
CSF 2.0 ↔ NIST 800-53 Crosswalk

Official NIST mapping between Cybersecurity Framework 2.0 subcategories and NIST SP 800-53 Rev 5 security controls. 746 mappings connecting 108 CSF subcategories to 214 NIST controls.

Versions: CSF v2.0 / SP 800-53 r5.2.0 (Draft)
CSF Subcategory | CSF Title | NIST Control | NIST Title
GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | PM-11 | Mission And Business Process Definition
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | PM-09 | Risk Management Strategy
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | PM-18 | Privacy Program Plan
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | PM-30 | Supply Chain Risk Management Strategy
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | SR-03 | Supply Chain Controls And Processes
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | SR-05 | Acquisition Strategies, Tools, And Methods
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | SR-06 | Supplier Assessments And Reviews
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | SR-08 | Notification Agreements
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | AC-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | AT-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | AU-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | CA-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | CM-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | CP-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | IA-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | IR-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | MA-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | MP-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PE-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PL-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PM-01 | Information Security Program Plan
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PM-28 | Risk Framing
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PS-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PT | Personally Identifiable Information Processing And Transparency (control family)
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | PT-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | RA-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | SA-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | SC-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | SI-01 | Policy And Procedures
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | SR-01 | Policy And Procedures
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | CP-02(08) | Identify Critical Assets
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | PM-08 | Critical Infrastructure Plan
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | PM-11 | Mission And Business Process Definition
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | PM-30(01) | Suppliers Of Critical Or Mission-Essential Items
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | RA-09 | Criticality Analysis
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | PM-11 | Mission And Business Process Definition
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | PM-30 | Supply Chain Risk Management Strategy
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | RA-07 | Risk Response
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | SA-09 | External System Services
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | SR-05 | Acquisition Strategies, Tools, And Methods
GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | PM-09 | Risk Management Strategy
GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | RA-07 | Risk Response
GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | SR-02 | Supply Chain Risk Management Plan
GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | PM-09 | Risk Management Strategy
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | PM-03 | Information Security And Privacy Resources
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | PM-09 | Risk Management Strategy
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | PM-30 | Supply Chain Risk Management Strategy
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | RA-07 | Risk Response
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | SA-24 | Design For Cyber Resiliency
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | SR-02 | Supply Chain Risk Management Plan
GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | PM-09 | Risk Management Strategy
GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | PM-28 | Risk Framing
GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | PM-30 | Supply Chain Risk Management Strategy
GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | SR-02 | Supply Chain Risk Management Plan
GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | PM-09 | Risk Management Strategy
GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | PM-30 | Supply Chain Risk Management Strategy
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | PM-09 | Risk Management Strategy
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | PM-18 | Privacy Program Plan
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | PM-28 | Risk Framing
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | PM-30 | Supply Chain Risk Management Strategy
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | RA-03 | Risk Assessment
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | PM-09 | Risk Management Strategy
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | PM-18 | Privacy Program Plan
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | PM-28 | Risk Framing
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | PM-30 | Supply Chain Risk Management Strategy
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | RA-03 | Risk Assessment
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | PM-02 | Information Security Program Leadership Role
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | PM-19 | Privacy Program Leadership Role
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | PM-23 | Data Governance Body
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | PM-24 | Data Integrity Board
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | PM-29 | Risk Management Program Leadership Roles
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-02 | Information Security Program Leadership Role
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-13 | Security And Privacy Workforce
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-19 | Privacy Program Leadership Role
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-23 | Data Governance Body
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-24 | Data Integrity Board
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | PM-29 | Risk Management Program Leadership Roles
GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | PM-03 | Information Security And Privacy Resources
GV.RR-04 | Cybersecurity is included in human resources practices | PM-13 | Security And Privacy Workforce
GV.RR-04 | Cybersecurity is included in human resources practices | PS-01 | Policy And Procedures
GV.RR-04 | Cybersecurity is included in human resources practices | PS-07 | External Personnel Security
GV.RR-04 | Cybersecurity is included in human resources practices | PS-09 | Position Descriptions
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | AC-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | AT-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | AU-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | CA-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | CM-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | CP-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | IA-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | IR-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | MA-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | MP-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | PE-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | PL-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | PM-01 | Information Security Program Plan
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | PS-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | PT-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | RA-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | SA-01 | Policy And Procedures
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | SC-01 | Policy And Procedures
Only the first 100 of the 746 mappings are listed above.