An Introduction to NIST 800–53

Ben Pournader
35 min read · Jul 2, 2024


NIST Special Publication 800–53 is a publication from the National Institute of Standards and Technology (NIST) that provides a comprehensive set of over 1,000 security and privacy controls for federal information systems and organizations.

NIST creates and releases standards, guidelines, and other publications to aid federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and in managing cost-effective programs to safeguard their information and information systems.

The goal of NIST 800–53 is to help federal agencies and other organizations manage and mitigate cybersecurity and privacy risks to their information systems. In other words, NIST 800–53 provides a catalog of controls that can be applied to information systems to protect them against a wide range of threats. These controls are organized into families, each addressing a different aspect of system security like Access Control, Incident Response, System and Communications Protection and so on.

Uses of NIST 800–53

  1. Risk Management: Organizations use NIST 800–53 to identify and mitigate risks to their information systems.
  2. Compliance: Federal agencies are required to comply with NIST 800–53 to ensure the security of their information systems.
  3. Security Assessment: The controls serve as a baseline for conducting security assessments and audits.
  4. Policy Development: Organizations use the controls to develop their internal security policies and procedures.

Relationship to FEDRAMP

Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

FedRAMP leverages the security controls from NIST 800–53 as the baseline for assessing the security of cloud services.

This ensures a consistent level of security across all cloud services used by federal agencies. FedRAMP has tailored the NIST 800–53 controls to address the specific requirements and risks associated with cloud computing environments; this tailoring includes adding, removing, or modifying controls as necessary. Cloud service providers (CSPs) seeking FedRAMP authorization must implement and document controls based on NIST 800–53, and they must undergo a rigorous assessment process to demonstrate compliance with these controls.

Latest Version

NIST SP 800–53 Revision 5 removes the word "Federal" from the title to indicate that these controls can be applied to all organizations, not just federal ones. The first public draft was published in August 2017. Major changes in Revision 5 include:

  1. Making the security and privacy controls more outcome-based by changing the structure of the controls.
  2. Fully integrating privacy controls into the security control catalog, creating a unified set of controls for systems and organizations.
  3. Separating the control selection process from the actual controls, allowing their use by different communities of interest, including systems engineers, software developers, enterprise architects, and mission/business owners.
  4. Replacing the term “information system” with “system” to ensure applicability to any type of system, such as general-purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices.
  5. Reducing the federal focus to encourage greater use by nonfederal organizations.
  6. Promoting integration with various risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework.
  7. Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks.
  8. Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.

The final version of Revision 5 was released in 2020, and the PDF is available on the NIST website. That was not the last word, however: at the end of 2023, NIST released a patch update called Release 5.1.1.

Release 5.1.1 includes:

  1. Minor grammatical edits and clarifications.
  2. The introduction of “leading zeros” to control identifiers (e.g., AC-1 will be updated to AC-01).
  3. One new control and three supporting control enhancements related to identity providers, authorization servers, the protection of cryptographic keys, the verification of identity assertions and access tokens, and token management.

Controls

NIST Special Publication 800–53 provides a catalog of security and privacy controls for federal information systems and organizations. It categorizes controls into 20 different families, and each family has a two-letter code.

A. Access Control (AC)

The Access Control (AC) family of controls in NIST 800–53 is designed to manage who can access which assets and ensure proper account management, system privileges, and remote access logging. It emphasizes restricting access to information systems so that only authorized individuals can access system resources, and it specifies the conditions under which access is granted.

This family includes controls that cover:

  1. Account Management (AC-2): Procedures for managing user accounts, including the creation, management, and disabling of accounts.
  2. Access Enforcement (AC-3): Mechanisms to enforce authorized access to information and system resources.
  3. Information Flow Enforcement (AC-4): Controls to manage the flow of information within the system and between interconnected systems.
  4. Separation of Duties (AC-5): Policies and procedures to ensure that critical functions are divided among different individuals to prevent fraud and error.
  5. Least Privilege (AC-6): Ensuring that users have the minimum level of access necessary to perform their job functions.
  6. Unsuccessful Login Attempts (AC-7): Limits on the number of unsuccessful login attempts and responses to such attempts.
  7. System Use Notification (AC-8): Displaying warning banners before login to inform users of their responsibilities and the consequences of misuse.
  8. Previous Logon (Access) Notification (AC-9): Informing users of the date and time of their last successful logon and any unsuccessful logon attempts since then.
  9. Concurrent Session Control (AC-10): Restrictions on the number of concurrent sessions for a user.
  10. Session Lock (AC-11): Automatically locking sessions after a period of inactivity and requiring re-authentication to resume.
  11. Session Termination (AC-12): Automatically terminating sessions after a defined period of inactivity.
  12. Permitted Actions Without Identification or Authentication (AC-14): Defining and limiting actions that can be performed without identification or authentication.
  13. Remote Access (AC-17): Controls for managing remote access to the system.
  14. Wireless Access (AC-18): Managing and securing wireless access to the system.
  15. Access Control for Mobile Devices (AC-19): Policies and controls for managing access from mobile devices.
  16. Use of External Information Systems (AC-20): Controls for the use of external information systems to access organizational systems.
  17. Publicly Accessible Content (AC-22): Ensuring that publicly accessible content does not compromise the security of the organization.

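Several of the AC controls above describe mechanisms rather than paperwork, so here is an added example (my own illustration, not code from the article or from NIST) of a small in-memory access controller that turns AC-7, AC-10, AC-11 and AC-12 into enforcement logic. The `Policy` thresholds, the `AccessController` class and the constructed credential table are assumptions for the demo; NIST leaves the actual values as organization-defined parameters.

```python
"""Added example (not from the article or NIST): a small in-memory access
controller showing how AC-7, AC-10, AC-11 and AC-12 become enforcement logic.
Policy values and names are illustrative assumptions; NIST leaves the real
thresholds as organization-defined parameters."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    max_failed_attempts: int = 5              # AC-7: consecutive failures before lockout
    lockout_seconds: int = 900                # AC-7: how long the account stays locked
    max_concurrent_sessions: int = 2          # AC-10: sessions allowed per user
    lock_after_idle_seconds: int = 600        # AC-11: lock the session but keep it alive
    terminate_after_idle_seconds: int = 3600  # AC-12: drop the session entirely


@dataclass
class Session:
    session_id: str
    last_activity: float
    locked: bool = False


@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: float = 0.0
    sessions: Dict[str, Session] = field(default_factory=dict)


class AccessController:
    def __init__(self, policy: Policy, credentials: Dict[str, str]):
        self.policy = policy
        self._creds = credentials  # constructed fixture; a real system verifies password hashes
        self.accounts: Dict[str, Account] = {}
        self._next_id = 0

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def _password_ok(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self._creds.get(user, "").encode(), password.encode())

    def login(self, user: str, password: str, now: float) -> Tuple[str, Optional[str]]:
        """Returns (status, session_id); 'now' is seconds from an injected clock."""
        acct = self._account(user)
        if now < acct.locked_until:
            return "locked", None
        if not self._password_ok(user, password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.policy.max_failed_attempts:   # AC-7
                acct.locked_until = now + self.policy.lockout_seconds
                acct.failed_attempts = 0
                return "locked", None
            return "denied", None
        acct.failed_attempts = 0
        if len(acct.sessions) >= self.policy.max_concurrent_sessions:     # AC-10
            return "too_many_sessions", None
        self._next_id += 1
        sid = f"s{self._next_id}"
        acct.sessions[sid] = Session(sid, now)
        return "ok", sid

    def activity(self, user: str, sid: str, now: float) -> str:
        """Record user activity; a locked session refuses work until resume()."""
        s = self._account(user).sessions.get(sid)
        if s is None:
            return "no_session"
        if s.locked:
            return "session_locked"
        s.last_activity = now
        return "ok"

    def resume(self, user: str, sid: str, password: str, now: float) -> str:
        """AC-11: re-authenticate to unlock a locked session."""
        s = self._account(user).sessions.get(sid)
        if s is None or not self._password_ok(user, password):
            return "denied"
        s.locked = False
        s.last_activity = now
        return "ok"

    def sweep(self, now: float) -> Tuple[List[str], List[str]]:
        """Periodic job: lock idle sessions (AC-11), terminate long-idle ones (AC-12)."""
        locked, terminated = [], []
        for acct in self.accounts.values():
            for sid in list(acct.sessions):
                s = acct.sessions[sid]
                idle = now - s.last_activity
                if idle >= self.policy.terminate_after_idle_seconds:
                    del acct.sessions[sid]
                    terminated.append(sid)
                elif idle >= self.policy.lock_after_idle_seconds and not s.locked:
                    s.locked = True
                    locked.append(sid)
        return locked, terminated


if __name__ == "__main__":
    ac = AccessController(Policy(max_failed_attempts=3, lockout_seconds=100),
                          {"alice": "correct horse battery"})
    for t in range(3):
        print(ac.login("alice", "wrong", t))                  # denied, denied, locked
    print(ac.login("alice", "correct horse battery", 150))    # ('ok', 's1')
    print(ac.sweep(150 + 700))                                # (['s1'], [])
```

The clock is passed in as a number rather than read from the system so the policy can be tested deterministically; the same design lets an assessor replay a scenario against the configured thresholds when checking AC-7 or AC-11 for a CA-2 assessment.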
B. Awareness and Training (AT)

The Awareness and Training (AT) family of controls in NIST 800–53 ensures that all personnel are properly trained and aware of their security responsibilities. These controls aim to enhance security awareness and equip staff with the knowledge to remain vigilant against threats, thereby developing the necessary skills and understanding to protect organizational systems and data.

The AT family includes the following controls:

  1. Security Awareness and Training Policy and Procedures (AT-1): Developing, documenting, and disseminating a security awareness and training policy, along with procedures to facilitate the implementation of the policy.
  2. Security Awareness Training (AT-2): Providing basic security awareness training to all system users, including contractors, to ensure they understand the security policies and procedures and their roles in protecting organizational systems and data.
  3. Role-Based Security Training (AT-3): Offering specialized training tailored to the roles and responsibilities of individuals within the organization, particularly those with significant security responsibilities.
  4. Security Training Records (AT-4): Maintaining records of security awareness and training activities, including the topics covered, attendance, and results of any assessments or evaluations.
  5. Contacts with Security Groups and Associations (AT-5): Establishing and maintaining relationships with security groups and associations to stay informed about current security threats, best practices, and emerging trends.

C. Audit and Accountability (AU)

The Audit and Accountability (AU) family of controls in NIST 800–53 focuses on establishing audit policies and procedures, maintaining audit logs, generating reports, and safeguarding valuable audit information. These controls are designed to ensure accountability and provide a trail of evidence in the event of a security incident. They help organizations monitor system activities, detect security incidents, support forensic investigations, and demonstrate compliance with security policies and regulations. The AU family emphasizes capturing, protecting, and analyzing audit data to maintain system integrity and accountability.

The AU family includes the following controls:

  1. Audit and Accountability Policy and Procedures (AU-1): Developing, documenting, and disseminating an audit and accountability policy and associated procedures that provide guidance for implementing and managing audit controls.
  2. Auditable Events (AU-2): Determining and documenting which events must be auditable on the information system, based on organizational needs and regulatory requirements.
  3. Content of Audit Records (AU-3): Defining the content of audit records to ensure they contain sufficient information to support investigations, including the identity of users, type of event, timestamp, and event outcomes.
  4. Audit Storage Capacity (AU-4): Allocating sufficient audit record storage capacity to support the needs of the organization, ensuring that audit records are retained for an appropriate period.
  5. Response to Audit Processing Failures (AU-5): Implementing measures to handle audit processing failures, such as storage capacity issues or software errors, to ensure continuity of audit logging.
  6. Audit Review, Analysis, and Reporting (AU-6): Regularly reviewing, analyzing, and reporting audit records to detect and respond to inappropriate or unusual activities.
  7. Audit Reduction and Report Generation (AU-7): Using tools to reduce and filter audit records to facilitate analysis and report generation, ensuring that relevant information is available for review.
  8. Time Stamps (AU-8): Ensuring that audit records contain accurate time stamps, which are synchronized with an authoritative time source.
  9. Protection of Audit Information (AU-9): Protecting audit information and audit tools from unauthorized access, modification, and deletion to ensure the integrity and confidentiality of audit records.
  10. Audit Record Retention (AU-11): Retaining audit records for a defined period based on organizational policies and regulatory requirements to support investigations and accountability.
  11. Audit Generation (AU-12): Configuring information systems to generate audit records for defined events, ensuring that systems are capable of producing necessary audit trails.
  12. Monitoring for Information Disclosure (AU-13): Monitoring information systems for potential unauthorized disclosures of sensitive information.
  13. Cross-Organizational Auditing (AU-14): Implementing procedures for conducting audits across different organizational units or with external entities when required.

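To show what AU-3, AU-8 and AU-9 look like in an actual logging component, here is an added example (my own illustration, not code from the article or from NIST) of an append-only audit log whose records carry the AU-3 content fields, take their time from an injected clock, and are HMAC-chained so that editing, deleting or reordering a record is detectable. A small `reduce_by` helper stands in for the AU-7 style of filtering. The event names, field names, sample events and `DEMO_KEY` are constructed for the demo.

```python
"""Added example (not from the article or NIST): an append-only audit log with
AU-3 record content, an injected time source (AU-8) and an HMAC chain for
tamper detection (AU-9). Names, events and the key are constructed for the demo."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS_TAG = "0" * 64
DEMO_KEY = b"constructed-demo-key-not-for-production"  # real deployments keep the key in a KMS/HSM


def fixed_clock() -> datetime:
    """Constructed clock for a reproducible demo; production injects an NTP-disciplined source."""
    return datetime(2024, 7, 2, 12, 0, 0, tzinfo=timezone.utc)


def _tag(key: bytes, rec: dict) -> str:
    """HMAC over the canonical JSON of every field except the tag itself."""
    body = {k: v for k, v in rec.items() if k != "tag"}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes, clock=fixed_clock):
        self._key = key
        self._clock = clock
        self.records: List[dict] = []
        self._prev_tag = GENESIS_TAG

    def record(self, event_type: str, subject: str, source: str, outcome: str,
               detail: Optional[dict] = None) -> dict:
        """AU-12: emit one record carrying the AU-3 fields (who, what, when, where, outcome)."""
        rec = {
            "seq": len(self.records),
            "timestamp": self._clock().isoformat(),   # AU-8: from the injected time source
            "event_type": event_type,
            "subject": subject,
            "source": source,
            "outcome": outcome,
            "detail": detail or {},
            "prev_tag": self._prev_tag,               # AU-9: link to the previous record
        }
        rec["tag"] = _tag(self._key, rec)
        self.records.append(rec)
        self._prev_tag = rec["tag"]
        return rec


def verify_chain(records: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq). Catches edited, deleted and reordered records."""
    prev = GENESIS_TAG
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev_tag") != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, rec), rec.get("tag", "")):
            return False, i
        prev = rec["tag"]
    return True, None


def reduce_by(records: List[dict], field_name: str, event_type: Optional[str] = None,
              outcome: Optional[str] = None) -> Dict[str, int]:
    """AU-7 style reduction: count matching records grouped by one field."""
    counts: Dict[str, int] = {}
    for r in records:
        if event_type and r["event_type"] != event_type:
            continue
        if outcome and r["outcome"] != outcome:
            continue
        counts[r[field_name]] = counts.get(r[field_name], 0) + 1
    return counts


if __name__ == "__main__":
    log = AuditLog(DEMO_KEY)
    log.record("LOGIN", "alice", "10.0.0.5", "FAILURE")      # constructed sample events
    log.record("LOGIN", "alice", "10.0.0.5", "SUCCESS")
    log.record("FILE_READ", "alice", "10.0.0.5", "SUCCESS", {"path": "/srv/data/report.csv"})
    print(verify_chain(log.records, DEMO_KEY))                 # (True, None)
    tampered = [dict(r) for r in log.records]
    tampered[0]["outcome"] = "SUCCESS"
    print(verify_chain(tampered, DEMO_KEY))                    # (False, 0)
```

The chain only proves integrity to someone who holds the key, so AU-9 in practice also means the key and the verifier live outside the reach of the administrators whose actions are being logged; the same idea is what forwarding to a separate log server achieves.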
D. Security Assessment and Authorization (CA)

The Security Assessment and Authorization (CA) family acts as your compliance partner: it supports security assessments, authorizations, and continuous monitoring, and establishes plans for ongoing security improvements. This family of controls in NIST 800–53 covers the processes and procedures for evaluating the security and privacy controls in information systems and authorizing their operation. These controls are designed to ensure that security risks are identified, evaluated, and managed before systems are put into operation and throughout their lifecycle. The CA family emphasizes a structured approach to managing security risks and maintaining compliance with security policies and regulations: systems are thoroughly assessed before being authorized to operate and are continuously monitored afterwards to maintain security.

The CA family includes the following controls:

  1. Security Assessment and Authorization Policies and Procedures (CA-1): Developing, documenting, and disseminating security assessment and authorization policies and procedures to manage the security assessment and authorization processes.
  2. Security Assessments (CA-2): Conducting regular assessments of security controls to determine their effectiveness, ensuring they are operating as intended and meeting security requirements. This includes periodic assessments, ongoing assessments, and assessments after significant changes.
  3. Information System Interconnections (CA-3): Ensuring proper authorization and security for information system interconnections, including documentation of interconnection agreements and security measures to protect data in transit.
  4. Plan of Action and Milestones (CA-5): Developing and maintaining a plan of action and milestones (POA&M) to document and manage the remediation of security weaknesses and deficiencies identified during assessments.
  5. Security Authorization (CA-6): Authorizing information systems to operate based on a thorough assessment of risks and the implementation of appropriate security controls. This includes the formal process of granting or denying authorization to operate.
  6. Continuous Monitoring (CA-7): Implementing a continuous monitoring strategy to track the security state of the information system on an ongoing basis. This includes monitoring security controls, assessing vulnerabilities, and responding to changes that affect security.
  7. Internal System Connections (CA-9): Managing and documenting internal connections between information system components to ensure security controls are consistently applied and maintained.
  8. Assessments of Security Controls Effectiveness (CA-5): Conducting ongoing assessments to determine if the security controls implemented are effective in their application and if they continue to meet the intended security requirements.

E. Configuration Management (CM)

The Configuration Management (CM) family of controls in NIST 800–53 establishes policies for system configurations, maintains inventories of information system components, and conducts security impact analysis to ensure a strong foundation for future builds or changes. These controls guide the processes and practices for managing the configuration of information systems, ensuring they are securely configured, changes are properly managed, and system integrity is maintained throughout their lifecycle. This comprehensive framework helps organizations manage changes, reduce the risk of unauthorized modifications, and maintain a known, secure state for their information systems.

Here are the key controls within the CM family:

  1. Configuration Management Policy and Procedures (CM-1): Develop, document, and disseminate a configuration management policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  2. Baseline Configuration (CM-2): Establish and maintain baseline configurations for information systems to provide a foundation for future builds, releases, and changes.
  3. Configuration Change Control (CM-3): Implement a change control process for managing changes to information systems. This includes reviewing, approving, and documenting changes.
  4. Impact Analysis (CM-4): Analyze the security impact of changes prior to implementation to ensure that changes do not adversely affect the security of the system.
  5. Access Restrictions for Change (CM-5): Restrict access to information system configuration settings and change management processes to authorized personnel only.
  6. Configuration Settings (CM-6): Establish, document, and maintain configuration settings for information technology products employed within the information system. Configure the systems to reflect the most restrictive mode consistent with operational requirements.
  7. Least Functionality (CM-7): Configure information systems to provide only essential capabilities and to disable or restrict the use of non-essential functions, ports, protocols, and services.
  8. Information System Component Inventory (CM-8): Develop and maintain an inventory of information system components that accurately reflects the current system configuration.
  9. Configuration Management Plan (CM-9): Develop, document, and implement a configuration management plan for the information system that defines the configuration items, configuration settings, and the processes for configuration management.
  10. Software Usage Restrictions (CM-10): Establish usage restrictions and installation guidelines for software within the information system.
  11. User-Installed Software (CM-11): Enforce policies and procedures to control the installation of software by users, ensuring that only authorized software is installed.

F. Contingency Planning (CP)

Preparedness is key, and the Contingency Planning (CP) family is your ally in tackling cybersecurity incidents effectively. It helps create and maintain contingency plans for testing, training, backups, and system recovery to ensure readiness for any unexpected challenges. The Contingency Planning (CP) family of controls in NIST 800–53 focuses on establishing, maintaining, and implementing plans and procedures to ensure the continuity of operations for information systems during disruptions. These controls prepare organizations for unforeseen events such as natural disasters, cyber-attacks, or system failures, ensuring critical operations can continue or be quickly resumed. The CP family emphasizes preparation, training, testing, and continuous improvement to enhance resilience against a wide range of potential threats, maintaining the availability and integrity of critical operations and data.

The CP family includes the following controls:

  1. Contingency Planning Policy and Procedures (CP-1): Developing, documenting, and disseminating a contingency planning policy and associated procedures to guide the contingency planning process.
  2. Contingency Plan (CP-2): Creating a contingency plan that outlines the strategies for responding to disruptions, including roles and responsibilities, recovery objectives, and steps to restore system operations. The plan should address different types of potential disruptions and specify actions for various scenarios.
  3. Contingency Training (CP-3): Providing training for personnel to ensure they understand their roles and responsibilities in executing the contingency plan. This training should be conducted regularly and updated as necessary.
  4. Contingency Plan Testing (CP-4): Regularly testing the contingency plan to evaluate its effectiveness and identify areas for improvement. This includes conducting exercises, simulations, and walkthroughs to validate the plan’s assumptions and procedures.
  5. Contingency Plan Update (CP-5): Reviewing and updating the contingency plan periodically and after significant changes to the system or environment. This ensures the plan remains current and effective in addressing potential disruptions.
  6. Alternate Storage Site (CP-6): Identifying and preparing an alternate storage site where critical data can be securely stored and accessed if the primary site becomes unavailable. This includes ensuring the alternate site meets security and accessibility requirements.
  7. Alternate Processing Site (CP-7): Identifying and preparing an alternate processing site where critical system operations can be performed if the primary site becomes unavailable. This includes ensuring the alternate site has the necessary resources and capabilities.
  8. Telecommunications Services (CP-8): Ensuring the availability of telecommunications services to support contingency operations. This includes identifying alternate communication methods and ensuring they are reliable and secure.
  9. Information System Backup (CP-9): Implementing regular backup procedures to ensure that critical data is protected and can be restored in the event of a disruption. This includes storing backups in a secure location and testing the restoration process.
  10. Information System Recovery and Reconstitution (CP-10): Establishing procedures for recovering and reconstituting information systems to a known state after a disruption. This includes prioritizing the restoration of critical functions and validating the integrity of restored data.
  11. Alternate Communications Protocols (CP-11): Identifying and implementing alternate communication protocols to maintain communication capabilities during a disruption when standard methods are unavailable.
  12. Insurance (CP-12): Maintaining insurance coverage to protect against the financial impact of disruptions and to support recovery efforts.
  13. Safe Mode (CP-13): Establishing procedures for operating information systems in a safe mode during disruptions, ensuring minimal functionality and security while full operations are being restored.

G. Identification and Authentication (IA)

The Identification and Authentication (IA) family ensures that only authorized individuals gain access by focusing on identity verification and authentication processes for both organizational and non-organizational users. The IA family of controls in NIST 800–53 establishes and manages processes for identifying and authenticating users, devices, and systems. These controls are crucial for ensuring that only authorized entities can access information systems and data: their aim is that every user, device, and system accessing organizational information systems is identified and authenticated securely and accurately. The IA family emphasizes robust identification and authentication mechanisms to protect against unauthorized access and to support accountability and traceability.

The IA family includes the following controls:

  1. Identification and Authentication Policy and Procedures (IA-1): Developing, documenting, and disseminating identification and authentication policies and procedures to manage the identification and authentication process.
  2. Identification and Authentication (Organizational Users) (IA-2): Requiring and enforcing the use of unique identifiers for organizational users to ensure individual accountability and traceability. This includes establishing procedures for issuing, managing, and revoking identifiers.
  3. Device Identification and Authentication (IA-3): Implementing mechanisms to identify and authenticate devices before establishing a connection to the information system, ensuring that only authorized devices can access the system.
  4. Identifier Management (IA-4): Managing identifiers by establishing processes for creating, issuing, using, and retiring identifiers. This includes ensuring that identifiers are unique and not reused.
  5. Authenticator Management (IA-5): Managing authenticators (e.g., passwords, tokens, biometric data) by implementing procedures for generating, distributing, and protecting authenticators. This includes enforcing strong authentication practices and periodically updating authenticators.
  6. Authenticator Feedback (IA-6): Protecting the feedback provided during the authentication process to prevent unauthorized disclosure of authentication information. For example, masking password characters during input.
  7. Cryptographic Module Authentication (IA-7): Using cryptographic modules to authenticate users, devices, and systems, ensuring that authentication data is protected through encryption.
  8. Identification and Authentication (Non-Organizational Users) (IA-8): Implementing identification and authentication mechanisms for non-organizational users (e.g., contractors, external partners) to control access to the information system.
  9. Service Identification and Authentication (IA-9): Ensuring that information system services are uniquely identified and authenticated before establishing a connection, protecting the integrity and confidentiality of communications between services.
  10. Dynamic Identification and Authentication (IA-10): Using dynamic techniques (e.g., risk-based authentication, adaptive authentication) to identify and authenticate users and devices based on contextual information and behavior.
  11. User Identification and Authentication (IA-11): Enforcing the use of multifactor authentication for system access to enhance security by requiring multiple forms of verification.

H. Incident Response (IR)

When trouble strikes, the Incident Response (IR) family springs into action, establishing policies and procedures for incident response, including training, testing, monitoring, reporting, and a comprehensive response plan. The Incident Response (IR) family of controls in NIST 800–53 focuses on creating and implementing processes and procedures for effectively responding to security incidents. These controls ensure organizations can detect, respond to, mitigate, and recover from security incidents in a timely and organized manner. They are designed to minimize the impact of incidents on operations and data integrity. The IR family emphasizes preparation, training, testing, and continuous improvement to enhance an organization’s incident response capabilities.

The IR family includes the following controls:

  1. Incident Response Policy and Procedures (IR-1): Developing, documenting, and disseminating an incident response policy and associated procedures that outline the organization’s approach to incident handling and response.
  2. Incident Response Training (IR-2): Providing incident response training for personnel to ensure they are prepared to recognize and respond to security incidents. Training should be conducted regularly and updated as necessary.
  3. Incident Response Testing (IR-3): Testing and exercising the incident response capability to evaluate the effectiveness of the response procedures and identify areas for improvement. This includes conducting simulations and tabletop exercises.
  4. Incident Handling (IR-4): Implementing procedures for detecting, analyzing, prioritizing, and handling security incidents. This includes identifying and documenting incidents, notifying appropriate personnel, and taking appropriate actions to contain and mitigate incidents.
  5. Incident Monitoring (IR-5): Monitoring information systems and networks to detect security incidents. This includes using automated tools and techniques to continuously monitor for suspicious activities and anomalies.
  6. Incident Reporting (IR-6): Establishing procedures for reporting security incidents to internal and external stakeholders. This includes defining reporting requirements, timelines, and communication channels.
  7. Incident Response Assistance (IR-7): Providing assistance for incident response, which may include establishing an incident response team (IRT) or utilizing external resources. This control ensures that personnel have access to the necessary support and expertise during an incident.
  8. Incident Response Plan (IR-8): Developing and maintaining an incident response plan that outlines the organization’s approach to responding to incidents. The plan should include roles and responsibilities, communication protocols, and procedures for each phase of incident response.
  9. Information Spillage Response (IR-9): Establishing procedures for responding to information spillages, which involve the unauthorized disclosure of sensitive information. This includes identifying, containing, and remediating spillage incidents.
  10. Integrated Information Security Analysis Team (IR-10): Establishing a team that integrates incident response with other security functions, such as vulnerability management and threat intelligence, to provide a comprehensive approach to security.
  11. Incident Response Testing and Exercises (IR-11): Conducting regular testing and exercises to evaluate and improve the incident response capability, ensuring that the organization is prepared to effectively handle security incidents.

I. Maintenance (MA)

The Maintenance (MA) family keeps your systems in top shape by outlining requirements for maintaining organizational systems and the tools used to support them, ensuring their continued reliability and performance. The Maintenance (MA) family of controls in NIST 800–53 focuses on the procedures and controls necessary for the proper upkeep of information systems. These controls aim to ensure that systems operate correctly and securely, and that maintenance activities do not compromise their security. They address both the technical and procedural aspects of system maintenance so that maintenance is performed securely and the integrity and availability of information systems are preserved, supporting the organization's overall security posture.

The MA family includes the following controls:

  1. System Maintenance Policy and Procedures (MA-1): Developing, documenting, and disseminating a system maintenance policy and procedures that address the roles and responsibilities, scope, and processes for maintaining information systems.
  2. Controlled Maintenance (MA-2): Performing maintenance on organizational information systems in a controlled manner, ensuring that maintenance activities are authorized and documented, and that security requirements are addressed during maintenance.
  3. Maintenance Tools (MA-3): Controlling the use of tools used for system maintenance to ensure they do not introduce vulnerabilities into the system. This includes ensuring that maintenance tools are authorized, inspected, and monitored.
  4. Nonlocal Maintenance (MA-4): Managing nonlocal (remote) maintenance and diagnostic activities, ensuring that remote maintenance is authorized, secure, and monitored. This includes establishing procedures for remote maintenance and ensuring secure communication channels.
  5. Maintenance Personnel (MA-5): Ensuring that personnel performing maintenance on organizational information systems are qualified and authorized to do so. This includes verifying the identity and qualifications of maintenance personnel.
  6. Timely Maintenance (MA-6): Conducting maintenance on organizational information systems promptly to ensure the ongoing security and functionality of the systems. This includes scheduling regular maintenance and addressing maintenance needs as they arise.

J. Media Protection (MP)

The Media Protection (MP) family safeguards physical media, such as storage devices, with controls for access, marking, storage, transport policies, sanitization, and defined organizational media use. The Media Protection (MP) family of controls in NIST 800–53 focuses on the necessary safeguards to protect information system media, including both digital and non-digital forms. These controls are designed to prevent unauthorized access and disclosure of sensitive information stored on media. They ensure that sensitive information is protected throughout its lifecycle, from creation to disposal. The MP family addresses both the physical and technical aspects of media protection to guard against unauthorized access, disclosure, and data breaches.

The MP family includes the following controls:

  1. Media Protection Policy and Procedures (MP-1): Developing, documenting, and disseminating a media protection policy and associated procedures to manage the protection of media within the organization.
  2. Media Access (MP-2): Restricting access to media containing sensitive information to authorized personnel only. This includes implementing physical and logical access controls to safeguard media.
  3. Media Marking (MP-3): Marking media to indicate the sensitivity level of the information it contains. This helps ensure that media is handled and protected in accordance with its sensitivity level.
  4. Media Storage (MP-4): Storing media in secure locations to protect it from unauthorized access and environmental hazards. This includes implementing physical security controls and environmental safeguards.
  5. Media Transport (MP-5): Protecting and controlling media during transport outside of controlled areas. This includes using secure methods for transporting media and ensuring that it is tracked and accounted for during transport.
  6. Media Sanitization (MP-6): Ensuring that media is properly sanitized before disposal or reuse to prevent unauthorized recovery of sensitive information. This includes using approved sanitization methods to render data irretrievable.
  7. Media Use (MP-7): Restricting the use of certain types of media on organizational information systems to prevent the introduction of vulnerabilities. This includes policies on the use of removable media and external devices.
  8. Media Downgrading (MP-8): Implementing procedures for downgrading the classification level of media, if applicable. This involves ensuring that media is properly sanitized before its classification level is reduced.

K. Physical and Environmental Protection (PE)

The Physical and Environmental Protection (PE) family safeguards your organization’s physical assets and infrastructure. From access authorizations to emergency protocols, and from power management to fire protection, it ensures your systems remain secure in the physical world. In NIST 800–53, the PE family focuses on measures that protect information systems, equipment, and facilities from physical and environmental threats. These controls are essential for ensuring the physical security of assets and maintaining the operational continuity of information systems: they guard against physical threats, environmental hazards, and unauthorized access, preserving the integrity, availability, and confidentiality of organizational assets. The PE family emphasizes comprehensive physical security measures to safeguard against potential risks and disruptions.

The PE family includes the following controls:

  1. Physical and Environmental Protection Policy and Procedures (PE-1): Developing, documenting, and disseminating policies and procedures for physical and environmental protection to manage and mitigate physical security risks.
  2. Physical Access Authorizations (PE-2): Restricting physical access to information systems, equipment, and facilities to authorized personnel only. This includes implementing access control mechanisms, such as badges, locks, and access lists.
  3. Physical Access Control (PE-3): Implementing physical access controls to prevent unauthorized access to information systems and facilities. This includes securing entrances, monitoring access points, and using physical barriers.
  4. Visitor Access Records (PE-4): Maintaining records of visitor access to information systems and facilities to track and audit visitor activities. This includes documenting visitor information, purpose of visit, and duration of access.
  5. Access Control for Transmission Medium (PE-5): Protecting transmission media (e.g., cables, fiber optics) from unauthorized access or tampering to ensure the integrity and confidentiality of data in transit.
  6. Monitoring Physical Access (PE-6): Monitoring physical access to information systems and facilities through surveillance and auditing to detect and respond to unauthorized access attempts.
  7. Access Challenge (PE-7): Challenging individuals without proper identification or credentials when attempting to access information systems or facilities to prevent unauthorized entry.
  8. Access Control for Mobile Devices and Removable Media (PE-9): Implementing controls to secure mobile devices and removable media (e.g., laptops, USB drives) to prevent unauthorized access and protect sensitive information.
  9. Power Equipment and Power Cabling (PE-10): Protecting power equipment and cabling from unauthorized access or tampering to ensure continuous power supply to information systems and equipment.
  10. Emergency Shutoff (PE-11): Implementing emergency shutoff procedures and mechanisms to quickly disable information systems and equipment in case of emergencies or security incidents.
  11. Alternate Work Site (PE-12): Identifying and preparing alternate work sites where critical functions can be performed in case of disruptions to primary facilities. This includes ensuring the availability of necessary resources and infrastructure.
  12. Emergency Lighting (PE-13): Installing emergency lighting in information system facilities to ensure visibility and safety during power outages or emergencies.
  13. Fire Protection (PE-14): Implementing fire protection measures, such as fire detection systems, alarms, and suppression systems, to prevent and mitigate damage to information systems and facilities.
  14. Temperature and Humidity Controls (PE-15): Implementing controls to monitor and maintain appropriate temperature and humidity levels in information system facilities to protect equipment and prevent overheating or damage.
  15. Water Damage Protection (PE-16): Implementing measures to protect information systems and equipment from water damage, such as waterproofing, drainage systems, and moisture detection.

L. Planning (PL)

The Planning (PL) family outlines your organization’s security planning policies, covering the purpose, scope, roles, responsibilities, management commitment, coordination, and organizational compliance necessary for effective security planning. In NIST 800–53, the PL family focuses on establishing and maintaining the processes and procedures used to develop, implement, and manage security plans and strategies. These controls are foundational to integrating security into the organization’s overall planning and strategic management: they make security planning an integral part of organizational processes, so that security measures are implemented and managed proactively to protect assets and support mission objectives. The PL family emphasizes systematic planning, documentation, and integration of security considerations throughout the lifecycle of information systems and organizational operations.

The PL family includes the following controls:

  1. Security Planning Policy and Procedures (PL-1): Developing, documenting, and disseminating security planning policies and procedures to guide the development and implementation of security plans.
  2. System Security Plan (PL-2): Developing and maintaining a system security plan (SSP) that describes the security controls and safeguards employed within the information system. The SSP serves as a roadmap for implementing, assessing, and monitoring security controls.
  3. System Security Plan Update (PL-3): Reviewing and updating the system security plan periodically and after significant changes to the system. This ensures that the SSP remains accurate and reflective of the current security posture.
  4. Security Concept of Operations (PL-4): Developing and maintaining a security concept of operations (CONOPS) that describes how security controls will be implemented and managed within the organization. The CONOPS aligns security objectives with organizational missions and goals.
  5. Contingency Planning (PL-8): Integrating contingency planning into the overall organizational planning process to ensure that security considerations are incorporated into contingency plans for information systems.
  6. Security Awareness and Training Plan (PL-9): Developing and implementing a security awareness and training plan that outlines objectives, methods, and schedules for educating personnel on security policies, procedures, and practices.
  7. Security Assessment and Authorization Schedule (PL-10): Establishing and maintaining a schedule for conducting security assessments and authorizations for information systems. This ensures that security controls are regularly assessed to verify compliance and effectiveness.
  8. Risk Assessment (PL-9): Conducting regular risk assessments to identify, evaluate, and prioritize risks to organizational operations, assets, individuals, and other organizations. This informs the development of security plans and strategies to mitigate identified risks.

M. Personnel Security (PS)

Your personnel are the frontline defenders of your organization. The Personnel Security (PS) family focuses on protecting them through risk assessment, screening, termination procedures, access agreements, and more. In NIST 800–53, the PS family establishes policies and procedures to ensure that individuals with access to organizational systems and assets are trustworthy and meet specified security requirements. These controls mitigate the risks of insider threats and of unauthorized access resulting from personnel actions by ensuring that personnel are adequately screened, trustworthy, and aware of their security responsibilities. Robust personnel security measures therefore safeguard sensitive information and help maintain operational continuity.

The PS family includes the following controls:

  1. Personnel Security Policy and Procedures (PS-1): Developing, documenting, and disseminating policies and procedures for personnel security to manage and mitigate risks associated with personnel actions.
  2. Position Risk Designation (PS-2): Assigning risk designations to positions based on the potential impact of personnel actions on organizational operations and assets. This includes identifying positions that require special security considerations.
  3. Personnel Screening (PS-3): Screening individuals prior to authorizing access to organizational systems and assets. This includes conducting background checks, employment verification, and other screening procedures based on the risk level of the position.
  4. Personnel Termination (PS-4): Establishing procedures for terminating personnel access to organizational systems and assets when individuals leave the organization or change positions. This includes revoking access privileges and collecting organizational assets.
  5. Personnel Transfer (PS-5): Establishing procedures for transferring personnel between positions within the organization to ensure that security requirements are maintained during transitions.
  6. Access Agreements (PS-6): Establishing access agreements with individuals granted access to organizational systems and assets. This includes defining access privileges, responsibilities, and obligations related to security.
  7. Employment Agreements (PS-7): Establishing employment agreements that include security requirements and responsibilities for individuals hired by the organization. This ensures that security expectations are clearly communicated and understood.
  8. Personnel Sanctions (PS-8): Implementing sanctions and disciplinary measures for personnel who violate security policies and procedures. This includes enforcing consequences for non-compliance with security requirements.
  9. Personnel Reporting Responsibilities (PS-9): Defining and communicating reporting responsibilities for personnel to report security incidents, violations, or suspicious activities. This promotes a culture of security awareness and accountability.
  10. Personnel Security Awareness and Training (PS-10): Providing personnel with security awareness and training to ensure they understand their roles and responsibilities in protecting organizational systems and assets.

N. Risk Assessment (RA)

The Risk Assessment (RA) family is your risk detective, focusing on assessing vulnerabilities and conducting regular scans to identify potential risks. In NIST 800–53, the RA family focuses on systematically evaluating risks to organizational operations, assets, individuals, and other organizations. These controls identify, assess, prioritize, and manage risks so that appropriate security measures are implemented to protect organizational resources. By systematically identifying and managing risks to their information systems and assets, organizations can make informed decisions about security investments and priorities; comprehensive risk assessments, integrated into organizational processes, allow them to protect effectively against potential threats and vulnerabilities.

The RA family includes the following controls:

  1. Risk Assessment Policy and Procedures (RA-1): Developing, documenting, and disseminating policies and procedures for conducting risk assessments to manage and mitigate risks effectively.
  2. System and Information Integrity (RA-2): Assessing risks to the integrity of information systems and information transmitted or processed by those systems. This includes identifying potential threats to information integrity and evaluating the impact of integrity violations.
  3. Threat and Vulnerability Assessments (RA-3): Conducting assessments to identify and prioritize threats and vulnerabilities that could potentially exploit information systems. This includes evaluating the likelihood and impact of identified threats.
  4. Risk Assessment (RA-4): Conducting regular risk assessments to identify, evaluate, and prioritize risks to organizational operations, assets, individuals, and other organizations. This involves analyzing threats, vulnerabilities, and potential impacts to determine the level of risk.
  5. Risk Assessment Update (RA-5): Reviewing and updating risk assessments periodically and after significant changes to organizational systems or environments. This ensures that risk assessments remain current and reflective of the evolving threat landscape.
  6. Security Categorization (RA-6): Categorizing information systems based on the potential impact of a security breach on organizational operations, assets, and individuals. This helps determine the appropriate security controls and safeguards for each system.
  7. Security Control Selection (RA-7): Selecting and implementing security controls based on the results of risk assessments and security categorizations. This includes determining which controls are necessary to mitigate identified risks effectively.
  8. Security Assessment and Authorization (RA-8): Integrating risk assessments into the security assessment and authorization process to verify compliance with security requirements and ensure that systems are adequately protected.
  9. Security Authorization (RA-9): Authorizing information systems to operate based on an assessment of risks and the implementation of appropriate security controls. This involves evaluating residual risks and determining if they are acceptable within organizational risk tolerance.
  10. Risk Management Strategy (RA-10): Developing and implementing a risk management strategy that outlines how risks will be identified, assessed, monitored, and managed throughout the organization.

O. System and Services Acquisition (SA)

The System and Services Acquisition (SA) family of controls in NIST 800–53 focuses on establishing processes and procedures to ensure that information systems, products, and services acquired or developed by an organization meet specified security requirements. These controls are essential for integrating security considerations into the entire acquisition and development lifecycle of systems and services. They ensure that security is prioritized throughout this lifecycle, promoting the development of secure systems and the protection of organizational assets and data. By integrating security requirements early in the acquisition process, organizations can mitigate risks and ensure that acquired systems effectively meet their security needs.

The SA family includes the following controls:

  1. Acquisition Process (SA-1): Establishing an acquisition process that integrates security requirements into the acquisition lifecycle of information systems, products, and services.
  2. Allocation of Resources (SA-2): Allocating adequate resources, including budget, personnel, and time, to support the acquisition and development of secure information systems and services.
  3. Acquisition Planning (SA-3): Developing acquisition plans that include security requirements, considerations, and criteria for evaluating potential vendors or developers of information systems and services.
  4. Acquisition Risk Management (SA-4): Managing risks associated with the acquisition of information systems and services by conducting risk assessments, implementing risk mitigation measures, and monitoring risks throughout the acquisition process.
  5. Acquisition Monitoring (SA-5): Monitoring the security performance of vendors, suppliers, and developers during the acquisition process to ensure compliance with security requirements and contractual agreements.
  6. Supplier Agreements (SA-6): Establishing agreements with suppliers, vendors, and developers that include security requirements, responsibilities, and expectations for protecting organizational information systems and data.
  7. Acquisition Verification (SA-7): Verifying that acquired information systems, products, and services meet specified security requirements and perform as expected in the intended environment.
  8. Transition to Operations (SA-8): Planning and implementing the transition of acquired systems, products, and services from development and acquisition phases to operational use while ensuring continuity of security controls.
  9. Security Engineering Principles (SA-9): Applying security engineering principles and practices throughout the acquisition lifecycle to design and develop secure information systems and services.
  10. Security Requirements Traceability (SA-10): Establishing and maintaining traceability between security requirements, specifications, and deliverables throughout the acquisition process to ensure that security objectives are met.
  11. Life Cycle Support (SA-11): Providing life cycle support for acquired information systems and services, including maintenance, updates, and upgrades, to address security vulnerabilities and maintain effective security controls.
  12. System and Service Acquisition Security (SA-12): Ensuring that security considerations are integrated into the acquisition of information systems and services to protect against potential threats and vulnerabilities.

P. System and Communications Protection (SC)

The System and Communications Protection (SC) family guards your systems and communications against various threats. From boundary protection to cryptographic measures, and from denial of service protection to securing information at rest, it ensures the safety of your digital interactions. In NIST 800–53, the SC family focuses on measures that protect the confidentiality, integrity, and availability of information systems and communications within an organization. These controls secure systems from unauthorized access, disruptions, and attacks; by implementing them, organizations protect their information systems and communications from threats such as unauthorized access, data breaches, and service disruptions, maintaining the confidentiality, integrity, and availability of their critical information and assets.

The SC family includes the following controls:

  1. Cryptographic Protections (SC-1): Implementing cryptographic mechanisms to protect the confidentiality, integrity, and authenticity of information transmitted or stored within information systems. This includes encryption, digital signatures, and key management.
  2. Cryptographic Key Establishment and Management (SC-2): Establishing and managing cryptographic keys used for encryption, decryption, and digital signatures to ensure their confidentiality, integrity, and availability.
  3. Limitations of Interconnections (SC-3): Limiting the types of interconnections between information systems to reduce the risk of unauthorized access or compromise. This includes implementing network segmentation and access controls.
  4. Network Access Control (SC-7): Controlling and monitoring network access to information systems based on established policies and procedures. This includes enforcing access control policies, monitoring network traffic, and preventing unauthorized connections.
  5. Boundary Protection (SC-8): Implementing boundary protection mechanisms to monitor and control communications at the external boundaries of information systems. This includes firewalls, routers, and intrusion detection/prevention systems (IDS/IPS).
  6. Transmission Integrity (SC-9): Implementing mechanisms to ensure the integrity of information transmitted between information systems. This includes error detection and correction, checksums, and data validation techniques.
  7. Transmission Confidentiality and Integrity (SC-10): Implementing mechanisms to protect the confidentiality and integrity of information during transmission. This includes encryption and integrity verification of transmitted data.
  8. Security Function Isolation (SC-11): Isolating security functions to prevent unauthorized access and ensure the integrity and availability of security controls. This includes separating security mechanisms from non-security functions within information systems.
  9. Cryptographic Key Protection (SC-12): Protecting cryptographic keys from unauthorized access, modification, or compromise to maintain their confidentiality and integrity. This includes using secure key management practices and physical protection.
  10. Cryptographic Key Establishment and Maintenance (SC-13): Establishing and maintaining cryptographic keys securely over their entire lifecycle, including generation, distribution, storage, and destruction.
  11. Public Key Infrastructure Certificates (SC-14): Managing and using Public Key Infrastructure (PKI) certificates to verify the authenticity and integrity of parties involved in communications and transactions.
  12. Denial of Service Protection (SC-17): Implementing measures to protect information systems from denial of service (DoS) attacks that can disrupt services and degrade system performance.

Q. System and Information Integrity (SI)

The System and Information Integrity (SI) family ensures the integrity of your systems and information through vulnerability remediation, monitoring, protection against malicious code, software and firmware integrity checks, and related safeguards. In NIST 800–53, the SI family emphasizes measures that protect the integrity, availability, and confidentiality of information and systems from unauthorized access, modification, or disruption. These controls ensure that systems operate securely and reliably, free from tampering or compromise; implementing them enhances the reliability and security of systems and protects sensitive information from unauthorized access, modification, or disruption.

The SI family includes the following controls:

  1. System and Information Integrity Policy and Procedures (SI-1): Developing, documenting, and disseminating policies and procedures for managing system and information integrity to protect against unauthorized access and ensure data integrity.
  2. Flaw Remediation (SI-2): Identifying, prioritizing, and remedying software and hardware flaws to prevent exploitation that could compromise system integrity. This includes applying patches, updates, and fixes in a timely manner.
  3. Malicious Code Protection (SI-3): Implementing antivirus software, anti-malware tools, and other measures to detect, prevent, and mitigate the impact of malicious code (e.g., viruses, worms, Trojans) that could compromise system integrity.
  4. Information System Monitoring (SI-4): Monitoring information systems to detect and respond to unauthorized activity, anomalies, or changes in system behavior that could indicate a compromise of system integrity.
  5. Security Alerts, Advisories, and Directives (SI-5): Monitoring and implementing security alerts, advisories, and directives issued by authoritative sources to address vulnerabilities and threats that could impact system and information integrity.
  6. Security Functionality Verification (SI-6): Verifying the correct operation and effectiveness of security controls and mechanisms to ensure they provide the intended protection for system and information integrity.
  7. Software, Firmware, and Information Integrity (SI-7): Verifying the integrity of software, firmware, and information before installation, execution, or transmission to prevent unauthorized access, modification, or corruption.
  8. Spam Protection (SI-8): Implementing measures to protect against spam, phishing, and other malicious emails or messages that could compromise system integrity and security.
  9. Information Input Validation (SI-9): Validating the integrity of information inputs to prevent unauthorized or malicious data from entering information systems and potentially compromising system integrity.
  10. Error Handling (SI-10): Implementing error handling mechanisms to detect, respond to, and recover from errors and anomalies that could impact the integrity and availability of information systems.
  11. Non-persistence and Disposal (SI-11): Removing or rendering data and system components unrecoverable when no longer needed to prevent unauthorized access or exposure that could compromise system integrity.
  12. Trustworthiness (SI-12): Establishing and maintaining trustworthiness of information systems, components, and services through secure design, development, testing, and implementation practices.

R. Program Management (PM)

This part acts as the manager of your cybersecurity program, establishing critical infrastructure plans, information security program plans, and risk management strategies, and helping align your enterprise architecture with your security objectives. In NIST 800–53, the Program Management (PM) family focuses on establishing and managing a comprehensive information security program. These controls ensure that information security activities are planned, implemented, and monitored to protect organizational assets and achieve security objectives. Implementing the PM controls gives an organization a structured approach to managing information security risks, implementing security controls, and protecting critical assets and operations, improving its overall security posture and resilience against evolving cyber threats.

The PM family includes the following controls:

  1. Information Security Program Plan (PM-1): Developing, documenting, and disseminating an information security program plan that outlines the organization’s approach to managing information security risks and implementing security controls.
  2. Senior Information Security Officer (PM-2): Appointing a senior official with responsibility for information security to oversee and manage the organization’s information security program.
  3. Information Security Roles and Responsibilities (PM-3): Defining and assigning information security roles and responsibilities to individuals within the organization to ensure accountability for implementing security controls and managing risks.
  4. Information Security Coordination (PM-4): Establishing and maintaining coordination among organizational entities to manage information security-related activities effectively. This includes collaborating with stakeholders to address security requirements and concerns.
  5. Authorizing Official (PM-5): Designating an authorizing official or approving authority responsible for approving information system authorizations based on risk assessments and security considerations.
  6. Information System Inventory (PM-6): Developing and maintaining an inventory of information systems within the organization to facilitate effective management of security controls and resources.
  7. Information Security Awareness, Training, and Education (PM-7): Providing information security awareness, training, and education programs to ensure that personnel understand their roles and responsibilities in protecting organizational assets and data.
  8. Information Security Workforce (PM-8): Ensuring that the organization’s information security workforce possesses the necessary skills, knowledge, and qualifications to perform their assigned roles effectively.
  9. Security Authorization Process (PM-9): Establishing and implementing a process for authorizing information systems based on risk assessments, security requirements, and organizational policies and procedures.
  10. Security Continuous Monitoring (PM-10): Implementing continuous monitoring activities to assess and track the effectiveness of security controls, detect security incidents, and ensure ongoing compliance with security policies and requirements.
  11. Configuration Management (PM-11): Managing configuration changes to information systems and components to prevent unauthorized modifications and ensure system integrity and availability.
  12. Security Impact Analysis (PM-12): Conducting security impact analyses to assess the potential impact of changes to information systems, environments, or processes on security controls and organizational operations.
  13. Contingency Planning Management (PM-13): Managing contingency planning activities to ensure that information systems can continue to operate effectively in the event of disruptions, disasters, or security incidents.
  14. Incident Response Management (PM-14): Managing incident response activities to detect, respond to, mitigate, and recover from security incidents affecting organizational information systems and assets.
  15. Continuous Improvement (PM-15): Implementing processes for continuous improvement of the organization’s information security program, including reviewing and updating security policies, procedures, and controls based on lessons learned and changing threats.

S. Privacy Control (PT)

The Privacy Control (PT) family of controls in NIST 800–53 focuses on protecting the privacy of individuals’ personal information that is collected, processed, stored, or transmitted by an organization. These controls are designed to ensure compliance with privacy laws, regulations, and organizational policies governing the handling of personal information. By implementing these controls, organizations can protect individuals’ privacy rights and comply with legal and regulatory requirements related to personal information. This helps build trust with individuals, demonstrate a commitment to privacy protection, and mitigate risks associated with unauthorized access or misuse of personal information.

The PT family includes the following controls:

  1. Privacy Policy and Procedures (PT-1): Developing, documenting, and disseminating privacy policies and procedures that define how personal information is collected, used, stored, and protected by the organization.
  2. Privacy Awareness and Training (PT-2): Providing privacy awareness and training programs to ensure that personnel understand their roles and responsibilities in protecting individuals’ privacy and complying with privacy policies.
  3. Privacy Notice (PT-3): Providing individuals with clear and concise notice about the organization’s privacy practices, including the types of personal information collected, how it is used, and with whom it may be shared.
  4. Personally Identifiable Information (PII) Processing and Transparency (PT-4): Ensuring transparency in the processing of personally identifiable information (PII) by informing individuals about how their PII is collected, used, shared, and maintained.
  5. Privacy Impact Assessment (PT-5): Conducting privacy impact assessments (PIAs) to identify and assess privacy risks associated with the collection, use, and disclosure of personal information, and implementing measures to mitigate those risks.
  6. Privacy Engineering (PT-6): Integrating privacy requirements and considerations into the design, development, and implementation of information systems, products, and services to protect individuals’ privacy by default.
  7. Data Minimization and Retention (PT-7): Minimizing the collection and retention of personal information to the minimum necessary for organizational purposes, and establishing procedures for securely disposing of or anonymizing personal information when no longer needed.
  8. Privacy Incident Response (PT-8): Developing and implementing procedures for responding to privacy incidents involving unauthorized access, disclosure, or loss of personal information, and mitigating the impact on affected individuals.
  9. Privacy Auditing and Accountability (PT-9): Conducting privacy audits and assessments to evaluate compliance with privacy policies, procedures, and legal requirements, and holding individuals and entities accountable for adhering to privacy obligations.
  10. Privacy Governance (PT-10): Establishing governance structures and processes to oversee and manage the organization’s privacy program, including assigning roles and responsibilities for privacy management and ensuring accountability.

T. Supply Chain Risk Management (SR)

The Supply Chain Risk Management (SR) family of controls in NIST 800–53 focuses on managing risks associated with supply chain processes and activities that affect the security of information systems, products, and services acquired or developed by an organization. Like the other families, it encompasses a range of security measures to protect information systems and ensure privacy and data security, but its specific concern is identifying, assessing, mitigating, and monitoring the risks posed by suppliers, vendors, and third-party providers throughout the supply chain lifecycle. By implementing these controls, organizations can proactively manage and mitigate risks associated with their supply chain, ensuring the security, integrity, and resilience of information systems and assets acquired or developed through external providers. This strengthens their overall supply chain security posture and reduces vulnerabilities introduced by third-party dependencies.

The SR family includes the following controls:

  1. Supply Chain Risk Management Strategy (SR-1): Developing and implementing a supply chain risk management strategy that outlines the organization’s approach to identifying, assessing, and mitigating supply chain risks.
  2. Supply Chain Risk Assessment (SR-2): Conducting risk assessments to identify and evaluate supply chain risks associated with suppliers, vendors, and third-party providers. This includes assessing risks to information systems, products, and services throughout the supply chain lifecycle.
  3. Supply Chain Risk Mitigation (SR-3): Implementing risk mitigation measures to reduce the likelihood and impact of identified supply chain risks. This includes establishing controls, safeguards, and contractual agreements with suppliers to address security concerns.
  4. Supply Chain Component Authentication (SR-4): Authenticating and verifying the integrity of supply chain components, products, and services to ensure they have not been tampered with or compromised during the acquisition or delivery process.
  5. Supply Chain Criticality (SR-5): Identifying and prioritizing critical elements of the supply chain that could significantly impact organizational operations and security if compromised. This includes assessing the importance of suppliers and dependencies on supply chain components.
  6. Supply Chain Cybersecurity (SR-6): Implementing cybersecurity measures to protect against threats and vulnerabilities introduced through the supply chain, including malware, malicious code, and unauthorized access.
  7. Supply Chain Resilience (SR-7): Enhancing supply chain resilience by developing contingency plans, alternative sourcing strategies, and response measures to mitigate disruptions and maintain continuity of operations.
  8. Trusted Foundry (SR-8): Ensuring that suppliers and vendors are trustworthy and adhere to security and quality standards when manufacturing or providing components, products, or services.
  9. Supply Chain Risk Monitoring (SR-9): Monitoring and assessing supply chain risks on an ongoing basis to identify new threats, vulnerabilities, or changes in risk exposure that could impact organizational security.
  10. Supply Chain Incident Response (SR-10): Developing and implementing incident response procedures to address supply chain incidents, breaches, or disruptions that impact the security or integrity of information systems, products, or services.
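The component-authentication control (SR-4) is the one item in this list that maps directly onto a mechanical check: when a component arrives, compare it against what the organization recorded when it accepted that component. The script below is an added example, not code from the article or from NIST; the manifest format, artifact names, contents and digests are constructed for illustration. It verifies a delivery against a manifest of pinned SHA-256 digests, rejects pins that use weak hash algorithms, flags tampered artifacts, and reports pinned artifacts that were silently dropped from the delivery.

```python
"""Verify delivered supply chain components against a pinned digest manifest.

Added example for the SR-4 discussion; not part of the article or of NIST 800-53.
Artifact names, contents and the manifest below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Only collision-resistant algorithms are acceptable for integrity pins.
ACCEPTED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Constructed sample: the digests recorded when the components were accepted.
# In practice this manifest comes from the acceptance record, not the delivery.
PINNED_MANIFEST = {
    "firmware-1.2.3.bin": ("sha256", hashlib.sha256(b"good firmware image").hexdigest()),
    "driver-4.5.6.pkg": ("sha256", hashlib.sha256(b"good driver package").hexdigest()),
}


@dataclass(frozen=True)
class VerificationResult:
    name: str
    ok: bool
    reason: str


def verify_artifact(name, data, manifest=PINNED_MANIFEST):
    """Compare one delivered artifact's digest with its pinned value."""
    entry = manifest.get(name)
    if entry is None:
        # An artifact nobody pinned cannot be authenticated; treat it as untrusted.
        return VerificationResult(name, False, "no pinned digest for artifact")
    algo, expected = entry
    if algo not in ACCEPTED_ALGORITHMS:
        # A pin made with a broken hash gives no real tamper evidence.
        return VerificationResult(name, False, f"unsupported pin algorithm: {algo}")
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the pin.
    if not hmac.compare_digest(actual, expected):
        return VerificationResult(
            name, False,
            f"digest mismatch: pinned {expected[:12]}..., delivered {actual[:12]}...",
        )
    return VerificationResult(name, True, "digest matches pinned value")


def verify_delivery(delivery, manifest=PINNED_MANIFEST):
    """Verify every artifact in a delivery and report any pinned artifact that is missing.

    `delivery` maps artifact name -> bytes as received from the supplier.
    """
    results = [verify_artifact(name, data, manifest) for name, data in delivery.items()]
    # A delivery that quietly omits a pinned component is also a deviation worth raising.
    for missing in sorted(set(manifest) - set(delivery)):
        results.append(VerificationResult(missing, False, "pinned artifact missing from delivery"))
    return results


if __name__ == "__main__":
    # Constructed delivery in which one artifact was altered in transit.
    received = {
        "firmware-1.2.3.bin": b"good firmware image\x00",  # one byte appended
        "driver-4.5.6.pkg": b"good driver package",
    }
    for result in verify_delivery(received):
        status = "PASS" if result.ok else "FAIL"
        print(f"{status} {result.name}: {result.reason}")
```

The manifest is deliberately separate from the delivery: a digest file shipped alongside the artifact only proves the two were produced together, so the pinned values must come from a channel the organization controls, such as its own acceptance record or a supplier-signed statement verified out of band.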

Written by Ben Pournader

Cybersecurity Manager/Engineer/Architect, Author, PCI & ISO Expert, Team Builder, Writer, CISM, CISA, CRISC, CGEIT, MCSE, RHCSA, CDPSE, PMP, MBA