NIST SP 800-53 Revision 5
Security and Privacy Controls for Information Systems and Organizations
Showing 287 controls in MODERATE baseline
AC — Access Control (39 controls)
AC-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
AC-2Account Management
LOW
MODERATE
HIGH
AC-2(1)Automated System Account Management
MODERATE
HIGH
AC-2(2)Automated Temporary And Emergency Account Management
MODERATE
HIGH
AC-2(3)Disable Accounts
MODERATE
HIGH
AC-2(4)Automated Audit Actions
MODERATE
HIGH
AC-2(5)Inactivity Logout
MODERATE
HIGH
AC-2(13)Disable Accounts For High-Risk Individuals
MODERATE
HIGH
AC-3Access Enforcement
LOW
MODERATE
HIGH
AC-4Information Flow Enforcement
MODERATE
HIGH
AC-5Separation Of Duties
MODERATE
HIGH
AC-6Least Privilege
MODERATE
HIGH
AC-6(1)Authorize Access To Security Functions
MODERATE
HIGH
AC-6(2)Non-Privileged Access For Nonsecurity Functions
MODERATE
HIGH
AC-6(5)Privileged Accounts
MODERATE
HIGH
AC-6(7)Review Of User Privileges
MODERATE
HIGH
AC-6(9)Log Use Of Privileged Functions
MODERATE
HIGH
AC-6(10)Prohibit Non-Privileged Users From Executing Privileged Functions
MODERATE
HIGH
AC-7Unsuccessful Logon Attempts
LOW
MODERATE
HIGH
AC-8System Use Notification
LOW
MODERATE
HIGH
AC-11Device Lock
MODERATE
HIGH
AC-11(1)Pattern-Hiding Displays
MODERATE
HIGH
AC-12Session Termination
MODERATE
HIGH
AC-14Permitted Actions Without Identification Or Authentication
LOW
MODERATE
HIGH
AC-17Remote Access
LOW
MODERATE
HIGH
AC-17(1)Monitoring And Control
MODERATE
HIGH
AC-17(2)Protection Of Confidentiality And Integrity Using Encryption
MODERATE
HIGH
AC-17(3)Managed Access Control Points
MODERATE
HIGH
AC-17(4)Privileged Commands And Access
MODERATE
HIGH
AC-18Wireless Access
LOW
MODERATE
HIGH
AC-18(1)Authentication And Encryption
MODERATE
HIGH
AC-18(3)Disable Wireless Networking
MODERATE
HIGH
AC-19Access Control For Mobile Devices
LOW
MODERATE
HIGH
AC-19(5)Full Device Or Container-Based Encryption
MODERATE
HIGH
AC-20Use Of External Systems
LOW
MODERATE
HIGH
AC-20(1)Limits On Authorized Use
MODERATE
HIGH
AC-20(2)Portable Storage Devices — Restricted Use
MODERATE
HIGH
AC-21Information Sharing
MODERATE
HIGH
AC-22Publicly Accessible Content
LOW
MODERATE
HIGH
AT — Awareness and Training (6 controls)
AU — Audit and Accountability (16 controls)
AU-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
AU-2Event Logging
LOW
MODERATE
HIGH
PRIVACY
AU-3Content Of Audit Records
LOW
MODERATE
HIGH
AU-3(1)Additional Audit Information
MODERATE
HIGH
AU-4Audit Log Storage Capacity
LOW
MODERATE
HIGH
AU-5Response To Audit Logging Process Failures
LOW
MODERATE
HIGH
AU-6Audit Record Review, Analysis, And Reporting
LOW
MODERATE
HIGH
AU-6(1)Automated Process Integration
MODERATE
HIGH
AU-6(3)Correlate Audit Record Repositories
MODERATE
HIGH
AU-7Audit Record Reduction And Report Generation
MODERATE
HIGH
AU-7(1)Automatic Processing
MODERATE
HIGH
AU-8Time Stamps
LOW
MODERATE
HIGH
AU-9Protection Of Audit Information
LOW
MODERATE
HIGH
AU-9(4)Access By Subset Of Privileged Users
MODERATE
HIGH
AU-11Audit Record Retention
LOW
MODERATE
HIGH
PRIVACY
AU-12Audit Record Generation
LOW
MODERATE
HIGH
CA — Assessment, Authorization, and Monitoring (10 controls)
CA-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
CA-2Control Assessments
LOW
MODERATE
HIGH
PRIVACY
CA-2(1)Independent Assessors
MODERATE
HIGH
CA-3Information Exchange
LOW
MODERATE
HIGH
CA-5Plan Of Action And Milestones
LOW
MODERATE
HIGH
PRIVACY
CA-6Authorization
LOW
MODERATE
HIGH
PRIVACY
CA-7Continuous Monitoring
LOW
MODERATE
HIGH
PRIVACY
CA-7(1)Independent Assessment
MODERATE
HIGH
CA-7(4)Risk Monitoring
LOW
MODERATE
HIGH
PRIVACY
CA-9Internal System Connections
LOW
MODERATE
HIGH
CM — Configuration Management (24 controls)
CM-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
CM-2Baseline Configuration
LOW
MODERATE
HIGH
CM-2(2)Automation Support For Accuracy And Currency
MODERATE
HIGH
CM-2(3)Retention Of Previous Configurations
MODERATE
HIGH
CM-2(7)Configure Systems And Components For High-Risk Areas
MODERATE
HIGH
CM-3Configuration Change Control
MODERATE
HIGH
CM-3(2)Testing, Validation, And Documentation Of Changes
MODERATE
HIGH
CM-3(4)Security And Privacy Representatives
MODERATE
HIGH
CM-4Impact Analyses
LOW
MODERATE
HIGH
PRIVACY
CM-4(2)Verification Of Controls
MODERATE
HIGH
CM-5Access Restrictions For Change
LOW
MODERATE
HIGH
CM-6Configuration Settings
LOW
MODERATE
HIGH
CM-7Least Functionality
LOW
MODERATE
HIGH
CM-7(1)Periodic Review
MODERATE
HIGH
CM-7(2)Prevent Program Execution
MODERATE
HIGH
CM-7(5)Authorized Software — Allow-By-Exception
MODERATE
HIGH
CM-8System Component Inventory
LOW
MODERATE
HIGH
CM-8(1)Updates During Installation And Removal
MODERATE
HIGH
CM-8(3)Automated Unauthorized Component Detection
MODERATE
HIGH
CM-9Configuration Management Plan
MODERATE
HIGH
CM-10Software Usage Restrictions
LOW
MODERATE
HIGH
CM-11User-Installed Software
LOW
MODERATE
HIGH
CM-12Information Location
MODERATE
HIGH
CM-12(1)Automated Tools To Support Information Location
MODERATE
HIGH
CP — Contingency Planning (23 controls)
CP-1Policy And Procedures
LOW
MODERATE
HIGH
CP-2Contingency Plan
LOW
MODERATE
HIGH
CP-2(1)Coordinate With Related Plans
MODERATE
HIGH
CP-2(3)Resume Mission And Business Functions
MODERATE
HIGH
CP-2(8)Identify Critical Assets
MODERATE
HIGH
CP-3Contingency Training
LOW
MODERATE
HIGH
CP-4Contingency Plan Testing
LOW
MODERATE
HIGH
CP-4(1)Coordinate With Related Plans
MODERATE
HIGH
CP-6Alternate Storage Site
MODERATE
HIGH
CP-6(1)Separation From Primary Site
MODERATE
HIGH
CP-6(3)Accessibility
MODERATE
HIGH
CP-7Alternate Processing Site
MODERATE
HIGH
CP-7(1)Separation From Primary Site
MODERATE
HIGH
CP-7(2)Accessibility
MODERATE
HIGH
CP-7(3)Priority Of Service
MODERATE
HIGH
CP-8Telecommunications Services
MODERATE
HIGH
CP-8(1)Priority Of Service Provisions
MODERATE
HIGH
CP-8(2)Single Points Of Failure
MODERATE
HIGH
CP-9System Backup
LOW
MODERATE
HIGH
CP-9(1)Testing For Reliability And Integrity
MODERATE
HIGH
CP-9(8)Cryptographic Protection
MODERATE
HIGH
CP-10System Recovery And Reconstitution
LOW
MODERATE
HIGH
CP-10(2)Transaction Recovery
MODERATE
HIGH
IA — Identification and Authentication (24 controls)
IA-1Policy And Procedures
LOW
MODERATE
HIGH
IA-2Identification And Authentication (Organizational Users)
LOW
MODERATE
HIGH
IA-2(1)Multi-Factor Authentication To Privileged Accounts
LOW
MODERATE
HIGH
IA-2(2)Multi-Factor Authentication To Non-Privileged Accounts
LOW
MODERATE
HIGH
IA-2(8)Access To Accounts — Replay Resistant
LOW
MODERATE
HIGH
IA-2(12)Acceptance Of Piv Credentials
LOW
MODERATE
HIGH
IA-3Device Identification And Authentication
MODERATE
HIGH
IA-4Identifier Management
LOW
MODERATE
HIGH
IA-4(4)Identify User Status
MODERATE
HIGH
IA-5Authenticator Management
LOW
MODERATE
HIGH
IA-5(1)Password-Based Authentication
LOW
MODERATE
HIGH
IA-5(2)Public Key-Based Authentication
MODERATE
HIGH
IA-5(6)Protection Of Authenticators
MODERATE
HIGH
IA-6Authentication Feedback
LOW
MODERATE
HIGH
IA-7Cryptographic Module Authentication
LOW
MODERATE
HIGH
IA-8Identification And Authentication (Non-Organizational Users)
LOW
MODERATE
HIGH
IA-8(1)Acceptance Of Piv Credentials From Other Agencies
LOW
MODERATE
HIGH
IA-8(2)Acceptance Of External Authenticators
LOW
MODERATE
HIGH
IA-8(4)Use Of Defined Profiles
LOW
MODERATE
HIGH
IA-11Re-Authentication
LOW
MODERATE
HIGH
IA-12Identity Proofing
MODERATE
HIGH
IA-12(2)Identity Evidence
MODERATE
HIGH
IA-12(3)Identity Evidence Validation And Verification
MODERATE
HIGH
IA-12(5)Address Confirmation
MODERATE
HIGH
IR — Incident Response (13 controls)
IR-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
IR-2Incident Response Training
LOW
MODERATE
HIGH
PRIVACY
IR-3Incident Response Testing
MODERATE
HIGH
PRIVACY
IR-3(2)Coordination With Related Plans
MODERATE
HIGH
IR-4Incident Handling
LOW
MODERATE
HIGH
PRIVACY
IR-4(1)Automated Incident Handling Processes
MODERATE
HIGH
IR-5Incident Monitoring
LOW
MODERATE
HIGH
PRIVACY
IR-6Incident Reporting
LOW
MODERATE
HIGH
PRIVACY
IR-6(1)Automated Reporting
MODERATE
HIGH
IR-6(3)Supply Chain Coordination
MODERATE
HIGH
IR-7Incident Response Assistance
LOW
MODERATE
HIGH
PRIVACY
IR-7(1)Automation Support For Availability Of Information And Support
MODERATE
HIGH
IR-8Incident Response Plan
LOW
MODERATE
HIGH
PRIVACY
MA — Maintenance (9 controls)
MA-1Policy And Procedures
LOW
MODERATE
HIGH
MA-2Controlled Maintenance
LOW
MODERATE
HIGH
MA-3Maintenance Tools
MODERATE
HIGH
MA-3(1)Inspect Tools
MODERATE
HIGH
MA-3(2)Inspect Media
MODERATE
HIGH
MA-3(3)Prevent Unauthorized Removal
MODERATE
HIGH
MA-4Nonlocal Maintenance
LOW
MODERATE
HIGH
MA-5Maintenance Personnel
LOW
MODERATE
HIGH
MA-6Timely Maintenance
MODERATE
HIGH
MP — Media Protection (7 controls)
PE — Physical and Environmental Protection (18 controls)
PE-1Policy And Procedures
LOW
MODERATE
HIGH
PE-2Physical Access Authorizations
LOW
MODERATE
HIGH
PE-3Physical Access Control
LOW
MODERATE
HIGH
PE-4Access Control For Transmission
MODERATE
HIGH
PE-5Access Control For Output Devices
MODERATE
HIGH
PE-6Monitoring Physical Access
LOW
MODERATE
HIGH
PE-6(1)Intrusion Alarms And Surveillance Equipment
MODERATE
HIGH
PE-8Visitor Access Records
LOW
MODERATE
HIGH
PE-9Power Equipment And Cabling
MODERATE
HIGH
PE-10Emergency Shutoff
MODERATE
HIGH
PE-11Emergency Power
MODERATE
HIGH
PE-12Emergency Lighting
LOW
MODERATE
HIGH
PE-13Fire Protection
LOW
MODERATE
HIGH
PE-13(1)Detection Systems — Automatic Activation And Notification
MODERATE
HIGH
PE-14Environmental Controls
LOW
MODERATE
HIGH
PE-15Water Damage Protection
LOW
MODERATE
HIGH
PE-16Delivery And Removal
LOW
MODERATE
HIGH
PE-17Alternate Work Site
MODERATE
HIGH
PL — Planning (7 controls)
PL-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
PL-2System Security And Privacy Plans
LOW
MODERATE
HIGH
PRIVACY
PL-4Rules Of Behavior
LOW
MODERATE
HIGH
PRIVACY
PL-4(1)Social Media And External Site/Application Usage Restrictions
LOW
MODERATE
HIGH
PRIVACY
PL-8Security And Privacy Architectures
MODERATE
HIGH
PRIVACY
PL-10Baseline Selection
LOW
MODERATE
HIGH
PL-11Baseline Tailoring
LOW
MODERATE
HIGH
PS — Personnel Security (9 controls)
PS-1Policy And Procedures
LOW
MODERATE
HIGH
PS-2Position Risk Designation
LOW
MODERATE
HIGH
PS-3Personnel Screening
LOW
MODERATE
HIGH
PS-4Personnel Termination
LOW
MODERATE
HIGH
PS-5Personnel Transfer
LOW
MODERATE
HIGH
PS-6Access Agreements
LOW
MODERATE
HIGH
PRIVACY
PS-7External Personnel Security
LOW
MODERATE
HIGH
PS-8Personnel Sanctions
LOW
MODERATE
HIGH
PS-9Position Descriptions
LOW
MODERATE
HIGH
RA — Risk Assessment (10 controls)
RA-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
RA-2Security Categorization
LOW
MODERATE
HIGH
RA-3Risk Assessment
LOW
MODERATE
HIGH
PRIVACY
RA-3(1)Supply Chain Risk Assessment
LOW
MODERATE
HIGH
RA-5Vulnerability Monitoring And Scanning
LOW
MODERATE
HIGH
RA-5(2)Update Vulnerabilities To Be Scanned
LOW
MODERATE
HIGH
RA-5(5)Privileged Access
MODERATE
HIGH
RA-5(11)Public Disclosure Program
LOW
MODERATE
HIGH
RA-7Risk Response
LOW
MODERATE
HIGH
PRIVACY
RA-9Criticality Analysis
MODERATE
HIGH
SA — System and Services Acquisition (17 controls)
SA-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
SA-2Allocation Of Resources
LOW
MODERATE
HIGH
PRIVACY
SA-3System Development Life Cycle
LOW
MODERATE
HIGH
PRIVACY
SA-4Acquisition Process
LOW
MODERATE
HIGH
PRIVACY
SA-4(1)Functional Properties Of Controls
MODERATE
HIGH
SA-4(2)Design And Implementation Information For Controls
MODERATE
HIGH
SA-4(9)Functions, Ports, Protocols, And Services In Use
MODERATE
HIGH
SA-4(10)Use Of Approved Piv Products
LOW
MODERATE
HIGH
SA-5System Documentation
LOW
MODERATE
HIGH
SA-8Security And Privacy Engineering Principles
LOW
MODERATE
HIGH
SA-9External System Services
LOW
MODERATE
HIGH
PRIVACY
SA-9(2)Identification Of Functions, Ports, Protocols, And Services
MODERATE
HIGH
SA-10Developer Configuration Management
MODERATE
HIGH
SA-11Developer Testing And Evaluation
MODERATE
HIGH
PRIVACY
SA-15Development Process, Standards, And Tools
MODERATE
HIGH
SA-15(3)Criticality Analysis
MODERATE
HIGH
SA-22Unsupported System Components
LOW
MODERATE
HIGH
SC — System and Communications Protection (25 controls)
SC-1Policy And Procedures
LOW
MODERATE
HIGH
SC-2Separation Of System And User Functionality
MODERATE
HIGH
SC-4Information In Shared System Resources
MODERATE
HIGH
SC-5Denial-Of-Service Protection
LOW
MODERATE
HIGH
SC-7Boundary Protection
LOW
MODERATE
HIGH
SC-7(3)Access Points
MODERATE
HIGH
SC-7(4)External Telecommunications Services
MODERATE
HIGH
SC-7(5)Deny By Default — Allow By Exception
MODERATE
HIGH
SC-7(7)Split Tunneling For Remote Devices
MODERATE
HIGH
SC-7(8)Route Traffic To Authenticated Proxy Servers
MODERATE
HIGH
SC-8Transmission Confidentiality And Integrity
MODERATE
HIGH
SC-8(1)Cryptographic Protection
MODERATE
HIGH
SC-10Network Disconnect
MODERATE
HIGH
SC-12Cryptographic Key Establishment And Management
LOW
MODERATE
HIGH
SC-13Cryptographic Protection
LOW
MODERATE
HIGH
SC-15Collaborative Computing Devices And Applications
LOW
MODERATE
HIGH
SC-17Public Key Infrastructure Certificates
MODERATE
HIGH
SC-18Mobile Code
MODERATE
HIGH
SC-20Secure Name/Address Resolution Service (Authoritative Source)
LOW
MODERATE
HIGH
SC-21Secure Name/Address Resolution Service (Recursive Or Caching Resolver)
LOW
MODERATE
HIGH
SC-22Architecture And Provisioning For Name/Address Resolution Service
LOW
MODERATE
HIGH
SC-23Session Authenticity
MODERATE
HIGH
SC-28Protection Of Information At Rest
MODERATE
HIGH
SC-28(1)Cryptographic Protection
MODERATE
HIGH
SC-39Process Isolation
LOW
MODERATE
HIGH
SI — System and Information Integrity (18 controls)
SI-1Policy And Procedures
LOW
MODERATE
HIGH
PRIVACY
SI-2Flaw Remediation
LOW
MODERATE
HIGH
SI-2(2)Automated Flaw Remediation Status
MODERATE
HIGH
SI-3Malicious Code Protection
LOW
MODERATE
HIGH
SI-4System Monitoring
LOW
MODERATE
HIGH
SI-4(2)Automated Tools And Mechanisms For Real-Time Analysis
MODERATE
HIGH
SI-4(4)Inbound And Outbound Communications Traffic
MODERATE
HIGH
SI-4(5)System-Generated Alerts
MODERATE
HIGH
SI-5Security Alerts, Advisories, And Directives
LOW
MODERATE
HIGH
SI-7Software, Firmware, And Information Integrity
MODERATE
HIGH
SI-7(1)Integrity Checks
MODERATE
HIGH
SI-7(7)Integration Of Detection And Response
MODERATE
HIGH
SI-8Spam Protection
MODERATE
HIGH
SI-8(2)Automatic Updates
MODERATE
HIGH
SI-10Information Input Validation
MODERATE
HIGH
SI-11Error Handling
MODERATE
HIGH
SI-12Information Management And Retention
LOW
MODERATE
HIGH
PRIVACY
SI-16Memory Protection
MODERATE
HIGH
SR — Supply Chain Risk Management (12 controls)
SR-1Policy And Procedures
LOW
MODERATE
HIGH
SR-2Supply Chain Risk Management Plan
LOW
MODERATE
HIGH
SR-2(1)Establish Scrm Team
LOW
MODERATE
HIGH
SR-3Supply Chain Controls And Processes
LOW
MODERATE
HIGH
SR-5Acquisition Strategies, Tools, And Methods
LOW
MODERATE
HIGH
SR-6Supplier Assessments And Reviews
MODERATE
HIGH
SR-8Notification Agreements
LOW
MODERATE
HIGH
SR-10Inspection Of Systems Or Components
LOW
MODERATE
HIGH
SR-11Component Authenticity
LOW
MODERATE
HIGH
SR-11(1)Anti-Counterfeit Training
LOW
MODERATE
HIGH
SR-11(2)Configuration Control For Component Service And Repair
LOW
MODERATE
HIGH
SR-12Component Disposal
LOW
MODERATE
HIGH