NIST SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
Showing 370 controls in HIGH baseline
AC — Access Control (46 controls)
AC-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
AC-2 Account Management [LOW, MODERATE, HIGH]
AC-2(1) Automated System Account Management [MODERATE, HIGH]
AC-2(2) Automated Temporary And Emergency Account Management [MODERATE, HIGH]
AC-2(3) Disable Accounts [MODERATE, HIGH]
AC-2(4) Automated Audit Actions [MODERATE, HIGH]
AC-2(5) Inactivity Logout [MODERATE, HIGH]
AC-2(11) Usage Conditions [HIGH]
AC-2(12) Account Monitoring For Atypical Usage [HIGH]
AC-2(13) Disable Accounts For High-Risk Individuals [MODERATE, HIGH]
AC-3 Access Enforcement [LOW, MODERATE, HIGH]
AC-4 Information Flow Enforcement [MODERATE, HIGH]
AC-4(4) Flow Control Of Encrypted Information [HIGH]
AC-5 Separation Of Duties [MODERATE, HIGH]
AC-6 Least Privilege [MODERATE, HIGH]
AC-6(1) Authorize Access To Security Functions [MODERATE, HIGH]
AC-6(2) Non-Privileged Access For Nonsecurity Functions [MODERATE, HIGH]
AC-6(3) Network Access To Privileged Commands [HIGH]
AC-6(5) Privileged Accounts [MODERATE, HIGH]
AC-6(7) Review Of User Privileges [MODERATE, HIGH]
AC-6(9) Log Use Of Privileged Functions [MODERATE, HIGH]
AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions [MODERATE, HIGH]
AC-7 Unsuccessful Logon Attempts [LOW, MODERATE, HIGH]
AC-8 System Use Notification [LOW, MODERATE, HIGH]
AC-10 Concurrent Session Control [HIGH]
AC-11 Device Lock [MODERATE, HIGH]
AC-11(1) Pattern-Hiding Displays [MODERATE, HIGH]
AC-12 Session Termination [MODERATE, HIGH]
AC-14 Permitted Actions Without Identification Or Authentication [LOW, MODERATE, HIGH]
AC-17 Remote Access [LOW, MODERATE, HIGH]
AC-17(1) Monitoring And Control [MODERATE, HIGH]
AC-17(2) Protection Of Confidentiality And Integrity Using Encryption [MODERATE, HIGH]
AC-17(3) Managed Access Control Points [MODERATE, HIGH]
AC-17(4) Privileged Commands And Access [MODERATE, HIGH]
AC-18 Wireless Access [LOW, MODERATE, HIGH]
AC-18(1) Authentication And Encryption [MODERATE, HIGH]
AC-18(3) Disable Wireless Networking [MODERATE, HIGH]
AC-18(4) Restrict Configurations By Users [HIGH]
AC-18(5) Antennas And Transmission Power Levels [HIGH]
AC-19 Access Control For Mobile Devices [LOW, MODERATE, HIGH]
AC-19(5) Full Device Or Container-Based Encryption [MODERATE, HIGH]
AC-20 Use Of External Systems [LOW, MODERATE, HIGH]
AC-20(1) Limits On Authorized Use [MODERATE, HIGH]
AC-20(2) Portable Storage Devices — Restricted Use [MODERATE, HIGH]
AC-21 Information Sharing [MODERATE, HIGH]
AC-22 Publicly Accessible Content [LOW, MODERATE, HIGH]
AT — Awareness and Training (6 controls)
AU — Audit and Accountability (25 controls)
AU-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
AU-2 Event Logging [LOW, MODERATE, HIGH, PRIVACY]
AU-3 Content Of Audit Records [LOW, MODERATE, HIGH]
AU-3(1) Additional Audit Information [MODERATE, HIGH]
AU-4 Audit Log Storage Capacity [LOW, MODERATE, HIGH]
AU-5 Response To Audit Logging Process Failures [LOW, MODERATE, HIGH]
AU-5(1) Storage Capacity Warning [HIGH]
AU-5(2) Real-Time Alerts [HIGH]
AU-6 Audit Record Review, Analysis, And Reporting [LOW, MODERATE, HIGH]
AU-6(1) Automated Process Integration [MODERATE, HIGH]
AU-6(3) Correlate Audit Record Repositories [MODERATE, HIGH]
AU-6(5) Integrated Analysis Of Audit Records [HIGH]
AU-6(6) Correlation With Physical Monitoring [HIGH]
AU-7 Audit Record Reduction And Report Generation [MODERATE, HIGH]
AU-7(1) Automatic Processing [MODERATE, HIGH]
AU-8 Time Stamps [LOW, MODERATE, HIGH]
AU-9 Protection Of Audit Information [LOW, MODERATE, HIGH]
AU-9(2) Store On Separate Physical Systems Or Components [HIGH]
AU-9(3) Cryptographic Protection [HIGH]
AU-9(4) Access By Subset Of Privileged Users [MODERATE, HIGH]
AU-10 Non-Repudiation [HIGH]
AU-11 Audit Record Retention [LOW, MODERATE, HIGH, PRIVACY]
AU-12 Audit Record Generation [LOW, MODERATE, HIGH]
AU-12(1) System-Wide And Time-Correlated Audit Trail [HIGH]
AU-12(3) Changes By Authorized Individuals [HIGH]
CA — Assessment, Authorization, and Monitoring (14 controls)
CA-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
CA-2 Control Assessments [LOW, MODERATE, HIGH, PRIVACY]
CA-2(1) Independent Assessors [MODERATE, HIGH]
CA-2(2) Specialized Assessments [HIGH]
CA-3 Information Exchange [LOW, MODERATE, HIGH]
CA-3(6) Transfer Authorizations [HIGH]
CA-5 Plan Of Action And Milestones [LOW, MODERATE, HIGH, PRIVACY]
CA-6 Authorization [LOW, MODERATE, HIGH, PRIVACY]
CA-7 Continuous Monitoring [LOW, MODERATE, HIGH, PRIVACY]
CA-7(1) Independent Assessment [MODERATE, HIGH]
CA-7(4) Risk Monitoring [LOW, MODERATE, HIGH, PRIVACY]
CA-8 Penetration Testing [HIGH]
CA-8(1) Independent Penetration Testing Agent Or Team [HIGH]
CA-9 Internal System Connections [LOW, MODERATE, HIGH]
CM — Configuration Management (32 controls)
CM-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
CM-2 Baseline Configuration [LOW, MODERATE, HIGH]
CM-2(2) Automation Support For Accuracy And Currency [MODERATE, HIGH]
CM-2(3) Retention Of Previous Configurations [MODERATE, HIGH]
CM-2(7) Configure Systems And Components For High-Risk Areas [MODERATE, HIGH]
CM-3 Configuration Change Control [MODERATE, HIGH]
CM-3(1) Automated Documentation, Notification, And Prohibition Of Changes [HIGH]
CM-3(2) Testing, Validation, And Documentation Of Changes [MODERATE, HIGH]
CM-3(4) Security And Privacy Representatives [MODERATE, HIGH]
CM-3(6) Cryptography Management [HIGH]
CM-4 Impact Analyses [LOW, MODERATE, HIGH, PRIVACY]
CM-4(1) Separate Test Environments [HIGH]
CM-4(2) Verification Of Controls [MODERATE, HIGH]
CM-5 Access Restrictions For Change [LOW, MODERATE, HIGH]
CM-5(1) Automated Access Enforcement And Audit Records [HIGH]
CM-6 Configuration Settings [LOW, MODERATE, HIGH]
CM-6(1) Automated Management, Application, And Verification [HIGH]
CM-6(2) Respond To Unauthorized Changes [HIGH]
CM-7 Least Functionality [LOW, MODERATE, HIGH]
CM-7(1) Periodic Review [MODERATE, HIGH]
CM-7(2) Prevent Program Execution [MODERATE, HIGH]
CM-7(5) Authorized Software — Allow-By-Exception [MODERATE, HIGH]
CM-8 System Component Inventory [LOW, MODERATE, HIGH]
CM-8(1) Updates During Installation And Removal [MODERATE, HIGH]
CM-8(2) Automated Maintenance [HIGH]
CM-8(3) Automated Unauthorized Component Detection [MODERATE, HIGH]
CM-8(4) Accountability Information [HIGH]
CM-9 Configuration Management Plan [MODERATE, HIGH]
CM-10 Software Usage Restrictions [LOW, MODERATE, HIGH]
CM-11 User-Installed Software [LOW, MODERATE, HIGH]
CM-12 Information Location [MODERATE, HIGH]
CM-12(1) Automated Tools To Support Information Location [MODERATE, HIGH]
CP — Contingency Planning (35 controls)
CP-1 Policy And Procedures [LOW, MODERATE, HIGH]
CP-2 Contingency Plan [LOW, MODERATE, HIGH]
CP-2(1) Coordinate With Related Plans [MODERATE, HIGH]
CP-2(2) Capacity Planning [HIGH]
CP-2(3) Resume Mission And Business Functions [MODERATE, HIGH]
CP-2(5) Continue Mission And Business Functions [HIGH]
CP-2(8) Identify Critical Assets [MODERATE, HIGH]
CP-3 Contingency Training [LOW, MODERATE, HIGH]
CP-3(1) Simulated Events [HIGH]
CP-4 Contingency Plan Testing [LOW, MODERATE, HIGH]
CP-4(1) Coordinate With Related Plans [MODERATE, HIGH]
CP-4(2) Alternate Processing Site [HIGH]
CP-6 Alternate Storage Site [MODERATE, HIGH]
CP-6(1) Separation From Primary Site [MODERATE, HIGH]
CP-6(2) Recovery Time And Recovery Point Objectives [HIGH]
CP-6(3) Accessibility [MODERATE, HIGH]
CP-7 Alternate Processing Site [MODERATE, HIGH]
CP-7(1) Separation From Primary Site [MODERATE, HIGH]
CP-7(2) Accessibility [MODERATE, HIGH]
CP-7(3) Priority Of Service [MODERATE, HIGH]
CP-7(4) Preparation For Use [HIGH]
CP-8 Telecommunications Services [MODERATE, HIGH]
CP-8(1) Priority Of Service Provisions [MODERATE, HIGH]
CP-8(2) Single Points Of Failure [MODERATE, HIGH]
CP-8(3) Separation Of Primary And Alternate Providers [HIGH]
CP-8(4) Provider Contingency Plan [HIGH]
CP-9 System Backup [LOW, MODERATE, HIGH]
CP-9(1) Testing For Reliability And Integrity [MODERATE, HIGH]
CP-9(2) Test Restoration Using Sampling [HIGH]
CP-9(3) Separate Storage For Critical Information [HIGH]
CP-9(5) Transfer To Alternate Storage Site [HIGH]
CP-9(8) Cryptographic Protection [MODERATE, HIGH]
CP-10 System Recovery And Reconstitution [LOW, MODERATE, HIGH]
CP-10(2) Transaction Recovery [MODERATE, HIGH]
CP-10(4) Restore Within Time Period [HIGH]
IA — Identification and Authentication (26 controls)
IA-1 Policy And Procedures [LOW, MODERATE, HIGH]
IA-2 Identification And Authentication (Organizational Users) [LOW, MODERATE, HIGH]
IA-2(1) Multi-Factor Authentication To Privileged Accounts [LOW, MODERATE, HIGH]
IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts [LOW, MODERATE, HIGH]
IA-2(5) Individual Authentication With Group Authentication [HIGH]
IA-2(8) Access To Accounts — Replay Resistant [LOW, MODERATE, HIGH]
IA-2(12) Acceptance Of PIV Credentials [LOW, MODERATE, HIGH]
IA-3 Device Identification And Authentication [MODERATE, HIGH]
IA-4 Identifier Management [LOW, MODERATE, HIGH]
IA-4(4) Identify User Status [MODERATE, HIGH]
IA-5 Authenticator Management [LOW, MODERATE, HIGH]
IA-5(1) Password-Based Authentication [LOW, MODERATE, HIGH]
IA-5(2) Public Key-Based Authentication [MODERATE, HIGH]
IA-5(6) Protection Of Authenticators [MODERATE, HIGH]
IA-6 Authentication Feedback [LOW, MODERATE, HIGH]
IA-7 Cryptographic Module Authentication [LOW, MODERATE, HIGH]
IA-8 Identification And Authentication (Non-Organizational Users) [LOW, MODERATE, HIGH]
IA-8(1) Acceptance Of PIV Credentials From Other Agencies [LOW, MODERATE, HIGH]
IA-8(2) Acceptance Of External Authenticators [LOW, MODERATE, HIGH]
IA-8(4) Use Of Defined Profiles [LOW, MODERATE, HIGH]
IA-11 Re-Authentication [LOW, MODERATE, HIGH]
IA-12 Identity Proofing [MODERATE, HIGH]
IA-12(2) Identity Evidence [MODERATE, HIGH]
IA-12(3) Identity Evidence Validation And Verification [MODERATE, HIGH]
IA-12(4) In-Person Validation And Verification [HIGH]
IA-12(5) Address Confirmation [MODERATE, HIGH]
IR — Incident Response (18 controls)
IR-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
IR-2 Incident Response Training [LOW, MODERATE, HIGH, PRIVACY]
IR-2(1) Simulated Events [HIGH]
IR-2(2) Automated Training Environments [HIGH]
IR-3 Incident Response Testing [MODERATE, HIGH, PRIVACY]
IR-3(2) Coordination With Related Plans [MODERATE, HIGH]
IR-4 Incident Handling [LOW, MODERATE, HIGH, PRIVACY]
IR-4(1) Automated Incident Handling Processes [MODERATE, HIGH]
IR-4(4) Information Correlation [HIGH]
IR-4(11) Integrated Incident Response Team [HIGH]
IR-5 Incident Monitoring [LOW, MODERATE, HIGH, PRIVACY]
IR-5(1) Automated Tracking, Data Collection, And Analysis [HIGH]
IR-6 Incident Reporting [LOW, MODERATE, HIGH, PRIVACY]
IR-6(1) Automated Reporting [MODERATE, HIGH]
IR-6(3) Supply Chain Coordination [MODERATE, HIGH]
IR-7 Incident Response Assistance [LOW, MODERATE, HIGH, PRIVACY]
IR-7(1) Automation Support For Availability Of Information And Support [MODERATE, HIGH]
IR-8 Incident Response Plan [LOW, MODERATE, HIGH, PRIVACY]
MA — Maintenance (12 controls)
MA-1 Policy And Procedures [LOW, MODERATE, HIGH]
MA-2 Controlled Maintenance [LOW, MODERATE, HIGH]
MA-2(2) Automated Maintenance Activities [HIGH]
MA-3 Maintenance Tools [MODERATE, HIGH]
MA-3(1) Inspect Tools [MODERATE, HIGH]
MA-3(2) Inspect Media [MODERATE, HIGH]
MA-3(3) Prevent Unauthorized Removal [MODERATE, HIGH]
MA-4 Nonlocal Maintenance [LOW, MODERATE, HIGH]
MA-4(3) Comparable Security And Sanitization [HIGH]
MA-5 Maintenance Personnel [LOW, MODERATE, HIGH]
MA-5(1) Individuals Without Appropriate Access [HIGH]
MA-6 Timely Maintenance [MODERATE, HIGH]
MP — Media Protection (10 controls)
MP-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
MP-2 Media Access [LOW, MODERATE, HIGH]
MP-3 Media Marking [MODERATE, HIGH]
MP-4 Media Storage [MODERATE, HIGH]
MP-5 Media Transport [MODERATE, HIGH]
MP-6 Media Sanitization [LOW, MODERATE, HIGH, PRIVACY]
MP-6(1) Review, Approve, Track, Document, And Verify [HIGH]
MP-6(2) Equipment Testing [HIGH]
MP-6(3) Nondestructive Techniques [HIGH]
MP-7 Media Use [LOW, MODERATE, HIGH]
PE — Physical and Environmental Protection (25 controls)
PE-1 Policy And Procedures [LOW, MODERATE, HIGH]
PE-2 Physical Access Authorizations [LOW, MODERATE, HIGH]
PE-3 Physical Access Control [LOW, MODERATE, HIGH]
PE-3(1) System Access [HIGH]
PE-4 Access Control For Transmission [MODERATE, HIGH]
PE-5 Access Control For Output Devices [MODERATE, HIGH]
PE-6 Monitoring Physical Access [LOW, MODERATE, HIGH]
PE-6(1) Intrusion Alarms And Surveillance Equipment [MODERATE, HIGH]
PE-6(4) Monitoring Physical Access To Systems [HIGH]
PE-8 Visitor Access Records [LOW, MODERATE, HIGH]
PE-8(1) Automated Records Maintenance And Review [HIGH]
PE-9 Power Equipment And Cabling [MODERATE, HIGH]
PE-10 Emergency Shutoff [MODERATE, HIGH]
PE-11 Emergency Power [MODERATE, HIGH]
PE-11(1) Alternate Power Supply — Minimal Operational Capability [HIGH]
PE-12 Emergency Lighting [LOW, MODERATE, HIGH]
PE-13 Fire Protection [LOW, MODERATE, HIGH]
PE-13(1) Detection Systems — Automatic Activation And Notification [MODERATE, HIGH]
PE-13(2) Suppression Systems — Automatic Activation And Notification [HIGH]
PE-14 Environmental Controls [LOW, MODERATE, HIGH]
PE-15 Water Damage Protection [LOW, MODERATE, HIGH]
PE-15(1) Automation Support [HIGH]
PE-16 Delivery And Removal [LOW, MODERATE, HIGH]
PE-17 Alternate Work Site [MODERATE, HIGH]
PE-18 Location Of System Components [HIGH]
PL — Planning (7 controls)
PL-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
PL-2 System Security And Privacy Plans [LOW, MODERATE, HIGH, PRIVACY]
PL-4 Rules Of Behavior [LOW, MODERATE, HIGH, PRIVACY]
PL-4(1) Social Media And External Site/Application Usage Restrictions [LOW, MODERATE, HIGH, PRIVACY]
PL-8 Security And Privacy Architectures [MODERATE, HIGH, PRIVACY]
PL-10 Baseline Selection [LOW, MODERATE, HIGH]
PL-11 Baseline Tailoring [LOW, MODERATE, HIGH]
PS — Personnel Security (10 controls)
PS-1 Policy And Procedures [LOW, MODERATE, HIGH]
PS-2 Position Risk Designation [LOW, MODERATE, HIGH]
PS-3 Personnel Screening [LOW, MODERATE, HIGH]
PS-4 Personnel Termination [LOW, MODERATE, HIGH]
PS-4(2) Automated Actions [HIGH]
PS-5 Personnel Transfer [LOW, MODERATE, HIGH]
PS-6 Access Agreements [LOW, MODERATE, HIGH, PRIVACY]
PS-7 External Personnel Security [LOW, MODERATE, HIGH]
PS-8 Personnel Sanctions [LOW, MODERATE, HIGH]
PS-9 Position Descriptions [LOW, MODERATE, HIGH]
RA — Risk Assessment (11 controls)
RA-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
RA-2 Security Categorization [LOW, MODERATE, HIGH]
RA-3 Risk Assessment [LOW, MODERATE, HIGH, PRIVACY]
RA-3(1) Supply Chain Risk Assessment [LOW, MODERATE, HIGH]
RA-5 Vulnerability Monitoring And Scanning [LOW, MODERATE, HIGH]
RA-5(2) Update Vulnerabilities To Be Scanned [LOW, MODERATE, HIGH]
RA-5(4) Discoverable Information [HIGH]
RA-5(5) Privileged Access [MODERATE, HIGH]
RA-5(11) Public Disclosure Program [LOW, MODERATE, HIGH]
RA-7 Risk Response [LOW, MODERATE, HIGH, PRIVACY]
RA-9 Criticality Analysis [MODERATE, HIGH]
SA — System and Services Acquisition (21 controls)
SA-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
SA-2 Allocation Of Resources [LOW, MODERATE, HIGH, PRIVACY]
SA-3 System Development Life Cycle [LOW, MODERATE, HIGH, PRIVACY]
SA-4 Acquisition Process [LOW, MODERATE, HIGH, PRIVACY]
SA-4(1) Functional Properties Of Controls [MODERATE, HIGH]
SA-4(2) Design And Implementation Information For Controls [MODERATE, HIGH]
SA-4(5) System, Component, And Service Configurations [HIGH]
SA-4(9) Functions, Ports, Protocols, And Services In Use [MODERATE, HIGH]
SA-4(10) Use Of Approved PIV Products [LOW, MODERATE, HIGH]
SA-5 System Documentation [LOW, MODERATE, HIGH]
SA-8 Security And Privacy Engineering Principles [LOW, MODERATE, HIGH]
SA-9 External System Services [LOW, MODERATE, HIGH, PRIVACY]
SA-9(2) Identification Of Functions, Ports, Protocols, And Services [MODERATE, HIGH]
SA-10 Developer Configuration Management [MODERATE, HIGH]
SA-11 Developer Testing And Evaluation [MODERATE, HIGH, PRIVACY]
SA-15 Development Process, Standards, And Tools [MODERATE, HIGH]
SA-15(3) Criticality Analysis [MODERATE, HIGH]
SA-16 Developer-Provided Training [HIGH]
SA-17 Developer Security And Privacy Architecture And Design [HIGH]
SA-21 Developer Screening [HIGH]
SA-22 Unsupported System Components [LOW, MODERATE, HIGH]
SC — System and Communications Protection (30 controls)
SC-1 Policy And Procedures [LOW, MODERATE, HIGH]
SC-2 Separation Of System And User Functionality [MODERATE, HIGH]
SC-3 Security Function Isolation [HIGH]
SC-4 Information In Shared System Resources [MODERATE, HIGH]
SC-5 Denial-Of-Service Protection [LOW, MODERATE, HIGH]
SC-7 Boundary Protection [LOW, MODERATE, HIGH]
SC-7(3) Access Points [MODERATE, HIGH]
SC-7(4) External Telecommunications Services [MODERATE, HIGH]
SC-7(5) Deny By Default — Allow By Exception [MODERATE, HIGH]
SC-7(7) Split Tunneling For Remote Devices [MODERATE, HIGH]
SC-7(8) Route Traffic To Authenticated Proxy Servers [MODERATE, HIGH]
SC-7(18) Fail Secure [HIGH]
SC-7(21) Isolation Of System Components [HIGH]
SC-8 Transmission Confidentiality And Integrity [MODERATE, HIGH]
SC-8(1) Cryptographic Protection [MODERATE, HIGH]
SC-10 Network Disconnect [MODERATE, HIGH]
SC-12 Cryptographic Key Establishment And Management [LOW, MODERATE, HIGH]
SC-12(1) Availability [HIGH]
SC-13 Cryptographic Protection [LOW, MODERATE, HIGH]
SC-15 Collaborative Computing Devices And Applications [LOW, MODERATE, HIGH]
SC-17 Public Key Infrastructure Certificates [MODERATE, HIGH]
SC-18 Mobile Code [MODERATE, HIGH]
SC-20 Secure Name/Address Resolution Service (Authoritative Source) [LOW, MODERATE, HIGH]
SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) [LOW, MODERATE, HIGH]
SC-22 Architecture And Provisioning For Name/Address Resolution Service [LOW, MODERATE, HIGH]
SC-23 Session Authenticity [MODERATE, HIGH]
SC-24 Fail In Known State [HIGH]
SC-28 Protection Of Information At Rest [MODERATE, HIGH]
SC-28(1) Cryptographic Protection [MODERATE, HIGH]
SC-39 Process Isolation [LOW, MODERATE, HIGH]
SI — System and Information Integrity (28 controls)
SI-1 Policy And Procedures [LOW, MODERATE, HIGH, PRIVACY]
SI-2 Flaw Remediation [LOW, MODERATE, HIGH]
SI-2(2) Automated Flaw Remediation Status [MODERATE, HIGH]
SI-3 Malicious Code Protection [LOW, MODERATE, HIGH]
SI-4 System Monitoring [LOW, MODERATE, HIGH]
SI-4(2) Automated Tools And Mechanisms For Real-Time Analysis [MODERATE, HIGH]
SI-4(4) Inbound And Outbound Communications Traffic [MODERATE, HIGH]
SI-4(5) System-Generated Alerts [MODERATE, HIGH]
SI-4(10) Visibility Of Encrypted Communications [HIGH]
SI-4(12) Automated Organization-Generated Alerts [HIGH]
SI-4(14) Wireless Intrusion Detection [HIGH]
SI-4(20) Privileged Users [HIGH]
SI-4(22) Unauthorized Network Services [HIGH]
SI-5 Security Alerts, Advisories, And Directives [LOW, MODERATE, HIGH]
SI-5(1) Automated Alerts And Advisories [HIGH]
SI-6 Security And Privacy Function Verification [HIGH]
SI-7 Software, Firmware, And Information Integrity [MODERATE, HIGH]
SI-7(1) Integrity Checks [MODERATE, HIGH]
SI-7(2) Automated Notifications Of Integrity Violations [HIGH]
SI-7(5) Automated Response To Integrity Violations [HIGH]
SI-7(7) Integration Of Detection And Response [MODERATE, HIGH]
SI-7(15) Code Authentication [HIGH]
SI-8 Spam Protection [MODERATE, HIGH]
SI-8(2) Automatic Updates [MODERATE, HIGH]
SI-10 Information Input Validation [MODERATE, HIGH]
SI-11 Error Handling [MODERATE, HIGH]
SI-12 Information Management And Retention [LOW, MODERATE, HIGH, PRIVACY]
SI-16 Memory Protection [MODERATE, HIGH]
SR — Supply Chain Risk Management (14 controls)
SR-1 Policy And Procedures [LOW, MODERATE, HIGH]
SR-2 Supply Chain Risk Management Plan [LOW, MODERATE, HIGH]
SR-2(1) Establish SCRM Team [LOW, MODERATE, HIGH]
SR-3 Supply Chain Controls And Processes [LOW, MODERATE, HIGH]
SR-5 Acquisition Strategies, Tools, And Methods [LOW, MODERATE, HIGH]
SR-6 Supplier Assessments And Reviews [MODERATE, HIGH]
SR-8 Notification Agreements [LOW, MODERATE, HIGH]
SR-9 Tamper Resistance And Detection [HIGH]
SR-9(1) Multiple Stages Of System Development Life Cycle [HIGH]
SR-10 Inspection Of Systems Or Components [LOW, MODERATE, HIGH]
SR-11 Component Authenticity [LOW, MODERATE, HIGH]
SR-11(1) Anti-Counterfeit Training [LOW, MODERATE, HIGH]
SR-11(2) Configuration Control For Component Service And Repair [LOW, MODERATE, HIGH]
SR-12 Component Disposal [LOW, MODERATE, HIGH]