NIST SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
Showing 149 controls (base controls and control enhancements) in the LOW baseline. The baselines are defined in NIST SP 800-53B, not in SP 800-53 itself, and they are nested: every control in LOW also appears in MODERATE and HIGH. Each entry gives the control identifier, its title, and the baselines that include it; PRIVACY marks membership in the separate privacy control baseline from SP 800-53B.
AC — Access Control (11 controls)
AC-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
AC-2 | Account Management | LOW, MODERATE, HIGH
AC-3 | Access Enforcement | LOW, MODERATE, HIGH
AC-7 | Unsuccessful Logon Attempts | LOW, MODERATE, HIGH
AC-8 | System Use Notification | LOW, MODERATE, HIGH
AC-14 | Permitted Actions Without Identification Or Authentication | LOW, MODERATE, HIGH
AC-17 | Remote Access | LOW, MODERATE, HIGH
AC-18 | Wireless Access | LOW, MODERATE, HIGH
AC-19 | Access Control For Mobile Devices | LOW, MODERATE, HIGH
AC-20 | Use Of External Systems | LOW, MODERATE, HIGH
AC-22 | Publicly Accessible Content | LOW, MODERATE, HIGH
AT — Awareness and Training (5 controls)
AU — Audit and Accountability (10 controls)
AU-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
AU-2 | Event Logging | LOW, MODERATE, HIGH, PRIVACY
AU-3 | Content Of Audit Records | LOW, MODERATE, HIGH
AU-4 | Audit Log Storage Capacity | LOW, MODERATE, HIGH
AU-5 | Response To Audit Logging Process Failures | LOW, MODERATE, HIGH
AU-6 | Audit Record Review, Analysis, And Reporting | LOW, MODERATE, HIGH
AU-8 | Time Stamps | LOW, MODERATE, HIGH
AU-9 | Protection Of Audit Information | LOW, MODERATE, HIGH
AU-11 | Audit Record Retention | LOW, MODERATE, HIGH, PRIVACY
AU-12 | Audit Record Generation | LOW, MODERATE, HIGH
CA — Assessment, Authorization, and Monitoring (8 controls)
CA-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
CA-2 | Control Assessments | LOW, MODERATE, HIGH, PRIVACY
CA-3 | Information Exchange | LOW, MODERATE, HIGH
CA-5 | Plan Of Action And Milestones | LOW, MODERATE, HIGH, PRIVACY
CA-6 | Authorization | LOW, MODERATE, HIGH, PRIVACY
CA-7 | Continuous Monitoring | LOW, MODERATE, HIGH, PRIVACY
CA-7(4) | Risk Monitoring | LOW, MODERATE, HIGH, PRIVACY
CA-9 | Internal System Connections | LOW, MODERATE, HIGH
CM — Configuration Management (9 controls)
CM-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
CM-2 | Baseline Configuration | LOW, MODERATE, HIGH
CM-4 | Impact Analyses | LOW, MODERATE, HIGH, PRIVACY
CM-5 | Access Restrictions For Change | LOW, MODERATE, HIGH
CM-6 | Configuration Settings | LOW, MODERATE, HIGH
CM-7 | Least Functionality | LOW, MODERATE, HIGH
CM-8 | System Component Inventory | LOW, MODERATE, HIGH
CM-10 | Software Usage Restrictions | LOW, MODERATE, HIGH
CM-11 | User-Installed Software | LOW, MODERATE, HIGH
CP — Contingency Planning (6 controls)
IA — Identification and Authentication (16 controls)
IA-1 | Policy And Procedures | LOW, MODERATE, HIGH
IA-2 | Identification And Authentication (Organizational Users) | LOW, MODERATE, HIGH
IA-2(1) | Multi-Factor Authentication To Privileged Accounts | LOW, MODERATE, HIGH
IA-2(2) | Multi-Factor Authentication To Non-Privileged Accounts | LOW, MODERATE, HIGH
IA-2(8) | Access To Accounts — Replay Resistant | LOW, MODERATE, HIGH
IA-2(12) | Acceptance Of PIV Credentials | LOW, MODERATE, HIGH
IA-4 | Identifier Management | LOW, MODERATE, HIGH
IA-5 | Authenticator Management | LOW, MODERATE, HIGH
IA-5(1) | Password-Based Authentication | LOW, MODERATE, HIGH
IA-6 | Authentication Feedback | LOW, MODERATE, HIGH
IA-7 | Cryptographic Module Authentication | LOW, MODERATE, HIGH
IA-8 | Identification And Authentication (Non-Organizational Users) | LOW, MODERATE, HIGH
IA-8(1) | Acceptance Of PIV Credentials From Other Agencies | LOW, MODERATE, HIGH
IA-8(2) | Acceptance Of External Authenticators | LOW, MODERATE, HIGH
IA-8(4) | Use Of Defined Profiles | LOW, MODERATE, HIGH
IA-11 | Re-Authentication | LOW, MODERATE, HIGH
IR — Incident Response (7 controls)
IR-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
IR-2 | Incident Response Training | LOW, MODERATE, HIGH, PRIVACY
IR-4 | Incident Handling | LOW, MODERATE, HIGH, PRIVACY
IR-5 | Incident Monitoring | LOW, MODERATE, HIGH, PRIVACY
IR-6 | Incident Reporting | LOW, MODERATE, HIGH, PRIVACY
IR-7 | Incident Response Assistance | LOW, MODERATE, HIGH, PRIVACY
IR-8 | Incident Response Plan | LOW, MODERATE, HIGH, PRIVACY
MA — Maintenance (4 controls)
MP — Media Protection (4 controls)
PE — Physical and Environmental Protection (10 controls)
PE-1 | Policy And Procedures | LOW, MODERATE, HIGH
PE-2 | Physical Access Authorizations | LOW, MODERATE, HIGH
PE-3 | Physical Access Control | LOW, MODERATE, HIGH
PE-6 | Monitoring Physical Access | LOW, MODERATE, HIGH
PE-8 | Visitor Access Records | LOW, MODERATE, HIGH
PE-12 | Emergency Lighting | LOW, MODERATE, HIGH
PE-13 | Fire Protection | LOW, MODERATE, HIGH
PE-14 | Environmental Controls | LOW, MODERATE, HIGH
PE-15 | Water Damage Protection | LOW, MODERATE, HIGH
PE-16 | Delivery And Removal | LOW, MODERATE, HIGH
PL — Planning (6 controls)
PL-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
PL-2 | System Security And Privacy Plans | LOW, MODERATE, HIGH, PRIVACY
PL-4 | Rules Of Behavior | LOW, MODERATE, HIGH, PRIVACY
PL-4(1) | Social Media And External Site/Application Usage Restrictions | LOW, MODERATE, HIGH, PRIVACY
PL-10 | Baseline Selection | LOW, MODERATE, HIGH
PL-11 | Baseline Tailoring | LOW, MODERATE, HIGH
PS — Personnel Security (9 controls)
PS-1 | Policy And Procedures | LOW, MODERATE, HIGH
PS-2 | Position Risk Designation | LOW, MODERATE, HIGH
PS-3 | Personnel Screening | LOW, MODERATE, HIGH
PS-4 | Personnel Termination | LOW, MODERATE, HIGH
PS-5 | Personnel Transfer | LOW, MODERATE, HIGH
PS-6 | Access Agreements | LOW, MODERATE, HIGH, PRIVACY
PS-7 | External Personnel Security | LOW, MODERATE, HIGH
PS-8 | Personnel Sanctions | LOW, MODERATE, HIGH
PS-9 | Position Descriptions | LOW, MODERATE, HIGH
RA — Risk Assessment (8 controls)
RA-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
RA-2 | Security Categorization | LOW, MODERATE, HIGH
RA-3 | Risk Assessment | LOW, MODERATE, HIGH, PRIVACY
RA-3(1) | Supply Chain Risk Assessment | LOW, MODERATE, HIGH
RA-5 | Vulnerability Monitoring And Scanning | LOW, MODERATE, HIGH
RA-5(2) | Update Vulnerabilities To Be Scanned | LOW, MODERATE, HIGH
RA-5(11) | Public Disclosure Program | LOW, MODERATE, HIGH
RA-7 | Risk Response | LOW, MODERATE, HIGH, PRIVACY
SA — System and Services Acquisition (9 controls)
SA-1 | Policy And Procedures | LOW, MODERATE, HIGH, PRIVACY
SA-2 | Allocation Of Resources | LOW, MODERATE, HIGH, PRIVACY
SA-3 | System Development Life Cycle | LOW, MODERATE, HIGH, PRIVACY
SA-4 | Acquisition Process | LOW, MODERATE, HIGH, PRIVACY
SA-4(10) | Use Of Approved PIV Products | LOW, MODERATE, HIGH
SA-5 | System Documentation | LOW, MODERATE, HIGH
SA-8 | Security And Privacy Engineering Principles | LOW, MODERATE, HIGH
SA-9 | External System Services | LOW, MODERATE, HIGH, PRIVACY
SA-22 | Unsupported System Components | LOW, MODERATE, HIGH
SC — System and Communications Protection (10 controls)
SC-1 | Policy And Procedures | LOW, MODERATE, HIGH
SC-5 | Denial-Of-Service Protection | LOW, MODERATE, HIGH
SC-7 | Boundary Protection | LOW, MODERATE, HIGH
SC-12 | Cryptographic Key Establishment And Management | LOW, MODERATE, HIGH
SC-13 | Cryptographic Protection | LOW, MODERATE, HIGH
SC-15 | Collaborative Computing Devices And Applications | LOW, MODERATE, HIGH
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | LOW, MODERATE, HIGH
SC-21 | Secure Name/Address Resolution Service (Recursive Or Caching Resolver) | LOW, MODERATE, HIGH
SC-22 | Architecture And Provisioning For Name/Address Resolution Service | LOW, MODERATE, HIGH
SC-39 | Process Isolation | LOW, MODERATE, HIGH
SI — System and Information Integrity (6 controls)
SR — Supply Chain Risk Management (11 controls)
SR-1 | Policy And Procedures | LOW, MODERATE, HIGH
SR-2 | Supply Chain Risk Management Plan | LOW, MODERATE, HIGH
SR-2(1) | Establish SCRM Team | LOW, MODERATE, HIGH
SR-3 | Supply Chain Controls And Processes | LOW, MODERATE, HIGH
SR-5 | Acquisition Strategies, Tools, And Methods | LOW, MODERATE, HIGH
SR-8 | Notification Agreements | LOW, MODERATE, HIGH
SR-10 | Inspection Of Systems Or Components | LOW, MODERATE, HIGH
SR-11 | Component Authenticity | LOW, MODERATE, HIGH
SR-11(1) | Anti-Counterfeit Training | LOW, MODERATE, HIGH
SR-11(2) | Configuration Control For Component Service And Repair | LOW, MODERATE, HIGH
SR-12 | Component Disposal | LOW, MODERATE, HIGH