESS
-- AC-19 ACCESS CONTROL FOR MOBILE DEVICES
-- AC-20 USE OF EXTERNAL SYSTEMS
-- AC-21 INFORMATION SHARING
-- AC-22 PUBLICLY ACCESSIBLE CONTENT
-- AC-23 DATA MINING PROTECTION
-- AC-24 ACCESS CONTROL DECISIONS
-- AC-25 REFERENCE MONITOR
. 3.2 AWARENESS AND TRAINING
-- AT-1 POLICY AND PROCEDURES
-- AT-2 LITERACY TRAINING AND AWARENESS
-- AT-3 ROLE-BASED TRAINING
-- AT-4 TRAINING RECORDS
-- AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
-- AT-6 TRAINING FEEDBACK
. 3.3 AUDIT AND ACCOUNTABILITY
-- AU-1 POLICY AND PROCEDURES
-- AU-2 EVENT LOGGING
-- AU-3 CONTENT OF AUDIT RECORDS
-- AU-4 AUDIT LOG STORAGE CAPACITY
-- AU-5 RESPONSE TO AUDIT LOGGING PROCESS FAILURES
-- AU-6 AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING
-- AU-7 AUDIT RECORD REDUCTION AND REPORT GENERATION
-- AU-8 TIME STAMPS
-- AU-9 PROTECTION OF AUDIT INFORMATION
-- AU-10 NON-REPUDIATION
-- AU-11 AUDIT RECORD RETENTION
-- AU-12 AUDIT RECORD GENERATION
-- AU-13 MONITORING FOR INFORMATION DISCLOSURE
-- AU-14 SESSION AUDIT
-- AU-15 ALTERNATE AUDIT LOGGING CAPABILITY
-- AU-16 CROSS-ORGANIZATIONAL AUDIT LOGGING
. 3.4 ASSESSMENT, AUTHORIZATION, AND MONITORING
-- CA-1 POLICY AND PROCEDURES
-- CA-2 CONTROL ASSESSMENTS
-- CA-3 INFORMATION EXCHANGE
-- CA-4 SECURITY CERTIFICATION
-- CA-5 PLAN OF ACTION AND MILESTONES
-- CA-6 AUTHORIZATION
-- CA-7 CONTINUOUS MONITORING
-- CA-8 PENETRATION TESTING
-- CA-9 INTERNAL SYSTEM CONNECTIONS
. 3.5 CONFIGURATION MANAGEMENT
-- CM-1 POLICY AND PROCEDURES
-- CM-2 BASELINE CONFIGURATION
-- CM-3 CONFIGURATION CHANGE CONTROL
-- CM-4 IMPACT ANALYSES
-- CM-5 ACCESS RESTRICTIONS FOR CHANGE
-- CM-6 CONFIGURATION SETTINGS
-- CM-7 LEAST FUNCTIONALITY
-- CM-8 SYSTEM COMPONENT INVENTORY
-- CM-9 CONFIGURATION MANAGEMENT PLAN
-- CM-10 SOFTWARE USAGE RESTRICTIONS
-- CM-11 USER-INSTALLED SOFTWARE
-- CM-12 INFORMATION LOCATION
-- CM-13 DATA ACTION MAPPING
-- CM-14 SIGNED COMPONENTS
. 3.6 CONTINGENCY PLANNING
-- CP-1 POLICY AND PROCEDURES
-- CP-2 CONTINGENCY PLAN
-- CP-3 CONTINGENCY TRAINING
-- CP-4 CONTINGENCY PLAN TESTING
-- CP-5 CONTINGENCY PLAN UPDATE
-- CP-6 ALTERNATE STORAGE SITE
-- CP-7 ALTERNATE PROCESSING SITE
-- CP-8 TELECOMMUNICATIONS SERVICES
-- CP-9 SYSTEM BACKUP
-- CP-10 SYSTEM RECOVERY AND RECONSTITUTION
-- CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS
-- CP-12 SAFE MODE
-- CP-13 ALTERNATIVE SECURITY MECHANISMS
. 3.7 IDENTIFICATION AND AUTHENTICATION
-- IA-1 POLICY AND PROCEDURES
-- IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
-- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
-- IA-4 IDENTIFIER MANAGEMENT
-- IA-5 AUTHENTICATOR MANAGEMENT
-- IA-6 AUTHENTICATION FEEDBACK
-- IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
-- IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
-- IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
-- IA-10 ADAPTIVE AUTHENTICATION
-- IA-11 RE-AUTHENTICATION
-- IA-12 IDENTITY PROOFING
. 3.8 INCIDENT RESPONSE
-- IR-1 POLICY AND PROCEDURES
-- IR-2 INCIDENT RESPONSE TRAINING
-- IR-3 INCIDENT RESPONSE TESTING
-- IR-4 INCIDENT HANDLING
-- IR-5 INCIDENT MONITORING
-- IR-6 INCIDENT REPORTING
-- IR-7 INCIDENT RESPONSE ASSISTANCE
-- IR-8 INCIDENT RESPONSE PLAN
-- IR-9 INFORMATION SPILLAGE RESPONSE
-- IR-10 INCIDENT ANALYSIS
. 3.9 MAINTENANCE
-- MA-1 POLICY AND PROCEDURES
-- MA-2 CONTROLLED MAINTENANCE
-- MA-3 MAINTENANCE TOOLS
-- MA-4 NONLOCAL MAINTENANCE
-- MA-5 MAINTENANCE PERSONNEL
-- MA-6 TIMELY MAINTENANCE
-- MA-7 FIELD MAINTENANCE
. 3.10 MEDIA PROTECTION
-- MP-1 POLICY AND PROCEDURES
-- MP-2 MEDIA ACCESS
-- MP-3 MEDIA MARKING
-- MP-4 MEDIA STORAGE
-- MP-5 MEDIA TRANSPORT
-- MP-6 MEDIA SANITIZATION
-- MP-7 MEDIA USE
-- MP-8 MEDIA DOWNGRADING
. 3.11 PHYSICAL AND ENVIRONMENTAL PROTECTION
-- PE-1 POLICY AND PROCEDURES
-- PE-2 PHYSICAL ACCESS AUTHORIZATIONS
-- PE-3 PHYSICAL ACCESS CONTROL
-- PE-4 ACCESS CONTROL FOR TRANSMISSION
-- PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
-- PE-6 MONITORING PHYSICAL ACCESS
-- PE-7 VISITOR CONTROL
-- PE-8 VISITOR ACCESS RECORDS
-- PE-9 POWER EQUIPMENT AND CABLING
-- PE-10 EMERGENCY SHUTOFF
-- PE-11 EMERGENCY POWER
-- PE-12 EMERGENCY POWER
-- PE-13 FIRE PROTECTION
-- PE-14 ENVIRONMENTAL CONTROLS
-- PE-15 WATER DAMAGE PROTECTION
-- PE-16 DELIVERY AND REMOVAL
-- PE-17 ALTERNATE WORK SITE
-- PE-18 LOCATION OF SYSTEM COMPONENTS
-- PE-19 INFORMATION LEAKAGE
-- PE-20 ASSET MONITORING AND TRACKING
-- PE-21 ELECTROMAGNETIC PULSE PROTECTION
-- PE-22 COMPONENT MARKING
-- PE-23 FACILITY LOCATION
. 3.12 PLANNING
-- PL-1 POLICY AND PROCEDURES
-- PL-2 SYSTEM SECURITY AND PRIVACY PLANS
-- PL-3 SYSTEM SECURITY PLAN UPDATE
-- PL-4 RULES OF BEHAVIOR
-- PL-5 PRIVACY IMPACT ASSESSMENT
-- PL-6 SECURITY-RELATED ACTIVITY PLANNING
-- PL-7 CONCEPT OF OPERATIONS
-- PL-8 SECURITY AND PRIVACY ARCHITECTURES
-- PL-9 CENTRAL MANAGEMENT
-- PL-10 BASELINE SELECTION
-- PL-11 BASELINE TAILORING
. 3.13 PROGRAM MANAGEMENT
-- PM-1 INFORMATION SECURITY PROGRAM PLAN
-- PM-2 INFORMATION SECURITY PROGRAM LEADERSHIP ROLE
-- PM-3 INFORMATION SECURITY AND PRIVACY RESOURCES
-- PM-4 PLAN OF ACTION AND MILESTONES PROCESS
-- PM-5 SYSTEM INVENTORY
-- PM-6 MEASURES OF PERFORMANCE
-- PM-7 ENTERPRISE ARCHITECTURE
-- PM-8 CRITICAL INFRASTRUCTURE PLAN
-- PM-9 RISK MANAGEMENT STRATEGY
-- PM-10 AUTHORIZATION PROCESS
-- PM-11 MISSION AND BUSINESS PROCESS DEFINITION
-- PM-12 INSIDER THREAT PROGRAM
-- PM-13 SECURITY AND PRIVACY WORKFORCE
-- PM-14 TESTING, TRAINING, AND MONITORING
-- PM-15 SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS
-- PM-16 THREAT AWARENESS PROGRAM
-- PM-17 PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS
-- PM-18 PRIVACY PROGRAM PLAN
-- PM-19 PRIVACY PROGRAM LEADERSHIP ROLE
-- PM-20 DISSEMINATION OF PRIVACY PROGRAM INFORMATION
-- PM-21 ACCOUNTING OF DISCLOSURES
-- PM-22 PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT
-- PM-23 DATA GOVERNANCE BODY
-- PM-24 DATA INTEGRITY BOARD
-- PM-25 MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION USED IN TESTING, TRAINING, AND RESEARCH
-- PM-26 COMPLAINT MANAGEMENT
-- PM-27 PRIVACY REPORTING
-- PM-28 RISK FRAMING
-- PM-29 RISK MANAGEMENT PROGRAM LEADERSHIP ROLES
-- PM-30 SUPPLY CHAIN RISK MANAGEMENT STRATEGY
-- PM-31 CONTINUOUS MONITORING STRATEGY
-- PM-32 PURPOSING
. 3.14 PERSONNEL SECURITY
-- PS-1 POLICY AND PROCEDURES
-- PS-2 POSITION RISK DESIGNATION
-- PS-3 PERSONNEL SCREENING
-- PS-4 PERSONNEL TERMINATION
-- PS-5 PERSONNEL TRANSFER
-- PS-6 ACCESS AGREEMENTS
-- PS-7 EXTERNAL PERSONNEL SECURITY
-- PS-8 PERSONNEL SANCTIONS
-- PS-9 POSITION DESCRIPTIONS
. 3.15 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
-- PT-1 POLICY AND PROCEDURES
-- PT-2 AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION
-- PT-3 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES
-- PT-4 CONSENT
-- PT-5 PRIVACY NOTICE
-- PT-6 SYSTEM OF RECORDS NOTICE
-- PT-7 SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION
-- PT-8 COMPUTER MATCHING REQUIREMENTS
. 3.16 RISK ASSESSMENT
-- RA-1 POLICY AND PROCEDURES
-- RA-2 SECURITY CATEGORIZATION
-- RA-3 RISK ASSESSMENT
-- RA-4 RISK ASSESSMENT UPDATE
-- RA-5 VULNERABILITY MONITORING AND SCANNING
-- RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
-- RA-7 RISK RESPONSE
-- RA-8 PRIVACY IMPACT ASSESSMENTS
-- RA-9 CRITICALITY ANALYSIS
-- RA-10 THREAT HUNTING
. 3.17 SYSTEM AND SERVICES ACQUISITION
-- SA-1 POLICY AND PROCEDURES
-- SA-2 ALLOCATION OF RESOURCES
-- SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
-- SA-4 ACQUISITION PROCESS
-- SA-5 SYSTEM DOCUMENTATION
-- SA-6 SOFTWARE USAGE RESTRICTIONS
-- SA-7 USER-INSTALLED SOFTWARE
-- SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES
-- SA-9 EXTERNAL SYSTEM SERVICES
-- SA-10 DEVELOPER CONFIGURATION MANAGEMENT
-- SA-11 DEVELOPER TESTING AND EVALUATION
-- SA-12 SUPPLY CHAIN PROTECTION
-- SA-13 TRUSTWORTHINESS
-- SA-14 CRITICALITY ANALYSIS
-- SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
-- SA-16 DEVELOPER-PROVIDED TRAINING
-- SA-17 DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN
-- SA-18 TAMPER RESISTANCE AND DETECTION
-- SA-19 COMPONENT AUTHENTICITY
-- SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
-- SA-21 DEVELOPER SCREENING
-- SA-22 UNSUPPORTED SYSTEM COMPONENTS
-- SA-23 SPECIALIZATION
. 3.18 SYSTEM AND COMMUNICATIONS PROTECTION
-- SC-1 POLICY AND PROCEDURES
-- SC-2 SEPARATION OF SYSTEM AND USER FUNCTIONALITY
-- SC-3 SECURITY FUNCTION ISOLATION
-- SC-4 INFORMATION IN SHARED SYSTEM RESOURCES
-- SC-5 DENIAL-OF-SERVICE PROTECTION
-- SC-6 RESOURCE AVAILABILITY
-- SC-7 BOUNDARY PROTECTION
-- SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
-- SC-9 TRANSMISSION CONFIDENTIALITY
-- SC-10 NETWORK DISCONNECT
-- SC-11 TRUSTED PATH
-- SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
-- SC-13 CRYPTOGRAPHIC PROTECTION
-- SC-14 PUBLIC ACCESS PROTECTIONS
-- SC-15 COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS
-- SC-16 TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES
-- SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
-- SC-18 MOBILE CODE
-- SC-19 VOICE OVER INTERNET PROTOCOL
-- SC-20 SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
-- SC-21 SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
-- SC-22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE
-- SC-23 SESSION AUTHENTICITY
-- SC-24 FAIL IN KNOWN STATE
-- SC-25 THIN NODES
-- SC-26 DECOYS
-- SC-27 PLATFORM-INDEPENDENT APPLICATIONS
-- SC-28 PROTECTION OF INFORMATION AT REST
-- SC-29 HETEROGENEITY
-- SC-30 CONCEALMENT AND MISDIRECTION
-- SC-31 COVERT CHANNEL ANALYSIS
-- SC-32 SYSTEM PARTITIONING
-- SC-33 TRANSMISSION PREPARATION INTEGRITY
-- SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS
-- SC-35 EXTERNAL MALICIOUS CODE IDENTIFICATION
-- SC-36 DISTRIBUTED PROCESSING AND STORAGE
-- SC-37 OUT-OF-BAND CHANNELS
-- SC-38 OPERATIONS SECURITY
-- SC-39 PROCESS ISOLATION
-- SC-40 WIRELESS LINK PROTECTION
-- SC-41 PORT AND I/O DEVICE ACCESS
-- SC-42 SENSOR CAPABILITY AND DATA
-- SC-43 USAGE RESTRICTIONS
-- SC-44 DETONATION CHAMBERS
-- SC-45 SYSTEM TIME SYNCHRONIZATION
-- SC-46 CROSS DOMAIN POLICY ENFORCEMENT
-- SC-47 ALTERNATE COMMUNICATIONS PATHS
-- SC-48 SENSOR RELOCATION
-- SC-49 HARDWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT
-- SC-50 SOFTWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT
-- SC-51 HARDWARE-BASED PROTECTION
. 3.19 SYSTEM AND INFORMATION INTEGRITY
-- SI-1 POLICY AND PROCEDURES
-- SI-2 FLAW REMEDIATION
-- SI-3 MALICIOUS CODE PROTECTION
-- SI-4 SYSTEM MONITORING
-- SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
-- SI-6 SECURITY AND PRIVACY FUNCTION VERIFICATION
-- SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
-- SI-8 SPAM PROTECTION
-- SI-9 INFORMATION INPUT RESTRICTIONS
-- SI-10 INFORMATION INPUT VALIDATION
-- SI-11 ERROR HANDLING
-- SI-12 INFORMATION MANAGEMENT AND RETENTION
-- SI-13 PREDICTABLE FAILURE PREVENTION
-- SI-14 NON-PERSISTENCE
-- SI-15 INFORMATION OUTPUT FILTERING
-- SI-16 MEMORY PROTECTION
-- SI-17 FAIL-SAFE PROCEDURES
-- SI-18 PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS
-- SI-19 DE-IDENTIFICATION
-- SI-20 TAINTING
-- SI-21 INFORMATION REFRESH
-- SI-22 INFORMATION DIVERSITY
-- SI-23 INFORMATION FRAGMENTATION
. 3.20 SUPPLY CHAIN RISK MANAGEMENT
-- SR-1 POLICY AND PROCEDURES
-- SR-2 SUPPLY CHAIN RISK MANAGEMENT PLAN
-- SR-3 SUPPLY CHAIN CONTROLS AND PROCESSES
-- SR-4 PROVENANCE
-- SR-5 ACQUISITION STRATEGIES, TOOLS, AND METHODS
-- SR-6 SUPPLIER ASSESSMENTS AND REVIEWS
-- SR-7 SUPPLY CHAIN OPERATIONS SECURITY
-- SR-8 NOTIFICATION AGREEMENTS
-- SR-9 TAMPER RESISTANCE AND DETECTION
-- SR-10 INSPECTION OF SYSTEMS OR COMPONENTS
-- SR-11 COMPONENT AUTHENTICITY
-- SR-12 COMPONENT DISPOSAL
. REFERENCES
. GLOSSARY
. ACRONYMS
. CONTROL SUMMARIES
-- TABLE C-1 ACCESS CONTROL FAMILY
SC-14 PUBLIC ACCESS PROTECTIONS
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10.]