Withdrawn Draft

Warning Notice

The attached draft document has been withdrawn, and is provided solely for historical purposes.
It has been superseded by the document identified below.

Withdrawal Date September 23, 2020

Original Release Date March 16, 2020

Superseding Document

Status Final

Series/Number NIST Special Publication 800-53 Revision 5

Title Security and Privacy Controls for Information Systems and

Organizations

Publication Date September 2020

DOI https://doi.org/10.6028/NIST.SP.800-53r5

CSRC URL https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Additional Information FISMA Implementation Project

https://csrc.nist.gov/projects/risk-management
 Draft NIST Special Publication 800-53
Revision 5

Security and Privacy Controls for

Information Systems and Organizations

JOINT TASK FORCE

This publication contains a consolidated catalog
of security and privacy controls for information
systems and organizations. Federal security and
privacy control baselines will be published in NIST
Special Publication 800-53B. FINAL PUBLIC DRAFT

This publication is available free of charge from:

https://doi.org/10.6028/NIST.SP.800-53r5-draft
 Draft NIST Special Publication 800-53
Revision 5

Security and Privacy Controls for

Information Systems and Organizations

JOINT TASK FORCE

This publication is available free of charge from:

https://doi.org/10.6028/NIST.SP.800-53r5-draft

March 2020

U.S. Department of Commerce

Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology

Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1 Authority
2 This publication has been developed by NIST to further its statutory responsibilities under the
3 Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law
4 (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
5 including minimum requirements for federal information systems. Such information security
6 standards and guidelines shall not apply to national security systems without the express
7 approval of the appropriate federal officials exercising policy authority over such systems. This
8 guideline is consistent with the requirements of the Office of Management and Budget (OMB)
9 Circular A-130.

10 Nothing in this publication should be taken to contradict the standards and guidelines made
11 mandatory and binding on federal agencies by the Secretary of Commerce under statutory
12 authority. Nor should these guidelines be interpreted as altering or superseding the existing
13 authorities of the Secretary of Commerce, OMB Director, or any other federal official. This
14 publication may be used by nongovernmental organizations on a voluntary basis and is not
15 subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

16 National Institute of Standards and Technology Special Publication 800-53, Revision 5

17 Natl. Inst. Stand. Technol. Spec. Publ. 800-53, Rev. 5, 480 pages (March 2020)
18 CODEN: NSPUE2
19 This publication is available free of charge from:
20 https://doi.org/10.6028/NIST.SP.800-53r5-draft
21
22
Certain commercial entities, equipment, or materials may be identified in this document to describe
23 an experimental procedure or concept adequately. Such identification is not intended to imply
24 recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
25
There may be references in this publication to other publications currently under development by
26
NIST in accordance with its assigned statutory responsibilities. The information in this publication,
27 including concepts, practices, and methodologies may be used by federal agencies even before the
28 completion of such companion publications. Thus, until each publication is completed, current
requirements, guidelines, and procedures, where they exist, remain operative. For planning and
29 transition purposes, federal agencies may wish to closely follow the development of these new
30 publications by NIST.
31 Organizations are encouraged to review draft publications during the designated public comment
periods and provide feedback to NIST. Many NIST publications, other than the ones noted above,
32 are available at https://csrc.nist.gov/publications.
33
34
35 Public comment period: March 16 through May 15, 2020
36 National Institute of Standards and Technology
37 Attn: Computer Security Division, Information Technology Laboratory
38 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
39 Email: sec-cert@nist.gov

40 All comments are subject to release under the Freedom of Information Act (FOIA) [FOIA96].

PAGE i
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

41 Reports on Computer Systems Technology

42 The National Institute of Standards and Technology (NIST) Information Technology Laboratory
43 (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the
44 Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference
45 data, proof of concept implementations, and technical analyses to advance the development
46 and productive use of information technology (IT). ITL’s responsibilities include the development
47 of management, administrative, technical, and physical standards and guidelines for the cost-
48 effective security of other than national security-related information in federal information
49 systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach
50 efforts in information systems security and privacy and its collaborative activities with industry,
51 government, and academic organizations.

52 Abstract
53 This publication provides a catalog of security and privacy controls for federal information
54 systems and organizations to protect organizational operations and assets, individuals, other
55 organizations, and the Nation from a diverse set of threats and risks, including hostile attacks,
56 natural disasters, structural failures, human errors, and privacy risks. The controls are flexible
57 and customizable and implemented as part of an organization-wide process to manage risk. The
58 controls address diverse requirements derived from mission and business needs, laws, executive
59 orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated
60 catalog of controls addresses security and privacy from a functionality perspective (i.e., the
61 strength of functions and mechanisms provided by the controls) and an assurance perspective
62 (i.e., the measure of confidence in the security or privacy capability provided by the controls).
63 Addressing both functionality and assurance ensures that information technology products and
64 the information systems that rely on those products are sufficiently trustworthy.

65 Keywords
66 Assurance; availability; computer security; confidentiality; control; cybersecurity; FISMA;
67 information security; information system; integrity; personally identifiable information; Privacy
68 Act; privacy controls; privacy functions; privacy requirements; Risk Management Framework;
69 security controls; security functions; security requirements; system; system security.

PAGE ii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

70 Acknowledgements
71 This publication was developed by the Joint Task Force Interagency Working Group. The group
72 includes representatives from the Civil, Defense, and Intelligence Communities. The National
73 Institute of Standards and Technology wishes to acknowledge and thank the senior leaders from
74 the Departments of Commerce and Defense, the Office of the Director of National Intelligence,
75 the Committee on National Security Systems, and the members of the interagency working
76 group whose dedicated efforts contributed significantly to the publication.

77 Department of Defense Office of the Director of National

78 Intelligence
79 Dana Deasy John Sherman
80 Chief Information Officer Chief Information Officer
81 Essye B. Miller La’nala Jones
82 Principal Deputy CIO Deputy Chief Information Officer
83 Jack Wilmer Ben Phelps
84 Deputy CIO for Cybersecurity and CISO Acting Director, Cybersecurity Division and CISO
85 Donald Heckman Vacant
86 Principal Deputy CIO for Cybersecurity Director, Security Coordination Center
87 Kevin Dulany
88 Director, Cybersecurity Policy and Partnerships

89 National Institute of Standards Committee on National Security

90 and Technology Systems
91 Charles H. Romine Jack Wilmer
92 Director, Information Technology Laboratory Chair
93 Donna Dodson Susan Dorr
94 Cybersecurity Advisor, Information Technology Laboratory Co-Chair
95 Matt Scholl Kevin Dulany
96 Chief, Computer Security Division Tri-Chair—Defense Community
97 Kevin Stine Chris Johnson
98 Chief, Applied Cybersecurity Division Tri-Chair—Intelligence Community
99 Ron Ross Vicki Michetti
100 FISMA Implementation Project Leader Tri-Chair—Civil Agencies

101 Joint Task Force Working Group

102 Ron Ross Kevin Dulany Dorian Pappas Kelley Dempsey
103 NIST, JTF Leader DoD Intelligence Community NIST
104 Jody Jacobs Victoria Pillitteri Daniel Faigin Naomi Lefkovitz
105 NIST NIST Aerospace Corporation NIST
106 Esten Porter Ned Goren Christina Sames Christian Enloe
107 The MITRE Corporation NIST The MITRE Corporation NIST
108 David Black Rich Graubart Peter Duspiva Kaitlin Boeckl
109 The MITRE Corporation The MITRE Corporation Intelligence Community NIST
110 Dominic Cussatt Deb Bodeau Andrew Regenscheid Celia Paulsen
111 Veterans Affairs The MITRE Corporation NIST NIST
112 Eduardo Takamura Ryan Wagner Julie Snyder Jon Boyens
113 NIST Institute for Defense Analyses The MITRE Corporation NIST

PAGE iii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

114 In addition to the above acknowledgments, a special note of thanks goes to Jeff Brewer, Jim Foti
115 and the NIST web team for their outstanding administrative support. The authors also wish to
116 recognize Kristen Baldwin, Carol Bales, John Bazile, Jennifer Besceglie, Sean Brooks, Ruth
117 Cannatti, Kathleen Coupe, Keesha Crosby, Charles Cutshall, Ja’Nelle DeVore, Jennifer Fabius, Jim
118 Fenton, Matthew Halstead, Kevin Herms, Hildy Ferraiolo, Ryan Galluzzo, Robin Gandhi, Mike
119 Garcia, Paul Grassi, Marc Groman, Matthew Halstead, Scott Hill, Ralph Jones, Martin Kihiko,
120 Raquel Leone, Jason Marsico, Kirsten Moncada, Ellen Nadeau, Elaine Newton, Michael Nieles,
121 Michael Nussdorfer, Taylor Roberts, Jasmeet Seehra, Joe Stuntz, the Federal Privacy Council’s
122 Risk Management Subcommittee, the professional staff from the NIST Computer Security
123 Division and Applied Cybersecurity Division, and representatives from the Federal CIO Council
124 and Interagency Working Group for their ongoing contributions in helping to improve the
125 content of the publication. Finally, the authors gratefully acknowledge the significant
126 contributions from individuals and organizations in the public and private sectors, nationally and
127 internationally, whose insightful and constructive comments improved the overall quality,
128 thoroughness, and usefulness of this publication.

HISTORICAL CONTRIBUTIONS TO NIST SPECIAL PUBLICATION 800-53

The authors wanted to acknowledge the many individuals who contributed to previous versions
of Special Publication 800-53 since its inception in 2005. They include Marshall Abrams, Dennis
Bailey, Lee Badger, Curt Barker, Matthew Barrett, Nadya Bartol, Frank Belz, Paul Bicknell, Deb
Bodeau, Paul Brusil, Brett Burley, Bill Burr, Dawn Cappelli, Roger Caslow, Corinne Castanza, Mike
Cooper, Matt Coose, George Dinolt, Randy Easter, Kurt Eleam, Denise Farrar, Dave Ferraiolo,
Cita Furlani, Harriett Goldman, Peter Gouldmann, Tim Grance, Jennifer Guild, Gary Guissanie,
Sarbari Gupta, Priscilla Guthrie, Richard Hale, Peggy Himes, Bennett Hodge, William Hunteman,
Cynthia Irvine, Arnold Johnson, Roger Johnson, Donald Jones, Lisa Kaiser, Stu Katzke, Sharon
Keller, Tom Kellermann, Cass Kelly, Eustace King, Steve LaFountain, Annabelle Lee, Robert Lentz,
Steven Lipner, William MacGregor, Thomas Macklin, Thomas Madden, Robert Martin, Erika
McCallister, Tim McChesney, Michael McEvilley, Rosalie McQuaid, Peter Mell, John Mildner,
Pam Miller, Sandra Miravalle, Joji Montelibano, Douglas Montgomery, George Moore, Rama
Moorthy, Mark Morrison, Harvey Newstrom, Sherrill Nicely, Robert Niemeyer, LouAnna
Notargiacomo, Pat O’Reilly, Tim Polk, Karen Quigg, Steve Quinn, Mark Riddle, Ed Roback, Cheryl
Roby, George Rogers, Scott Rose, Mike Rubin, Karen Scarfone, Roger Schell, Jackie Snouffer, Ray
Snouffer, Murugiah Souppaya, Gary Stoneburner, Keith Stouffer, Marianne Swanson, Pat Toth,
Glenda Turner, Patrick Viscuso, Joe Weiss, Richard Wilsher, Mark Wilson, John Woodward, and
Carol Woody.

PAGE iv
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

129 Notes to Reviewers

130 General Overview
131 As we push computers to “the edge,” building an increasingly complex world of interconnected
132 information systems and devices, security and privacy continue to dominate the national dialog.
133 The Defense Science Board in its 2017 report, Task Force on Cyber Defense, provides a sobering
134 assessment of the current vulnerabilities in the U.S. critical infrastructure and the information
135 systems that support mission essential operations.
136 “...The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce
137 pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on
138 deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more
139 proactive and systematic approach to U.S. cyber deterrence is urgently needed...”

140 There is an urgent need to strengthen the underlying information systems, component
141 products, and services that we depend on in every sector of the critical infrastructure to help
142 ensure those systems, components, and services are sufficiently trustworthy and provide the
143 necessary resilience to support the economic and national security interests of the United
144 States.

145 This update to NIST Special Publication 800-53 responds to the call by the Defense Science
146 Board by embarking on a proactive and systemic approach to develop comprehensive
147 safeguarding measures for all types of computing platforms, including general purpose
148 computing systems, cyber-physical systems, cloud and mobile systems, industrial/process
149 control systems, and Internet of Things (IoT) devices. Those safeguarding measures include
150 security and privacy controls to protect the critical and essential mission and business
151 operations of organizations, the organization’s high value assets, and the personal privacy of
152 individuals. The objective is to make the information systems we depend on more penetration
153 resistant to cyber-attacks; limit the damage from those attacks when they occur; make the
154 systems cyber resilient and survivable; and protect the security and privacy of information.

155 Revision 5 of this foundational NIST publication represents a multi-year effort to develop the
156 next generation security and privacy controls that will be needed to accomplish the above
157 objectives. It includes changes to make the controls more consumable by diverse consumer
158 groups including, for example, enterprises conducting mission and business operations;
159 engineering organizations developing all types of information systems and systems-of-systems;
160 and industry partners developing system components, products, and services. The major
161 changes to the publication include:
162 • Creating security and privacy controls that are more outcome-based by changing the
163 structure of the controls;
164 • Fully integrating privacy controls into the security control catalog creating a consolidated
165 and unified set of controls;
166 • Adding two new control families for privacy and supply chain risk management;
167 • Integrating the Program Management control family into the consolidated catalog of
168 controls;

PAGE v
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

169 • Separating the control selection process from the controls—allowing controls to be used by
170 different communities of interest including systems engineers, systems security engineers,
171 privacy engineers; software developers, enterprise architects; and mission/business owners;
172 • Separating the control catalog from the control baselines;
173 • Promoting alignment with different risk management and cybersecurity approaches and
174 lexicons, including the Cybersecurity Framework and Privacy Framework;
175 • Clarifying the relationship between security and privacy to improve the selection of controls
176 necessary to address the full scope of security and privacy risks; and
177 • Incorporating new, state-of-the-practice controls based on threat intelligence, empirical
178 attack data, and systems engineering and supply chain risk management best practices
179 including controls to strengthen cybersecurity and privacy governance and accountability;
180 controls to support secure system design; and controls to support cyber resiliency and
181 system survivability.

182 Privacy Integration

183 NIST began work to incorporate privacy controls into the existing security control catalog in the
184 Special Publication 800-53, Revision 4 (circa 2013). Revision 4 added a new appendix of privacy
185 controls and related implementation guidance (Appendix J) based on the Fair Information
186 Practice Principles. Revision 5 continues the incorporation of privacy into the control catalog by
187 expanding the suite of privacy controls and moving them from an appendix into the fully
188 integrated main catalog. The expanded control catalog also includes specific references to
189 OMB’s guidance on breach response and the Foundations for Evidence-Based Policymaking Act
190 of 2018.

191 Security and Privacy Collaboration Index

192 The integration of security and privacy controls into one catalog recognizes the essential
193 relationship between security and privacy objectives. This relationship requires security and
194 privacy officials to collaborate across the system development life cycle. In particular, control
195 implementation is one area in which collaboration is important. Because security and privacy
196 objectives are aligned in many circumstances, the implementation of a particular control can
197 support achievement of both sets of objectives. However, there are also circumstances when
198 controls are implemented differently to achieve the respective objectives, or the method of
199 implementation can impact the objectives of the other program. Thus, it is important that
200 security and privacy programs collaborate effectively with respect to the implementation of
201 controls to ensure that both programs’ objectives are met appropriately.

202 In an attempt to provide better guidance on implementation collaboration, NIST requests

203 feedback on the concept of a collaboration index for each control. The index is intended to
204 indicate the degree of collaboration between security and privacy programs for each control.
205 Criteria for selecting controls (control baselines) will be addressed separately in forthcoming
206 NIST Special Publication 800-53B.

PAGE vi
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

207 The following options are proposed for a collaboration index:

OPTION 1 OPTION 2

Controls are primarily implemented by security Security programs have primary

S programs – minimal collaboration needed responsibility for implementation – minimal
between security and privacy programs. collaboration needed between security and
S privacy programs.
Controls are generally implemented by security
SP programs – moderate collaboration needed
between security and privacy programs.
Controls are implemented by security and privacy Security and privacy programs both have
programs – full collaboration needed between responsibilities for implementation – more
SP security and privacy programs. SP than minimal collaboration is needed
between security and privacy programs.
Controls are generally implemented by privacy Privacy programs have primary responsibility
PS programs – moderate collaboration needed for implementation – minimal collaboration
between security and privacy programs. needed between security and privacy
P programs.
Controls are primarily implemented by privacy
P programs – minimal collaboration needed
between security and privacy programs.
208

209 This collaboration index is a starting point to facilitate discussion between security and privacy
210 programs since the degree of collaboration needed for control implementation for specific
211 systems depends on many factors.
212
213 For purposes of review and comment, three control families are identified as notional examples:
214 Access Control (AC); Program Management (PM); and Personally Identifiable Information
215 Processing and Transparency (PT). The notional examples are provided as a Notes to Reviewers
216 Supplement following Appendix D.

217 We are interested in comments in the following areas.

218 • Does an implementation collaboration index for each control provide meaningful guidance
219 to both privacy and security professionals? If so, how? If not, what are potential issues and
220 concerns?
221 • Which option (3-gradient scale or 5-gradient scale) is preferred and why?
222 • Are there other recommendations for a collaboration index?
223 • Are there recommendations on other ways to provide more guidance on collaboration?
224 • Are there recommendations for how the collaboration index should be integrated with the
225 controls? For example, should the collaboration index be included as an Appendix to SP 800-
226 53, included as a section of the control, included in related publication, or some other
227 method?

PAGE vii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

228 Summary
229 For ease of review, a short summary of all significant changes made to SP 800-53 from Revision
230 4 to Revision 5 is provided at the publication landing page under Supplemental Material. A
231 number of controls have changed, been renamed, and/or have additional discussion for context
232 for better privacy integration.

233 As part of the project to develop the next generation controls, some of the content in previous
234 versions of Special Publication 800-53 will be moved to other publications, new publications,
235 and the NIST web site. For example, control baselines can be found in a new publication, NIST
236 Special Publication 800-53B, Control Baselines for Information Systems and Organizations.
237 Control mapping tables and keywords can be found on the NIST web site as part of the new
238 automated control delivery system debuting in the near future. The content in NIST Special
239 Publication 800-53, Revision 4, will remain active for one year after the new and the updated
240 publications are finalized.

241 We encourage you to use the comment template provided when submitting your comments.
242 Comments on Draft Special Publication 800-53, Revision 5 must be received by May 15. Please
243 submit comments to sec-cert@nist.gov.

244 Your feedback on this draft publication is important to us. We appreciate each contribution
245 from our reviewers. The very insightful comments from both the public and private sectors,
246 nationally and internationally, continue to help shape the final publication to ensure that it
247 meets the needs and expectations of our customers.

248 - RON ROSS

249 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

PAGE viii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

250 Call for Patent Claims

251 This public review includes a call for information on essential patent claims (claims whose use
252 would be required for compliance with the guidance or requirements in this Information
253 Technology Laboratory (ITL) draft publication). Such guidance and/or requirements may be
254 directly stated in this ITL Publication or by reference to another publication. This call includes
255 disclosure, where known, of the existence of pending U.S. or foreign patent applications relating
256 to this ITL draft publication and of any relevant unexpired U.S. or foreign patents.

257 ITL may require from the patent holder, or a party authorized to make assurances on its behalf,
258 in written or electronic form, either:
259 a) assurance in the form of a general disclaimer to the effect that such party does not hold
260 and does not currently intend holding any essential patent claim(s); or
261 b) assurance that a license to such essential patent claim(s) will be made available to
262 applicants desiring to utilize the license for the purpose of complying with the guidance
263 or requirements in this ITL draft publication either:
264 i) under reasonable terms and conditions that are demonstrably free of any unfair
265 discrimination; or
266 ii) without compensation and under reasonable terms and conditions that are
267 demonstrably free of any unfair discrimination.

268 Such assurance shall indicate that the patent holder (or third party authorized to make
269 assurances on its behalf) will include in any documents transferring ownership of patents
270 subject to the assurance, provisions sufficient to ensure that the commitments in the assurance
271 are binding on the transferee, and that the transferee will similarly include appropriate
272 provisions in the event of future transfers with the goal of binding each successor-in-interest.
273
274 The assurance shall also indicate that it is intended to be binding on successors-in-interest
275 regardless of whether such provisions are included in the relevant transfer documents.

276 Such statements should be addressed to: sec-cert@nist.gov.

PAGE ix
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

277

COMPLIANCE AND DUE DILIGENCE

Compliance necessitates organizations exercise due diligence regarding information security and
privacy risk management. Security and privacy due diligence requires organizations to establish
a comprehensive risk management program, in part, that uses the flexibility in NIST publications
to categorize systems, select and implement security and privacy controls that meet mission and
business needs, assess the effectiveness of the controls, and authorize and monitor the system.
Risk management frameworks and risk management processes are essential in developing,
implementing, and maintaining the protection measures that are necessary to address
stakeholder needs and the current threats to organizational operations and assets, individuals,
other organizations, and the Nation. Employing effective risk-based processes, procedures,
methods, and technologies ensures that information systems and organizations have the
necessary trustworthiness and resiliency to support essential missions and business functions,
the U.S. critical infrastructure, and continuity of government.

PAGE x
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

278

COMMON SECURITY AND PRIVACY FOUNDATIONS

In working with the Office of Management and Budget to develop standards and guidelines
required by FISMA, NIST consults with federal agencies, state, local, and tribal governments, and
private sector organizations to improve information security and privacy; avoid unnecessary and
costly duplication of effort; and ensure that its publications are complementary with the
standards and guidelines used for the protection of national security systems. In addition to a
comprehensive and transparent public review and vetting process, NIST is engaged in a
collaborative partnership with the Office of Management and Budget, Office of the Director of
National Intelligence, Department of Defense, Committee on National Security Systems, Federal
CIO Council, and Federal Privacy Council—establishing a Risk Management Framework for
information security and privacy for the federal government. This common foundation provides
the federal government and their contractors, cost-effective, flexible, and consistent ways to
manage security and privacy risks to organizational operations and assets, individuals, other
organizations, and the Nation. The framework provides a basis for reciprocal acceptance of
security and privacy control assessment evidence and authorization decisions and facilitates
information sharing and collaboration. NIST continues to work with public and private sector
entities to establish mappings and relationships between the standards and guidelines
developed by NIST and those developed by other organizations. NIST anticipates using these
mappings, and the gaps they identify, to improve the control catalog.

PAGE xi
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

279

DEVELOPMENT OF INFORMATION SYSTEMS, COMPONENTS, AND SERVICES

With a renewed nation-wide emphasis on the use of trustworthy, secure information systems
and supply chain security, it is essential that organizations express their security and privacy
requirements with clarity and specificity to obtain from industry the systems, components, and
services necessary for mission and business success. Accordingly, this publication provides
controls in the System and Services Acquisition (SA) and Supply Chain Risk Management (SR)
families that are directed at developers. The scope of the controls in those families includes
information system, system component, and system service development and the associated
developers whether the development is conducted internally by organizations or externally
through the contracting and acquisition processes. The affected controls in the control catalog
include SA-8, SA-10, SA-11, SA-15, SA-16, SA-17, SA-20, SA-21, SR-3, SR-4, SR-5, SR-6, SR-7, SR-8,
SR-9, and SR-11.

PAGE xii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

280

INFORMATION SYSTEMS — A BROAD-BASED PERSPECTIVE

As we push computers to “the edge” building an increasingly complex world of interconnected
information systems and devices, security and privacy continue to dominate the national
dialogue. There is an urgent need to further strengthen the underlying information systems,
products, and services that we depend on in every sector of the critical infrastructure—ensuring
those systems, components, and services are sufficiently trustworthy and provide the necessary
resilience to support the economic and national security interests of the United States. NIST
Special Publication 800-53 (Revision 5) responds to this need by embarking on a proactive and
systemic approach to develop and make available to a broad base of public and private sector
organizations, a comprehensive set of security and privacy safeguarding measures for all types
of computing platforms, including general purpose computing systems; cyber-physical systems;
cloud and mobile systems; industrial and process control systems; and Internet of Things (IoT)
devices. Those safeguarding measures include both security and privacy controls to protect the
critical and essential operations and assets of organizations and the privacy of individuals. The
ultimate objective is to make the information systems we depend on more penetration resistant
to attacks; limit the damage from attacks when they occur; and make the systems resilient,
survivable, and protective of individuals’ privacy.

PAGE xiii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

281

CONTROL BASELINES
The control baselines that have previously been included in NIST Special Publication 800-53 have
been relocated to NIST Special Publication 800-53B. Special Publication 800-53B contains control
baselines for federal information systems and organizations. It provides guidance for tailoring
control baselines and for developing overlays to support security and privacy requirements of
stakeholders and their organizations.

PAGE xiv
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

282

USE OF EXAMPLES IN THIS PUBLICATION

Throughout this publication, examples are used to illustrate, clarify, or explain certain items in
chapter sections, controls, and control enhancements. These examples are illustrative in nature
and are not intended to limit or constrain the application of controls or control enhancements
by organizations.

PAGE xv
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

283

FEDERAL RECORDS MANAGEMENT COLLABORATION

Federal records management processes have a nexus with certain information security and
privacy requirements and controls. For example, records officers may be managing records
retention, including when records will be deleted. Collaborating with records officers on the
selection and implementation of security and privacy controls related to records management
can support consistency and efficiency and ultimately strengthen the organization’s security and
privacy posture.

PAGE xvi
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

284 Table of Contents

285 CHAPTER ONE INTRODUCTION ...................................................................................................... 1
286 1.1 PURPOSE AND APPLICABILITY ................................................................................................... 2
287 1.2 TARGET AUDIENCE .................................................................................................................. 3
288 1.3 ORGANIZATIONAL RESPONSIBILITIES......................................................................................... 3
289 1.4 RELATIONSHIP TO OTHER PUBLICATIONS................................................................................... 5
290 1.5 REVISIONS AND EXTENSIONS .................................................................................................... 5
291 1.6 PUBLICATION ORGANIZATION .................................................................................................. 5
292 CHAPTER TWO THE FUNDAMENTALS ............................................................................................ 7
293 2.1 REQUIREMENTS AND CONTROLS .............................................................................................. 7
294 2.2 STRUCTURE AND ORGANIZATION ............................................................................................. 8
295 2.3 CONTROL DESIGNATIONS ....................................................................................................... 11
296 2.4 SECURITY AND PRIVACY CONTROLS ......................................................................................... 12
297 2.5 TRUSTWORTHINESS AND ASSURANCE ..................................................................................... 13
298 CHAPTER THREE THE CONTROLS ................................................................................................. 15
299 3.1 ACCESS CONTROL .................................................................................................................. 17
300 3.2 AWARENESS AND TRAINING ................................................................................................... 58
301 3.3 AUDIT AND ACCOUNTABILITY ................................................................................................. 64
302 3.4 ASSESSMENT, AUTHORIZATION, AND MONITORING ................................................................. 82
303 3.5 CONFIGURATION MANAGEMENT ........................................................................................... 94
304 3.6 CONTINGENCY PLANNING .................................................................................................... 112
305 3.7 IDENTIFICATION AND AUTHENTICATION ............................................................................... 127
306 3.8 INCIDENT RESPONSE ............................................................................................................ 145
307 3.9 MAINTENANCE.................................................................................................................... 157
308 3.10 MEDIA PROTECTION .......................................................................................................... 166
309 3.11 PHYSICAL AND ENVIRONMENTAL PROTECTION .................................................................... 174
310 3.12 PLANNING ........................................................................................................................ 189
311 3.13 PROGRAM MANAGEMENT ................................................................................................. 197
312 3.14 PERSONNEL SECURITY ........................................................................................................ 215
313 3.15 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY ....................... 221
314 3.16 RISK ASSESSMENT.............................................................................................................. 230
315 3.17 SYSTEM AND SERVICES ACQUISITION .................................................................................. 241
316 3.18 SYSTEM AND COMMUNICATIONS PROTECTION ................................................................... 283
317 3.19 SYSTEM AND INFORMATION INTEGRITY .............................................................................. 323
318 3.20 SUPPLY CHAIN RISK MANAGEMENT..................................................................................... 354
319 APPENDIX A REFERENCES .......................................................................................................... 364
320 APPENDIX B GLOSSARY .............................................................................................................. 382
321 APPENDIX C ACRONYMS ............................................................................................................ 411
322 APPENDIX D CONTROL SUMMARIES.......................................................................................... 414
323

PAGE xvii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

324 Executive Summary

325 As we continue to push computers to “the edge,” building an increasingly complex world of
326 connected information systems and devices, security and privacy continue to dominate the
327 national dialogue. The Defense Science Board (DSB) in its 2017 report entitled, Task Force on
328 Cyber Deterrence [DSB 2017], provides a sobering assessment of the current vulnerabilities in
329 the U.S. critical infrastructure and the information systems that support the mission-essential
330 operations and assets in the public and private sectors.
331 “…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing
332 efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States
333 must lean significantly on deterrence to address the cyber threat posed by the most capable
334 U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber
335 deterrence is urgently needed…”

336 There is an urgent need to further strengthen the underlying information systems, component
337 products, and services that the nation depends on in every sector of the critical infrastructure—
338 ensuring those systems, components, and services are sufficiently trustworthy and provide the
339 necessary resilience to support the economic and national security interests of the United
340 States. This update to NIST Special Publication 800-53 responds to the call by the DSB by
341 embarking on a proactive and systemic approach to develop and make available to a broad base
342 of public and private sector organizations, a comprehensive set of safeguarding measures for all
343 types of computing platforms, including general purpose computing systems, cyber-physical
344 systems, cloud-based systems, mobile devices, and industrial and process control systems.
345 Those safeguarding measures include implementing security and privacy controls to protect the
346 critical and essential operations and assets of organizations and the privacy of individuals. The
347 objective is to make the information systems we depend on more penetration resistant; limit
348 the damage from attacks when they occur; make the systems cyber resilient and survivable; and
349 protect individuals’ privacy.

350 Revision 5 of this foundational NIST publication represents a multi-year effort to develop the
351 next generation of security and privacy controls that will be needed to accomplish the above
352 objectives. It includes changes to make the controls more usable by diverse consumer groups
353 (e.g., enterprises conducting mission and business operations; engineering organizations
354 developing information systems, IoT devices, and systems-of-systems; and industry partners
355 building system components, products, and services). The most significant changes to the
356 publication include:
357 • Making the controls more outcome-based by changing the control structure to eliminate the
358 distinction within each control statement regarding whether the control is expected to be
359 satisfied by an information system (i.e., using information technology or other information
360 resources) or by an organization (i.e., through policies or procedures);
361 • Integrating information security and privacy controls into a seamless, consolidated control
362 catalog for information systems and organizations;
363 • Establishing a new supply chain risk management control family;
364 • Separating control selection processes from the controls, thereby allowing the controls to be
365 used by different communities of interest, including systems engineers, security architects,

PAGE xviii
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

366 software developers, enterprise architects, systems security and privacy engineers, and
367 mission or business owners;
368 • Removing control baselines and tailoring guidance from the publication and transferring the
369 content to NIST Special Publication 800-53B, Security and Privacy Control Baselines for
370 Information Systems and Organizations (Projected for publication in 2019);
371 • Clarifying the relationship between requirements and controls and the relationship between
372 security and privacy controls; and
373 • Incorporating new, state-of-the-practice controls (e.g., controls to support cyber resiliency,
374 controls to support secure systems design, and controls to strengthen security and privacy
375 governance and accountability)—all based on the latest threat intelligence and cyber-attack
376 data.

377 In separating the process of control selection from the actual controls and removing the control
378 baselines, a significant amount of guidance and other informative material previously contained
379 in Special Publication 800-53 was eliminated from the publication. That content will be moved
380 to other NIST publications such as Special Publication 800-37 (Risk Management Framework)
381 and Special Publication 800-53B during the next update cycle. In the near future, NIST also plans
382 to transition the content of Special Publications 800-53, 800-53A, and 800-53B to a web-based
383 portal to provide its customers interactive, online access to all control, control baseline, overlay,
384 and assessment information.

PAGE xix
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

385 Prologue
386 “…Through the process of risk management, leaders must consider risk to US interests from
387 adversaries using cyberspace to their advantage and from our own efforts to employ the global
388 nature of cyberspace to achieve objectives in military, intelligence, and business operations… “
389 “…For operational plans development, the combination of threats, vulnerabilities, and impacts
390 must be evaluated in order to identify important trends and decide where effort should be
391 applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess,
392 coordinate, and deconflict all cyberspace operations…”
393 “…Leaders at all levels are accountable for ensuring readiness and security to the same degree as
394 in any other domain…"

395 THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS

396 OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
397
398 __________
399
400 “Networking and information technology [are] transforming life in the 21st century, changing
401 the way people, businesses, and government interact. Vast improvements in computing, storage,
402 and communications are creating new opportunities for enhancing our social wellbeing;
403 improving health and health care; eliminating barriers to education and employment; and
404 increasing efficiencies in many sectors such as manufacturing, transportation, and agriculture.

405 The promise of these new applications often stems from their ability to create, collect, transmit,
406 process, and archive information on a massive scale. However, the vast increase in the quantity
407 of personal information that is being collected and retained, combined with the increased ability
408 to analyze it and combine it with other information, is creating valid concerns about privacy and
409 about the ability of entities to manage these unprecedented volumes of data responsibly…. A key
410 challenge of this era is to assure that growing capabilities to create, capture, store, and process
411 vast quantities of information will not damage the core values of the country….”

412 “…When systems process personal information, whether by collecting, analyzing, generating,
413 disclosing, retaining, or otherwise using the information, they can impact privacy of individuals.
414 System designers need to account for individuals as stakeholders in the overall development of
415 the solution. …Designing for privacy must connect individuals’ privacy desires with system
416 requirements and controls in a way that effectively bridges the aspirations with development….”

417 THE NATIONAL PRIVACY RESEARCH STRATEGY

418 NATIONAL SCIENCE AND TECHNOLOGY COUNCIL, NETWORKING AND INFORMATION TECHNOLOGY RESEARCH AND DEVELOPMENT PROGRAM

PAGE xx
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

419 Errata
420 This table contains changes that have been incorporated into Special Publication 800-53. Errata
421 updates can include corrections, clarifications, or other minor changes in the publication that
422 are either editorial or substantive in nature.

DATE TYPE REVISION PAGE

423

PAGE xxi
 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

424 CHAPTER ONE

425 INTRODUCTION
426 THE NEED TO PROTECT INFORMATION, SYSTEMS, ORGANIZATIONS, AND INDIVIDUALS

427 Modern information systems 1 can include a variety of computing platforms (e.g., industrial and
428 process control systems; general purpose computing systems; cyber-physical systems; super
429 computers; weapons systems; communications systems; environmental control systems;
430 embedded devices; sensors; medical devices; and mobile devices such as smart phones and
431 tablets). The various platforms all share a common foundation—computers with complex
432 software and firmware providing a capability that supports the essential missions and business
433 functions of organizations.

434 Security controls are the safeguards or countermeasures selected and implemented within an
435 information system or an organization to protect the confidentiality, integrity, and availability of
436 the system and its information and to manage information security risk. Privacy controls are the
437 administrative, technical, and physical safeguards employed within a system or an organization
438 to ensure compliance with applicable privacy requirements and to manage privacy risks. 2
439 Security and privacy controls are selected and implemented to satisfy security and privacy
440 requirements levied on an information system or organization. The requirements are derived
441 from applicable laws, executive orders, directives, regulations, policies, standards, and mission
442 needs to ensure the confidentiality, integrity, and availability of information processed, stored,
443 or transmitted, and to manage risks to individual privacy. The selection, design, and effective
444 implementation of controls 3 are important tasks that have significant implications for the
445 operations and assets of organizations as well as the welfare of individuals and the Nation. 4

446 There are several key questions that should be answered by organizations when addressing
447 information security and privacy requirements:
448 • What security and privacy controls are needed to satisfy security and privacy requirements
449 and to adequately manage risk? 5
450 • Have the selected controls been designed and implemented or is there a design and
451 implementation plan in place?
452 • What is the required level of assurance (i.e., grounds for confidence) that the selected
453 controls, as designed and implemented, are effective? 6

1 An information system is a discrete set of information resources organized for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of information.
2 [OMB A-130] defines security controls and privacy controls.

3 In addition to viewing controls solely from a compliance perspective, controls are important tools that provide

safeguards and countermeasures in systems security and privacy engineering processes to reduce risk during the
system development life cycle.
4 Organizational operations include mission, functions, image, and reputation.

5 Security and privacy risks are ultimately mission/business risks or risks to individuals and must be considered early

and throughout the system development life cycle.

6 Security and privacy control effectiveness addresses the extent to which the controls are designed and implemented

correctly, operating as intended, and producing the desired outcome with respect to meeting the designated security
and privacy requirements for the system.

CHAPTER ONE PAGE 1

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

454 The answers to these questions are not given in isolation, but rather in the context of an
455 effective risk management process for the organization that identifies, assesses, responds to,
456 and monitors on an ongoing basis, security and privacy risks arising from its information and
457 systems. The security and privacy controls in this publication are recommended for use by
458 organizations to satisfy their information security and privacy requirements. The control catalog
459 can be viewed as a toolbox containing a collection of mitigations, techniques, and processes to
460 address threats, vulnerabilities, and risk. The controls are employed as part of a well-defined
461 and effective risk management process that supports organizational information security and
462 privacy programs. In turn, those information security and privacy programs are a significant
463 foundation for the success of the missions and business functions of the organization.

464 It is of paramount importance that responsible officials understand the security and privacy risks
465 that could adversely affect organizational operations, organizational assets, individuals, other
466 organizations, and the Nation. 7 These officials must also understand the current status of their
467 security and privacy programs and the controls planned or in place to protect information,
468 information systems, and organizations in order to make informed judgments and investments
469 that respond to identified risks in an acceptable manner. The objective is to manage these risks
470 through the selection and implementation of security and privacy controls.

471 1.1 PURPOSE AND APPLICABILITY

472 This publication establishes controls for federal information systems 8 and organizations. The use
473 of these controls is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the
474 provisions of the Federal Information Security Modernization Act 9 [FISMA], which requires the
475 implementation of minimum controls to protect federal information and information systems. 10
476 The controls can be implemented within any organization or information system that processes,
477 stores, or transmits information. This publication, along with other supporting NIST publications,
478 is designed to help organizations identify the security and privacy controls needed to manage
479 risk and to satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974
480 [PRIVACT], OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing
481 Standards (FIPS), among others. It accomplishes this objective by providing a comprehensive
482 and flexible catalog of security and privacy controls to meet current and future protection needs
483 based on changing threats, vulnerabilities, requirements, and technologies. The publication also
484 improves communication among organizations by providing a common lexicon that supports
485 discussion of security, privacy, and risk management concepts.

7 This includes risk to critical infrastructure and key resources described in [HSPD-7].
8A federal information system is an information system used or operated by an agency, by a contractor of an agency,
or by another organization on behalf of an agency.
9 Information systems that have been designated as national security systems, as defined in 44 U.S.C., Section 3542,

are not subject to the requirements in [FISMA]. However, the controls established in this publication may be selected
for national security systems as otherwise required (e.g., the Privacy Act of 1974) or with the approval of federal
officials exercising policy authority over such systems. [CNSSP 22] and [CNSSI 1253] provide guidance for national
security systems. [DODI 8510.01] provides guidance for the Department of Defense.
10 While the controls established in this publication are mandatory for federal information systems and organizations,

other organizations such as state, local, and tribal governments, as well as private sector organizations are
encouraged to consider using these guidelines, as appropriate. See [SP 800-53B] for federal control baselines.

CHAPTER ONE PAGE 2

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

486 Finally, the controls in the catalog are independent of the process employed to select those
487 controls. Such selection processes can be part of an organization-wide risk management
488 process, a systems engineering process, 11 the Risk Management Framework (RMF), or the
489 Cybersecurity Framework. 12 The control selection criteria can be guided and informed by many
490 factors, including mission and business needs; stakeholder protection needs; vulnerabilities;
491 threats; and requirements to comply with laws, executive orders, directives, regulations,
492 policies, standards, and guidelines. The combination of a comprehensive set of the security
493 and privacy controls and a risk-based control selection process can help organizations comply
494 with stated security and privacy requirements, obtain adequate security for their information
495 systems, and protect privacy for individuals.

496 1.2 TARGET AUDIENCE

497 This publication is intended to serve a diverse audience including:
498 • Individuals with system, information security, privacy, or risk management and oversight
499 responsibilities, including authorizing officials, chief information officers, senior agency
500 information security officers, and senior agency officials for privacy;
501 • Individuals with system development responsibilities, including mission owners, program
502 managers, system engineers, system security engineers, privacy engineers, hardware and
503 software developers, system integrators, and acquisition or procurement officials;
504 • Individuals with logistical or disposition-related responsibilities, including program
505 managers, procurement officials, system integrators, and property managers;
506 • Individuals with security and privacy implementation and operations responsibilities,
507 including mission or business owners, system owners, information owners or stewards,
508 system administrators, system security or privacy officers;
509 • Individuals with security and privacy assessment and monitoring responsibilities, including
510 auditors, Inspectors General, system evaluators, control assessors, independent verifiers
511 and validators, and analysts; and
512 • Commercial entities, including industry partners, producing component products and
513 systems, creating security and privacy technologies, or providing services or capabilities that
514 support information security or privacy.

515 1.3 ORGANIZATIONAL RESPONSIBILITIES

516 Managing security and privacy risks is a complex, multifaceted undertaking that requires:
517 • Well-defined security and privacy requirements for systems and organizations;
518 • Rigorous security and privacy planning and system life cycle management;
519 • The use of trustworthy information system components based on state-of-the-practice
520 hardware, firmware, and software development and acquisition processes;

11Risk management is an integral part of systems engineering, systems security engineering, and privacy engineering.
12[OMB A-130] requires federal agencies to implement the NIST Risk Management Framework for the selection of
controls for federal information systems. [EO 13800] requires federal agencies to implement the NIST Framework for
Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk.

CHAPTER ONE PAGE 3

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

521 • The application of system security and privacy engineering principles and practices to
522 securely integrate system components into information systems;
523 • The employment of security and privacy practices that are well documented and integrated
524 into and supportive of the institutional and operational processes of organizations; and
525 • Continuous monitoring of information systems and organizations to determine the ongoing
526 effectiveness of controls, changes in information systems and environments of operation,
527 and the state of security and privacy organization-wide.

528 Organizations continuously assess the security and privacy risks to organizational operations and
529 assets, individuals, other organizations, and the Nation. These risks arise from the planning and
530 execution of their missions and business functions and by placing information systems into
531 operation or continuing system operations. Realistic assessments of risk require a thorough
532 understanding of the susceptibility to threats based on the vulnerabilities in information
533 systems and organizations and the likelihood and potential adverse impacts of successful
534 exploitations of such vulnerabilities by those threats. 13 Risk assessments also require an
535 understanding of privacy risks. 14 To address these concerns, security and privacy requirements
536 are satisfied with the knowledge and understanding of the organizational risk management
537 strategy 15 considering the cost, schedule, and performance issues associated with the design,
538 development, acquisition, deployment, operation, and sustainment of the organizational
539 information systems.

540 The catalog of security and privacy controls can be effectively used to protect organizations,
541 individuals, and information systems from traditional and advanced persistent threats and
542 privacy risks arising from the processing of personally identifiable information in varied
543 operational, environmental, and technical scenarios. The controls can be used to demonstrate
544 compliance with a variety of governmental, organizational, or institutional security and privacy
545 requirements. Organizations have the responsibility to select the appropriate security and
546 privacy controls, to implement the controls correctly, and to demonstrate the effectiveness of
547 the controls in satisfying security and privacy requirements. 16

548 Organizational risk assessments are used, in part, to inform the security and privacy control
549 selection process. The selection process results in an agreed-upon set of security and privacy
550 controls addressing specific mission or business needs consistent with organizational risk
551 tolerance. 17 The process preserves, to the greatest extent possible, the agility and flexibility that
552 organizations need to address an increasingly sophisticated and hostile threat space, mission
553 and business requirements, rapidly changing technologies, complex supply chains, and many
554 types of operational environments. Security and privacy controls can also be used in developing
555 specialized baselines or overlays for unique or specialized missions or business applications,

13 [SP 800-30] provides guidance on the risk assessment process.

14 [IR 8062] introduces privacy risk concepts.
15 [SP 800-39] provides guidance on risk management strategy.

16 [SP 800-53A] provides guidance on assessing the effectiveness of controls.

17 Authorizing officials or their designated representatives, by accepting the security and privacy plans, agree to the

security and privacy controls proposed to meet the security and privacy requirements for organizations and systems.

CHAPTER ONE PAGE 4

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

556 information systems, threat concerns, operational environments, technologies, or communities

557 of interest. 18

558 1.4 RELATIONSHIP TO OTHER PUBLICATIONS

559 This publication defines controls to satisfy a diverse set of security and privacy requirements
560 that have been levied on information systems and organizations—and that are consistent with
561 and complementary to other recognized national and international information security and
562 privacy standards. To develop a broadly applicable and technically sound set of controls for
563 information systems and organizations, many sources were considered during the development
564 of this publication. These sources included requirements and controls from the manufacturing,
565 defense, financial, healthcare, transportation, energy, intelligence, industrial control, and audit
566 communities as well as national and international standards organizations. Whenever possible,
567 the controls in this publication have been mapped to international standards to help ensure
568 maximum usability and applicability. 19 The controls have also been mapped to the requirements
569 for federal information systems included in [OMB A-130]. 20

570 1.5 REVISIONS AND EXTENSIONS

571 The security and privacy controls described in this publication represent the state-of-the-
572 practice protection measures for individuals, information systems, and organizations. The
573 controls are reviewed and revised periodically to reflect the experience gained from using the
574 controls; new or revised laws, executive orders, directives, regulations, policies, and standards;
575 changing security and privacy requirements; emerging threats, vulnerabilities, attack and
576 information processing methods; and the availability of new technologies. The security and
577 privacy controls in the control catalog are also expected to change over time as controls are
578 withdrawn, revised, and added. In addition to the need for change, the need for stability is
579 addressed by requiring that proposed modifications to security and privacy controls go through
580 a rigorous and transparent public review process to obtain public and private sector feedback
581 and to build a consensus for such change. This provides a stable, flexible, and technically sound
582 set of security and privacy controls for the organizations that use the control catalog.

583 1.6 PUBLICATION ORGANIZATION

584 The remainder of this special publication is organized as follows:
585 • Chapter Two describes the fundamental concepts associated with security and privacy
586 controls, including the structure of controls and how the controls are organized in the
587 consolidated catalog; control designations; the relationship between security and privacy
588 controls; and trustworthiness and assurance.
589 • Chapter Three provides a consolidated catalog of security and privacy controls including a
590 discussion section to explain the purpose of each control and to provide useful information

18 [SP 800-53B] provides guidance for tailoring security and privacy control baselines and for developing overlays to
support the specific protection needs and requirements of stakeholders and their organizations.
19 Mapping tables and related information are available at https://csrc.nist.gov.

20 [OMB A-130] establishes policy for the planning, budgeting, governance, acquisition, and management of federal

information, personnel, equipment, funds, IT resources and supporting infrastructure and services.

CHAPTER ONE PAGE 5

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

591 regarding control implementation and assessment; a list of related controls to show the
592 relationships and dependencies among controls; and a list of references to supporting
593 publications that may be helpful to organizations.
594 • Supporting appendices provide additional information on the use of security and privacy
595 controls including:
596 - General references; 21
597 - Definitions and terms;
598 - Acronyms; and
599 - Summary tables for controls.

21 Unless otherwise stated, all references to NIST publications refer to the most recent version of those publications.

CHAPTER ONE PAGE 6

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

600 CHAPTER TWO

601 THE FUNDAMENTALS

602 STRUCTURE, TYPE, AND ORGANIZATION OF SECURITY AND PRIVACY CONTROLS

603 This chapter presents the fundamental concepts associated with security and privacy controls,
604 including the relationship between requirements and controls; the structure of controls; how
605 control flexibility is achieved through well-defined tailoring actions; how controls are organized
606 in the consolidated control catalog; the different ways to designate the types of controls for
607 information systems and organizations; the relationship between security and privacy controls;
608 the purpose of control baselines and how tailoring is used to customize controls and baselines;
609 and the importance of the concepts of trustworthiness and assurance for both security and
610 privacy controls and the effect on achieving trustworthy, secure, and resilient systems.

611 2.1 REQUIREMENTS AND CONTROLS

612 It is important to understand the relationship between requirements and controls. The term
613 requirements can be used in different contexts. In the context of federal information security
614 and privacy policies, the term is generally used to refer to information security and privacy
615 obligations imposed on organizations. For example, [OMB A-130] imposes information security
616 and privacy requirements with which federal agencies must comply when managing information
617 resources. In addition to the use of the term requirements in the context of federal policy, the
618 term requirements can be used in a broader sense to refer to an expression of stakeholder
619 protection needs for a particular system or organization. Stakeholder protection needs and the
620 corresponding security and privacy requirements may be derived from many sources (e.g., laws,
621 executive orders, directives, regulations, policies, standards, mission and business needs, or risk
622 assessments). The term requirements, as used in this guideline, includes both legal and policy
623 requirements, as well as an expression of the broader set of stakeholder protection needs that
624 may be derived from other sources. All of these requirements, when applied to a system, help
625 determine the required characteristics of the system—encompassing security, privacy, and
626 assurance.

627 Organizations may divide security and privacy requirements into more granular categories
628 depending on where the requirements are employed in the System Development Life Cycle
629 (SDLC) and for what purpose. Organizations may use the term capability requirement to describe
630 a capability that the system or organization must provide to satisfy a stakeholder protection
631 need. In addition, organizations may refer to system requirements that pertain to particular
632 hardware, software, and firmware components of a system as specification requirements—that
633 is, capabilities that implement all or part of a control and that may be assessed (i.e., as part of
634 the verification, validation, testing, and evaluation processes). Finally, organizations may use the
635 term statement of work requirements to refer to actions that must be performed operationally
636 or during system development.

637 Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate
638 for achieving the particular security and privacy objectives of the organization and reflecting the
639 protection needs of organizational stakeholders. Controls are selected and implemented by the
640 organization in order to satisfy the system requirements. Controls can include technical aspects,
641 administrative aspects, and physical aspects. In some cases, the selection and implementation of

CHAPTER TWO PAGE 7

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

642 a control may necessitate additional specification by the organization in the form of derived
643 requirements or instantiated control parameter values. The derived requirements and control
644 parameter values may be necessary to provide the appropriate level of implementation detail
645 for particular controls within the SDLC.

646 2.2 STRUCTURE AND ORGANIZATION

647 Security and privacy controls described in this publication have a well-defined organization and
648 structure. For ease of use in the security and privacy control selection and specification process,
649 controls are organized into twenty families. 22 Each family contains security and privacy controls
650 related to the specific topic of the family. A two-character identifier uniquely identifies each
651 control family, for example, PS (Personnel Security). Security and privacy controls may involve
652 aspects of policy, oversight, supervision, manual processes, and automated mechanisms that
653 are implemented by systems or actions by individuals. Table 1 lists the security and privacy
654 control families and their associated family identifiers.

655 TABLE 1: SECURITY AND PRIVACY CONTROL FAMILIES

ID FAMILY ID FAMILY
AC Access Control PE Physical and Environmental Protection
AT Awareness and Training PL Planning
AU Audit and Accountability PM Program Management
CA Assessment, Authorization, and Monitoring PS Personnel Security
CM Configuration Management PT PII Processing and Transparency
CP Contingency Planning RA Risk Assessment
IA Identification and Authentication SA System and Services Acquisition
IR Incident Response SC System and Communications Protection
MA Maintenance SI System and Information Integrity
MP Media Protection SR Supply Chain Risk Management

656

657 Families of controls contain base controls and control enhancements, which are directly related
658 to their base controls. Control enhancements either add functionality or specificity to a base
659 control or increase the strength of a base control. In both cases, control enhancements are used
660 in information systems and environments of operation that require greater protection than
661 provided by the base control due to the potential adverse organizational or individual impacts or
662 when organizations require additions to the base control functionality or assurance based on
663 organizational assessments of risk. The use of control enhancements always requires the use of
664 the base control.

665 Security and privacy controls have the following structure: a base control section; a discussion
666 section; a related controls section; a control enhancements section; and a references section.

22 Seventeen of the twenty control families in NIST Special Publication 800-53 are aligned with the minimum security
requirements in [FIPS 200]. The Program Management (PM) and Supply Chain Risk Management (SR) families address
enterprise-level program management and supply chain risk considerations pertaining to federal mandates emergent
since FIPS Publication 200.

CHAPTER TWO PAGE 8

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

667 Figure 1 illustrates the structure of a typical control.

668
669
Organization-defined Parameter
670 AU-4 AUDIT STORAGE CAPACITY
671 Base Control: Allocate audit record storage capacity to accommodate [Assignment: organization-
defined audit record retention requirements].
672 Control
Discussion: Organizations consider the types of auditing to be performed and the audit
673 processing requirements when allocating audit storage capacity. Allocating sufficient audit
674 storage capacity reduces the likelihood of such capacity being exceeded and resulting in the
potential loss or reduction of auditing capability.
675
676 Related Controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4.

677 Control Enhancements:

Organization-defined Parameter
678 (1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Control Off-load audit records [Assignment: organization-defined frequency] onto a different
679Enhancement
system or media than the system being audited.
680 Discussion: Off-loading is a process designed to preserve the confidentiality and
681 integrity of audit records by moving the records from the primary system to a secondary
or alternate system. It is a common process in systems with limited audit storage
682 capacity; the audit storage is used only in a transitory fashion until the system can
683 communicate with the secondary or alternate system designated for storing the audit
records, at which point the information is transferred.
684
Related Controls: None.
685
References: None.
686 Sources for additional information related to the control

687
688
689 FIGURE 1: CONTROL STRUCTURE

690 The control section prescribes a security or privacy capability to be implemented. Such capability
691 is achieved by the activities or actions, automated or nonautomated, carried out by information
692 systems and organizations. Organizations designate the responsibility for control development,
693 implementation, assessment, and monitoring. Organizations have flexibility to implement the
694 controls selected in whatever manner that satisfies organizational missions or business needs,
695 consistent with law, regulation, and policy.

696 For some controls, additional flexibility is provided by allowing organizations to define specific
697 values for designated parameters associated with the controls. Flexibility is achieved as part of a
698 tailoring process using assignment and selection statements embedded within the controls and
699 enclosed by brackets. The assignment and selection statements give organizations the capability
700 to customize controls based on stakeholder security and privacy requirements. Determination of
701 the organization-defined parameters can evolve from many sources, including laws, executive
702 orders, directives, regulations, policies, standards, guidance, and mission or business needs.
703 Organizational risk assessments and risk tolerance are also important factors in defining the

CHAPTER TWO PAGE 9

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

704 values for control parameters. 23 Organizations are responsible for assigning the parameter
705 values for each selected control. Once specified, the values for the assignment and selection
706 statements become a part of the control. The implementation of the control is assessed against
707 the completed control statement. In contrast to assignment statements which allow complete
708 flexibility in the designation of parameter values, selection statements narrow the range of
709 potential values by providing a specific list of items from which organizations must choose.

710 In addition to assignment and selection statements embedded in a control, additional flexibility
711 is achieved through iteration and refinement actions. Iteration allows organizations to use a
712 control multiple times, with different assignment and selection values, perhaps being applied in
713 different situations or when implementing multiple policies. For example, an organization may
714 have multiple systems implementing a control, but with different parameters established to
715 address different risks for each system and environment of operation. Refinement is the process
716 of providing additional implementation detail to a control. Refinement can also be used to
717 narrow the scope of a control in conjunction with iteration to cover all applicable scopes (e.g.,
718 applying different authentication mechanisms to different system interfaces). The combination
719 of assignment and selection statements and iteration and refinement actions when applied to
720 controls, provides the needed flexibility to allow organizations to satisfy a broad base of security
721 and privacy requirements at the organization, mission/business process, and system levels of
722 implementation.

723 The discussion section provides additional information about a control. Organizations can use
724 the information as needed, when developing, implementing, assessing, or monitoring controls.
725 The information provides important considerations for implementing controls based on mission
726 or business requirements, operational environments, or assessments of risk. The additional
727 information can also explain the purpose of controls and often includes examples. Control
728 enhancements may also include a separate discussion section when the discussion information
729 is applicable only to a specific control enhancement.

730 The related controls section provides a list of controls from the control catalog that impact or
731 support the implementation of a particular control or control enhancement, address a related
732 security or privacy capability, or are referenced in the discussion section. Control enhancements
733 are inherently related to their base control—thus, related controls that are referenced in the
734 base control are not repeated in the control enhancements. However, there may be related
735 controls identified for control enhancements that are not referenced in the base control (i.e.,
736 the related control is only associated with the specific control enhancement). Controls may also
737 be related to enhancements of other base controls. When a control is designated as a related
738 control, a corresponding designation is made on that control in its source location in the catalog
739 to illustrate the two-way relationship.

740 The control enhancements section provides statements of security and privacy capability that
741 augment a base control. The control enhancements are numbered sequentially within each
742 control so that the enhancements can be easily identified when selected to supplement the
743 base control. 24 Each control enhancement has a short subtitle to indicate the intended function

23 In general, organization-defined control parameters used in assignment and selection statements in the base
security and privacy controls apply also to the control enhancements associated with those controls.
24 The numbering or order of the control enhancements does not imply priority or level of importance.

CHAPTER TWO PAGE 10

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

744 or capability provided by the enhancement. In the AU-4 example, if the control enhancement is
745 selected, the control designation becomes AU-4(1). The numerical designation of a control
746 enhancement is used only to identify that enhancement within the control. The designation is
747 not indicative of the strength of the control enhancement, level or degree of protection, or any
748 hierarchical relationship among the enhancements. Control enhancements are not intended to
749 be selected independently. That is, if a control enhancement is selected, then the corresponding
750 base control must also be selected and implemented.

751 The references section includes a list of applicable laws, policies, standards, guidelines, websites,
752 and other useful references that are relevant to a specific control or control enhancement. 25 The
753 references section also contains hyperlinks to specific publications for obtaining additional
754 information for control development, implementation, assessment, and monitoring.
755
756
757
758 SECURITY AS A DESIGN PROBLEM
759 “Providing satisfactory security controls in a computer system is …. a system design problem. A
760 combination of hardware, software, communications, physical, personnel and administrative-
761 procedural safeguards is required for comprehensive security…. software safeguards alone are
762 not sufficient.”
763 -- The Ware Report
764 Defense Science Board Task Force on Computer Security, 1970.
765
766
767

768 2.3 CONTROL DESIGNATIONS

769 There are three types of controls in Chapter Three: common (inheritable) controls, system-
770 specific controls, and hybrid controls. The control types define the scope of applicability for the
771 control; the shared nature or inheritability of the control; and the responsibility for control
772 development, implementation, assessment, and authorization. Each control type has a specific
773 objective and focus that helps organizations select the appropriate controls, implement the
774 controls in an effective manner, and satisfy security and privacy requirements. Implementing
775 certain control types may achieve cost benefits by leveraging security and privacy capabilities
776 across multiple information systems and environments of operation. 26

777 Common controls are security or privacy controls whose implementation results in a capability
778 that is inheritable by multiple information systems or programs. A control is deemed inheritable
779 when the information system or program receives protection from the implemented control,
780 but the control is developed, implemented, assessed, authorized, and monitored by an internal
781 or external entity other than the entity responsible for the system or program. The security and
782 privacy capabilities provided by common controls can be inherited from many sources, including

25 References are provided to assist organizations in applying the security and privacy controls and are not intended

to be inclusive or complete.
26 [SP 800-37] provides additional guidance on control designations and how the different types of controls are used

in the Risk Management Framework.

CHAPTER TWO PAGE 11

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

783 mission or business lines, organizations, enclaves, environments of operation, sites, or other
784 information systems or programs. However, the use of common controls can introduce the risk
785 of a single point of failure.

786 Many of the controls needed to protect organizational information systems, including many
787 physical and environmental protection controls, personnel security controls, and incident
788 response controls are inheritable—and therefore, are good candidates for common control
789 status. Common controls can include technology-based controls, for example, boundary
790 protection controls, access controls, audit and accountability controls, and identification and
791 authentication controls. The cost of development, implementation, assessment, authorization,
792 and monitoring can be amortized across multiple information systems, organizational elements,
793 and programs.

794 Controls not designated as common controls are considered system-specific or hybrid controls.
795 System-specific controls are the primary responsibility of information system owners and the
796 authorizing officials for those systems. Organizations can designate a control as hybrid if a part
797 of the control is common (inheritable) and a part of the control is system-specific. For example,
798 an organization may implement control CP-2 using a predefined template for the contingency
799 plan for all organizational information systems with individual system owners tailoring the plan
800 for system-specific uses, where appropriate. The division of a hybrid control into its common
801 (inheritable) and system-specific parts may vary by organization, depending on the types of
802 information technologies employed, the approach used by the organization to manage its
803 controls, and assignment of responsibilities. When a control is designated as a hybrid control,
804 the common control provider is responsible for implementing, assessing, and monitoring the
805 common part of the hybrid control and the system owner is responsible for implementing,
806 assessing, and monitoring the system-specific part of the hybrid control.

807 The determination as to whether a control is common, hybrid, or system-specific is context-

808 dependent. Controls cannot be determined to be common, hybrid, or system-specific simply
809 based on the language of the control. Identifying controls as common, hybrid, and system-
810 specific can result in significant savings to organizations in implementation and assessment costs
811 and a more consistent application of the controls organization-wide. The identification of
812 controls as common, hybrid, or system-specific is straightforward—however, the actual
813 application takes significant planning and coordination.

814 The planning for a control to be common, hybrid, or system specific is best carried out early in
815 the system development life cycle and is coordinated with the entities providing the control [SP
816 800-37]. Similarly, if a control is to be inheritable, coordination is required with the inheriting
817 entity to ensure the control meets its needs. This is especially important given the nature of
818 control parameters. An inheriting entity cannot assume controls are the same and mitigate the
819 appropriate risk to the system just because the control identifiers (e.g., AC-1) are the same. It is
820 essential to examine the control parameters (e.g., assignment or selection statements) when
821 determining if the control is adequate to mitigate system-specific risks.

822 2.4 SECURITY AND PRIVACY CONTROLS

823 Information security programs are responsible for protecting information and information
824 systems from unauthorized access, use, disclosure, disruption, modification, or destruction (i.e.,
825 unauthorized activity or system behavior) to provide confidentiality, integrity, and availability.

CHAPTER TWO PAGE 12

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

826 Privacy programs are responsible for ensuring compliance with applicable privacy requirements
827 and for managing risks to individuals associated with the creation, collection, use, processing,
828 storage, maintenance, dissemination, disclosure, or disposal (collectively referred to as
829 “processing”) of personally identifiable information. 27 Security and privacy program objectives
830 overlap with respect to the security of personally identifiable information; therefore, many
831 controls are selected to meet both sets of objectives and are considered both security controls
832 and privacy controls. Moreover, even when an organization selects a particular control to meet
833 security objectives only, the way the control is implemented may impact aspects of individuals’
834 privacy. Therefore, controls may include privacy considerations in the discussion section so that
835 organizations can take the potential risks for individuals’ privacy into account as they determine
836 the best way to implement the controls.

837 Selecting and implementing the appropriate controls require close collaboration between
838 information security programs and privacy programs when information systems are processing
839 personally identifiable information. Organizations consider how to promote and institutionalize
840 collaboration between the two programs to help ensure that the objectives of both disciplines
841 are met. When a system processes personally identifiable information, the organizations’
842 information security program and privacy program have a shared responsibility for managing
843 the security risks to the personally identifiable information in the system. Due to this shared
844 responsibility, controls that achieve both security and privacy objectives are considered both
845 privacy and security controls. Identification and Authentication (IA) controls are examples of
846 such controls.

847 2.5 TRUSTWORTHINESS AND ASSURANCE

848 The trustworthiness of systems, system components, and system services is an important part
849 of the risk management strategies developed by organizations. 28 Trustworthiness, in this
850 context, means worthy of being trusted to fulfill whatever requirements may be needed for a
851 component, subsystem, system, network, application, mission, business function, enterprise, or
852 other entity. 29 Trustworthiness requirements can include attributes of reliability, dependability,
853 performance, resilience, safety, security, privacy, and survivability under a range of potential
854 adversity in the form of disruptions, hazards, threats, and privacy risks. Effective measures of
855 trustworthiness are meaningful only to the extent the requirements are sufficiently complete
856 and well-defined and can be accurately assessed.

857 Two fundamental components affecting the trustworthiness of systems are functionality and
858 assurance. Functionality is defined in terms of the security and privacy features, functions,
859 mechanisms, services, procedures, and architectures implemented within organizational
860 systems and programs, and the environments in which those systems and programs operate.
861 Assurance is the measure of confidence that the system functionality is implemented correctly,
862 operating as intended, and producing the desired outcome with respect to meeting the security

27 Privacy programs may also choose to consider the risks to individuals that may arise from their interactions with

information systems, where the processing of personally identifiable information may be less impactful than the
effect the system has on individuals’ behavior or activities. Such effects would constitute risks to individual autonomy
and organizations may need to take steps to manage those risks in addition to information security and privacy risks.
28 [SP 800-160 v1] provides guidance on systems security engineering and the application of security design principles

to achieve trustworthy systems.

29 See [NEUM04].

CHAPTER TWO PAGE 13

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

863 and privacy requirements for the system—thus possessing the capability to accurately mediate
864 and enforce established security and privacy policies.

865 In general, the task of providing meaningful assurance that a system is likely to do what is
866 expected of it can be enhanced by techniques that simplify or narrow the analysis, for example,
867 by increasing the discipline applied to the system architecture, software design, specifications,
868 code style, and configuration management. Security and privacy controls address functionality
869 and assurance. Certain controls focus primarily on functionality while other controls focus
870 primarily on assurance. Some controls can support functionality and assurance. Organizations
871 can select assurance-related controls to define system development activities, to generate
872 evidence about the functionality and behavior of the system, and to trace the evidence to the
873 specific system elements that provide such functionality or exhibit such behavior. The evidence
874 is used to obtain a degree of confidence that the system satisfies the stated security and privacy
875 requirements—while supporting the organization’s missions and business functions. Assurance-
876 related controls are identified in the control summary tables in Appendix D.

EVIDENCE OF CONTROL IMPLEMENTATION

It is important for organizations to consider during control development and implementation,
the evidence (e.g., artifacts, documentation) that will be needed to support current and future
control assessments. Such assessments help determine whether the controls are implemented
correctly, operating as intended, and satisfying security and privacy policies—thus, providing
essential information for senior leaders to make credible risk-based decisions.

CHAPTER TWO PAGE 14

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

877 CHAPTER THREE

878 THE CONTROLS

879 SECURITY AND PRIVACY CONTROLS AND CONTROL ENHANCEMENTS

880 This catalog of security and privacy controls provides protective measures for systems,
881 organizations, and individuals. 30 The controls are designed to facilitate compliance with
882 applicable laws, executive orders, directives, regulations, policies, and standards. The security
883 and privacy controls in the catalog, with few exceptions, are policy, technology, and sector
884 neutral—meaning the controls focus on the fundamental measures necessary to protect
885 information and the privacy of individuals across the information life cycle. While security and
886 privacy controls are largely policy, technology, and sector neutral, that does not imply that the
887 controls are policy, technology, and sector unaware. Understanding policies, technologies, and
888 sectors is necessary so that the controls are relevant when implemented. Employing a policy,
889 technology, and sector neutral control catalog has many benefits. It encourages organizations
890 to:
891 • Focus on the security and privacy functions and capabilities required for mission and
892 business success and the protection of information and the privacy of individuals,
893 irrespective of the technologies that are employed in organizational systems;
894 • Analyze each security and privacy control for its applicability to specific technologies,
895 environments of operation, missions and business functions, and communities of interest;
896 and
897 • Specify security and privacy policies as part of the tailoring process for controls that have
898 variable parameters.

899 In the few cases where specific technologies are referenced in controls, organizations are
900 cautioned that the need to manage security and privacy risks in all likelihood goes beyond the
901 requirements in a single control associated with a technology. The additional needed protection
902 measures are obtained from the other controls in the catalog. Federal Information Processing
903 Standards, Special Publications, and Interagency/Internal Reports provide guidance on security
904 and privacy controls for specific technologies and sector-specific applications, including smart
905 grid, cloud, healthcare, mobile, industrial and process control systems, and IoT devices. NIST
906 publications are cited as references as applicable to specific controls in sections 3.1 through
907 3.20.

908 Security and privacy controls in the catalog are expected to change over time, as controls are
909 withdrawn, revised, and added. To maintain stability in security and privacy plans, controls are
910 not renumbered each time a control is withdrawn. Rather, notations of the controls that have
911 been withdrawn are maintained in the control catalog for historical purposes. Controls may be
912 withdrawn for a variety of reasons, including the function or capability provided by the control
913 has been incorporated into another control; the control is redundant to an existing control; or
914 the control is deemed to be no longer necessary or effective.

30 The controls in this publication are available online and can be obtained in various formats. See [NVD 800-53].

CHAPTER THREE PAGE 15

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

915 New controls are developed on a regular basis using threat and vulnerability information and
916 information on the tactics, techniques, and procedures used by adversaries. In addition, new
917 controls are developed based on a better understanding of how to mitigate information security
918 risks to systems and organizations and risks to the privacy of individuals arising from information
919 processing. Finally, new controls are developed based on new or changing requirements in laws,
920 executive orders, regulations, policies, standards, or guidelines. Proposed modifications to the
921 controls are carefully analyzed during each revision cycle, considering the need for stability of
922 controls and the need to be responsive to changing technologies, threats, vulnerabilities, types
923 of attack, and processing methods. The objective is to raise the level of information security and
924 privacy over time to meet the needs of organizations and individuals.

CHAPTER THREE PAGE 16

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

925 3.1 ACCESS CONTROL

926 Quick link to Access Control summary table

927 AC-1 POLICY AND PROCEDURES

928 Control:
929 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
930 roles]:
931 1. [Selection (one or more): organization-level; mission/business process-level; system-
932 level] access control policy that:
933 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
934 coordination among organizational entities, and compliance; and
935 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
936 standards, and guidelines; and
937 2. Procedures to facilitate the implementation of the access control policy and the
938 associated access controls;
939 b. Designate an [Assignment: organization-defined official] to manage the development,
940 documentation, and dissemination of the access control policy and procedures; and
941 c. Review and update the current access control:
942 1. Policy [Assignment: organization-defined frequency]; and
943 2. Procedures [Assignment: organization-defined frequency].
944 Discussion: This control addresses policy and procedures for the controls in the AC family
945 implemented within systems and organizations. The risk management strategy is an important
946 factor in establishing such policies and procedures. Policies and procedures help provide security
947 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
948 on their development. Security and privacy program policies and procedures at the organization
949 level are preferable, in general, and may obviate the need for system-specific policies and
950 procedures. The policy can be included as part of the general security and privacy policy or can
951 be represented by multiple policies reflecting the complex nature of organizations. Procedures
952 can be established for security and privacy programs and for systems, if needed. Procedures
953 describe how the policies or controls are implemented and can be directed at the individual or
954 role that is the object of the procedure. Procedures can be documented in system security and
955 privacy plans or in one or more separate documents. Restating controls does not constitute an
956 organizational policy or procedure.
957 Related Controls: IA-1, PM-9, PM-24, PS-8, SI-12.
958 Control Enhancements: None.
959 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100]; [IR 7874].

960 AC-2 ACCOUNT MANAGEMENT

961 Control:
962 a. Define and document the types of accounts allowed for use within the system;
963 b. Assign account managers;
964 c. Establish conditions for group and role membership;

CHAPTER THREE PAGE 17

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

965 d. Specify:
966 1. Authorized users of the system;
967 2. Group and role membership; and
968 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes
969 (as required)] for each account;
970 e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to
971 create accounts;
972 f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment:
973 organization-defined policy, procedures, and conditions];
974 g. Monitor the use of accounts;
975 h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
976 1. [Assignment: organization-defined time-period] when accounts are no longer required;
977 2. [Assignment: organization-defined time-period] when users are terminated or
978 transferred; and
979 3. [Assignment: organization-defined time-period] when system usage or need-to-know
980 changes for an individual;
981 i. Authorize access to the system based on:
982 1. A valid access authorization;
983 2. Intended system usage; and
984 3. [Assignment: organization-defined attributes (as required)];
985 j. Review accounts for compliance with account management requirements [Assignment:
986 organization-defined frequency];
987 k. Establish and implement a process for changing shared or group account credentials (if
988 deployed) when individuals are removed from the group; and
989 l. Align account management processes with personnel termination and transfer processes.
990 Discussion: Examples of system account types include individual, shared, group, system, guest,
991 anonymous, emergency, developer, temporary, and service. Identification of authorized system
992 users and the specification of access privileges reflects the requirements in other controls in the
993 security plan. Users requiring administrative privileges on system accounts receive additional
994 scrutiny by organizational personnel responsible for approving such accounts and privileged
995 access, including system owner, mission or business owner, senior agency information security
996 officer, or senior agency official for privacy. External system accounts are not included in the
997 scope of this control. Organizations address external system accounts through organizational
998 policy.
999 Where access involves personally identifiable information, security programs collaborate with
1000 the senior agency official for privacy on establishing the specific conditions for group and role
1001 membership; specifying for each account, authorized users, group and role membership, and
1002 access authorizations; and creating, adjusting, or removing system accounts in accordance with
1003 organizational policies. Policies can include such information as account expiration dates or other
1004 factors triggering the disabling of accounts. Organizations may choose to define access privileges
1005 or other attributes by account, by type of account, or a combination of the two. Examples of
1006 other attributes required for authorizing access include restrictions on time-of-day, day-of-week,
1007 and point-of-origin. In defining other system account attributes, organizations consider system-

CHAPTER THREE PAGE 18

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1008 related requirements and mission/business requirements. Failure to consider these factors could
1009 affect system availability.
1010 Temporary and emergency accounts are intended for short-term use. Organizations establish
1011 temporary accounts as a part of normal account activation procedures when there is a need for
1012 short-term accounts without the demand for immediacy in account activation. Organizations
1013 establish emergency accounts in response to crisis situations and with the need for rapid account
1014 activation. Therefore, emergency account activation may bypass normal account authorization
1015 processes. Emergency and temporary accounts are not to be confused with infrequently used
1016 accounts, including local logon accounts used for special tasks or when network resources are
1017 unavailable (may also be known as accounts of last resort). Such accounts remain available and
1018 are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating
1019 accounts include when shared/group, emergency, or temporary accounts are no longer required;
1020 and when individuals are transferred or terminated. Changing shared/group account credentials
1021 when members leave the group is intended to ensure that former group members do not retain
1022 access to the shared or group account. Some types of system accounts may require specialized
1023 training.
1024 Related Controls: AC-3, AC-5, AC-6, AC-17, AC-18, AC-20, AC-24, AU-2, AU-12, CM-5, IA-2, IA-4,
1025 IA-5, IA-8, MA-3, MA-5, PE-2, PL-4, PS-2, PS-4, PS-5, PS-7, SC-7, SC-13, SC-37.
1026 Control Enhancements:
1027 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT
1028 Support the management of system accounts using [Assignment: organization-defined
1029 automated mechanisms].
1030 Discussion: Automated mechanisms include using email or text messaging to automatically
1031 notify account managers when users are terminated or transferred; using the system to
1032 monitor account usage; and using telephonic notification to report atypical system account
1033 usage.
1034 Related Controls: None.
1035 (2) ACCOUNT MANAGEMENT | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT
1036 Automatically [Selection: remove; disable] temporary and emergency accounts after
1037 [Assignment: organization-defined time-period for each type of account].
1038 Discussion: Management of temporary and emergency accounts includes the removal or
1039 disabling of such accounts automatically after a predefined time-period, rather than at the
1040 convenience of the systems administrator. Automatic removal or disabling of accounts
1041 provides a more consistent implementation.
1042 Related Controls: None.
1043 (3) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS
1044 Disable accounts when the accounts:
1045 (a) Have expired;
1046 (b) Are no longer associated with a user or individual;
1047 (c) Are in violation of organizational policy; or
1048 (d) Have been inactive for [Assignment: organization-defined time-period].
1049 Discussion: Disabling expired, inactive, or otherwise anomalous accounts supports the
1050 concept of least privilege and least functionality which reduces the attack surface of the
1051 system.
1052 Related Controls: None.

CHAPTER THREE PAGE 19

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1053 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS

1054 Automatically audit account creation, modification, enabling, disabling, and removal
1055 actions.
1056 Discussion: Account management audit records are defined in accordance with AU-2 and
1057 reviewed, analyzed, and reported in accordance with AU-6.
1058 Related Controls: AU-2, AU-6.
1059 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT
1060 Require that users log out when [Assignment: organization-defined time-period of
1061 expected inactivity or description of when to log out].
1062 Discussion: Inactivity logout is behavior or policy-based and requires users to take physical
1063 action to log out when they are expecting inactivity longer than the defined period.
1064 Automatic enforcement of this control enhancement is addressed by AC-11.
1065 Related Controls: AC-11.
1066 (6) ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT
1067 Implement [Assignment: organization-defined dynamic privilege management
1068 capabilities].
1069 Discussion: In contrast to access control approaches that employ static accounts and
1070 predefined user privileges, dynamic access control approaches rely on run time access
1071 control decisions facilitated by dynamic privilege management such as attribute-based
1072 access control. While user identities remain relatively constant over time, user privileges
1073 typically change more frequently based on ongoing mission or business requirements and
1074 operational needs of organizations. An example of dynamic privilege management is the
1075 immediate revocation of privileges from users, as opposed to requiring that users terminate
1076 and restart their sessions to reflect changes in privileges. Dynamic privilege management can
1077 also include mechanisms that change user privileges based on dynamic rules as opposed to
1078 editing specific user profiles. Examples include automatic adjustments of user privileges if
1079 they are operating out of their normal work times, their job function or assignment changes,
1080 or if systems are under duress or in emergency situations. Dynamic privilege management
1081 includes the effects of privilege changes, for example, when there are changes to encryption
1082 keys used for communications.
1083 Related Controls: AC-16.
1084 (7) ACCOUNT MANAGEMENT | PRIVILEGED USER ACCOUNTS
1085 (a) Establish and administer privileged user accounts in accordance with [Selection: a role-
1086 based access scheme; an attribute-based access scheme];
1087 (b) Monitor privileged role or attribute assignments;
1088 (c) Monitor changes to roles or attributes; and
1089 (d) Revoke access when privileged role or attribute assignments are no longer
1090 appropriate.
1091 Discussion: Privileged roles are organization-defined roles assigned to individuals that allow
1092 those individuals to perform certain security-relevant functions that ordinary users are not
1093 authorized to perform. Privileged roles include key management, account management,
1094 database administration, system and network administration, and web administration. A
1095 role-based access scheme organizes permitted system access and privileges into roles. In
1096 contrast, an attribute-based access scheme specifies allowed system access and privileges
1097 based on attributes.
1098 Related Controls: AC-3.

CHAPTER THREE PAGE 20

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1099 (8) ACCOUNT MANAGEMENT | DYNAMIC ACCOUNT MANAGEMENT

1100 Create, activate, manage, and deactivate [Assignment: organization-defined system
1101 accounts] dynamically.
1102 Discussion: Approaches for dynamically creating, activating, managing, and deactivating
1103 system accounts rely on automatically provisioning the accounts at run time for entities that
1104 were previously unknown. Organizations plan for the dynamic management, creation,
1105 activation, and deactivation of system accounts by establishing trust relationships, business
1106 rules, and mechanisms with appropriate authorities to validate related authorizations and
1107 privileges.
1108 Related Controls: AC-16.
1109 (9) ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED AND GROUP ACCOUNTS
1110 Only permit the use of shared and group accounts that meet [Assignment: organization-
1111 defined conditions for establishing shared and group accounts].
1112 Discussion: Before permitting the use of shared or group accounts, organizations consider
1113 the increased risk due to the lack of accountability with such accounts.
1114 Related Controls: None.
1115 (10) ACCOUNT MANAGEMENT | SHARED AND GROUP ACCOUNT CREDENTIAL CHANGE
1116 [Withdrawn: Incorporated into AC-2k.]
1117 (11) ACCOUNT MANAGEMENT | USAGE CONDITIONS
1118 Enforce [Assignment: organization-defined circumstances and/or usage conditions] for
1119 [Assignment: organization-defined system accounts].
1120 Discussion: Specifying and enforcing usage conditions helps to enforce the principle of least
1121 privilege, increase user accountability, and enable effective account monitoring. Account
1122 monitoring includes alerts generated if the account is used in violation of organizational
1123 parameters. Organizations can describe specific conditions or circumstances under which
1124 system accounts can be used, for example, by restricting usage to certain days of the week,
1125 time of day, or specific durations of time.
1126 Related Controls: None.
1127 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING FOR ATYPICAL USAGE
1128 (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and
1129 (b) Report atypical usage of system accounts to [Assignment: organization-defined
1130 personnel or roles].
1131 Discussion: Atypical usage includes accessing systems at certain times of the day or from
1132 locations that are not consistent with the normal usage patterns of individuals working in
1133 organizations. Account monitoring may inadvertently create privacy risks. Data collected to
1134 identify atypical usage may reveal previously unknown information about the behavior of
1135 individuals. Organizations assess and document privacy risks from monitoring accounts for
1136 atypical usage in their privacy impact assessment and make determinations that are in
1137 alignment with their privacy program plan.
1138 Related Controls: AU-6, AU-7, CA-7, IR-8, SI-4.
1139 (13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS
1140 Disable accounts of users within [Assignment: organization-defined time-period] of
1141 discovery of [Assignment: organization-defined significant risks].
1142 Discussion: Users posing a significant security and/or privacy risk include individuals for
1143 whom reliable evidence indicates either the intention to use authorized access to systems to
1144 cause harm or through whom adversaries will cause harm. Such harm includes the adverse

CHAPTER THREE PAGE 21

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1145 impacts to organizational operations, organizational assets, individuals, other organizations,

1146 or the Nation. Close coordination among system administrators, legal staff, human resource
1147 managers, and authorizing officials is essential for execution of this control enhancement.
1148 Related Controls: AU-6, SI-4.
1149 (14) ACCOUNT MANAGEMENT | PROHIBIT SPECIFIC ACCOUNT TYPES
1150 Prohibit the use of [Selection (one or more): shared; guest; anonymous; temporary;
1151 emergency] accounts for access to [Assignment: organization-defined information types].
1152 Discussion: Organizations determine what types of accounts are prohibited based on the
1153 security and privacy risk.
1154 Related Controls: PS-4.
1155 References: [SP 800-162]; [SP 800-178]; [SP 800-192].

1156 AC-3 ACCESS ENFORCEMENT

1157 Control: Enforce approved authorizations for logical access to information and system resources
1158 in accordance with applicable access control policies.
1159 Discussion: Access control policies control access between active entities or subjects (i.e., users
1160 or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records,
1161 domains) in organizational systems. In addition to enforcing authorized access at the system level
1162 and recognizing that systems can host many applications and services in support of missions and
1163 business functions, access enforcement mechanisms can also be employed at the application and
1164 service level to provide increased information security and privacy. In contrast to logical access
1165 controls that are implemented within the system, physical access controls are addressed by the
1166 controls in the Physical and Environmental Protection (PE) family.
1167 Related Controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AC-
1168 24, AC-25, AT-2, AT-3, AU-9, CA-9, CM-5, CM-11, IA-2, IA-5, IA-6, IA-7, IA-11, MA-3, MA-4, MA-5,
1169 MP-4, PM-2, PS-3, SA-17, SC-2, SC-3, SC-4, SC-13, SC-28, SC-31, SC-34, SI-4.
1170 Control Enhancements:
1171 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
1172 [Withdrawn: Incorporated into AC-6.]
1173 (2) ACCESS ENFORCEMENT | DUAL AUTHORIZATION
1174 Enforce dual authorization for [Assignment: organization-defined privileged commands
1175 and/or other organization-defined actions].
1176 Discussion: Dual authorization, also known as two-person control, reduces risk related to
1177 insider threat. Dual authorization mechanisms require the approval of two authorized
1178 individuals to execute. To reduce the risk of collusion, organizations consider rotating dual
1179 authorization duties to other individuals. Organizations do not require dual authorization
1180 mechanisms when immediate responses are necessary to ensure public and environmental
1181 safety.
1182 Related Controls: CP-9, MP-6.
1183 (3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL
1184 Enforce [Assignment: organization-defined mandatory access control policy] over the set
1185 of covered subjects and objects specified in the policy, and where the policy:
1186 (a) Is uniformly enforced across the covered subjects and objects within the system;
1187 (b) Specifies that a subject that has been granted access to information is constrained
1188 from doing any of the following;

CHAPTER THREE PAGE 22

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1189 (1) Passing the information to unauthorized subjects or objects;

1190 (2) Granting its privileges to other subjects;
1191 (3) Changing one or more security attributes (specified by the policy) on subjects,
1192 objects, the system, or system components;
1193 (4) Choosing the security attributes and attribute values (specified by the policy) to
1194 be associated with newly created or modified objects; and
1195 (5) Changing the rules governing access control; and
1196 (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted
1197 [Assignment: organization-defined privileges] such that they are not limited by any
1198 defined subset (or all) of the above constraints.
1199 Discussion: Mandatory access control is a type of nondiscretionary access control.
1200 Mandatory access control policies constrain what actions subjects can take with information
1201 obtained from objects for which they have already been granted access. This prevents the
1202 subjects from passing the information to unauthorized subjects and objects. Mandatory
1203 access control policies constrain actions subjects can take with respect to the propagation of
1204 access control privileges; that is, a subject with a privilege cannot pass that privilege to other
1205 subjects. The policy is uniformly enforced over all subjects and objects to which the system
1206 has control; otherwise, the access control policy can be circumvented. This enforcement is
1207 provided by an implementation that meets the reference monitor concept as described in
1208 AC-25. The policy is bounded by the system (i.e., once the information is passed outside of
1209 the control of the system, additional means may be required to ensure that the constraints
1210 on the information remain in effect).
1211 The trusted subjects described above are granted privileges consistent with the concept of
1212 least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to
1213 the above policy necessary for satisfying organizational mission/business needs. The control
1214 is most applicable when there is a mandate that establishes a policy regarding access to
1215 controlled unclassified information or classified information and some users of the system
1216 are not authorized access to all such information resident in the system. Mandatory access
1217 control can operate in conjunction with discretionary access control as described in AC-3(4).
1218 A subject constrained in its operation by policies governed by this control can still operate
1219 under the less rigorous constraints of AC-3(4), but mandatory access control policies take
1220 precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory
1221 access control policy imposes a constraint preventing a subject from passing information to
1222 another subject operating at a different sensitivity level, AC-3(4) permits the subject to pass
1223 the information to any subject with the same sensitivity level as the subject. Examples of
1224 mandatory access control policies include the Bell-La Padula policy to protect confidentiality
1225 of information and the Biba policy to protect the integrity of information.
1226 Related Controls: SC-7.
1227 (4) ACCESS ENFORCEMENT | DISCRETIONARY ACCESS CONTROL
1228 Enforce [Assignment: organization-defined discretionary access control policy] over the set
1229 of covered subjects and objects specified in the policy, and where the policy specifies that
1230 a subject that has been granted access to information can do one or more of the following:
1231 (a) Pass the information to any other subjects or objects;
1232 (b) Grant its privileges to other subjects;
1233 (c) Change security attributes on subjects, objects, the system, or the system’s
1234 components;
1235 (d) Choose the security attributes to be associated with newly created or revised objects;
1236 or

CHAPTER THREE PAGE 23

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1237 (e) Change the rules governing access control.

1238 Discussion: When discretionary access control policies are implemented, subjects are not
1239 constrained regarding what actions they can take with information for which they have
1240 already been granted access. Thus, subjects that have been granted access to information
1241 are not prevented from passing the information to other subjects or objects (i.e., subjects
1242 have the discretion to pass). Discretionary access control can operate in conjunction with
1243 mandatory access control as described in AC-3(3) and AC-3(15). A subject that is constrained
1244 in its operation by mandatory access control policies can still operate under the less rigorous
1245 constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints
1246 preventing a subject from passing information to another subject operating at a different
1247 sensitivity level, AC-3(4) permits the subject to pass the information to any subject at the
1248 same sensitivity level. The policy is bounded by the system. Once the information is passed
1249 outside of system control, additional means may be required to ensure that the constraints
1250 remain in effect. While traditional definitions of discretionary access control require identity-
1251 based access control, that limitation is not required for this particular use of discretionary
1252 access control.
1253 Related Controls: None.
1254 (5) ACCESS ENFORCEMENT | SECURITY-RELEVANT INFORMATION
1255 Prevent access to [Assignment: organization-defined security-relevant information] except
1256 during secure, non-operable system states.
1257 Discussion: Security-relevant information is information within systems that can potentially
1258 impact the operation of security functions or the provision of security services in a manner
1259 that could result in failure to enforce system security policies or maintain the separation of
1260 code and data. Security-relevant information includes access control lists, filtering rules for
1261 routers or firewalls, configuration parameters for security services, and cryptographic key
1262 management information. Secure, non-operable system states include the times in which
1263 systems are not performing mission or business-related processing such as when the system
1264 is off-line for maintenance, boot-up, troubleshooting, or shut down.
1265 Related Controls: CM-6, SC-39.
1266 (6) ACCESS ENFORCEMENT | PROTECTION OF USER AND SYSTEM INFORMATION
1267 [Withdrawn: Incorporated into MP-4 and SC-28.]
1268 (7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
1269 Enforce a role-based access control policy over defined subjects and objects and control
1270 access based upon [Assignment: organization-defined roles and users authorized to
1271 assume such roles].
1272 Discussion: Role-based access control (RBAC) is an access control policy that enforces access
1273 to objects and system functions based on the defined role (i.e., job function) of the subject.
1274 Organizations can create specific roles based on job functions and the authorizations (i.e.,
1275 privileges) to perform needed operations on the systems associated with the organization-
1276 defined roles. When users are assigned to the specific roles, they inherit the authorizations
1277 or privileges defined for those roles. RBAC simplifies privilege administration for because
1278 privileges are not assigned directly to every user (which can potentially be a large number of
1279 individuals) but are instead acquired through role assignments. RBAC can be implemented as
1280 a mandatory or discretionary form of access control. For those organizations implementing
1281 RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the
1282 subjects and objects covered by the policy.
1283 Related Controls: None.

CHAPTER THREE PAGE 24

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1284 (8) ACCESS ENFORCEMENT | REVOCATION OF ACCESS AUTHORIZATIONS

1285 Enforce the revocation of access authorizations resulting from changes to the security
1286 attributes of subjects and objects based on [Assignment: organization-defined rules
1287 governing the timing of revocations of access authorizations].
1288 Discussion: Revocation of access rules may differ based on the types of access revoked. For
1289 example, if a subject (i.e., user or process acting on behalf of a user) is removed from a
1290 group, access may not be revoked until the next time the object is opened or the next time
1291 the subject attempts a new access to the object. Revocation based on changes to security
1292 labels may take effect immediately. Organizations provide alternative approaches on how to
1293 make revocations immediate if systems cannot provide such capability and immediate
1294 revocation is necessary.
1295 Related Controls: None.
1296 (9) ACCESS ENFORCEMENT | CONTROLLED RELEASE
1297 Release information outside of the system only if:
1298 (a) The receiving [Assignment: organization-defined system or system component]
1299 provides [Assignment: organization-defined controls]; and
1300 (b) [Assignment: organization-defined controls] are used to validate the appropriateness
1301 of the information designated for release.
1302 Discussion: Systems can only protect organizational information within the confines of
1303 established system boundaries. Additional controls may be needed to ensure that such
1304 information is adequately protected once it is passed beyond the established system
1305 boundaries. In situations where the system is unable to determine the adequacy of the
1306 protections provided by external entities, as a mitigating control, organizations determine
1307 procedurally whether the external systems are providing adequate controls. The means used
1308 to determine the adequacy of controls provided by external systems include conducting
1309 periodic assessments (inspections/tests); establishing agreements between the organization
1310 and its counterpart organizations; or some other process. The means used by external
1311 entities to protect the information received need not be the same as those used by the
1312 organization, but the means employed are sufficient to provide consistent adjudication of
1313 the security and privacy policy to protect the information and individuals’ privacy.
1314 Controlled release of information requires systems to implement technical or procedural
1315 means to validate the information prior to releasing it to external systems. For example, if
1316 the system passes information to a system controlled by another organization, technical
1317 means are employed to validate that the security and privacy attributes associated with the
1318 exported information are appropriate for the receiving system. Alternatively, if the system
1319 passes information to a printer in organization-controlled space, procedural means can be
1320 employed to ensure that only authorized individuals gain access to the printer.
1321 Related Controls: CA-3, PT-2, PT-3, PT-8, SA-9, SC-16.
1322 (10) ACCESS ENFORCEMENT | AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS
1323 Employ an audited override of automated access control mechanisms under [Assignment:
1324 organization-defined conditions] by [Assignment: organization-defined roles].
1325 Discussion: In certain situations, for example, where there is a threat to human life or an
1326 event that threatens the organization’s ability to carry out critical missions or business
1327 functions, an override capability for access control mechanisms may be needed. Override
1328 conditions are defined by organizations and are used only in those limited circumstances.
1329 Audit events are defined in AU-2. Audit records are generated in AU-12.
1330 Related Controls: AU-2, AU-6, AU-10, AU-12, AU-14.

CHAPTER THREE PAGE 25

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1331 (11) ACCESS ENFORCEMENT | RESTRICT ACCESS TO SPECIFIC INFORMATION TYPES

1332 Restrict access to data repositories containing [Assignment: organization-defined
1333 information types].
1334 Discussion: Restricting access to specific information is intended to provide flexibility
1335 regarding access control of specific information types within a system. For example, role-
1336 based access could be employed to allow access to only a specific type of personally
1337 identifiable information within a database rather than allowing access to the database in its
1338 entirety. Other examples include restricting access to cryptographic keys, authentication
1339 information, and selected system information.
1340 Related Controls: None.
1341 (12) ACCESS ENFORCEMENT | ASSERT AND ENFORCE APPLICATION ACCESS
1342 (a) Require applications to assert, as part of the installation process, the access needed to
1343 the following system applications and functions: [Assignment: organization-defined
1344 system applications and functions];
1345 (b) Provide an enforcement mechanism to prevent unauthorized access; and
1346 (c) Approve access changes after initial installation of the application.
1347 Discussion: Asserting and enforcing application access is intended to address applications
1348 that need to access existing system applications and functions, including user contacts,
1349 global positioning system, camera, keyboard, microphone, network, phones, or other files.
1350 Related Controls: CM-7.
1351 (13) ACCESS ENFORCEMENT | ATTRIBUTE-BASED ACCESS CONTROL
1352 Enforce attribute-based access control policy over defined subjects and objects and control
1353 access based upon [Assignment: organization-defined attributes to assume access
1354 permissions].
1355 Discussion: Attribute-based access control is an access control policy that restricts system
1356 access to authorized users based on specified organizational attributes (e.g., job function,
1357 identity); action attributes (e.g., read, write, delete); environmental attributes (e.g., time of
1358 day, location); and resource attributes (e.g., classification of a document). Organizations can
1359 create rules based on attributes and the authorizations (i.e., privileges) to perform needed
1360 operations on the systems associated with the organization-defined attributes and rules.
1361 When users are assigned to attributes defined in attribute-based access control policies or
1362 rules, they can be provisioned to a system with the appropriate privileges or dynamically
1363 granted access to a protected resource upon access. Attribute-based access control can be
1364 implemented as a mandatory or discretionary form of access control. For attribute-based
1365 access control implemented with mandatory access controls, the requirements in AC-3(3)
1366 define the scope of the subjects and objects covered by the policy.
1367 Related Controls: None.
1368 (14) ACCESS ENFORCEMENT | INDIVIDUAL ACCESS
1369 Provide [Assignment: organization-defined mechanisms] to enable individuals to have
1370 access to the following elements of their personally identifiable information: [Assignment:
1371 organization-defined elements].
1372 Discussion: Individual access affords individuals the ability to review personally identifiable
1373 information about them held within organizational records, regardless of format. Access
1374 helps individuals to develop an understanding about how their personally identifiable
1375 information is being processed. It can also help individuals ensure that their data is accurate.
1376 Access mechanisms can include request forms and application interfaces. Access to certain
1377 types of records may not be appropriate or may require certain levels of authentication

CHAPTER THREE PAGE 26

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1378 assurance. Organizational personnel consult with the senior agency official for privacy and
1379 legal counsel to determine appropriate mechanisms and access rights or limitations.
1380 Related Controls: IA-8, PM-22, PT-3, SI-18.
1381 (15) ACCESS ENFORCEMENT | DISCRETIONARY AND MANDATORY ACCESS CONTROL
1382 (a) Enforce [Assignment: organization-defined mandatory access control policy] over the
1383 set of covered subjects and objects specified in the policy; and
1384 (b) Enforce [Assignment: organization-defined discretionary access control policy] over
1385 the set of covered subjects and objects specified in the policy.
1386 Discussion: Implementing a mandatory access control policy and a discretionary access
1387 control policy simultaneously can provide additional protection against the unauthorized
1388 execution of code by users or processes acting on behalf of users. This helps prevent a single
1389 compromised user or process from compromising the entire system.
1390 Related Controls: SC-2, SC-3, AC-4.
1391 References: [OMB A-130]; [SP 800-57-1]; [SP 800-57-2]; [SP 800-57-3]; [SP 800-162]; [SP 800-
1392 178]; [IR 7874].

1393 AC-4 INFORMATION FLOW ENFORCEMENT

1394 Control: Enforce approved authorizations for controlling the flow of information within the
1395 system and between connected systems based on [Assignment: organization-defined
1396 information flow control policies].
1397 Discussion: Information flow control regulates where information can travel within a system and
1398 between systems (in contrast to who is allowed to access the information) and without regard to
1399 subsequent accesses to that information. Flow control restrictions include blocking external
1400 traffic that claims to be from within the organization; keeping export-controlled information
1401 from being transmitted in the clear to the Internet; restricting web requests that are not from
1402 the internal web proxy server; and limiting information transfers between organizations based
1403 on data structures and content. Transferring information between organizations may require an
1404 agreement specifying how the information flow is enforced (see CA-3). Transferring information
1405 between systems in different security or privacy domains with different security or privacy
1406 policies introduces risk that such transfers violate one or more domain security or privacy
1407 policies. In such situations, information owners/stewards provide guidance at designated policy
1408 enforcement points between connected systems. Organizations consider mandating specific
1409 architectural solutions to enforce specific security and privacy policies. Enforcement includes
1410 prohibiting information transfers between connected systems (i.e., allowing access only);
1411 verifying write permissions before accepting information from another security or privacy
1412 domain or connected system; employing hardware mechanisms to enforce one-way information
1413 flows; and implementing trustworthy regrading mechanisms to reassign security or privacy
1414 attributes and security or privacy labels.
1415 Organizations commonly employ information flow control policies and enforcement mechanisms
1416 to control the flow of information between designated sources and destinations within systems
1417 and between connected systems. Flow control is based on the characteristics of the information
1418 and/or the information path. Enforcement occurs, for example, in boundary protection devices
1419 that employ rule sets or establish configuration settings that restrict system services, provide a
1420 packet-filtering capability based on header information, or message-filtering capability based on
1421 message content. Organizations also consider the trustworthiness of filtering and/or inspection
1422 mechanisms (i.e., hardware, firmware, and software components) that are critical to information
1423 flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution
1424 needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow
1425 enforcement mechanisms implemented in cross-domain products, for example, high-assurance

CHAPTER THREE PAGE 27

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1426 guards. Such capabilities are generally not available in commercial off-the-shelf information
1427 technology products. This control also applies to control plane traffic (e.g., routing and DNS).
1428 Related Controls: AC-3, AC-6, AC-16, AC-17, AC-19, AC-21, AU-10, CA-3, CA-9, CM-7, PM-24, SA-
1429 17, SC-4, SC-7, SC-16, SC-31.
1430 Control Enhancements:
1431 (1) INFORMATION FLOW ENFORCEMENT | OBJECT SECURITY AND PRIVACY ATTRIBUTES
1432 Use [Assignment: organization-defined security and privacy attributes] associated with
1433 [Assignment: organization-defined information, source, and destination objects] to enforce
1434 [Assignment: organization-defined information flow control policies] as a basis for flow
1435 control decisions.
1436 Discussion: Information flow enforcement mechanisms compare security and privacy
1437 attributes associated with information (i.e., data content and structure) and source and
1438 destination objects and respond appropriately when the enforcement mechanisms
1439 encounter information flows not explicitly allowed by information flow policies. For
1440 example, an information object labeled Secret would be allowed to flow to a destination
1441 object labeled Secret, but an information object labeled Top Secret would not be allowed to
1442 flow to a destination object labeled Secret. A dataset of personally identifiable information
1443 may be tagged with restrictions against combining with other types of datasets, and
1444 therefore, would not be allowed to flow to the restricted dataset. Security and privacy
1445 attributes can also include source and destination addresses employed in traffic filter
1446 firewalls. Flow enforcement using explicit security or privacy attributes can be used, for
1447 example, to control the release of certain types of information.
1448 Related Controls: None.
1449 (2) INFORMATION FLOW ENFORCEMENT | PROCESSING DOMAINS
1450 Use protected processing domains to enforce [Assignment: organization-defined
1451 information flow control policies] as a basis for flow control decisions.
1452 Discussion: Protected processing domains within systems are processing spaces that have
1453 controlled interactions with other processing spaces, enabling control of information flows
1454 between these spaces and to/from information objects. A protected processing domain can
1455 be provided, for example, by implementing domain and type enforcement. In domain and
1456 type enforcement, system processes are assigned to domains; information is identified by
1457 types; and information flows are controlled based on allowed information accesses (i.e.,
1458 determined by domain and type), allowed signaling among domains, and allowed process
1459 transitions to other domains.
1460 Related Controls: SC-39.
1461 (3) INFORMATION FLOW ENFORCEMENT | DYNAMIC INFORMATION FLOW CONTROL
1462 Enforce [Assignment: organization-defined information flow control policies].
1463 Discussion: Organizational policies regarding dynamic information flow control include
1464 allowing or disallowing information flows based on changing conditions or mission or
1465 operational considerations. Changing conditions include changes in risk tolerance due to
1466 changes in the immediacy of mission or business needs, changes in the threat environment,
1467 and detection of potentially harmful or adverse events.
1468 Related Controls: SI-4.
1469 (4) INFORMATION FLOW ENFORCEMENT | FLOW CONTROL OF ENCRYPTED INFORMATION
1470 Prevent encrypted information from bypassing [Assignment: organization-defined
1471 information flow control mechanisms] by [Selection (one or more): decrypting the
1472 information; blocking the flow of the encrypted information; terminating communications

CHAPTER THREE PAGE 28

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1473 sessions attempting to pass encrypted information; [Assignment: organization-defined

1474 procedure or method]].
1475 Discussion: Flow control mechanisms include content checking, security policy filters, and
1476 data type identifiers. The term encryption is extended to cover encoded data not recognized
1477 by filtering mechanisms.
1478 Related Controls: SI-4.
1479 (5) INFORMATION FLOW ENFORCEMENT | EMBEDDED DATA TYPES
1480 Enforce [Assignment: organization-defined limitations] on embedding data types within
1481 other data types.
1482 Discussion: Embedding data types within other data types may result in reduced flow
1483 control effectiveness. Data type embedding includes inserting files as objects within other
1484 files and using compressed or archived data types that may include multiple embedded data
1485 types. Limitations on data type embedding consider the levels of embedding and prohibit
1486 levels of data type embedding that are beyond the capability of the inspection tools.
1487 Related Controls: None.
1488 (6) INFORMATION FLOW ENFORCEMENT | METADATA
1489 Enforce information flow control based on [Assignment: organization-defined metadata].
1490 Discussion: Metadata is information that describes the characteristics of data. Metadata can
1491 include structural metadata describing data structures or descriptive metadata describing
1492 data content. Enforcement of allowed information flows based on metadata enables simpler
1493 and more effective flow control. Organizations consider the trustworthiness of metadata
1494 regarding data accuracy (i.e., knowledge that the metadata values are correct with respect
1495 to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags),
1496 and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding
1497 techniques with appropriate levels of assurance).
1498 Related Controls: AC-16, SI-7.
1499 (7) INFORMATION FLOW ENFORCEMENT | ONE-WAY FLOW MECHANISMS
1500 Enforce one-way information flows through hardware-based flow control mechanisms.
1501 Discussion: One-way flow mechanisms may also be referred to as a unidirectional network,
1502 unidirectional security gateway, or data diode. One-way flow mechanisms can be used to
1503 prevent data from being exported from a higher impact or classified domain or system, while
1504 permitting data from a lower impact or unclassified domain or system to be imported.
1505 Related Controls: None.
1506 (8) INFORMATION FLOW ENFORCEMENT | SECURITY AND PRIVACY POLICY FILTERS
1507 (a) Enforce information flow control using [Assignment: organization-defined security or
1508 privacy policy filters] as a basis for flow control decisions for [Assignment:
1509 organization-defined information flows]; and
1510 (b) [Selection (one or more): block; strip; modify; quarantine] data after a filter processing
1511 failure in accordance with [Assignment: organization-defined security or privacy
1512 policy].
1513 Discussion: Organization-defined security or privacy policy filters can address data
1514 structures and content. For example, security or privacy policy filters for data structures can
1515 check for maximum file lengths, maximum field sizes, and data/file types (for structured and
1516 unstructured data). Security or privacy policy filters for data content can check for specific
1517 words enumerated values or data value ranges, and hidden content. Structured data permits
1518 the interpretation of data content by applications. Unstructured data refers to digital
1519 information without a data structure or with a data structure that does not facilitate the

CHAPTER THREE PAGE 29

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1520 development of rule sets to address the sensitivity of the information conveyed by the data
1521 or the flow enforcement decisions. Unstructured data consists of bitmap objects that are
1522 inherently non-language-based (i.e., image, video, or audio files); and textual objects that
1523 are based on written or printed languages. Organizations can implement more than one
1524 security or privacy policy filter to meet information flow control objectives.
1525 Related Controls: None.
1526 (9) INFORMATION FLOW ENFORCEMENT | HUMAN REVIEWS
1527 Enforce the use of human reviews for [Assignment: organization-defined information
1528 flows] under the following conditions: [Assignment: organization-defined conditions].
1529 Discussion: Organizations define security or privacy policy filters for all situations where
1530 automated flow control decisions are possible. When a fully automated flow control decision
1531 is not possible, then a human review may be employed in lieu of, or as a complement to,
1532 automated security or privacy policy filtering. Human reviews may also be employed as
1533 deemed necessary by organizations.
1534 Related Controls: None.
1535 (10) INFORMATION FLOW ENFORCEMENT | ENABLE AND DISABLE SECURITY OR PRIVACY POLICY FILTERS
1536 Provide the capability for privileged administrators to enable and disable [Assignment:
1537 organization-defined security or privacy policy filters] under the following conditions:
1538 [Assignment: organization-defined conditions].
1539 Discussion: For example, as allowed by the system authorization, administrators can enable
1540 security or privacy policy filters to accommodate approved data types. Administrators also
1541 have the capability to select the filters that are executed on a specific data flow based on the
1542 type of data that is being transferred, the source and destination security or privacy
1543 domains, and other security or privacy relevant features, as needed.
1544 Related Controls: None.
1545 (11) INFORMATION FLOW ENFORCEMENT | CONFIGURATION OF SECURITY OR PRIVACY POLICY FILTERS
1546 Provide the capability for privileged administrators to configure [Assignment:
1547 organization-defined security or privacy policy filters] to support different security or
1548 privacy policies.
1549 Discussion: Documentation contains detailed information for configuring security or privacy
1550 policy filters. For example, administrators can configure security or privacy policy filters to
1551 include the list of “dirty words” that security or privacy policy mechanisms check in
1552 accordance with the definitions provided by organizations.
1553 Related Controls: None.
1554 (12) INFORMATION FLOW ENFORCEMENT | DATA TYPE IDENTIFIERS
1555 When transferring information between different security or privacy domains, use
1556 [Assignment: organization-defined data type identifiers] to validate data essential for
1557 information flow decisions.
1558 Discussion: Data type identifiers include filenames, file types, file signatures or tokens, and
1559 multiple internal file signatures or tokens. Systems allow transfer of data only if compliant
1560 with data type format specifications. Identification and validation of data types is based on
1561 defined specifications associated with each allowed data format. The filename and number
1562 alone are not used for data type identification. Content is validated syntactically and
1563 semantically against its specification to ensure it is the proper data type.
1564 Related Controls: None.

CHAPTER THREE PAGE 30

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1565 (13) INFORMATION FLOW ENFORCEMENT | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS

1566 When transferring information between different security or privacy domains, decompose
1567 information into [Assignment: organization-defined policy-relevant subcomponents] for
1568 submission to policy enforcement mechanisms.
1569 Discussion: Decomposing information into policy-relevant subcomponents prior to
1570 information transfer facilitates policy decisions on source, destination, certificates,
1571 classification, attachments, and other security- or privacy-related component differentiators.
1572 Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the
1573 policy-relevant subcomponents of information to facilitate flow enforcement prior to
1574 transferring such information to different security or privacy domains.
1575 Related Controls: None.
1576 (14) INFORMATION FLOW ENFORCEMENT | SECURITY OR PRIVACY POLICY FILTER CONSTRAINTS
1577 When transferring information between different security or privacy domains, implement
1578 [Assignment: organization-defined security or privacy policy filters] requiring fully
1579 enumerated formats that restrict data structure and content.
1580 Discussion: Data structure and content restrictions reduce the range of potential malicious
1581 or unsanctioned content in cross-domain transactions. Security or privacy policy filters that
1582 restrict data structures include restricting file sizes and field lengths. Data content policy
1583 filters include encoding formats for character sets; restricting character data fields to only
1584 contain alpha-numeric characters; prohibiting special characters; and validating schema
1585 structures.
1586 Related Controls: None.
1587 (15) INFORMATION FLOW ENFORCEMENT | DETECTION OF UNSANCTIONED INFORMATION
1588 When transferring information between different security or privacy domains, examine
1589 the information for the presence of [Assignment: organization-defined unsanctioned
1590 information] and prohibit the transfer of such information in accordance with the
1591 [Assignment: organization-defined security or privacy policy].
1592 Discussion: Unsanctioned information includes malicious code, dirty words, sensitive
1593 information inappropriate for release from the source network, or executable code that
1594 could disrupt or harm the services or systems on the destination network.
1595 Related Controls: SI-3.
1596 (16) INFORMATION FLOW ENFORCEMENT | INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS
1597 [Withdrawn: Incorporated into AC-4.]
1598 (17) INFORMATION FLOW ENFORCEMENT | DOMAIN AUTHENTICATION
1599 Uniquely identify and authenticate source and destination points by [Selection (one or
1600 more): organization, system, application, service, individual] for information transfer.
1601 Discussion: Attribution is a critical component of a security and privacy concept of
1602 operations. The ability to identify source and destination points for information flowing
1603 within systems, allows the forensic reconstruction of events, and encourages policy
1604 compliance by attributing policy violations to specific organizations or individuals. Successful
1605 domain authentication requires that system labels distinguish among systems, organizations,
1606 and individuals involved in preparing, sending, receiving, or disseminating information.
1607 Attribution also allows organizations to better maintain the lineage of personally identifiable
1608 information processing as it flows through systems and can facilitate consent tracking, as
1609 well as correction, deletion, or access requests from individuals.
1610 Related Controls: IA-2, IA-3, IA-9.

CHAPTER THREE PAGE 31

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1611 (18) INFORMATION FLOW ENFORCEMENT | SECURITY ATTRIBUTE BINDING

1612 [Withdrawn: Incorporated into AC-16.]
1613 (19) INFORMATION FLOW ENFORCEMENT | VALIDATION OF METADATA
1614 When transferring information between different security or privacy domains, implement
1615 [Assignment: organization-defined security or privacy policy filters] on metadata.
1616 Discussion: All information (including metadata and the data to which the metadata applies)
1617 is subject to filtering and inspection. Some organizations distinguish between metadata and
1618 data payloads (i.e., only the data to which the metadata is bound). Other organizations do
1619 not make such distinctions, considering metadata and the data to which the metadata
1620 applies as part of the payload.
1621 Related Controls: None.
1622 (20) INFORMATION FLOW ENFORCEMENT | APPROVED SOLUTIONS
1623 Employ [Assignment: organization-defined solutions in approved configurations] to control
1624 the flow of [Assignment: organization-defined information] across security or privacy
1625 domains.
1626 Discussion: Organizations define approved solutions and configurations in cross-domain
1627 policies and guidance in accordance with the types of information flows across classification
1628 boundaries. The NSA National Cross Domain Strategy and Management Office provides a
1629 baseline listing of approved cross-domain solutions.
1630 Related Controls: None.
1631 (21) INFORMATION FLOW ENFORCEMENT | PHYSICAL OR LOGICAL SEPARATION OF INFORMATION FLOWS
1632 Separate information flows logically or physically using [Assignment: organization-defined
1633 mechanisms and/or techniques] to accomplish [Assignment: organization-defined required
1634 separations by types of information].
1635 Discussion: Enforcing the separation of information flows associated with defined types of
1636 data can enhance protection by ensuring that information is not commingled while in transit
1637 and by enabling flow control by transmission paths perhaps not otherwise achievable. Types
1638 of separable information include inbound and outbound communications traffic, service
1639 requests and responses, and information of differing security categories.
1640 Related Controls: SC-32.
1641 (22) INFORMATION FLOW ENFORCEMENT | ACCESS ONLY
1642 Provide access from a single device to computing platforms, applications, or data residing
1643 in multiple different security domains, while preventing any information flow between the
1644 different security domains.
1645 Discussion: The system provides a capability for users to access each connected security
1646 domain without providing any mechanisms to allow transfer of data or information between
1647 the different security domains. An example of an access-only solution is a terminal that
1648 provides a user access to information with different security classifications while assuredly
1649 keeping the information separate.
1650 Related Controls: None.
1651 (23) INFORMATION FLOW ENFORCEMENT | MODIFY NON-RELEASABLE INFORMATION
1652 When transferring information between different security domains, modify non-releasable
1653 information by implementing [Assignment: organization-defined modification action].
1654 Discussion: Modifying non-releasable information can help prevent a data spill or attack
1655 when information is transferred across security domains. Modification actions include
1656 masking, permutation, alteration, removal, or redaction.

CHAPTER THREE PAGE 32

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1657 Related Controls: None.

1658 (24) INFORMATION FLOW ENFORCEMENT | INTERNAL NORMALIZED FORMAT
1659 When transferring information between different security domains, parse incoming data
1660 into an internal normalized format and regenerate the data to be consistent with its
1661 intended specification.
1662 Discussion: Converting data into normalized forms is one of most of effective mechanisms
1663 to stop malicious attacks and large classes of data exfiltration.
1664 Related Controls: None.
1665 (25) INFORMATION FLOW ENFORCEMENT | DATA SANITIZATION
1666 When transferring information between different security domains, sanitize data to
1667 minimize [Selection (one or more: delivery of malicious content, command and control of
1668 malicious code, malicious code augmentation, and steganography encoded data; spillage
1669 of sensitive information] in accordance with [Assignment: organization-defined policy]].
1670 Discussion: Data sanitization is the process of irreversibly removing or destroying data
1671 stored on a memory device (e.g., hard drives, flash memory/SSDs, mobile devices, CDs, and
1672 DVDs) or in hard copy form.
1673 Related Controls: None.
1674 (26) INFORMATION FLOW ENFORCEMENT | AUDIT FILTERING ACTIONS
1675 When transferring information between different security domains, record and audit
1676 content filtering actions and results for the information being filtered.
1677 Discussion: Content filtering is the process of inspecting information as it traverses a cross
1678 domain solution and determines if the information meets a pre-defined policy. Content
1679 filtering actions and results of filtering actions are recorded for individual messages to
1680 ensure the correct filter actions were applied. Content filter reports are used to assist in
1681 troubleshooting actions, for example, determining why message content was modified
1682 and/or why it failed the filtering process. Audit events are defined in AU-2. Audit records are
1683 generated in AU-12.
1684 Related Controls: AU-2, AU-3, AU-12.
1685 (27) INFORMATION FLOW ENFORCEMENT | REDUNDANT/INDEPENDENT FILTERING MECHANISMS
1686 When transferring information between different security or privacy domains, implement
1687 content filtering solutions that provide redundant and independent filtering mechanisms
1688 for each data type.
1689 Discussion: Content filtering is the process of inspecting information as it traverses a cross
1690 domain solution and determines if the information meets a pre-defined policy. Redundant
1691 and independent content filtering eliminates a single point of failure filtering system.
1692 Independence is defined as implementation of a content filter that uses a different code
1693 base and supporting libraries (e.g., two JPEG filters using different vendors’ JPEG libraries)
1694 and multiple, independent system processes.
1695 Related Controls: None.
1696 (28) INFORMATION FLOW ENFORCEMENT | LINEAR FILTER PIPELINES
1697 When transferring information between different security or privacy domains, implement
1698 a linear content filter pipeline that is enforced with discretionary and mandatory access
1699 controls.
1700 Discussion: Content filtering is the process of inspecting information as it traverses a cross
1701 domain solution and determines if the information meets a pre-defined policy. The use of
1702 linear content filter pipelines ensures that filter processes are non-bypassable and always

CHAPTER THREE PAGE 33

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1703 invoked. In general, the use of parallel filtering architectures for content filtering of a single
1704 data type introduces by-pass and non-invocation issues.
1705 Related Controls: None.
1706 (29) INFORMATION FLOW ENFORCEMENT | FILTER ORCHESTRATION ENGINES
1707 When transferring information between different security or privacy domains, employ
1708 content filter orchestration engines to ensure that:
1709 (a) Content filtering mechanisms successfully complete execution without errors; and
1710 (b) Content filtering actions occur in the correct order and comply with [Assignment:
1711 organization-defined policy].
1712 Discussion: Content filtering is the process of inspecting information as it traverses a cross
1713 domain solution and determines if the information meets a pre-defined security policy. An
1714 orchestration engine coordinates the sequencing of activities (manual and automated) in a
1715 content filtering process. Errors are defined as either anomalous actions or unexpected
1716 termination of the content filter process. This is not the same as a filter failing content due
1717 non-compliance with policy. Content filter reports are a commonly used mechanism to
1718 ensure expected filtering actions are completed successfully.
1719 Related Controls: None.
1720 (30) INFORMATION FLOW ENFORCEMENT | FILTER MECHANISMS USING MULTIPLE PROCESSES
1721 When transferring information between different security or privacy domains, implement
1722 content filtering mechanisms using multiple processes.
1723 Discussion: The use of multiple processes to implement content filtering mechanisms
1724 reduces the likelihood of a single point of failure.
1725 Related Controls: None.
1726 (31) INFORMATION FLOW ENFORCEMENT | FAILED CONTENT TRANSFER PREVENTION
1727 When transferring information between different security or privacy domains, prevent the
1728 transfer of failed content to the receiving domain.
1729 Discussion: Content that failed filtering checks, can corrupt the system if transferred to the
1730 receiving domain.
1731 Related Controls: None.
1732 (32) INFORMATION FLOW ENFORCEMENT | PROCESS REQUIREMENTS FOR INFORMATION TRANSFER
1733 When transferring information between different security or privacy domains, the process
1734 that transfers information between filter pipelines:
1735 (a) Does not filter message content;
1736 (b) Validates filtering metadata;
1737 (c) Ensures the content associated with the filtering metadata has successfully completed
1738 filtering; and
1739 (d) Transfers the content to the destination filter pipeline.
1740 Discussion: The processes transferring information between filter pipelines have minimum
1741 complexity and functionality to provide assurance that the processes operate correctly.
1742 Related Controls: None.
1743 References: [SP-800-160 v1]; [SP 800-162]; [SP 800-178].

CHAPTER THREE PAGE 34

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1744 AC-5 SEPARATION OF DUTIES

1745 Control:
1746 a. Identify and document [Assignment: organization-defined duties of individuals requiring
1747 separation]; and
1748 b. Define system access authorizations to support separation of duties.
1749 Discussion: Separation of duties addresses the potential for abuse of authorized privileges and
1750 helps to reduce the risk of malevolent activity without collusion. Separation of duties includes
1751 dividing mission or business functions and support functions among different individuals or roles;
1752 conducting system support functions with different individuals; and ensuring security personnel
1753 administering access control functions do not also administer audit functions. Because
1754 separation of duty violations can span systems and application domains, organizations consider
1755 the entirety of systems and system components when developing policy on separation of duties.
1756 This control is enforced through the account management activities in AC-2 and access control
1757 mechanisms in AC-3.
1758 Related Controls: AC-2, AC-3, AC-6, AU-9, CM-5, CM-11, CP-9, IA-2, IA-5, MA-3, MA-5, PS-2, SA-8,
1759 SA-17.
1760 Control Enhancements: None.
1761 References: None.

1762 AC-6 LEAST PRIVILEGE

1763 Control: Employ the principle of least privilege, allowing only authorized accesses for users (or
1764 processes acting on behalf of users) that are necessary to accomplish assigned organizational
1765 tasks.
1766 Discussion: Organizations employ least privilege for specific duties and systems. The principle of
1767 least privilege is also applied to system processes, ensuring that the processes have access to
1768 systems and operate at privilege levels no higher than necessary to accomplish organizational
1769 missions or business functions. Organizations consider the creation of additional processes, roles,
1770 and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the
1771 development, implementation, and operation of organizational systems.
1772 Related Controls: AC-2, AC-3, AC-5, AC-16, CM-5, CM-11, PL-2, PM-12, SA-8, SA-15, SA-17, SC-38.
1773 Control Enhancements:
1774 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS
1775 Explicitly authorize access for [Assignment: organization-defined individuals or roles] to:
1776 (a) [Assignment: organization-defined security functions (deployed in hardware, software,
1777 and firmware)]; and
1778 (b) [Assignment: organization-defined security-relevant information].
1779 Discussion: Security functions include establishing system accounts; configuring access
1780 authorizations (i.e., permissions, privileges), configuring settings for events to be audited,
1781 and establishing intrusion detection parameters. Security-relevant information includes
1782 filtering rules for routers or firewalls, configuration parameters for security services,
1783 cryptographic key management information, and access control lists. Explicitly authorized
1784 personnel include security administrators, system administrators, system security officers,
1785 system programmers, and other privileged users.
1786 Related Controls: AC-17, AC-18, AC-19, AU-9, PE-2.

CHAPTER THREE PAGE 35

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1787 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

1788 Require that users of system accounts (or roles) with access to [Assignment: organization-
1789 defined security functions or security-relevant information], use non-privileged accounts or
1790 roles, when accessing nonsecurity functions.
1791 Discussion: Requiring use of non-privileged accounts when accessing nonsecurity functions
1792 limits exposure when operating from within privileged accounts or roles. The inclusion of
1793 roles addresses situations where organizations implement access control policies such as
1794 role-based access control and where a change of role provides the same degree of assurance
1795 in the change of access authorizations for both the user and all processes acting on behalf of
1796 the user as would be provided by a change between a privileged and non-privileged account.
1797 Related Controls: AC-17, AC-18, AC-19, PL-4.
1798 (3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS
1799 Authorize network access to [Assignment: organization-defined privileged commands]
1800 only for [Assignment: organization-defined compelling operational needs] and document
1801 the rationale for such access in the security plan for the system.
1802 Discussion: Network access is any access across a network connection in lieu of local access
1803 (i.e., user being physically present at the device).
1804 Related Controls: AC-17, AC-18, AC-19.
1805 (4) LEAST PRIVILEGE | SEPARATE PROCESSING DOMAINS
1806 Provide separate processing domains to enable finer-grained allocation of user privileges.
1807 Discussion: Providing separate processing domains for finer-grained allocation of user
1808 privileges includes using virtualization techniques to permit additional user privileges within
1809 a virtual machine while restricting privileges to other virtual machines or to the underlying
1810 physical machine; implementing separate physical domains, and employing hardware or
1811 software domain separation mechanisms.
1812 Related Controls: AC-4, SC-2, SC-3, SC-30, SC-32, SC-39.
1813 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS
1814 Restrict privileged accounts on the system to [Assignment: organization-defined personnel
1815 or roles].
1816 Discussion: Privileged accounts, including super user accounts, are typically described as
1817 system administrator for various types of commercial off-the-shelf operating systems.
1818 Restricting privileged accounts to specific personnel or roles prevents day-to-day users from
1819 accessing privileged information or privileged functions. Organizations may differentiate in
1820 the application of this control enhancement between allowed privileges for local accounts
1821 and for domain accounts provided they retain the ability to control system configurations for
1822 key security parameters and as otherwise necessary to sufficiently mitigate risk.
1823 Related Controls: IA-2, MA-3, MA-4.
1824 (6) LEAST PRIVILEGE | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS
1825 Prohibit privileged access to the system by non-organizational users.
1826 Discussion: An organizational user is an employee or an individual considered by the
1827 organization to have the equivalent status of an employee. Organizational users include
1828 contractors, guest researchers, or individuals detailed from other organizations. A non-
1829 organizational user is a user who is not an organizational user. Policy and procedures for
1830 granting equivalent status of employees to individuals include a need-to-know, citizenship,
1831 and the relationship to the organization.
1832 Related Controls: AC-18, AC-19, IA-2, IA-8.

CHAPTER THREE PAGE 36

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1833 (7) LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES

1834 (a) Review [Assignment: organization-defined frequency] the privileges assigned to
1835 [Assignment: organization-defined roles or classes of users] to validate the need for
1836 such privileges; and
1837 (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission
1838 and business needs.
1839 Discussion: The need for certain assigned user privileges may change over time reflecting
1840 changes in organizational missions and business functions, environments of operation,
1841 technologies, or threat. Periodic review of assigned user privileges is necessary to determine
1842 if the rationale for assigning such privileges remains valid. If the need cannot be revalidated,
1843 organizations take appropriate corrective actions.
1844 Related Controls: CA-7.
1845 (8) LEAST PRIVILEGE | PRIVILEGE LEVELS FOR CODE EXECUTION
1846 Prevent the following software from executing at higher privilege levels than users
1847 executing the software: [Assignment: organization-defined software].
1848 Discussion: In certain situations, software applications or programs need to execute with
1849 elevated privileges to perform required functions. However, depending on the software
1850 functionality and configuration, if the privileges required for execution are at a higher level
1851 than the privileges assigned to organizational users invoking such applications or programs,
1852 those users may indirectly be provided with greater privileges than assigned.
1853 Related Controls: None.
1854 (9) LEAST PRIVILEGE | LOG USE OF PRIVILEGED FUNCTIONS
1855 Audit the execution of privileged functions.
1856 Discussion: The misuse of privileged functions, either intentionally or unintentionally by
1857 authorized users, or by unauthorized external entities that have compromised system
1858 accounts, is a serious and ongoing concern and can have significant adverse impacts on
1859 organizations. Capturing the use of privileged functions in audit logs is one way to detect
1860 such misuse, and in doing so, help mitigate the risk from insider threats and the advanced
1861 persistent threat.
1862 Related Controls: AU-2, AU-3, AU-12.
1863 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
1864 Prevent non-privileged users from executing privileged functions.
1865 Discussion: Privileged functions include disabling, circumventing, or altering implemented
1866 security or privacy controls; establishing system accounts; performing system integrity
1867 checks; and administering cryptographic key management activities. Non-privileged users
1868 are individuals that do not possess appropriate authorizations. Privileged functions that
1869 require protection from non-privileged users include circumventing intrusion detection and
1870 prevention mechanisms or malicious code protection mechanisms. This control
1871 enhancement is enforced by AC-3.
1872 Related Controls: None.
1873 References: None.

1874 AC-7 UNSUCCESSFUL LOGON ATTEMPTS

1875 Control:
1876 a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon
1877 attempts by a user during a [Assignment: organization-defined time-period]; and

CHAPTER THREE PAGE 37

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1878 b. Automatically [Selection (one or more): lock the account or node for an [Assignment:
1879 organization-defined time-period]; lock the account or node until released by an
1880 administrator; delay next logon prompt per [Assignment: organization-defined delay
1881 algorithm]; notify system administrator; take other [Assignment: organization-defined
1882 action]] when the maximum number of unsuccessful attempts is exceeded.
1883 Discussion: This control applies regardless of whether the logon occurs via a local or network
1884 connection. Due to the potential for denial of service, automatic lockouts initiated by systems are
1885 usually temporary and automatically release after a predetermined, organization-defined time
1886 period. If a delay algorithm is selected, organizations may employ different algorithms for
1887 different components of the system based on the capabilities of those components. Responses
1888 to unsuccessful logon attempts may be implemented at the operating system and the application
1889 levels. Organization-defined actions that may be taken when the number of allowed consecutive
1890 invalid logon attempts is exceeded include prompting the user to answer a secret question in
1891 addition to the username and password; invoking a lockdown mode with limited user capabilities
1892 (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user
1893 and then allowing additional logon attempts if the attempts are from a known IP address.
1894 Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the
1895 execution of delay algorithms support the objective of availability while still protecting against
1896 such attacks. Techniques that are effective when used in combination include prompting the user
1897 to respond to a secret question before the number of allowed unsuccessful logon attempts is
1898 exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to
1899 prevent automated attacks; or applying user profiles such as location, time of day, IP address,
1900 device, or MAC address. Automatically unlocking an account after a specified period of time is
1901 generally not permitted. However, exceptions may be required based on operational mission or
1902 need.
1903 Related Controls: AC-2, AC-9, AU-2, AU-6, IA-5.
1904 Control Enhancements:
1905 (1) UNSUCCESSFUL LOGON ATTEMPTS | AUTOMATIC ACCOUNT LOCK
1906 [Withdrawn: Incorporated into AC-7.]
1907 (2) UNSUCCESSFUL LOGON ATTEMPTS | PURGE OR WIPE MOBILE DEVICE
1908 Purge or wipe information from [Assignment: organization-defined mobile devices] based
1909 on [Assignment: organization-defined purging or wiping requirements and techniques]
1910 after [Assignment: organization-defined number] consecutive, unsuccessful device logon
1911 attempts.
1912 Discussion: A mobile device is a computing device that has a small form factor such that it
1913 can be carried by a single individual; is designed to operate without a physical connection;
1914 possesses local, non-removable or removable data storage; and includes a self-contained
1915 power source. Purging or wiping the device applies only to mobile devices for which the
1916 organization-defined number of unsuccessful logons occurs. The logon is to the mobile
1917 device, not to any one account on the device. Successful logons to accounts on mobile
1918 devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if
1919 the information on the device is protected with sufficiently strong encryption mechanisms.
1920 Related Controls: AC-19, MP-5, MP-6.
1921 (3) UNSUCCESSFUL LOGON ATTEMPTS | BIOMETRIC ATTEMPT LIMITING
1922 Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-
1923 defined number].

CHAPTER THREE PAGE 38

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1924 Discussion: Biometrics are probabilistic in nature. The ability to successfully authenticate
1925 can be impacted by many factors, including matching performance and presentation attack
1926 detection mechanisms. Organizations select the appropriate number of attempts and fall
1927 back mechanisms for users based on organizationally-defined factors.
1928 Related Controls: IA-3.
1929 (4) UNSUCCESSFUL LOGON ATTEMPTS | USE OF ALTERNATE FACTOR
1930 (a) Allow the use of [Assignment: organization-defined authentication factors] that are
1931 different from the primary authentication factors after the number of organization-
1932 defined consecutive invalid logon attempts have been exceeded; and
1933 (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid
1934 logon attempts through use of the alternative factors by a user during a [Assignment:
1935 organization-defined time-period].
1936 Discussion: The use of alternate authentication factors supports the objective of availability
1937 and allows a user that has inadvertently been locked out to use additional authentication
1938 factors to bypass the lockout.
1939 Related Controls: IA-3.
1940 References: [SP 800-63-3]; [SP 800-124].

1941 AC-8 SYSTEM USE NOTIFICATION

1942 Control:
1943 a. Display [Assignment: organization-defined system use notification message or banner] to
1944 users before granting access to the system that provides privacy and security notices
1945 consistent with applicable laws, executive orders, directives, regulations, policies, standards,
1946 and guidelines and state that:
1947 1. Users are accessing a U.S. Government system;
1948 2. System usage may be monitored, recorded, and subject to audit;
1949 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties;
1950 and
1951 4. Use of the system indicates consent to monitoring and recording;
1952 b. Retain the notification message or banner on the screen until users acknowledge the usage
1953 conditions and take explicit actions to log on to or further access the system; and
1954 c. For publicly accessible systems:
1955 1. Display system use information [Assignment: organization-defined conditions], before
1956 granting further access to the publicly accessible system;
1957 2. Display references, if any, to monitoring, recording, or auditing that are consistent with
1958 privacy accommodations for such systems that generally prohibit those activities; and
1959 3. Include a description of the authorized uses of the system.
1960 Discussion: System use notifications can be implemented using messages or warning banners
1961 displayed before individuals log in to systems. System use notifications are used only for access
1962 via logon interfaces with human users. Notifications are not required when human interfaces do
1963 not exist. Based on an assessment of risk, organizations consider whether or not a secondary
1964 system use notification is needed to access applications or other system resources after the
1965 initial network logon. Organizations consider system use notification messages or banners
1966 displayed in multiple languages based on organizational needs and the demographics of system

CHAPTER THREE PAGE 39

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

1967 users. Organizations also consult with the Office of the General Counsel for legal review and
1968 approval of warning banner content.
1969 Related Controls: AC-14, PL-4, SI-4.
1970 Control Enhancements: None.
1971 References: None.

1972 AC-9 PREVIOUS LOGON NOTIFICATION

1973 Control: Notify the user, upon successful logon to the system, of the date and time of the last
1974 logon.
1975 Discussion: Previous logon notification is applicable to system access via human user interfaces
1976 and access to systems that occurs in other types of architectures. Information about the last
1977 successful logon allows the user to recognize if the date and time provided is not consistent with
1978 the user’s last access.
1979 Related Controls: AC-7, PL-4.
1980 Control Enhancements:
1981 (1) PREVIOUS LOGON NOTIFICATION | UNSUCCESSFUL LOGONS
1982 Notify the user, upon successful logon, of the number of unsuccessful logon attempts since
1983 the last successful logon.
1984 Discussion: Information about the number of unsuccessful logon attempts since the last
1985 successful logon allows the user to recognize if the number of unsuccessful logon attempts is
1986 consistent with the user’s actual logon attempts.
1987 Related Controls: None.
1988 (2) PREVIOUS LOGON NOTIFICATION | SUCCESSFUL AND UNSUCCESSFUL LOGONS
1989 Notify the user, upon successful logon, of the number of [Selection: successful logons;
1990 unsuccessful logon attempts; both] during [Assignment: organization-defined time-period].
1991 Discussion: Information about the number of successful and unsuccessful logon attempts
1992 within a specified time period allows the user to recognize if the number and type of logon
1993 attempts is consistent with the user’s actual logon attempts.
1994 Related Controls: None.
1995 (3) PREVIOUS LOGON NOTIFICATION | NOTIFICATION OF ACCOUNT CHANGES
1996 Notify the user, upon successful logon, of changes to [Assignment: organization-defined
1997 security-related characteristics or parameters of the user’s account] during [Assignment:
1998 organization-defined time-period].
1999 Discussion: Information about changes to security-related account characteristics within a
2000 specified time period allows users to recognize if changes were made without their
2001 knowledge.
2002 Related Controls: None.
2003 (4) PREVIOUS LOGON NOTIFICATION | ADDITIONAL LOGON INFORMATION
2004 Notify the user, upon successful logon, of the following additional information:
2005 [Assignment: organization-defined additional information].
2006 Discussion: Organizations can specify additional information to be provided to users upon
2007 logon, including the location of last logon. User location is defined as that information which
2008 can be determined by systems, for example, Internet Protocol (IP) addresses from which
2009 network logons occurred, notifications of local logons, or device identifiers.

CHAPTER THREE PAGE 40

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2010 Related Controls: None.

2011 References: None.

2012 AC-10 CONCURRENT SESSION CONTROL

2013 Control: Limit the number of concurrent sessions for each [Assignment: organization-defined
2014 account and/or account type] to [Assignment: organization-defined number].
2015 Discussion: Organizations may define the maximum number of concurrent sessions for system
2016 accounts globally, by account type, by account, or any combination thereof. For example,
2017 organizations may limit the number of concurrent sessions for system administrators or other
2018 individuals working in particularly sensitive domains or mission-critical applications. This control
2019 addresses concurrent sessions for system accounts and does not address concurrent sessions by
2020 single users via multiple system accounts.
2021 Related Controls: SC-23.
2022 Control Enhancements: None.
2023 References: None.

2024 AC-11 DEVICE LOCK

2025 Control:
2026 a. Prevent further access to the system by [Selection (one or more): initiating a device lock after
2027 [Assignment: organization-defined time-period] of inactivity; requiring the user to initiate a
2028 device lock before leaving the system unattended]; and
2029 b. Retain the device lock until the user reestablishes access using established identification and
2030 authentication procedures.
2031 Discussion: Device locks are temporary actions taken to prevent logical access to organizational
2032 systems when users stop work and move away from the immediate vicinity of those systems but
2033 do not want to log out because of the temporary nature of their absences. Device locks can be
2034 implemented at the operating system level or at the application level. A proximity lock may be
2035 used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated
2036 device locking is behavior or policy-based and as such, requires users to take physical action to
2037 initiate the device lock. Device locks are not an acceptable substitute for logging out of systems,
2038 for example, if organizations require users to log out at the end of workdays.
2039 Related Controls: AC-2, AC-7, IA-11, PL-4.
2040 Control Enhancements:
2041 (1) DEVICE LOCK | PATTERN-HIDING DISPLAYS
2042 Conceal, via the device lock, information previously visible on the display with a publicly
2043 viewable image.
2044 Discussion: The pattern-hiding display can include static or dynamic images, for example,
2045 patterns used with screen savers, photographic images, solid colors, clock, battery life
2046 indicator, or a blank screen, with the caveat that controlled unclassified information is not
2047 displayed.
2048 Related Controls: None.
2049 References: None.

CHAPTER THREE PAGE 41

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2050 AC-12 SESSION TERMINATION

2051 Control: Automatically terminate a user session after [Assignment: organization-defined
2052 conditions or trigger events requiring session disconnect].
2053 Discussion: Session termination addresses the termination of user-initiated logical sessions (in
2054 contrast to SC-10, which addresses the termination of network connections associated with
2055 communications sessions (i.e., network disconnect)). A logical session (for local, network, and
2056 remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an
2057 organizational system. Such user sessions can be terminated without terminating network
2058 sessions. Session termination ends all processes associated with a user’s logical session except
2059 those processes that are specifically created by the user (i.e., session owner) to continue after
2060 the session is terminated. Conditions or trigger events requiring automatic session termination
2061 include organization-defined periods of user inactivity, targeted responses to certain types of
2062 incidents, or time-of-day restrictions on system use.
2063 Related Controls: MA-4, SC-10, SC-23.
2064 Control Enhancements:
2065 (1) SESSION TERMINATION | USER-INITIATED LOGOUTS
2066 Provide a logout capability for user-initiated communications sessions whenever
2067 authentication is used to gain access to [Assignment: organization-defined information
2068 resources].
2069 Discussion: Information resources to which users gain access via authentication include local
2070 workstations, databases, and password-protected websites or web-based services.
2071 Related Controls: None.
2072 (2) SESSION TERMINATION | TERMINATION MESSAGE
2073 Display an explicit logout message to users indicating the termination of authenticated
2074 communications sessions.
2075 Discussion: Logout messages for web access can be displayed after authenticated sessions
2076 have been terminated. However, for certain types of sessions, including file transfer protocol
2077 (FTP) sessions, systems typically send logout messages as final messages prior to terminating
2078 sessions.
2079 Related Controls: None.
2080 (3) SESSION TERMINATION | TIMEOUT WARNING MESSAGE
2081 Display an explicit message to users indicating that the session will end in [Assignment:
2082 organization-defined time until end of session].
2083 Discussion: To increase usability, notify users of pending session termination and prompt
2084 users to continue the session.
2085 Related Controls: None.
2086 References: None.

2087 AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL

2088 [Withdrawn: Incorporated into AC-2 and AU-6.]

CHAPTER THREE PAGE 42

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2089 AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

2090 Control:
2091 a. Identify [Assignment: organization-defined user actions] that can be performed on the
2092 system without identification or authentication consistent with organizational missions and
2093 business functions; and
2094 b. Document and provide supporting rationale in the security plan for the system, user actions
2095 not requiring identification or authentication.
2096 Discussion: Specific user actions may be permitted without identification or authentication if
2097 organizations determine that identification and authentication is not required for the specified
2098 user actions. Organizations may allow a limited number of user actions without identification or
2099 authentication, including when individuals access public websites or other publicly accessible
2100 federal systems; when individuals use mobile phones to receive calls; or when facsimiles are
2101 received. Organizations identify actions that normally require identification or authentication but
2102 may under certain circumstances, allow identification or authentication mechanisms to be
2103 bypassed. Such bypasses may occur, for example, via a software-readable physical switch that
2104 commands bypass of the logon functionality and is protected from accidental or unmonitored
2105 use. This control does not apply to situations where identification and authentication have
2106 already occurred and are not repeated, but rather to situations where identification and
2107 authentication have not yet occurred. Organizations may decide that there are no user actions
2108 that can be performed on organizational systems without identification and authentication and
2109 therefore, the value for the assignment can be none.
2110 Related Controls: AC-8, IA-2, PL-2.
2111 Control Enhancements: None.
2112 (1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | NECESSARY USES
2113 [Withdrawn: Incorporated into AC-14.]
2114 References: None.

2115 AC-15 AUTOMATED MARKING

2116 [Withdrawn: Incorporated into MP-3.]

2117 AC-16 SECURITY AND PRIVACY ATTRIBUTES

2118 Control:
2119 a. Provide the means to associate [Assignment: organization-defined types of security and
2120 privacy attributes] having [Assignment: organization-defined security and privacy attribute
2121 values] with information in storage, in process, and/or in transmission;
2122 b. Ensure that the attribute associations are made and retained with the information;
2123 c. Establish the permitted [Assignment: organization-defined security and privacy attributes]
2124 for [Assignment: organization-defined systems];
2125 d. Determine the permitted [Assignment: organization-defined values or ranges] for each of
2126 the established attributes;
2127 e. Audit changes to attributes; and
2128 f. Review [Assignment: organization-defined security and privacy attributes] for applicability
2129 [Assignment: organization-defined frequency].

CHAPTER THREE PAGE 43

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2130 Discussion: Information is represented internally within systems using abstractions known as
2131 data structures. Internal data structures can represent different types of entities, both active and
2132 passive. Active entities, also known as subjects, are typically associated with individuals, devices,
2133 or processes acting on behalf of individuals. Passive entities, also known as objects, are typically
2134 associated with data structures such as records, buffers, tables, files, inter-process pipes, and
2135 communications ports. Security attributes, a form of metadata, are abstractions representing the
2136 basic properties or characteristics of active and passive entities with respect to safeguarding
2137 information. Privacy attributes, which may be used independently, or in conjunction with
2138 security attributes, represent the basic properties or characteristics of active or passive entities
2139 with respect to the management of personally identifiable information. Attributes can be either
2140 explicitly or implicitly associated with the information contained in organizational systems or
2141 system components.
2142 Attributes may be associated with active entities (i.e., subjects) that have the potential to send or
2143 receive information, to cause information to flow among objects, or to change the system state.
2144 These attributes may also be associated with passive entities (i.e., objects) that contain or
2145 receive information. The association of attributes to subjects and objects by a system is referred
2146 to as binding and is inclusive of setting the attribute value and the attribute type. Attributes,
2147 when bound to data or information, permit the enforcement of security and privacy policies for
2148 access control and information flow control, including data retention limits, permitted uses of
2149 personally identifiable information, and identification of personal information within data
2150 objects. Such enforcement occurs through organizational processes or system functions or
2151 mechanisms. The binding techniques implemented by systems affect the strength of attribute
2152 binding to information. Binding strength and the assurance associated with binding techniques
2153 play an important part in the trust organizations have in the information flow enforcement
2154 process. The binding techniques affect the number and degree of additional reviews required by
2155 organizations. The content or assigned values of attributes can directly affect the ability of
2156 individuals to access organizational information.
2157 Organizations can define the types of attributes needed for systems to support missions or
2158 business functions. There are many values that can be assigned to a security attribute. Release
2159 markings include US only, NATO (North Atlantic Treaty Organization), or NOFORN (not releasable
2160 to foreign nationals). By specifying the permitted attribute ranges and values, organizations
2161 ensure that attribute values are meaningful and relevant. Labeling refers to the association of
2162 attributes with the subjects and objects represented by the internal data structures within
2163 systems. This facilitates system-based enforcement of information security and privacy policies.
2164 Labels include classification of information in accordance with legal and compliance
2165 requirements; access authorizations; nationality; data life cycle protection (i.e., encryption and
2166 data expiration); personally identifiable information processing permissions; individual consent
2167 to personally identifiable information processing; and affiliation as a contractor. Conversely,
2168 marking refers to the association of attributes with objects in a human-readable form. Marking
2169 enables manual, procedural, or process-based enforcement of information security and privacy
2170 policies. Attribute types include classification level for objects and clearance (access
2171 authorization) level for subjects. An attribute value for both attribute types is Top Secret.
2172 Related Controls: AC-3, AC-4, AC-6, AC-21, AC-25, AU-2, AU-10, MP-3, PE-22, PT-2, PT-5, SC-11,
2173 SC-16, SI-12.
2174 Control Enhancements:
2175 (1) SECURITY AND PRIVACY ATTRIBUTES | DYNAMIC ATTRIBUTE ASSOCIATION
2176 Dynamically associate security and privacy attributes with [Assignment: organization-
2177 defined subjects and objects] in accordance with the following security and privacy policies
2178 as information is created and combined: [Assignment: organization-defined security and
2179 privacy policies].

CHAPTER THREE PAGE 44

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2180 Discussion: Dynamic association of attributes is appropriate whenever the security or

2181 privacy characteristics of information change over time. Attributes may change due to
2182 information aggregation issues (i.e., characteristics of individual data elements are different
2183 from the combined elements); changes in individual access authorizations (i.e., privileges);
2184 changes in the security category of information; or changes in security or privacy policies.
2185 Attributes may also change situationally.
2186 Related Controls: None.
2187 (2) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
2188 Provide authorized individuals (or processes acting on behalf of individuals) the capability
2189 to define or change the value of associated security and privacy attributes.
2190 Discussion: The content or assigned values of attributes can directly affect the ability of
2191 individuals to access organizational information. Therefore, it is important for systems to be
2192 able to limit the ability to create or modify attributes to authorized individuals.
2193 Related Controls: None.
2194 (3) SECURITY AND PRIVACY ATTRIBUTES | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM
2195 Maintain the association and integrity of [Assignment: organization-defined security and
2196 privacy attributes] to [Assignment: organization-defined subjects and objects].
2197 Discussion: Maintaining the association and integrity of security and privacy attributes to
2198 subjects and objects with sufficient assurance helps to ensure that the attribute associations
2199 can be used as the basis of automated policy actions. The integrity of specific items, such as
2200 security configuration files, may be maintained through the use of an integrity monitoring
2201 mechanism that detects anomalies and changes that deviate from “known good” baselines.
2202 Automated policy actions include retention date expirations, access control decisions,
2203 information flow control decisions, and information disclosure decisions.
2204 Related Controls: None.
2205 (4) SECURITY AND PRIVACY ATTRIBUTES | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
2206 Provide the capability to associate [Assignment: organization-defined security and privacy
2207 attributes] with [Assignment: organization-defined subjects and objects] by authorized
2208 individuals (or processes acting on behalf of individuals).
2209 Discussion: Systems in general, provide the capability for privileged users to assign security
2210 and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories,
2211 files, and ports). Some systems provide additional capability for general users to assign
2212 security and privacy attributes to additional objects (e.g., files, emails). The association of
2213 attributes by authorized individuals is described in the design documentation. The support
2214 provided by systems can include prompting users to select security and privacy attributes to
2215 be associated with information objects; employing automated mechanisms to categorize
2216 information with attributes based on defined policies; or ensuring that the combination of
2217 the security or privacy attributes selected is valid. Organizations consider the creation,
2218 deletion, or modification of attributes when defining auditable events.
2219 Related Controls: None.
2220 (5) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
2221 Display security and privacy attributes in human-readable form on each object that the
2222 system transmits to output devices to identify [Assignment: organization-defined special
2223 dissemination, handling, or distribution instructions] using [Assignment: organization-
2224 defined human-readable, standard naming conventions].
2225 Discussion: System outputs include printed pages, screens, or equivalent. System output
2226 devices include printers, notebook computers, video displays, tablets, and smartphones. To

CHAPTER THREE PAGE 45

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2227 mitigate the risk of unauthorized exposure of selected information, for example, shoulder
2228 surfing, the outputs display full attribute values when unmasked by the subscriber.
2229 Related Controls: None.
2230 (6) SECURITY AND PRIVACY ATTRIBUTES | MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION
2231 Require personnel to associate and maintain the association of [Assignment: organization-
2232 defined security and privacy attributes] with [Assignment: organization-defined subjects
2233 and objects] in accordance with [Assignment: organization-defined security and privacy
2234 policies].
2235 Discussion: This control enhancement requires individual users (as opposed to the system)
2236 to maintain associations of defined security and privacy attributes with subjects and objects.
2237 Related Controls: None.
2238 (7) SECURITY AND PRIVACY ATTRIBUTES | CONSISTENT ATTRIBUTE INTERPRETATION
2239 Provide a consistent interpretation of security and privacy attributes transmitted between
2240 distributed system components.
2241 Discussion: To enforce security and privacy policies across multiple system components in
2242 distributed systems, organizations provide a consistent interpretation of security and privacy
2243 attributes employed in access enforcement and flow enforcement decisions. Organizations
2244 can establish agreements and processes to help ensure that distributed system components
2245 implement attributes with consistent interpretations in automated access enforcement and
2246 flow enforcement actions.
2247 Related Controls: None.
2248 (8) SECURITY AND PRIVACY ATTRIBUTES | ASSOCIATION TECHNIQUES AND TECHNOLOGIES
2249 Implement [Assignment: organization-defined techniques and technologies] with
2250 [Assignment: organization-defined level of assurance] in associating security and privacy
2251 attributes to information.
2252 Discussion: The association of security and privacy attributes to information within systems
2253 is important for conducting automated access enforcement and flow enforcement actions.
2254 The association of such attributes to information (i.e., binding) can be accomplished with
2255 technologies and techniques providing different levels of assurance. For example, systems
2256 can bind attributes to information cryptographically using digital signatures supporting
2257 cryptographic keys protected by hardware devices (sometimes known as hardware roots of
2258 trust).
2259 Related Controls: None.
2260 (9) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE REASSIGNMENT — REGRADING MECHANISMS
2261 Change security and privacy attributes associated with information only via regrading
2262 mechanisms validated using [Assignment: organization-defined techniques or procedures].
2263 Discussion: A regrading mechanism is a trusted process authorized to re-classify and re-label
2264 data in accordance with a defined policy exception. Validated regrading mechanisms are
2265 used by organizations to provide the requisite levels of assurance for attribute reassignment
2266 activities. The validation is facilitated by ensuring that regrading mechanisms are single
2267 purpose and of limited function. Since security and privacy attribute changes can directly
2268 affect policy enforcement actions, implementing trustworthy regrading mechanisms is
2269 necessary to help ensure that such mechanisms perform in a consistent and correct mode of
2270 operation.
2271 Related Controls: None.

CHAPTER THREE PAGE 46

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2272 (10) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
2273 Provide authorized individuals the capability to define or change the type and value of
2274 security and privacy attributes available for association with subjects and objects.
2275 Discussion: The content or assigned values of security and privacy attributes can directly
2276 affect the ability of individuals to access organizational information. Therefore, it is
2277 important for systems to be able to limit the ability to create or modify attributes to
2278 authorized individuals only.
2279 Related Controls: None.
2280 References: [OMB A-130]; [FIPS 140-3]; [FIPS 186-4]; [SP 800-162]; [SP 800-178].

2281 AC-17 REMOTE ACCESS

2282 Control:
2283 a. Establish and document usage restrictions, configuration/connection requirements, and
2284 implementation guidance for each type of remote access allowed; and
2285 b. Authorize each type of remote access to the system prior to allowing such connections.
2286 Discussion: Remote access is access to organizational systems (or processes acting on behalf of
2287 users) communicating through external networks such as the Internet. Types of remote access
2288 include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks
2289 (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted
2290 VPNs provides sufficient assurance to the organization that it can effectively treat such
2291 connections as internal networks if the cryptographic mechanisms used are implemented in
2292 accordance with applicable laws, executive orders, directives, regulations, policies, standards,
2293 and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does
2294 not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect
2295 the capability to adequately monitor network communications traffic for malicious code. Remote
2296 access controls apply to systems other than public web servers or systems designed for public
2297 access. This control addresses authorization prior to allowing remote access without specifying
2298 the specific formats for such authorization. While organizations may use information exchange
2299 and system connection security agreements to authorize remote access connections, such
2300 agreements are not required by this control. Enforcing access restrictions for remote access is
2301 addressed via AC-3.
2302 Related Controls: AC-2, AC-3, AC-4, AC-18, AC-19, AC-20, CA-3, CM-10, IA-2, IA-3, IA-8, MA-4, PE-
2303 17, PL-2, PL-4, SC-10, SI-4.
2304 Control Enhancements:
2305 (1) REMOTE ACCESS | MONITORING AND CONTROL
2306 Employ automated mechanisms to monitor and control remote access methods.
2307 Discussion: Monitoring and control of remote access methods allows organizations to
2308 detect attacks and ensure compliance with remote access policies by auditing connection
2309 activities of remote users on a variety of system components, including servers, notebook
2310 computers, workstations, smart phones, and tablets. Audit logging for remote access is
2311 enforced by AU-2. Audit events are defined in AU-2a.
2312 Related Controls: AU-2, AU-6, AU-12, AU-14.
2313 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY AND INTEGRITY USING ENCRYPTION
2314 Implement cryptographic mechanisms to protect the confidentiality and integrity of
2315 remote access sessions.

CHAPTER THREE PAGE 47

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2316 Discussion: Virtual private networks can be used to protect the confidentiality and integrity
2317 of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic
2318 protocol that provides end-to-end communications security over networks and is used for
2319 Internet communications and online transactions.
2320 Related Controls: SC-8, SC-12, SC-13.
2321 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS
2322 Route remote accesses through authorized and managed network access control points.
2323 Discussion: Organizations consider the Trusted Internet Connections initiative [DHS TIC]
2324 requirements for external network connections since limiting the number of access control
2325 points for remote accesses reduces attack surface.
2326 Related Controls: SC-7.
2327 (4) REMOTE ACCESS | PRIVILEGED COMMANDS AND ACCESS
2328 (a) Authorize the execution of privileged commands and access to security-relevant
2329 information via remote access only in a format that provides assessable evidence and
2330 for the following needs: [Assignment: organization-defined needs]; and
2331 (b) Document the rationale for remote access in the security plan for the system.
2332 Discussion: Remote access to systems represents a significant potential vulnerability that
2333 can be exploited by adversaries. As such, restricting the execution of privileged commands
2334 and access to security-relevant information via remote access reduces the exposure of the
2335 organization and the susceptibility to threats by adversaries to the remote access capability.
2336 Related Controls: AC-6, SC-12, SC-13.
2337 (5) REMOTE ACCESS | MONITORING FOR UNAUTHORIZED CONNECTIONS
2338 [Withdrawn: Incorporated into SI-4.]
2339 (6) REMOTE ACCESS | PROTECTION OF MECHANISM INFORMATION
2340 Protect information about remote access mechanisms from unauthorized use and
2341 disclosure.
2342 Discussion: Remote access to organizational information by nonorganizational entities can
2343 increase the risk of unauthorized use and disclosure about remote access mechanisms. The
2344 organization considers including remote access requirements in the information exchange
2345 agreements with other organizations, as applicable. Remote access requirements can also be
2346 included in rules of behavior (see PL-4) and access agreements (see PS-6).
2347 Related Controls: AT-2, AT-3, PS-6.
2348 (7) REMOTE ACCESS | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS
2349 [Withdrawn: Incorporated into AC-3(10).]
2350 (8) REMOTE ACCESS | DISABLE NONSECURE NETWORK PROTOCOLS
2351 [Withdrawn: Incorporated into CM-7.]
2352 (9) REMOTE ACCESS | DISCONNECT OR DISABLE ACCESS
2353 Provide the capability to disconnect or disable remote access to the system within
2354 [Assignment: organization-defined time-period].
2355 Discussion: This control enhancement requires organizations to have the capability to
2356 rapidly disconnect current users remotely accessing the system or disable further remote
2357 access. The speed of disconnect or disablement varies based on the criticality of missions or
2358 business functions and the need to eliminate immediate or future remote access to systems.
2359 Related Controls: None.

CHAPTER THREE PAGE 48

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2360 (10) REMOTE ACCESS | AUTHENTICATE REMOTE COMMANDS

2361 Implement [Assignment: organization-defined controls] to authenticate [Assignment:
2362 organization-defined remote commands].
2363 Discussion: Authenticating remote commands protects against unauthorized commands and
2364 the replay of authorized commands. The capability to authenticate remote commands is
2365 important for remote systems whose loss, malfunction, misdirection, or exploitation would
2366 have immediate or serious consequences, including injury or death; property damage; loss
2367 of high value assets; failure of missions or business functions; or compromise of classified or
2368 controlled unclassified information. Authentication controls for remote commands ensure
2369 that systems accept and execute commands in the order intended, execute only authorized
2370 commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for
2371 example, to authenticate remote commands.
2372 Related Controls: SC-12, SC-13, SC-23.
2373 References: [SP 800-46]; [SP 800-77]; [SP 800-113]; [SP 800-114]; [SP 800-121]; [IR 7966].

2374 AC-18 WIRELESS ACCESS

2375 Control:
2376 a. Establish configuration requirements, connection requirements, and implementation
2377 guidance for each type of wireless access; and
2378 b. Authorize each type of wireless access to the system prior to allowing such connections.
2379 Discussion: Wireless technologies include microwave, packet radio (ultra-high frequency or very
2380 high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that
2381 provide credential protection and mutual authentication.
2382 Related Controls: AC-2, AC-3, AC-17, AC-19, CA-9, CM-7, IA-2, IA-3, IA-8, PL-4, SC-40, SC-43, SI-4.
2383 Control Enhancements:
2384 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION
2385 Protect wireless access to the system using authentication of [Selection (one or more):
2386 users; devices] and encryption.
2387 Discussion: Wireless networking capabilities represent a significant potential vulnerability
2388 that can be exploited by adversaries. To protect systems with wireless access points, strong
2389 authentication of users and devices with encryption can reduce susceptibility to threats by
2390 adversaries involving wireless technologies.
2391 Related Controls: SC-8, SC-13.
2392 (2) WIRELESS ACCESS | MONITORING UNAUTHORIZED CONNECTIONS
2393 [Withdrawn: Incorporated into SI-4.]
2394 (3) WIRELESS ACCESS | DISABLE WIRELESS NETWORKING
2395 Disable, when not intended for use, wireless networking capabilities embedded within
2396 system components prior to issuance and deployment.
2397 Discussion: Wireless networking capabilities that are embedded within system components
2398 represent a significant potential vulnerability that can be exploited by adversaries. Disabling
2399 wireless capabilities when not needed for essential organizational missions or functions can
2400 reduce susceptibility to threats by adversaries involving wireless technologies.
2401 Related Controls: None.

CHAPTER THREE PAGE 49

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2402 (4) WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS

2403 Identify and explicitly authorize users allowed to independently configure wireless
2404 networking capabilities.
2405 Discussion: Organizational authorizations to allow selected users to configure wireless
2406 networking capability are enforced in part, by the access enforcement mechanisms
2407 employed within organizational systems.
2408 Related Controls: SC-7, SC-15.
2409 (5) WIRELESS ACCESS | ANTENNAS AND TRANSMISSION POWER LEVELS
2410 Select radio antennas and calibrate transmission power levels to reduce the probability
2411 that signals from wireless access points can be received outside of organization-controlled
2412 boundaries.
2413 Discussion: Actions that may be taken to limit unauthorized use of wireless communications
2414 outside of organization-controlled boundaries include reducing the power of wireless
2415 transmissions so that the transmissions are less likely to emit a signal that can be captured
2416 outside of the physical perimeters of the organization; employing measures such as
2417 emissions security to control wireless emanations; and using directional or beam forming
2418 antennas that reduce the likelihood that unintended receivers will be able to intercept
2419 signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless
2420 surveys to understand the radio frequency profile of organizational systems as well as other
2421 systems that may be operating in the area.
2422 Related Controls: PE-19.
2423 References: [SP 800-94]; [SP 800-97].

2424 AC-19 ACCESS CONTROL FOR MOBILE DEVICES

2425 Control:
2426 a. Establish configuration requirements, connection requirements, and implementation
2427 guidance for organization-controlled mobile devices, to include when such devices are
2428 outside of controlled areas; and
2429 b. Authorize the connection of mobile devices to organizational systems.
2430 Discussion: A mobile device is a computing device that has a small form factor such that it can
2431 easily be carried by a single individual; is designed to operate without a physical connection;
2432 possesses local, non-removable or removable data storage; and includes a self-contained power
2433 source. Mobile device functionality may also include voice communication capabilities, on-board
2434 sensors that allow the device to capture information, and/or built-in features for synchronizing
2435 local data with remote locations. Examples include smart phones and tablets. Mobile devices are
2436 typically associated with a single individual. The processing, storage, and transmission capability
2437 of the mobile device may be comparable to or merely a subset of notebook/desktop systems,
2438 depending upon the nature and intended purpose of the device. Protection and control of
2439 mobile devices is behavior or policy-based and requires users to take physical action to protect
2440 and control such devices when outside of controlled areas. Controlled areas are spaces for which
2441 organizations provide physical or procedural controls to meet the requirements established for
2442 protecting information and systems.
2443 Due to the large variety of mobile devices with different characteristics and capabilities,
2444 organizational restrictions may vary for the different classes or types of such devices. Usage
2445 restrictions and specific implementation guidance for mobile devices include configuration
2446 management, device identification and authentication, implementation of mandatory protective
2447 software, scanning devices for malicious code, updating virus protection software, scanning for

CHAPTER THREE PAGE 50

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2448 critical software updates and patches, conducting primary operating system (and possibly other
2449 resident software) integrity checks, and disabling unnecessary hardware.
2450 Usage restrictions and authorization to connect may vary among organizational systems. For
2451 example, the organization may authorize the connection of mobile devices to the organizational
2452 network and impose a set of usage restrictions while a system owner may withhold authorization
2453 for mobile device connection to specific applications or may impose additional usage restrictions
2454 before allowing mobile device connections to a system. The need to provide adequate security
2455 for mobile devices goes beyond the requirements in this control. Many controls for mobile
2456 devices are reflected in other controls allocated to the initial control baselines as starting points
2457 for the development of security plans and overlays using the tailoring process. There may also be
2458 some overlap by the security controls within the different families of controls. AC-20 addresses
2459 mobile devices that are not organization-controlled.
2460 Related Controls: AC-3, AC-4, AC-7, AC-11, AC-17, AC-18, AC-20, CA-9, CM-2, CM-6, IA-2, IA-3,
2461 MP-2, MP-4, MP-5, MP-7, PL-4, SC-7, SC-34, SC-43, SI-3, SI-4.
2462 Control Enhancements:
2463 (1) ACCESS CONTROL FOR MOBILE DEVICES | USE OF WRITABLE AND PORTABLE STORAGE DEVICES
2464 [Withdrawn: Incorporated into MP-7.]
2465 (2) ACCESS CONTROL FOR MOBILE DEVICES | USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES
2466 [Withdrawn: Incorporated into MP-7.]
2467 (3) ACCESS CONTROL FOR MOBILE DEVICES | USE OF PORTABLE STORAGE DEVICES WITH NO
2468 IDENTIFIABLE OWNER
2469 [Withdrawn: Incorporated into MP-7.]
2470 (4) ACCESS CONTROL FOR MOBILE DEVICES | RESTRICTIONS FOR CLASSIFIED INFORMATION
2471 (a) Prohibit the use of unclassified mobile devices in facilities containing systems
2472 processing, storing, or transmitting classified information unless specifically permitted
2473 by the authorizing official; and
2474 (b) Enforce the following restrictions on individuals permitted by the authorizing official
2475 to use unclassified mobile devices in facilities containing systems processing, storing,
2476 or transmitting classified information:
2477 (1) Connection of unclassified mobile devices to classified systems is prohibited;
2478 (2) Connection of unclassified mobile devices to unclassified systems requires
2479 approval from the authorizing official;
2480 (3) Use of internal or external modems or wireless interfaces within the unclassified
2481 mobile devices is prohibited; and
2482 (4) Unclassified mobile devices and the information stored on those devices are
2483 subject to random reviews and inspections by [Assignment: organization-defined
2484 security officials], and if classified information is found, the incident handling
2485 policy is followed.
2486 (c) Restrict the connection of classified mobile devices to classified systems in accordance
2487 with [Assignment: organization-defined security policies].
2488 Discussion: None.
2489 Related Controls: CM-8, IR-4.

CHAPTER THREE PAGE 51

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2490 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE AND CONTAINER-BASED ENCRYPTION
2491 Employ [Selection: full-device encryption; container-based encryption] to protect the
2492 confidentiality and integrity of information on [Assignment: organization-defined mobile
2493 devices].
2494 Discussion: Container-based encryption provides a more fine-grained approach to data and
2495 information encryption on mobile devices, including encrypting selected data structures
2496 such as files, records, or fields.
2497 Related Controls: SC-13, SC-28.
2498 References: [SP 800-114]; [SP 800-124].

2499 AC-20 USE OF EXTERNAL SYSTEMS

2500 Control: Establish [Selection (one or more): [Assignment: organization-defined terms and
2501 conditions]; [Assignment: organization-defined controls asserted to be implemented on external
2502 systems]], consistent with the trust relationships established with other organizations owning,
2503 operating, and/or maintaining external systems, allowing authorized individuals to:
2504 a. Access the system from external systems; and
2505 b. Process, store, or transmit organization-controlled information using external systems.
2506 Discussion: External systems are systems that are used by, but not a part of, organizational
2507 systems and for which the organization has no direct control over the implementation of
2508 required security and privacy controls or the assessment of control effectiveness. External
2509 systems include personally owned systems, components, or devices; privately owned computing
2510 and communications devices in commercial or public facilities; systems owned or controlled by
2511 nonfederal organizations; systems managed by contractors; and federal information systems that
2512 are not owned by, operated by, or under the direct supervision and authority of the organization.
2513 External systems also include systems owned or operated by other components within the same
2514 organization, and systems within the organization with different authorization boundaries.
2515 For some external systems (i.e., systems operated by other organizations), the trust relationships
2516 that have been established between those organizations and the originating organization may be
2517 such, that no explicit terms and conditions are required. Systems within these organizations may
2518 not be considered external. These situations occur when, for example, there are pre-existing
2519 information exchange agreements (either implicit or explicit) established between organizations
2520 or components, or when such agreements are specified by applicable laws, executive orders,
2521 directives, regulations, policies, or standards. Authorized individuals include organizational
2522 personnel, contractors, or other individuals with authorized access to organizational systems and
2523 over which organizations have the authority to impose specific rules of behavior regarding
2524 system access. Restrictions that organizations impose on authorized individuals need not be
2525 uniform, as the restrictions may vary depending on trust relationships between organizations.
2526 Therefore, organizations may choose to impose different security restrictions on contractors
2527 than on state, local, or tribal governments.
2528 This control does not apply to external systems used to access public interfaces to organizational
2529 systems. Organizations establish specific terms and conditions for the use of external systems in
2530 accordance with organizational security policies and procedures. Terms and conditions address
2531 as a minimum: the specific types of applications that can be accessed on organizational systems
2532 from external systems; and the highest security category of information that can be processed,
2533 stored, or transmitted on external systems. If the terms and conditions with the owners of the
2534 external systems cannot be established, organizations may impose restrictions on organizational
2535 personnel using those external systems.
2536 Related Controls: AC-2, AC-3, AC-17, AC-19, CA-3, PL-2, PL-4, SA-9, SC-7.

CHAPTER THREE PAGE 52

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2537 Control Enhancements:

2538 (1) USE OF EXTERNAL SYSTEMS | LIMITS ON AUTHORIZED USE
2539 Permit authorized individuals to use an external system to access the system or to process,
2540 store, or transmit organization-controlled information only after:
2541 (a) Verification of the implementation of controls on the external system as specified in
2542 the organization’s security and privacy policies and security and privacy plans; or
2543 (b) Retention of approved system connection or processing agreements with the
2544 organizational entity hosting the external system.
2545 Discussion: Limits on authorized use recognizes the circumstances where individuals using
2546 external systems may need to access organizational systems. Organizations need assurance
2547 that the external systems contain the necessary controls so as not to compromise, damage,
2548 or otherwise harm organizational systems. Verification that the required controls have been
2549 implemented can be achieved by external, independent assessments, attestations, or other
2550 means, depending on the confidence level required by organizations.
2551 Related Controls: CA-2.
2552 (2) USE OF EXTERNAL SYSTEMS | PORTABLE STORAGE DEVICES — RESTRICTED USE
2553 Restrict the use of organization-controlled portable storage devices by authorized
2554 individuals on external systems using [Assignment: organization-defined restrictions].
2555 Discussion: Limits on the use of organization-controlled portable storage devices in external
2556 systems include restrictions on how the devices may be used and under what conditions the
2557 devices may be used.
2558 Related Controls: MP-7, SC-41.
2559 (3) USE OF EXTERNAL SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS — RESTRICTED USE
2560 Restrict the use of non-organizationally owned systems or system components to process,
2561 store, or transmit organizational information using [Assignment: organization-defined
2562 restrictions].
2563 Discussion: Non-organizationally owned systems or system components include systems or
2564 system components owned by other organizations and personally owned devices. There are
2565 potential risks to using non-organizationally owned systems or system components. In some
2566 cases, the risk is sufficiently high as to prohibit such use (see AC-20(6)). In other cases, the
2567 use of such systems or system components may be allowed but restricted in some way.
2568 Restrictions include requiring the implementation of approved controls prior to authorizing
2569 connection of non-organizationally owned systems and components; limiting access to types
2570 of information, services, or applications; using virtualization techniques to limit processing
2571 and storage activities to servers or system components provisioned by the organization; and
2572 agreeing to the terms and conditions for usage. Organizations consult with the Office of the
2573 General Counsel regarding legal issues associated with using personally owned devices,
2574 including requirements for conducting forensic analyses during investigations after an
2575 incident.
2576 Related Controls: None.
2577 (4) USE OF EXTERNAL SYSTEMS | NETWORK ACCESSIBLE STORAGE DEVICES
2578 Prohibit the use of [Assignment: organization-defined network accessible storage devices]
2579 in external systems.
2580 Discussion: Network accessible storage devices in external systems include online storage
2581 devices in public, hybrid, or community cloud-based systems.
2582 Related Controls: None.

CHAPTER THREE PAGE 53

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2583 (5) USE OF EXTERNAL SYSTEMS | PORTABLE STORAGE DEVICES — PROHIBITED USE
2584 Prohibit the use of organization-controlled portable storage devices by authorized
2585 individuals on external systems.
2586 Discussion: Limits on the use of organization-controlled portable storage devices in external
2587 systems include a complete prohibition of the use of such devices.
2588 Related Controls: MP-7, SC-41.
2589 (6) USE OF EXTERNAL SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS — PROHIBITED USE
2590 Prohibit the use of non-organizationally owned systems or system components to process,
2591 store, or transmit organizational information.
2592 Discussion: Non-organizationally owned systems or system components include systems or
2593 system components owned by other organizations and personally owned devices. There are
2594 potential risks to using non-organizationally owned systems or system components. In some
2595 cases, the risk is sufficiently high as to prohibit such use. In other cases, the use of such
2596 systems or system components may be allowed but restricted in some way (see AC-20(4)).
2597 Related Controls: None.
2598 References: [FIPS 199]; [SP 800-171]; [SP 800-171B].

2599 AC-21 INFORMATION SHARING

2600 Control:
2601 a. Enable authorized users to determine whether access authorizations assigned to a sharing
2602 partner match the information’s access and use restrictions for [Assignment: organization-
2603 defined information sharing circumstances where user discretion is required]; and
2604 b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to
2605 assist users in making information sharing and collaboration decisions.
2606 Discussion: Information sharing applies to information that may be restricted in some manner
2607 based on some formal or administrative determination. Examples of such information include,
2608 contract-sensitive information, classified information related to special access programs or
2609 compartments, privileged information, proprietary information, and personally identifiable
2610 information. Security and privacy risk assessments as well as applicable laws, regulations, and
2611 policies can provide useful inputs to these determinations. Depending on the circumstances,
2612 sharing partners may be defined at the individual, group, or organizational level. Information
2613 may be defined by content, type, security category, or special access program or compartment.
2614 Access restrictions may include non-disclosure agreements (NDA).
2615 Related Controls: AC-3, AC-4, AC-16, PT-2, PT-8, RA-3, SC-15.
2616 Control Enhancements:
2617 (1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT
2618 Employ [Assignment: organization-defined automated mechanisms] to enforce
2619 information-sharing decisions by authorized users based on access authorizations of
2620 sharing partners and access restrictions on information to be shared.
2621 Discussion: Automated mechanisms are used to enforce information sharing decisions.
2622 Related Controls: None.
2623 (2) INFORMATION SHARING | INFORMATION SEARCH AND RETRIEVAL
2624 Implement information search and retrieval services that enforce [Assignment:
2625 organization-defined information sharing restrictions].

CHAPTER THREE PAGE 54

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2626 Discussion: Information search and retrieval services identify information system resources
2627 relevant to an information need.
2628 Related Controls: None.
2629 References: [OMB A-130]; [SP 800-150]; [IR 8062].

2630 AC-22 PUBLICLY ACCESSIBLE CONTENT

2631 Control:
2632 a. Designate individuals authorized to make information publicly accessible;
2633 b. Train authorized individuals to ensure that publicly accessible information does not contain
2634 nonpublic information;
2635 c. Review the proposed content of information prior to posting onto the publicly accessible
2636 system to ensure that nonpublic information is not included; and
2637 d. Review the content on the publicly accessible system for nonpublic information
2638 [Assignment: organization-defined frequency] and remove such information, if discovered.
2639 Discussion: In accordance with applicable laws, executive orders, directives, policies, regulations,
2640 standards, and guidelines, the public is not authorized to have access to nonpublic information,
2641 including information protected under the [PRIVACT] and proprietary information. This control
2642 addresses systems that are controlled by the organization and accessible to the public, typically
2643 without identification or authentication. Posting information on non-organizational systems (e.g.,
2644 non-organizational public websites, forums, and social media) is covered by organizational policy.
2645 While organizations may have individuals who are responsible for developing and implementing
2646 policies about the information that can be made publicly accessible, this control addresses the
2647 management of the individuals who make such information publicly accessible.
2648 Related Controls: AC-3, AT-2, AT-3, AU-13.
2649 Control Enhancements: None.
2650 References: [PRIVACT].

2651 AC-23 DATA MINING PROTECTION

2652 Control: Employ [Assignment: organization-defined data mining prevention and detection
2653 techniques] for [Assignment: organization-defined data storage objects] to detect and protect
2654 against unauthorized data mining.
2655 Discussion: Data mining is an analytical process that attempts to find correlations or patterns in
2656 large data sets for the purpose of data or knowledge discovery. Data storage objects include
2657 database records and database fields. Sensitive information can be extracted from data mining
2658 operations. When information is personally identifiable information, it may lead to unanticipated
2659 revelations about individuals and give rise to privacy risks. Prior to performing data mining
2660 activities, organizations determine whether such activities are authorized. Organizations may be
2661 subject to applicable laws, executive orders, directives, regulations, or policies that address data
2662 mining requirements. Organizational personnel consult with the senior agency official for privacy
2663 and legal counsel regarding such requirements.
2664 Data mining prevention and detection techniques include limiting the number and the frequency
2665 of database queries to increase the work factor needed to determine the contents of such
2666 databases; limiting types of responses provided to database queries; applying differential privacy
2667 techniques or homomorphic encryption; and notifying personnel when atypical database queries
2668 or accesses occur. Data mining protection focuses on protecting information from data mining
2669 while such information resides in organizational data stores. In contrast, AU-13 focuses on

CHAPTER THREE PAGE 55

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2670 monitoring for organizational information that may have been mined or otherwise obtained from
2671 data stores and is available as open source information residing on external sites, for example,
2672 through social networking or social media websites.
2673 [EO 13587] requires the establishment of an insider threat program for deterring, detecting, and
2674 mitigating insider threats, including the safeguarding of sensitive information from exploitation,
2675 compromise, or other unauthorized disclosure. This control requires organizations to identify
2676 appropriate techniques to prevent and detect unnecessary or unauthorized data mining, which
2677 can be used by an insider to collect organizational information for the purpose of exfiltration.
2678 Related Controls: PM-12, PT-2.
2679 Control Enhancements: None.
2680 References: [EO 13587].

2681 AC-24 ACCESS CONTROL DECISIONS

2682 Control: [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment:
2683 organization-defined access control decisions] are applied to each access request prior to access
2684 enforcement.
2685 Discussion: Access control decisions (also known as authorization decisions) occur when
2686 authorization information is applied to specific accesses. In contrast, access enforcement occurs
2687 when systems enforce access control decisions. While it is very common to have access control
2688 decisions and access enforcement implemented by the same entity, it is not required, and it is
2689 not always an optimal implementation choice. For some architectures and distributed systems,
2690 different entities may perform access control decisions and access enforcement.
2691 Related Controls: AC-2, AC-3.
2692 Control Enhancements:
2693 (1) ACCESS CONTROL DECISIONS | TRANSMIT ACCESS AUTHORIZATION INFORMATION
2694 Transmit [Assignment: organization-defined access authorization information] using
2695 [Assignment: organization-defined controls] to [Assignment: organization-defined
2696 systems] that enforce access control decisions.
2697 Discussion: Authorization processes and access control decisions may occur in separate
2698 parts of systems or in separate systems. In such instances, authorization information is
2699 transmitted securely (e.g., using cryptographic mechanisms) so timely access control
2700 decisions can be enforced at the appropriate locations. To support the access control
2701 decisions, it may be necessary to transmit as part of the access authorization information,
2702 supporting security and privacy attributes. This is because in distributed systems, there are
2703 various access control decisions that need to be made and different entities make these
2704 decisions in a serial fashion, each requiring those attributes to make the decisions.
2705 Protecting access authorization information ensures that such information cannot be
2706 altered, spoofed, or compromised during transmission.
2707 Related Controls: AU-10.
2708 (2) ACCESS CONTROL DECISIONS | NO USER OR PROCESS IDENTITY
2709 Enforce access control decisions based on [Assignment: organization-defined security or
2710 privacy attributes] that do not include the identity of the user or process acting on behalf
2711 of the user.
2712 Discussion: In certain situations, it is important that access control decisions can be made
2713 without information regarding the identity of the users issuing the requests. These are
2714 generally instances where preserving individual privacy is of paramount importance. In other

CHAPTER THREE PAGE 56

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2715 situations, user identification information is simply not needed for access control decisions
2716 and, especially in the case of distributed systems, transmitting such information with the
2717 needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC,
2718 ABAC, and label-based control policies, for example, might not include user identity as an
2719 attribute.
2720 Related Controls: None.
2721 References: [SP 800-162]; [SP 800-178].

2722 AC-25 REFERENCE MONITOR

2723 Control: Implement a reference monitor for [Assignment: organization-defined access control
2724 policies] that is tamperproof, always invoked, and small enough to be subject to analysis and
2725 testing, the completeness of which can be assured.
2726 Discussion: A reference monitor is a set of design requirements on a reference validation
2727 mechanism that as key component of an operating system, enforces an access control policy
2728 over all subjects and objects. A reference validation mechanism is always invoked (i.e., complete
2729 mediation); tamperproof; and small enough to be subject to analysis and tests, the completeness
2730 of which can be assured (i.e., verifiable). Information is represented internally within systems
2731 using abstractions known as data structures. Internal data structures can represent different
2732 types of entities, both active and passive. Active entities, also known as subjects, are associated
2733 with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known
2734 as objects, are associated with data structures such as records, buffers, communications ports,
2735 tables, files, and inter-process pipes. Reference monitors enforce access control policies that
2736 restrict access to objects based on the identity of subjects or groups to which the subjects
2737 belong. The system enforces the access control policy based on the rule set established by the
2738 policy. The tamperproof property of the reference monitor prevents determined adversaries
2739 from compromising the functioning of the mechanism. The always invoked property prevents
2740 adversaries from bypassing the mechanism and hence violating the security policy. The smallness
2741 property helps to ensure the completeness in the analysis and testing of the mechanism to
2742 detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of
2743 the security policy.
2744 Related Controls: AC-3, AC-16, SA-8, SA-17, SC-3, SC-11, SC-39, SI-13.
2745 Control Enhancements: None.
2746 References: None.

CHAPTER THREE PAGE 57

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2747 3.2 AWARENESS AND TRAINING

2748 Quick link to Awareness and Training summary table
2749
2750 AT-1 POLICY AND PROCEDURES
2751 Control:
2752 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
2753 roles]:
2754 1. [Selection (one or more): organization-level; mission/business process-level; system-
2755 level] awareness and training policy that:
2756 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
2757 coordination among organizational entities, and compliance; and
2758 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
2759 standards, and guidelines; and
2760 2. Procedures to facilitate the implementation of the awareness and training policy and
2761 the associated awareness and training controls;
2762 b. Designate an [Assignment: organization-defined official] to manage the development,
2763 documentation, and dissemination of the awareness and training policy and procedures; and
2764 c. Review and update the current awareness and training:
2765 1. Policy [Assignment: organization-defined frequency]; and
2766 2. Procedures [Assignment: organization-defined frequency].
2767 Discussion: This control addresses policy and procedures for the controls in the AT family
2768 implemented within systems and organizations. The risk management strategy is an important
2769 factor in establishing such policies and procedures. Policies and procedures help provide security
2770 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
2771 on their development. Security and privacy program policies and procedures at the organization
2772 level are preferable, in general, and may obviate the need for system-specific policies and
2773 procedures. The policy can be included as part of the general security and privacy policy or can
2774 be represented by multiple policies reflecting the complex nature of organizations. Procedures
2775 can be established for security and privacy programs and for systems, if needed. Procedures
2776 describe how the policies or controls are implemented and can be directed at the individual or
2777 role that is the object of the procedure. Procedures can be documented in system security and
2778 privacy plans or in one or more separate documents. Restating controls does not constitute an
2779 organizational policy or procedure.
2780 Related Controls: PM-9, PS-8, SI-12.
2781 Control Enhancements: None.
2782 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-50]; [SP 800-100].

2783 AT-2 AWARENESS TRAINING

2784 Control:
2785 a. Provide security and privacy awareness training to system users (including managers, senior
2786 executives, and contractors):

CHAPTER THREE PAGE 58

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2787 1. As part of initial training for new users and [Assignment: organization-defined
2788 frequency] thereafter; and
2789 2. When required by system changes; and
2790 b. Update awareness training [Assignment: organization-defined frequency].
2791 Discussion: Organizations provide foundational and advanced levels of awareness training to
2792 system users, including measures to test the knowledge level of users. Organizations determine
2793 the content of awareness training based on specific organizational requirements, the systems to
2794 which personnel have authorized access, and work environments (e.g., telework). The content
2795 includes an understanding of the need for security and privacy and actions by users to maintain
2796 security and personal privacy and to respond to suspected incidents. The content addresses the
2797 need for operations security and the handling of personally identifiable information.
2798 Awareness techniques include displaying posters, offering supplies inscribed with security and
2799 privacy reminders, displaying logon screen messages, generating email advisories or notices from
2800 organizational officials, and conducting awareness events. Awareness training after the initial
2801 training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable
2802 laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one
2803 or more short ad hoc sessions and include topical information on recent attack schemes; changes
2804 to organizational security and privacy policies; revised security and privacy expectations; or a
2805 subset of topics from the initial training. Updating awareness training on a regular basis helps to
2806 ensure the content remains relevant and effective.
2807 Related Controls: AC-3, AC-17, AC-22, AT-3, AT-4, CP-3, IA-4, IR-2, IR-7, IR-9, PA-2, PL-4, PM-13,
2808 PM-21, PS-7, PT-2, SA-8, SA-16.
2809 Control Enhancements:
2810 (1) AWARENESS TRAINING | PRACTICAL EXERCISES
2811 Provide practical exercises in awareness training that simulate events and incidents.
2812 Discussion: Practical exercises include no-notice social engineering attempts to collect
2813 information, gain unauthorized access, or simulate the adverse impact of opening malicious
2814 email attachments; or invoking, via spear phishing attacks, malicious web links.
2815 Related Controls: CA-2, CA-7, CP-4, IR-3.
2816 (2) AWARENESS TRAINING | INSIDER THREAT
2817 Provide awareness training on recognizing and reporting potential indicators of insider
2818 threat.
2819 Discussion: Potential indicators and possible precursors of insider threat can include
2820 behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to
2821 information not required for job performance; unexplained access to financial resources;
2822 bullying or sexual harassment of fellow employees; workplace violence; and other serious
2823 violations of policies, procedures, directives, regulations, rules, or practices. Awareness
2824 training includes how to communicate concerns of employees and management regarding
2825 potential indicators of insider threat through channels established by the organization and in
2826 accordance with established policies and procedures. Organizations may consider tailoring
2827 insider threat awareness topics to the role. For example, training for managers may be
2828 focused on changes in behavior of team members, while training for employees may be
2829 focused on more general observations.
2830 Related Controls: PM-12.

CHAPTER THREE PAGE 59

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2831 (3) AWARENESS TRAINING | SOCIAL ENGINEERING AND MINING

2832 Provide awareness training on recognizing and reporting potential and actual instances of
2833 social engineering and social mining.
2834 Discussion: Social engineering is an attempt to trick an individual into revealing information
2835 or taking an action that can be used to breach, compromise, or otherwise adversely impact a
2836 system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro
2837 quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to
2838 gather information about the organization that may be used to support future attacks.
2839 Awareness training includes information on how to communicate the concerns of employees
2840 and management regarding potential and actual instances of social engineering and data
2841 mining through organizational channels based on established policies and procedures.
2842 Related Controls: None.
2843 (4) AWARENESS TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
2844 Provide awareness training on recognizing suspicious communications and anomalous
2845 behavior in organizational systems using [Assignment: organization-defined indicators of
2846 malicious code].
2847 Discussion: A well-trained workforce provides another organizational control that can be
2848 employed as part of a defense-in-depth strategy to protect organizations against malicious
2849 code coming into organizations via email or the web applications. Personnel are trained to
2850 look for indications of potentially suspicious email (e.g., receiving an unexpected email,
2851 receiving an email containing strange or poor grammar, or receiving an email from an
2852 unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel
2853 are also trained on how to respond to suspicious email or web communications. For this
2854 process to work effectively, personnel are trained and made aware of what constitutes
2855 suspicious communications. Training personnel on how to recognize anomalous behaviors in
2856 systems can provide organizations with early warning for the presence of malicious code.
2857 Recognition of anomalous behavior by organizational personnel can supplement malicious
2858 code detection and protection tools and systems employed by organizations.
2859 Related Controls: None.
2860 (5) AWARENESS TRAINING | BREACH
2861 Provide awareness training on how to identify and respond to a breach, including the
2862 organization’s process for reporting a breach.
2863 Discussion: A breach is a type of incident that involves personally identifiable information. A
2864 breach results in the loss of control, compromise, unauthorized disclosure, unauthorized
2865 acquisition, or a similar occurrence where a person other than an authorized user accesses
2866 or potentially accesses personally identifiable information or an authorized user accesses or
2867 potentially accesses such information for other than authorized purposes. The awareness
2868 training emphasizes the obligation of individuals to report both confirmed and suspected
2869 breaches involving information in any medium or form, including paper, oral, and electronic.
2870 Awareness training includes tabletop exercises that simulate a breach.
2871 Related Controls: IR-1, IR-2.
2872 (6) AWARENESS TRAINING | ADVANCED PERSISTENT THREAT
2873 Provide awareness training on the advanced persistent threat.
2874 Discussion: An effective way to detect advanced persistent threats (APT) and to preclude
2875 success attacks is to provide specific awareness training for individuals. Threat awareness
2876 training includes educating individuals on the various ways APTs can infiltrate into the
2877 organization (e.g., through websites, emails, advertisement pop-ups, articles, and social
2878 engineering). Effective training includes techniques for recognizing suspicious emails, use of

CHAPTER THREE PAGE 60

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2879 removable systems in non-secure settings, and the potential targeting of individuals at
2880 home.
2881 Related Controls: None.
2882 (7) AWARENESS TRAINING | CYBER THREAT ENVIRONMENT
2883 (a) Provide awareness training on the cyber threat environment; and
2884 (b) Reflect current cyber threat information in system operations.
2885 Discussion: Since threats continue to change over time, the threat awareness training by the
2886 organization is dynamic. Moreover, threat awareness training is not performed in isolation
2887 from the system operations that support organizational missions and business functions.
2888 Related Controls: RA-3.
2889 (8) AWARENESS TRAINING | TRAINING FEEDBACK
2890 Provide feedback on organizational training results to the following personnel
2891 [Assignment: organization-defined frequency]: [Assignment: organization-defined
2892 personnel].
2893 Discussion: Training feedback includes awareness training results and role-based training
2894 results. Training results, especially failures of personnel in critical roles, can be indicative of a
2895 potentially serious problem. Therefore, it is important that senior managers are made aware
2896 of such situations so that they can take appropriate response actions. Training feedback
2897 supports the assessment and update of organization training described in AT-2b.
2898 Related Controls: None.
2899 References: [OMB A-130]; [SP 800-50]; [SP 800-160 v2].

2900 AT-3 ROLE-BASED TRAINING

2901 Control:
2902 a. Provide role-based security and privacy training to personnel with the following roles and
2903 responsibilities: [Assignment: organization-defined roles and responsibilities]:
2904 1. Before authorizing access to the system, information, or performing assigned duties,
2905 and [Assignment: organization-defined frequency] thereafter; and
2906 2. When required by system changes; and
2907 b. Update role-based training [Assignment: organization-defined frequency].
2908 Discussion: Organizations determine the content of training based on the assigned roles and
2909 responsibilities of individuals and the security and privacy requirements of organizations and the
2910 systems to which personnel have authorized access, including technical training specifically
2911 tailored for assigned duties. Roles that may require role-based training include system owners;
2912 authorizing officials; system security officers; privacy officers; acquisition and procurement
2913 officials; enterprise architects; systems engineers; system and software developers; system,
2914 network, and database administrators; personnel conducting configuration management
2915 activities; personnel performing verification and validation activities; auditors; personnel having
2916 access to system-level software; control assessors; personnel with contingency planning and
2917 incident response duties; personnel with privacy management responsibilities; and personnel
2918 having access to personally identifiable information.
2919 Comprehensive role-based training addresses management, operational, and technical roles and
2920 responsibilities covering physical, personnel, and technical controls. Role-based training also
2921 includes policies, procedures, tools, methods, and artifacts for the security and privacy roles
2922 defined. Organizations provide the training necessary for individuals to fulfill their responsibilities

CHAPTER THREE PAGE 61

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2923 related to operations and supply chain security within the context of organizational security and
2924 privacy programs. Role-based training also applies to contractors providing services to federal
2925 agencies. Types of training include web-based and computer-based training, classroom-style
2926 training, and hands-on training (including micro-training). Updating role-based training on a
2927 regular basis helps to ensure the content remains relevant and effective.
2928 Related Controls: AC-3, AC-17, AC-22, AT-2, AT-4, CP-3, IR-2, IR-7, IR-9, IR-10, PL-4, PM-13, PM-
2929 23, PS-7, SA-3, SA-8, SA-11, SA-16, SR-5, SR-6, SR-11.
2930 Control Enhancements:
2931 (1) ROLE-BASED TRAINING | ENVIRONMENTAL CONTROLS
2932 Provide [Assignment: organization-defined personnel or roles] with initial and
2933 [Assignment: organization-defined frequency] training in the employment and operation
2934 of environmental controls.
2935 Discussion: Environmental controls include fire suppression and detection devices or
2936 systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors,
2937 temperature or humidity, heating, ventilation, and air conditioning, and power within the
2938 facility.
2939 Related Controls: PE-1, PE-11, PE-13, PE-14, PE-15.
2940 (2) ROLE-BASED TRAINING | PHYSICAL SECURITY CONTROLS
2941 Provide [Assignment: organization-defined personnel or roles] with initial and
2942 [Assignment: organization-defined frequency] training in the employment and operation
2943 of physical security controls.
2944 Discussion: Physical security controls include physical access control devices, physical
2945 intrusion and detection alarms, operating procedures for facility security guards, and
2946 monitoring or surveillance equipment.
2947 Related Controls: PE-2, PE-3, PE-4.
2948 (3) ROLE-BASED TRAINING | PRACTICAL EXERCISES
2949 Provide practical exercises in security and privacy training that reinforce training
2950 objectives.
2951 Discussion: Practical exercises for security include training for software developers that
2952 addresses simulated attacks exploiting common software vulnerabilities or spear or whale
2953 phishing attacks targeted at senior leaders or executives. Practical exercises for privacy
2954 include modules with quizzes on handling personally identifiable information in various
2955 scenarios, or scenarios on conducting privacy impact assessments.
2956 Related Controls: None.
2957 (4) ROLE-BASED TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
2958 [Withdrawn: Moved to AT-2(4)].
2959 (5) ROLE-BASED TRAINING | ACCESSING PERSONALLY IDENTIFIABLE INFORMATION
2960 Provide [Assignment: organization-defined personnel or roles] with initial and
2961 [Assignment: organization-defined frequency] training on:
2962 (a) Organizational authority for collecting personally identifiable information;
2963 (b) Authorized uses of personally identifiable information;
2964 (c) Identifying, reporting, and responding to a suspected or confirmed breach;
2965 (d) Content of system of records notices, computer matching agreements, and privacy
2966 impact assessments;
2967 (e) Authorized sharing of personally identifiable information with external parties; and

CHAPTER THREE PAGE 62

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2968 (f) Rules of behavior and the consequences for unauthorized collection, use, or sharing of
2969 personally identifiable information.
2970 Discussion: Role-based training addresses the responsibility of individuals when accessing
2971 personally identifiable information; the organization’s established rules of behavior when
2972 accessing personally identifiable information; the consequences for violating the rules of
2973 behavior; and how to respond to a breach. Role-based training helps ensure personnel
2974 comply with applicable privacy requirements and is necessary to manage privacy risks.
2975 Related Controls: None.
2976 References: [OMB A-130]; [SP 800-50].

2977 AT-4 TRAINING RECORDS

2978 Control:
2979 a. Document and monitor information security and privacy training activities, including security
2980 and privacy awareness training and specific role-based security and privacy training; and
2981 b. Retain individual training records for [Assignment: organization-defined time-period].
2982 Discussion: Documentation for specialized training may be maintained by individual supervisors
2983 at the discretion of the organization. The National Archives and Records Administration provides
2984 guidance on records retention for federal agencies.
2985 Related Controls: AT-2, AT-3, CP-3, IR-2, PM-14, SI-12.
2986 Control Enhancements: None.
2987 References: [OMB A-130].

2988 AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

2989 [Withdrawn: Incorporated into PM-15.]

CHAPTER THREE PAGE 63

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

2990 3.3 AUDIT AND ACCOUNTABILITY

2991 Quick link to Audit and Accountability summary table

2992 AU-1 POLICY AND PROCEDURES

2993 Control:
2994 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
2995 roles]:
2996 1. [Selection (one or more): organization-level; mission/business process-level; system-
2997 level] audit and accountability policy that:
2998 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
2999 coordination among organizational entities, and compliance; and
3000 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
3001 standards, and guidelines; and
3002 2. Procedures to facilitate the implementation of the audit and accountability policy and
3003 the associated audit and accountability controls;
3004 b. Designate an [Assignment: organization-defined official] to manage the development,
3005 documentation, and dissemination of the audit and accountability policy and procedures;
3006 and
3007 c. Review and update the current audit and accountability:
3008 1. Policy [Assignment: organization-defined frequency]; and
3009 2. Procedures [Assignment: organization-defined frequency].
3010 Discussion: This control addresses policy and procedures for the controls in the AU family
3011 implemented within systems and organizations. The risk management strategy is an important
3012 factor in establishing such policies and procedures. Policies and procedures help provide security
3013 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
3014 on their development. Security and privacy program policies and procedures at the organization
3015 level are preferable, in general, and may obviate the need for system-specific policies and
3016 procedures. The policy can be included as part of the general security and privacy policy or can
3017 be represented by multiple policies reflecting the complex nature of organizations. Procedures
3018 can be established for security and privacy programs and for systems, if needed. Procedures
3019 describe how the policies or controls are implemented and can be directed at the individual or
3020 role that is the object of the procedure. Procedures can be documented in system security and
3021 privacy plans or in one or more separate documents. Restating controls does not constitute an
3022 organizational policy or procedure.
3023 Related Controls: PM-9, PS-8, SI-12.
3024 Control Enhancements: None.
3025 References: [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

3026 AU-2 EVENT LOGGING

3027 Control:
3028 a. Identify the types of events that the system is capable of logging in support of the audit
3029 function: [Assignment: organization-defined event types that the system is capable of
3030 logging];

CHAPTER THREE PAGE 64

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3031 b. Coordinate the event logging function with other organizational entities requiring audit-
3032 related information to guide and inform the selection criteria for events to be logged;
3033 c. Specify the following event types for logging within the system: [Assignment: organization-
3034 defined event types (subset of the event types defined in AU-2 a.) along with the frequency of
3035 (or situation requiring) logging for each identified event type];
3036 d. Provide a rationale for why the event types selected for logging are deemed to be adequate
3037 to support after-the-fact investigations of incidents; and
3038 e. Review and update the event types selected for logging [Assignment: organization-defined
3039 frequency].
3040 Discussion: An event is an observable occurrence in a system. The types of events that require
3041 logging are those events that are significant and relevant to the security of systems and the
3042 privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event
3043 types include password changes; failed logons or failed accesses related to systems; security or
3044 privacy attribute changes; administrative privilege usage; PIV credential usage; data action
3045 changes; query parameters; or external credential usage. In determining the set of event types
3046 that require logging, organizations consider the monitoring and auditing appropriate for each of
3047 the controls to be implemented. For completeness, event logging includes all protocols that are
3048 operational and supported by the system.
3049 To balance monitoring and auditing requirements with other system needs, this control also
3050 requires identifying the subset of event types that are logged at a given point in time. For
3051 example, organizations may determine that systems need the capability to log every file access
3052 successful and unsuccessful, but not activate that capability except for specific circumstances due
3053 to the potential burden on system performance. The types of events that organizations desire to
3054 be logged may change. Reviewing and updating the set of logged events is necessary to help
3055 ensure that the events remain relevant and continue to support the needs of the organization.
3056 Organizations consider how the types of logging events can reveal information about individuals
3057 that may give rise to privacy risk and how best to mitigate such risks. For example, there is the
3058 potential for personally identifiable information in the audit trail especially if the logging event is
3059 based on patterns or time of usage.
3060 Event logging requirements, including the need to log specific event types, may be referenced in
3061 other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11),
3062 AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-
3063 7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required
3064 by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
3065 Audit records can be generated at various levels, including at the packet level as information
3066 traverses the network. Selecting the appropriate level of event logging is an important part of a
3067 monitoring and auditing capability and can identify the root causes of problems. Organizations
3068 consider in the definition of event types, the logging necessary to cover related event types such
3069 as the steps in distributed, transaction-based processes and the actions that occur in service-
3070 oriented architectures.
3071 Related Controls: AC-2, AC-3, AC-6, AC-7, AC-8, AC-16, AC-17, AU-3, AU-4, AU-5, AU-6, AU-7, AU-
3072 11, AU-12, CM-3, CM-5, CM-6, CM-13, IA-3, MA-4, MP-4, PE-3, PM-21, PT-2, PT-8, RA-8, SA-8, SC-
3073 7, SC-18, SI-3, SI-4, SI-7, SI-10, SI-11.
3074 Control Enhancements:
3075 (1) EVENT LOGGING | COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES
3076 [Withdrawn: Incorporated into AU-12.]

CHAPTER THREE PAGE 65

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3077 (2) EVENT LOGGING | SELECTION OF AUDIT EVENTS BY COMPONENT

3078 [Withdrawn: Incorporated into AU-12.]
3079 (3) EVENT LOGGING | REVIEWS AND UPDATES
3080 [Withdrawn: Incorporated into AU-2.]
3081 (4) EVENT LOGGING | PRIVILEGED FUNCTIONS
3082 [Withdrawn: Incorporated into AC-6(9).]
3083 References: [OMB A-130]; [SP 800-92].

3084 AU-3 CONTENT OF AUDIT RECORDS

3085 Control: Ensure that audit records contain information that establishes the following:
3086 a. What type of event occurred;
3087 b. When the event occurred;
3088 c. Where the event occurred;
3089 d. Source of the event;
3090 e. Outcome of the event; and
3091 f. Identity of any individuals, subjects, or objects/entities associated with the event.
3092 Discussion: Audit record content that may be necessary to support the auditing function
3093 includes, but is not limited to, event descriptions (item a), time stamps (item b), source and
3094 destination addresses (item c), user or process identifiers (items d and f), success or fail
3095 indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include
3096 indicators of event success or failure and event-specific results, such as the system security and
3097 privacy posture after the event occurred. Organizations consider how audit records can reveal
3098 information about individuals that may give rise to privacy risk and how best to mitigate such
3099 risks. For example, there is the potential for personally identifiable information in the audit trail
3100 especially if the trail records inputs or is based on patterns or time of usage.
3101 Related Controls: AU-2, AU-8, AU-12, AU-14, MA-4, SA-8, SI-7, SI-11.
3102 Control Enhancements:
3103 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION
3104 Generate audit records containing the following additional information: [Assignment:
3105 organization-defined additional information].
3106 Discussion: The ability to add information generated in audit records is dependent on system
3107 functionality to configure the audit record content. Organizations may consider additional
3108 information in audit records including, but not limited to, access control or flow control rules
3109 invoked and individual identities of group account users. Organizations may also consider limiting
3110 additional audit record information to only information explicitly needed for audit requirements.
3111 This facilitates the use of audit trails and audit logs by not including information in audit records
3112 that could potentially be misleading or that could make it more difficult to locate information of
3113 interest.
3114 Related Controls: None.
3115 (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
3116 Provide centralized management and configuration of the content to be captured in audit
3117 records generated by [Assignment: organization-defined system components].

CHAPTER THREE PAGE 66

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3118 Discussion: Centralized management of planned audit record content requires that the
3119 content to be captured in audit records be configured from a central location (necessitating
3120 an automated capability). Organizations coordinate the selection of the required audit
3121 record content to support the centralized management and configuration capability
3122 provided by the system.
3123 Related Controls: AU-6, AU-7.
3124 (3) CONTENT OF AUDIT RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS
3125 Limit personally identifiable information contained in audit records to the following
3126 elements identified in the privacy risk assessment: [Assignment: organization-defined
3127 elements].
3128 Discussion: Limiting personally identifiable information in audit records when such
3129 information is not needed for operational purposes helps reduce the level of privacy risk
3130 created by a system.
3131 Related Controls: RA-3.
3132 References: [OMB A-130]; [IR 8062].

3133 AU-4 AUDIT LOG STORAGE CAPACITY

3134 Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined
3135 audit log retention requirements].
3136 Discussion: Organizations consider the types of audit logging to be performed and the audit log
3137 processing requirements when allocating audit log storage capacity. Allocating sufficient audit
3138 log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the
3139 potential loss or reduction of audit logging capability.
3140 Related Controls: AU-2, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4.
3141 Control Enhancements:
3142 (1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
3143 Transfer audit logs [Assignment: organization-defined frequency] to a different system,
3144 system component, or media other than the system or system component conducting the
3145 logging.
3146 Discussion: Audit log transfer, also known as off-loading, is a common process in systems
3147 with limited audit log storage capacity and thus supports availability of the audit logs. The
3148 initial audit log storage is used only in a transitory fashion until the system can communicate
3149 with the secondary or alternate system allocated to audit log storage, at which point the
3150 audit logs are transferred. This control enhancement is similar to AU-9(2) in that audit logs
3151 are transferred to a different entity. However, the primary purpose of selecting AU-9(2) is to
3152 protect the confidentiality and integrity of audit records. Organizations can select either
3153 control enhancement to obtain the dual benefit of increased audit log storage capacity and
3154 preserving the confidentiality, integrity, and availability of audit records and logs.
3155 Related Controls: None.
3156 References: None.

3157 AU-5 RESPONSE TO AUDIT LOGGING PROCESS FAILURES

3158 Control:
3159 a. Alert [Assignment: organization-defined personnel or roles] within [Assignment:
3160 organization-defined time-period] in the event of an audit logging process failure; and

CHAPTER THREE PAGE 67

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3161 b. Take the following additional actions: [Assignment: organization-defined additional actions].
3162 Discussion: Audit logging process failures include, for example, software and hardware errors;
3163 reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms.
3164 Organization-defined actions include overwriting oldest audit records; shutting down the system;
3165 and stopping the generation of audit records. Organizations may choose to define additional
3166 actions for audit logging process failures based on the type of failure, the location of the failure,
3167 the severity of the failure, or a combination of such factors. When the audit logging process
3168 failure is related to storage, the response is carried out for the audit log storage repository (i.e.,
3169 the distinct system component where the audit logs are stored); the system on which the audit
3170 logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage
3171 repositories combined), or all three. Organizations may decide to take no additional actions after
3172 alerting designated roles or personnel.
3173 Related Controls: AU-2, AU-4, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4, SI-12.
3174 Control Enhancements:
3175 (1) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | STORAGE CAPACITY WARNING
3176 Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations]
3177 within [Assignment: organization-defined time-period] when allocated audit log storage
3178 volume reaches [Assignment: organization-defined percentage] of repository maximum
3179 audit log storage capacity.
3180 Discussion: Organizations may have multiple audit log storage repositories distributed
3181 across multiple system components, with each repository having different storage volume
3182 capacities.
3183 Related Controls: None.
3184 (2) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | REAL-TIME ALERTS
3185 Provide an alert within [Assignment: organization-defined real-time-period] to
3186 [Assignment: organization-defined personnel, roles, and/or locations] when the following
3187 audit failure events occur: [Assignment: organization-defined audit logging failure events
3188 requiring real-time alerts].
3189 Discussion: Alerts provide organizations with urgent messages. Real-time alerts provide
3190 these messages at information technology speed (i.e., the time from event detection to alert
3191 occurs in seconds or less).
3192 Related Controls: None.
3193 (3) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS
3194 Enforce configurable network communications traffic volume thresholds reflecting limits
3195 on audit log storage capacity and [Selection: reject; delay] network traffic above those
3196 thresholds.
3197 Discussion: Organizations have the capability to reject or delay the processing of network
3198 communications traffic if audit logging information about such traffic is determined to
3199 exceed the storage capacity of the system audit logging function. The rejection or delay
3200 response is triggered by the established organizational traffic volume thresholds that can be
3201 adjusted based on changes to audit log storage capacity.
3202 Related Controls: None.
3203 (4) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | SHUTDOWN ON FAILURE
3204 Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational
3205 mode with limited mission or business functionality available] in the event of [Assignment:

CHAPTER THREE PAGE 68

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3206 organization-defined audit logging failures], unless an alternate audit logging capability
3207 exists.
3208 Discussion: Organizations determine the types of audit logging failures that can trigger
3209 automatic system shutdowns or degraded operations. Because of the importance of
3210 ensuring mission and business continuity, organizations may determine that the nature of
3211 the audit logging failure is not so severe that it warrants a complete shutdown of the system
3212 supporting the core organizational missions and business operations. In those instances,
3213 partial system shutdowns or operating in a degraded mode with reduced capability may be
3214 viable alternatives.
3215 Related Controls: AU-15.
3216 (5) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | ALTERNATE AUDIT LOGGING CAPABILITY
3217 Provide an alternate audit logging capability in the event of a failure in primary audit
3218 logging capability that implements [Assignment: organization-defined alternate audit
3219 logging functionality].
3220 Discussion: Since an alternate audit logging capability may be a short-term protection
3221 solution employed until the failure in the primary audit logging capability is corrected,
3222 organizations may determine that the alternate audit logging capability need only provide a
3223 subset of the primary audit logging functionality that is impacted by the failure.
3224 Related Controls: AU-9.
3225 References: None.

3226 AU-6 AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING

3227 Control:
3228 a. Review and analyze system audit records [Assignment: organization-defined frequency] for
3229 indications of [Assignment: organization-defined inappropriate or unusual activity];
3230 b. Report findings to [Assignment: organization-defined personnel or roles]; and
3231 c. Adjust the level of audit record review, analysis, and reporting within the system when there
3232 is a change in risk based on law enforcement information, intelligence information, or other
3233 credible sources of information.
3234 Discussion: Audit record review, analysis, and reporting covers information security- and privacy-
3235 related logging performed by organizations, including logging that results from monitoring of
3236 account usage, remote access, wireless connectivity, mobile device connection, configuration
3237 settings, system component inventory, use of maintenance tools and nonlocal maintenance,
3238 physical access, temperature and humidity, equipment delivery and removal, communications at
3239 system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational
3240 entities that include the incident response team, help desk, and security or privacy offices. If
3241 organizations are prohibited from reviewing and analyzing audit records or unable to conduct
3242 such activities, the review or analysis may be carried out by other organizations granted such
3243 authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting
3244 may be adjusted to meet organizational needs based on new information received.
3245 Related Controls: AC-2, AC-3, AC-5, AC-6, AC-7, AC-17, AU-7, AU-16, CA-2, CA-7, CM-2, CM-5,
3246 CM-6, CM-10, CM-11, IA-2, IA-3, IA-5, IA-8, IR-5, MA-4, MP-4, PE-3, PE-6, RA-5, SA-8, SC-7, SI-3,
3247 SI-4, SI-7.

CHAPTER THREE PAGE 69

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3248 Control Enhancements:

3249 (1) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUTOMATED PROCESS INTEGRATION
3250 Integrate audit record review, analysis, and reporting processes using [Assignment:
3251 organization-defined automated mechanisms].
3252 Discussion: Organizational processes benefiting from integrated audit record review,
3253 analysis, and reporting include incident response, continuous monitoring, contingency
3254 planning, investigation and response to suspicious activities, and Inspector General audits.
3255 Related Controls: PM-7.
3256 (2) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUTOMATED SECURITY ALERTS
3257 [Withdrawn: Incorporated into SI-4.]
3258 (3) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT RECORD REPOSITORIES
3259 Analyze and correlate audit records across different repositories to gain organization-wide
3260 situational awareness.
3261 Discussion: Organization-wide situational awareness includes awareness across all three
3262 levels of risk management (i.e., organizational level, mission/business process level, and
3263 information system level) and supports cross-organization awareness.
3264 Related Controls: AU-12, IR-4.
3265 (4) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CENTRAL REVIEW AND ANALYSIS
3266 Provide and implement the capability to centrally review and analyze audit records from
3267 multiple components within the system.
3268 Discussion: Automated mechanisms for centralized reviews and analyses include Security
3269 Information and Event Management products.
3270 Related Controls: AU-2, AU-12.
3271 (5) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | INTEGRATED ANALYSIS OF AUDIT RECORDS
3272 Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability
3273 scanning information; performance data; system monitoring information; [Assignment:
3274 organization-defined data/information collected from other sources]] to further enhance
3275 the ability to identify inappropriate or unusual activity.
3276 Discussion: Integrated analysis of audit records does not require vulnerability scanning, the
3277 generation of performance data, or system monitoring. Rather, integrated analysis requires
3278 that the analysis of information generated by scanning, monitoring, or other data collection
3279 activities is integrated with the analysis of audit record information. Security Information
3280 and Event Management tools can facilitate audit record aggregation or consolidation from
3281 multiple system components as well as audit record correlation and analysis. The use of
3282 standardized audit record analysis scripts developed by organizations (with localized script
3283 adjustments, as necessary) provides more cost-effective approaches for analyzing audit
3284 record information collected. The correlation of audit record information with vulnerability
3285 scanning information is important in determining the veracity of vulnerability scans of the
3286 system and in correlating attack detection events with scanning results. Correlation with
3287 performance data can uncover denial of service attacks or other types of attacks resulting in
3288 unauthorized use of resources. Correlation with system monitoring information can assist in
3289 uncovering attacks and in better relating audit information to operational situations.
3290 Related Controls: AU-12, IR-4.

CHAPTER THREE PAGE 70

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3291 (6) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING
3292 Correlate information from audit records with information obtained from monitoring
3293 physical access to further enhance the ability to identify suspicious, inappropriate,
3294 unusual, or malevolent activity.
3295 Discussion: The correlation of physical audit record information and the audit records from
3296 systems may assist organizations in identifying suspicious behavior or supporting evidence of
3297 such behavior. For example, the correlation of an individual’s identity for logical access to
3298 certain systems with the additional physical security information that the individual was
3299 present at the facility when the logical access occurred, may be useful in investigations.
3300 Related Controls: None.
3301 (7) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | PERMITTED ACTIONS
3302 Specify the permitted actions for each [Selection (one or more): system process; role; user]
3303 associated with the review, analysis, and reporting of audit record information.
3304 Discussion: Organizations specify permitted actions for system processes, roles, and users
3305 associated with the review, analysis, and reporting of audit records through system account
3306 management activities. Specifying permitted actions on audit record information is a way to
3307 enforce the principle of least privilege. Permitted actions are enforced by the system and
3308 include read, write, execute, append, and delete.
3309 Related Controls: None.
3310 (8) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | FULL TEXT ANALYSIS OF PRIVILEGED
3311 COMMANDS
3312 Perform a full text analysis of logged privileged commands in a physically distinct
3313 component or subsystem of the system, or other system that is dedicated to that analysis.
3314 Discussion: Full text analysis of privileged commands requires a distinct environment for the
3315 analysis of audit record information related to privileged users without compromising such
3316 information on the system where the users have elevated privileges, including the capability
3317 to execute privileged commands. Full text analysis refers to analysis that considers the full
3318 text of privileged commands (i.e., commands and parameters) as opposed to analysis that
3319 considers only the name of the command. Full text analysis includes the use of pattern
3320 matching and heuristics.
3321 Related Controls: AU-3, AU-9, AU-11, AU-12.
3322 (9) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH INFORMATION FROM
3323 NONTECHNICAL SOURCES
3324 Correlate information from nontechnical sources with audit record information to enhance
3325 organization-wide situational awareness.
3326 Discussion: Nontechnical sources include records documenting organizational policy
3327 violations related to sexual harassment incidents and the improper use of information
3328 assets. Such information can lead to a directed analytical effort to detect potential malicious
3329 insider activity. Organizations limit access to information that is available from nontechnical
3330 sources due to its sensitive nature. Limited access minimizes the potential for inadvertent
3331 release of privacy-related information to individuals that do not have a need to know. Thus,
3332 the correlation of information from nontechnical sources with audit record information
3333 generally occurs only when individuals are suspected of being involved in an incident.
3334 Organizations obtain legal advice prior to initiating such actions.
3335 Related Controls: PM-12.
3336 (10) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUDIT LEVEL ADJUSTMENT
3337 [Withdrawn: Incorporated into AU-6.]

CHAPTER THREE PAGE 71

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3338 References: [SP 800-86]; [SP 800-101].

3339 AU-7 AUDIT RECORD REDUCTION AND REPORT GENERATION

3340 Control: Provide and implement an audit record reduction and report generation capability that:
3341 a. Supports on-demand audit record review, analysis, and reporting requirements and after-
3342 the-fact investigations of incidents; and
3343 b. Does not alter the original content or time ordering of audit records.
3344 Discussion: Audit record reduction is a process that manipulates collected audit log information
3345 and organizes such information in a summary format that is more meaningful to analysts. Audit
3346 record reduction and report generation capabilities do not always emanate from the same
3347 system or from the same organizational entities conducting audit logging activities. The audit
3348 record reduction capability includes modern data mining techniques with advanced data filters to
3349 identify anomalous behavior in audit records. The report generation capability provided by the
3350 system can generate customizable reports. Time ordering of audit records can be an issue if the
3351 granularity of the timestamp in the record is insufficient.
3352 Related Controls: AC-2, AU-2, AU-3, AU-4, AU-5, AU-6, AU-12, AU-16, CM-5, IA-5, IR-4, PM-12, SI-
3353 4.
3354 Control Enhancements:
3355 (1) AUDIT RECORD REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING
3356 Provide and implement the capability to process, sort, and search audit records for events
3357 of interest based on the following content: [Assignment: organization-defined fields within
3358 audit records].
3359 Discussion: Events of interest can be identified by the content of audit records including
3360 system resources involved, information objects accessed, identities of individuals, event
3361 types, event locations, event dates and times, Internet Protocol addresses involved, or event
3362 success or failure. Organizations may define event criteria to any degree of granularity
3363 required, for example, locations selectable by a general networking location or by specific
3364 system component.
3365 Related Controls: None.
3366 (2) AUDIT RECORD REDUCTION AND REPORT GENERATION | AUTOMATIC SORT AND SEARCH
3367 [Withdrawn: Incorporated into AU-7(1).]
3368 References: None.

3369 AU-8 TIME STAMPS

3370 Control:
3371 a. Use internal system clocks to generate time stamps for audit records; and
3372 b. Record time stamps for audit records that meet [Assignment: organization-defined
3373 granularity of time measurement] and that use Coordinated Universal Time, have a fixed
3374 local time offset from Coordinated Universal Time, or that include the local time offset as
3375 part of the time stamp.
3376 Discussion: Time stamps generated by the system include date and time. Time is commonly
3377 expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time
3378 (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the
3379 degree of synchronization between system clocks and reference clocks, for example, clocks
3380 synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define

CHAPTER THREE PAGE 72

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3381 different time granularities for different system components. Time service can be critical to other
3382 security capabilities such as access control and identification and authentication, depending on
3383 the nature of the mechanisms used to support those capabilities.
3384 Related Controls: AU-3, AU-12, AU-14, SC-45.
3385 Control Enhancements:
3386 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
3387 (a) Compare the internal system clocks [Assignment: organization-defined frequency]
3388 with [Assignment: organization-defined authoritative time source]; and
3389 (b) Synchronize the internal system clocks to the authoritative time source when the time
3390 difference is greater than [Assignment: organization-defined time-period].
3391 Discussion: Synchronization of internal system clocks with an authoritative source provides
3392 uniformity of time stamps for systems with multiple system clocks and systems connected
3393 over a network.
3394 Related Controls: None.
3395 (2) TIME STAMPS | SECONDARY AUTHORITATIVE TIME SOURCE
3396 (a) Identify a secondary authoritative time source that is in a different geographic region
3397 than the primary authoritative time source; and
3398 (b) Synchronize the internal system clocks to the secondary authoritative time source if
3399 the primary authoritative time source is unavailable.
3400 Discussion: It may be necessary to employ geolocation information to determine that the
3401 secondary authoritative time source is in a different geographic region.
3402 Related Controls: None.
3403 References: [IETF 5905].

3404 AU-9 PROTECTION OF AUDIT INFORMATION

3405 Control: Protect audit information and audit logging tools from unauthorized access,
3406 modification, and deletion.
3407 Discussion: Audit information includes all information, for example, audit records, audit log
3408 settings, audit reports, and personally identifiable information, needed to successfully audit
3409 system activity. Audit logging tools are those programs and devices used to conduct system audit
3410 and logging activities. Protection of audit information focuses on technical protection and limits
3411 the ability to access and execute audit logging tools to authorized individuals. Physical protection
3412 of audit information is addressed by both media protection controls and physical and
3413 environmental protection controls.
3414 Related Controls: AC-3, AC-6, AU-6, AU-11, AU-14, AU-15, MP-2, MP-4, PE-2, PE-3, PE-6, SA-8,
3415 SC-8, SI-4.
3416 Control Enhancements:
3417 (1) PROTECTION OF AUDIT INFORMATION | HARDWARE WRITE-ONCE MEDIA
3418 Write audit trails to hardware-enforced, write-once media.
3419 Discussion: Writing audit trails to hardware-enforced, write-once media applies to the initial
3420 generation of audit trails (i.e., the collection of audit records that represents the information
3421 to be used for detection, analysis, and reporting purposes) and to the backup of those audit
3422 trails. Writing audit trails to hardware-enforced, write-once media does not apply to the
3423 initial generation of audit records prior to being written to an audit trail. Write-once, read-
3424 many (WORM) media includes Compact Disk-Recordable (CD-R) and Digital Versatile Disk-

CHAPTER THREE PAGE 73

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3425 Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on
3426 tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-
3427 once, media.
3428 Related Controls: AU-4, AU-5.
3429 (2) PROTECTION OF AUDIT INFORMATION | STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS
3430 Store audit records [Assignment: organization-defined frequency] in a repository that is
3431 part of a physically different system or system component than the system or component
3432 being audited.
3433 Discussion: Storing audit records in a repository separate from the audited system or system
3434 component helps to ensure that a compromise of the system being audited does not also
3435 result in a compromise of the audit records. Storing audit records on separate physical
3436 systems or components also preserves the confidentiality and integrity of audit records and
3437 facilitates the management of audit records as an organization-wide activity. Storing audit
3438 records on separate systems or components applies to initial generation as well as backup or
3439 long-term storage of audit records.
3440 Related Controls: AU-4, AU-5.
3441 (3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION
3442 Implement cryptographic mechanisms to protect the integrity of audit information and
3443 audit tools.
3444 Discussion: Cryptographic mechanisms used for protecting the integrity of audit information
3445 include signed hash functions using asymmetric cryptography. This enables the distribution
3446 of the public key to verify the hash information while maintaining the confidentiality of the
3447 secret key used to generate the hash.
3448 Related Controls: AU-10, SC-12, SC-13.
3449 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS
3450 Authorize access to management of audit logging functionality to only [Assignment:
3451 organization-defined subset of privileged users or roles].
3452 Discussion: Individuals or roles with privileged access to a system and who are also the
3453 subject of an audit by that system, may affect the reliability of the audit information by
3454 inhibiting audit activities or modifying audit records. Requiring privileged access to be
3455 further defined between audit-related privileges and other privileges, limits the number of
3456 users or roles with audit-related privileges.
3457 Related Controls: AC-5.
3458 (5) PROTECTION OF AUDIT INFORMATION | DUAL AUTHORIZATION
3459 Enforce dual authorization for [Selection (one or more): movement; deletion] of
3460 [Assignment: organization-defined audit information].
3461 Discussion: Organizations may choose different selection options for different types of audit
3462 information. Dual authorization mechanisms (also known as two-person control) require the
3463 approval of two authorized individuals to execute audit functions. To reduce the risk of
3464 collusion, organizations consider rotating dual authorization duties to other individuals.
3465 Organizations do not require dual authorization mechanisms when immediate responses are
3466 necessary to ensure public and environmental safety.
3467 Related Controls: AC-3.
3468 (6) PROTECTION OF AUDIT INFORMATION | READ-ONLY ACCESS
3469 Authorize read-only access to audit information to [Assignment: organization-defined
3470 subset of privileged users or roles].

CHAPTER THREE PAGE 74

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3471 Discussion: Restricting privileged user or role authorizations to read-only helps to limit the
3472 potential damage to organizations that could be initiated by such users or roles, for example,
3473 deleting audit records to cover up malicious activity.
3474 Related Controls: None.
3475 (7) PROTECTION OF AUDIT INFORMATION | STORE ON COMPONENT WITH DIFFERENT OPERATING
3476 SYSTEM
3477 Store audit information on a component running a different operating system than the
3478 system or component being audited.
3479 Discussion: Storing auditing information on a system component running a different
3480 operating system reduces the risk of a vulnerability specific to the system resulting in a
3481 compromise of the audit records.
3482 Related controls: AU-4, AU-5, AU-11, SC-29.
3483 References: [FIPS 140-3]; [FIPS 180-4]; [FIPS 202].

3484 AU-10 NON-REPUDIATION

3485 Control: Provide irrefutable evidence that an individual (or process acting on behalf of an
3486 individual) has performed [Assignment: organization-defined actions to be covered by non-
3487 repudiation].
3488 Discussion: Types of individual actions covered by non-repudiation include creating information,
3489 sending and receiving messages, and approving information. Non-repudiation protects against
3490 claims by authors of not having authored certain documents; senders of not having transmitted
3491 messages; receivers of not having received messages; and signatories of not having signed
3492 documents. Non-repudiation services can be used to determine if information originated from an
3493 individual, or if an individual took specific actions (e.g., sending an email, signing a contract, or
3494 approving a procurement request, or received specific information). Organizations obtain non-
3495 repudiation services by employing various techniques or mechanisms, including digital signatures
3496 and digital message receipts.
3497 Related Controls: AU-9, PM-12, SA-8, SC-8, SC-12, SC-13, SC-16, SC-17, SC-23.
3498 Control Enhancements:
3499 (1) NON-REPUDIATION | ASSOCIATION OF IDENTITIES
3500 (a) Bind the identity of the information producer with the information to [Assignment:
3501 organization-defined strength of binding]; and
3502 (b) Provide the means for authorized individuals to determine the identity of the
3503 producer of the information.
3504 Discussion: Binding identities to the information supports audit requirements that provide
3505 organizational personnel with the means to identify who produced specific information in
3506 the event of an information transfer. Organizations determine and approve the strength of
3507 attribute binding between the information producer and the information based on the
3508 security category of the information and other relevant risk factors.
3509 Related Controls: AC-4, AC-16.
3510 (2) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY
3511 (a) Validate the binding of the information producer identity to the information at
3512 [Assignment: organization-defined frequency]; and
3513 (b) Perform [Assignment: organization-defined actions] in the event of a validation error.

CHAPTER THREE PAGE 75

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3514 Discussion: Validating the binding of the information producer identity to the information
3515 prevents the modification of information between production and review. The validation of
3516 bindings can be achieved, for example, using cryptographic checksums. Organizations
3517 determine if validations are in response to user requests or generated automatically.
3518 Related Controls: AC-3, AC-4, AC-16.
3519 (3) NON-REPUDIATION | CHAIN OF CUSTODY
3520 Maintain reviewer or releaser identity and credentials within the established chain of
3521 custody for information reviewed or released.
3522 Discussion: Chain of custody is a process that tracks the movement of evidence through its
3523 collection, safeguarding, and analysis life cycle by documenting each person who handled
3524 the evidence, the date and time it was collected or transferred, and the purpose for the
3525 transfer. If the reviewer is a human or if the review function is automated but separate from
3526 the release or transfer function, the system associates the identity of the reviewer of the
3527 information to be released with the information and the information label. In the case of
3528 human reviews, maintaining the identity and credentials of reviewers or releasers provides
3529 organizational officials the means to identify who reviewed and released the information. In
3530 the case of automated reviews, it ensures that only approved review functions are used.
3531 Related Controls: AC-4, AC-16.
3532 (4) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY
3533 (a) Validate the binding of the information reviewer identity to the information at the
3534 transfer or release points prior to release or transfer between [Assignment:
3535 organization-defined security domains]; and
3536 (b) Perform [Assignment: organization-defined actions] in the event of a validation error.
3537 Discussion: Validating the binding of the information reviewer identity to the information at
3538 transfer or release points prevents the unauthorized modification of information between
3539 review and the transfer or release. The validation of bindings can be achieved by using
3540 cryptographic checksums. Organizations determine if validations are in response to user
3541 requests or generated automatically.
3542 Related Controls: AC-4, AC-16.
3543 (5) NON-REPUDIATION | DIGITAL SIGNATURES
3544 [Withdrawn: Incorporated into SI-7.]
3545 References: [FIPS 140-3]; [FIPS 180-4]; [FIPS 186-4]; [FIPS 202]; [SP 800-177].

3546 AU-11 AUDIT RECORD RETENTION

3547 Control: Retain audit records for [Assignment: organization-defined time-period consistent with
3548 records retention policy] to provide support for after-the-fact investigations of incidents and to
3549 meet regulatory and organizational information retention requirements.
3550 Discussion: Organizations retain audit records until it is determined that the records are no
3551 longer needed for administrative, legal, audit, or other operational purposes. This includes the
3552 retention and availability of audit records relative to Freedom of Information Act (FOIA) requests,
3553 subpoenas, and law enforcement actions. Organizations develop standard categories of audit
3554 records relative to such types of actions and standard response processes for each type of action.
3555 The National Archives and Records Administration (NARA) General Records Schedules provide
3556 federal policy on record retention.
3557 Related Controls: AU-2, AU-4, AU-5, AU-6, AU-9, AU-14, MP-6, RA-5, SI-12.
3558 Control Enhancements:

CHAPTER THREE PAGE 76

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3559 (1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY

3560 Employ [Assignment: organization-defined measures] to ensure that long-term audit
3561 records generated by the system can be retrieved.
3562 Discussion: Organizations need to access and read audit records requiring long-term storage
3563 (on the order of years). Measures employed to help facilitate the retrieval of audit records
3564 include converting records to newer formats, retaining equipment capable of reading the
3565 records, and retaining necessary documentation to help personnel understand how to
3566 interpret the records.
3567 Related Controls: None.
3568 References: [OMB A-130].

3569 AU-12 AUDIT RECORD GENERATION

3570 Control:
3571 a. Provide audit record generation capability for the event types the system is capable of
3572 auditing as defined in AU-2a on [Assignment: organization-defined system components];
3573 b. Allow [Assignment: organization-defined personnel or roles] to select the event types that
3574 are to be logged by specific components of the system; and
3575 c. Generate audit records for the event types defined in AU-2c that include the audit record
3576 content defined in AU-3.
3577 Discussion: Audit records can be generated from many different system components. The event
3578 types specified in AU-2d are the event types for which audit logs are to be generated and are a
3579 subset of all event types for which the system can generate audit records.
3580 Related Controls: AC-6, AC-17, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-14, CM-5, MA-4, MP-4,
3581 PM-12, SA-8, SC-18, SI-3, SI-4, SI-7, SI-10.
3582 Control Enhancements:
3583 (1) AUDIT RECORD GENERATION | SYSTEM-WIDE AND TIME-CORRELATED AUDIT TRAIL
3584 Compile audit records from [Assignment: organization-defined system components] into a
3585 system-wide (logical or physical) audit trail that is time-correlated to within [Assignment:
3586 organization-defined level of tolerance for the relationship between time stamps of
3587 individual records in the audit trail].
3588 Discussion: Audit trails are time-correlated if the time stamps in the individual audit records
3589 can be reliably related to the time stamps in other audit records to achieve a time ordering
3590 of the records within organizational tolerances.
3591 Related Controls: AU-8.
3592 (2) AUDIT RECORD GENERATION | STANDARDIZED FORMATS
3593 Produce a system-wide (logical or physical) audit trail composed of audit records in a
3594 standardized format.
3595 Discussion: Audit records that follow common standards promote interoperability and
3596 information exchange between devices and systems. This facilitates the production of event
3597 information that can be readily analyzed and correlated. Standard formats for audit records
3598 include records that are compliant with Common Event Expressions. If logging mechanisms
3599 within systems do not conform to standardized formats, systems may convert individual
3600 audit records into standardized formats when compiling system-wide audit trails.
3601 Related Controls: None.

CHAPTER THREE PAGE 77

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3602 (3) AUDIT RECORD GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS

3603 Provide and implement the capability for [Assignment: organization-defined individuals or
3604 roles] to change the logging to be performed on [Assignment: organization-defined system
3605 components] based on [Assignment: organization-defined selectable event criteria] within
3606 [Assignment: organization-defined time thresholds].
3607 Discussion: Permitting authorized individuals to make changes to system logging enables
3608 organizations to extend or limit logging as necessary to meet organizational requirements.
3609 Logging that is limited to conserve system resources may be extended (either temporarily or
3610 permanently) to address certain threat situations. In addition, logging may be limited to a
3611 specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations
3612 can establish time thresholds in which logging actions are changed, for example, near real-
3613 time, within minutes, or within hours.
3614 Related Controls: AC-3.
3615 (4) AUDIT RECORD GENERATION | QUERY PARAMETER AUDITS OF PERSONALLY IDENTIFIABLE
3616 INFORMATION
3617 Provide and implement the capability for auditing the parameters of user query events for
3618 data sets containing personally identifiable information.
3619 Discussion: Query parameters are explicit criteria that an individual or an automated system
3620 submits to a system to retrieve data. Auditing of query parameters for datasets that contain
3621 personally identifiable information augments the capability of an organization to track and
3622 understand the access, usage, or sharing of personally identifiable information by authorized
3623 personnel.
3624 Related Controls: None.
3625 References: None.

3626 AU-13 MONITORING FOR INFORMATION DISCLOSURE

3627 Control:
3628 a. Monitor [Assignment: organization-defined open source information and/or information
3629 sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure
3630 of organizational information; and
3631 b. If an information disclosure is discovered:
3632 1. Notify [Assignment: organization-defined personnel or roles]; and
3633 2. Take the following additional actions: [Assignment: organization-defined additional
3634 actions].
3635 Discussion: Unauthorized disclosure of information is a form of data leakage. Open source
3636 information includes social networking sites and code sharing platforms and repositories.
3637 Organizational information can include personally identifiable information retained by the
3638 organization.
3639 Related Controls: AC-22, PE-3, PM-12, RA-5, SC-7.
3640 Control Enhancements:
3641 (1) MONITORING FOR INFORMATION DISCLOSURE | USE OF AUTOMATED TOOLS
3642 Monitor open source information and information sites using [Assignment: organization-
3643 defined automated mechanisms].
3644 Discussion: Automated mechanisms include commercial services providing notifications and
3645 alerts to organizations and automated scripts to monitor new posts on websites.

CHAPTER THREE PAGE 78

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3646 Related Controls: None.

3647 (2) MONITORING FOR INFORMATION DISCLOSURE | REVIEW OF MONITORED SITES
3648 Review the list of open source information sites being monitored [Assignment:
3649 organization-defined frequency].
3650 Discussion: Reviewing on a regular basis, the current list of open source information sites
3651 being monitored, helps to ensure that the selected sites remain relevant. The review also
3652 provides the opportunity to add new open source information sites with the potential to
3653 provide evidence of unauthorized disclosure of organizational information. The list of sites
3654 monitored can be guided and informed by threat intelligence of other credible sources of
3655 information.
3656 Related Controls: None.
3657 (3) MONITORING FOR INFORMATION DISCLOSURE | UNAUTHORIZED REPLICATION OF INFORMATION
3658 Employ discovery techniques, processes, and tools to determine if external entities are
3659 replicating organizational information in an unauthorized manner.
3660 Discussion: The unauthorized use or replication of organizational information by external
3661 entities can cause adverse impact on organizational operations and assets including damage
3662 to reputation. Such activity can include, for example, the replication of an organizational
3663 website by an adversary or hostile threat actor who attempts to impersonate the web-
3664 hosting organization. Discovery tools, techniques and processes used to determine if
3665 external entities are replicating organizational information in an unauthorized manner
3666 include scanning external websites, monitoring social media, and training staff to recognize
3667 unauthorized use of organizational information.
3668 Related Controls: None.
3669 References: None.

3670 AU-14 SESSION AUDIT

3671 Control:
3672 a. Provide and implement the capability for [Assignment: organization-defined users or roles]
3673 to [Selection (one or more): record; view; hear; log] the content of a user session under
3674 [Assignment: organization-defined circumstances]; and
3675 b. Develop, integrate, and use session auditing activities in consultation with legal counsel and
3676 in accordance with applicable laws, executive orders, directives, regulations, policies,
3677 standards, and guidelines.
3678 Discussion: Session audits can include monitoring keystrokes, tracking websites visited, and
3679 recording information and/or file transfers. Organizations consider how session auditing can
3680 reveal information about individuals that may give rise to privacy risk and how to mitigate those
3681 risks. Because session auditing can impact system and network performance, organizations
3682 activate the capability under well-defined situations (e.g., the organization is suspicious of a
3683 specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy
3684 officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including use of
3685 personally identifiable information, are appropriately addressed.
3686 Related Controls: AC-3, AC-8, AU-2, AU-3, AU-4, AU-5, AU-8, AU-9, AU-11, AU-12.
3687 Control Enhancements:
3688 (1) SESSION AUDIT | SYSTEM START-UP
3689 Initiate session audits automatically at system start-up.

CHAPTER THREE PAGE 79

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3690 Discussion: The initiation of session audits automatically at startup helps to ensure the
3691 information being captured on selected individuals is complete and is not subject to
3692 compromise through tampering by malicious threat actors.
3693 Related Controls: None.
3694 (2) SESSION AUDIT | CAPTURE AND RECORD CONTENT
3695 [Withdrawn: Incorporated into AU-14.]
3696 (3) SESSION AUDIT | REMOTE VIEWING AND LISTENING
3697 Provide and implement the capability for authorized users to remotely view and hear
3698 content related to an established user session in real time.
3699 Discussion: None.
3700 Related Controls: AC-17.
3701 References: None.

3702 AU-15 ALTERNATE AUDIT LOGGING CAPABILITY

3703 [Withdrawn: Moved to AU-5(5).]

3704 AU-16 CROSS-ORGANIZATIONAL AUDIT LOGGING

3705 Control: Employ [Assignment: organization-defined methods] for coordinating [Assignment:
3706 organization-defined audit information] among external organizations when audit information is
3707 transmitted across organizational boundaries.
3708 Discussion: When organizations use systems or services of external organizations, the audit
3709 logging capability necessitates a coordinated, cross-organization approach. For example,
3710 maintaining the identity of individuals that requested specific services across organizational
3711 boundaries may often be difficult, and doing so may prove to have significant performance and
3712 privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply
3713 captures the identity of individuals issuing requests at the initial system, and subsequent systems
3714 record that the requests originated from authorized individuals. Organizations consider including
3715 processes for coordinating audit information requirements and protection of audit information in
3716 information exchange agreements.
3717 Related Controls: AU-3, AU-6, AU-7, CA-3, PT-8.
3718 Control Enhancements:
3719 (1) CROSS-ORGANIZATIONAL AUDIT LOGGING | IDENTITY PRESERVATION
3720 Preserve the identity of individuals in cross-organizational audit trails.
3721 Discussion: Identity preservation is applied when there is a need to be able to trace actions
3722 that are performed across organizational boundaries to a specific individual.
3723 Related Controls: IA-2, IA-4, IA-5, IA-8.
3724 (2) CROSS-ORGANIZATIONAL AUDIT LOGGING | SHARING OF AUDIT INFORMATION
3725 Provide cross-organizational audit information to [Assignment: organization-defined
3726 organizations] based on [Assignment: organization-defined cross-organizational sharing
3727 agreements].
3728 Discussion: Due to the distributed nature of the audit information, cross-organization
3729 sharing of audit information may be essential for effective analysis of the auditing being
3730 performed. For example, the audit records of one organization may not provide sufficient
3731 information to determine the appropriate or inappropriate use of organizational information
3732 resources by individuals in other organizations. In some instances, only individuals’ home

CHAPTER THREE PAGE 80

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3733 organizations have appropriate knowledge to make such determinations, thus requiring the
3734 sharing of audit information among organizations.
3735 Related Controls: IR-4, SI-4.
3736 (3) CROSS-ORGANIZATIONAL AUDITING | DISASSOCIABILITY
3737 Implement [Assignment: organization-defined measures] to disassociate individuals from
3738 audit information transmitted across organizational boundaries.
3739 Discussion: Preserving identities in audit trails could have privacy ramifications such as
3740 enabling the tracking and profiling of individuals but may not be operationally necessary.
3741 These risks could be further amplified when transmitting information across organizational
3742 boundaries. Using privacy-enhancing cryptographic techniques can disassociate individuals
3743 from audit information and reduce privacy risk while maintaining accountability.
3744 Related Controls: None.
3745 References: None.

CHAPTER THREE PAGE 81

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3746 3.4 ASSESSMENT, AUTHORIZATION, AND MONITORING

3747 Quick link to Assessment, Authorization, and Monitoring summary table

3748 CA-1 POLICY AND PROCEDURES

3749 Control:
3750 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
3751 roles]:
3752 1. [Selection (one or more): organization-level; mission/business process-level; system-
3753 level] assessment, authorization, and monitoring policy that:
3754 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
3755 coordination among organizational entities, and compliance; and
3756 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
3757 standards, and guidelines; and
3758 2. Procedures to facilitate the implementation of the assessment, authorization, and
3759 monitoring policy and the associated assessment, authorization, and monitoring
3760 controls;
3761 b. Designate an [Assignment: organization-defined official] to manage the development,
3762 documentation, and dissemination of the assessment, authorization, and monitoring policy
3763 and procedures; and
3764 c. Review and update the current assessment, authorization, and monitoring:
3765 1. Policy [Assignment: organization-defined frequency]; and
3766 2. Procedures [Assignment: organization-defined frequency].
3767 Discussion: This control addresses policy and procedures for the controls in the CA family
3768 implemented within systems and organizations. The risk management strategy is an important
3769 factor in establishing such policies and procedures. Policies and procedures help provide security
3770 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
3771 on their development. Security and privacy program policies and procedures at the organization
3772 level are preferable, in general, and may obviate the need for system-specific policies and
3773 procedures. The policy can be included as part of the general security and privacy policy or can
3774 be represented by multiple policies reflecting the complex nature of organizations. Procedures
3775 can be established for security and privacy programs and for systems, if needed. Procedures
3776 describe how the policies or controls are implemented and can be directed at the individual or
3777 role that is the object of the procedure. Procedures can be documented in system security and
3778 privacy plans or in one or more separate documents. Restating controls does not constitute an
3779 organizational policy or procedure.
3780 Related Controls: PM-9, PS-8, SI-12.
3781 Control Enhancements: None.
3782 References: [OMB A-130, Appendix II]; [SP 800-12]; [SP 800-30]; [SP 800-37]; [SP 800-39]; [SP
3783 800-53A]; [SP 800-100]; [SP 800-137]; [IR 8062].

3784 CA-2 CONTROL ASSESSMENTS

3785 Control:
3786 a. Develop a control assessment plan that describes the scope of the assessment including:

CHAPTER THREE PAGE 82

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3787 1. Controls and control enhancements under assessment;

3788 2. Assessment procedures to be used to determine control effectiveness; and
3789 3. Assessment environment, assessment team, and assessment roles and responsibilities;
3790 b. Ensure the control assessment plan is reviewed and approved by the authorizing official or
3791 designated representative prior to conducting the assessment;
3792 c. Assess the controls in the system and its environment of operation [Assignment:
3793 organization-defined frequency] to determine the extent to which the controls are
3794 implemented correctly, operating as intended, and producing the desired outcome with
3795 respect to meeting established security and privacy requirements;
3796 d. Produce a control assessment report that document the results of the assessment; and
3797 e. Provide the results of the control assessment to [Assignment: organization-defined
3798 individuals or roles].
3799 Discussion: Organizations assess controls in systems and the environments in which those
3800 systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA
3801 annual assessments; system design and development; systems security engineering; and the
3802 system development life cycle. Assessments help to ensure that organizations meet information
3803 security and privacy requirements; identify weaknesses and deficiencies in the system design and
3804 development process; provide essential information needed to make risk-based decisions as part
3805 of authorization processes; and comply with vulnerability mitigation procedures. Organizations
3806 conduct assessments on the implemented controls as documented in security and privacy plans.
3807 Assessments can also be conducted throughout the system development life cycle as part of
3808 systems engineering and systems security engineering processes. For example, the design for the
3809 controls can be assessed as RFPs are developed and responses assessed, and as design reviews
3810 are conducted. If design to implement controls and subsequent implementation in accordance
3811 with the design is assessed during development, the final control testing can be a simple
3812 confirmation utilizing previously completed control assessment and aggregating the outcomes.
3813 Organizations may develop a single, consolidated security and privacy assessment plan for the
3814 system or maintain separate plans. A consolidated assessment plan clearly delineates roles and
3815 responsibilities for control assessment. If multiple organizations participate in assessing a system,
3816 a coordinated approach can reduce redundancies and associated costs.
3817 Organizations can use other types of assessment activities such as vulnerability scanning and
3818 system monitoring to maintain the security and privacy posture of systems during the system life
3819 cycle. Assessment reports document assessment results in sufficient detail as deemed necessary
3820 by organizations, to determine the accuracy and completeness of the reports and whether the
3821 controls are implemented correctly, operating as intended, and producing the desired outcome
3822 with respect to meeting requirements. Assessment results are provided to the individuals or
3823 roles appropriate for the types of assessments being conducted. For example, assessments
3824 conducted in support of authorization decisions are provided to authorizing officials, senior
3825 agency officials for privacy, senior agency information security officers, and authorizing official
3826 designated representatives.
3827 To satisfy annual assessment requirements, organizations can use assessment results from the
3828 following sources: initial or ongoing system authorizations; continuous monitoring; systems
3829 engineering processes, or system development life cycle activities. Organizations ensure that
3830 assessment results are current, relevant to the determination of control effectiveness, and
3831 obtained with the appropriate level of assessor independence. Existing control assessment
3832 results can be reused to the extent that the results are still valid and can also be supplemented
3833 with additional assessments as needed. After the initial authorizations, organizations assess
3834 controls during continuous monitoring. Organizations also establish the frequency for ongoing

CHAPTER THREE PAGE 83

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3835 assessments in accordance with organizational continuous monitoring strategies. External audits,
3836 including audits by external entities such as regulatory agencies, are outside the scope of this
3837 control.
3838 Related Controls: AC-20, CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SC-38, SI-3, SI-12, SR-2, SR-3.
3839 Control Enhancements:
3840 (1) ASSESSMENTS | INDEPENDENT ASSESSORS
3841 Employ independent assessors or assessment teams to conduct control assessments.
3842 Discussion: Independent assessors or assessment teams are individuals or groups
3843 conducting impartial assessments of systems. Impartiality means that assessors are free
3844 from any perceived or actual conflicts of interest regarding development, operation,
3845 sustainment, or management of the systems under assessment or the determination of
3846 control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting
3847 interest with the organizations where the assessments are being conducted; assess their
3848 own work; act as management or employees of the organizations they are serving; or place
3849 themselves in positions of advocacy for the organizations acquiring their services.
3850 Independent assessments can be obtained from elements within organizations or can be
3851 contracted to public or private sector entities outside of organizations. Authorizing officials
3852 determine the required level of independence based on the security categories of systems
3853 and/or the risk to organizational operations, organizational assets, or individuals. Authorizing
3854 officials also determine if the level of assessor independence provides sufficient assurance
3855 that the results are sound and can be used to make credible, risk-based decisions. Assessor
3856 independence determination also includes whether contracted assessment services have
3857 sufficient independence, for example, when system owners are not directly involved in
3858 contracting processes or cannot influence the impartiality of the assessors conducting the
3859 assessments. During the system design and development phase, the analogy to independent
3860 assessors is having independent SMEs involved in design reviews.
3861 When organizations that own the systems are small or the structures of the organizations
3862 require that assessments are conducted by individuals that are in the developmental,
3863 operational, or management chain of the system owners, independence in assessment
3864 processes can be achieved by ensuring that assessment results are carefully reviewed and
3865 analyzed by independent teams of experts to validate the completeness, accuracy, integrity,
3866 and reliability of the results. Assessments performed for purposes other than to support
3867 authorization decisions, are more likely to be useable for such decisions when performed by
3868 assessors with sufficient independence, thereby reducing the need to repeat assessments.
3869 Related Controls: None.
3870 (2) ASSESSMENTS | SPECIALIZED ASSESSMENTS
3871 Include as part of control assessments, [Assignment: organization-defined frequency],
3872 [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring;
3873 security instrumentation; automated security test cases; vulnerability scanning; malicious
3874 user testing; insider threat assessment; performance and load testing; data leakage or
3875 data loss assessment [Assignment: organization-defined other forms of assessment]].
3876 Discussion: Organizations can conduct specialized assessments, including verification and
3877 validation, system monitoring, insider threat assessments, malicious user testing, and other
3878 forms of testing. These assessments can improve readiness by exercising organizational
3879 capabilities and indicating current levels of performance as a means of focusing actions to
3880 improve security and privacy. Organizations conduct specialized assessments in accordance
3881 with applicable laws, executive orders, directives, regulations, policies, standards, and
3882 guidelines. Authorizing officials approve the assessment methods in coordination with the

CHAPTER THREE PAGE 84

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3883 organizational risk executive function. Organizations can include vulnerabilities uncovered
3884 during assessments into vulnerability remediation processes. Specialized assessments can
3885 also be conducted early in the system development life cycle, for example, during design,
3886 development, and unit testing.
3887 Related Controls: PE-3, SI-2.
3888 (3) ASSESSMENTS | EXTERNAL ORGANIZATIONS
3889 Leverage the results of control assessments performed by [Assignment: organization-
3890 defined external organization] on [Assignment: organization-defined system] when the
3891 assessment meets [Assignment: organization-defined requirements].
3892 Discussion: Organizations may rely on control assessments of organizational systems by
3893 other (external) organizations. Using such assessments and reusing existing assessment
3894 evidence can decrease the time and resources required for assessments by limiting the
3895 independent assessment activities that organizations need to perform. The factors that
3896 organizations consider in determining whether to accept assessment results from external
3897 organizations can vary. Such factors include the organization’s past experience with the
3898 organization that conducted the assessment; the reputation of the assessment organization;
3899 the level of detail of supporting assessment evidence provided; and mandates imposed by
3900 applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
3901 Accredited testing laboratories supporting the Common Criteria Program [ISO 15408-1], the
3902 NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm
3903 Validation Program (CAVP) can provide independent assessment results that organizations
3904 can leverage.
3905 Related Controls: SA-4.
3906 References: [OMB A-130]; [FIPS 199]; [SP 800-18]; [SP 800-37]; [SP 800-39]; [SP 800-53A]; [SP
3907 800-115]; [SP 800-137]; [IR 8062].

3908 CA-3 INFORMATION EXCHANGE

3909 Control:
3910 a. Approve and manage the exchange of information between the system and other systems
3911 using [Selection (one or more): interconnection security agreements; information exchange
3912 security agreements; memoranda of understanding or agreement; service level agreements;
3913 user agreements; nondisclosure agreements; [Assignment: organization-defined type of
3914 agreement]];
3915 b. Document, as part of each exchange agreement, the interface characteristics, security and
3916 privacy requirements, controls, and responsibilities for each system, and the impact level of
3917 the information communicated; and
3918 c. Review and update the agreements [Assignment: organization-defined frequency].
3919 Discussion: System information exchange requirements apply to information exchanges
3920 between two or more systems. System information exchanges include connections via leased
3921 lines or virtual private networks, connections to internet service providers, database sharing or
3922 exchanges of database transaction information, connections and exchanges associated with
3923 cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols,
3924 network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications.
3925 Organizations consider the risk related to new or increased threats, that may be introduced
3926 when systems exchange information with other systems that may have different security and
3927 privacy requirements and controls. This includes systems within the same organization and
3928 systems that are external to the organization. A joint authorization of the systems exchanging
3929 information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.

CHAPTER THREE PAGE 85

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3930 Authorizing officials determine the risk associated with system information exchange and the
3931 controls needed for appropriate risk mitigation. The type of agreement selected is based on
3932 factors such as the impact level of the information being exchanged, the relationship between
3933 the organizations exchanging information (e.g., government to government, government to
3934 business, business to business, government or business to service provider, government or
3935 business to individual), or the level of access to the organizational system by users of the other
3936 system. If systems that exchange information have the same authorizing official, organizations
3937 need not develop agreements. Instead, the interface characteristics between the systems (e.g.,
3938 how the information is being exchanged; how the information is protected) are described in the
3939 respective security and privacy plans. If the systems that exchange information have different
3940 authorizing officials within the same organization, the organizations can develop agreements, or
3941 they can provide the same information that would be provided in the appropriate agreement
3942 type from CA-3a in the respective security and privacy plans for the systems. Organizations may
3943 incorporate agreement information into formal contracts, especially for information exchanges
3944 established between federal agencies and nonfederal organizations (including service providers,
3945 contractors, system developers, and system integrators). Risk considerations include systems
3946 sharing the same networks.
3947 Related Controls: AC-4, AC-20, AU-16, CA-6, IA-3, IR-4, PL-2, PT-8, RA-3, SA-9, SC-7, SI-12.
3948 Control Enhancements:
3949 (1) SYSTEM CONNECTIONS | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
3950 [Withdrawn: Moved to SC-7(25).]
3951 (2) SYSTEM CONNECTIONS | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
3952 [Withdrawn: Moved to SC-7(26).]
3953 (3) SYSTEM CONNECTIONS | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
3954 [Withdrawn: Moved to SC-7(27).]
3955 (4) SYSTEM CONNECTIONS | CONNECTIONS TO PUBLIC NETWORKS
3956 [Withdrawn: Moved to SC-7(28).]
3957 (5) SYSTEM CONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
3958 [Withdrawn: Moved to SC-7(5).]
3959 (6) INFORMATION EXCHANGE | TRANSFER AUTHORIZATIONS
3960 Verify that individuals or systems transferring data between interconnecting systems have
3961 the requisite authorizations (i.e., write permissions or privileges) prior to accepting such
3962 data.
3963 Discussion: To prevent unauthorized individuals and systems from making information
3964 transfers to protected systems, the protected system verifies via independent means,
3965 whether the individual or system attempting to transfer information is authorized to do so.
3966 This control enhancement also applies to control plane traffic (e.g., routing and DNS) and
3967 services such as authenticated SMTP relays.
3968 Related Controls: AC-2, AC-3, AC-4.
3969 (7) INFORMATION EXCHANGE |TRANSITIVE INFORMATION EXCHANGES
3970 (a) Identify transitive (downstream) information exchanges with other systems through
3971 the systems identified in CA-3a; and
3972 (b) Take measures to ensure that transitive (downstream) information exchanges cease
3973 when the controls on identified transitive (downstream) systems cannot be verified or
3974 validated.

CHAPTER THREE PAGE 86

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

3975 Discussion: Transitive or “downstream” information exchanges are information exchanges

3976 between the system or systems with which the organizational system exchanges information
3977 and other systems. For mission essential systems, services, and applications, including high
3978 value assets, it is necessary to identify such information exchanges. The transparency of the
3979 controls or protection measures in place in such downstream systems connected directly or
3980 indirectly to organizational systems is essential in understanding the security and privacy
3981 risks resulting from those interconnections. Organizational systems can inherit risk from
3982 downstream systems through transitive connections and information exchanges which can
3983 make the organizational systems more susceptible to threats, hazards, and adverse impacts.
3984 Related Controls: SC-7.
3985 References: [OMB A-130, Appendix II]; [FIPS 199]; [SP 800-47].

3986 CA-4 SECURITY CERTIFICATION

3987 [Withdrawn: Incorporated into CA-2.]

3988 CA-5 PLAN OF ACTION AND MILESTONES

3989 Control:
3990 a. Develop a plan of action and milestones for the system to document the planned
3991 remediation actions of the organization to correct weaknesses or deficiencies noted during
3992 the assessment of the controls and to reduce or eliminate known vulnerabilities in the
3993 system; and
3994 b. Update existing plan of action and milestones [Assignment: organization-defined frequency]
3995 based on the findings from control assessments, audits, and continuous monitoring
3996 activities.
3997 Discussion: Plans of action and milestones are useful for any type of organization to track
3998 planned remedial actions. Plans of action and milestones are required in authorization packages
3999 and are subject to federal reporting requirements established by OMB.
4000 Related Controls: CA-2, CA-7, PM-4, PM-9, RA-7, SI-2, SI-12.
4001 Control Enhancements:
4002 (1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY
4003 Ensure the accuracy, currency, and availability of the plan of action and milestones for the
4004 system using [Assignment: organization-defined automated mechanisms].
4005 Discussion: Using automated tools helps to maintain the accuracy, currency, and availability
4006 of the plan of action and milestones and facilitates the coordination and sharing of security
4007 and privacy information throughout the organization. Such coordination and information
4008 sharing helps to identify systemic weaknesses or deficiencies in organizational systems and
4009 ensure that appropriate resources are directed at the most critical system vulnerabilities in a
4010 timely manner.
4011 Related Controls: None.
4012 References: [OMB A-130]; [SP 800-37].

4013 CA-6 AUTHORIZATION

4014 Control:
4015 a. Assign a senior official as the authorizing official for the system;

CHAPTER THREE PAGE 87

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4016 b. Assign a senior official as the authorizing official for common controls available for
4017 inheritance by organizational systems;
4018 c. Ensure that the authorizing official for the system, before commencing operations:
4019 1. Accepts the use of common controls inherited by the system; and
4020 2. Authorizes the system to operate;
4021 d. Ensure that the authorizing official for common controls authorizes the use of those controls
4022 for inheritance by organizational systems;
4023 e. Update the authorizations [Assignment: organization-defined frequency].
4024 Discussion: Authorizations are official management decisions by senior officials to authorize
4025 operation of systems, to authorize the use of common controls for inheritance by organizational
4026 systems and to explicitly accept the risk to organizational operations and assets, individuals,
4027 other organizations, and the Nation based on the implementation of agreed-upon controls.
4028 Authorizing officials provide budgetary oversight for organizational systems and for common
4029 controls or assume responsibility for the mission and business operations supported by those
4030 systems or common controls. The authorization process is a federal responsibility and therefore,
4031 authorizing officials must be federal employees. Authorizing officials are both responsible and
4032 accountable for security and privacy risks associated with the operation and use of organizational
4033 systems. Nonfederal organizations may have similar processes to authorize systems and senior
4034 officials that assume the authorization role and associated responsibilities.
4035 Authorizing officials issue ongoing authorizations of systems based on evidence produced from
4036 implemented continuous monitoring programs. Robust continuous monitoring programs reduce
4037 the need for separate reauthorization processes. Through the employment of comprehensive
4038 continuous monitoring processes, the information contained in authorization packages (i.e., the
4039 security and privacy plans, assessment reports, and plans of action and milestones), is updated
4040 on an ongoing basis. This provides authorizing officials, system owners, and common control
4041 providers with an up-to-date status of the security and privacy posture of their systems, controls,
4042 and operating environments. To reduce the cost of reauthorization, authorizing officials can
4043 leverage the results of continuous monitoring processes to the maximum extent possible as the
4044 basis for rendering reauthorization decisions.
4045 Related Controls: CA-2, CA-3, CA-7, PM-9, PM-10, SA-10, SI-12.
4046 Control Enhancements:
4047 (1) AUTHORIZATION | JOINT AUTHORIZATION — INTRA-ORGANIZATION
4048 Employ a joint authorization process for the system that includes multiple authorizing
4049 officials from the same organization conducting the authorization.
4050 Discussion: Assigning multiple authorizing officials from the same organization to serve as
4051 co-authorizing officials for the system, increases the level of independence in the risk-based
4052 decision-making process. It also implements the concepts of separation of duties and dual
4053 authorization as applied to the system authorization process. The intra-organization joint
4054 authorization process is most relevant for connected systems, shared systems, and systems
4055 with multiple information owners.
4056 Related Controls: AC-6.
4057 (2) AUTHORIZATION | JOINT AUTHORIZATION — INTER-ORGANIZATION
4058 Employ a joint authorization process for the system that includes multiple authorizing
4059 officials with at least one authorizing official from an organization external to the
4060 organization conducting the authorization.

CHAPTER THREE PAGE 88

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4061 Discussion: Assigning multiple authorizing officials, at least one of which comes from an
4062 external organization, to serve as co-authorizing officials for the system, increases the level
4063 of independence in the risk-based decision-making process. It implements the concepts of
4064 separation of duties and dual authorization as applied to the system authorization process.
4065 Employing authorizing officials from external organizations to supplement the authorizing
4066 official from the organization owning or hosting the system may be necessary when the
4067 external organizations have a vested interest or equities in the outcome of the authorization
4068 decision. The inter-organization joint authorization process is relevant and appropriate for
4069 connected systems, shared systems or services, and systems with multiple information
4070 owners. The authorizing officials from the external organizations are key stakeholders of the
4071 system undergoing authorization.
4072 Related Controls: AC-6.
4073 References: [OMB A-130]; [SP 800-37]; [SP 800-137].

4074 CA-7 CONTINUOUS MONITORING

4075 Control: Develop a system-level continuous monitoring strategy and implement continuous
4076 monitoring in accordance with the organization-level continuous monitoring strategy that
4077 includes:
4078 a. Establishing the following system-level metrics to be monitored: [Assignment: organization-
4079 defined system-level metrics];
4080 b. Establishing [Assignment: organization-defined frequencies] for monitoring and
4081 [Assignment: organization-defined frequencies] for assessment of control effectiveness;
4082 c. Ongoing control assessments in accordance with the continuous monitoring strategy;
4083 d. Ongoing monitoring of system and organization-defined metrics in accordance with the
4084 continuous monitoring strategy;
4085 e. Correlation and analysis of information generated by control assessments and monitoring;
4086 f. Response actions to address results of the analysis of control assessment and monitoring
4087 information; and
4088 g. Reporting the security and privacy status of the system to [Assignment: organization-
4089 defined personnel or roles] [Assignment: organization-defined frequency].
4090 Discussion: Continuous monitoring at the system level facilitates ongoing awareness of the
4091 system security and privacy posture to support organizational risk management decisions. The
4092 terms continuous and ongoing imply that organizations assess and monitor their controls and
4093 risks at a frequency sufficient to support risk-based decisions. Different types of controls may
4094 require different monitoring frequencies. The results of continuous monitoring generate risk
4095 response actions by organizations. When monitoring the effectiveness of multiple controls that
4096 have been grouped into capabilities, a root-cause analysis may be needed to determine the
4097 specific control that has failed. Continuous monitoring programs allow organizations to maintain
4098 the authorizations of systems and common controls in highly dynamic environments of operation
4099 with changing mission and business needs, threats, vulnerabilities, and technologies. Having
4100 access to security and privacy information on a continuing basis through reports and dashboards
4101 gives organizational officials the ability to make effective and timely risk management decisions,
4102 including ongoing authorization decisions.
4103 Automation supports more frequent updates to hardware, software, and firmware inventories,
4104 authorization packages, and other system information. Effectiveness is further enhanced when
4105 continuous monitoring outputs are formatted to provide information that is specific, measurable,
4106 actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with

CHAPTER THREE PAGE 89

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4107 the security categories of systems. Monitoring requirements, including the need for specific
4108 monitoring, may be referenced in other controls and control enhancements, for example, AC-2g,
4109 AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f,
4110 CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23,
4111 PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.
4112 Related Controls: AC-2, AC-6, AC-17, AT-4, AU-6, AU-13, CA-2, CA-5, CA-6, CM-3, CM-4, CM-6,
4113 CM-11, IA-5, IR-5, MA-2, MA-3, MA-4, PE-3, PE-6, PE-14, PE-16, PE-20, PL-2, PM-4, PM-6, PM-9,
4114 PM-10, PM-12, PM-14, PM-23, PM-28, PM-31, PS-7, PT-8, RA-3, RA-5, RA-7, SA-8, SA-9, SA-11, SC-
4115 5, SC-7, SC-18, SC-38, SC-43, SC-38, SI-3, SI-4, SI-12, SR-6.
4116 Control Enhancements:
4117 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT
4118 Employ independent assessors or assessment teams to monitor the controls in the system
4119 on an ongoing basis.
4120 Discussion: Organizations maximize the value of control assessments by requiring that
4121 assessments be conducted by assessors with appropriate levels of independence. The level
4122 of required independence is based on organizational continuous monitoring strategies.
4123 Assessor independence provides a degree of impartiality to the monitoring process. To
4124 achieve such impartiality, assessors do not create a mutual or conflicting interest with the
4125 organizations where the assessments are being conducted; assess their own work; act as
4126 management or employees of the organizations they are serving; or place themselves in
4127 advocacy positions for the organizations acquiring their services.
4128 Related Controls: None.
4129 (2) CONTINUOUS MONITORING | TYPES OF ASSESSMENTS
4130 [Withdrawn: Incorporated into CA-2.]
4131 (3) CONTINUOUS MONITORING | TREND ANALYSES
4132 Employ trend analyses to determine if control implementations, the frequency of
4133 continuous monitoring activities, and the types of activities used in the continuous
4134 monitoring process need to be modified based on empirical data.
4135 Discussion: Trend analyses include examining recent threat information addressing the
4136 types of threat events that have occurred within the organization or the federal government;
4137 success rates of certain types of attacks; emerging vulnerabilities in technologies; evolving
4138 social engineering techniques; the effectiveness of configuration settings; results from
4139 multiple control assessments; and findings from Inspectors General or auditors.
4140 Related Controls: None.
4141 (4) CONTINUOUS MONITORING | RISK MONITORING
4142 Ensure risk monitoring is an integral part of the continuous monitoring strategy that
4143 includes the following:
4144 (a) Effectiveness monitoring;
4145 (b) Compliance monitoring; and
4146 (c) Change monitoring.
4147 Discussion: Risk monitoring is informed by the established organizational risk tolerance.
4148 Effectiveness monitoring determines the ongoing effectiveness of the implemented risk
4149 response measures. Compliance monitoring verifies that required risk response measures
4150 are implemented. It also verifies that security and privacy requirements are satisfied. Change
4151 monitoring identifies changes to organizational systems and environments of operation that
4152 may affect security and privacy risk.

CHAPTER THREE PAGE 90

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4153 Related Controls: None.

4154 (5) CONTINUOUS MONITORING | CONSISTENCY ANALYSIS
4155 Employ the following actions to validate that policies are established and implemented
4156 controls are operating in a consistent manner: [Assignment: organization-defined actions].
4157 Discussion: Security and privacy controls are often added incrementally to a system. As a
4158 result, policies for selecting and implementing controls may be inconsistent and the controls
4159 could fail to work together in a consistent or coordinated manner. At a minimum, the lack of
4160 consistency and coordination could mean that there are unacceptable security and privacy
4161 gaps in the system. At worst, it could mean that some of the controls implemented in one
4162 location or by one component are actually impeding the functionality of other controls (e.g.,
4163 encrypting internal network traffic can impede monitoring). Or in other situations, failing to
4164 consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6)
4165 may create unintended vulnerabilities in the system that could be exploited by adversaries.
4166 It is important to validate through testing, monitoring, and analysis that the implemented
4167 controls are operating in a consistent, coordinated, non-interfering manner.
4168 Related Controls: None.
4169 References: [OMB A-130]; [SP 800-37]; [SP 800-39]; [SP 800-53A]; [SP 800-115]; [SP 800-137]; [IR
4170 8011 v1] [IR 8062].

4171 CA-8 PENETRATION TESTING

4172 Control: Conduct penetration testing [Assignment: organization-defined frequency] on
4173 [Assignment: organization-defined systems or system components].
4174 Discussion: Penetration testing is a specialized type of assessment conducted on systems or
4175 individual system components to identify vulnerabilities that could be exploited by adversaries.
4176 Penetration testing goes beyond automated vulnerability scanning and is conducted by agents
4177 and teams with demonstrable skills and experience that include technical expertise in network,
4178 operating system, and/or application level security. Penetration testing can be used to validate
4179 vulnerabilities or determine the degree of penetration resistance of systems to adversaries
4180 within specified constraints. Such constraints include time, resources, and skills. Penetration
4181 testing attempts to duplicate the actions of adversaries in carrying out attacks and provides a
4182 more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration
4183 testing is especially important when organizations are transitioning from older technologies to
4184 newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
4185 Organizations can use the results of vulnerability analyses to support penetration testing
4186 activities. Penetration testing can be conducted internally or externally on the hardware,
4187 software, or firmware components of a system and can exercise both physical and technical
4188 controls. A standard method for penetration testing includes pretest analysis based on full
4189 knowledge of the system; pretest identification of potential vulnerabilities based on pretest
4190 analysis; and testing designed to determine exploitability of vulnerabilities. All parties agree to
4191 the rules of engagement before commencement of penetration testing scenarios. Organizations
4192 correlate the rules of engagement for the penetration tests with the tools, techniques, and
4193 procedures that are anticipated to be employed by adversaries. Risk assessments guide the
4194 decisions on the level of independence required for the personnel conducting penetration
4195 testing.
4196 Related Controls: SA-11, SR-5, SR-6.

CHAPTER THREE PAGE 91

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4197 Control Enhancements:

4198 (1) PENETRATION TESTING | INDEPENDENT PENETRATION TESTING AGENT OR TEAM
4199 Employ an independent penetration testing agent or team to perform penetration testing
4200 on the system or system components.
4201 Discussion: Independent penetration testing agents or teams are individuals or groups who
4202 conduct impartial penetration testing of organizational systems. Impartiality implies that
4203 penetration testing agents or teams are free from perceived or actual conflicts of interest
4204 with respect to the development, operation, or management of the systems that are the
4205 targets of the penetration testing. CA-2(1) provides additional information on independent
4206 assessments that can be applied to penetration testing.
4207 Related Controls: CA-2.
4208 (2) PENETRATION TESTING | RED TEAM EXERCISES
4209 Employ the following red-team exercises to simulate attempts by adversaries to
4210 compromise organizational systems in accordance with applicable rules of engagement:
4211 [Assignment: organization-defined red team exercises].
4212 Discussion: Red team exercises extend the objectives of penetration testing by examining
4213 the security and privacy posture of organizations and the capability to implement effective
4214 cyber defenses. Red team exercises simulate attempts by adversaries to compromise
4215 missions and business functions and provide a comprehensive assessment of the security
4216 and privacy posture of systems and organizations. Such attempts may include technology-
4217 based attacks and social engineering-based attacks. Technology-based attacks include
4218 interactions with hardware, software, or firmware components and/or mission and business
4219 processes. Social engineering-based attacks include interactions via email, telephone,
4220 shoulder surfing, or personal conversations. Red team exercises are most effective when
4221 conducted by penetration testing agents and teams with knowledge of and experience with
4222 current adversarial tactics, techniques, procedures, and tools. While penetration testing may
4223 be primarily laboratory-based testing, organizations can use red team exercises to provide
4224 more comprehensive assessments that reflect real-world conditions. The results from red
4225 team exercises can be used by organizations to improve security and privacy awareness and
4226 training and to assess control effectiveness.
4227 Related Controls: None.
4228 (3) PENETRATION TESTING | FACILITY PENETRATION TESTING
4229 Employ a penetration testing process that includes [Assignment: organization-defined
4230 frequency] [Selection: announced; unannounced] attempts to bypass or circumvent
4231 controls associated with physical access points to the facility.
4232 Discussion: Penetration testing of physical access points can provide information on critical
4233 vulnerabilities in the operating environments of organizational systems. Such information
4234 can be used to correct weaknesses or deficiencies in physical controls that are necessary to
4235 protect organizational systems.
4236 Related Controls: CA-2, PE-3.
4237 References: None.

4238 CA-9 INTERNAL SYSTEM CONNECTIONS

4239 Control:
4240 a. Authorize internal connections of [Assignment: organization-defined system components or
4241 classes of components] to the system;

CHAPTER THREE PAGE 92

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4242 b. Document, for each internal connection, the interface characteristics, security and privacy
4243 requirements, and the nature of the information communicated;
4244 c. Terminate internal system connections after [Assignment: organization-defined conditions];
4245 and
4246 d. Review [Assignment: organization-defined frequency] the continued need for each internal
4247 connection.
4248 Discussion: Internal system connections are connections between organizational systems and
4249 separate constituent system components (i.e., connections between components that are part of
4250 the same system). Intra-system connections include connections with mobile devices, notebook
4251 and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors,
4252 and servers. Instead of authorizing each individual internal system connection, organizations can
4253 authorize internal connections for a class of system components with common characteristics
4254 and/or configurations, including printers, scanners, and copiers with a specified processing,
4255 transmission, and storage capability; or smart phones and tablets with a specific baseline
4256 configuration. The continued need for an internal system connection is reviewed from the
4257 perspective of whether it provides support for organizational missions or business functions.
4258 Related Controls: AC-3, AC-4, AC-18, AC-19, CM-2, IA-3, SC-7, SI-12.
4259 Control Enhancements:
4260 (1) INTERNAL SYSTEM CONNECTIONS | COMPLIANCE CHECKS
4261 Perform security and privacy compliance checks on constituent system components prior
4262 to the establishment of the internal connection.
4263 Discussion: Compliance checks include verification of the relevant baseline configuration.
4264 Related Controls: CM-6.
4265 References: [SP 800-124]; [IR 8023].

CHAPTER THREE PAGE 93

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4266 3.5 CONFIGURATION MANAGEMENT

4267 Quick link to Configuration Management summary table

4268 CM-1 POLICY AND PROCEDURES

4269 Control:
4270 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
4271 roles]:
4272 1. [Selection (one or more): organization-level; mission/business process-level; system-
4273 level] configuration management policy that:
4274 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
4275 coordination among organizational entities, and compliance; and
4276 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
4277 standards, and guidelines; and
4278 2. Procedures to facilitate the implementation of the configuration management policy
4279 and the associated configuration management controls;
4280 b. Designate an [Assignment: organization-defined official] to manage the development,
4281 documentation, and dissemination of the configuration management policy and procedures;
4282 and
4283 c. Review and update the current configuration management:
4284 1. Policy [Assignment: organization-defined frequency]; and
4285 2. Procedures [Assignment: organization-defined frequency].
4286 Discussion: This control addresses policy and procedures for the controls in the CM family
4287 implemented within systems and organizations. The risk management strategy is an important
4288 factor in establishing such policies and procedures. Policies and procedures help provide security
4289 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
4290 on their development. Security and privacy program policies and procedures at the organization
4291 level are preferable, in general, and may obviate the need for system-specific policies and
4292 procedures. The policy can be included as part of the general security and privacy policy or can
4293 be represented by multiple policies reflecting the complex nature of organizations. Procedures
4294 can be established for security and privacy programs and for systems, if needed. Procedures
4295 describe how the policies or controls are implemented and can be directed at the individual or
4296 role that is the object of the procedure. Procedures can be documented in system security and
4297 privacy plans or in one or more separate documents. Restating controls does not constitute an
4298 organizational policy or procedure.
4299 Related Controls: PM-9, PS-8, SA-8, SI-12.
4300 Control Enhancements: None.
4301 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

4302 CM-2 BASELINE CONFIGURATION

4303 Control:
4304 a. Develop, document, and maintain under configuration control, a current baseline
4305 configuration of the system; and
4306 b. Review and update the baseline configuration of the system:

CHAPTER THREE PAGE 94

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4307 1. [Assignment: organization-defined frequency];

4308 2. When required due to [Assignment organization-defined circumstances]; and
4309 3. When system components are installed or upgraded.
4310 Discussion: Baseline configurations for systems and system components include connectivity,
4311 operational, and communications aspects of systems. Baseline configurations are documented,
4312 formally reviewed and agreed-upon specifications for systems or configuration items within
4313 those systems. Baseline configurations serve as a basis for future builds, releases, or changes to
4314 systems and include security and privacy control implementations, operational procedures,
4315 information about system components, network topology, and logical placement of components
4316 in the system architecture. Maintaining baseline configurations requires creating new baselines
4317 as organizational systems change over time. Baseline configurations of systems reflect the
4318 current enterprise architecture.
4319 Related Controls: AC-19, AU-6, CA-9, CM-1, CM-3, CM-5, CM-6, CM-8, CM-9, CP-9, CP-10, CP-12,
4320 MA-2, PL-8, PM-5, SA-8, SA-10, SA-15, SC-18.
4321 Control Enhancements:
4322 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES
4323 [Withdrawn: Incorporated into CM-2.]
4324 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY
4325 Maintain the currency, completeness, accuracy, and availability of the baseline
4326 configuration of the system using [Assignment: organization-defined automated
4327 mechanisms].
4328 Discussion: Automated mechanisms that help organizations maintain consistent baseline
4329 configurations for systems include configuration management tools, hardware, software,
4330 and firmware inventory tools, and network management tools. Automated tools can be used
4331 at the organization level, mission/business process level or system level on workstations,
4332 servers, notebook computers, network components, or mobile devices. Tools can be used to
4333 track version numbers on operating systems, applications, types of software installed, and
4334 current patch levels. Automation support for accuracy and currency can be satisfied by the
4335 implementation of CM-8(2) for organizations that combine system component inventory and
4336 baseline configuration activities.
4337 Related Controls: CM-7, IA-3, RA-5.
4338 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS
4339 Retain [Assignment: organization-defined number] of previous versions of baseline
4340 configurations of the system to support rollback.
4341 Discussion: Retaining previous versions of baseline configurations to support rollback
4342 include hardware, software, firmware, configuration files, and configuration records.
4343 Related Controls: None.
4344 (4) BASELINE CONFIGURATION | UNAUTHORIZED SOFTWARE
4345 [Withdrawn: Incorporated into CM-7(4).]
4346 (5) BASELINE CONFIGURATION | AUTHORIZED SOFTWARE
4347 [Withdrawn: Incorporated into CM-7(5).]
4348 (6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
4349 Maintain a baseline configuration for system development and test environments that is
4350 managed separately from the operational baseline configuration.

CHAPTER THREE PAGE 95

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4351 Discussion: Establishing separate baseline configurations for development, testing, and
4352 operational environments protects systems from unplanned or unexpected events related to
4353 development and testing activities. Separate baseline configurations allow organizations to
4354 apply the configuration management that is most appropriate for each type of configuration.
4355 For example, the management of operational configurations typically emphasizes the need
4356 for stability, while the management of development or test configurations requires greater
4357 flexibility. Configurations in the test environment mirror configurations in the operational
4358 environment to the extent practicable so that the results of the testing are representative of
4359 the proposed changes to the operational systems. Separate baseline configurations does not
4360 necessarily require separate physical environments.
4361 Related Controls: CM-4, SC-3, SC-7.
4362 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS AND COMPONENTS FOR HIGH-RISK AREAS
4363 (a) Issue [Assignment: organization-defined systems or system components] with
4364 [Assignment: organization-defined configurations] to individuals traveling to locations
4365 that the organization deems to be of significant risk; and
4366 (b) Apply the following controls to the systems or components when the individuals
4367 return from travel: [Assignment: organization-defined controls].
4368 Discussion: When it is known that systems or system components will be in high-risk areas
4369 external to the organization, additional controls may be implemented to counter the
4370 increased threat in such areas. For example, organizations can take actions for notebook
4371 computers used by individuals departing on and returning from travel. Actions include
4372 determining the locations that are of concern, defining the required configurations for the
4373 components, ensuring that components are configured as intended before travel is initiated,
4374 and applying controls to the components after travel is completed. Specially configured
4375 notebook computers include computers with sanitized hard drives, limited applications, and
4376 more stringent configuration settings. Controls applied to mobile devices upon return from
4377 travel include examining the mobile device for signs of physical tampering and purging and
4378 reimaging disk drives. Protecting information that resides on mobile devices is addressed in
4379 the MP (Media Protection) family.
4380 Related Controls: MP-4, MP-5.
4381 References: [SP 800-124]; [SP 800-128].

4382 CM-3 CONFIGURATION CHANGE CONTROL

4383 Control:
4384 a. Determine and document the types of changes to the system that are configuration-
4385 controlled;
4386 b. Review proposed configuration-controlled changes to the system and approve or disapprove
4387 such changes with explicit consideration for security and privacy impact analyses;
4388 c. Document configuration change decisions associated with the system;
4389 d. Implement approved configuration-controlled changes to the system;
4390 e. Retain records of configuration-controlled changes to the system for [Assignment:
4391 organization-defined time-period];
4392 f. Monitor and review activities associated with configuration-controlled changes to the
4393 system; and
4394 g. Coordinate and provide oversight for configuration change control activities through
4395 [Assignment: organization-defined configuration change control element] that convenes

CHAPTER THREE PAGE 96

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4396 [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment:

4397 organization-defined configuration change conditions]].
4398 Discussion: Configuration change control for organizational systems involves the systematic
4399 proposal, justification, implementation, testing, review, and disposition of system changes,
4400 including system upgrades and modifications. Configuration change control includes changes to
4401 baseline configurations and configuration items of systems; changes to operational procedures;
4402 changes to configuration settings for system components; unscheduled or unauthorized changes;
4403 and changes to remediate vulnerabilities. Processes for managing configuration changes to
4404 systems include Configuration Control Boards or Change Advisory Boards that review and
4405 approve proposed changes. For changes impacting privacy risk, the senior agency official for
4406 privacy updates privacy impact assessments and system of records notices. For new systems or
4407 major upgrades, organizations consider including representatives from the development
4408 organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of
4409 changes includes activities before and after changes are made to systems and the auditing
4410 activities required to implement such changes. See also SA-10.
4411 Related Controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, CM-11, IA-3, MA-2, PE-16, PT-7, RA-8,
4412 SA-8, SA-10, SC-28, SC-34, SC-37, SI-2, SI-3, SI-4, SI-7, SI-10, SR-11.
4413 Control Enhancements:
4414 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENTATION, NOTIFICATION, AND
4415 PROHIBITION OF CHANGES
4416 Use [Assignment: organization-defined automated mechanisms] to:
4417 (a) Document proposed changes to the system;
4418 (b) Notify [Assignment: organization-defined approval authorities] of proposed changes
4419 to the system and request change approval;
4420 (c) Highlight proposed changes to the system that have not been approved or
4421 disapproved within [Assignment: organization-defined time-period];
4422 (d) Prohibit changes to the system until designated approvals are received;
4423 (e) Document all changes to the system; and
4424 (f) Notify [Assignment: organization-defined personnel] when approved changes to the
4425 system are completed.
4426 Discussion: None.
4427 Related Controls: None.
4428 (2) CONFIGURATION CHANGE CONTROL | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES
4429 Test, validate, and document changes to the system before finalizing the implementation
4430 of the changes.
4431 Discussion: Changes to systems include modifications to hardware, software, or firmware
4432 components and configuration settings defined in CM-6. Organizations ensure that testing
4433 does not interfere with system operations supporting organizational missions and business
4434 functions. Individuals or groups conducting tests understand security and privacy policies
4435 and procedures, system security and privacy policies and procedures, and the health, safety,
4436 and environmental risks associated with specific facilities or processes. Operational systems
4437 may need to be taken off-line, or replicated to the extent feasible, before testing can be
4438 conducted. If systems must be taken off-line for testing, the tests are scheduled to occur
4439 during planned system outages whenever possible. If the testing cannot be conducted on
4440 operational systems, organizations employ compensating controls.
4441 Related Controls: None.

CHAPTER THREE PAGE 97

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4442 (3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION

4443 Implement changes to the current system baseline and deploy the updated baseline across
4444 the installed base using [Assignment: organization-defined automated mechanisms].
4445 Discussion: Automated tools (e.g., Security Information and Event Management tools) can
4446 improve the accuracy, consistency, and availability of configuration baseline information.
4447 Automation can also provide data aggregation and data correlation capabilities; alerting
4448 mechanisms; and dashboards to support risk-based decision making within the organization.
4449 Related Controls: None.
4450 (4) CONFIGURATION CHANGE CONTROL | SECURITY AND PRIVACY REPRESENTATIVES
4451 Require [Assignment: organization-defined security and privacy representatives] to be
4452 members of the [Assignment: organization-defined configuration change control element].
4453 Discussion: Information security and privacy representatives include system security
4454 officers, senior agency information security officers, senior agency officials for privacy, or
4455 system privacy officers. Representation by personnel with information security and privacy
4456 expertise is important because changes to system configurations can have unintended side
4457 effects, some of which may be security- or privacy-relevant. Detecting such changes early in
4458 the process can help avoid unintended, negative consequences that could ultimately affect
4459 the security and privacy posture of systems. The configuration change control element in
4460 this control enhancement reflects the change control elements defined by organizations in
4461 CM-3.
4462 Related Controls: None.
4463 (5) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE
4464 Implement the following security responses automatically if baseline configurations are
4465 changed in an unauthorized manner: [Assignment: organization-defined security
4466 responses].
4467 Discussion: Automated security responses include halting selected system functions, halting
4468 system processing, or issuing alerts or notifications to organizational personnel when there
4469 is an unauthorized modification of a configuration item.
4470 Related Controls: None.
4471 (6) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT
4472 Ensure that cryptographic mechanisms used to provide the following controls are under
4473 configuration management: [Assignment: organization-defined controls].
4474 Discussion: The controls referenced in the control enhancement refer to security and
4475 privacy controls from the control catalog. Regardless of the cryptographic mechanisms
4476 employed, processes and procedures are in place to manage those mechanisms. For
4477 example, if system components use certificates for identification and authentication, a
4478 process is implemented to address the expiration of those certificates.
4479 Related Controls: SC-12.
4480 (7) CONFIGURATION CHANGE CONTROL | REVIEW SYSTEM CHANGES
4481 Review changes to the system [Assignment: organization-defined frequency] or when
4482 [Assignment: organization-defined circumstances] to determine whether unauthorized
4483 changes have occurred.
4484 Discussion: Indications that warrant review of changes to the system and the specific
4485 circumstances justifying such reviews may be obtained from activities carried out by
4486 organizations during the configuration change process or continuous monitoring process.
4487 Related Controls: AU-6, AU-7, CM-3.

CHAPTER THREE PAGE 98

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4488 (8) CONFIGURATION CHANGE CONTROL | PREVENT OR RESTRICT CONFIGURATION CHANGES

4489 Prevent or restrict changes to the configuration of the system under the following
4490 circumstances: [Assignment: organization-defined circumstances].
4491 Discussion: System configuration changes made in an ad hoc manner or in uncontrolled
4492 environments can adversely affect critical system security and privacy functionality. Change
4493 restrictions can be enforced through automated mechanisms.
4494 Related Controls: None.
4495 References: [SP 800-124]; [SP 800-128]; [IR 8062].

4496 CM-4 IMPACT ANALYSES

4497 Control: Analyze changes to the system to determine potential security and privacy impacts
4498 prior to change implementation.
4499 Discussion: Organizational personnel with security or privacy responsibilities conduct impact
4500 analyses. Individuals conducting impact analyses possess the necessary skills and technical
4501 expertise to analyze the changes to systems and the security or privacy ramifications. Impact
4502 analyses include reviewing security and privacy plans, policies, and procedures to understand
4503 control requirements; reviewing system design documentation and operational procedures to
4504 understand control implementation and how specific system changes might affect the controls;
4505 reviewing with stakeholders the impact of changes on organizational supply chain partners; and
4506 determining how potential changes to a system create new risks to the privacy of individuals and
4507 the ability of implemented controls to mitigate those risks. Impact analyses also include risk
4508 assessments to understand the impact of the changes and to determine if additional controls are
4509 required.
4510 Related Controls: CA-7, CM-3, CM-8, CM-9, MA-2, RA-3, RA-5, SA-5, SA-8, SA-10, SI-2.
4511 Control Enhancements:
4512 (1) IMPACT ANALYSES | SEPARATE TEST ENVIRONMENTS
4513 Analyze changes to the system in a separate test environment before implementation in
4514 an operational environment, looking for security and privacy impacts due to flaws,
4515 weaknesses, incompatibility, or intentional malice.
4516 Discussion: A separate test environment requires an environment that is physically or
4517 logically separate and distinct from the operational environment. The separation is sufficient
4518 to ensure that activities in the test environment do not impact activities in the operational
4519 environment, and that information in the operational environment is not inadvertently
4520 transmitted to the test environment. Separate environments can be achieved by physical or
4521 logical means. If physically separate test environments are not implemented, organizations
4522 determine the strength of mechanism required when implementing logical separation.
4523 Related Controls: SA-11, SC-7.
4524 (2) IMPACT ANALYSES | VERIFICATION OF CONTROLS
4525 After system changes, verify that the impacted controls are implemented correctly,
4526 operating as intended, and producing the desired outcome with regard to meeting the
4527 security and privacy requirements for the system.
4528 Discussion: Implementation in this context refers to installing changed code in the
4529 operational system that may have an impact on security or privacy controls.
4530 Related Controls: SA-11, SC-3, SI-6.
4531 References: [SP 800-128].

CHAPTER THREE PAGE 99

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4532 CM-5 ACCESS RESTRICTIONS FOR CHANGE

4533 Control: Define, document, approve, and enforce physical and logical access restrictions
4534 associated with changes to the system.
4535 Discussion: Changes to the hardware, software, or firmware components of systems or the
4536 operational procedures related to the system, can potentially have significant effects on the
4537 security of the systems or individual privacy. Therefore, organizations permit only qualified and
4538 authorized individuals to access systems for purposes of initiating changes. Access restrictions
4539 include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow
4540 automation, media libraries, abstract layers (i.e., changes implemented into external interfaces
4541 rather than directly into systems), and change windows (i.e., changes occur only during specified
4542 times).
4543 Related Controls: AC-3, AC-5, AC-6, CM-9, PE-3, SC-28, SC-34, SC-37, SI-2, SI-10.
4544 Control Enhancements:
4545 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT AND AUDIT RECORDS
4546 (a) Enforce access restrictions using [Assignment: organization-defined automated
4547 mechanisms]; and
4548 (b) Automatically generate audit records of the enforcement actions.
4549 Discussion: Organizations log access records associated with applying configuration changes
4550 to ensure that configuration change control is implemented and to support after-the-fact
4551 actions should organizations discover any unauthorized changes.
4552 Related Controls: AU-2, AU-6, AU-7, AU-12, CM-6, CM-11, SI-12.
4553 (2) ACCESS RESTRICTIONS FOR CHANGE | REVIEW SYSTEM CHANGES
4554 [Withdrawn: Incorporated into CM-3(7).]
4555 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
4556 Prevent the installation of [Assignment: organization-defined software and firmware
4557 components] without verification that the component has been digitally signed using a
4558 certificate that is recognized and approved by the organization.
4559 Discussion: Software and firmware components prevented from installation unless signed
4560 with recognized and approved certificates include software and firmware version updates,
4561 patches, service packs, device drivers, and basic input/output system updates. Organizations
4562 can identify applicable software and firmware components by type, by specific items, or a
4563 combination of both. Digital signatures and organizational verification of such signatures is a
4564 method of code authentication.
4565 Related Controls: CM-7, SC-13, SI-7.
4566 (4) ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION
4567 Enforce dual authorization for implementing changes to [Assignment: organization-
4568 defined system components and system-level information].
4569 Discussion: Organizations employ dual authorization to help ensure that any changes to
4570 selected system components and information cannot occur unless two qualified individuals
4571 approve and implement such changes. The two individuals possess the skills and expertise to
4572 determine if the proposed changes are correct implementations of approved changes. The
4573 individuals are also accountable for the changes. Dual authorization may also be known as
4574 two-person control. To reduce the risk of collusion, organizations consider rotating dual
4575 authorization duties to other individuals. System-level information includes operational
4576 procedures.

CHAPTER THREE PAGE 100

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4577 Related Controls: AC-2, AC-5, CM-3.

4578 (5) ACCESS RESTRICTIONS FOR CHANGE | PRIVILEGE LIMITATION FOR PRODUCTION AND OPERATION
4579 (a) Limit privileges to change system components and system-related information within
4580 a production or operational environment; and
4581 (b) Review and reevaluate privileges [Assignment: organization-defined frequency].
4582 Discussion: In many organizations, systems support multiple missions and business
4583 functions. Limiting privileges to change system components with respect to operational
4584 systems is necessary because changes to a system component may have far-reaching effects
4585 on mission and business processes supported by the system. The relationships between
4586 systems and mission/business processes are in some cases, unknown to developers. System-
4587 related information includes operational procedures.
4588 Related Controls: AC-2.
4589 (6) ACCESS RESTRICTIONS FOR CHANGE | LIMIT LIBRARY PRIVILEGES
4590 Limit privileges to change software resident within software libraries.
4591 Discussion: Software libraries include privileged programs.
4592 Related Controls: AC-2.
4593 (7) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS
4594 [Withdrawn: Incorporated into SI-7.]
4595 References: [FIPS 140-3]; [FIPS 186-4].

4596 CM-6 CONFIGURATION SETTINGS

4597 Control:
4598 a. Establish and document configuration settings for components employed within the system
4599 using [Assignment: organization-defined common secure configurations] that reflect the
4600 most restrictive mode consistent with operational requirements;
4601 b. Implement the configuration settings;
4602 c. Identify, document, and approve any deviations from established configuration settings for
4603 [Assignment: organization-defined system components] based on [Assignment: organization-
4604 defined operational requirements]; and
4605 d. Monitor and control changes to the configuration settings in accordance with organizational
4606 policies and procedures.
4607 Discussion: Configuration settings are the parameters that can be changed in the hardware,
4608 software, or firmware components of the system that affect the security posture or functionality
4609 of the system. Information technology products for which security-related configuration settings
4610 can be defined include mainframe computers, servers, workstations, operating systems, mobile
4611 devices, input/output devices, protocols, and applications. Security parameters are parameters
4612 impacting the security posture of systems, including the parameters required to satisfy other
4613 security control requirements. Security parameters include registry settings; account, file, or
4614 directory permission settings; and settings for functions, protocols, ports, services, and remote
4615 connections. Organizations establish organization-wide configuration settings and subsequently
4616 derive specific configuration settings for systems. The established settings become part of the
4617 configuration baseline for the system.
4618 Common secure configurations (also known as security configuration checklists, lockdown and
4619 hardening guides, security reference guides) provide recognized, standardized, and established
4620 benchmarks that stipulate secure configuration settings for information technology products and

CHAPTER THREE PAGE 101

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4621 platforms as well as instructions for configuring those products or platforms to meet operational
4622 requirements. Common secure configurations can be developed by a variety of organizations,
4623 including information technology product developers, manufacturers, vendors, federal agencies,
4624 consortia, academia, industry, and other organizations in the public and private sectors.
4625 Implementation of a common secure configuration may be mandated at the organization level,
4626 mission/business process level, or system level, or may be mandated at a higher level, including
4627 by a regulatory agency. Common secure configurations include the United States Government
4628 Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which
4629 affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
4630 Content Automation Protocol (SCAP) and the defined standards within the protocol provide an
4631 effective method to uniquely identify, track, and control configuration settings.
4632 Related Controls: AC-3, AC-19, AU-2, AU-6, CA-9, CM-2, CM-3, CM-5, CM-7, CM-11, CP-7, CP-9,
4633 CP-10, IA-3, IA-5, PL-8, RA-5, SA-4, SA-5, SA-8, SA-9, SC-18, SC-28, SC-43, SI-2, SI-4, SI-6.
4634 Control Enhancements:
4635 (1) CONFIGURATION SETTINGS | AUTOMATED MANAGEMENT, APPLICATION, AND VERIFICATION
4636 Centrally manage, apply, and verify configuration settings for [Assignment: organization-
4637 defined system components] using [Assignment: organization-defined automated
4638 mechanisms].
4639 Discussion: Automated tools (e.g., security information and event management tools or
4640 enterprise security monitoring tools) can improve the accuracy, consistency, and availability
4641 of configuration settings information. Automation can also provide data aggregation and
4642 data correlation capabilities; alerting mechanisms; and dashboards to support risk-based
4643 decision making within the organization.
4644 Related Controls: CA-7.
4645 (2) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES
4646 Take the following actions in response to unauthorized changes to [Assignment:
4647 organization-defined configuration settings]: [Assignment: organization-defined actions].
4648 Discussion: Responses to unauthorized changes to configuration settings include alerting
4649 designated organizational personnel, restoring established configuration settings, or in
4650 extreme cases, halting affected system processing.
4651 Related Controls: IR-4, IR-6, SI-7.
4652 (3) CONFIGURATION SETTINGS | UNAUTHORIZED CHANGE DETECTION
4653 [Withdrawn: Incorporated into SI-7.]
4654 (4) CONFIGURATION SETTINGS | CONFORMANCE DEMONSTRATION
4655 [Withdrawn: Incorporated into CM-4.]
4656 References: [SP 800-70]; [SP 800-126]; [SP 800-128]; [USGCB]; [NCPR]; [DOD STIG].

4657 CM-7 LEAST FUNCTIONALITY

4658 Control:
4659 a. Configure the system to provide only [Assignment: organization-defined mission essential
4660 capabilities]; and
4661 b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or
4662 services: [Assignment: organization-defined prohibited or restricted functions, ports,
4663 protocols, software, and/or services].

CHAPTER THREE PAGE 102

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4664 Discussion: Systems provide a wide variety of functions and services. Some of the functions and
4665 services routinely provided by default, may not be necessary to support essential organizational
4666 missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple
4667 services from a single system component but doing so increases risk over limiting the services
4668 provided by that single component. Where feasible, organizations limit component functionality
4669 to a single function per component. Organizations consider removing unused or unnecessary
4670 software and disabling unused or unnecessary physical and logical ports and protocols to prevent
4671 unauthorized connection of components, transfer of information, and tunneling. Organizations
4672 employ network scanning tools, intrusion detection and prevention systems, and end-point
4673 protection technologies such as firewalls and host-based intrusion detection systems to identify
4674 and prevent the use of prohibited functions, protocols, ports, and services. Least functionality
4675 can also be achieved as part of the fundamental design and development of the system (see SA-
4676 8, SC-2, and SC-3).
4677 Related Controls: AC-3, AC-4, CM-2, CM-5, CM-6, CM-11, RA-5, SA-4, SA-5, SA-8, SA-9, SA-15, SC-
4678 2, SC-3, SC-7, SC-37, SI-4.
4679 Control Enhancements:
4680 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW
4681 (a) Review the system [Assignment: organization-defined frequency] to identify
4682 unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
4683 (b) Disable or remove [Assignment: organization-defined functions, ports, protocols,
4684 software, and services within the system deemed to be unnecessary and/or
4685 nonsecure].
4686 Discussion: Organizations review functions, ports, protocols, and services provided by
4687 systems or system components to determine the functions and services that are candidates
4688 for elimination. Such reviews are especially important during transition periods from older
4689 technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology
4690 transitions may require implementing the older and newer technologies simultaneously
4691 during the transition period and returning to minimum essential functions, ports, protocols,
4692 and services at the earliest opportunity. Organizations can either decide the relative security
4693 of the function, port, protocol, and/or service or base the security decision on the
4694 assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer
4695 networking.
4696 Related Controls: AC-18.
4697 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION
4698 Prevent program execution in accordance with [Selection (one or more): [Assignment:
4699 organization-defined policies, rules of behavior, and/or access agreements regarding
4700 software program usage and restrictions]; rules authorizing the terms and conditions of
4701 software program usage].
4702 Discussion: Prevention of program execution addresses organizational policies, rules of
4703 behavior, and/or access agreements restricting software usage and the terms and conditions
4704 imposed by the developer or manufacturer, including software licensing and copyrights.
4705 Restrictions include prohibiting auto-execute features; restricting roles allowed to approve
4706 program execution; program blacklisting and whitelisting; or restricting the number of
4707 program instances executed at the same time.
4708 Related Controls: CM-8, PL-4, PM-5, PS-6.
4709 (3) LEAST FUNCTIONALITY | REGISTRATION COMPLIANCE
4710 Ensure compliance with [Assignment: organization-defined registration requirements for
4711 functions, ports, protocols, and services].

CHAPTER THREE PAGE 103

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4712 Discussion: Organizations use the registration process to manage, track, and provide
4713 oversight for systems and implemented functions, ports, protocols, and services.
4714 Related Controls: None.
4715 (4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE — BLACKLISTING
4716 (a) Identify [Assignment: organization-defined software programs not authorized to
4717 execute on the system];
4718 (b) Employ an allow-all, deny-by-exception policy to prohibit the execution of
4719 unauthorized software programs on the system; and
4720 (c) Review and update the list of unauthorized software programs [Assignment:
4721 organization-defined frequency].
4722 Discussion: The process used to identify software programs or categories of software
4723 programs that are not authorized to execute on organizational systems is commonly
4724 referred to as blacklisting. Software programs identified can be limited to specific versions
4725 or from a specific source. The concept of blacklisting may also be applied to user actions,
4726 ports, IP addresses, and media access control (MAC) addresses.
4727 Related Controls: CM-6, CM-8, CM-10, PM-5.
4728 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE — WHITELISTING
4729 (a) Identify [Assignment: organization-defined software programs authorized to execute
4730 on the system];
4731 (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized
4732 software programs on the system; and
4733 (c) Review and update the list of authorized software programs [Assignment:
4734 organization-defined frequency].
4735 Discussion: The process used to identify specific software programs or entire categories of
4736 software programs that are authorized to execute on organizational systems is commonly
4737 referred to as whitelisting. Software programs identified can be limited to specific versions
4738 or from a specific source. To facilitate comprehensive whitelisting and increase the strength
4739 of protection for attacks that bypass application level whitelisting, software programs may
4740 be decomposed into and monitored at different levels of detail. Software program levels of
4741 detail include applications, application programming interfaces, application modules, scripts,
4742 system processes, system services, kernel functions, registries, drivers, and dynamic link
4743 libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses,
4744 and media access control (MAC) addresses. Organizations consider verifying the integrity of
4745 white-listed software programs using, cryptographic checksums, digital signatures, or hash
4746 functions. Verification of white-listed software can occur either prior to execution or at
4747 system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7.
4748 Related Controls: CM-2, CM-6, CM-8, CM-10, PM-5, SA-10, SC-34, SI-7.
4749 (6) LEAST FUNCTIONALITY | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
4750 Require that the following user-installed software execute in a confined physical or virtual
4751 machine environment with limited privileges: [Assignment: organization-defined user-
4752 installed software].
4753 Discussion: Organizations identify software that may be of concern regarding its origin or
4754 potential for containing malicious code. For this type of software, user installations occur in
4755 confined environments of operation to limit or contain damage from malicious code that
4756 may be executed.
4757 Related Controls: CM-11, SC-44.

CHAPTER THREE PAGE 104

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4758 (7) LEAST FUNCTIONALITY | CODE EXECUTION IN PROTECTED ENVIRONMENTS

4759 Allow execution of binary or machine-executable code only in confined physical or virtual
4760 machine environments and with the explicit approval of [Assignment: organization-
4761 defined personnel or roles] when such code is:
4762 (a) Obtained from sources with limited or no warranty; and/or
4763 (b) Without the provision of source code.
4764 Discussion: This control enhancement applies to all sources of binary or machine-executable
4765 code, including commercial software and firmware and open source software.
4766 Related Controls: CM-10, SC-44.
4767 (8) LEAST FUNCTIONALITY | BINARY OR MACHINE EXECUTABLE CODE
4768 (a) Prohibit the use of binary or machine-executable code from sources with limited or no
4769 warranty or without the provision of source code; and
4770 (b) Allow exceptions only for compelling mission or operational requirements and with
4771 the approval of the authorizing official.
4772 Discussion: This control enhancement applies to all sources of binary or machine-executable
4773 code, including commercial software and firmware and open source software. Organizations
4774 assess software products without accompanying source code or from sources with limited or
4775 no warranty for potential security impacts. The assessments address the fact that software
4776 products without the provision of source code may be difficult to review, repair, or extend.
4777 In addition, there may be no owners to make such repairs on behalf of organizations. If open
4778 source software is used, the assessments address the fact that there is no warranty, the
4779 open source software could contain back doors or malware, and there may be no support
4780 available.
4781 Related Controls: SA-5, SA-22.
4782 References: [FIPS 140-3]; [FIPS 180-4]; [FIPS 186-4]; [FIPS 202]; [SP 800-167].

4783 CM-8 SYSTEM COMPONENT INVENTORY

4784 Control:
4785 a. Develop and document an inventory of system components that:
4786 1. Accurately reflects the system;
4787 2. Includes all components within the system;
4788 3. Is at the level of granularity deemed necessary for tracking and reporting; and
4789 4. Includes the following information to achieve system component accountability:
4790 [Assignment: organization-defined information deemed necessary to achieve effective
4791 system component accountability]; and
4792 b. Review and update the system component inventory [Assignment: organization-defined
4793 frequency].
4794 Discussion: System components are discrete, identifiable information technology assets that
4795 include hardware, software, and firmware. Organizations may choose to implement centralized
4796 system component inventories that include components from all organizational systems. In such
4797 situations, organizations ensure that the inventories include system-specific information required
4798 for component accountability. The information necessary for effective accountability of system
4799 components includes system name, software owners, software version numbers, hardware
4800 inventory specifications, software license information, and for networked components, the
4801 machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6).

CHAPTER THREE PAGE 105

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4802 Inventory specifications include date of receipt, cost, model, serial number, manufacturer,
4803 supplier information, component type, and physical location.
4804 Related Controls: CM-2, CM-7, CM-9, CM-10, CM-11, CM-13, CP-2, CP-9, MA-2, MA-6, PE-20,
4805 PM-5, SA-4, SA-5, SI-2, SR-4.
4806 Control Enhancements:
4807 (1) SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATION AND REMOVAL
4808 Update the inventory of system components as part of component installations, removals,
4809 and system updates.
4810 Discussion: Organizations can improve the accuracy, completeness, and consistency of
4811 system component inventories if the inventories are updated routinely as part of component
4812 installations or removals, or during general system updates. If inventories are not updated at
4813 these key times, there is a greater likelihood that the information will not be appropriately
4814 captured and documented. System updates include hardware, software, and firmware
4815 components.
4816 Related Controls: PM-16.
4817 (2) SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
4818 Maintain the currency, completeness, accuracy, and availability of the inventory of system
4819 components using [Assignment: organization-defined automated mechanisms].
4820 Discussion: Organizations maintain system inventories to the extent feasible. For example,
4821 virtual machines can be difficult to monitor because such machines are not visible to the
4822 network when not in use. In such cases, organizations maintain as up-to-date, complete, and
4823 accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by
4824 the implementation of CM-2(2) for organizations that combine system component inventory
4825 and baseline configuration activities.
4826 Related Controls: None.
4827 (3) SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
4828 (a) Detect the presence of unauthorized hardware, software, and firmware components
4829 within the system using [Assignment: organization-defined automated mechanisms]
4830 [Assignment: organization-defined frequency]; and
4831 (b) Take the following actions when unauthorized components are detected: [Selection
4832 (one or more): disable network access by such components; isolate the components;
4833 notify [Assignment: organization-defined personnel or roles]].
4834 Discussion: Automated unauthorized component detection is applied in addition to the
4835 monitoring for unauthorized remote connections and mobile devices. Monitoring for
4836 unauthorized system components may be accomplished on an ongoing basis or by the
4837 periodic scanning of systems for that purpose. Automated mechanisms can be implemented
4838 in systems or in separate system components. When acquiring and implementing automated
4839 mechanisms, organizations consider whether such mechanisms depend on the ability of the
4840 system component to support an agent or supplicant in order to be detected since some
4841 types of components do not have or cannot support agents (e.g., IoT devices). Isolation can
4842 be achieved, for example, by placing unauthorized system components in separate domains
4843 or subnets or quarantining such components. This type of component isolation is commonly
4844 referred to as sandboxing.
4845 Related Controls: AC-19, CA-7, RA-5, SC-3, SC-39, SC-44, SI-3, SI-4, SI-7.

CHAPTER THREE PAGE 106

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4846 (4) SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION

4847 Include in the system component inventory information, a means for identifying by
4848 [Selection (one or more): name; position; role], individuals responsible and accountable for
4849 administering those components.
4850 Discussion: Identifying individuals who are responsible and accountable for administering
4851 system components ensures that the assigned components are properly administered and
4852 that organizations can contact those individuals if some action is required, for example, the
4853 component is determined to be the source of a breach; the component needs to be recalled
4854 or replaced; or the component needs to be relocated.
4855 Related Controls: None.
4856 (5) SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS
4857 (a) Verify that all components within the system are not duplicated in other system
4858 component inventories; or
4859 (b) If a centralized component inventory is used, verify components are not assigned to
4860 multiple systems.
4861 Discussion: Preventing duplicate accounting of system components addresses the lack of
4862 accountability that occurs when component ownership and system association is not known,
4863 especially in large or complex connected systems. For software inventory, centrally managed
4864 software that is accessed via other systems is addressed as a component of the system on
4865 which it is installed and managed. Software installed on multiple organizational systems and
4866 managed at the system level is addressed for each individual system and may appear more
4867 than once in a centralized component inventory, necessitating a system association for each
4868 software instance in the centralized inventory to avoid duplicate accounting of components.
4869 Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in
4870 duplicate components being identified in different address spaces. The implementation of
4871 CM-8(7) can help to eliminate duplicate accounting of components.
4872 Related Controls: None.
4873 (6) SYSTEM COMPONENT INVENTORY | ASSESSED CONFIGURATIONS AND APPROVED DEVIATIONS
4874 Include assessed component configurations and any approved deviations to current
4875 deployed configurations in the system component inventory.
4876 Discussion: Assessed configurations and approved deviations focus on configuration settings
4877 established by organizations for system components, the specific components that have
4878 been assessed to determine compliance with the required configuration settings, and any
4879 approved deviations from established configuration settings.
4880 Related Controls: None.
4881 (7) SYSTEM COMPONENT INVENTORY | CENTRALIZED REPOSITORY
4882 Provide a centralized repository for the inventory of system components.
4883 Discussion: Organizations may implement centralized system component inventories that
4884 include components from all organizational systems. Centralized repositories of component
4885 inventories provide opportunities for efficiencies in accounting for organizational hardware,
4886 software, and firmware assets. Such repositories may also help organizations rapidly identify
4887 the location and responsible individuals of components that have been compromised,
4888 breached, or are otherwise in need of mitigation actions. Organizations ensure that the
4889 resulting centralized inventories include system-specific information required for proper
4890 component accountability.
4891 Related Controls: None.

CHAPTER THREE PAGE 107

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4892 (8) SYSTEM COMPONENT INVENTORY | AUTOMATED LOCATION TRACKING

4893 Support the tracking of system components by geographic location using [Assignment:
4894 organization-defined automated mechanisms].
4895 Discussion: The use of automated mechanisms to track the location of system components
4896 can increase the accuracy of component inventories. Such capability may help organizations
4897 rapidly identify the location and responsible individuals of system components that have
4898 been compromised, breached, or are otherwise in need of mitigation actions. The use of
4899 tracking mechanisms can be coordinated with senior agency officials for privacy if there are
4900 implications affecting individual privacy.
4901 Related Controls: None.
4902 (9) SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS
4903 (a) Assign [Assignment: organization-defined acquired system components] to a system;
4904 and
4905 (b) Receive an acknowledgement from [Assignment: organization-defined personnel or
4906 roles] of this assignment.
4907 Discussion: Acquired system components that are not assigned to a specific system may be
4908 unmanaged, lack the required protection, and thus, become an organizational vulnerability.
4909 Organizations determine the types of system components that are subject to this control
4910 enhancement.
4911 Related Controls: None.
4912 References: [OMB A-130]; [SP 800-57-1]; [SP 800-57-2]; [SP 800-57-3]; [SP 800-128].

4913 CM-9 CONFIGURATION MANAGEMENT PLAN

4914 Control: Develop, document, and implement a configuration management plan for the system
4915 that:
4916 a. Addresses roles, responsibilities, and configuration management processes and procedures;
4917 b. Establishes a process for identifying configuration items throughout the system
4918 development life cycle and for managing the configuration of the configuration items;
4919 c. Defines the configuration items for the system and places the configuration items under
4920 configuration management;
4921 d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
4922 e. Protects the configuration management plan from unauthorized disclosure and
4923 modification.
4924 Discussion: Configuration management activities occur throughout the system development life
4925 cycle. As such, there are developmental configuration management activities (e.g., the control of
4926 code and software libraries) and operational configuration management activities (e.g., control
4927 of installed components and how the components are configured). Configuration management
4928 plans satisfy the requirements in configuration management policies while being tailored to
4929 individual systems. Configuration management plans define processes and procedures for how
4930 configuration management is used to support system development life cycle activities.
4931 Configuration management plans are generated during the development and acquisition stage of
4932 the system development life cycle. The plans describe how to advance changes through change
4933 management processes, how to update configuration settings and baselines, how to maintain
4934 component inventories, how to control development, test, and operational environments, and
4935 how to develop, release, and update key documents.

CHAPTER THREE PAGE 108

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4936 Organizations can employ templates to help ensure consistent and timely development and
4937 implementation of configuration management plans. Templates can represent a master
4938 configuration management plan for the organization with subsets of the plan implemented on a
4939 system by system basis. Configuration management approval processes include designation of
4940 key management stakeholders responsible for reviewing and approving proposed changes to
4941 systems, and personnel that conduct security impact analyses prior to the implementation of
4942 changes to the systems. Configuration items are the system components, for example, the
4943 hardware, software, firmware, and documentation to be configuration-managed. As systems
4944 continue through the system development life cycle, new configuration items may be identified,
4945 and some existing configuration items may no longer need to be under configuration control.
4946 Related Controls: CM-2, CM-3, CM-4, CM-5, CM-8, PL-2, SA-10, SI-12.
4947 Control Enhancements:
4948 (1) CONFIGURATION MANAGEMENT PLAN | ASSIGNMENT OF RESPONSIBILITY
4949 Assign responsibility for developing the configuration management process to
4950 organizational personnel that are not directly involved in system development.
4951 Discussion: In the absence of dedicated configuration management teams assigned within
4952 organizations, system developers may be tasked to develop configuration management
4953 processes using personnel who are not directly involved in system development or system
4954 integration. This separation of duties ensures that organizations establish and maintain a
4955 sufficient degree of independence between the system development and integration
4956 processes and configuration management processes to facilitate quality control and more
4957 effective oversight.
4958 Related Controls: None.
4959 References: [SP 800-128].

4960 CM-10 SOFTWARE USAGE RESTRICTIONS

4961 Control:
4962 a. Use software and associated documentation in accordance with contract agreements and
4963 copyright laws;
4964 b. Track the use of software and associated documentation protected by quantity licenses to
4965 control copying and distribution; and
4966 c. Control and document the use of peer-to-peer file sharing technology to ensure that this
4967 capability is not used for the unauthorized distribution, display, performance, or
4968 reproduction of copyrighted work.
4969 Discussion: Software license tracking can be accomplished by manual or automated methods
4970 depending on organizational needs. A non-disclosure agreement is an example of a contract
4971 agreement.
4972 Related Controls: AC-17, AU-6, CM-7, CM-8, SC-7.
4973 Control Enhancements:
4974 (1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
4975 Establish the following restrictions on the use of open source software: [Assignment:
4976 organization-defined restrictions].
4977 Discussion: Open source software refers to software that is available in source code form.
4978 Certain software rights normally reserved for copyright holders are routinely provided under
4979 software license agreements that permit individuals to study, change, and improve the

CHAPTER THREE PAGE 109

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

4980 software. From a security perspective, the major advantage of open source software is that
4981 it provides organizations with the ability to examine the source code. However, remediating
4982 vulnerabilities in open source software may be problematic. There may also be licensing
4983 issues associated with open source software, including the constraints on derivative use of
4984 such software. Open source software that is available only in binary form may increase the
4985 level of risk in using such software.
4986 Related Controls: SI-7.
4987 References: None.

4988 CM-11 USER-INSTALLED SOFTWARE

4989 Control:
4990 a. Establish [Assignment: organization-defined policies] governing the installation of software
4991 by users;
4992 b. Enforce software installation policies through the following methods: [Assignment:
4993 organization-defined methods]; and
4994 c. Monitor policy compliance [Assignment: organization-defined frequency].
4995 Discussion: If provided the necessary privileges, users can install software in organizational
4996 systems. To maintain control over the software installed, organizations identify permitted and
4997 prohibited actions regarding software installation. Permitted software installations include
4998 updates and security patches to existing software and downloading new applications from
4999 organization-approved “app stores.” Prohibited software installations include software with
5000 unknown or suspect pedigrees or software that organizations consider potentially malicious.
5001 Policies selected for governing user-installed software are organization-developed or provided by
5002 some external entity. Policy enforcement methods can include procedural methods and
5003 automated methods.
5004 Related Controls: AC-3, AU-6, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, PL-4, SI-7.
5005 Control Enhancements:
5006 (1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS
5007 [Withdrawn: Incorporated into CM-8(3).]
5008 (2) USER-INSTALLED SOFTWARE | SOFTWARE INSTALLATION WITH PRIVILEGED STATUS
5009 Allow user installation of software only with explicit privileged status.
5010 Discussion: Privileged status can be obtained, for example, by serving in the role of system
5011 administrator.
5012 Related Controls: AC-5, AC-6.
5013 References: None.

5014 CM-12 INFORMATION LOCATION

5015 Control:
5016 a. Identify and document the location of [Assignment: organization-defined information] and
5017 the specific system components on which the information is processed and stored;
5018 b. Identify and document the users who have access to the system and system components
5019 where the information is processed and stored; and
5020 c. Document changes to the location (i.e., system or system components) where the
5021 information is processed and stored.

CHAPTER THREE PAGE 110

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5022 Discussion: Information location addresses the need to understand where information is being
5023 processed and stored. Information location includes identifying where specific information types
5024 and associated information reside in the system components; and how information is being
5025 processed so that information flow can be understood, and adequate protection and policy
5026 management provided for such information and system components. The security category of
5027 the information is also a factor in determining the controls necessary to protect the information
5028 and the system component where the information resides (see FIPS 199). The location of the
5029 information and system components is also a factor in the architecture and design of the system
5030 (see SA-4, SA-8, SA-17).
5031 Related Controls: AC-2, AC-3, AC-4, AC-6, AC-23, CM-8, PM-5, RA-2, SA-4, SA-8, SA-17, SC-4, SC-
5032 16, SC-28, SI-4, SI-7.
5033 Control Enhancements:
5034 (1) INFORMATION LOCATION | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION
5035 Use automated tools to identify [Assignment: organization-defined information by
5036 information type] on [Assignment: organization-defined system components] to ensure
5037 controls are in place to protect organizational information and individual privacy.
5038 Discussion: The use of automated tools helps to increase the effectiveness and efficiency of
5039 the information location capability implemented within the system. Automation also helps
5040 organizations manage the data produced during information location activities and share
5041 such information organization-wide. The output of automated information location tools can
5042 be used to guide and inform system architecture and design decisions.
5043 Related Controls: None.
5044 References: [FIPS 199]; [SP 800-60 v1]; [SP 800-60 v2].

5045 CM-13 DATA ACTION MAPPING

5046 Control: Develop and document a map of system data actions.
5047 Discussion: Data actions are system operations that process personally identifiable information.
5048 The processing of such information encompasses the full information life cycle which includes
5049 collection, generation, transformation, use, disclosure, retention, and disposal. A map of system
5050 data actions includes discrete data actions, elements of personally identifiable information being
5051 processed in the data actions, components of the system involved in the data actions, and the
5052 owners or operators of the components. Understanding what personally identifiable information
5053 is being processed (e.g., the sensitivity of the personally identifiable information), how personally
5054 identifiable information is being processed (e.g., if the data action is visible to the individual or is
5055 processed on the backend of the system), and by whom (e.g., individuals may have different
5056 privacy perceptions based on the entity that is processing the personally identifiable information)
5057 provides a number of contextual factors that are important to assessing the degree of privacy
5058 risk created by the system. The data map may be an overlay of any system design artifact that
5059 the organization is using. The development of this map may necessitate coordination between
5060 the privacy and security programs regarding the covered data actions and the components that
5061 are identified as part of the system.
5062 Related Controls: CM-4, CM-12, PM-5, PM-27.
5063 References: [IR 8062].

CHAPTER THREE PAGE 111

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5064 3.6 CONTINGENCY PLANNING

5065 Quick link to Contingency Planning summary table

5066 CP-1 POLICY AND PROCEDURES

5067 Control:
5068 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
5069 roles]:
5070 1. [Selection (one or more): organization-level; mission/business process-level; system-
5071 level] contingency planning policy that:
5072 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
5073 coordination among organizational entities, and compliance; and
5074 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
5075 standards, and guidelines; and
5076 2. Procedures to facilitate the implementation of the contingency planning policy and the
5077 associated contingency planning controls;
5078 b. Designate an [Assignment: organization-defined official] to manage the development,
5079 documentation, and dissemination of the contingency planning policy and procedures; and
5080 c. Review and update the current contingency planning:
5081 1. Policy [Assignment: organization-defined frequency]; and
5082 2. Procedures [Assignment: organization-defined frequency].
5083 Discussion: This control addresses policy and procedures for the controls in the CP family
5084 implemented within systems and organizations. The risk management strategy is an important
5085 factor in establishing such policies and procedures. Policies and procedures help provide security
5086 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
5087 on their development. Security and privacy program policies and procedures at the organization
5088 level are preferable, in general, and may obviate the need for system-specific policies and
5089 procedures. The policy can be included as part of the general security and privacy policy or can
5090 be represented by multiple policies reflecting the complex nature of organizations. Procedures
5091 can be established for security and privacy programs and for systems, if needed. Procedures
5092 describe how the policies or controls are implemented and can be directed at the individual or
5093 role that is the object of the procedure. Procedures can be documented in system security and
5094 privacy plans or in one or more separate documents. Restating controls does not constitute an
5095 organizational policy or procedure.
5096 Related Controls: PM-9, PS-8, SI-12.
5097 Control Enhancements: None.
5098 References: [SP 800-12]; [SP 800-30]; [SP 800-34]; [SP 800-39]; [SP 800-50]; [SP 800-100].

5099 CP-2 CONTINGENCY PLAN

5100 Control:
5101 a. Develop a contingency plan for the system that:
5102 1. Identifies essential missions and business functions and associated contingency
5103 requirements;

CHAPTER THREE PAGE 112

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5104 2. Provides recovery objectives, restoration priorities, and metrics;

5105 3. Addresses contingency roles, responsibilities, assigned individuals with contact
5106 information;
5107 4. Addresses maintaining essential missions and business functions despite a system
5108 disruption, compromise, or failure;
5109 5. Addresses eventual, full system restoration without deterioration of the controls
5110 originally planned and implemented; and
5111 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
5112 b. Distribute copies of the contingency plan to [Assignment: organization-defined key
5113 contingency personnel (identified by name and/or by role) and organizational elements];
5114 c. Coordinate contingency planning activities with incident handling activities;
5115 d. Review the contingency plan for the system [Assignment: organization-defined frequency];
5116 e. Update the contingency plan to address changes to the organization, system, or
5117 environment of operation and problems encountered during contingency plan
5118 implementation, execution, or testing;
5119 f. Communicate contingency plan changes to [Assignment: organization-defined key
5120 contingency personnel (identified by name and/or by role) and organizational elements]; and
5121 g. Protect the contingency plan from unauthorized disclosure and modification.
5122 Discussion: Contingency planning for systems is part of an overall program for achieving
5123 continuity of operations for organizational missions and business functions. Contingency
5124 planning addresses system restoration and implementation of alternative mission or business
5125 processes when systems are compromised or breached. Contingency planning is considered
5126 throughout the system development life cycle and is a fundamental part of the system design.
5127 Systems can be designed for redundancy, to provide backup capabilities, and for resilience.
5128 Contingency plans reflect the degree of restoration required for organizational systems since not
5129 all systems need to fully recover to achieve the level of continuity of operations desired. System
5130 recovery objectives reflect applicable laws, executive orders, directives, regulations, policies,
5131 standards, and guidelines.
5132 In addition to availability, contingency plans address other security-related events resulting in a
5133 reduction in mission effectiveness including malicious attacks that compromise the integrity of
5134 systems or the confidentiality of information. Actions addressed in contingency plans include
5135 orderly system degradation, system shutdown, fallback to a manual mode, alternate information
5136 flows, and operating in modes reserved for when systems are under attack. By coordinating
5137 contingency planning with incident handling activities, organizations ensure that the necessary
5138 planning activities are in place and activated in the event of an incident. Organizations consider
5139 whether continuity of operations during an incident conflicts with the capability to automatically
5140 disable the system as specified in IR-4(5). Incident response planning is part of contingency
5141 planning for organizations and is addressed in the IR (Incident Response) family.
5142 Related Controls: CP-3, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13, IR-4, IR-6, IR-8, IR-9,
5143 MA-6, MP-2, MP-4, MP-5, PL-2, PM-8, PM-11, SA-15, SA-20, SC-7, SC-23, SI-12.
5144 Control Enhancements:
5145 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS
5146 Coordinate contingency plan development with organizational elements responsible for
5147 related plans.

CHAPTER THREE PAGE 113

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5148 Discussion: Plans that are related to contingency plans include Business Continuity Plans,
5149 Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis
5150 Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans,
5151 and Occupant Emergency Plans.
5152 Related Controls: None.
5153 (2) CONTINGENCY PLAN | CAPACITY PLANNING
5154 Conduct capacity planning so that necessary capacity for information processing,
5155 telecommunications, and environmental support exists during contingency operations.
5156 Discussion: Capacity planning is needed because different threats can result in a reduction
5157 of the available processing, telecommunications, and support services intended to support
5158 essential missions and business functions. Organizations anticipate degraded operations
5159 during contingency operations and factor the degradation into capacity planning. For
5160 capacity planning, environmental support refers to any environmental factor for which the
5161 organization determines that it needs to provide support in a contingency situation, even if
5162 in a degraded state. Such determinations are based on an organizational assessment of risk,
5163 system categorization (impact level), and organizational risk tolerance.
5164 Related Controls: PE-11, PE-12, PE-13, PE-14, PE-18, SC-5.
5165 (3) CONTINGENCY PLAN | RESUME MISSIONS AND BUSINESS FUNCTIONS
5166 Plan for the resumption of [Selection: all; essential] missions and business functions within
5167 [Assignment: organization-defined time-period] of contingency plan activation.
5168 Discussion: Organizations may choose to conduct contingency planning activities to resume
5169 missions and business functions as part of business continuity planning or as part of business
5170 impact analyses. Organizations prioritize the resumption of missions and business functions.
5171 The time-period for the resumption of missions and business functions may be dependent
5172 on the severity and extent of the disruptions to the system and its supporting infrastructure.
5173 Related Controls: None.
5174 (4) CONTINGENCY PLAN | RESUME ALL MISSIONS AND BUSINESS FUNCTIONS
5175 [Withdrawn: Incorporated into CP-2(3).]
5176 (5) CONTINGENCY PLAN | CONTINUE MISSIONS AND BUSINESS FUNCTIONS
5177 Plan for the continuance of [Selection: all; essential] missions and business functions with
5178 minimal or no loss of operational continuity and sustains that continuity until full system
5179 restoration at primary processing and/or storage sites.
5180 Discussion: Organizations may choose to conduct the contingency planning activities to
5181 continue missions and business functions as part of business continuity planning or as part of
5182 business impact analyses. Primary processing and/or storage sites defined by organizations
5183 as part of contingency planning may change depending on the circumstances associated
5184 with the contingency.
5185 Related Controls: None.
5186 (6) CONTINGENCY PLAN | ALTERNATE PROCESSING AND STORAGE SITES
5187 Plan for the transfer of [Selection: all; essential] missions and business functions to
5188 alternate processing and/or storage sites with minimal or no loss of operational continuity
5189 and sustain that continuity through system restoration to primary processing and/or
5190 storage sites.
5191 Discussion: Organizations may choose to conduct the contingency planning activities for
5192 alternate processing and storage sites as part of business continuity planning or as part of
5193 business impact analyses. Primary processing and/or storage sites defined by organizations

CHAPTER THREE PAGE 114

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5194 as part of contingency planning may change depending on the circumstances associated
5195 with the contingency.
5196 Related Controls: None.
5197 (7) CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS
5198 Coordinate the contingency plan with the contingency plans of external service providers
5199 to ensure that contingency requirements can be satisfied.
5200 Discussion: When the capability of an organization to carry out its missions and business
5201 functions is dependent on external service providers, developing a comprehensive and
5202 timely contingency plan may become more challenging. When missions and business
5203 functions are dependent on external service providers, organizations coordinate contingency
5204 planning activities with the external entities to ensure that the individual plans reflect the
5205 overall contingency needs of the organization.
5206 Related Controls: SA-9.
5207 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS
5208 Identify critical system assets supporting [Selection: all; essential] missions and business
5209 functions.
5210 Discussion: Organizations may choose to identify critical assets as part of criticality analysis,
5211 business continuity planning, or business impact analyses. Organizations identify critical
5212 system assets so additional controls can be employed (beyond the controls routinely
5213 implemented) to help ensure that organizational missions and business functions can
5214 continue to be conducted during contingency operations. The identification of critical
5215 information assets also facilitates the prioritization of organizational resources. Critical
5216 system assets include technical and operational aspects. Technical aspects include system
5217 components, information technology services, information technology products, and
5218 mechanisms. Operational aspects include procedures (manually executed operations) and
5219 personnel (individuals operating technical controls and/or executing manual procedures).
5220 Organizational program protection plans can assist in identifying critical assets. If critical
5221 assets are resident within or supported by external service providers, organizations consider
5222 implementing CP-2(7) as a control enhancement.
5223 Related Controls: CM-8, RA-9.
5224 References: [SP 800-34]; [IR 8179].

5225 CP-3 CONTINGENCY TRAINING

5226 Control: Provide contingency training to system users consistent with assigned roles and
5227 responsibilities:
5228 a. Within [Assignment: organization-defined time-period] of assuming a contingency role or
5229 responsibility;
5230 b. When required by system changes; and
5231 c. [Assignment: organization-defined frequency] thereafter.
5232 Discussion: Contingency training provided by organizations is linked to the assigned roles and
5233 responsibilities of organizational personnel to ensure that the appropriate content and level of
5234 detail is included in such training. For example, some individuals may only need to know when
5235 and where to report for duty during contingency operations and if normal duties are affected;
5236 system administrators may require additional training on how to establish systems at alternate
5237 processing and storage sites; and organizational officials may receive more specific training on
5238 how to conduct mission-essential functions in designated off-site locations and how to establish
5239 communications with other governmental entities for purposes of coordination on contingency-

CHAPTER THREE PAGE 115

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5240 related activities. Training for contingency roles or responsibilities reflects the specific continuity
5241 requirements in the contingency plan.
5242 Related Controls: AT-2, AT-3, AT-4, CP-2, CP-4, CP-8, IR-2, IR-4, IR-9.
5243 Control Enhancements:
5244 (1) CONTINGENCY TRAINING | SIMULATED EVENTS
5245 Incorporate simulated events into contingency training to facilitate effective response by
5246 personnel in crisis situations.
5247 Discussion: The use of simulated events creates an environment for personnel to experience
5248 actual threat events including cyber-attacks that disable web sites, ransom-ware attacks that
5249 encrypt organizational data on servers, hurricanes that damage or destroy organizational
5250 facilities, or hardware or software failures.
5251 Related Controls: None.
5252 (2) CONTINGENCY TRAINING | MECHANISMS USED IN TRAINING ENVIRONMENTS
5253 Employ mechanisms used in operations to provide a more thorough and realistic
5254 contingency training environment.
5255 Discussion: Operational mechanisms refer to processes that have been established to
5256 accomplish an organizational goal or a system that supports a particular organizational
5257 mission or business objective. Actual mission/business processes, systems, and/or facilities
5258 may be used to generate simulated events and/or to enhance the realism of simulated
5259 events during contingency training.
5260 Related Controls: None.
5261 References: [SP 800-50].

5262 CP-4 CONTINGENCY PLAN TESTING

5263 Control:
5264 a. Test the contingency plan for the system [Assignment: organization-defined frequency] using
5265 the following tests to determine the effectiveness of the plan and the readiness to execute
5266 the plan: [Assignment: organization-defined tests].
5267 b. Review the contingency plan test results; and
5268 c. Initiate corrective actions, if needed.
5269 Discussion: Methods for testing contingency plans to determine the effectiveness of the plans
5270 and to identify potential weaknesses in the plans include checklists, walk-through and tabletop
5271 exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations
5272 conduct testing based on the requirements in contingency plans and include a determination of
5273 the effects on organizational operations, assets, and individuals due to contingency operations.
5274 Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective
5275 actions.
5276 Related Controls: AT-3, CP-2, CP-3, CP-8, CP-9, IR-3, IR-4, PL-2, PM-14, SR-2.
5277 Control Enhancements:
5278 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS
5279 Coordinate contingency plan testing with organizational elements responsible for related
5280 plans.
5281 Discussion: Plans related to contingency planning for organizational systems include
5282 Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis

CHAPTER THREE PAGE 116

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5283 Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and
5284 Occupant Emergency Plans. Coordination of contingency plan testing does not require
5285 organizations to create organizational elements to handle related plans or to align such
5286 elements with specific plans. It does require, however, that if such organizational elements
5287 are responsible for related plans, organizations coordinate with those elements.
5288 Related Controls: IR-8, PM-8.
5289 (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE
5290 Test the contingency plan at the alternate processing site:
5291 (a) To familiarize contingency personnel with the facility and available resources; and
5292 (b) To evaluate the capabilities of the alternate processing site to support contingency
5293 operations.
5294 Discussion: Conditions at the alternate processing site may be significantly different than
5295 the conditions at the primary site. Having the opportunity to visit the alternate site and
5296 experience, firsthand, the actual capabilities available at the site can provide valuable
5297 information on potential vulnerabilities that could affect essential organizational missions
5298 and functions. The on-site visit can also provide an opportunity to refine the contingency
5299 plan to address the vulnerabilities discovered during testing.
5300 Related Controls: CP-7.
5301 (3) CONTINGENCY PLAN TESTING | AUTOMATED TESTING
5302 Test the contingency plan using [Assignment: organization-defined automated
5303 mechanisms].
5304 Discussion: Automated mechanisms facilitate thorough and effective testing of contingency
5305 plans by providing more complete coverage of contingency issues; by selecting more realistic
5306 test scenarios and environments; and by effectively stressing the system and supported
5307 missions and business operations.
5308 Related Controls: None.
5309 (4) CONTINGENCY PLAN TESTING | FULL RECOVERY AND RECONSTITUTION
5310 Include a full recovery and reconstitution of the system to a known state as part of
5311 contingency plan testing.
5312 Discussion: Recovery is executing contingency plan activities to restore organizational
5313 missions and business functions. Reconstitution takes place following recovery and includes
5314 activities for returning systems to fully operational states. Organizations establish a known
5315 state for systems that includes system state information for hardware, software programs,
5316 and data. Preserving system state information facilitates system restart and return to the
5317 operational mode of organizations with less disruption of mission and business processes.
5318 Related Controls: CP-10, SC-24.
5319 References: [FIPS 199]; [SP 800-34]; [SP 800-84].

5320 CP-5 CONTINGENCY PLAN UPDATE

5321 [Withdrawn: Incorporated into CP-2.]

5322 CP-6 ALTERNATE STORAGE SITE

5323 Control:
5324 a. Establish an alternate storage site, including necessary agreements to permit the storage
5325 and retrieval of system backup information; and

CHAPTER THREE PAGE 117

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5326 b. Ensure that the alternate storage site provides controls equivalent to that of the primary
5327 site.
5328 Discussion: Alternate storage sites are sites that are geographically distinct from primary storage
5329 sites and that maintain duplicate copies of information and data if the primary storage site is not
5330 available. In contrast to alternate storage sites, alternate processing sites provide processing
5331 capability if the primary processing site is not available. Geographically distributed architectures
5332 that support contingency requirements may also be considered as alternate storage sites. Items
5333 covered by alternate storage site agreements include environmental conditions at the alternate
5334 sites, access rules for systems and facilities, physical and environmental protection requirements,
5335 and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the
5336 requirements in contingency plans so that organizations can maintain essential missions and
5337 business functions despite disruption, compromise, or failure in organizational systems.
5338 Related Controls: CP-2, CP-7, CP-8, CP-9, CP-10, MP-4, MP-5, PE-3, SC-36, SI-13.
5339 Control Enhancements:
5340 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE
5341 Identify an alternate storage site that is sufficiently separated from the primary storage
5342 site to reduce susceptibility to the same threats.
5343 Discussion: Threats that affect alternate storage sites are defined in organizational risk
5344 assessments and include natural disasters, structural failures, hostile attacks, and errors of
5345 omission or commission. Organizations determine what is considered a sufficient degree of
5346 separation between primary and alternate storage sites based on the types of threats that
5347 are of concern. For threats such as hostile attacks, the degree of separation between sites is
5348 less relevant.
5349 Related Controls: RA-3.
5350 (2) ALTERNATE STORAGE SITE | RECOVERY TIME AND RECOVERY POINT OBJECTIVES
5351 Configure the alternate storage site to facilitate recovery operations in accordance with
5352 recovery time and recovery point objectives.
5353 Discussion: Organizations establish recovery time and recovery point objectives as part of
5354 contingency planning. Configuration of the alternate storage site includes physical facilities
5355 and the systems supporting recovery operations ensuring accessibility and correct execution.
5356 Related Controls: None.
5357 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY
5358 Identify potential accessibility problems to the alternate storage site in the event of an
5359 area-wide disruption or disaster and outline explicit mitigation actions.
5360 Discussion: Area-wide disruptions refer to those types of disruptions that are broad in
5361 geographic scope with such determinations made by organizations based on organizational
5362 assessments of risk. Explicit mitigation actions include duplicating backup information at
5363 other alternate storage sites if access problems occur at originally designated alternate sites;
5364 or planning for physical access to retrieve backup information if electronic accessibility to
5365 the alternate site is disrupted.
5366 Related Controls: RA-3.
5367 References: [SP 800-34].

CHAPTER THREE PAGE 118

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5368 CP-7 ALTERNATE PROCESSING SITE

5369 Control:
5370 a. Establish an alternate processing site, including necessary agreements to permit the transfer
5371 and resumption of [Assignment: organization-defined system operations] for essential
5372 missions and business functions within [Assignment: organization-defined time-period
5373 consistent with recovery time and recovery point objectives] when the primary processing
5374 capabilities are unavailable;
5375 b. Make available at the alternate processing site, the equipment and supplies required to
5376 transfer and resume operations or put contracts in place to support delivery to the site
5377 within the organization-defined time-period for transfer and resumption; and
5378 c. Provide controls at the alternate processing site that are equivalent to those at the primary
5379 site.
5380 Discussion: Alternate processing sites are sites that are geographically distinct from primary
5381 processing sites and provide processing capability if the primary processing site is not available.
5382 The alternate processing capability may be addressed using a physical processing site or other
5383 alternatives such as failover to a cloud-based service provider or other internally- or externally-
5384 provided processing service. Geographically distributed architectures that support contingency
5385 requirements may also be considered as alternate processing sites. Controls that are covered by
5386 alternate processing site agreements include the environmental conditions at alternate sites;
5387 access rules; physical and environmental protection requirements; and the coordination for the
5388 transfer and assignment of personnel. Requirements are specifically allocated to alternate
5389 processing sites that reflect the requirements in contingency plans to maintain essential missions
5390 and business functions despite disruption, compromise, or failure in organizational systems.
5391 Related Controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6, PE-3, PE-11, PE-12, PE-17, SC-36, SI-13.
5392 Control Enhancements:
5393 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE
5394 Identify an alternate processing site that is sufficiently separated from the primary
5395 processing site to reduce susceptibility to the same threats.
5396 Discussion: Threats that affect alternate processing sites are defined in organizational
5397 assessments of risk and include natural disasters, structural failures, hostile attacks, and
5398 errors of omission or commission. Organizations determine what is considered a sufficient
5399 degree of separation between primary and alternate processing sites based on the types of
5400 threats that are of concern. For threats such as hostile attacks, the degree of separation
5401 between sites is less relevant.
5402 Related Controls: RA-3.
5403 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY
5404 Identify potential accessibility problems to alternate processing sites in the event of an
5405 area-wide disruption or disaster and outlines explicit mitigation actions.
5406 Discussion: Area-wide disruptions refer to those types of disruptions that are broad in
5407 geographic scope with such determinations made by organizations based on organizational
5408 assessments of risk.
5409 Related Controls: RA-3.
5410 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE
5411 Develop alternate processing site agreements that contain priority-of-service provisions in
5412 accordance with availability requirements (including recovery time objectives).

CHAPTER THREE PAGE 119

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5413 Discussion: Priority-of-service agreements refer to negotiated agreements with service

5414 providers that ensure that organizations receive priority treatment consistent with their
5415 availability requirements and the availability of information resources for logical alternate
5416 processing and/or at the physical alternate processing site. Organizations establish recovery
5417 time objectives as part of contingency planning.
5418 Related Controls: None.
5419 (4) ALTERNATE PROCESSING SITE | PREPARATION FOR USE
5420 Prepare the alternate processing site so that the site can serve as the operational site
5421 supporting essential missions and business functions.
5422 Discussion: Site preparation includes establishing configuration settings for systems at the
5423 alternate processing site consistent with the requirements for such settings at the primary
5424 site and ensuring that essential supplies and logistical considerations are in place.
5425 Related Controls: CM-2, CM-6, CP-4.
5426 (5) ALTERNATE PROCESSING SITE | EQUIVALENT INFORMATION SECURITY SAFEGUARDS
5427 [Withdrawn: Incorporated into CP-7.]
5428 (6) ALTERNATE PROCESSING SITE | INABILITY TO RETURN TO PRIMARY SITE
5429 Plan and prepare for circumstances that preclude returning to the primary processing site.
5430 Discussion: There may be situations that preclude an organization from returning to the
5431 primary processing site. This can occur, for example, if a natural disaster such as a flood or a
5432 hurricane damaged or destroyed a facility and it was determined that rebuilding in the same
5433 location was not prudent.
5434 Related Controls: None.
5435 References: [SP 800-34].

5436 CP-8 TELECOMMUNICATIONS SERVICES

5437 Control: Establish alternate telecommunications services, including necessary agreements to
5438 permit the resumption of [Assignment: organization-defined system operations] for essential
5439 missions and business functions within [Assignment: organization-defined time-period] when the
5440 primary telecommunications capabilities are unavailable at either the primary or alternate
5441 processing or storage sites.
5442 Discussion: This control applies to telecommunications services (for data and voice) for primary
5443 and alternate processing and storage sites. Alternate telecommunications services reflect the
5444 continuity requirements in contingency plans to maintain essential missions and business
5445 functions despite the loss of primary telecommunications services. Organizations may specify
5446 different time-periods for primary or alternate sites. Alternate telecommunications services
5447 include additional organizational or commercial ground-based circuits or lines or the use of
5448 satellites in lieu of ground-based communications. Organizations consider factors such as
5449 availability, quality of service, and access when entering into alternate telecommunications
5450 agreements.
5451 Related Controls: CP-2, CP-6, CP-7, CP-11, SC-7.
5452 Control Enhancements:
5453 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS
5454 (a) Develop primary and alternate telecommunications service agreements that contain
5455 priority-of-service provisions in accordance with availability requirements (including
5456 recovery time objectives); and

CHAPTER THREE PAGE 120

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5457 (b) Request Telecommunications Service Priority for all telecommunications services used
5458 for national security emergency preparedness if the primary and/or alternate
5459 telecommunications services are provided by a common carrier.
5460 Discussion: Organizations consider the potential mission or business impact in situations
5461 where telecommunications service providers are servicing other organizations with similar
5462 priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal
5463 Communications Commission (FCC) program that directs telecommunications service
5464 providers (e.g., wireline and wireless phone companies) to give preferential treatment to
5465 users enrolled in the program when they need to add new lines or have their lines restored
5466 following a disruption of service, regardless of the cause. The FCC sets the rules and policies
5467 for the TSP program and the Department of Homeland Security, manages the TSP program.
5468 The TSP program is always in effect and not contingent on a major disaster or attack taking
5469 place. Federal sponsorship is required to enroll in the TSP program.
5470 Related Controls: None.
5471 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE
5472 Obtain alternate telecommunications services to reduce the likelihood of sharing a single
5473 point of failure with primary telecommunications services.
5474 Discussion: In certain circumstances, telecommunications service providers or services may
5475 share the same physical lines, which increases the vulnerability of a single failure point. It is
5476 important to have provider transparency for the actual physical transmission capability for
5477 telecommunication services.
5478 Related Controls: None.
5479 (3) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY AND ALTERNATE PROVIDERS
5480 Obtain alternate telecommunications services from providers that are separated from
5481 primary service providers to reduce susceptibility to the same threats.
5482 Discussion: Threats that affect telecommunications services are defined in organizational
5483 assessments of risk and include natural disasters, structural failures, cyber or physical
5484 attacks, and errors of omission or commission. Organizations can reduce common
5485 susceptibilities by minimizing shared infrastructure among telecommunications service
5486 providers and achieving sufficient geographic separation between services. Organizations
5487 may consider using a single service provider in situations where the service provider can
5488 provide alternate telecommunications services meeting the separation needs addressed in
5489 the risk assessment.
5490 Related Controls: None.
5491 (4) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN
5492 (a) Require primary and alternate telecommunications service providers to have
5493 contingency plans;
5494 (b) Review provider contingency plans to ensure that the plans meet organizational
5495 contingency requirements; and
5496 (c) Obtain evidence of contingency testing and training by providers [Assignment:
5497 organization-defined frequency].
5498 Discussion: Reviews of provider contingency plans consider the proprietary nature of such
5499 plans. In some situations, a summary of provider contingency plans may be sufficient
5500 evidence for organizations to satisfy the review requirement. Telecommunications service
5501 providers may also participate in ongoing disaster recovery exercises in coordination with
5502 the Department of Homeland Security, state, and local governments. Organizations may use

CHAPTER THREE PAGE 121

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5503 these types of activities to satisfy evidentiary requirements related to service provider
5504 contingency plan reviews, testing, and training.
5505 Related Controls: CP-3, CP-4.
5506 (5) TELECOMMUNICATIONS SERVICES | ALTERNATE TELECOMMUNICATION SERVICE TESTING
5507 Test alternate telecommunication services [Assignment: organization-defined frequency].
5508 Discussion: Alternate telecommunications services testing is arranged through contractual
5509 agreements with service providers. The testing may occur in parallel with normal operations
5510 to ensure there is no degradation in organizational missions or functions.
5511 Related Controls: CP-3.
5512 References: [SP 800-34].

5513 CP-9 SYSTEM BACKUP

5514 Control:
5515 a. Conduct backups of user-level information contained in [Assignment: organization-defined
5516 system components] [Assignment: organization-defined frequency consistent with recovery
5517 time and recovery point objectives];
5518 b. Conduct backups of system-level information contained in the system [Assignment:
5519 organization-defined frequency consistent with recovery time and recovery point objectives];
5520 c. Conduct backups of system documentation, including security and privacy-related
5521 documentation [Assignment: organization-defined frequency consistent with recovery time
5522 and recovery point objectives]; and
5523 d. Protect the confidentiality, integrity, and availability of backup information.
5524 Discussion: System-level information includes system state information, operating system
5525 software, middleware, application software, and licenses. User-level information includes
5526 information other than system-level information. Mechanisms employed to protect the integrity
5527 of system backups include digital signatures and cryptographic hashes. Protection of backup
5528 information while in transit is outside the scope of this control. System backups reflect the
5529 requirements in contingency plans as well as other organizational requirements for backing up
5530 information. Organizations may be subject to laws, executive orders, directives, regulations, or
5531 policies with requirements regarding specific categories of information (e.g., personal health
5532 information). Organizational personnel consult with the senior agency official for privacy and
5533 legal counsel regarding such requirements.
5534 Related Controls: CP-2, CP-6, CP-10, MP-4, MP-5, SC-13, SI-4, SI-13.
5535 Control Enhancements:
5536 (1) SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY
5537 Test backup information [Assignment: organization-defined frequency] to verify media
5538 reliability and information integrity.
5539 Discussion: Organizations need assurance that backup information can be reliably retrieved.
5540 Reliability pertains to the systems and system components where the backup information is
5541 stored, the operations used to retrieve the information, and the integrity of the information
5542 being retrieved. Independent and specialized tests can be used for each of the aspects of
5543 reliability. For example, decrypting and transporting (or transmitting) a random sample of
5544 backup files from the alternate storage or backup site and comparing the information to the
5545 same information at the primary processing site can provide such assurance.
5546 Related Controls: CP-4.

CHAPTER THREE PAGE 122

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5547 (2) SYSTEM BACKUP | TEST RESTORATION USING SAMPLING

5548 Use a sample of backup information in the restoration of selected system functions as part
5549 of contingency plan testing.
5550 Discussion: Organizations need assurance that system functions can be restored correctly
5551 and can support established organizational missions. To ensure that the selected system
5552 functions are thoroughly exercised during contingency plan testing, a sample of backup
5553 information is used to determine if the functions operate as intended. Organizations can
5554 determine the sample size for the functions and backup information based on the level of
5555 assurance needed.
5556 Related Controls: CP-4.
5557 (3) SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
5558 Store backup copies of [Assignment: organization-defined critical system software and
5559 other security-related information] in a separate facility or in a fire-rated container that is
5560 not collocated with the operational system.
5561 Discussion: Separate storage for critical information applies to all critical information
5562 regardless of the type of backup storage media. Critical system software includes operating
5563 systems, middleware, cryptographic key management systems, and intrusion detection
5564 systems. Security-related information includes inventories of system hardware, software,
5565 and firmware components. Alternate storage sites, including geographically distributed
5566 architectures, serve as separate storage facilities for organizations. Organizations may
5567 provide separate storage by implementing automated backup processes at alternative
5568 storage sites (e.g., data centers). The General Services Administration (GSA) establishes
5569 standards and specifications for security and fire-rated containers.
5570 Related Controls: CM-2, CM-6, CM-8.
5571 (4) SYSTEM BACKUP | PROTECTION FROM UNAUTHORIZED MODIFICATION
5572 [Withdrawn: Incorporated into CP-9.]
5573 (5) SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE
5574 Transfer system backup information to the alternate storage site [Assignment:
5575 organization-defined time-period and transfer rate consistent with the recovery time and
5576 recovery point objectives].
5577 Discussion: System backup information can be transferred to alternate storage sites either
5578 electronically or by physical shipment of storage media.
5579 Related Controls: CP-7, MP-3, MP-4, MP-5.
5580 (6) SYSTEM BACKUP | REDUNDANT SECONDARY SYSTEM
5581 Conduct system backup by maintaining a redundant secondary system that is not
5582 collocated with the primary system and that can be activated without loss of information
5583 or disruption to operations.
5584 Discussion: The effect of system backup can be achieved by maintaining a redundant
5585 secondary system that mirrors the primary system, including the replication of information.
5586 If this type of redundancy is in place and there is sufficient geographic separation between
5587 the two systems, the secondary system can also serve as the alternate processing site.
5588 Related Controls: CP-7.
5589 (7) SYSTEM BACKUP | DUAL AUTHORIZATION
5590 Enforce dual authorization for the deletion or destruction of [Assignment: organization-
5591 defined backup information].

CHAPTER THREE PAGE 123

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5592 Discussion: Dual authorization ensures that deletion or destruction of backup information
5593 cannot occur unless two qualified individuals carry out the task. Individuals deleting or
5594 destroying backup information possess the skills or expertise to determine if the proposed
5595 deletion or destruction of information reflects organizational policies and procedures. Dual
5596 authorization may also be known as two-person control. To reduce the risk of collusion,
5597 organizations consider rotating dual authorization duties to other individuals.
5598 Related Controls: AC-3, AC-5, MP-2.
5599 (8) SYSTEM BACKUP | CRYPTOGRAPHIC PROTECTION
5600 Implement cryptographic mechanisms to prevent unauthorized disclosure and
5601 modification of [Assignment: organization-defined backup information].
5602 Discussion: The selection of cryptographic mechanisms is based on the need to protect the
5603 confidentiality and integrity of backup information. The strength of mechanisms selected is
5604 commensurate with the security category or classification of the information. This control
5605 enhancement applies to system backup information in storage at primary and alternate
5606 locations. Organizations implementing cryptographic mechanisms to protect information at
5607 rest also consider cryptographic key management solutions.
5608 Related Controls: SC-12, SC-13, SC-28.
5609 References: [FIPS 140-3]; [FIPS 186-4]; [SP 800-34]; [SP 800-130]; [SP 800-152].

5610 CP-10 SYSTEM RECOVERY AND RECONSTITUTION

5611 Control: Provide for the recovery and reconstitution of the system to a known state within
5612 [Assignment: organization-defined time-period consistent with recovery time and recovery point
5613 objectives] after a disruption, compromise, or failure.
5614 Discussion: Recovery is executing contingency plan activities to restore organizational missions
5615 and business functions. Reconstitution takes place following recovery and includes activities for
5616 returning systems to fully operational states. Recovery and reconstitution operations reflect
5617 mission and business priorities, recovery point, recovery time, and reconstitution objectives, and
5618 organizational metrics consistent with contingency plan requirements. Reconstitution includes
5619 the deactivation of interim system capabilities that may have been needed during recovery
5620 operations. Reconstitution also includes assessments of fully restored system capabilities,
5621 reestablishment of continuous monitoring activities, system reauthorization (if required), and
5622 activities to prepare the system and organization for future disruptions, breaches, compromises,
5623 or failures. Recovery and reconstitution capabilities can include automated mechanisms and
5624 manual procedures. Organizations establish recovery time and recovery point objectives as part
5625 of contingency planning.
5626 Related Controls: CP-2, CP-4, CP-6, CP-7, CP-9, IR-4, SA-8, SC-24, SI-13.
5627 Control Enhancements:
5628 (1) SYSTEM RECOVERY AND RECONSTITUTION | CONTINGENCY PLAN TESTING
5629 [Withdrawn: Incorporated into CP-4.]
5630 (2) SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY
5631 Implement transaction recovery for systems that are transaction-based.
5632 Discussion: Transaction-based systems include database management systems and
5633 transaction processing systems. Mechanisms supporting transaction recovery include
5634 transaction rollback and transaction journaling.
5635 Related Controls: None.

CHAPTER THREE PAGE 124

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5636 (3) SYSTEM RECOVERY AND RECONSTITUTION | COMPENSATING SECURITY CONTROLS

5637 [Withdrawn: Addressed through tailoring procedures.]
5638 (4) SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME-PERIOD
5639 Provide the capability to restore system components within [Assignment: organization-
5640 defined restoration time-periods] from configuration-controlled and integrity-protected
5641 information representing a known, operational state for the components.
5642 Discussion: Restoration of system components includes reimaging which restores the
5643 components to known, operational states.
5644 Related Controls: CM-2, CM-6.
5645 (5) SYSTEM RECOVERY AND RECONSTITUTION | FAILOVER CAPABILITY
5646 [Withdrawn: Incorporated into SI-13.]
5647 (6) SYSTEM RECOVERY AND RECONSTITUTION | COMPONENT PROTECTION
5648 Protect system components used for recovery and reconstitution.
5649 Discussion: Protection of system recovery and reconstitution components (i.e., hardware,
5650 firmware, and software) includes physical and technical controls. Backup and restoration
5651 components used for recovery and reconstitution include router tables, compilers, and other
5652 system software.
5653 Related Controls: AC-3, AC-6, MP-2, MP-4, PE-3, PE-6.
5654 References: [SP 800-34].

5655 CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS

5656 Control: Provide the capability to employ [Assignment: organization-defined alternative
5657 communications protocols] in support of maintaining continuity of operations.
5658 Discussion: Contingency plans and the contingency training or testing associated with those
5659 plans, incorporate an alternate communications protocol capability as part of establishing
5660 resilience in organizational systems. Switching communications protocols may affect software
5661 applications and operational aspects of systems. Organizations assess the potential side effects
5662 of introducing alternate communications protocols prior to implementation.
5663 Related Controls: CP-2, CP-8, CP-13.
5664 Control Enhancements: None.
5665 References: None.

5666 CP-12 SAFE MODE

5667 Control: When [Assignment: organization-defined conditions] are detected, enter a safe mode of
5668 operation with [Assignment: organization-defined restrictions of safe mode of operation].
5669 Discussion: For systems supporting critical missions and business functions, including military
5670 operations, civilian space operations, nuclear power plant operations, and air traffic control
5671 operations (especially real-time operational environments), organizations can identify certain
5672 conditions under which those systems revert to a predefined safe mode of operation. The safe
5673 mode of operation, which can be activated either automatically or manually, restricts the
5674 operations systems can execute when those conditions are encountered. Restriction includes
5675 allowing only selected functions to execute that can be carried out under limited power or with
5676 reduced communications bandwidth.
5677 Related Controls: CM-2, SA-8, SC-24, SI-13, SI-17.

CHAPTER THREE PAGE 125

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5678 Control Enhancements: None.

5679 References: None.

5680 CP-13 ALTERNATIVE SECURITY MECHANISMS

5681 Control: Employ [Assignment: organization-defined alternative or supplemental security
5682 mechanisms] for satisfying [Assignment: organization-defined security functions] when the
5683 primary means of implementing the security function is unavailable or compromised.
5684 Discussion: Use of alternative security mechanisms supports system resiliency, contingency
5685 planning, and continuity of operations. To ensure mission and business continuity, organizations
5686 can implement alternative or supplemental security mechanisms. The mechanisms may be less
5687 effective than the primary mechanisms. However, having the capability to readily employ
5688 alternative or supplemental mechanisms enhances mission and business continuity that might
5689 otherwise be adversely impacted if operations had to be curtailed until the primary means of
5690 implementing the functions was restored. Given the cost and level of effort required to provide
5691 such alternative capabilities, the alternative or supplemental mechanisms are typically applied
5692 only to critical security capabilities provided by systems, system components, or system services.
5693 For example, an organization may issue to senior executives and system administrators one-time
5694 pads if multifactor tokens, the standard means for secure remote authentication, is
5695 compromised.
5696 Related Controls: CP-2, CP-11, SI-13.
5697 Control Enhancements: None.
5698 References: None.

5699 CP-14 SELF-CHALLENGE

5700 Control: Employ [Assignment: organization-defined autonomous service] to [Assignment:
5701 organization-defined system or system components] to affect the system or system components
5702 in an adverse manner.
5703 Discussion: Often the best means of assessing the effectiveness of the controls implemented
5704 within a system and the system resilience is to disrupt it in some manner. The autonomous
5705 service selected and implemented by the organization could disrupt system services in many
5706 ways, including terminating or disabling key system components, changing the configuration of
5707 system elements, altering privileges, or degrading critical functionality (e.g., restricting network
5708 bandwidth). Such automated, on-going, simulated cyber-attacks and service disruptions can
5709 reveal unexpected functional dependencies and help the organization determine its ability to
5710 ensure resilience in the face of an actual cyber-attack.
5711 Related Controls: None.
5712 Control Enhancements: None.
5713 References: [SP 800-160 v2].

CHAPTER THREE PAGE 126

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5714 3.7 IDENTIFICATION AND AUTHENTICATION

5715 Quick link to Identification and Authentication summary table

5716 IA-1 POLICY AND PROCEDURES

5717 Control:
5718 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
5719 roles]:
5720 1. [Selection (one or more): organization-level; mission/business process-level; system-
5721 level] identification and authentication policy that:
5722 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
5723 coordination among organizational entities, and compliance; and
5724 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
5725 standards, and guidelines; and
5726 2. Procedures to facilitate the implementation of the identification and authentication
5727 policy and the associated identification and authentication controls;
5728 b. Designate an [Assignment: organization-defined official] to manage the development,
5729 documentation, and dissemination of the identification and authentication policy and
5730 procedures; and
5731 c. Review and update the current identification and authentication:
5732 1. Policy [Assignment: organization-defined frequency]; and
5733 2. Procedures [Assignment: organization-defined frequency].
5734 Discussion: This control addresses policy and procedures for the controls in the IA family
5735 implemented within systems and organizations. The risk management strategy is an important
5736 factor in establishing such policies and procedures. Policies and procedures help provide security
5737 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
5738 on their development. Security and privacy program policies and procedures at the organization
5739 level are preferable, in general, and may obviate the need for system-specific policies and
5740 procedures. The policy can be included as part of the general security and privacy policy or can
5741 be represented by multiple policies reflecting the complex nature of organizations. Procedures
5742 can be established for security and privacy programs and for systems, if needed. Procedures
5743 describe how the policies or controls are implemented and can be directed at the individual or
5744 role that is the object of the procedure. Procedures can be documented in system security and
5745 privacy plans or in one or more separate documents. Restating controls does not constitute an
5746 organizational policy or procedure.
5747 Related Controls: AC-1, PM-9, PS-8, SI-12.
5748 Control Enhancements: None.
5749 References: [OMB A-130]; [FIPS 201-2]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-63-3]; [SP
5750 800-73-4]; [SP 800-76-2]; [SP 800-78-4]; [SP 800-100]; [IR 7874].

5751 IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

5752 Control: Uniquely identify and authenticate organizational users and associate that unique
5753 identification with processes acting on behalf of those users.

CHAPTER THREE PAGE 127

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5754 Discussion: Organizations can satisfy the identification and authentication requirements by
5755 complying with the requirements in [HSPD 12]. Organizational users include employees or
5756 individuals that organizations consider having equivalent status of employees (e.g., contractors
5757 and guest researchers). Unique identification and authentication of users applies to all accesses
5758 other than accesses that are explicitly identified in AC-14 and that occur through the authorized
5759 use of group authenticators without individual authentication. Since processes execute on behalf
5760 of groups and roles, organizations may require unique identification of individuals in group
5761 accounts or for detailed accountability of individual activity.
5762 Organizations employ passwords, physical authenticators, or biometrics to authenticate user
5763 identities, or in the case of multifactor authentication, some combination thereof. Access to
5764 organizational systems is defined as either local access or network access. Local access is any
5765 access to organizational systems by users or processes acting on behalf of users, where access is
5766 obtained through direct connections without the use of networks. Network access is access to
5767 organizational systems by users (or processes acting on behalf of users) where access is obtained
5768 through network connections (i.e., nonlocal accesses). Remote access is a type of network access
5769 that involves communication through external networks. Internal networks include local area
5770 networks and wide area networks.
5771 The use of encrypted virtual private networks for network connections between organization-
5772 controlled endpoints and non-organization-controlled endpoints may be treated as internal
5773 networks with respect to protecting the confidentiality and integrity of information traversing
5774 the network. Identification and authentication requirements for non-organizational users are
5775 described in IA-8.
5776 Related Controls: AC-2, AC-3, AC-4, AC-14, AC-17, AC-18, AU-1, AU-6, IA-4, IA-5, IA-8, MA-4, MA-
5777 5, PE-2, PL-4, SA-4, SA-8.
5778 Control Enhancements:
5779 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | MULTIFACTOR AUTHENTICATION
5780 TO PRIVILEGED ACCOUNTS
5781 Implement multifactor authentication for access to privileged accounts.
5782 Discussion: Multifactor authentication requires the use of two or more different factors to
5783 achieve authentication. The authentication factors are defined as follows: something you
5784 know (e.g., a personal identification number (PIN)); something you have (e.g., a physical
5785 authenticator or cryptographic private key stored in hardware or software); or something
5786 you are (e.g., a biometric). Multifactor authentication solutions that feature physical
5787 authenticators include hardware authenticators providing time-based or challenge-response
5788 authenticators and smart cards such as the U.S. Government Personal Identity Verification
5789 card or the DoD Common Access Card. In addition to authenticating users at the system level
5790 (i.e., at logon), organizations may also employ authentication mechanisms at the application
5791 level, at their discretion, to provide increased information security. Regardless of the type of
5792 access (i.e., local, network, remote), privileged accounts are authenticated using multifactor
5793 options appropriate for the level of risk. Organizations can add additional security measures,
5794 such as additional or more rigorous authentication mechanisms, for specific types of access.
5795 Related Controls: AC-5, AC-6.
5796 (2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | MULTIFACTOR AUTHENTICATION
5797 TO NON-PRIVILEGED ACCOUNTS
5798 Implement multifactor authentication for access to non-privileged accounts.
5799 Discussion: Multifactor authentication requires the use of two or more different factors to
5800 achieve authentication. The authentication factors are defined as follows: something you
5801 know (e.g., a personal identification number (PIN)); something you have (e.g., a physical

CHAPTER THREE PAGE 128

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5802 authenticator or cryptographic private key stored in hardware or software); or something

5803 you are (e.g., a biometric). Multifactor authentication solutions that feature physical
5804 authenticators include hardware authenticators providing time-based or challenge-response
5805 authenticators and smart cards such as the U.S. Government Personal Identity Verification
5806 card or the DoD Common Access Card. In addition to authenticating users at the system
5807 level, organizations may also employ authentication mechanisms at the application level, at
5808 their discretion, to provide increased information security. Regardless of the type of access,
5809 privileged accounts are authenticated using multifactor options appropriate for the level of
5810 risk. Organizations can provide additional security measures, such as additional or more
5811 rigorous authentication mechanisms, for specific types of access.
5812 Related Controls: AC-5.
5813 (3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED
5814 ACCOUNTS
5815 [Withdrawn: Incorporated into IA-2(1).]
5816 (4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO NON-
5817 PRIVILEGED ACCOUNTS
5818 [Withdrawn: Incorporated into IA-2(2).]
5819 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | INDIVIDUAL AUTHENTICATION
5820 WITH GROUP AUTHENTICATION
5821 When shared accounts or authenticators are employed, require users to be individually
5822 authenticated before granting access to the shared accounts or resources.
5823 Discussion: Individual authentication prior to shared group authentication helps to mitigate
5824 the risk of using group accounts or authenticators.
5825 Related Controls: None.
5826 (6) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO ACCOUNTS —
5827 SEPARATE DEVICE
5828 Implement multifactor authentication for [Selection (one or more): local; network; remote]
5829 access to [Selection (one or more): privileged accounts; non-privileged accounts] such that:
5830 (a) One of the factors is provided by a device separate from the system gaining access;
5831 and
5832 (b) The device meets [Assignment: organization-defined strength of mechanism
5833 requirements].
5834 Discussion: The purpose of requiring a device that is separate from the system to which the
5835 user is attempting to gain access for one of the factors during multifactor authentication is
5836 to reduce the likelihood of compromising authentication credentials stored on the system.
5837 Adversaries may be able to compromise credentials stored on the system and subsequently
5838 impersonate authorized users. Implementing one of the factors in multifactor authentication
5839 (e.g., a hardware token) on a separate device, provides a greater strength of mechanism and
5840 an increased level of assurance in the authentication process.
5841 Related Controls: AC-6.
5842 (7) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO NON-PRIVILEGED
5843 ACCOUNTS — SEPARATE DEVICE
5844 [Withdrawn: Incorporated into IA-2(6).]

CHAPTER THREE PAGE 129

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5845 (8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO ACCOUNTS —

5846 REPLAY RESISTANT
5847 Implement replay-resistant authentication mechanisms for access to [Selection (one or
5848 more): privileged accounts; non-privileged accounts].
5849 Discussion: Authentication processes resist replay attacks if it is impractical to achieve
5850 successful authentications by replaying previous authentication messages. Replay-resistant
5851 techniques include protocols that use nonces or challenges such as time synchronous or
5852 challenge-response one-time authenticators.
5853 Related Controls: None.
5854 (9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-
5855 PRIVILEGED ACCOUNTS — REPLAY RESISTANT
5856 [Withdrawn: Incorporated into IA-2(8).]
5857 (10) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | SINGLE SIGN-ON
5858 Provide a single sign-on capability for [Assignment: organization-defined system accounts
5859 and services].
5860 Discussion: Single sign-on enables users to log in once and gain access to multiple system
5861 resources. Organizations consider the operational efficiencies provided by single sign-on
5862 capabilities with the risk introduced by allowing access to multiple systems via a single
5863 authentication event. Single sign-on can present opportunities to improve system security,
5864 for example by providing the ability to add multifactor authentication for applications and
5865 systems (existing and new) that may not be able to natively support multifactor
5866 authentication.
5867 Related Controls: None.
5868 (11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS — SEPARATE
5869 DEVICE
5870 [Withdrawn: Incorporated into IA-2(6).]
5871 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV
5872 CREDENTIALS
5873 Accept and electronically verify Personal Identity Verification-compliant credentials.
5874 Discussion: Acceptance of Personal Identity Verification (PIV)-compliant credentials applies
5875 to organizations implementing logical access control and physical access control systems.
5876 PIV-compliant credentials are those credentials issued by federal agencies that conform to
5877 FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV
5878 card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials
5879 includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD
5880 Common Access Card (CAC) is an example of a PIV credential.
5881 Related Controls: None.
5882 (13) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | OUT-OF-BAND
5883 AUTHENTICATION
5884 Implement the following out-of-band authentication mechanisms under [Assignment:
5885 organization-defined conditions]: [Assignment: organization-defined out-of-band
5886 authentication].
5887 Discussion: Out-of-band authentication refers to the use of two separate communication
5888 paths to identify and authenticate users or devices to an information system. The first path
5889 (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is
5890 the path through which information flows. The second path (i.e., the out-of-band path) is

CHAPTER THREE PAGE 130

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5891 used to independently verify the authentication and/or requested action. For example, a
5892 user authenticates via a notebook computer to a remote server to which the user desires
5893 access and requests some action of the server via that communication path. Subsequently,
5894 the server contacts the user via the user’s cell phone to verify that the requested action
5895 originated from the user. The user may confirm the intended action to an individual on the
5896 telephone or provide an authentication code via the telephone. Out-of-band authentication
5897 can be used to mitigate actual or suspected man-in the-middle attacks. The conditions or
5898 criteria for activation can include suspicious activities, new threat indicators or elevated
5899 threat levels, or the impact or classification level of information in requested transactions.
5900 Related Controls: IA-10, IA-11, SC-37.
5901 References: [FIPS 140-3]; [FIPS 201-2]; [FIPS 202]; [SP 800-63-3]; [SP 800-73-4]; [SP 800-76-2];
5902 [SP 800-78-4]; [SP 800-79-2]; [SP 800-156]; [SP 800-166]; [IR 7539]; [IR 7676]; [IR 7817]; [IR
5903 7849]; [IR 7870]; [IR 7874]; [IR 7966].

5904 IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

5905 Control: Uniquely identify and authenticate [Assignment: organization-defined devices and/or
5906 types of devices] before establishing a [Selection (one or more): local; remote; network]
5907 connection.
5908 Discussion: Devices that require unique device-to-device identification and authentication are
5909 defined by type, by device, or by a combination of type and device. Organization-defined device
5910 types can include devices that are not owned by the organization. Systems use shared known
5911 information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol
5912 [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE
5913 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer
5914 Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide
5915 area networks. Organizations determine the required strength of authentication mechanisms
5916 based on the security categories of systems and mission or business requirements. Because of
5917 the challenges of implementing device authentication on large scale, organizations can restrict
5918 the application of the control to a limited number (and type) of devices based on need.
5919 Related Controls: AC-17, AC-18, AC-19, AU-6, CA-3, CA-9, IA-4, IA-5, IA-9, IA-11, SI-4.
5920 Control Enhancements:
5921 (1) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
5922 Authenticate [Assignment: organization-defined devices and/or types of devices] before
5923 establishing [Selection (one or more): local; remote; network] connection using
5924 bidirectional authentication that is cryptographically based.
5925 Discussion: A local connection is any connection with a device communicating without the
5926 use of a network. A network connection is any connection with a device that communicates
5927 through a network. A remote connection is any connection with a device communicating
5928 through an external network. Bidirectional authentication provides stronger protection to
5929 validate the identity of other devices for connections that are of greater risk.
5930 Related Controls: SC-8, SC-12, SC-13.
5931 (2) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL NETWORK
5932 AUTHENTICATION
5933 [Withdrawn: Incorporated into IA-3(1).]

CHAPTER THREE PAGE 131

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5934 (3) DEVICE IDENTIFICATION AND AUTHENTICATION | DYNAMIC ADDRESS ALLOCATION

5935 (a) Where addresses are allocated dynamically, standardize dynamic address allocation
5936 lease information and the lease duration assigned to devices in accordance with
5937 [Assignment: organization-defined lease information and lease duration]; and
5938 (b) Audit lease information when assigned to a device.
5939 Discussion: The Dynamic Host Configuration (DHCP) protocol is an example of a means by
5940 which clients can dynamically receive network address assignments.
5941 Related Controls: AU-2.
5942 (4) DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION
5943 Handle device identification and authentication based on attestation by [Assignment:
5944 organization-defined configuration management process].
5945 Discussion: Device attestation refers to the identification and authentication of a device
5946 based on its configuration and known operating state. Device attestation can be determined
5947 via a cryptographic hash of the device. If device attestation is the means of identification and
5948 authentication, then it is important that patches and updates to the device are handled via a
5949 configuration management process such that the patches and updates are done securely
5950 and at the same time do not disrupt the identification and authentication to other devices.
5951 Related Controls: CM-2, CM-3, CM-6.
5952 References: None.

5953 IA-4 IDENTIFIER MANAGEMENT

5954 Control: Manage system identifiers by:
5955 a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign
5956 an individual, group, role, service, or device identifier;
5957 b. Selecting an identifier that identifies an individual, group, role, service, or device;
5958 c. Assigning the identifier to the intended individual, group, role, service, or device; and
5959 d. Preventing reuse of identifiers for [Assignment: organization-defined time-period].
5960 Discussion: Common device identifiers include media access control (MAC), Internet Protocol
5961 (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not
5962 applicable to shared system accounts. Typically, individual identifiers are the user names of the
5963 system accounts assigned to those individuals. In such instances, the account management
5964 activities of AC-2 use account names provided by IA-4. Identifier management also addresses
5965 individual identifiers not necessarily associated with system accounts. Preventing the reuse of
5966 identifiers implies preventing the assignment of previously used individual, group, role, service,
5967 or device identifiers to different individuals, groups, roles, services, or devices.
5968 Related Controls: IA-2, IA-3, IA-5, IA-8, IA-9, MA-4, PE-2, PE-3, PE-4, PL-4, PM-12, PS-3, PS-4, PS-
5969 5, SC-37.
5970 Control Enhancements:
5971 (1) IDENTIFIER MANAGEMENT | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS
5972 Prohibit the use of system account identifiers that are the same as public identifiers for
5973 individual accounts.
5974 Discussion: This control enhancement applies to any publicly disclosed account identifier
5975 used for communication including, for example, electronic mail and instant messaging.
5976 Prohibiting the use of systems account identifiers that are the same as some public identifier
5977 such as the individual identifier section of an electronic mail address, makes it more difficult

CHAPTER THREE PAGE 132

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

5978 for adversaries to guess user identifiers. Prohibiting account identifiers as public identifiers
5979 without the implementation of other supporting controls only complicates guessing of
5980 identifiers. Additional protections are required for authenticators and attributes to protect
5981 the account.
5982 Related Controls: AT-2.
5983 (2) IDENTIFIER MANAGEMENT | SUPERVISOR AUTHORIZATION
5984 [Withdrawn: Incorporated into IA-12(1).]
5985 (3) IDENTIFIER MANAGEMENT | MULTIPLE FORMS OF CERTIFICATION
5986 [Withdrawn: Incorporated into IA-12(2).]
5987 (4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS
5988 Manage individual identifiers by uniquely identifying each individual as [Assignment:
5989 organization-defined characteristic identifying individual status].
5990 Discussion: Characteristics identifying the status of individuals include contractors and
5991 foreign nationals. Identifying the status of individuals by characteristics provides additional
5992 information about the people with whom organizational personnel are communicating. For
5993 example, it might be useful for a government employee to know that one of the individuals
5994 on an email message is a contractor.
5995 Related Controls: None.
5996 (5) IDENTIFIER MANAGEMENT | DYNAMIC MANAGEMENT
5997 Manage individual identifiers dynamically in accordance with [Assignment: organization-
5998 defined dynamic identifier policy].
5999 Discussion: In contrast to conventional approaches to identification that presume static
6000 accounts for preregistered users, many distributed systems establish identifiers at run time
6001 for entities that were previously unknown. When identifiers are established at runtime for
6002 previously unknown entities, organizations can anticipate and provision for the dynamic
6003 establishment of identifiers. Pre-established trust relationships and mechanisms with
6004 appropriate authorities to validate identities and related credentials are essential.
6005 Related Controls: AC-16.
6006 (6) IDENTIFIER MANAGEMENT | CROSS-ORGANIZATION MANAGEMENT
6007 Coordinate with the following external organizations for cross-organization management
6008 of identifiers: [Assignment: organization-defined external organizations].
6009 Discussion: Cross-organization identifier management provides the capability to identify
6010 individuals, groups, roles, or devices when conducting cross-organization activities involving
6011 the processing, storage, or transmission of information.
6012 Related Controls: AU-16, IA-2, IA-5.
6013 (7) IDENTIFIER MANAGEMENT | IN-PERSON REGISTRATION
6014 [Withdrawn: Incorporated into IA-12(4).]
6015 (8) IDENTIFIER MANAGEMENT | PAIRWISE PSEUDONYMOUS IDENTIFIERS
6016 Generate pairwise pseudonymous identifiers.
6017 Discussion: A pairwise pseudonymous identifier is an opaque unguessable subscriber
6018 identifier generated by an identify provider for use at a specific individual relying party.
6019 Generating distinct pairwise pseudonymous identifiers, with no identifying information
6020 about a subscriber, discourages subscriber activity tracking and profiling beyond the
6021 operational requirements established by an organization. The pairwise pseudonymous
6022 identifiers are unique to each relying party, except in situations where relying parties can

CHAPTER THREE PAGE 133

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6023 show a demonstrable relationship justifying an operational need for correlation, or all
6024 parties consent to being correlated in such a manner.
6025 Related Controls: IA-5.
6026 (9) IDENTIFIER MANAGEMENT | ATTRIBUTE MAINTENANCE AND PROTECTION
6027 Maintain the attributes for each uniquely identified individual, device, or service in
6028 [Assignment: organization-defined protected central storage].
6029 Discussion: For each of the entities covered in IA-2, IA-3, IA-8, and IA-9, it is important to
6030 maintain the attributes for each authenticated entity on an ongoing basis in a central
6031 (protected) store.
6032 Related Controls: None.
6033 References: [FIPS 201-2]; [SP 800-63-3]; [SP 800-73-4]; [SP 800-76-2]; [SP 800-78-4].

6034 IA-5 AUTHENTICATOR MANAGEMENT

6035 Control: Manage system authenticators by:
6036 a. Verifying, as part of the initial authenticator distribution, the identity of the individual,
6037 group, role, service, or device receiving the authenticator;
6038 b. Establishing initial authenticator content for any authenticators issued by the organization;
6039 c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
6040 d. Establishing and implementing administrative procedures for initial authenticator
6041 distribution, for lost or compromised or damaged authenticators, and for revoking
6042 authenticators;
6043 e. Establishing minimum and maximum lifetime restrictions and reuse conditions for
6044 authenticators;
6045 f. Changing default authenticators prior to first use;
6046 g. Changing or refreshing authenticators [Assignment: organization-defined time-period by
6047 authenticator type];
6048 h. Protecting authenticator content from unauthorized disclosure and modification;
6049 i. Requiring individuals to take, and having devices implement, specific controls to protect
6050 authenticators; and
6051 j. Changing authenticators for group or role accounts when membership to those accounts
6052 changes.
6053 Discussion: Authenticators include passwords, cryptographic devices, one-time password
6054 devices, and key cards. Device authenticators include certificates and passwords. Initial
6055 authenticator content is the actual content of the authenticator (e.g., the initial password). In
6056 contrast, the requirements about authenticator content contain specific characteristics or criteria
6057 (e.g., minimum password length). Developers may deliver system components with factory
6058 default authentication credentials to allow for initial installation and configuration. Default
6059 authentication credentials are often well known, easily discoverable, and present a significant
6060 security risk. The requirement to protect individual authenticators may be implemented via
6061 control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-
6062 6, and SC-28 for authenticators stored in organizational systems, including passwords stored in

CHAPTER THREE PAGE 134

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6063 hashed or encrypted formats or files containing encrypted or hashed passwords accessible with
6064 administrator privileges.
6065 Systems support authenticator management by organization-defined settings and restrictions for
6066 various authenticator characteristics (e.g., minimum password length, validation time window
6067 for time synchronous one-time tokens, and number of allowed rejections during the verification
6068 stage of biometric authentication). Actions can be taken to safeguard individual authenticators,
6069 including maintaining possession of authenticators; not sharing authenticators with others; and
6070 reporting lost, stolen, or compromised authenticators immediately. Authenticator management
6071 includes issuing and revoking authenticators for temporary access when no longer needed.
6072 Related Controls: AC-3, AC-6, CM-6, IA-2, IA-4, IA-7, IA-8, IA-9, MA-4, PE-2, PL-4.
6073 Control Enhancements:
6074 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
6075 For password-based authentication:
6076 (a) Maintain a list of commonly-used, expected, or compromised passwords and update
6077 the list [Assignment: organization-defined frequency] and when organizational
6078 passwords are suspected to have been compromised directly or indirectly;
6079 (b) Verify, when users create or update passwords, that the passwords are not found on
6080 the organization-defined list of commonly-used, expected, or compromised
6081 passwords;
6082 (c) Transmit only cryptographically-protected passwords;
6083 (d) Store passwords using an approved hash algorithm and salt, preferably using a keyed
6084 hash;
6085 (e) Require immediate selection of a new password upon account recovery;
6086 (f) Allow user selection of long passwords and passphrases, including spaces and all
6087 printable characters;
6088 (g) Employ automated tools to assist the user in selecting strong password
6089 authenticators; and
6090 (h) Enforce the following composition and complexity rules: [Assignment: organization-
6091 defined composition and complexity rules].
6092 Discussion: Password-based authentication applies to passwords regardless of whether they
6093 are used in single-factor or multifactor authentication. Long passwords or passphrases are
6094 preferable over shorter passwords. Enforced composition rules provide marginal security
6095 benefit while decreasing usability. However, organizations may choose to establish certain
6096 rules for password generation (e.g., minimum character length for long passwords) under
6097 certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can
6098 occur, for example, in situations when a password is forgotten. Cryptographically-protected
6099 passwords include salted one-way cryptographic hashes of passwords. The list of commonly-
6100 used, compromised, or expected passwords includes passwords obtained from previous
6101 breach corpuses, dictionary words, and repetitive or sequential characters. The list includes
6102 context specific words, for example, the name of the service, username, and derivatives
6103 thereof.
6104 Related Controls: IA-6.
6105 (2) AUTHENTICATOR MANAGEMENT | PUBLIC KEY-BASED AUTHENTICATION
6106 (a) For public key-based authentication:
6107 (1) Enforce authorized access to the corresponding private key; and
6108 (2) Map the authenticated identity to the account of the individual or group; and

CHAPTER THREE PAGE 135

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6109 (b) When public key infrastructure (PKI) is used:

6110 (1) Validate certificates by constructing and verifying a certification path to an
6111 accepted trust anchor, including checking certificate status information; and
6112 (2) Implement a local cache of revocation data to support path discovery and
6113 validation.
6114 Discussion: Public key cryptography is a valid authentication mechanism for individuals and
6115 machines or devices. When PKI is implemented, status information for certification paths
6116 includes certificate revocation lists or certificate status protocol responses. For PIV cards,
6117 certificate validation involves the construction and verification of a certification path to the
6118 Common Policy Root trust anchor which includes certificate policy processing. Implementing
6119 a local cache of revocation data to support path discovery and validation supports system
6120 availability in situations where organizations are unable to access revocation information via
6121 the network.
6122 Related Controls: IA-3, SC-17.
6123 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED EXTERNAL PARTY REGISTRATION
6124 [Withdrawn: Incorporated into IA-12(4).]
6125 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH
6126 DETERMINATION
6127 [Withdrawn: Incorporated into IA-5(1).]
6128 (5) AUTHENTICATOR MANAGEMENT | CHANGE AUTHENTICATORS PRIOR TO DELIVERY
6129 Require developers and installers of system components to provide unique authenticators
6130 or change default authenticators prior to delivery and installation.
6131 Discussion: Changing authenticators prior to delivery and installation of system components
6132 extends the requirement for organizations to change default authenticators upon system
6133 installation, by requiring developers and/or installers to provide unique authenticators or
6134 change default authenticators for system components prior to delivery and/or installation.
6135 However, it typically does not apply to developers of commercial off-the-shelf information
6136 technology products. Requirements for unique authenticators can be included in acquisition
6137 documents prepared by organizations when procuring systems or system components.
6138 Related Controls: None.
6139 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS
6140 Protect authenticators commensurate with the security category of the information to
6141 which use of the authenticator permits access.
6142 Discussion: For systems containing multiple security categories of information without
6143 reliable physical or logical separation between categories, authenticators used to grant
6144 access to the systems are protected commensurate with the highest security category of
6145 information on the systems. Security categories of information are determined as part of the
6146 security categorization process.
6147 Related Controls: RA-2.
6148 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
6149 Ensure that unencrypted static authenticators are not embedded in applications or
6150 other forms of static storage.
6151 Discussion: In addition to applications, other forms of static storage include access scripts
6152 and function keys. Organizations exercise caution in determining whether embedded or
6153 stored authenticators are in encrypted or unencrypted form. If authenticators are used in
6154 the manner stored, then those representations are considered unencrypted authenticators.

CHAPTER THREE PAGE 136

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6155 Related Controls: None.

6156 (8) AUTHENTICATOR MANAGEMENT | MULTIPLE SYSTEM ACCOUNTS
6157 Implement [Assignment: organization-defined security controls] to manage the risk of
6158 compromise due to individuals having accounts on multiple systems.
6159 Discussion: When individuals have accounts on multiple systems, there is the risk that a
6160 compromise of one account may lead to the compromise of other accounts if individuals use
6161 the same authenticators. Alternatives include having different authenticators on all systems;
6162 employing a single sign-on mechanism; or using some form of one-time passwords on all
6163 systems. Organizations can also use rules of behavior (see PL-4) and access agreements (see
6164 PS-6) to mitigate the risk of multiple system accounts.
6165 Related Controls: None.
6166 (9) AUTHENTICATOR MANAGEMENT | FEDERATED CREDENTIAL MANAGEMENT
6167 Use the following external organizations to federate authenticators: [Assignment:
6168 organization-defined external organizations].
6169 Discussion: Federation provides the capability for organizations to authenticate individuals
6170 and devices when conducting cross-organization activities involving the processing, storage,
6171 or transmission of information.
6172 Related Controls: AU-7, AU-16.
6173 (10) AUTHENTICATOR MANAGEMENT | DYNAMIC CREDENTIAL BINDING
6174 Bind identities and authenticators dynamically using the following rules: [Assignment:
6175 organization-defined binding rules].
6176 Discussion: Authentication requires some form of binding between an identity and the
6177 authenticator that is used to confirm the identity. In conventional approaches, binding is
6178 established by pre-provisioning both the identity and the authenticator to the system. For
6179 example, the binding between a username (i.e., identity) and a password (i.e., authenticator)
6180 is accomplished by provisioning the identity and authenticator as a pair in the system. New
6181 authentication techniques allow the binding between the identity and the authenticator to
6182 be implemented external to a system. For example, with smartcard credentials, the identity
6183 and authenticator are bound together on the smartcard. Using these credentials, systems
6184 can authenticate identities that have not been pre-provisioned, dynamically provisioning the
6185 identity after authentication. In these situations, organizations can anticipate the dynamic
6186 provisioning of identities. Pre-established trust relationships and mechanisms with
6187 appropriate authorities to validate identities and related credentials are essential.
6188 Related Controls: AU-16, IA-5.
6189 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION
6190 [Withdrawn: Incorporated into IA-2(1) and IA-2(2).]
6191 (12) AUTHENTICATOR MANAGEMENT | BIOMETRIC AUTHENTICATION PERFORMANCE
6192 For biometric-based authentication, employ mechanisms that satisfy the following
6193 biometric quality requirements [Assignment: organization-defined biometric quality
6194 requirements].
6195 Discussion: Unlike password-based authentication which provides exact matches of user-
6196 input passwords to stored passwords, biometric authentication does not provide such exact
6197 matches. Depending upon the type of biometric and the type of collection mechanism, there
6198 is likely to be some divergence from the presented biometric and the stored biometric that
6199 serves as the basis of comparison. Matching performance is the rate at which a biometric
6200 algorithm correctly results in a match for a genuine user and rejects other users. Biometric

CHAPTER THREE PAGE 137

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6201 performance requirements include the match rate as this rate reflects the accuracy of the
6202 biometric matching algorithm used by a system.
6203 Related Controls: AC-7.
6204 (13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS
6205 Prohibit the use of cached authenticators after [Assignment: organization-defined time-
6206 period].
6207 Discussion: If cached authentication information is out-of-date, the validity of the
6208 authentication information may be questionable.
6209 Related Controls: None.
6210 (14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
6211 For PKI-based authentication, employ an organization-wide methodology for managing the
6212 content of PKI trust stores installed across all platforms, including networks, operating
6213 systems, browsers, and applications.
6214 Discussion: An organization-wide methodology for managing the content of PKI trust stores
6215 helps improve the accuracy and currency of PKI-based authentication credentials across the
6216 organization.
6217 Related Controls: None.
6218 (15) AUTHENTICATOR MANAGEMENT | GSA-APPROVED PRODUCTS AND SERVICES
6219 Use only General Services Administration-approved and validated products and services
6220 for identity, credential, and access management.
6221 Discussion: General Services Administration (GSA)-approved products and services are the
6222 products and services that have been approved through the GSA conformance program,
6223 where applicable, and posted to the GSA Approved Products List. GSA provides guidance for
6224 teams to design and build functional and secure systems that comply with Federal Identity,
6225 Credential, and Access Management (FICAM) policies, technologies, and implementation
6226 patterns.
6227 Related Controls: None.
6228 (16) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED EXTERNAL PARTY AUTHENTICATOR
6229 ISSUANCE
6230 Require that the issuance of [Assignment: organization-defined types of and/or specific
6231 authenticators] be conducted [Selection: in person; by a trusted external party] before
6232 [Assignment: organization-defined registration authority] with authorization by
6233 [Assignment: organization-defined personnel or roles].
6234 Discussion: Issuing authenticators in person or by a trusted external party enhances and
6235 reinforces the trustworthiness of the identity proofing process.
6236 Related Controls: IA-12.
6237 (17) AUTHENTICATOR MANAGEMENT | PRESENTATION ATTACK DETECTION FOR BIOMETRIC
6238 AUTHENTICATORS
6239 Employ presentation attack detection mechanisms for biometric-based authentication.
6240 Discussion: Biometric characteristics do not constitute secrets. Such characteristics can be
6241 obtained by online web accesses; taking a picture of someone with a camera phone to
6242 obtain facial images with or without their knowledge; lifting from objects that someone has
6243 touched, for example, a latent fingerprint; or capturing a high-resolution image, for example,
6244 an iris pattern. Presentation attack detection technologies including liveness detection, can
6245 mitigate the risk of these types of attacks by making it difficult to produce artifacts intended
6246 to defeat the biometric sensor.

CHAPTER THREE PAGE 138

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6247 Related Controls: AC-7.

6248 (18) AUTHENTICATOR MANAGEMENT | PASSWORD MANAGERS
6249 (a) Employ [Assignment: organization-defined password managers] to generate and
6250 manage passwords; and
6251 (b) Protect the passwords using [Assignment: organization-defined controls].
6252 Discussion: For those systems where static passwords are employed, it is often a challenge
6253 to ensure that the passwords are suitably complex and that the same passwords are not
6254 employed on multiple systems. A password manager is a solution to this problem as it
6255 automatically generates and stores strong and different passwords for the various accounts.
6256 A potential risk of using password managers is that adversaries can target the collection of
6257 passwords generated by the password manager. Therefore, the collection of passwords
6258 requires protection including encrypting the passwords (see IA-5(1)d.) and storing the
6259 collection off-line in a token.
6260 Related Controls: None.
6261 References: [FIPS 140-3]; [FIPS 180-4]; [FIPS 201-2]; [FIPS 202]; [SP 800-63-3]; [SP 800-73-4]; [SP
6262 800-76-2]; [SP 800-78-4]; [IR 7539]; [IR 7817]; [IR 7849]; [IR 7870]; [IR 8040].

6263 IA-6 AUTHENTICATOR FEEDBACK

6264 Control: Obscure feedback of authentication information during the authentication process to
6265 protect the information from possible exploitation and use by unauthorized individuals.
6266 Discussion: Authenticator feedback from systems does not provide information that would allow
6267 unauthorized individuals to compromise authentication mechanisms. For some types of systems,
6268 for example, desktops or notebooks with relatively large monitors, the threat (referred to as
6269 shoulder surfing) may be significant. For other types of systems, for example, mobile devices
6270 with small displays, the threat may be less significant, and is balanced against the increased
6271 likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring
6272 authenticator feedback is selected accordingly. Obscuring authenticator feedback includes
6273 displaying asterisks when users type passwords into input devices, or displaying feedback for a
6274 very limited time before obscuring it.
6275 Related Controls: AC-3.
6276 Control Enhancements: None.
6277 References: None.

6278 IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

6279 Control: Implement mechanisms for authentication to a cryptographic module that meet the
6280 requirements of applicable laws, executive orders, directives, policies, regulations, standards,
6281 and guidelines for such authentication.
6282 Discussion: Authentication mechanisms may be required within a cryptographic module to
6283 authenticate an operator accessing the module and to verify that the operator is authorized to
6284 assume the requested role and perform services within that role.
6285 Related Controls: AC-3, IA-5, SA-4, SC-12, SC-13.
6286 Control Enhancements: None.
6287 References: [FIPS 140-3].

CHAPTER THREE PAGE 139

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6288 IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

6289 Control: Uniquely identify and authenticate non-organizational users or processes acting on
6290 behalf of non-organizational users.
6291 Discussion: Non-organizational users include system users other than organizational users
6292 explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for
6293 accesses other than those accesses explicitly identified and documented in AC-14. Identification
6294 and authentication of non-organizational users accessing federal systems may be required to
6295 protect federal, proprietary, or privacy-related information (with exceptions noted for national
6296 security systems). Organizations consider many factors, including security, privacy, scalability,
6297 and practicality in balancing the need to ensure ease of use for access to federal information and
6298 systems with the need to protect and adequately mitigate risk.
6299 Related Controls: AC-2, AC-6, AC-14, AC-17, AC-18, AU-6, IA-2, IA-4, IA-5, IA-10, IA-11, MA-4, RA-
6300 3, SA-4, SC-8.
6301 Control Enhancements:
6302 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV
6303 CREDENTIALS FROM OTHER AGENCIES
6304 Accept and electronically verify Personal Identity Verification-compliant credentials from
6305 other federal agencies.
6306 Discussion: Acceptance of Personal Identity Verification (PIV) credentials from other federal
6307 agencies applies to both logical and physical access control systems. PIV credentials are
6308 those credentials issued by federal agencies that conform to FIPS Publication 201 and
6309 supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and
6310 authorized using [SP 800-79-2].
6311 Related Controls: PE-3.
6312 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF EXTERNAL
6313 CREDENTIALS
6314 Accept only external credentials that are NIST-compliant.
6315 Discussion: Acceptance of only NIST-compliant external credentials applies to organizational
6316 systems that are accessible to the public (e.g., public-facing websites). External credentials
6317 are those credentials issued by nonfederal government entities. External credentials are
6318 certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved
6319 external credentials meet or exceed the set of minimum federal government-wide technical,
6320 security, privacy, and organizational maturity requirements. Meeting or exceeding federal
6321 requirements allows federal government relying parties to trust external credentials at their
6322 approved assurance levels.
6323 Related Controls: None.
6324 (3) IDENTIFICATION AND IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE
6325 OF FICAM-APPROVED PRODUCTS
6326 [Withdrawn: Incorporated into IA-8(2).]
6327 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF NIST-ISSUED
6328 PROFILES
6329 Conform to NIST-issued profiles for identity management.
6330 Discussion: Conformance with NIST-issued profiles for identity management addresses open
6331 identity management standards. To ensure that open identity management standards are
6332 viable, robust, reliable, sustainable, and interoperable as documented, the United States
6333 Government assesses and scopes the standards and technology implementations against

CHAPTER THREE PAGE 140

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6334 applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
6335 The result is NIST-issued implementation profiles of approved protocols.
6336 Related Controls: None.
6337 (5) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV-I
6338 CREDENTIALS
6339 Accept and verify federated or PKI credentials that meet [Assignment: organization-
6340 defined policy].
6341 Discussion: This control enhancement can be implemented by PIV , PIV-I, and other
6342 commercial or external identity providers. Acceptance and verification of Personal Identity
6343 Verification (PIV)-I-compliant credentials applies to both logical and physical access control
6344 systems. Acceptance and verification of PIV-I credentials addresses nonfederal issuers of
6345 identity cards that desire to interoperate with United States Government PIV systems and
6346 that can be trusted by federal government-relying parties. The X.509 certificate policy for
6347 the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I
6348 card is commensurate with the PIV credentials as defined in cited references. PIV-I
6349 credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps
6350 to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA
6351 (directly or through another PKI bridge) with policies that have been mapped and approved
6352 as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy.
6353 Related Controls: None.
6354 (6) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | DISASSOCIABILITY
6355 Implement the following measures to disassociate user attributes or credential assertion
6356 relationships among individuals, credential service providers, and relying parties:
6357 [Assignment: organization-defined measures].
6358 Discussion: Federated identity solutions can create increased privacy risks due to tracking
6359 and profiling of individuals. Using identifier mapping tables or cryptographic techniques to
6360 blind credential service providers and relying parties from each other or to make identity
6361 attributes less visible to transmitting parties can reduce these privacy risks.
6362 Related Controls: None.
6363 References: [OMB A-130]; [FIPS 201-2]; [SP 800-63-3]; [SP 800-79-2]; [SP 800-116]; [IR 8062].

6364 IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION

6365 Control: Uniquely identify and authenticate [Assignment: organization-defined system services
6366 and applications] before establishing communications with devices, users, or other services or
6367 applications.
6368 Discussion: Services that may require identification and authentication include web applications
6369 using digital certificates or services or applications that query a database. Identification and
6370 authentication methods for system services/applications include information or code signing,
6371 provenance graphs, and/or electronic signatures indicating the sources of services. Decisions
6372 regarding the validation of identification and authentication claims can be made by services
6373 separate from the services acting on those decisions. This can occur in distributed system
6374 architectures. In such situations, the identification and authentication decisions (instead of actual
6375 identifiers and authenticators) are provided to the services that need to act on those decisions.
6376 Related Controls: IA-3, IA-4, IA-5, SC-8.

CHAPTER THREE PAGE 141

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6377 Control Enhancements:

6378 (1) SERVICE IDENTIFICATION AND AUTHENTICATION | INFORMATION EXCHANGE
6379 [Withdrawn: Incorporated into IA-9.]
6380 (2) SERVICE IDENTIFICATION AND AUTHENTICATION | TRANSMISSION OF DECISIONS
6381 [Withdrawn: Incorporated into IA-9.]
6382 References: None.

6383 IA-10 ADAPTIVE AUTHENTICATION

6384 Control: Require individuals accessing the system to employ [Assignment: organization-defined
6385 supplemental authentication techniques or mechanisms] under specific [Assignment:
6386 organization-defined circumstances or situations].
6387 Discussion: Adversaries may compromise individual authentication mechanisms employed by
6388 organizations and subsequently attempt to impersonate legitimate users. To address this threat,
6389 organizations may employ specific techniques or mechanisms and establish protocols to assess
6390 suspicious behavior. Suspicious behavior may include accessing information that individuals do
6391 not typically access as part of their duties, roles, or responsibilities; accessing greater quantities
6392 of information than individuals would routinely access; or attempting to access information from
6393 suspicious network addresses. When pre-established conditions or triggers occur, organizations
6394 can require individuals to provide additional authentication information. Another potential use
6395 for adaptive authentication is to increase the strength of mechanism based on the number or
6396 types of records being accessed. Adaptive authentication does not replace and is not used to
6397 avoid the use of multifactor authentication mechanisms but can augment implementations of
6398 these controls.
6399 Related Controls: IA-2, IA-8.
6400 Control Enhancements: None.
6401 References: [SP 800-63-3].

6402 IA-11 RE-AUTHENTICATION

6403 Control: Require users to re-authenticate when [Assignment: organization-defined
6404 circumstances or situations requiring re-authentication].
6405 Discussion: In addition to the re-authentication requirements associated with device locks,
6406 organizations may require re-authentication of individuals in certain situations, including when
6407 authenticators or roles change; when security categories of systems change; when the execution
6408 of privileged functions occurs; after a fixed time-period; or periodically.
6409 Related Controls: AC-3, AC-11, IA-2, IA-3, IA-8.
6410 Control Enhancements: None.
6411 References: None.

6412 IA-12 IDENTITY PROOFING

6413 Control:
6414 a. Identity proof users that require accounts for logical access to systems based on appropriate
6415 identity assurance level requirements as specified in applicable standards and guidelines;
6416 b. Resolve user identities to a unique individual; and

CHAPTER THREE PAGE 142

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6417 c. Collect, validate, and verify identity evidence.

6418 Discussion: Identity proofing is the process of collecting, validating, and verifying user’s identity
6419 information for the purposes of issuing credentials for accessing a system. Identity proofing is
6420 intended to mitigate threats to the registration of users and the establishment of their accounts.
6421 Standards and guidelines specifying identity assurance levels for identity proofing include [SP
6422 800-63-3] and [SP 800-63A].
6423 Related Controls: IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8.
6424 (1) IDENTITY PROOFING | SUPERVISOR AUTHORIZATION
6425 Require that the registration process to receive an account for logical access includes
6426 supervisor or sponsor authorization.
6427 Discussion: Including supervisor or sponsor authorization as part of the registration process
6428 provides an additional level of scrutiny to ensure that the user’s management chain is aware
6429 of the account, the account is essential to carry out organizational missions and functions,
6430 and the user’s privileges are appropriate for the anticipated responsibilities and authorities
6431 within the organization.
6432 Related Controls: None.
6433 (2) IDENTITY PROOFING | IDENTITY EVIDENCE
6434 Require evidence of individual identification be presented to the registration authority.
6435 Discussion: Identity evidence, such as documentary evidence or a combination of
6436 documents and biometrics, reduces the likelihood of individuals using fraudulent
6437 identification to establish an identity, or at least increases the work factor of potential
6438 adversaries. The forms of acceptable evidence are consistent with the risk to the systems,
6439 roles, and privileges associated with the user’s account.
6440 Related Controls: None.
6441 (3) IDENTITY PROOFING | IDENTITY EVIDENCE VALIDATION AND VERIFICATION
6442 Require that the presented identity evidence be validated and verified through
6443 [Assignment: organizational defined methods of validation and verification].
6444 Discussion: Validating and verifying identity evidence increases the assurance that accounts,
6445 identifiers, and authenticators are being issued to the correct user. Validation refers to the
6446 process of confirming that the evidence is genuine and authentic, and the data contained in
6447 the evidence is correct, current, and related to an actual person or individual. Verification
6448 confirms and establishes a linkage between the claimed identity and the actual existence of
6449 the user presenting the evidence. Acceptable methods for validating and verifying identity
6450 evidence are consistent with the risk to the systems, roles, and privileges associated with the
6451 users account
6452 Related Controls: None.
6453 (4) IDENTITY PROOFING | IN-PERSON VALIDATION AND VERIFICATION
6454 Require that the validation and verification of identity evidence be conducted in person
6455 before a designated registration authority.
6456 Discussion: In-person proofing reduces the likelihood of fraudulent credentials being issued
6457 because it requires the physical presence of individuals, the presentation of physical identity
6458 documents, and actual face-to-face interactions with designated registration authorities.
6459 Related Controls: None.

CHAPTER THREE PAGE 143

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6460 (5) IDENTITY PROOFING | ADDRESS CONFIRMATION

6461 Require that a [Selection: registration code; notice of proofing] be delivered through an
6462 out-of-band channel to verify the users address (physical or digital) of record.
6463 Discussion: To make it more difficult for adversaries to pose as legitimate users during the
6464 identity proofing process, organizations can use out-of-band methods to increase assurance
6465 that the individual associated with an address of record is the same person that participated
6466 in the registration. Confirmation can take the form of a temporary enrollment code or a
6467 notice of proofing. The delivery address for these artifacts are obtained from records and
6468 not self-asserted by the user. The address can include a physical or a digital address. A home
6469 address is an example of a physical address. Email addresses and telephone numbers are
6470 examples of digital addresses.
6471 Related Controls: IA-12.
6472 (6) IDENTITY PROOFING | ACCEPT EXTERNALLY-PROOFED IDENTITIES
6473 Accept externally-proofed identities at [Assignment: organization-defined identity
6474 assurance level].
6475 Discussion: To limit unnecessary re-proofing of identities, particularly of non-PIV users,
6476 organizations accept proofing conducted at a commensurate level of assurance by other
6477 agencies or organizations. Proofing is consistent with organizational security policy and with
6478 the identity assurance level appropriate for the system, application, or information accessed.
6479 Accepting externally-proofed identities is a fundamental component of managing federated
6480 identities across agencies and organizations.
6481 Related Controls: IA-3, IA-4, IA-5, IA-8.
6482 References: [FIPS 201-2]; [SP 800-63-3]; [SP 800-63A]; [SP 800-79-2].

CHAPTER THREE PAGE 144

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6483 3.8 INCIDENT RESPONSE

6484 Quick link to Incident Response summary table

6485 IR-1 POLICY AND PROCEDURES

6486 Control:
6487 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
6488 roles]:
6489 1. [Selection (one or more): organization-level; mission/business process-level; system-
6490 level] incident response policy that:
6491 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
6492 coordination among organizational entities, and compliance; and
6493 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
6494 standards, and guidelines; and
6495 2. Procedures to facilitate the implementation of the incident response policy and the
6496 associated incident response controls;
6497 b. Designate an [Assignment: organization-defined official] to manage the development,
6498 documentation, and dissemination of the incident response policy and procedures; and
6499 c. Review and update the current incident response:
6500 1. Policy [Assignment: organization-defined frequency]; and
6501 2. Procedures [Assignment: organization-defined frequency].
6502 Discussion: This control addresses policy and procedures for the controls in the IR family
6503 implemented within systems and organizations. The risk management strategy is an important
6504 factor in establishing such policies and procedures. Policies and procedures help provide security
6505 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
6506 on their development. Security and privacy program policies and procedures at the organization
6507 level are preferable, in general, and may obviate the need for system-specific policies and
6508 procedures. The policy can be included as part of the general security and privacy policy or can
6509 be represented by multiple policies reflecting the complex nature of organizations. Procedures
6510 can be established for security and privacy programs and for systems, if needed. Procedures
6511 describe how the policies or controls are implemented and can be directed at the individual or
6512 role that is the object of the procedure. Procedures can be documented in system security and
6513 privacy plans or in one or more separate documents. Restating controls does not constitute an
6514 organizational policy or procedure.
6515 Related Controls: PM-9, PS-8, SI-12.
6516 Control Enhancements: None.
6517 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-50]; [SP 800-61]; [SP
6518 800-83]; [SP 800-100].

6519 IR-2 INCIDENT RESPONSE TRAINING

6520 Control: Provide incident response training to system users consistent with assigned roles and
6521 responsibilities:
6522 a. Within [Assignment: organization-defined time-period] of assuming an incident response
6523 role or responsibility or acquiring system access;

CHAPTER THREE PAGE 145

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6524 b. When required by system changes; and

6525 c. [Assignment: organization-defined frequency] thereafter.
6526 Discussion: Incident response training is associated with assigned roles and responsibilities of
6527 organizational personnel to ensure the appropriate content and level of detail is included in such
6528 training. For example, users may only need to know who to call or how to recognize an incident;
6529 system administrators may require additional training on how to handle incidents; and finally,
6530 incident responders may receive more specific training on forensics, data collection techniques,
6531 reporting, system recovery, and system restoration. Incident response training includes user
6532 training in identifying and reporting suspicious activities from external and internal sources.
6533 Incident response training for users may be provided as part of AT-2 or AT-3.
6534 Related Controls: AT-2, AT-3, AT-4, CP-3, IR-3, IR-4, IR-8, IR-9.
6535 Control Enhancements:
6536 (1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS
6537 Incorporate simulated events into incident response training to facilitate the required
6538 response by personnel in crisis situations.
6539 Discussion: Organizations establish requirements for responding to incidents in incident
6540 response plans. Incorporating simulated events into incident response training helps to
6541 ensure that personnel understand their individual responsibilities and what specific actions
6542 to take in crisis situations.
6543 Related Controls: None.
6544 (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS
6545 Provide an incident response training environment using [Assignment: organization-
6546 defined automated mechanisms].
6547 Discussion: Automated mechanisms can provide a more thorough and realistic incident
6548 response training environment. This can be accomplished, for example, by providing more
6549 complete coverage of incident response issues; by selecting more realistic training scenarios
6550 and training environments; and by stressing the response capability.
6551 Related Controls: None.
6552 References: [SP 800-50].

6553 IR-3 INCIDENT RESPONSE TESTING

6554 Control: Test the effectiveness of the incident response capability for the system [Assignment:
6555 organization-defined frequency] using the following tests: [Assignment: organization-defined
6556 tests].
6557 Discussion: Organizations test incident response capabilities to determine the effectiveness of
6558 the capabilities and to identify potential weaknesses or deficiencies. Incident response testing
6559 includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full
6560 interrupt). Incident response testing can include a determination of the effects on organizational
6561 operations, organizational assets, and individuals due to incident response. Use of qualitative
6562 and quantitative data aids in determining the effectiveness of incident response processes.
6563 Related Controls: CP-3, CP-4, IR-2, IR-4, IR-8, PM-14.
6564 Control Enhancements:
6565 (1) INCIDENT RESPONSE TESTING | AUTOMATED TESTING
6566 Test the incident response capability using [Assignment: organization-defined automated
6567 mechanisms].

CHAPTER THREE PAGE 146

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6568 Discussion: Organizations use automated mechanisms to more thoroughly and effectively
6569 test incident response capabilities. This can be accomplished by providing more complete
6570 coverage of incident response issues; by selecting more realistic test scenarios and test
6571 environments; and by stressing the response capability.
6572 Related Controls: None.
6573 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
6574 Coordinate incident response testing with organizational elements responsible for related
6575 plans.
6576 Discussion: Organizational plans related to incident response testing include Business
6577 Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans,
6578 Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.
6579 Related Controls: None.
6580 (3) INCIDENT RESPONSE TESTING | CONTINUOUS IMPROVEMENT
6581 Use qualitative and quantitative data from testing to:
6582 (a) Determine the effectiveness of incident response processes;
6583 (b) Continuously improve incident response processes; and
6584 (c) Provide incident response measures and metrics that are accurate, consistent, and in a
6585 reproducible format.
6586 Discussion: To help incident response activities function as intended, organizations may use
6587 metrics and evaluation criteria to assess incident response programs as part of an effort to
6588 continually improve response performance. These efforts facilitate improvement in incident
6589 response efficacy and lessen the impact of incidents.
6590 Related Controls: None.
6591 References: [OMB A-130]; [SP 800-84]; [SP 800-115].

6592 IR-4 INCIDENT HANDLING

6593 Control:
6594 a. Implement an incident handling capability for incidents that is consistent with the incident
6595 response plan and includes preparation, detection and analysis, containment, eradication,
6596 and recovery;
6597 b. Coordinate incident handling activities with contingency planning activities;
6598 c. Incorporate lessons learned from ongoing incident handling activities into incident response
6599 procedures, training, and testing, and implement the resulting changes accordingly; and
6600 d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable
6601 and predictable across the organization.
6602 Discussion: Organizations recognize that incident response capability is dependent on the
6603 capabilities of organizational systems and the mission/business processes being supported by
6604 those systems. Organizations consider incident response as part of the definition, design, and
6605 development of mission/business processes and systems. Incident-related information can be
6606 obtained from a variety of sources, including audit monitoring, physical access monitoring, and
6607 network monitoring; user or administrator reports; and reported supply chain events. Effective
6608 incident handling capability includes coordination among many organizational entities (e.g.,
6609 mission or business owners, system owners, authorizing officials, human resources offices,
6610 physical security offices, personnel security offices, legal departments, risk executive (function),
6611 operations personnel, procurement offices). Suspected security incidents include the receipt of

CHAPTER THREE PAGE 147

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6612 suspicious email communications that can contain malicious code. Suspected supply chain
6613 incidents include the insertion of counterfeit hardware or malicious code into organizational
6614 systems or system components. Suspected privacy incidents include a breach of personally
6615 identifiable information or the recognition that the processing of personally identifiable
6616 information creates potential privacy risk.
6617 Related Controls: AC-19, AU-6, AU-7, CM-6, CP-2, CP-3, CP-4, IR-2, IR-3, IR-6, IR-8, IR-10, PE-6, PL-
6618 2, PM-12, SA-8, SC-5, SC-7, SI-3, SI-4, SI-7.
6619 Control Enhancements:
6620 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
6621 Support the incident handling process using [Assignment: organization-defined automated
6622 mechanisms].
6623 Discussion: Automated mechanisms supporting incident handling processes include online
6624 incident management systems; and tools that support the collection of live response data,
6625 full network packet capture, and forensic analysis.
6626 Related Controls: None.
6627 (2) INCIDENT HANDLING | DYNAMIC RECONFIGURATION
6628 Include the following types of dynamic reconfiguration for [Assignment: organization-
6629 defined system components] as part of the incident response capability: [Assignment:
6630 organization-defined types of dynamic reconfiguration].
6631 Discussion: Dynamic reconfiguration includes changes to router rules, access control lists,
6632 intrusion detection or prevention system parameters, and filter rules for guards or firewalls.
6633 Organizations perform dynamic reconfiguration of systems, for example, to stop attacks, to
6634 misdirect attackers, and to isolate components of systems, thus limiting the extent of the
6635 damage from breaches or compromises. Organizations include time frames for achieving the
6636 reconfiguration of systems in the definition of the reconfiguration capability, considering the
6637 potential need for rapid response to effectively address cyber threats.
6638 Related Controls: AC-2, AC-4, CM-2.
6639 (3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS
6640 Identify [Assignment: organization-defined classes of incidents] and take the following
6641 actions in response to those incidents to ensure continuation of organizational missions
6642 and business functions: [Assignment: organization-defined actions to take in response to
6643 classes of incidents].
6644 Discussion: Classes of incidents include malfunctions due to design or implementation
6645 errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident
6646 response actions include orderly system degradation, system shutdown, fall back to manual
6647 mode or activation of alternative technology whereby the system operates differently,
6648 employing deceptive measures, alternate information flows, or operating in a mode that is
6649 reserved for when systems are under attack. Organizations consider whether continuity of
6650 operations requirements during an incident conflict with the capability to automatically
6651 disable the system as specified as part of IR-4(5).
6652 Related Controls: None.
6653 (4) INCIDENT HANDLING | INFORMATION CORRELATION
6654 Correlate incident information and individual incident responses to achieve an
6655 organization-wide perspective on incident awareness and response.
6656 Discussion: Sometimes a threat event, for example, a hostile cyber-attack, can only be
6657 observed by bringing together information from different sources, including various reports
6658 and reporting procedures established by organizations.

CHAPTER THREE PAGE 148

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6659 Related Controls: None.

6660 (5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM
6661 Implement a configurable capability to automatically disable the system if [Assignment:
6662 organization-defined security violations] are detected.
6663 Discussion: Organizations consider whether the capability to automatically disable the
6664 system conflicts with continuity of operations requirements specified as part of CP-2 or IR-
6665 4(3). Security violations include cyber-attacks that have compromised the integrity of the
6666 system or exfiltrated organizational information; serious errors in software programs that
6667 could adversely impact organizational missions or functions or jeopardize the safety of
6668 individuals.
6669 Related Controls: None.
6670 (6) INCIDENT HANDLING | INSIDER THREATS — SPECIFIC CAPABILITIES
6671 Implement an incident handling capability for incidents involving insider threats.
6672 Discussion: While many organizations address insider threat incidents as part of their
6673 organizational incident response capability, this control enhancement provides additional
6674 emphasis on this type of threat and the need for specific incident handling capabilities (as
6675 defined within organizations) to provide appropriate and timely responses.
6676 Related Controls: None.
6677 (7) INCIDENT HANDLING | INSIDER THREATS — INTRA-ORGANIZATION COORDINATION
6678 Coordinate an incident handling capability for insider threats that includes the following
6679 organizational entities [Assignment: organization-defined entities].
6680 Discussion: Incident handling for insider threat incidents (including preparation, detection
6681 and analysis, containment, eradication, and recovery) requires coordination among many
6682 organizational entities, including mission or business owners, system owners, human
6683 resources offices, procurement offices, personnel offices, physical security offices, senior
6684 agency information security officer, operations personnel, risk executive (function), senior
6685 agency official for privacy, and legal counsel. In addition, organizations may require external
6686 support from federal, state, and local law enforcement agencies.
6687 Related Controls: None.
6688 (8) INCIDENT HANDLING | CORRELATION WITH EXTERNAL ORGANIZATIONS
6689 Coordinate with [Assignment: organization-defined external organizations] to correlate
6690 and share [Assignment: organization-defined incident information] to achieve a cross-
6691 organization perspective on incident awareness and more effective incident responses.
6692 Discussion: The coordination of incident information with external organizations, including
6693 mission or business partners, military or coalition partners, customers, and developers, can
6694 provide significant benefits. Cross-organizational coordination can serve as an important risk
6695 management capability. This capability allows organizations to leverage critical information
6696 from a variety of sources to effectively respond to information security-related incidents
6697 potentially affecting the organization’s operations, assets, and individuals.
6698 Related Controls: AU-16, PM-16.
6699 (9) INCIDENT HANDLING | DYNAMIC RESPONSE CAPABILITY
6700 Employ [Assignment: organization-defined dynamic response capabilities] to respond to
6701 incidents.
6702 Discussion: Dynamic response capability addresses the timely deployment of new or
6703 replacement organizational capabilities in response to incidents. This includes capabilities
6704 implemented at the mission and business process level and at the system level.

CHAPTER THREE PAGE 149

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6705 Related Controls: None.

6706 (10) INCIDENT HANDLING | SUPPLY CHAIN COORDINATION
6707 Coordinate incident handling activities involving supply chain events with other
6708 organizations involved in the supply chain.
6709 Discussion: Organizations involved in supply chain activities include product developers,
6710 system integrators, manufacturers, packagers, assemblers, distributors, vendors, and
6711 resellers. Supply chain incidents include compromises or breaches that involve system
6712 components, information technology products, development processes or personnel, and
6713 distribution processes or warehousing facilities. Organizations consider including processes
6714 for protecting and sharing incident information in information exchange agreements.
6715 Related Controls: CA-3, MA-2, SA-9, SR-8.
6716 (11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM
6717 Establish and maintain an integrated incident response team that can be deployed to any
6718 location identified by the organization in [Assignment: organization-defined time period].
6719 Discussion: An integrated incident response team is a team of experts that assesses,
6720 documents, and responds to incidents so that organizational systems and networks can
6721 recover quickly and can implement the necessary controls to avoid future incidents. Incident
6722 response team personnel include forensic and malicious code analysts, tool developers,
6723 systems security engineers, and real-time operations personnel. The incident handling
6724 capability includes performing rapid forensic preservation of evidence and analysis of and
6725 response to intrusions. For some organizations the incident response team can be a cross
6726 organizational entity.
6727 An integrated incident response team facilitates information sharing and allows
6728 organizational personnel (e.g., developers, implementers, and operators), to leverage team
6729 knowledge of the threat and to implement defensive measures that enable organizations to
6730 deter intrusions more effectively. Moreover, integrated teams promote the rapid detection
6731 of intrusions, development of appropriate mitigations, and the deployment of effective
6732 defensive measures. For example, when an intrusion is detected, the integrated team can
6733 rapidly develop an appropriate response for operators to implement, correlate the new
6734 incident with information on past intrusions, and augment ongoing cyber intelligence
6735 development. Integrated incident response teams are better able to identify adversary
6736 tactics, techniques, and procedures that are linked to the operations tempo or to specific
6737 missions and business functions, and to define responsive actions in a way that does not
6738 disrupt those missions and business functions. Incident response teams can be distributed
6739 within organizations to make the capability resilient.
6740 Related Controls: AT-3.
6741 (12) INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS
6742 Analyze [Selection (one or more): malicious code; [Assignment: organization-defined
6743 residual artifacts] remaining in the system after the incident.
6744 Discussion: Analysis of malicious code and other residual artifacts of a security or privacy
6745 incident can give the organization insight into adversary tactics, techniques, and procedures.
6746 It can also indicate the identity or some defining characteristics of the adversary. Malicious
6747 code analysis can also help the organization develop responses to future incidents.
6748 Related Controls: None.
6749 (13) INCIDENT HANDLING | BEHAVIOR ANALYSIS
6750 Analyze anomalous or suspected adversarial behavior in or related to [Assignment:
6751 organization-defined environments or resources].

CHAPTER THREE PAGE 150

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6752 Discussion: If the organization maintains a deception environment, analysis of behaviors in

6753 that environment, including resources targeted by the adversary and timing of the incident
6754 or event, can provide insight into adversarial tactics, techniques, and procedures. External to
6755 a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in
6756 system performance or usage patterns) or suspected behavior (e.g., changes in searches for
6757 the location of specific resources) can give the organization such insight.
6758 Related Controls: None.
6759 (14) INCIDENT HANDLING | SECURITY OPERATIONS CENTER
6760 Establish and maintain a security operations center.
6761 Discussion: A security operations center (SOC) is the focal point for security operations and
6762 computer network defense for an organization. The purpose of the SOC is to defend and
6763 monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing
6764 basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity
6765 incidents in a timely manner. The organization staffs the SOC with skilled technical and
6766 operational personnel (e.g., security analysts, incident response personnel, systems security
6767 engineers) and implements a combination of technical, management, and operational
6768 controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate,
6769 analyze, and respond to threat and security-relevant event data from multiple sources.
6770 These sources include perimeter defenses, network devices (e.g., routers, switches), and
6771 endpoint agent data feeds. The SOC provides a holistic situational awareness capability to
6772 help organizations determine the security posture of the system and organization. A SOC
6773 capability can be obtained in a variety of ways. Larger organizations may implement a
6774 dedicated SOC while smaller organizations may employ third-party organizations to provide
6775 such capability.
6776 Related Controls: None.
6777 (15) INCIDENT HANDLING | PUBLICATION RELATIONS AND REPUTATION REPAIR
6778 (a) Manage public relations associated with an incident; and
6779 (b) Employ measures to repair the reputation of the organization.
6780 Discussion: It is important for an organization to have a strategy in place for addressing
6781 incidents that have been brought to the attention of the general public and that have cast
6782 the organization in a negative light or affected the organization’s constituents (e.g., partners,
6783 customers). Such publicity can be extremely harmful to the organization and effect its ability
6784 to effectively carry out its missions and business functions. Taking proactive steps to repair
6785 the organization’s reputation is an essential aspect of reestablishing trust and confidence of
6786 its constituents.
6787 Related Controls: None.
6788 References: [SP 800-61]; [SP 800-86]; [SP 800-101]; [SP 800-150]; [SP 800-160 v2]; [SP 800-184];
6789 [IR 7559].

6790 IR-5 INCIDENT MONITORING

6791 Control: Track and document security, privacy, and supply chain incidents.
6792 Discussion: Documenting incidents includes maintaining records about each incident, the status
6793 of the incident, and other pertinent information necessary for forensics; and evaluating incident
6794 details, trends, and handling. Incident information can be obtained from a variety of sources,
6795 including network monitoring; incident reports; incident response teams; user complaints; supply
6796 chain partners; audit monitoring; physical access monitoring; and user and administrator reports.
6797 Related Controls: AU-6, AU-7, IR-8, PE-6, PM-5, SC-5, SC-7, SI-3, SI-4, SI-7.

CHAPTER THREE PAGE 151

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6798 Control Enhancements:

6799 (1) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS
6800 Track security and privacy incidents and collect and analyze incident information using
6801 [Assignment: organization-defined automated mechanisms].
6802 Discussion: Automated mechanisms for tracking incidents and for collecting and analyzing
6803 incident information include Computer Incident Response Centers or other electronic
6804 databases of incidents and network monitoring devices.
6805 Related Controls: AU-7, IR-4.
6806 References: [SP 800-61].

6807 IR-6 INCIDENT REPORTING

6808 Control:
6809 a. Require personnel to report suspected security, privacy, and supply chain incidents to the
6810 organizational incident response capability within [Assignment: organization-defined time-
6811 period]; and
6812 b. Report security, privacy, and supply chain incident information to [Assignment: organization-
6813 defined authorities].
6814 Discussion: The types of incidents reported, the content and timeliness of the reports, and the
6815 designated reporting authorities reflect applicable laws, executive orders, directives, regulations,
6816 policies, standards, and guidelines.
6817 Related Controls: CM-6, CP-2, IR-4, IR-5, IR-8, IR-9.
6818 Control Enhancements:
6819 (1) INCIDENT REPORTING | AUTOMATED REPORTING
6820 Report incidents using [Assignment: organization-defined automated mechanisms].
6821 Discussion: Reporting recipients are as specified in IR-6b. Automated reporting mechanisms
6822 include email, posting on web sites, and automated incident response tools and programs.
6823 Related Controls: IR-7.
6824 (2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS
6825 Report system vulnerabilities associated with reported incidents to [Assignment:
6826 organization-defined personnel or roles].
6827 Discussion: Reported incidents that uncover system vulnerabilities are analyzed by
6828 organizational personnel including system owners; mission/business owners; senior agency
6829 information security officers; senior agency officials for privacy; authorizing officials; and the
6830 risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to
6831 address the discovered system vulnerability.
6832 Related Controls: None.
6833 (3) INCIDENT REPORTING | SUPPLY CHAIN COORDINATION
6834 Provide security and privacy incident information to the provider of the product or service
6835 and other organizations involved in the supply chain for systems or system components
6836 related to the incident.
6837 Discussion: Organizations involved in supply chain activities include product developers,
6838 system integrators, manufacturers, packagers, assemblers, distributors, vendors, and
6839 resellers. Supply chain incidents include compromises or breaches that involve information
6840 technology products, system components, development processes or personnel, and

CHAPTER THREE PAGE 152

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6841 distribution processes or warehousing facilities. Organizations determine the appropriate

6842 information to share and consider the value gained from informing external organizations
6843 about supply chain incidents including the ability to improve processes or to identify the root
6844 cause of an incident.
6845 Related Controls: SR-8.
6846 References: [SP 800-61].

6847 IR-7 INCIDENT RESPONSE ASSISTANCE

6848 Control: Provide an incident response support resource, integral to the organizational incident
6849 response capability, that offers advice and assistance to users of the system for the handling and
6850 reporting of security, privacy, and supply chain incidents.
6851 Discussion: Incident response support resources provided by organizations include help desks,
6852 assistance groups, automated ticketing systems to open and track incident response tickets, and
6853 access to forensics services or consumer redress services, when required.
6854 Related Controls: AT-2, AT-3, IR-4, IR-6, IR-8, PM-22, PM-26, SA-9, SI-18.
6855 Control Enhancements:
6856 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION AND
6857 SUPPORT
6858 Increase the availability of incident response information and support using [Assignment:
6859 organization-defined automated mechanisms].
6860 Discussion: Automated mechanisms can provide a push or pull capability for users to obtain
6861 incident response assistance. For example, individuals may have access to a website to query
6862 the assistance capability, or the assistance capability can proactively send incident response
6863 information to users (general distribution or targeted) as part of increasing understanding of
6864 current response capabilities and support.
6865 Related Controls: None.
6866 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS
6867 (a) Establish a direct, cooperative relationship between its incident response capability
6868 and external providers of system protection capability; and
6869 (b) Identify organizational incident response team members to the external providers.
6870 Discussion: External providers of a system protection capability include the Computer
6871 Network Defense program within the U.S. Department of Defense. External providers help to
6872 protect, monitor, analyze, detect, and respond to unauthorized activity within organizational
6873 information systems and networks. It may be beneficial to have agreements in place with
6874 external providers to clarify the roles and responsibilities of each party before an incident
6875 occurs.
6876 Related Controls: None.
6877 References: [OMB A-130]; [IR 7559].

6878 IR-8 INCIDENT RESPONSE PLAN

6879 Control:
6880 a. Develop an incident response plan that:
6881 1. Provides the organization with a roadmap for implementing its incident response
6882 capability;

CHAPTER THREE PAGE 153

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6883 2. Describes the structure and organization of the incident response capability;
6884 3. Provides a high-level approach for how the incident response capability fits into the
6885 overall organization;
6886 4. Meets the unique requirements of the organization, which relate to mission, size,
6887 structure, and functions;
6888 5. Defines reportable incidents;
6889 6. Provides metrics for measuring the incident response capability within the organization;
6890 7. Defines the resources and management support needed to effectively maintain and
6891 mature an incident response capability;
6892 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]
6893 [Assignment: organization-defined frequency]; and
6894 9. Explicitly designates responsibility for incident response to [Assignment: organization-
6895 defined entities, personnel, or roles].
6896 b. Distribute copies of the incident response plan to [Assignment: organization-defined incident
6897 response personnel (identified by name and/or by role) and organizational elements];
6898 c. Update the incident response plan to address system and organizational changes or
6899 problems encountered during plan implementation, execution, or testing;
6900 d. Communicate incident response plan changes to [Assignment: organization-defined incident
6901 response personnel (identified by name and/or by role) and organizational elements]; and
6902 e. Protect the incident response plan from unauthorized disclosure and modification.
6903 Discussion: It is important that organizations develop and implement a coordinated approach to
6904 incident response. Organizational missions and business functions help determine the structure
6905 of incident response capabilities. As part of the incident response capabilities, organizations
6906 consider the coordination and sharing of information with external organizations, including
6907 external service providers and other organizations involved in the supply chain. For incidents
6908 involving personally identifiable information, include a process to determine whether notice to
6909 oversight organizations or affected individuals is appropriate and provide that notice accordingly.
6910 Related Controls: AC-2, CP-2, CP-4, IR-4, IR-7, IR-9, PE-6, PL-2, SA-15, SI-12, SR-8.
6911 Control Enhancements:
6912 (1) INCIDENT RESPONSE PLAN | PRIVACY BREACHES
6913 Include the following in the Incident Response Plan for breaches involving personally
6914 identifiable information:
6915 (a) A process to determine if notice to individuals or other organizations, including
6916 oversight organizations, is needed;
6917 (b) An assessment process to determine the extent of the harm, embarrassment,
6918 inconvenience, or unfairness to affected individuals and any mechanisms to mitigate
6919 such harms; and
6920 (c) Identification of applicable privacy requirements.
6921 Discussion: Organizations may be required by law, regulation, or policy to follow specific
6922 procedures relating to privacy breaches, including notice to individuals, affected
6923 organizations, and oversight bodies, standards of harm, and mitigation or other specific
6924 requirements.
6925 Related Controls: PT-1, PT-2, PT-3, PT-5, PT-6, PT-8.

CHAPTER THREE PAGE 154

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6926 References: [OMB A-130]; [SP 800-61]; [OMB M-17-12].

6927 IR-9 INFORMATION SPILLAGE RESPONSE

6928 Control: Respond to information spills by:
6929 a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for
6930 responding to information spills;
6931 b. Identifying the specific information involved in the system contamination;
6932 c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using
6933 a method of communication not associated with the spill;
6934 d. Isolating the contaminated system or system component;
6935 e. Eradicating the information from the contaminated system or component;
6936 f. Identifying other systems or system components that may have been subsequently
6937 contaminated; and
6938 g. Performing the following additional actions: [Assignment: organization-defined actions].
6939 Discussion: Information spillage refers to instances where information is placed on systems that
6940 are not authorized to process such information. Information spills occur when information that is
6941 thought to be a certain classification or impact level is transmitted to a system and subsequently
6942 is determined to be of higher classification or impact level. At that point, corrective action is
6943 required. The nature of the response is based upon the classification or impact level of the spilled
6944 information, the security capabilities of the system, the specific nature of contaminated storage
6945 media, and the access authorizations of individuals with authorized access to the contaminated
6946 system. The methods used to communicate information about the spill after the fact do not
6947 involve methods directly associated with the actual spill to minimize the risk of further spreading
6948 the contamination before such contamination is isolated and eradicated.
6949 Related Controls: CP-2, IR-6, PM-26, PM-27, RA-7.
6950 Control Enhancements:
6951 (1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL
6952 [Withdrawn: Incorporated into IR-9.]
6953 (2) INFORMATION SPILLAGE RESPONSE | TRAINING
6954 Provide information spillage response training [Assignment: organization-defined
6955 frequency].
6956 Discussion: Organizations establish requirements for responding to information spillage
6957 incidents in incident response plans. Incident response training on a regular basis helps to
6958 ensure that organizational personnel understand their individual responsibilities and what
6959 specific actions to take when spillage incidents occur.
6960 Related Controls: AT-2, AT-3, CP-3, IR-2.
6961 (3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS
6962 Implement the following procedures to ensure that organizational personnel impacted by
6963 information spills can continue to carry out assigned tasks while contaminated systems are
6964 undergoing corrective actions: [Assignment: organization-defined procedures].
6965 Discussion: Correction actions for systems contaminated due to information spillages may
6966 be time-consuming. Personnel may not have access to the contaminated systems while
6967 corrective actions are being taken, which may potentially affect their ability to conduct
6968 organizational business.

CHAPTER THREE PAGE 155

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6969 Related Controls: None.

6970 (4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL
6971 Employ the following controls for personnel exposed to information not within assigned
6972 access authorizations: [Assignment: organization-defined controls].
6973 Discussion: Controls include ensuring that personnel who are exposed to spilled information
6974 are made aware of the laws, executive orders, directives, regulations, policies, standards,
6975 and guidelines regarding the information and the restrictions imposed based on exposure to
6976 such information.
6977 Related Controls: None.
6978 References: None.

6979 IR-10 INCIDENT ANALYSIS

6980 [Withdrawn: Incorporated into IR-4(11).]

CHAPTER THREE PAGE 156

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

6981 3.9 MAINTENANCE

6982 Quick link to Maintenance summary table

6983 MA-1 POLICY AND PROCEDURES

6984 Control:
6985 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
6986 roles]:
6987 1. [Selection (one or more): organization-level; mission/business process-level; system-
6988 level] maintenance policy that:
6989 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
6990 coordination among organizational entities, and compliance; and
6991 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
6992 standards, and guidelines; and
6993 2. Procedures to facilitate the implementation of the maintenance policy and the
6994 associated maintenance controls;
6995 b. Designate an [Assignment: organization-defined official] to manage the development,
6996 documentation, and dissemination of the maintenance policy and procedures; and
6997 c. Review and update the current maintenance:
6998 1. Policy [Assignment: organization-defined frequency]; and
6999 2. Procedures [Assignment: organization-defined frequency].
7000 Discussion: This control addresses policy and procedures for the controls in the MA family
7001 implemented within systems and organizations. The risk management strategy is an important
7002 factor in establishing such policies and procedures. Policies and procedures help provide security
7003 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
7004 on their development. Security and privacy program policies and procedures at the organization
7005 level are preferable, in general, and may obviate the need for system-specific policies and
7006 procedures. The policy can be included as part of the general security and privacy policy or can
7007 be represented by multiple policies reflecting the complex nature of organizations. Procedures
7008 can be established for security and privacy programs and for systems, if needed. Procedures
7009 describe how the policies or controls are implemented and can be directed at the individual or
7010 role that is the object of the procedure. Procedures can be documented in system security and
7011 privacy plans or in one or more separate documents. Restating controls does not constitute an
7012 organizational policy or procedure.
7013 Related Controls: PM-9, PS-8, SI-12.
7014 Control Enhancements: None.
7015 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

7016 MA-2 CONTROLLED MAINTENANCE

7017 Control:
7018 a. Schedule, document, and review records of maintenance, repair, or replacement on system
7019 components in accordance with manufacturer or vendor specifications and/or organizational
7020 requirements;

CHAPTER THREE PAGE 157

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7021 b. Approve and monitor all maintenance activities, whether performed on site or remotely and
7022 whether the system or system components are serviced on site or removed to another
7023 location;
7024 c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the
7025 removal of the system or system components from organizational facilities for off-site
7026 maintenance, repair, or replacement;
7027 d. Sanitize equipment to remove the following information from associated media prior to
7028 removal from organizational facilities for off-site maintenance, repair, or replacement:
7029 [Assignment: organization-defined information];
7030 e. Check all potentially impacted controls to verify that the controls are still functioning
7031 properly following maintenance, repair, or replacement actions; and
7032 f. Include the following information in organizational maintenance records: [Assignment:
7033 organization-defined information].
7034 Discussion: Controlling system maintenance addresses the information security aspects of the
7035 system maintenance program and applies to all types of maintenance to system components
7036 conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners,
7037 copiers, and printers. Information necessary for creating effective maintenance records includes
7038 date and time of maintenance; name of individuals or group performing the maintenance; name
7039 of escort, if necessary; a description of the maintenance performed; and system components or
7040 equipment removed or replaced. Organizations consider supply chain issues associated with
7041 replacement components for systems.
7042 Related Controls: CM-2, CM-3, CM-4, CM-5, CM-8, MA-4, MP-6, PE-16, SI-2, SR-3, SR-4, SR-11.
7043 Control Enhancements:
7044 (1) CONTROLLED MAINTENANCE | RECORD CONTENT
7045 [Withdrawn: Incorporated into MA-2.]
7046 (2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES
7047 (a) Schedule, conduct, and document maintenance, repair, and replacement actions for
7048 the system using [Assignment: organization-defined automated mechanisms]; and
7049 (b) Produce up-to date, accurate, and complete records of all maintenance, repair, and
7050 replacement actions requested, scheduled, in process, and completed.
7051 Discussion: The use of automated mechanisms to manage and control system maintenance
7052 programs and activities helps to ensure the generation of timely, accurate, complete, and
7053 consistent maintenance records.
7054 Related Controls: MA-3.
7055 References: [OMB A-130]; [IR 8023].

7056 MA-3 MAINTENANCE TOOLS

7057 Control:
7058 a. Approve, control, and monitor the use of system maintenance tools; and
7059 b. Review previously approved system maintenance tools [Assignment: organization-defined
7060 frequency].
7061 Discussion: Approving, controlling, monitoring, and reviewing maintenance tools are intended to
7062 address security-related issues associated with maintenance tools that are not within system
7063 boundaries but are used specifically for diagnostic and repair actions on organizational systems.

CHAPTER THREE PAGE 158

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7064 Organizations have flexibility in determining roles for approval of maintenance tools and how
7065 that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the
7066 approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can
7067 include hardware, software, and firmware items. Such tools can be vehicles for transporting
7068 malicious code, intentionally or unintentionally, into a facility and subsequently into systems.
7069 Maintenance tools can include hardware and software diagnostic test equipment and packet
7070 sniffers. The hardware and software components that support system maintenance and are a
7071 part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware
7072 and software implementing the monitoring port of an Ethernet switch, are not addressed by
7073 maintenance tools.
7074 Related Controls: MA-2, PE-16.
7075 Control Enhancements:
7076 (1) MAINTENANCE TOOLS | INSPECT TOOLS
7077 Inspect the maintenance tools used by maintenance personnel for improper or
7078 unauthorized modifications.
7079 Discussion: Maintenance tools can be brought into a facility directly by maintenance
7080 personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance
7081 tools, organizations determine that the tools have been modified in an improper manner or
7082 the tools contain malicious code, the incident is handled consistent with organizational
7083 policies and procedures for incident handling.
7084 Related Controls: SI-7.
7085 (2) MAINTENANCE TOOLS | INSPECT MEDIA
7086 Check media containing diagnostic and test programs for malicious code before the media
7087 are used in the system.
7088 Discussion: If, upon inspection of media containing maintenance diagnostic and test
7089 programs, organizations determine that the media contain malicious code, the incident is
7090 handled consistent with organizational incident handling policies and procedures.
7091 Related Controls: SI-3.
7092 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL
7093 Prevent the removal of maintenance equipment containing organizational information by:
7094 (a) Verifying that there is no organizational information contained on the equipment;
7095 (b) Sanitizing or destroying the equipment;
7096 (c) Retaining the equipment within the facility; or
7097 (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles]
7098 explicitly authorizing removal of the equipment from the facility.
7099 Discussion: Organizational information includes all information owned by organizations and
7100 any information provided to organizations for which the organizations serve as information
7101 stewards.
7102 Related Controls: MP-6.
7103 (4) MAINTENANCE TOOLS | RESTRICTED TOOL USE
7104 Restrict the use of maintenance tools to authorized personnel only.
7105 Discussion: This control enhancement applies to systems that are used to carry out
7106 maintenance functions.
7107 Related Controls: AC-3, AC-5, AC-6.

CHAPTER THREE PAGE 159

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7108 (5) MAINTENANCE TOOLS | EXECUTION WITH PRIVILEGE

7109 Monitor the use of maintenance tools that execute with increased privilege.
7110 Discussion: Maintenance tools that execute with increased system privilege can result in
7111 unauthorized access to organizational information and assets that would otherwise be
7112 inaccessible.
7113 Related Controls: AC-3, AC-6.
7114 (6) MAINTENANCE TOOLS | SOFTWARE UPDATES AND PATCHES
7115 Inspect maintenance tools to ensure the latest software updates and patches are installed.
7116 Discussion: Maintenance tools using outdated and/or unpatched software can provide a
7117 threat vector for adversaries and result in a significant vulnerability for organizations.
7118 Related Controls: AC-3, AC-6.
7119 References: [SP 800-88].

7120 MA-4 NONLOCAL MAINTENANCE

7121 Control:
7122 a. Approve and monitor nonlocal maintenance and diagnostic activities;
7123 b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with
7124 organizational policy and documented in the security plan for the system;
7125 c. Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic
7126 sessions;
7127 d. Maintain records for nonlocal maintenance and diagnostic activities; and
7128 e. Terminate session and network connections when nonlocal maintenance is completed.
7129 Discussion: Nonlocal maintenance and diagnostic activities are conducted by individuals
7130 communicating through a network, either an external network or an internal network. Local
7131 maintenance and diagnostic activities are those activities carried out by individuals physically
7132 present at the system and not communicating across a network connection. Authentication
7133 techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect
7134 the network access requirements in IA-2. Strong authentication requires authenticators that are
7135 resistant to replay attacks and employ multifactor authentication. Strong authenticators include
7136 PKI where certificates are stored on a token protected by a password, passphrase, or biometric.
7137 Enforcing requirements in MA-4 is accomplished in part by other controls.
7138 Related Controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, PL-2,
7139 SC-7, SC-10.
7140 Control Enhancements:
7141 (1) NONLOCAL MAINTENANCE | LOGGING AND REVIEW
7142 (a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and
7143 diagnostic sessions; and
7144 (b) Review the audit records of the maintenance and diagnostic sessions.
7145 Discussion: Audit logging for nonlocal maintenance is enforced by AU-2. Audit events are
7146 defined in AU-2a. The review of audit records of maintenance and diagnostic sessions is to
7147 detect anomalous behavior.
7148 Related Controls: AU-6, AU-12.

CHAPTER THREE PAGE 160

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7149 (2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE

7150 [Withdrawn: Incorporated into MA-1, MA-4.]
7151 (3) NONLOCAL MAINTENANCE | COMPARABLE SECURITY AND SANITIZATION
7152 (a) Require that nonlocal maintenance and diagnostic services be performed from a
7153 system that implements a security capability comparable to the capability
7154 implemented on the system being serviced; or
7155 (b) Remove the component to be serviced from the system prior to nonlocal maintenance
7156 or diagnostic services; sanitize the component (for organizational information); and
7157 after the service is performed, inspect and sanitize the component (for potentially
7158 malicious software) before reconnecting the component to the system.
7159 Discussion: Comparable security capability on systems, diagnostic tools, and equipment
7160 providing maintenance services implies that the implemented controls on those systems,
7161 tools, and equipment are at least as comprehensive as the controls on the system being
7162 serviced.
7163 Related Controls: MP-6, SI-3, SI-7.
7164 (4) NONLOCAL MAINTENANCE | AUTHENTICATION AND SEPARATION OF MAINTENANCE SESSIONS
7165 Protect nonlocal maintenance sessions by:
7166 (a) Employing [Assignment: organization-defined authenticators that are replay
7167 resistant]; and
7168 (b) Separating the maintenance sessions from other network sessions with the system by
7169 either:
7170 (1) Physically separated communications paths; or
7171 (2) Logically separated communications paths.
7172 Discussion: Communications paths can be logically separated using encryption.
7173 Related Controls: None.
7174 (5) NONLOCAL MAINTENANCE | APPROVALS AND NOTIFICATIONS
7175 (a) Require the approval of each nonlocal maintenance session by [Assignment:
7176 organization-defined personnel or roles]; and
7177 (b) Notify the following personnel or roles of the date and time of planned nonlocal
7178 maintenance: [Assignment: organization-defined personnel or roles].
7179 Discussion: Notification may be performed by maintenance personnel. Approval of nonlocal
7180 maintenance is accomplished by personnel with sufficient information security and system
7181 knowledge to determine the appropriateness of the proposed maintenance.
7182 Related Controls: None.
7183 (6) NONLOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION
7184 Implement the following cryptographic mechanisms to protect the integrity and
7185 confidentiality of nonlocal maintenance and diagnostic communications: [Assignment:
7186 organization-defined cryptographic mechanisms].
7187 Discussion: Failure to protect nonlocal maintenance and diagnostic communications can
7188 result in unauthorized individuals gaining access to sensitive organizational information.
7189 Unauthorized access during remote maintenance sessions can result in a variety of hostile
7190 actions including malicious code insertion, unauthorized changes to system parameters, and
7191 exfiltration of organizational information. Such actions can result in the loss or degradation
7192 of mission capability.
7193 Related Controls: SC-8, SC-13.

CHAPTER THREE PAGE 161

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7194 (7) NONLOCAL MAINTENANCE | DISCONNECT VERIFICATION

7195 Verify session and network connection termination after the completion of nonlocal
7196 maintenance and diagnostic sessions.
7197 Discussion: This control enhancement ensures that connections established during nonlocal
7198 maintenance and diagnostic sessions have been terminated and are no longer available for
7199 use.
7200 Related Controls: AC-12.
7201 References: [FIPS 140-3]; [FIPS 197]; [FIPS 201-2]; [SP 800-63-3]; [SP 800-88].

7202 MA-5 MAINTENANCE PERSONNEL

7203 Control:
7204 a. Establish a process for maintenance personnel authorization and maintain a list of
7205 authorized maintenance organizations or personnel;
7206 b. Verify that non-escorted personnel performing maintenance on the system possess the
7207 required access authorizations; and
7208 c. Designate organizational personnel with required access authorizations and technical
7209 competence to supervise the maintenance activities of personnel who do not possess the
7210 required access authorizations.
7211 Discussion: Maintenance personnel refers to individuals performing hardware or software
7212 maintenance on organizational systems, while PE-2 addresses physical access for individuals
7213 whose maintenance duties place them within the physical protection perimeter of the systems.
7214 Technical competence of supervising individuals relates to the maintenance performed on the
7215 systems while having required access authorizations refers to maintenance on and near the
7216 systems. Individuals not previously identified as authorized maintenance personnel, such as
7217 information technology manufacturers, vendors, systems integrators, and consultants, may
7218 require privileged access to organizational systems, for example, when required to conduct
7219 maintenance activities with little or no notice. Based on organizational assessments of risk,
7220 organizations may issue temporary credentials to these individuals. Temporary credentials may
7221 be for one-time use or for very limited time-periods.
7222 Related Controls: AC-2, AC-3, AC-5, AC-6, IA-2, IA-8, MA-4, MP-2, PE-2, PE-3, PS-7, RA-3.
7223 Control Enhancements:
7224 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
7225 (a) Implement procedures for the use of maintenance personnel that lack appropriate
7226 security clearances or are not U.S. citizens, that include the following requirements:
7227 i. Maintenance personnel who do not have needed access authorizations, clearances,
7228 or formal access approvals are escorted and supervised during the performance of
7229 maintenance and diagnostic activities on the system by approved organizational
7230 personnel who are fully cleared, have appropriate access authorizations, and are
7231 technically qualified;
7232 ii. Prior to initiating maintenance or diagnostic activities by personnel who do not
7233 have needed access authorizations, clearances or formal access approvals, all
7234 volatile information storage components within the system are sanitized and all
7235 nonvolatile storage media are removed or physically disconnected from the system
7236 and secured; and

CHAPTER THREE PAGE 162

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7237 (b) Develop and implement [Assignment: organization-defined alternate controls] in the
7238 event a system component cannot be sanitized, removed, or disconnected from the
7239 system.
7240 Discussion: Procedures for individuals who lack appropriate security clearances or who are
7241 not U.S. citizens are intended to deny visual and electronic access to classified or controlled
7242 unclassified information contained on organizational systems. Procedures for the use of
7243 maintenance personnel can be documented in security plans for the systems.
7244 Related Controls: MP-6, PL-2.
7245 (2) MAINTENANCE PERSONNEL | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
7246 Verify that personnel performing maintenance and diagnostic activities on a system
7247 processing, storing, or transmitting classified information possess security clearances and
7248 formal access approvals for at least the highest classification level and for compartments
7249 of information on the system.
7250 Discussion: Personnel conducting maintenance on organizational systems may be exposed
7251 to classified information during the course of their maintenance activities. To mitigate the
7252 inherent risk of such exposure, organizations use maintenance personnel that are cleared
7253 (i.e., possess security clearances) to the classification level of the information stored on the
7254 system.
7255 Related Controls: PS-3.
7256 (3) MAINTENANCE PERSONNEL | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
7257 Verify that personnel performing maintenance and diagnostic activities on a system
7258 processing, storing, or transmitting classified information are U.S. citizens.
7259 Discussion: Personnel conducting maintenance on organizational systems may be exposed
7260 to classified information during the course of their maintenance activities. If access to
7261 classified information on organizational systems is restricted to U. S. citizens, the same
7262 restriction is applied to personnel performing maintenance on those systems.
7263 Related Controls: PS-3.
7264 (4) MAINTENANCE PERSONNEL | FOREIGN NATIONALS
7265 Verify that:
7266 (a) Foreign nationals with appropriate security clearances are used to conduct
7267 maintenance and diagnostic activities on classified systems only when the systems are
7268 jointly owned and operated by the United States and foreign allied governments, or
7269 owned and operated solely by foreign allied governments; and
7270 (b) Approvals, consents, and detailed operational conditions regarding the use of foreign
7271 nationals to conduct maintenance and diagnostic activities on classified systems are
7272 fully documented within Memoranda of Agreements.
7273 Discussion: Personnel conducting maintenance on organizational systems may be exposed
7274 to classified information during the course of their maintenance activities. To mitigate the
7275 inherent risk of such exposure, organizations use maintenance personnel that are cleared
7276 (i.e., possess security clearances) to the classification level of the information stored on the
7277 system.
7278 Related Controls: PS-3.
7279 (5) MAINTENANCE PERSONNEL | NON-SYSTEM MAINTENANCE
7280 Verify that non-escorted personnel performing maintenance activities not directly
7281 associated with the system but in the physical proximity of the system, have required
7282 access authorizations.

CHAPTER THREE PAGE 163

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7283 Discussion: Personnel performing maintenance activities in other capacities not directly
7284 related to the system include physical plant personnel and custodial personnel.
7285 Related Controls: None.
7286 References: None.

7287 MA-6 TIMELY MAINTENANCE

7288 Control: Obtain maintenance support and/or spare parts for [Assignment: organization-defined
7289 system components] within [Assignment: organization-defined time-period] of failure.
7290 Discussion: Organizations specify the system components that result in increased risk to
7291 organizational operations and assets, individuals, other organizations, or the Nation when the
7292 functionality provided by those components is not operational. Organizational actions to obtain
7293 maintenance support include having appropriate contracts in place.
7294 Related Controls: CM-8, CP-2, CP-7, RA-7, SA-15, SI-13, SR-2, SR-3, SR-4.
7295 Control Enhancements:
7296 (1) TIMELY MAINTENANCE | PREVENTIVE MAINTENANCE
7297 Perform preventive maintenance on [Assignment: organization-defined system
7298 components] at [Assignment: organization-defined time intervals].
7299 Discussion: Preventive maintenance includes proactive care and the servicing of system
7300 components to maintain organizational equipment and facilities in satisfactory operating
7301 condition. Such maintenance provides for the systematic inspection, tests, measurements,
7302 adjustments, parts replacement, detection, and correction of incipient failures either before
7303 they occur or before they develop into major defects. The primary goal of preventive
7304 maintenance is to avoid or mitigate the consequences of equipment failures. Preventive
7305 maintenance is designed to preserve and restore equipment reliability by replacing worn
7306 components before they fail. Methods of determining what preventive (or other) failure
7307 management policies to apply include original equipment manufacturer recommendations;
7308 statistical failure records; expert opinion; maintenance that has already been conducted on
7309 similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or
7310 measured values and performance indications.
7311 Related Controls: None.
7312 (2) TIMELY MAINTENANCE | PREDICTIVE MAINTENANCE
7313 Perform predictive maintenance on [Assignment: organization-defined system
7314 components] at [Assignment: organization-defined time intervals].
7315 Discussion: Predictive maintenance evaluates the condition of equipment by performing
7316 periodic or continuous (online) equipment condition monitoring. The goal of predictive
7317 maintenance is to perform maintenance at a scheduled time when the maintenance activity
7318 is most cost-effective and before the equipment loses performance within a threshold. The
7319 predictive component of predictive maintenance stems from the objective of predicting the
7320 future trend of the equipment's condition. The predictive maintenance approach employs
7321 principles of statistical process control to determine at what point in the future maintenance
7322 activities will be appropriate. Most predictive maintenance inspections are performed while
7323 equipment is in service, thus, minimizing disruption of normal system operations. Predictive
7324 maintenance can result in substantial cost savings and higher system reliability.
7325 Related Controls: None.

CHAPTER THREE PAGE 164

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7326 (3) TIMELY MAINTENANCE | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE

7327 Transfer predictive maintenance data to a maintenance management system using
7328 [Assignment: organization-defined automated mechanisms].
7329 Discussion: A computerized maintenance management system maintains a database of
7330 information about the maintenance operations of organizations and automates processing
7331 equipment condition data to trigger maintenance planning, execution, and reporting.
7332 Related Controls: None.
7333 References: None.

7334 MA-7 FIELD MAINTENANCE

7335 Control: Restrict or prohibit field maintenance on [Assignment: organization-defined systems or
7336 system components] to [Assignment: organization-defined trusted maintenance facilities].
7337 Discussion: Field maintenance is the type of maintenance conducted on a system or system
7338 component after the system or component has been deployed to a specific site (i.e., operational
7339 environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not
7340 be executed with the same degree of rigor or with the same quality control checks as depot
7341 maintenance. For critical systems designated as such by the organization, it may be necessary to
7342 restrict or prohibit field maintenance at the local site and require that such maintenance be
7343 conducted in trusted facilities with additional controls.
7344 Related Controls: MA-2, MA-4, MA-5.
7345 Control Enhancements: None.
7346 References: None.

CHAPTER THREE PAGE 165

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7347 3.10 MEDIA PROTECTION

7348 Quick link to Media Protection summary table

7349 MP-1 POLICY AND PROCEDURES

7350 Control:
7351 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
7352 roles]:
7353 1. [Selection (one or more): organization-level; mission/business process-level; system-
7354 level] media protection policy that:
7355 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
7356 coordination among organizational entities, and compliance; and
7357 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
7358 standards, and guidelines; and
7359 2. Procedures to facilitate the implementation of the media protection policy and the
7360 associated media protection controls;
7361 b. Designate an [Assignment: organization-defined official] to manage the development,
7362 documentation, and dissemination of the media protection policy and procedures; and
7363 c. Review and update the current media protection:
7364 1. Policy [Assignment: organization-defined frequency]; and
7365 2. Procedures [Assignment: organization-defined frequency].
7366 Discussion: This control addresses policy and procedures for the controls in the MP family
7367 implemented within systems and organizations. The risk management strategy is an important
7368 factor in establishing such policies and procedures. Policies and procedures help provide security
7369 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
7370 on their development. Security and privacy program policies and procedures at the organization
7371 level are preferable, in general, and may obviate the need for system-specific policies and
7372 procedures. The policy can be included as part of the general security and privacy policy or can
7373 be represented by multiple policies reflecting the complex nature of organizations. Procedures
7374 can be established for security and privacy programs and for systems, if needed. Procedures
7375 describe how the policies or controls are implemented and can be directed at the individual or
7376 role that is the object of the procedure. Procedures can be documented in system security and
7377 privacy plans or in one or more separate documents. Restating controls does not constitute an
7378 organizational policy or procedure.
7379 Related Controls: PM-9, PS-8, SI-12.
7380 Control Enhancements: None.
7381 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

7382 MP-2 MEDIA ACCESS

7383 Control: Restrict access to [Assignment: organization-defined types of digital and/or non-digital
7384 media] to [Assignment: organization-defined personnel or roles].
7385 Discussion: System media includes digital and non-digital media. Digital media includes flash
7386 drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic),
7387 compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying

CHAPTER THREE PAGE 166

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7388 access to patient medical records in a community hospital unless the individuals seeking access
7389 to such records are authorized healthcare providers is an example of restricting access to non-
7390 digital media. Limiting access to the design specifications stored on compact disks in the media
7391 library to individuals on the system development team is an example of restricting access to
7392 digital media.
7393 Related Controls: AC-19, AU-9, CP-2, CP-9, CP-10, MA-5, MP-4, MP-6, PE-2, PE-3, SC-13, SC-34,
7394 SI-12.
7395 Control Enhancements:
7396 (1) MEDIA ACCESS | AUTOMATED RESTRICTED ACCESS
7397 [Withdrawn: Incorporated into MP-4(2).]
7398 (2) MEDIA ACCESS | CRYPTOGRAPHIC PROTECTION
7399 [Withdrawn: Incorporated into SC-28(1).]
7400 References: [OMB A-130]; [FIPS 199]; [SP 800-111].

7401 MP-3 MEDIA MARKING

7402 Control:
7403 a. Mark system media indicating the distribution limitations, handling caveats, and applicable
7404 security markings (if any) of the information; and
7405 b. Exempt [Assignment: organization-defined types of system media] from marking if the media
7406 remain within [Assignment: organization-defined controlled areas].
7407 Discussion: Security marking refers to the application or use of human-readable security
7408 attributes. Security labeling refers to the application or use of security attributes regarding
7409 internal data structures within systems. System media includes digital and non-digital media.
7410 Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid
7411 state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes
7412 paper and microfilm. Controlled unclassified information is defined by the National Archives and
7413 Records Administration along with the appropriate safeguarding and dissemination requirements
7414 for such information and is codified in [32 CFR 2002]. Security marking is generally not required
7415 for media containing information determined by organizations to be in the public domain or to
7416 be publicly releasable. However, some organizations may require markings for public information
7417 indicating that the information is publicly releasable. System media marking reflects applicable
7418 laws, executive orders, directives, policies, regulations, standards, and guidelines.
7419 Related Controls: AC-16, CP-9, MP-5, PE-22, SI-12.
7420 Control Enhancements: None.
7421 References: [32 CFR 2002]; [FIPS 199].

7422 MP-4 MEDIA STORAGE

7423 Control:
7424 a. Physically control and securely store [Assignment: organization-defined types of digital
7425 and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
7426 b. Protect system media types defined in MP-4a until the media are destroyed or sanitized
7427 using approved equipment, techniques, and procedures.
7428 Discussion: System media includes digital and non-digital media. Digital media includes flash
7429 drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic),

CHAPTER THREE PAGE 167

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7430 compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically
7431 controlling stored media includes conducting inventories, ensuring procedures are in place to
7432 allow individuals to check out and return media to the library, and maintaining accountability for
7433 stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media
7434 library. The type of media storage is commensurate with the security category or classification of
7435 the information on the media. Controlled areas are spaces that provide physical and procedural
7436 controls to meet the requirements established for protecting information and systems. For
7437 media containing information determined to be in the public domain, to be publicly releasable,
7438 or to have limited adverse impact on organizations, operations, or individuals if accessed by
7439 other than authorized personnel, fewer controls may be needed. In these situations, physical
7440 access controls provide adequate protection.
7441 Related Controls: AC-19, CP-2, CP-6, CP-9, CP-10, MP-2, MP-7, PE-3, PL-2, SC-13, SC-28, SC-34, SI-
7442 12.
7443 Control Enhancements:
7444 (1) MEDIA STORAGE | CRYPTOGRAPHIC PROTECTION
7445 [Withdrawn: Incorporated into SC-28(1).]
7446 (2) MEDIA STORAGE | AUTOMATED RESTRICTED ACCESS
7447 Restrict access to media storage areas, log access attempts, and access granted using
7448 [Assignment: organization-defined automated mechanisms].
7449 Discussion: Automated mechanisms include keypads or card readers on the external entries
7450 to media storage areas.
7451 Related Controls: AC-3, AU-2, AU-6, AU-9, AU-12, PE-3.
7452 References: [FIPS 199]; [SP 800-56A]; [SP 800-56B]; [SP 800-56C]; [SP 800-57-1]; [SP 800-57-2];
7453 [SP 800-57-3]; [SP 800-111].

7454 MP-5 MEDIA TRANSPORT

7455 Control:
7456 a. Protect and control [Assignment: organization-defined types of system media] during
7457 transport outside of controlled areas using [Assignment: organization-defined controls];
7458 b. Maintain accountability for system media during transport outside of controlled areas;
7459 c. Document activities associated with the transport of system media; and
7460 d. Restrict the activities associated with the transport of system media to authorized
7461 personnel.
7462 Discussion: System media includes digital and non-digital media. Digital media includes flash
7463 drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and
7464 magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and
7465 paper. Controlled areas are spaces for which organizations provide physical or procedural
7466 controls to meet requirements established for protecting information and systems. Controls to
7467 protect media during transport include cryptography and locked containers. Cryptographic
7468 mechanisms can provide confidentiality and integrity protections depending on the mechanisms
7469 implemented. Activities associated with media transport include releasing media for transport,
7470 ensuring that media enters the appropriate transport processes, and the actual transport.
7471 Authorized transport and courier personnel may include individuals external to the organization.
7472 Maintaining accountability of media during transport includes restricting transport activities to
7473 authorized personnel, and tracking and/or obtaining records of transport activities as the media
7474 moves through the transportation system to prevent and detect loss, destruction, or tampering.

CHAPTER THREE PAGE 168

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7475 Organizations establish documentation requirements for activities associated with the transport
7476 of system media in accordance with organizational assessments of risk. Organizations maintain
7477 the flexibility to define record-keeping methods for the different types of media transport as part
7478 of a system of transport-related records.
7479 Related Controls: AC-7, AC-19, CP-2, CP-9, MP-3, MP-4, PE-16, PL-2, SC-13, SC-28, SC-34.
7480 Control Enhancements:
7481 (1) MEDIA TRANSPORT | PROTECTION OUTSIDE OF CONTROLLED AREAS
7482 [Withdrawn: Incorporated into MP-5.]
7483 (2) MEDIA TRANSPORT | DOCUMENTATION OF ACTIVITIES
7484 [Withdrawn: Incorporated into MP-5.]
7485 (3) MEDIA TRANSPORT | CUSTODIANS
7486 Employ an identified custodian during transport of system media outside of controlled
7487 areas.
7488 Discussion: Identified custodians provide organizations with specific points of contact during
7489 the media transport process and facilitate individual accountability. Custodial responsibilities
7490 can be transferred from one individual to another if an unambiguous custodian is identified.
7491 Related Controls: None.
7492 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION
7493 [Withdrawn: Incorporated into SC-28(1).]
7494 References: [FIPS 199]; [SP 800-60 v1]; [SP 800-60 v2].

7495 MP-6 MEDIA SANITIZATION

7496 Control:
7497 a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of
7498 organizational control, or release for reuse using [Assignment: organization-defined
7499 sanitization techniques and procedures]; and
7500 b. Employ sanitization mechanisms with the strength and integrity commensurate with the
7501 security category or classification of the information.
7502 Discussion: Media sanitization applies to all digital and non-digital system media subject to
7503 disposal or reuse, whether or not the media is considered removable. Examples include digital
7504 media in scanners, copiers, printers, notebook computers, workstations, network components,
7505 mobile devices, and non-digital media such as paper and microfilm. The sanitization process
7506 removes information from system media such that the information cannot be retrieved or
7507 reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-
7508 identification of personally identifiable information, and destruction, prevent the disclosure of
7509 information to unauthorized individuals when such media is reused or released for disposal.
7510 Organizations determine the appropriate sanitization methods recognizing that destruction is
7511 sometimes necessary when other methods cannot be applied to media requiring sanitization.
7512 Organizations use discretion on the employment of approved sanitization techniques and
7513 procedures for media containing information deemed to be in the public domain or publicly
7514 releasable or information deemed to have no adverse impact on organizations or individuals if
7515 released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a
7516 classified appendix from an otherwise unclassified document, or redacting selected sections or
7517 words from a document by obscuring the redacted sections or words in a manner equivalent in
7518 effectiveness to removing them from the document. NARA policies controls the sanitization

CHAPTER THREE PAGE 169

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7519 process for controlled unclassified information. NSA standards and policies control the
7520 sanitization process for media containing classified information.
7521 Related Controls: AC-3, AC-7, AU-11, MA-2, MA-3, MA-4, MA-5, PM-22, SI-12, SI-18, SI-19, SR-11.
7522 Control Enhancements:
7523 (1) MEDIA SANITIZATION | REVIEW, APPROVE, TRACK, DOCUMENT, AND VERIFY
7524 Review, approve, track, document, and verify media sanitization and disposal actions.
7525 Discussion: Organizations review and approve media to be sanitized to ensure compliance
7526 with records-retention policies. Tracking and documenting actions include listing personnel
7527 who reviewed and approved sanitization and disposal actions; types of media sanitized; files
7528 stored on the media; sanitization methods used; date and time of the sanitization actions;
7529 personnel who performed the sanitization; verification actions taken and personnel who
7530 performed the verification; and the disposal actions taken. Organizations verify that the
7531 sanitization of the media was effective prior to disposal.
7532 Related Controls: None.
7533 (2) MEDIA SANITIZATION | EQUIPMENT TESTING
7534 Test sanitization equipment and procedures [Assignment: organization-defined frequency]
7535 to verify that the intended sanitization is being achieved.
7536 Discussion: Testing of sanitization equipment and procedures may be conducted by
7537 qualified and authorized external entities, including federal agencies or external service
7538 providers.
7539 Related Controls: None.
7540 (3) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES
7541 Apply nondestructive sanitization techniques to portable storage devices prior to
7542 connecting such devices to the system under the following circumstances: [Assignment:
7543 organization-defined circumstances requiring sanitization of portable storage devices].
7544 Discussion: Portable storage devices include external or removable hard disk drives (solid
7545 state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash
7546 memory cards, and other external or removable disks. Portable storage devices can be
7547 obtained from untrustworthy sources and can contain malicious code that can be inserted
7548 into or transferred to organizational systems through USB ports or other entry portals. While
7549 scanning storage devices is recommended, sanitization provides additional assurance that
7550 such devices are free of malicious code. Organizations consider nondestructive sanitization
7551 of portable storage devices when the devices are purchased from manufacturers or vendors
7552 prior to initial use or when organizations cannot maintain a positive chain of custody for the
7553 devices.
7554 Related Controls: None.
7555 (4) MEDIA SANITIZATION | CONTROLLED UNCLASSIFIED INFORMATION
7556 [Withdrawn: Incorporated into MP-6.]
7557 (5) MEDIA SANITIZATION | CLASSIFIED INFORMATION
7558 [Withdrawn: Incorporated into MP-6.]
7559 (6) MEDIA SANITIZATION | MEDIA DESTRUCTION
7560 [Withdrawn: Incorporated into MP-6.]

CHAPTER THREE PAGE 170

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7561 (7) MEDIA SANITIZATION | DUAL AUTHORIZATION

7562 Enforce dual authorization for the sanitization of [Assignment: organization-defined
7563 system media].
7564 Discussion: Organizations employ dual authorization to help ensure that system media
7565 sanitization cannot occur unless two technically qualified individuals conduct the designated
7566 task. Individuals sanitizing system media possess sufficient skills and expertise to determine
7567 if the proposed sanitization reflects applicable federal and organizational standards, policies,
7568 and procedures. Dual authorization also helps to ensure that sanitization occurs as intended,
7569 both protecting against errors and false claims of having performed the sanitization actions.
7570 Dual authorization may also be known as two-person control. To reduce the risk of collusion,
7571 organizations consider rotating dual authorization duties to other individuals.
7572 Related Controls: AC-3, MP-2.
7573 (8) MEDIA SANITIZATION | REMOTE PURGING OR WIPING OF INFORMATION
7574 Provide the capability to purge or wipe information from [Assignment: organization-
7575 defined systems or system components] [Selection: remotely; under the following
7576 conditions: [Assignment: organization-defined conditions]].
7577 Discussion: Remote purging or wiping of information protects information on organizational
7578 systems and system components if systems or components are obtained by unauthorized
7579 individuals. Remote purge or wipe commands require strong authentication to help mitigate
7580 the risk of unauthorized individuals purging or wiping the system, component, or device. The
7581 purge or wipe function can be implemented in a variety of ways, including by overwriting
7582 data or information multiple times or by destroying the key necessary to decrypt encrypted
7583 data.
7584 Related Controls: None.
7585 References: [OMB A-130]; [FIPS 199]; [SP 800-60 v1]; [SP 800-60 v2]. [SP 800-88]; [SP 800-124];
7586 [IR 8023]; [NSA MEDIA].

7587 MP-7 MEDIA USE

7588 Control:
7589 a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system
7590 media] on [Assignment: organization-defined systems or system components] using
7591 [Assignment: organization-defined controls]; and
7592 b. Prohibit the use of portable storage devices in organizational systems when such devices
7593 have no identifiable owner.
7594 Discussion: System media includes both digital and non-digital media. Digital media includes
7595 diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard
7596 disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to
7597 mobile devices with information storage capability. In contrast to MP-2, which restricts user
7598 access to media, MP-7 restricts the use of certain types of media on systems, for example,
7599 restricting or prohibiting use of flash drives or external hard disk drives. Organizations use
7600 technical and nontechnical controls to restrict the use of system media. Organizations may
7601 restrict the use of portable storage devices, for example, by using physical cages on workstations
7602 to prohibit access to certain external ports, or disabling or removing the ability to insert, read or
7603 write to such devices. Organizations may also limit the use of portable storage devices to only
7604 approved devices, including devices provided by the organization, devices provided by other
7605 approved organizations, and devices that are not personally owned. Finally, organizations may
7606 restrict the use of portable storage devices based on the type of device, for example, prohibiting
7607 the use of writeable, portable storage devices, and implementing this restriction by disabling or

CHAPTER THREE PAGE 171

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7608 removing the capability to write to such devices. Requiring identifiable owners for storage
7609 devices reduces the risk of using such devices by allowing organizations to assign responsibility
7610 for addressing known vulnerabilities in the devices.
7611 Related Controls: AC-19, AC-20, PL-4, PM-12, SC-34, SC-41.
7612 Control Enhancements:
7613 (1) MEDIA USE | PROHIBIT USE WITHOUT OWNER
7614 [Withdrawn: Incorporated into MP-7.]
7615 (2) MEDIA USE | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA
7616 Prohibit the use of sanitization-resistant media in organizational systems.
7617 Discussion: Sanitization-resistance refers to non-destructive sanitization techniques and
7618 applies to the capability to purge information from media. Certain types of media do not
7619 support sanitization commands, or if supported, the interfaces are not supported in a
7620 standardized way across these devices. Sanitization-resistant media include compact flash,
7621 embedded flash on boards and devices, solid state drives, and USB removable media.
7622 Related Controls: MP-6.
7623 References: [FIPS 199]; [SP 800-111].

7624 MP-8 MEDIA DOWNGRADING

7625 Control:
7626 a. Establish [Assignment: organization-defined system media downgrading process] that
7627 includes employing downgrading mechanisms with strength and integrity commensurate
7628 with the security category or classification of the information;
7629 b. Verify that the system media downgrading process is commensurate with the security
7630 category and/or classification level of the information to be removed and the access
7631 authorizations of the potential recipients of the downgraded information;
7632 c. Identify [Assignment: organization-defined system media requiring downgrading]; and
7633 d. Downgrade the identified system media using the established process.
7634 Discussion: Media downgrading applies to digital and non-digital media, subject to release
7635 outside the organization, whether the media is considered removable or not removable. The
7636 downgrading process, when applied to system media, removes information from the media,
7637 typically by security category or classification level, such that the information cannot be retrieved
7638 or reconstructed. Downgrading of media includes redacting information to enable wider release
7639 and distribution. Downgrading also ensures that empty space on the media is devoid of
7640 information.
7641 Related Controls: None.
7642 Control Enhancements:
7643 (1) MEDIA DOWNGRADING | DOCUMENTATION OF PROCESS
7644 Document system media downgrading actions.
7645 Discussion: Organizations can document the media downgrading process by providing
7646 information such as the downgrading technique employed, the identification number of the
7647 downgraded media, and the identity of the individual that authorized and/or performed the
7648 downgrading action.
7649 Related Controls: None.

CHAPTER THREE PAGE 172

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7650 (2) MEDIA DOWNGRADING | EQUIPMENT TESTING

7651 Test downgrading equipment and procedures [Assignment: organization-defined
7652 frequency] to verify that downgrading actions are being achieved.
7653 Discussion: None.
7654 Related Controls: None.
7655 (3) MEDIA DOWNGRADING | CONTROLLED UNCLASSIFIED INFORMATION
7656 Downgrade system media containing controlled unclassified information prior to public
7657 release.
7658 Discussion: Downgrading of controlled unclassified information uses approved sanitization
7659 tools, techniques, and procedures.
7660 Related Controls: None.
7661 (4) MEDIA DOWNGRADING | CLASSIFIED INFORMATION
7662 Downgrade system media containing classified information prior to release to individuals
7663 without required access authorizations.
7664 Discussion: Downgrading of classified information uses approved sanitization tools,
7665 techniques, and procedures to transfer information confirmed to be unclassified from
7666 classified systems to unclassified media.
7667 Related Controls: None.
7668 References: None.

CHAPTER THREE PAGE 173

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7669 3.11 PHYSICAL AND ENVIRONMENTAL PROTECTION

7670 Quick link to Physical and Environmental Protection summary table

7671 PE-1 POLICY AND PROCEDURES

7672 Control:
7673 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
7674 roles]:
7675 1. [Selection (one or more): organization-level; mission/business process-level; system-
7676 level] physical and environmental protection policy that:
7677 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
7678 coordination among organizational entities, and compliance; and
7679 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
7680 standards, and guidelines; and
7681 2. Procedures to facilitate the implementation of the physical and environmental
7682 protection policy and the associated physical and environmental protection controls;
7683 b. Designate an [Assignment: organization-defined official] to manage the development,
7684 documentation, and dissemination of the physical and environmental protection policy and
7685 procedures; and
7686 c. Review and update the current physical and environmental protection:
7687 1. Policy [Assignment: organization-defined frequency]; and
7688 2. Procedures [Assignment: organization-defined frequency].
7689 Discussion: This control addresses policy and procedures for the controls in the PE family
7690 implemented within systems and organizations. The risk management strategy is an important
7691 factor in establishing such policies and procedures. Policies and procedures help provide security
7692 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
7693 on their development. Security and privacy program policies and procedures at the organization
7694 level are preferable, in general, and may obviate the need for system-specific policies and
7695 procedures. The policy can be included as part of the general security and privacy policy or can
7696 be represented by multiple policies reflecting the complex nature of organizations. Procedures
7697 can be established for security and privacy programs and for systems, if needed. Procedures
7698 describe how the policies or controls are implemented and can be directed at the individual or
7699 role that is the object of the procedure. Procedures can be documented in system security and
7700 privacy plans or in one or more separate documents. Restating controls does not constitute an
7701 organizational policy or procedure.
7702 Related Controls: AT-3, PM-9, PS-8, SI-12.
7703 Control Enhancements: None.
7704 References: [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

7705 PE-2 PHYSICAL ACCESS AUTHORIZATIONS

7706 Control:
7707 a. Develop, approve, and maintain a list of individuals with authorized access to the facility
7708 where the system resides;

CHAPTER THREE PAGE 174

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7709 b. Issue authorization credentials for facility access;

7710 c. Review the access list detailing authorized facility access by individuals [Assignment:
7711 organization-defined frequency]; and
7712 d. Remove individuals from the facility access list when access is no longer required.
7713 Discussion: Physical access authorizations apply to employees and visitors. Individuals with
7714 permanent physical access authorization credentials are not considered visitors. Authorization
7715 credentials include biometrics, badges, identification cards, and smart cards. Organizations
7716 determine the strength of authorization credentials needed consistent with applicable laws,
7717 executive orders, directives, regulations, policies, standards, and guidelines. Physical access
7718 authorizations are not necessary to access areas within facilities that are designated as publicly
7719 accessible.
7720 Related Controls: AT-3, AU-9, IA-4, MA-5, MP-2, PE-3, PE-4, PE-5, PE-8, PM-12, PS-3, PS-4, PS-5,
7721 PS-6.
7722 Control Enhancements:
7723 (1) PHYSICAL ACCESS AUTHORIZATIONS | ACCESS BY POSITION OR ROLE
7724 Authorize physical access to the facility where the system resides based on position or
7725 role.
7726 Discussion: Role-based facility access includes permanent maintenance personnel, duty
7727 officers, or emergency medical staff.
7728 Related Controls: AC-2, AC-3, AC-6.
7729 (2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION
7730 Require two forms of identification from the following forms of identification for visitor
7731 access to the facility where the system resides: [Assignment: organization-defined list of
7732 acceptable forms of identification].
7733 Discussion: Acceptable forms of identification include passports, REAL ID-compliant drivers’
7734 licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using
7735 automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.
7736 Related Controls: IA-2, IA-4, IA-5.
7737 (3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS
7738 Restrict unescorted access to the facility where the system resides to personnel with
7739 [Selection (one or more): security clearances for all information contained within the
7740 system; formal access authorizations for all information contained within the system; need
7741 for access to all information contained within the system; [Assignment: organization-
7742 defined credentials]].
7743 Discussion: Individuals without required security clearances, access approvals, or need to
7744 know, are escorted by individuals with appropriate credentials to ensure that information is
7745 not exposed or otherwise compromised.
7746 Related Controls: PS-2, PS-6.
7747 References: [FIPS 201-2]; [SP 800-73-4]; [SP 800-76-2]; [SP 800-78-4].

7748 PE-3 PHYSICAL ACCESS CONTROL

7749 Control:
7750 a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit
7751 points to the facility where the system resides] by:

CHAPTER THREE PAGE 175

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7752 1. Verifying individual access authorizations before granting access to the facility; and
7753 2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment:
7754 organization-defined physical access control systems or devices]; guards];
7755 b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit
7756 points];
7757 c. Control access to areas within the facility designated as publicly accessible by implementing
7758 the following controls: [Assignment: organization-defined controls];
7759 d. Escort visitors and monitor visitor activity [Assignment: organization-defined circumstances
7760 requiring visitor escorts and monitoring];
7761 e. Secure keys, combinations, and other physical access devices;
7762 f. Inventory [Assignment: organization-defined physical access devices] every [Assignment:
7763 organization-defined frequency]; and
7764 g. Change combinations and keys [Assignment: organization-defined frequency] and/or when
7765 keys are lost, combinations are compromised, or when individuals possessing the keys or
7766 combinations are transferred or terminated.
7767 Discussion: Physical access control applies to employees and visitors. Individuals with permanent
7768 physical access authorization credentials are not considered visitors. Organizations determine
7769 the types of guards needed, including professional security staff, system users, or administrative
7770 staff. Physical access devices include keys, locks, combinations, and card readers. Physical access
7771 control systems comply with applicable laws, executive orders, directives, policies, regulations,
7772 standards, and guidelines. Organizations have flexibility in the types of audit logs employed.
7773 Audit logs can be procedural, automated, or some combination thereof. Physical access points
7774 can include facility access points, interior access points to systems requiring supplemental access
7775 controls, or both. Components of systems may be in areas designated as publicly accessible with
7776 organizations controlling access to the components.
7777 Related Controls: AT-3, AU-2, AU-6, AU-9, AU-13, CP-10, IA-3, IA-8, MA-5, MP-2, MP-4, PE-2, PE-
7778 4, PE-5, PE-8, PS-2, PS-3, PS-6, PS-7, RA-3, SC-28, SI-4, SR-3.
7779 Control Enhancements:
7780 (1) PHYSICAL ACCESS CONTROL | SYSTEM ACCESS
7781 Enforce physical access authorizations to the system in addition to the physical access
7782 controls for the facility at [Assignment: organization-defined physical spaces containing
7783 one or more components of the system].
7784 Discussion: Control of physical access to the system provides additional physical security for
7785 those areas within facilities where there is a concentration of system components.
7786 Related Controls: None.
7787 (2) PHYSICAL ACCESS CONTROL | FACILITY AND SYSTEMS
7788 Perform security checks [Assignment: organization-defined frequency] at the physical
7789 perimeter of the facility or system for exfiltration of information or removal of system
7790 components.
7791 Discussion: Organizations determine the extent, frequency, and/or randomness of security
7792 checks to adequately mitigate risk associated with exfiltration.
7793 Related Controls: AC-4, SC-7.

CHAPTER THREE PAGE 176

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7794 (3) PHYSICAL ACCESS CONTROL | CONTINUOUS GUARDS

7795 Employ guards to control [Assignment: organization-defined physical access points] to the
7796 facility where the system resides 24 hours per day, 7 days per week.
7797 Discussion: Employing guards at selected physical access points to the facility provides a
7798 more rapid response capability for organizations. Guards also provide the opportunity for
7799 human surveillance in areas of the facility not covered by video surveillance.
7800 Related Controls: CP-6, CP-7, PE-6.
7801 (4) PHYSICAL ACCESS CONTROL | LOCKABLE CASINGS
7802 Use lockable physical casings to protect [Assignment: organization-defined system
7803 components] from unauthorized physical access.
7804 Discussion: The greatest risk from the use of portable devices such as notebook computers,
7805 tablets, and smart phones is theft. Organizations can employ lockable, physical casings to
7806 reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from
7807 units that protect a single notebook computer to full cabinets that can protect multiple
7808 servers, computers, and peripherals. Lockable physical casings can be used in conjunction
7809 with cable locks or lockdown plates to prevent the theft of the locked casing containing the
7810 computer equipment.
7811 Related Controls: None.
7812 (5) PHYSICAL ACCESS CONTROL | TAMPER PROTECTION
7813 Employ [Assignment: organization-defined controls] to [Selection (one or more): detect;
7814 prevent] physical tampering or alteration of [Assignment: organization-defined hardware
7815 components] within the system.
7816 Discussion: Organizations can implement tamper detection and prevention at selected
7817 hardware components or implement tamper detection at some components and tamper
7818 prevention at other components. Detection and prevention activities can employ many
7819 types of anti-tamper technologies, including tamper-detection seals and anti-tamper
7820 coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting
7821 and other supply chain-related risks.
7822 Related Controls: SA-16, SR-9, SR-11.
7823 (6) PHYSICAL ACCESS CONTROL | FACILITY PENETRATION TESTING
7824 [Withdrawn: Incorporated into CA-8.]
7825 (7) PHYSICAL ACCESS CONTROL | PHYSICAL BARRIERS
7826 Limit access using physical barriers.
7827 Discussion: Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic
7828 active vehicle barriers.
7829 Related Controls: None.
7830 (8) PHYSICAL ACCESS CONTROL | ACCESS CONTROL VESTIBULES
7831 Employ access control vestibules at [Assignment: organization-defined locations within the
7832 facility].
7833 Discussion: An access control vestibule, or mantrap, is part of a physical access control
7834 system that typically provides a space between two sets of interlocking doors. Mantraps are
7835 designed to prevent unauthorized individuals from following authorized individuals into
7836 facilities with controlled access. This activity, also known as piggybacking or tailgating,
7837 results in unauthorized access to the facility. Mantraps can also be used to limit the number
7838 of individuals entering controlled access points and to provide containment areas to verify
7839 credentials. Mantraps can be fully automated, controlling the opening and closing of the

CHAPTER THREE PAGE 177

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7840 interlocking doors, or partially automated using security guards to control the number of
7841 individuals entering the mantrap.
7842 Related Controls: None.
7843 References: [FIPS 201-2]; [SP 800-73-4]; [SP 800-76-2]; [SP 800-78-4]; [SP 800-116].

7844 PE-4 ACCESS CONTROL FOR TRANSMISSION

7845 Control: Control physical access to [Assignment: organization-defined system distribution and
7846 transmission lines] within organizational facilities using [Assignment: organization-defined
7847 security controls].
7848 Discussion: Security controls applied to system distribution and transmission lines prevent
7849 accidental damage, disruption, and physical tampering. Such controls may also be necessary to
7850 prevent eavesdropping or modification of unencrypted transmissions. Security controls used to
7851 control physical access to system distribution and transmission lines include locked wiring
7852 closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and
7853 wiretapping sensors.
7854 Related Controls: AT-3, IA-4, MP-2, MP-4, PE-2, PE-3, PE-5, PE-9, SC-7, SC-8.
7855 Control Enhancements: None.
7856 References: None.

7857 PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

7858 Control: Control physical access to output from [Assignment: organization-defined output
7859 devices] to prevent unauthorized individuals from obtaining the output.
7860 Discussion: Controlling physical access to output devices includes placing output devices in
7861 locked rooms or other secured areas with keypad or card reader access controls and allowing
7862 access to authorized individuals only; placing output devices in locations that can be monitored
7863 by personnel; installing monitor or screen filters; and using headphones. Examples of output
7864 devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.
7865 Related Controls: PE-2, PE-3, PE-4, PE-18.
7866 Control Enhancements:
7867 (1) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
7868 [Withdrawn: Incorporated into PE-5.]
7869 (2) ACCESS CONTROL FOR OUTPUT DEVICES | LINK TO INDIVIDUAL IDENTITY
7870 Link individual identity to receipt of output from output devices.
7871 Discussion: Methods to link individual identity to receipt of output from output devices
7872 include installing security functionality on facsimile machines, copiers, and printers. Such
7873 functionality allows organizations to implement authentication on output devices prior to
7874 the release of output to individuals.
7875 Related Controls: None.
7876 (3) ACCESS CONTROL FOR OUTPUT DEVICES | MARKING OUTPUT DEVICES
7877 Mark [Assignment: organization-defined system output devices] indicating the security
7878 marking of the types of information output from the device.
7879 Discussion: Permissions controlling the output to outputs devices are addressed in AC-3 or
7880 AC-4. Outputs devices include printers, monitors, facsimile machines, scanners, copiers, and
7881 audio devices.

CHAPTER THREE PAGE 178

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7882 Related Controls: AC-3, AC-4, PE-22.

7883 References: [IR 8023].

7884 PE-6 MONITORING PHYSICAL ACCESS

7885 Control:
7886 a. Monitor physical access to the facility where the system resides to detect and respond to
7887 physical security incidents;
7888 b. Review physical access logs [Assignment: organization-defined frequency] and upon
7889 occurrence of [Assignment: organization-defined events or potential indications of events];
7890 and
7891 c. Coordinate results of reviews and investigations with the organizational incident response
7892 capability.
7893 Discussion: Physical access monitoring includes publicly accessible areas within organizational
7894 facilities. Physical access monitoring can be accomplished, for example, by the employment of
7895 guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access
7896 logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can
7897 be supported by audit logging controls such as AU-2 if the access logs are part of an automated
7898 system. Organizational incident response capabilities include investigations of physical security
7899 incidents and responses to the incidents. Incidents include security violations or suspicious
7900 physical access activities. Suspicious physical access activities include accesses outside of normal
7901 work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of
7902 time; and out-of-sequence accesses.
7903 Related Controls: AU-2, AU-6, AU-9, AU-12, CA-7, CP-10, IR-4, IR-8.
7904 Control Enhancements:
7905 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS AND SURVEILLANCE EQUIPMENT
7906 Monitor physical access to the facility where the system resides using physical intrusion
7907 alarms and surveillance equipment.
7908 Discussion: Physical intrusion alarms can be employed to alert security personnel when
7909 unauthorized access to the facility is attempted. Alarm systems work in conjunction with
7910 physical barriers, physical access control systems, and security guards, triggering a response
7911 when these other forms of security have been compromised or breached. Physical intrusion
7912 alarms can include different types of sensor devices, for example, motion sensors, contact
7913 sensors, and broken glass sensors. Surveillance equipment includes video cameras installed
7914 at strategic locations throughout the facility.
7915 Related Controls: None.
7916 (2) MONITORING PHYSICAL ACCESS | AUTOMATED INTRUSION RECOGNITION AND RESPONSES
7917 Recognize [Assignment: organization-defined classes or types of intrusions] and initiate
7918 [Assignment: organization-defined response actions] using [Assignment: organization-
7919 defined automated mechanisms].
7920 Discussion: Response actions can include notifying selected organizational personnel or law
7921 enforcement personnel. Automated mechanisms implemented to initiate response actions
7922 include system alert notifications, email and text messages, and activating door locking
7923 mechanisms. Physical access monitoring can be coordinated with intrusion detection
7924 systems and system monitoring capabilities to provide integrated threat coverage for the
7925 organization.
7926 Related Controls: SI-4.

CHAPTER THREE PAGE 179

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7927 (3) MONITORING PHYSICAL ACCESS | VIDEO SURVEILLANCE

7928 (a) Employ video surveillance of [Assignment: organization-defined operational areas];
7929 (b) Review video recordings [Assignment: organization-defined frequency]; and
7930 (c) Retain video recordings for [Assignment: organization-defined time-period].
7931 Discussion: Video surveillance focuses on recording activity in specified areas for purposes
7932 of subsequent review, if circumstances so warrant. Video recordings are typically reviewed
7933 to detect anomalous events or incidents. Monitoring the surveillance video is not required
7934 although organizations may choose to do so. There may be legal considerations when
7935 performing and retaining video surveillance, especially if such surveillance is in a public
7936 location.
7937 Related Controls: None.
7938 (4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO SYSTEMS
7939 Monitor physical access to the system in addition to the physical access monitoring of the
7940 facility at [Assignment: organization-defined physical spaces containing one or more
7941 components of the system].
7942 Discussion: Monitoring physical access to systems provides additional monitoring for those
7943 areas within facilities where there is a concentration of system components, including server
7944 rooms, media storage areas, and communications centers. Physical access monitoring can be
7945 coordinated with intrusion detection systems and system monitoring capabilities to provide
7946 comprehensive and integrated threat coverage for the organization.
7947 Related Controls: None.
7948 References: None.

7949 PE-7 VISITOR CONTROL

7950 [Withdrawn: Incorporated into PE-2 and PE-3.]

7951 PE-8 VISITOR ACCESS RECORDS

7952 Control:
7953 a. Maintain visitor access records to the facility where the system resides for [Assignment:
7954 organization-defined time-period];
7955 b. Review visitor access records [Assignment: organization-defined frequency]; and
7956 c. Report anomalies in visitor access records to [Assignment: organization-defined personnel].
7957 Discussion: Visitor access records include names and organizations of persons visiting; visitor
7958 signatures; forms of identification; dates of access; entry and departure times; purpose of visits;
7959 and names and organizations of persons visited. Reviews of access records determines if access
7960 authorizations are current and still required to support organizational missions and business
7961 functions. Access records are not required for publicly accessible areas.
7962 Related Controls: PE-2, PE-3, PE-6.
7963 Control Enhancements:
7964 (1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE AND REVIEW
7965 Maintain and review visitor access records using [Assignment: organization-defined
7966 automated mechanisms].
7967 Discussion: Visitor access records can be stored and maintained, for example, in a database
7968 management system that is accessible by organizational personnel. Automated access to

CHAPTER THREE PAGE 180

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

7969 such records facilitates record reviews on regular basis to determine if access authorizations
7970 are current and still required to support organizational missions and business functions.
7971 Related Controls: None.
7972 (2) VISITOR ACCESS RECORDS | PHYSICAL ACCESS RECORDS
7973 [Withdrawn: Incorporated into PE-2.]
7974 References: None.

7975 PE-9 POWER EQUIPMENT AND CABLING

7976 Control: Protect power equipment and power cabling for the system from damage and
7977 destruction.
7978 Discussion: Organizations determine the types of protection necessary for the power equipment
7979 and cabling employed at different locations both internal and external to organizational facilities
7980 and environments of operation. Power equipment and cabling includes generators and power
7981 cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data
7982 centers; and power sources for self-contained components such as satellites, vehicles, and other
7983 deployable systems.
7984 Related Controls: PE-4.
7985 Control Enhancements:
7986 (1) POWER EQUIPMENT AND CABLING | REDUNDANT CABLING
7987 Employ redundant power cabling paths that are physically separated by [Assignment:
7988 organization-defined distance].
7989 Discussion: Physically separate and redundant power cables ensure that power continues to
7990 flow in the event one of the cables is cut or otherwise damaged.
7991 Related Controls: None.
7992 (2) POWER EQUIPMENT AND CABLING | AUTOMATIC VOLTAGE CONTROLS
7993 Employ automatic voltage controls for [Assignment: organization-defined critical system
7994 components].
7995 Discussion: Automatic voltage controls can monitor and control voltage. Such controls
7996 include voltage regulators, voltage conditioners, and voltage stabilizers.
7997 Related Controls: None.
7998 References: None.

7999 PE-10 EMERGENCY SHUTOFF

8000 Control:
8001 a. Provide the capability of shutting off power to [Assignment: organization-defined system or
8002 individual system components] in emergency situations;
8003 b. Place emergency shutoff switches or devices in [Assignment: organization-defined location
8004 by system or system component] to facilitate access for authorized personnel; and
8005 c. Protect emergency power shutoff capability from unauthorized activation.
8006 Discussion: Emergency power shutoff applies primarily to organizational facilities containing
8007 concentrations of system resources, including data centers, mainframe computer rooms, server
8008 rooms, and areas with computer-controlled machinery.
8009 Related Controls: PE-15.

CHAPTER THREE PAGE 181

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8010 Control Enhancements:

8011 (1) EMERGENCY SHUTOFF | ACCIDENTAL AND UNAUTHORIZED ACTIVATION
8012 [Withdrawn: Incorporated into PE-10.]
8013 References: None.

8014 PE-11 EMERGENCY POWER

8015 Control: Provide an uninterruptible power supply to facilitate [Selection (one or more): an
8016 orderly shutdown of the system; transition of the system to long-term alternate power] in the
8017 event of a primary power source loss.
8018 Discussion: An uninterruptible power supply (UPS) is an electrical system or mechanism that
8019 provides emergency power when there is a failure of the main power source. A UPS is typically
8020 used to protect computers, data centers, telecommunication equipment or other electrical
8021 equipment where an unexpected power disruption could cause injuries, fatalities, serious
8022 mission or business disruption or loss of data or information. A UPS differs from an emergency
8023 power system or backup generator in that the UPS provides near-instantaneous protection from
8024 unanticipated power interruptions from the main power source by providing energy stored in
8025 batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but
8026 provides sufficient time to start a standby power source such as a backup generator or properly
8027 shut down the system.
8028 Related Controls: AT-3, CP-2, CP-7.
8029 Control Enhancements:
8030 (1) EMERGENCY POWER | ALTERNATE POWER SUPPLY — MINIMAL OPERATIONAL CAPABILITY
8031 Provide an alternate power supply for the system that is activated [Selection: manually;
8032 automatically] and that can maintain minimally required operational capability in the
8033 event of an extended loss of the primary power source.
8034 Discussion: Provision of an alternate power supply with minimal operating capability can be
8035 satisfied, for example, by accessing a secondary commercial power supply or other external
8036 power supply.
8037 Related Controls: None.
8038 (2) EMERGENCY POWER | ALTERNATE POWER SUPPLY — SELF-CONTAINED
8039 Provide an alternate power supply for the system that is activated [Selection: manually;
8040 automatically] and that is:
8041 (a) Self-contained;
8042 (b) Not reliant on external power generation; and
8043 (c) Capable of maintaining [Selection: minimally required operational capability; full
8044 operational capability] in the event of an extended loss of the primary power source.
8045 Discussion: The provision of a long-term, self-contained power supply, can be satisfied by
8046 using one or more generators with sufficient capacity to meet the needs of the organization.
8047 Related Controls: None.
8048 References: None.

8049 PE-12 EMERGENCY LIGHTING

8050 Control: Employ and maintain automatic emergency lighting for the system that activates in the
8051 event of a power outage or disruption and that covers emergency exits and evacuation routes
8052 within the facility.

CHAPTER THREE PAGE 182

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8053 Discussion: The provision of emergency lighting applies primarily to organizational facilities
8054 containing concentrations of system resources, including data centers, server rooms, and
8055 mainframe computer rooms. Emergency lighting provisions for the system are described in the
8056 contingency plan for the organization. If emergency lighting for the system cannot be provided or
8057 fails, organizations consider alternate processing sites.
8058 Related Controls: CP-2, CP-7.
8059 Control Enhancements:
8060 (1) EMERGENCY LIGHTING | ESSENTIAL MISSIONS AND BUSINESS FUNCTIONS
8061 Provide emergency lighting for all areas within the facility supporting essential missions
8062 and business functions.
8063 Discussion: Organizations define their essential missions and functions.
8064 Related Controls: None.
8065 References: None.

8066 PE-13 FIRE PROTECTION

8067 Control: Employ and maintain fire detection and suppression systems that are supported by an
8068 independent energy source.
8069 Discussion: The provision of fire detection and suppression systems applies to organizational
8070 facilities containing concentrations of system resources, including data centers, server rooms,
8071 and mainframe computer rooms. Fire detection and suppression systems that may require an
8072 independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors.
8073 Related Controls: AT-3.
8074 Control Enhancements:
8075 (1) FIRE PROTECTION | DETECTION SYSTEMS – AUTOMATIC ACTIVATION AND NOTIFICATION
8076 Employ fire detection systems that activate automatically and notify [Assignment:
8077 organization-defined personnel or roles] and [Assignment: organization-defined
8078 emergency responders] in the event of a fire.
8079 Discussion: Organizations can identify personnel, roles, and emergency responders if
8080 individuals on the notification list need to have access authorizations or clearances, for
8081 example, to enter to facilities where access is restricted due to the classification or impact
8082 level of information within the facility. Notification mechanisms may require independent
8083 energy sources to ensure the notification capability is not adversely affected by the fire.
8084 Related Controls: None.
8085 (2) FIRE PROTECTION | SUPPRESSION SYSTEMS – AUTOMATIC ACTIVATION AND NOTIFICATION
8086 (a) Employ fire suppression systems that activate automatically and notify [Assignment:
8087 organization-defined personnel or roles] and [Assignment: organization-defined
8088 emergency responders]; and
8089 (b) Employ an automatic fire suppression capability when the facility is not staffed on a
8090 continuous basis.
8091 Discussion: Organizations can identify specific personnel, roles, and emergency responders
8092 if individuals on the notification list need to have appropriate access authorizations and/or
8093 clearances, for example, to enter to facilities where access is restricted due to the impact
8094 level or classification of information within the facility. Notification mechanisms may require
8095 independent energy sources to ensure the notification capability is not adversely affected by
8096 the fire.

CHAPTER THREE PAGE 183

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8097 Related Controls: None.

8098 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION
8099 [Withdrawn: Incorporated into PE-13(2).]
8100 (4) FIRE PROTECTION | INSPECTIONS
8101 Ensure that the facility undergoes [Assignment: organization-defined frequency] fire
8102 protection inspections by authorized and qualified inspectors and identified deficiencies
8103 are resolved within [Assignment: organization-defined time-period].
8104 Discussion: Authorized and qualified personnel within the jurisdiction of the organization
8105 include state, county, and city fire inspectors and fire marshals. Organizations provide
8106 escorts during inspections in situations where the systems that reside within the facilities
8107 contain sensitive information.
8108 Related Controls: None.
8109 References: None.

8110 PE-14 ENVIRONMENTAL CONTROLS

8111 Control:
8112 a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment:
8113 organization-defined environmental control]] levels within the facility where the system
8114 resides at [Assignment: organization-defined acceptable levels]; and
8115 b. Monitor environmental control levels [Assignment: organization-defined frequency].
8116 Discussion: The provision of environmental controls applies primarily to organizational facilities
8117 containing concentrations of system resources, for example, data centers, server rooms, and
8118 mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a
8119 significant adverse impact on the systems and system components that are needed to support
8120 organizational missions and business functions. Environmental controls, such as electromagnetic
8121 pulse (EMP) protection described in PE-21, are especially significant for systems and applications
8122 that are part of the U.S. critical infrastructure.
8123 Related Controls: AT-3, CP-2, PE-21.
8124 Control Enhancements:
8125 (1) ENVIRONMENTAL CONTROLS | AUTOMATIC CONTROLS
8126 Employ the following automatic environmental controls in the facility to prevent
8127 fluctuations potentially harmful to the system: [Assignment: organization-defined
8128 automatic environmental controls].
8129 Discussion: The implementation of automatic environmental controls provides an
8130 immediate response to environmental conditions that can damage, degrade, or destroy
8131 organizational systems or systems components.
8132 Related Controls: None.
8133 (2) ENVIRONMENTAL CONTROLS | MONITORING WITH ALARMS AND NOTIFICATIONS
8134 Employ environmental control monitoring that provides an alarm or notification of
8135 changes potentially harmful to personnel or equipment to [Assignment: organization-
8136 defined personnel or roles].
8137 Discussion: The alarm or notification may be, for example, an audible alarm or a message in
8138 real time to personnel or roles defined by the organization. Such alarms and/or notifications

CHAPTER THREE PAGE 184

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8139 can help to minimize harm to individuals and damage to organizational assets by facilitating
8140 a timely incident response.
8141 Related Controls: None.
8142 References: None.

8143 PE-15 WATER DAMAGE PROTECTION

8144 Control: Protect the system from damage resulting from water leakage by providing master
8145 shutoff or isolation valves that are accessible, working properly, and known to key personnel.
8146 Discussion: The provision of water damage protection applies primarily to organizational
8147 facilities containing concentrations of system resources, including data centers, server rooms,
8148 and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of
8149 master shutoff valves to shut off water supplies in specific areas of concern, without affecting
8150 entire organizations.
8151 Related Controls: AT-3, PE-10.
8152 Control Enhancements:
8153 (1) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT
8154 Detect the presence of water near the system and alert [Assignment: organization-defined
8155 personnel or roles] using [Assignment: organization-defined automated mechanisms].
8156 Discussion: Automated mechanisms include notification systems, water detection sensors,
8157 and alarms.
8158 Related Controls: None.
8159 References: None.

8160 PE-16 DELIVERY AND REMOVAL

8161 Control:
8162 a. Authorize and control [Assignment: organization-defined types of system components]
8163 entering and exiting the facility; and
8164 b. Maintain records of the system components.
8165 Discussion: Enforcing authorizations for entry and exit of system components may require
8166 restricting access to delivery areas and isolating the areas from the system and media libraries.
8167 Related Controls: CM-3, CM-8, MA-2, MA-3, MP-5, PE-20, SR-2, SR-3, SR-4, SR-6.
8168 Control Enhancements: None.
8169 References: None.

8170 PE-17 ALTERNATE WORK SITE

8171 Control:
8172 a. Determine and document the [Assignment: organization-defined alternate work sites]
8173 allowed for use by employees;
8174 b. Employ the following controls at alternate work sites: [Assignment: organization-defined
8175 controls];
8176 c. Assess the effectiveness of controls at alternate work sites; and

CHAPTER THREE PAGE 185

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8177 d. Provide a means for employees to communicate with information security and privacy
8178 personnel in case of incidents.
8179 Discussion: Alternate work sites include government facilities or the private residences of
8180 employees. While distinct from alternative processing sites, alternate work sites can provide
8181 readily available alternate locations during contingency operations. Organizations can define
8182 different sets of controls for specific alternate work sites or types of sites depending on the
8183 work-related activities conducted at those sites. This control supports the contingency planning
8184 activities of organizations.
8185 Related Controls: AC-17, AC-18, CP-7.
8186 Control Enhancements: None.
8187 References: [SP 800-46].

8188 PE-18 LOCATION OF SYSTEM COMPONENTS

8189 Control: Position system components within the facility to minimize potential damage from
8190 [Assignment: organization-defined physical and environmental hazards] and to minimize the
8191 opportunity for unauthorized access.
8192 Discussion: Physical and environmental hazards include floods, fires, tornados, earthquakes,
8193 hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms
8194 of incoming electromagnetic radiation. Organizations consider the location of entry points where
8195 unauthorized individuals, while not being granted access, might nonetheless be near systems.
8196 Such proximity can increase the risk of unauthorized access to organizational communications,
8197 including using wireless sniffers or microphones.
8198 Related Controls: CP-2, PE-5, PE-19, PE-20, RA-3.
8199 (1) LOCATION OF SYSTEM COMPONENTS | FACILITY SITE
8200 [Withdrawn: Moved to PE-23.]
8201 References: None.

8202 PE-19 INFORMATION LEAKAGE

8203 Control: Protect the system from information leakage due to electromagnetic signals
8204 emanations.
8205 Discussion: Information leakage is the intentional or unintentional release of data or information
8206 to an untrusted environment from electromagnetic signals emanations. The security categories
8207 or classifications of systems (with respect to confidentiality), organizational security policies, and
8208 risk tolerance guide the selection of controls employed to protect systems against information
8209 leakage due to electromagnetic signals emanations.
8210 Related Controls: AC-18, PE-18, PE-20.
8211 Control Enhancements:
8212 (1) INFORMATION LEAKAGE | NATIONAL EMISSIONS AND TEMPEST POLICIES AND PROCEDURES
8213 Protect system components, associated data communications, and networks in accordance
8214 with national Emissions Security policies and procedures based on the security category or
8215 classification of the information.
8216 Discussion: Emissions Security (EMSEC) policies include the former TEMPEST policies.
8217 Related Controls: None.
8218 References: [FIPS 199].

CHAPTER THREE PAGE 186

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8219 PE-20 ASSET MONITORING AND TRACKING

8220 Control: Employ [Assignment: organization-defined asset location technologies] to track and
8221 monitor the location and movement of [Assignment: organization-defined assets] within
8222 [Assignment: organization-defined controlled areas].
8223 Discussion: Asset location technologies can help ensure that critical assets, including vehicles,
8224 equipment, or system components remain in authorized locations. Organizations consult with
8225 the Office of the General Counsel and senior agency official for privacy regarding the deployment
8226 and use of asset location technologies to address potential privacy concerns.
8227 Related Controls: CM-8, PE-16, PM-8.
8228 Control Enhancements: None.
8229 References: None.

8230 PE-21 ELECTROMAGNETIC PULSE PROTECTION

8231 Control: Employ [Assignment: organization-defined controls] against electromagnetic pulse
8232 damage for [Assignment: organization-defined systems and system components].
8233 Discussion: An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is
8234 spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP
8235 interference may be disruptive or damaging to electronic equipment. Protective measures used
8236 to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth
8237 grounding.
8238 Related Controls: PE-18, PE-19.
8239 Control Enhancements: None.
8240 References: None.

8241 PE-22 COMPONENT MARKING

8242 Control: Mark [Assignment: organization-defined system hardware components] indicating the
8243 impact level or classification level of the information permitted to be processed, stored, or
8244 transmitted by the hardware component.
8245 Discussion: Hardware components that require marking include input devices marked to indicate
8246 the classification of the network to which the devices are connected or a multifunction printer or
8247 copier residing in a classified area. Security marking refers to the use of human-readable security
8248 attributes. Security labeling refers to the use of security attributes for internal data structures
8249 within systems. Security marking is generally not required for hardware components processing,
8250 storing, or transmitting information determined by organizations to be in the public domain or to
8251 be publicly releasable. However, organizations may require markings for hardware components
8252 processing, storing, or transmitting public information indicating that such information is publicly
8253 releasable. Marking of system hardware components reflects applicable laws, executive orders,
8254 directives, policies, regulations, and standards.
8255 Related Controls: AC-16, MP-3.
8256 Control Enhancements: None.
8257 References: None.

CHAPTER THREE PAGE 187

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8258 PE-23 FACILITY LOCATION

8259 Control:
8260 a. Plan the location or site of the facility where the system resides considering physical and
8261 environmental hazards; and
8262 b. For existing facilities, consider the physical and environmental hazards in the organizational
8263 risk management strategy.
8264 Discussion: Physical and environmental hazards include floods, fires, tornados, earthquakes,
8265 hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms
8266 of incoming electromagnetic radiation. The location of system components within the facility is
8267 addressed in PE-18.
8268 Related Controls: CP-2, PE-18, PE-19, PM-8, PM-9, RA-3.
8269 References: None.

CHAPTER THREE PAGE 188

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8270 3.12 PLANNING

8271 Quick link to Planning summary table

8272 PL-1 POLICY AND PROCEDURES

8273 Control:
8274 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
8275 roles]:
8276 1. [Selection (one or more): organization-level; mission/business process-level; system-
8277 level] planning policy that:
8278 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
8279 coordination among organizational entities, and compliance; and
8280 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
8281 standards, and guidelines; and
8282 2. Procedures to facilitate the implementation of the planning policy and the associated
8283 planning controls;
8284 b. Designate an [Assignment: organization-defined official] to manage the development,
8285 documentation, and dissemination of the planning policy and procedures; and
8286 c. Review and update the current planning:
8287 1. Policy [Assignment: organization-defined frequency]; and
8288 2. Procedures [Assignment: organization-defined frequency].
8289 Discussion: This control addresses policy and procedures for the controls in the PL family
8290 implemented within systems and organizations. The risk management strategy is an important
8291 factor in establishing such policies and procedures. Policies and procedures help provide security
8292 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
8293 on their development. Security and privacy program policies and procedures at the organization
8294 level are preferable, in general, and may obviate the need for system-specific policies and
8295 procedures. The policy can be included as part of the general security and privacy policy or can
8296 be represented by multiple policies reflecting the complex nature of organizations. Procedures
8297 can be established for security and privacy programs and for systems, if needed. Procedures
8298 describe how the policies or controls are implemented and can be directed at the individual or
8299 role that is the object of the procedure. Procedures can be documented in system security and
8300 privacy plans or in one or more separate documents. Restating controls does not constitute an
8301 organizational policy or procedure.
8302 Related Controls: PM-9, PS-8, SI-12.
8303 Control Enhancements: None.
8304 References: [OMB A-130]; [SP 800-12]; [SP 800-18]; [SP 800-30]; [SP 800-39]; [SP 800-100].

8305 PL-2 SYSTEM SECURITY AND PRIVACY PLANS

8306 Control:
8307 a. Develop security and privacy plans for the system that:
8308 1. Are consistent with the organization’s enterprise architecture;
8309 2. Explicitly define the constituent system components;

CHAPTER THREE PAGE 189

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8310 3. Describe the operational context of the system in terms of missions and business
8311 processes;
8312 4. Provide the security categorization of the system, including supporting rationale;
8313 5. Describe any specific threats to the system that are of concern to the organization;
8314 6. Provide the results of a privacy risk assessment for systems processing personally
8315 identifiable information;
8316 7. Describe the operational environment for the system and any dependencies on or
8317 connections to other systems or system components;
8318 8. Provide an overview of the security and privacy requirements for the system;
8319 9. Identify any relevant control baselines or overlays, if applicable;
8320 10. Describe the controls in place or planned for meeting the security and privacy
8321 requirements, including a rationale for any tailoring decisions;
8322 11. Include risk determinations for security and privacy architecture and design decisions;
8323 12. Include security- and privacy-related activities affecting the system that require planning
8324 and coordination with [Assignment: organization-defined individuals or groups]; and
8325 13. Are reviewed and approved by the authorizing official or designated representative
8326 prior to plan implementation.
8327 b. Distribute copies of the plans and communicate subsequent changes to the plans to
8328 [Assignment: organization-defined personnel or roles];
8329 c. Review the plans [Assignment: organization-defined frequency];
8330 d. Update the plans to address changes to the system and environment of operation or
8331 problems identified during plan implementation or control assessments; and
8332 e. Protect the plans from unauthorized disclosure and modification.
8333 Discussion: System security and privacy plans contain an overview of the security and privacy
8334 requirements for the system and the controls selected to satisfy the requirements. The plans
8335 describe the intended application of each selected control in the context of the system with a
8336 sufficient level of detail to correctly implement the control and to subsequently assess the
8337 effectiveness of the control. The control documentation describes how system-specific and
8338 hybrid controls are implemented and the plans and expectations regarding the functionality of
8339 the system. System security and privacy plans can also be used in the design and development of
8340 systems in support of life cycle-based security engineering processes. System security and privacy
8341 plans are living documents that are updated and adapted throughout the system development
8342 life cycle, for example, during capability determination, analysis of alternatives, requests for
8343 proposal, and design reviews. Section 2.1 describes the different types of requirements that are
8344 relevant to organizations during the system development life cycle and the relationship between
8345 requirements and controls.
8346 Organizations may develop a single, integrated security and privacy plan or maintain separate
8347 plans. Security and privacy plans relate security and privacy requirements to a set of controls and
8348 control enhancements. The plans describe how the controls and control enhancements meet the
8349 security and privacy requirements, but do not provide detailed, technical descriptions of the
8350 design or implementation of the controls and control enhancements. Security and privacy plans
8351 contain sufficient information (including specifications of control parameter values for selection
8352 and assignment statements explicitly or by reference) to enable a design and implementation
8353 that is unambiguously compliant with the intent of the plans and subsequent determinations of
8354 risk to organizational operations and assets, individuals, other organizations, and the Nation if

CHAPTER THREE PAGE 190

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8355 the plan is implemented. Organizations can also apply the tailoring guidance to the control
8356 baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized
8357 requirements, technologies, missions, business applications, or environments of operation.
8358 Security and privacy plans need not be single documents. The plans can be a collection of various
8359 documents, including documents that already exist. Effective security and privacy plans make
8360 extensive use of references to policies, procedures, and additional documents, including design
8361 and implementation specifications where more detailed information can be obtained. The use of
8362 references helps to reduce the documentation associated with security and privacy programs
8363 and maintains the security- and privacy-related information in other established management
8364 and operational areas, including enterprise architecture, system development life cycle, systems
8365 engineering, and acquisition. Security and privacy plans need not contain detailed contingency
8366 plan or incident response plan information but instead can provide explicitly or by reference,
8367 sufficient information to define what needs to be accomplished by those plans.
8368 Security- and privacy-related activities that may require coordination and planning with other
8369 individuals or groups within the organization include: assessments, audits, and inspections;
8370 hardware and software maintenance; patch management; and contingency plan testing.
8371 Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent
8372 unplanned) situations. The process defined by organizations to plan and coordinate security- and
8373 privacy-related activities can also be included other documents, as appropriate.
8374 Related Controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CM-13, CP-2, CP-4,
8375 IR-4, IR-8, MA-4, MA-5, MP-4, MP-5, PL-7, PL-8, PL-10, PL-11, PM-1, PM-7, PM-8, PM-9, PM-10,
8376 PM-11, RA-3, RA-8, RA-9, SA-5, SA-17, SA-22, SI-12, SR-2, SR-4.
8377 Control Enhancements:
8378 (1) SYSTEM SECURITY AND PRIVACY PLANS | CONCEPT OF OPERATIONS
8379 [Withdrawn: Incorporated into PL-7.]
8380 (2) SYSTEM SECURITY AND PRIVACY PLANS | FUNCTIONAL ARCHITECTURE
8381 [Withdrawn: Incorporated into PL-8.]
8382 (3) SYSTEM SECURITY AND PRIVACY PLANS | PLAN AND COORDINATE WITH OTHER ORGANIZATIONAL
8383 ENTITIES
8384 [Withdrawn: Incorporated into PL-2.]
8385 References: [OMB A-130, Appendix II]; [SP 800-18]; [SP 800-37]; [SP 800-160 v1]; [SP 800-160
8386 v2].

8387 PL-3 SYSTEM SECURITY PLAN UPDATE

8388 [Withdrawn: Incorporated into PL-2.]

8389 PL-4 RULES OF BEHAVIOR

8390 Control:
8391 a. Establish and provide to individuals requiring access to the system, the rules that describe
8392 their responsibilities and expected behavior for information and system usage, security, and
8393 privacy;
8394 b. Receive a documented acknowledgment from such individuals, indicating that they have
8395 read, understand, and agree to abide by the rules of behavior, before authorizing access to
8396 information and the system;
8397 c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and

CHAPTER THREE PAGE 191

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8398 d. Require individuals who have acknowledged a previous version of the rules of behavior to
8399 read and re-acknowledge [Selection (one or more): [Assignment: organization-defined
8400 frequency]; when the rules are revised or updated].
8401 Discussion: Rules of behavior represent a type of access agreement for organizational users.
8402 Other types of access agreements include nondisclosure agreements, conflict-of-interest
8403 agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior
8404 based on individual user roles and responsibilities, and differentiating, for example, between
8405 rules that apply to privileged users and rules that apply to general users. Establishing rules of
8406 behavior for some types of non-organizational users, including individuals who simply receive
8407 information from federal systems, is often not feasible given the large number of such users and
8408 the limited nature of their interactions with the systems. Rules of behavior for organizational and
8409 non-organizational users can also be established in AC-8. The related controls section provides a
8410 list of controls that are relevant to organizational rules of behavior. PL-4b, the documented
8411 acknowledgment portion of the control, may be satisfied by the awareness training and role-
8412 based training programs conducted by organizations if such training includes rules of behavior.
8413 Documented acknowledgements for rules of behavior include electronic or physical signatures;
8414 and electronic agreement check boxes or radio buttons.
8415 Related Controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2,
8416 IA-4, IA-5, MP-7, PS-6, PS-8, SA-5, SI-12.
8417 Control Enhancements:
8418 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION USAGE RESTRICTIONS
8419 Include in the rules of behavior, restrictions on:
8420 (a) Use of social media, social networking sites, and external sites/applications;
8421 (b) Posting organizational information on public websites; and
8422 (c) Use of organization-provided credentials (i.e., email addresses) for creating accounts
8423 on external sites/applications.
8424 Discussion: Social media, social networking, and external site/application usage restrictions
8425 address rules of behavior related to the use of these sites when organizational personnel are
8426 using such sites for official duties or in the conduct of official business; when organizational
8427 information is involved in social media and networking transactions; and when personnel are
8428 accessing social media and networking sites from organizational systems. Organizations also
8429 address specific rules that prevent unauthorized entities from obtaining, either directly or
8430 through inference, non-public organizational information from social media and networking
8431 sites. Non-public information includes, for example, personally identifiable information and
8432 system account information.
8433 Related Controls: AC-22, AU-13.
8434 References: [OMB A-130]; [SP 800-18].

8435 PL-5 PRIVACY IMPACT ASSESSMENT

8436 [Withdrawn: Incorporated into RA-8.]

8437 PL-6 SECURITY-RELATED ACTIVITY PLANNING

8438 [Withdrawn: Incorporated into PL-2.]

CHAPTER THREE PAGE 192

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8439 PL-7 CONCEPT OF OPERATIONS

8440 Control:
8441 a. Develop a Concept of Operations (CONOPS) for the system describing how the organization
8442 intends to operate the system from the perspective of information security and privacy; and
8443 b. Review and update the CONOPS [Assignment: organization-defined frequency].
8444 Discussion: The CONOPS may be included in the security or privacy plans for the system or in
8445 other system development life cycle documents. The CONOPS is a living document that requires
8446 updating throughout the system development life cycle. For example, during system design
8447 reviews, the concept of operations is checked to ensure that it remains consistent with the
8448 design for controls, the system architecture, and the operational procedures. Changes to the
8449 CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy
8450 architectures, and other appropriate organizational documents, for example, procurement
8451 specifications, system development life cycle documents, and systems engineering documents.
8452 Related Controls: PL-2, SA-2, SI-12.
8453 Control Enhancements: None.
8454 References: [OMB A-130, Appendix II].

8455 PL-8 SECURITY AND PRIVACY ARCHITECTURES

8456 Control:
8457 a. Develop security and privacy architectures for the system that:
8458 1. Describe the requirements and approach to be taken for protecting the confidentiality,
8459 integrity, and availability of organizational information;
8460 2. Describe the requirements and approach to be taken for processing personally
8461 identifiable information to minimize privacy risk to individuals;
8462 3. Describe how the architectures are integrated into and support the enterprise
8463 architecture; and
8464 4. Describe any assumptions about, and dependencies on, external systems and services;
8465 b. Review and update the architectures [Assignment: organization-defined frequency] to reflect
8466 changes in the enterprise architecture; and
8467 c. Reflect planned architecture changes in the security and privacy plans, the Concept of
8468 Operations (CONOPS), organizational procedures, and procurements and acquisitions.
8469 Discussion: The system-level security and privacy architectures are consistent with organization-
8470 wide security and privacy architectures described in PM-7 that are integral to and developed as
8471 part of the enterprise architecture. The architectures include an architectural description, the
8472 allocation of security and privacy functionality (including controls), security- and privacy-related
8473 information for external interfaces, information being exchanged across the interfaces, and the
8474 protection mechanisms associated with each interface. The architectures can also include other
8475 information, for example, user roles and the access privileges assigned to each role; security and
8476 privacy requirements; types of information processed, stored, and transmitted by the system;
8477 restoration priorities of information and system services; and other protection needs.
8478 [SP 800-160 v1] provides guidance on the use of security architectures as part of the system
8479 development life cycle process. [OMB M-19-03] requires the use of the systems security
8480 engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy
8481 architectures are reviewed and updated throughout the system development life cycle from

CHAPTER THREE PAGE 193

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8482 analysis of alternatives through review of the proposed architecture in the RFP responses, to the
8483 design reviews before and during implementation (e.g., during preliminary design reviews and
8484 critical design reviews).
8485 In today’s modern computing architectures, it is becoming less common for organizations to
8486 control all information resources. There may be key dependencies on external information
8487 services and service providers. Describing such dependencies in the security and privacy
8488 architectures is necessary for developing a comprehensive mission and business protection
8489 strategy. Establishing, developing, documenting, and maintaining under configuration control, a
8490 baseline configuration for organizational systems is critical to implementing and maintaining
8491 effective architectures. The development of the architectures is coordinated with the senior
8492 agency information security officer and the senior agency official for privacy to ensure that
8493 controls needed to support security and privacy requirements are identified and effectively
8494 implemented.
8495 PL-8 is primarily directed at organizations to ensure that architectures are developed for the
8496 system, and moreover, that the architectures are integrated with or tightly coupled to the
8497 enterprise architecture. In contrast, SA-17 is primarily directed at the external information
8498 technology product and system developers and integrators. SA-17, which is complementary to
8499 PL-8, is selected when organizations outsource the development of systems or components to
8500 external entities, and when there is a need to demonstrate consistency with the organization’s
8501 enterprise architecture and security and privacy architectures.
8502 Related Controls: CM-2, CM-6, PL-2, PL-7, PL-9, PM-5, PM-7, RA-9, SA-3, SA-5, SA-8, SA-17.
8503 Control Enhancements:
8504 (1) SECURITY AND PRIVACY ARCHITECTURES | DEFENSE-IN-DEPTH
8505 Design the security and privacy architectures for the system using a defense-in-depth
8506 approach that:
8507 (a) Allocates [Assignment: organization-defined controls] to [Assignment: organization-
8508 defined locations and architectural layers]; and
8509 (b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing
8510 manner.
8511 Discussion: Organizations strategically allocate security and privacy controls in the security
8512 and privacy architectures so that adversaries must overcome multiple controls to achieve
8513 their objective. Requiring adversaries to defeat multiple controls makes it more difficult to
8514 attack information resources by increasing the work factor of the adversary; and increases
8515 the likelihood of detection. The coordination of allocated controls is essential to ensure that
8516 an attack that involves one control does not create adverse unintended consequences by
8517 interfering with other controls. Unintended consequences can include system lockout and
8518 cascading alarms. The placement of controls in systems and organizations is an important
8519 activity requiring thoughtful analysis. The value of organizational assets is an important
8520 consideration in providing additional layering. Defense-in-depth architectural approaches
8521 include modularity and layering (see SA-8(3)); separation of system and user functionality
8522 (see SC-2); and security function isolation (see SC-3).
8523 Related Controls: SC-2, SC-3, SC-29, SC-36.
8524 (2) SECURITY AND PRIVACY ARCHITECTURES | SUPPLIER DIVERSITY
8525 Require that [Assignment: organization-defined controls] allocated to [Assignment:
8526 organization-defined locations and architectural layers] are obtained from different
8527 suppliers.
8528 Discussion: Information technology products have different strengths and weaknesses.
8529 Providing a broad spectrum of products complements the individual offerings. For example,

CHAPTER THREE PAGE 194

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8530 vendors offering malicious code protection typically update their products at different times,
8531 often developing solutions for known viruses, Trojans, or worms based on their priorities
8532 and development schedules. By deploying different products at different locations, there is
8533 an increased likelihood that at least one of the products will detect the malicious code. With
8534 respect to privacy, vendors may offer products that track personally identifiable information
8535 in systems. Products may use different tracking methods. Using multiple products may result
8536 in more assurance that personally identifiable information is inventoried.
8537 Related Controls: SC-29, SR-3.
8538 References: [OMB A-130]; [SP 800-160 v1]; [SP 800-160 v2].

8539 PL-9 CENTRAL MANAGEMENT

8540 Control: Centrally manage [Assignment: organization-defined controls and related processes].
8541 Discussion: Central management refers to organization-wide management and implementation
8542 of selected controls and processes. This includes planning, implementing, assessing, authorizing,
8543 and monitoring the organization-defined, centrally managed controls and processes. As the
8544 central management of controls is generally associated with the concept of common (inherited)
8545 controls, such management promotes and facilitates standardization of control implementations
8546 and management and judicious use of organizational resources. Centrally-managed controls and
8547 processes may also meet independence requirements for assessments in support of initial and
8548 ongoing authorizations to operate and as part of organizational continuous monitoring.
8549 As part of the control selection processes, organizations determine the controls that may be
8550 suitable for central management based on resources and capabilities. It is not always possible to
8551 centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid
8552 control with the control managed and implemented centrally or at the system level. The controls
8553 and control enhancements that are candidates for full or partial central management include,
8554 but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-17(1), AC-17(2), AC-17(3), AC-17(9),
8555 AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2),
8556 AT-3(3), AT-4, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-
8557 16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-
8558 3(4), CM-4, CM-6(1), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-
8559 43, SI-2, SI-3, SI-7, SI-8.
8560 Related Controls: PL-8, PM-9.
8561 Control Enhancements: None.
8562 References: [OMB A-130]; [SP 800-37].

8563 PL-10 BASELINE SELECTION

8564 Control: Select a control baseline for the system.
8565 Discussion: Control baselines are pre-defined sets of controls specifically assembled to address
8566 the protection needs of a group, organization, or community of interest. Controls are chosen for
8567 baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations,
8568 policies, standards, or guidelines; or to address threats common to all users of the baseline under
8569 the assumptions specific to the baseline. Baselines represent a starting point for the protection
8570 of individuals’ privacy, information, and information systems, with subsequent tailoring actions
8571 to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal
8572 control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined
8573 by the needs of stakeholders. Stakeholder needs consider mission and business requirements
8574 and as well as mandates imposed by applicable laws, executive orders, directives, policies,
8575 regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are

CHAPTER THREE PAGE 195

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8576 based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST
8577 standards and guidelines implementing the legislation, direct organizations to select one of the
8578 control baselines after the reviewing the information types and the information that is
8579 processed, stored, and transmitted on the system; analyzing the potential adverse impact of the
8580 loss or compromise of the information or system on the organization’s operations and assets,
8581 individuals, other organizations or the Nation; and considering the results from system and
8582 organizational risk assessments.
8583 Related Controls: PL-2, PL-11, RA-2, RA-3, SA-8.
8584 Control Enhancements: None.
8585 References: [FIPS 199]; [FIPS 200]; [SP 800-30]; [SP 800-37]; [SP 800-39]; [SP 800-53B]; [SP 800-
8586 60 v1]; [SP 800-60 v2]; [SP 800-160 v1]; [CNSSI 1253].

8587 PL-11 BASELINE TAILORING

8588 Control: Tailor the selected control baseline by applying specified tailoring actions.
8589 Discussion: The concept of tailoring allows organizations to specialize or customize a set of
8590 baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such
8591 specialization and customization by allowing organizations to develop security and privacy plans
8592 that reflect their specific missions and business functions, the environments where their systems
8593 operate, the threats and vulnerabilities that can affect their systems, and any other conditions or
8594 situations that can impact their mission or business success. Tailoring guidance is provided in [SP
8595 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common
8596 controls; applying scoping considerations; selecting compensating controls; assigning values to
8597 control parameters; supplementing the control baseline with additional controls, as needed; and
8598 providing information for control implementation. The general tailoring actions in [SP 800-53B]
8599 can be supplemented with additional actions based on the needs of organizations. Tailoring
8600 actions can be applied to the baselines in [SP 800-53B] in accordance with the security and
8601 privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest
8602 adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize
8603 or customize the controls that represent the specific needs and concerns of those entities.
8604 Related Controls: PL-10, RA-2, RA-3, RA-9, SA-8.
8605 Control Enhancements: None.
8606 References: [FIPS 199]; [FIPS 200]; [SP 800-30]; [SP 800-37]; [SP 800-39]; [SP 800-53B]; [SP 800-
8607 60 v1]; [SP 800-60 v2]; [SP 800-160 v1]; [CNSSI 1253].

CHAPTER THREE PAGE 196

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8608 3.13 PROGRAM MANAGEMENT

8609
PROGRAM MANAGEMENT CONTROLS
8610
[FISMA], [PRIVACT], and [OMB A-130] require Federal agencies to develop, implement, and
provide oversight for organization-wide information security and privacy programs to help
8611 ensure the confidentiality, integrity, and availability federal information processed, stored, and
transmitted by federal information systems and to protect individual privacy. The program
8612 management (PM) controls described in this section are implemented at the organization level
and not directed at individual information systems. The PM controls have been designed to
facilitate organizational compliance with applicable federal laws, Executive Orders, directives,
8613 policies, regulations, and standards. The controls are independent of [FIPS 200] impact levels
and therefore, are not associated with the control baselines described in [SP 800-53B].
8614 Organizations document program management controls in the information security and privacy
program plans. The organization-wide information security program plan (see PM-1) and privacy
program plan (see PM-18) supplement system security and privacy plans (see PL-2) developed
8615 for organizational information systems. Together, the system security and privacy plans for the
individual information systems and the information security and privacy program plans cover
8616 the totality of security and privacy controls employed by the organization.

8617

8618 Quick link to Program Management summary table

8619 PM-1 INFORMATION SECURITY PROGRAM PLAN

8620 Control:
8621 a. Develop and disseminate an organization-wide information security program plan that:
8622 1. Provides an overview of the requirements for the security program and a description of
8623 the security program management controls and common controls in place or planned
8624 for meeting those requirements;
8625 2. Includes the identification and assignment of roles, responsibilities, management
8626 commitment, coordination among organizational entities, and compliance;
8627 3. Reflects the coordination among organizational entities responsible for information
8628 security; and
8629 4. Is approved by a senior official with responsibility and accountability for the risk being
8630 incurred to organizational operations (including mission, functions, image, and
8631 reputation), organizational assets, individuals, other organizations, and the Nation;
8632 b. Review the organization-wide information security program plan [Assignment: organization-
8633 defined frequency];
8634 c. Update the information security program plan to address organizational changes and
8635 problems identified during plan implementation or control assessments; and
8636 d. Protect the information security program plan from unauthorized disclosure and
8637 modification.

CHAPTER THREE PAGE 197

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8638 Discussion: An information security program plan is a formal document that provides an
8639 overview of the security requirements for an organization-wide information security program
8640 and describes the program management controls and common controls in place or planned for
8641 meeting those requirements. Information security program plans can be represented in single
8642 documents or compilations of documents.
8643 Information security program plans document the program management and common controls.
8644 The plans provide sufficient information about the controls (including specification of parameters
8645 for assignment and selection statements explicitly or by reference) to enable implementations
8646 that are unambiguously compliant with the intent of the plans and a determination of the risk to
8647 be incurred if the plans are implemented as intended.
8648 Program management controls are generally implemented at the organization level and are
8649 essential for managing the organization’s information security program. Program management
8650 controls are distinct from common, system-specific, and hybrid controls because program
8651 management controls are independent of any particular information system. The individual
8652 system security plans and the organization-wide information security program plan together,
8653 provide complete coverage for the security controls employed within the organization.
8654 Common controls are documented in an appendix to the organization’s information security
8655 program plan unless the controls are included in a separate security plan for a system. The
8656 organization-wide information security program plan indicates which separate security plans
8657 contain descriptions of common controls.
8658 Related Controls: PL-2, PM-8, PM-12, RA-9, SI-12, SR-2.
8659 Control Enhancements: None.
8660 References: [FISMA]; [OMB A-130].

8661 PM-2 INFORMATION SECURITY PROGRAM LEADERSHIP ROLE

8662 Control: Appoint a senior agency information security officer with the mission and resources to
8663 coordinate, develop, implement, and maintain an organization-wide information security
8664 program.
8665 Discussion: The senior agency information security officer is an organizational official. For
8666 federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies,
8667 and standards), this official is the senior agency information security officer. Organizations may
8668 also refer to this official as the senior information security officer or chief information security
8669 officer.
8670 Related Controls: None.
8671 Control Enhancements: None.
8672 References: [OMB M-17-25]; [SP 800-37]; [SP 800-39].

8673 PM-3 INFORMATION SECURITY AND PRIVACY RESOURCES

8674 Control:
8675 a. Include the resources needed to implement the information security and privacy programs
8676 in capital planning and investment requests and document all exceptions to this
8677 requirement;
8678 b. Prepare documentation required for addressing information security and privacy programs
8679 in capital planning and investment requests in accordance with applicable laws, executive
8680 orders, directives, policies, regulations, standards; and

CHAPTER THREE PAGE 198

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8681 c. Make available for expenditure, the planned information security and privacy resources.
8682 Discussion: Organizations consider establishing champions for information security and privacy
8683 and as part of including the necessary resources, assign specialized expertise and resources as
8684 needed. Organizations may designate and empower an Investment Review Board or similar
8685 group to manage and provide oversight for the information security and privacy aspects of the
8686 capital planning and investment control process.
8687 Related Controls: PM-4, SA-2.
8688 Control Enhancements: None.
8689 References: [OMB A-130].

8690 PM-4 PLAN OF ACTION AND MILESTONES PROCESS

8691 Control:
8692 a. Implement a process to ensure that plans of action and milestones for the information
8693 security and privacy programs and associated organizational systems:
8694 1. Are developed and maintained;
8695 2. Document the remedial information security and privacy actions to adequately respond
8696 to risk to organizational operations and assets, individuals, other organizations, and the
8697 Nation; and
8698 3. Are reported in accordance with established reporting requirements.
8699 b. Review plans of action and milestones for consistency with the organizational risk
8700 management strategy and organization-wide priorities for risk response actions.
8701 Discussion: The plan of action and milestones is a key document in the information security and
8702 privacy programs of organizations and is subject to reporting requirements established by the
8703 Office of Management and Budget. Organizations view plans of action and milestones from an
8704 organization-wide perspective, prioritizing risk response actions and ensuring consistency with
8705 the goals and objectives of the organization. Plan of action and milestones updates are based on
8706 findings from control assessments and continuous monitoring activities. There can be multiple
8707 levels of plan of action and milestones documents corresponding to the information system
8708 level, mission/business process level, and organizational/governance level. While the plan of
8709 action and milestones is required for federal organizations, any type of organization can help
8710 reduce risk by documenting and tracking planned remediations. Specific guidance on plans of
8711 action and milestones for organizational systems in described in CA-5.
8712 Related Controls: CA-5, CA-7, PM-3, RA-7, SI-12.
8713 Control Enhancements: None.
8714 References: [PRIVACT]; [OMB A-130]; [SP 800-37].

8715 PM-5 SYSTEM INVENTORY

8716 Control: Develop and update [Assignment: organization-defined frequency] an inventory of
8717 organizational systems.
8718 Discussion: [OMB A-130] provides guidance on developing systems inventories and associated
8719 reporting requirements. This control refers to an organization-wide inventory of systems, not
8720 system components as described in CM-8.
8721 Related Controls: None.

CHAPTER THREE PAGE 199

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8722 Control Enhancements:

8723 (1) SYSTEM INVENTORY | INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
8724 Establish, maintain, and update [Assignment: organization-defined frequency] an
8725 inventory of all systems, applications, and projects that process personally identifiable
8726 information.
8727 Discussion: An inventory of systems, applications, and projects that process personally
8728 identifiable information supports mapping of data actions, providing individuals with privacy
8729 notices, maintaining accurate personally identifiable information, and limiting the processing
8730 of personally identifiable information when such information is not needed for operational
8731 purposes. Organizations may use this inventory to ensure that systems only process the
8732 personally identifiable information for authorized purposes and that this processing is still
8733 relevant and necessary for the purpose specified therein.
8734 Related Controls: CM-8, CM-12, CM-13, PL-8, PM-22, PT-3, PT-6, SI-12, SI-18.
8735 References: [IR 8062].

8736 PM-6 MEASURES OF PERFORMANCE

8737 Control: Develop, monitor, and report on the results of information security and privacy
8738 measures of performance.
8739 Discussion: Measures of performance are outcome-based metrics used by an organization to
8740 measure the effectiveness or efficiency of the information security and privacy programs and the
8741 controls employed in support of the program.
8742 Related Controls: CA-7.
8743 Control Enhancements: None.
8744 References: [OMB A-130]; [SP 800-55]; [SP 800-137].

8745 PM-7 ENTERPRISE ARCHITECTURE

8746 Control: Develop and maintain an enterprise architecture with consideration for information
8747 security, privacy, and the resulting risk to organizational operations and assets, individuals, other
8748 organizations, and the Nation.
8749 Discussion: The integration of security and privacy requirements and controls into the enterprise
8750 architecture helps to ensure that security and privacy considerations are addressed throughout
8751 the system development life cycle and are explicitly related to the organization’s mission and
8752 business processes. The process of security and privacy requirements integration also embeds
8753 into the enterprise architecture, the organization’s security and privacy architectures consistent
8754 with the organizational risk management strategy. For PM-7, security and privacy architectures
8755 are developed at a system-of-systems level, representing all organizational systems. For PL-8, the
8756 security and privacy architectures are developed at a level representing an individual system. The
8757 system-level architectures are consistent with the security and privacy architectures defined for
8758 the organization. Security and privacy requirements and control integration are most effectively
8759 accomplished through the rigorous application of the Risk Management Framework [SP 800-37]
8760 and supporting security standards and guidelines.
8761 Related Controls: AU-6, PL-2, PL-8, PM-11, RA-2, SA-3, SA-8, SA-17.

CHAPTER THREE PAGE 200

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8762 Control Enhancements:

8763 (1) ENTERPRISE ARCHITECTURE | OFFLOADING
8764 Offload [Assignment: organization-defined non-essential functions or services] to other
8765 systems, system components, or an external provider.
8766 Discussion: Not every function or service a system provides is essential to an organization’s
8767 missions or business operations. Printing or copying is an example of a non-essential but
8768 supporting service for an organization. Whenever feasible, such supportive but non-essential
8769 functions or services are not co-located with the functions or services supporting essential
8770 missions or business operations. Maintaining such functions on the same system or system
8771 component increases the attack surface of the organization’s mission essential functions or
8772 services. Moving supportive but non-essential functions to a non-critical system, system
8773 component, or external provider can also increase efficiency by putting those functions or
8774 services under the control of individuals or providers who are subject matter experts in the
8775 functions or services.
8776 Related Controls: SA-8.
8777 References: [OMB A-130]; [SP 800-37]; [SP 800-39]; [SP 800-160 v1]; [SP 800-160 v2].

8778 PM-8 CRITICAL INFRASTRUCTURE PLAN

8779 Control: Address information security and privacy issues in the development, documentation,
8780 and updating of a critical infrastructure and key resources protection plan.
8781 Discussion: Protection strategies are based on the prioritization of critical assets and resources.
8782 The requirement and guidance for defining critical infrastructure and key resources and for
8783 preparing an associated critical infrastructure protection plan are found in applicable laws,
8784 executive orders, directives, policies, regulations, standards, and guidelines.
8785 Related Controls: CP-2, CP-4, PE-18, PL-2, PM-9, PM-11, PM-18, RA-3, SI-12.
8786 Control Enhancements: None.
8787 References: [OMB A-130]; [HSPD 7]; [DHS NIPP].

8788 PM-9 RISK MANAGEMENT STRATEGY

8789 Control:
8790 a. Develops a comprehensive strategy to manage:
8791 1. Security risk to organizational operations and assets, individuals, other organizations,
8792 and the Nation associated with the operation and use of organizational systems; and
8793 2. Privacy risk to individuals resulting from the authorized processing of personally
8794 identifiable information;
8795 b. Implement the risk management strategy consistently across the organization; and
8796 c. Review and update the risk management strategy [Assignment: organization-defined
8797 frequency] or as required, to address organizational changes.
8798 Discussion: An organization-wide risk management strategy includes an expression of the
8799 security and privacy risk tolerance for the organization; security and privacy risk mitigation
8800 strategies; acceptable risk assessment methodologies; a process for evaluating security and
8801 privacy risk across the organization with respect to the organization’s risk tolerance; and
8802 approaches for monitoring risk over time. The senior accountable official for risk management
8803 (agency head or designated official) aligns information security management processes with
8804 strategic, operational, and budgetary planning processes. The risk executive function, led by the

CHAPTER THREE PAGE 201

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8805 senior accountable official for risk management, can facilitate consistent application of the risk
8806 management strategy organization-wide. The risk management strategy can be informed by
8807 security and privacy risk-related inputs from other sources, both internal and external to the
8808 organization, to ensure the strategy is broad-based and comprehensive.
8809 Related Controls: AC-1, AU-1, AT-1, CA-1, CA-2, CA-5, CA-6, CA-7, CM-1, CP-1, IA-1, IR-1, MA-1,
8810 MP-1, PE-1, PL-1, PL-2, PM-2, PM-8, PM-18, PM-28, PM-30, PS-1, PT-1, PT-2, PT-3, RA-1, RA-3,
8811 RA-9, SA-1, SA-4, SC-1, SC-38, SI-1, SI-12, SR-1, SR-2.
8812 Control Enhancements: None.
8813 References: [OMB A-130]; [SP 800-30]; [SP 800-39]; [SP 800-161]; [IR 8023].

8814 PM-10 AUTHORIZATION PROCESS

8815 Control:
8816 a. Manage the security and privacy state of organizational systems and the environments in
8817 which those systems operate through authorization processes;
8818 b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk
8819 management process; and
8820 c. Integrate the authorization processes into an organization-wide risk management program.
8821 Discussion: Authorization processes for organizational systems and environments of operation
8822 require the implementation of an organization-wide risk management process and associated
8823 security and privacy standards and guidelines. Specific roles for risk management processes
8824 include a risk executive (function) and designated authorizing officials for each organizational
8825 system and common control provider. The organizational authorization processes are integrated
8826 with continuous monitoring processes to facilitate ongoing understanding and acceptance of
8827 security and privacy risks to organizational operations, organizational assets, individuals, other
8828 organizations, and the Nation.
8829 Related Controls: CA-6, CA-7, PL-2.
8830 Control Enhancements: None.
8831 References: [SP 800-37]; [SP 800-39].

8832 PM-11 MISSION AND BUSINESS PROCESS DEFINITION

8833 Control:
8834 a. Define organizational mission and business processes with consideration for information
8835 security and privacy and the resulting risk to organizational operations, organizational assets,
8836 individuals, other organizations, and the Nation; and
8837 b. Determine information protection and personally identifiable information processing needs
8838 arising from the defined mission and business processes; and
8839 c. Review and revise the mission and business processes [Assignment: organization-defined
8840 frequency].
8841 Discussion: Protection needs are technology-independent, required capabilities to counter
8842 threats to organizations, individuals, systems, and the Nation through the compromise of
8843 information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection
8844 and personally identifiable information processing needs are derived from the mission and
8845 business needs defined by the stakeholders in organizations, the mission and business processes
8846 defined to meet those needs, and the organizational risk management strategy. Information
8847 protection and personally identifiable information processing needs determine the required

CHAPTER THREE PAGE 202

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8848 controls for the organization and the systems. Inherent in defining protection and personally
8849 identifiable information processing needs, is an understanding of adverse impact that could
8850 result if a compromise or breach of information occurs. The categorization process is used to
8851 make such potential impact determinations. Privacy risks to individuals can arise from the
8852 compromise of personally identifiable information, but they can also arise as unintended
8853 consequences or a byproduct of authorized processing of information at any stage of the data
8854 life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals
8855 from system processing of personally identifiable information. These risk assessments enable the
8856 selection of the required privacy controls for the organization and systems. Mission and business
8857 process definitions and the associated protection requirements are documented in accordance
8858 with organizational policy and procedures.
8859 Related Controls: CP-2, PL-2, PM-7, PM-8, RA-2, RA-3, SA-2.
8860 Control Enhancements: None.
8861 References: [OMB A-130]; [FIPS 199]; [SP 800-60 v1]; [SP 800-60 v2]; [SP 800-160 v1].

8862 PM-12 INSIDER THREAT PROGRAM

8863 Control: Implement an insider threat program that includes a cross-discipline insider threat
8864 incident handling team.
8865 Discussion: Organizations handling classified information are required, under Executive Order
8866 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat
8867 programs. The same standards and guidelines that apply to insider threat programs in classified
8868 environments can also be employed effectively to improve the security of controlled unclassified
8869 and other information in non-national security systems. Insider threat programs include controls
8870 to detect and prevent malicious insider activity through the centralized integration and analysis
8871 of both technical and non-technical information to identify potential insider threat concerns. A
8872 senior official is designated by the department or agency head as the responsible individual to
8873 implement and provide oversight for the program. In addition to the centralized integration and
8874 analysis capability, insider threat programs require organizations to prepare department or
8875 agency insider threat policies and implementation plans; conduct host-based user monitoring of
8876 individual employee activities on government-owned classified computers; provide insider threat
8877 awareness training to employees; receive access to information from offices in the department
8878 or agency for insider threat analysis; and conduct self-assessments of department or agency
8879 insider threat posture.
8880 Insider threat programs can leverage the existence of incident handling teams that organizations
8881 may already have in place, such as computer security incident response teams. Human resources
8882 records are especially important in this effort, as there is compelling evidence to show that some
8883 types of insider crimes are often preceded by nontechnical behaviors in the workplace, including
8884 ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues.
8885 These precursors can guide organizational officials in more focused, targeted monitoring efforts.
8886 However, the use of human resource records could raise significant concerns for privacy. The
8887 participation of a legal team, including consultation with the senior agency official for privacy,
8888 ensures that monitoring activities are performed in accordance with applicable laws, executive
8889 orders, directives, regulations, policies, standards, and guidelines.
8890 Related Controls: AC-6, AT-2, AU-6, AU-7, AU-10, AU-12, AU-13, CA-7, IA-4, IR-4, MP-7, PE-2, PM-
8891 16, PS-3, PS-4, PS-5, PS-7, PS-8, SC-7, SC-38, SI-4, PM-14.
8892 Control Enhancements: None.
8893 References: [EO 13587]; [ODNI NITP].

CHAPTER THREE PAGE 203

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8894 PM-13 SECURITY AND PRIVACY WORKFORCE

8895 Control: Establish a security and privacy workforce development and improvement program.
8896 Discussion: Security and privacy workforce development and improvement programs include
8897 defining the knowledge, skills, and abilities needed to perform security and privacy duties and
8898 tasks; developing role-based training programs for individuals assigned security and privacy roles
8899 and responsibilities; and providing standards and guidelines for measuring and building individual
8900 qualifications for incumbents and applicants for security- and privacy-related positions. Such
8901 workforce development and improvement programs can also include security and privacy career
8902 paths to encourage security and privacy professionals to advance in the field and fill positions
8903 with greater responsibility. The programs encourage organizations to fill security- and privacy-
8904 related positions with qualified personnel. Security and privacy workforce development and
8905 improvement programs are complementary to organizational security awareness and training
8906 programs and focus on developing and institutionalizing the core security and privacy capabilities
8907 of personnel needed to protect organizational operations, assets, and individuals.
8908 Related Controls: AT-2, AT-3.
8909 Control Enhancements: None.
8910 References: [OMB A-130]; [SP 800-181].

8911 PM-14 TESTING, TRAINING, AND MONITORING

8912 Control:
8913 a. Implement a process for ensuring that organizational plans for conducting security and
8914 privacy testing, training, and monitoring activities associated with organizational systems:
8915 1. Are developed and maintained; and
8916 2. Continue to be executed; and
8917 b. Review testing, training, and monitoring plans for consistency with the organizational risk
8918 management strategy and organization-wide priorities for risk response actions.
8919 Discussion: This control ensures that organizations provide oversight for testing, training, and
8920 monitoring activities and that those activities are coordinated. With the growing importance of
8921 continuous monitoring programs, the implementation of information security and privacy across
8922 the three levels of the risk management hierarchy and the widespread use of common controls,
8923 organizations coordinate and consolidate the testing and monitoring activities that are routinely
8924 conducted as part of ongoing assessments supporting a variety of controls. Security and privacy
8925 training activities, while focused on individual systems and specific roles, require coordination
8926 across all organizational elements. Testing, training, and monitoring plans and activities are
8927 informed by current threat and vulnerability assessments.
8928 Related Controls: AT-2, AT-3, CA-7, CP-4, IR-3, PM-12, SI-4.
8929 Control Enhancements: None.
8930 References: [OMB A-130]; [SP 800-37]; [SP 800-39]; [SP 800-53A]; [SP 800-115]; [SP 800-137].

8931 PM-15 SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS

8932 Control: Establish and institutionalize contact with selected groups and associations within the
8933 security and privacy communities:
8934 a. To facilitate ongoing security and privacy education and training for organizational
8935 personnel;

CHAPTER THREE PAGE 204

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8936 b. To maintain currency with recommended security and privacy practices, techniques, and
8937 technologies; and
8938 c. To share current security and privacy information, including threats, vulnerabilities, and
8939 incidents.
8940 Discussion: Ongoing contact with security and privacy groups and associations is important in an
8941 environment of rapidly changing technologies and threats. Groups and associations include
8942 special interest groups, professional associations, forums, news groups, users’ groups, and peer
8943 groups of security and privacy professionals in similar organizations. Organizations select security
8944 and privacy groups and associations based on missions and business functions. Organizations
8945 share threat, vulnerability, and incident information as well as contextual insights, compliance
8946 techniques, and privacy problems consistent with applicable laws, executive orders, directives,
8947 policies, regulations, standards, and guidelines.
8948 Related Controls: SA-11, SI-5.
8949 Control Enhancements: None.
8950 References: [OMB A-130].

8951 PM-16 THREAT AWARENESS PROGRAM

8952 Control: Implement a threat awareness program that includes a cross-organization information-
8953 sharing capability for threat intelligence.
8954 Discussion: Because of the constantly changing and increasing sophistication of adversaries,
8955 especially the advanced persistent threat (APT), it may be more likely that adversaries can
8956 successfully breach or compromise organizational systems. One of the best techniques to
8957 address this concern is for organizations to share threat information including threat events (i.e.,
8958 tactics, techniques, and procedures) that organizations have experienced; mitigations that
8959 organizations have found are effective against certain types of threats; and threat intelligence
8960 (i.e., indications and warnings about threats). Threat information sharing may be bilateral or
8961 multilateral. Bilateral threat sharing includes government-to-commercial and government-to-
8962 government cooperatives. Multilateral threat sharing includes organizations taking part in threat-
8963 sharing consortia. Threat information may be highly sensitive requiring special agreements and
8964 protection, or less sensitive and freely shared.
8965 Related Controls: IR-4, PM-12.
8966 Control Enhancements:
8967 (1) THREAT AWARENESS PROGRAM | AUTOMATED MEANS FOR SHARING THREAT INTELLIGENCE
8968 Employ automated mechanisms to maximize the effectiveness of sharing threat
8969 intelligence information.
8970 Discussion: To maximize the effectiveness of monitoring, it is important to know what
8971 threat observables and indicators the sensors need to be searching for. By utilizing well
8972 established frameworks, services, and automated tools, organizations improve their ability
8973 to rapidly share and feed into monitoring tools, the relevant threat detection signatures.
8974 Related Controls: None.
8975 References: None.

CHAPTER THREE PAGE 205

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

8976 PM-17 PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS

8977 Control:
8978 a. Establish policy and procedures to ensure that requirements for the protection of controlled
8979 unclassified information that is processed, stored or transmitted on external systems, are
8980 implemented in accordance with applicable laws, executive orders, directives, policies,
8981 regulations, and standards.
8982 b. Update the policy and procedures [Assignment: organization-defined frequency].
8983 Discussion: Controlled unclassified information is defined by the National Archives and Records
8984 Administration along with the safeguarding and dissemination requirements for such information
8985 and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization,
8986 in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in
8987 accordance with organizational procedures, including via its contracting processes.
8988 Related Controls: CA-6, PM-10.
8989 Control Enhancements: None.
8990 References: [32 CFR 2002]; [SP 800-171]; [NARA CUI].

8991 PM-18 PRIVACY PROGRAM PLAN

8992 Control:
8993 a. Develop and disseminate an organization-wide privacy program plan that provides an
8994 overview of the agency’s privacy program, and:
8995 1. Includes a description of the structure of the privacy program and the resources
8996 dedicated to the privacy program;
8997 2. Provides an overview of the requirements for the privacy program and a description of
8998 the privacy program management controls and common controls in place or planned for
8999 meeting those requirements;
9000 3. Includes the role of the senior agency official for privacy and the identification and
9001 assignment of roles of other privacy officials and staff and their responsibilities;
9002 4. Describes management commitment, compliance, and the strategic goals and objectives
9003 of the privacy program;
9004 5. Reflects coordination among organizational entities responsible for the different aspects
9005 of privacy; and
9006 6. Is approved by a senior official with responsibility and accountability for the privacy risk
9007 being incurred to organizational operations (including mission, functions, image, and
9008 reputation), organizational assets, individuals, other organizations, and the Nation; and
9009 b. Update the plan to address changes in federal privacy laws and policy and organizational
9010 changes and problems identified during plan implementation or privacy control
9011 assessments.
9012 Discussion: A privacy program plan is a formal document that provides an overview of an
9013 organization’s privacy program, including a description of the structure of the privacy program;
9014 the resources dedicated to the privacy program; the role of the senior agency official for privacy
9015 and other privacy officials and staff; the strategic goals and objectives of the privacy program;
9016 and the program management controls and common controls in place or planned for meeting
9017 applicable privacy requirements and managing privacy risks. Privacy program plans can be
9018 represented in single documents or compilations of documents.

CHAPTER THREE PAGE 206

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9019 The senior agency official for privacy is responsible for designating which privacy controls the
9020 organization will treat as program management, common, system-specific, and hybrid controls.
9021 Privacy program plans provide sufficient information about the privacy program management
9022 and common controls (including the specification of parameters and assignment and selection
9023 statements explicitly or by reference) to enable control implementations that are unambiguously
9024 compliant with the intent of the plans and a determination of the risk incurred if the plans are
9025 implemented as intended.
9026 Program management controls are generally implemented at the organization level and are
9027 essential for managing the organization’s privacy program. Program management controls are
9028 distinct from common, system-specific, and hybrid controls because program management
9029 controls are independent of any particular information system. The privacy plans for individual
9030 systems and the organization-wide privacy program plan together, provide complete coverage
9031 for the privacy controls employed within the organization.
9032 Common controls are documented in an appendix to the organization’s privacy program plan
9033 unless the controls are included in a separate privacy plan for a system. The organization-wide
9034 privacy program plan indicates which separate privacy plans contain descriptions of privacy
9035 controls.
9036 Related Controls: PM-8, PM-9, PM-19.
9037 Control Enhancements: None.
9038 References: [PRIVACT]; [OMB A-130].

9039 PM-19 PRIVACY PROGRAM LEADERSHIP ROLE

9040 Control: Appoint a senior agency official for privacy with the authority, mission, accountability,
9041 and resources to coordinate, develop, and implement, applicable privacy requirements and
9042 manage privacy risks through the organization-wide privacy program.
9043 Discussion: The privacy officer is an organizational official. For federal agencies, as defined by
9044 applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this
9045 official is designated as the senior agency official for privacy. Organizations may also refer to this
9046 official as the chief privacy officer. The senior agency official for privacy also has a role in the data
9047 management board (see PM-23) and the data integrity board (see PM-24).
9048 Related Controls: PM-18, PM-20, PM-23, PM-24.
9049 Control Enhancements: None.
9050 References: [OMB A-130].

9051 PM-20 DISSEMINATION OF PRIVACY PROGRAM INFORMATION

9052 Control: Maintain a central resource webpage on the organization’s principal public website that
9053 serves as a central source of information about the organization’s privacy program and that:
9054 a. Ensures that the public has access to information about organizational privacy activities and
9055 can communicate with its senior agency official for privacy;
9056 b. Ensures that organizational privacy practices and reports are publicly available; and
9057 c. Employs publicly facing email addresses and/or phone lines to enable the public to provide
9058 feedback and/or direct questions to privacy offices regarding privacy practices.
9059 Discussion: Organizations maintain a central resource webpage on their principal public website
9060 for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy.
9061 Organizations should use the webpage to inform the public about privacy policies and practices,

CHAPTER THREE PAGE 207

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9062 including privacy impact assessments, system of records notices, computer matching notices and
9063 agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making
9064 an access or amendment request, privacy reports, privacy policies, email addresses for
9065 questions/complaints, blogs, and periodic publications.
9066 Related Controls: PM-19, PT-6, PT-7, RA-8.
9067 Control Enhancements: None.
9068 References: [PRIVACT]; [OMB A-130]; [OMB M-17-06].

9069 PM-21 ACCOUNTING OF DISCLOSURES

9070 Control:
9071 a. Develop and maintain an accurate accounting of disclosures of personally identifiable
9072 information, including:
9073 1. Date, nature, and purpose of each disclosure; and
9074 2. Name and address, or other contact information of the person or organization to which
9075 the disclosure was made;
9076 b. Retain the accounting of disclosures for the length of the time the personally identifiable
9077 information is maintained or five years after the disclosure is made, whichever is longer; and
9078 c. Make the accounting of disclosures available to the individual to whom the personally
9079 identifiable information relates upon request.
9080 Discussion: The purpose of accounting of disclosures is to allow individuals to learn to whom
9081 their personally identifiable information has been disclosed; to provide a basis for subsequently
9082 advising recipients of any corrected or disputed personally identifiable information; and to
9083 provide an audit trail for subsequent reviews of organizational compliance with conditions for
9084 disclosures. For federal agencies, keeping an accounting of disclosures is required by the
9085 [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel
9086 on this requirement and be aware of the statutory exceptions and OMB guidance relating to the
9087 provision.
9088 Organizations can use any system for keeping notations of disclosures, if it can construct from
9089 such a system, a document listing of all disclosures along with the required information.
9090 Automated mechanisms can be used by organizations to determine when personally identifiable
9091 information is disclosed, including commercial services providing notifications and alerts.
9092 Accounting of disclosures may also be used to help organizations verify compliance with
9093 applicable privacy statutes and policies governing disclosure or dissemination of information and
9094 dissemination restrictions.
9095 Related Controls: AU-2, PT-2.
9096 Control Enhancements: None.
9097 References: [PRIVACT]; [OMB A-130].

9098 PM-22 PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT

9099 Control: Develop and document policies and procedures for:
9100 a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally
9101 identifiable information across the information life cycle;
9102 b. Correcting or deleting inaccurate or outdated personally identifiable information;

CHAPTER THREE PAGE 208

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9103 c. Disseminating notice of corrected or deleted personally identifiable information to

9104 individuals or other appropriate entities; and
9105 d. Appeals of adverse decisions on correction or deletion requests.
9106 Discussion: Personally identifiable information quality management include steps that
9107 organizations take to confirm the accuracy and relevance of personally identifiable information
9108 throughout the information life cycle. The information life cycle includes the creation, collection,
9109 use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally
9110 identifiable information. Organizational policies and procedures for personally identifiable
9111 information quality management are important because inaccurate or outdated personally
9112 identifiable information maintained by organizations may cause problems for individuals.
9113 Organizations consider the quality of personally identifiable information involved in business
9114 functions where inaccurate information may result in adverse decisions or the denial of benefits
9115 and services, or the disclosure of the information may cause stigmatization. Correct information,
9116 in certain circumstances, can cause problems for individuals that outweigh the benefits of
9117 organizations maintaining the information. Organizations consider creating policies and
9118 procedures for the removal of such information.
9119 The senior agency official for privacy ensures that practical means and mechanisms exist and are
9120 accessible for individuals or their authorized representatives to seek the correction or deletion of
9121 personally identifiable information. Processes for correcting or deleting data are clearly defined
9122 and publicly available. Organizations use discretion in determining whether data is to be deleted
9123 or corrected based on the scope of requests, the changes sought, and the impact of the changes.
9124 Additionally, processes include the provision of responses to individuals of decisions to deny
9125 requests for correction or deletion. The responses include the reasons for the decisions, a means
9126 to record individual objections to the decisions, and a means of requesting reviews of the initial
9127 determinations.
9128 Organizations notify individuals or their designated representatives when their personally
9129 identifiable information is corrected or deleted to provide transparency and confirm the
9130 completed action. Due to complexity of data flows and storage, other entities may need to be
9131 informed of correction or deletion. Notice supports the consistent correction and deletion of
9132 personally identifiable information across the data ecosystem.
9133 Related Controls: PM-23, SI-18.
9134 Control Enhancements: None.
9135 References: [OMB A-130]; [SP 800-188].

9136 PM-23 DATA GOVERNANCE BODY

9137 Control: Establish a Data Governance Body consisting of [Assignment: organization-defined
9138 roles] with [Assignment: organization-defined responsibilities].
9139 Discussion: A Data Governance Body can help ensure that the organization has coherent policies
9140 and the ability to balance the utility of data with security and privacy requirements. The Data
9141 Governance Body establishes policies, procedures, and standards that facilitate data governance
9142 so that data, including personally identifiable information, is effectively managed and maintained
9143 in accordance with applicable laws, executive orders, directives, regulations, policies, standards,
9144 and guidance. Responsibilities can include developing and implementing guidelines supporting
9145 data modeling, quality, integrity, and de-identification needs of personally identifiable
9146 information across the information life cycle and reviewing and approving applications to release
9147 data outside of the organization, archiving the applications and the released data, and
9148 performing post-release monitoring to ensure that the assumptions made as part of the data
9149 release continue to be valid. Members include the chief information officer, senior agency

CHAPTER THREE PAGE 209

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9150 information security officer, and senior agency official for privacy. Federal agencies are required
9151 to establish a Data Governance Body with specific roles and responsibilities in accordance with
9152 the [EVIDACT] and policies set forth under [OMB M-19-23].
9153 Related Controls: AT-2, AT-3, PM-19, PM-22, PM-24, PT-8, SI-4, SI-19.
9154 Control Enhancements: None.
9155 References: [EVIDACT]; [OMB A-130]; [OMB M-19-23]; [SP 800-188].

9156 PM-24 DATA INTEGRITY BOARD

9157 Control: Establish a Data Integrity Board to:
9158 a. Review proposals to conduct or participate in a matching program; and
9159 b. Conduct an annual review of all matching programs in which the agency has participated.
9160 Discussion: A Data Integrity Board is the board of senior officials designated by the head of a
9161 federal agency that is responsible for, among other things, reviewing the agency’s proposals to
9162 conduct or participate in a matching program and conducting an annual review of all matching
9163 programs in which the agency has participated. As a general matter, a matching program is a
9164 computerized comparison of records from two or more automated [PRIVACT] systems of
9165 records, or an automated system of records and automated records maintained by a non-Federal
9166 agency (or agent thereof). A matching program either pertains to Federal benefit programs or
9167 Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the
9168 Inspector General of the agency, if any, and the senior agency official for privacy.
9169 Related Controls: AC-4, PM-19, PM-23, PT-8.
9170 Control Enhancements: None.
9171 References: [PRIVACT]; [OMB A-130, Appendix II]; [OMB A-108].

9172 PM-25 MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH

9173 Control:
9174 a. Develop, document, and implement policies and procedures that address the use of
9175 personally identifiable information for internal testing, training, and research;
9176 b. Limit or minimize the amount of personally identifiable information used for internal testing,
9177 training, and research purposes;
9178 c. Authorize the use of personally identifiable information when such information is required
9179 for internal testing, training, and research; and
9180 d. Review and update policies and procedures [Assignment: organization-defined frequency].
9181 Discussion: The use of personally identifiable information in testing, research, and training
9182 increases risk of unauthorized disclosure or misuse of such information. Organizations consult
9183 with the senior agency official for privacy and legal counsel to ensure that the use of personally
9184 identifiable information in testing, training, and research is compatible with the original purpose
9185 for which it was collected. When possible, organizations use placeholder data to avoid exposure
9186 of personally identifiable information when conducting testing, training, and research. The use of
9187 live data for testing, training, and research is also addressed in SA-3(2).
9188 Related Controls: PM-23, PT-3, SA-3.
9189 Control Enhancements: None.
9190 References: [OMB A-130, Appendix II].

CHAPTER THREE PAGE 210

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9191 PM-26 COMPLAINT MANAGEMENT

9192 Control: Implement a process for receiving and responding to complaints, concerns, or questions
9193 from individuals about the organizational privacy practices that includes:
9194 a. Mechanisms that are easy to use and readily accessible by the public;
9195 b. All information necessary for successfully filing complaints;
9196 c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within
9197 [Assignment: organization-defined time-period];
9198 d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within
9199 [Assignment: organization-defined time-period]; and
9200 e. Response to complaints, concerns, or questions from individuals within [Assignment:
9201 organization-defined time-period].
9202 Discussion: Complaints, concerns, and questions from individuals can serve as a valuable source
9203 of input to organizations that ultimately improves operational models, uses of technology, data
9204 collection practices, and controls. Mechanisms that can be used by the public include telephone
9205 hotline, email, or web-based forms. The information necessary for successfully filing complaints
9206 includes contact information for the senior agency official for privacy or other official designated
9207 to receive complaints. Privacy complaints may also include personally identifiable information.
9208 Related Controls: IR-7, IR-9, PM-22, SI-18.
9209 Control Enhancements: None.
9210 References: [OMB A-130].

9211 PM-27 PRIVACY REPORTING

9212 Control:
9213 a. Develop [Assignment: organization-defined privacy reports] and disseminate to:
9214 1. OMB, Congress, and other oversight bodies to demonstrate accountability with
9215 statutory, regulatory, and policy privacy mandates; and
9216 2. [Assignment: organization-defined officials] and other personnel with responsibility for
9217 monitoring privacy program compliance; and
9218 b. Review and update privacy reports [Assignment: organization-defined frequency].
9219 Discussion: Through internal and external reporting, organizations promote accountability and
9220 transparency in organizational privacy operations. Reporting can also help organizations to
9221 determine progress in meeting privacy compliance requirements and privacy controls, compare
9222 performance across the federal government, discover vulnerabilities, identify gaps in policy and
9223 implementation, and identify models for success. Privacy reports include annual senior agency
9224 official for privacy reports to OMB; reports to Congress required by Implementing Regulations of
9225 the 9/11 Commission Act; and other public reports required by law, regulation, or policy,
9226 including internal policies of organizations. The senior agency official for privacy consults with
9227 legal counsel, where appropriate, to ensure that organizations meet all applicable privacy
9228 reporting requirements.
9229 Related Controls: IR-9, PM-19.
9230 Control Enhancements: None.
9231 References: [FISMA]; [OMB A-130]; [OMB A-108].

CHAPTER THREE PAGE 211

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9232 PM-28 RISK FRAMING

9233 Control:
9234 a. Identify and document:
9235 1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
9236 2. Constraints affecting risk assessments, risk responses, and risk monitoring;
9237 3. Priorities and trade-offs considered by the organization for managing risk; and
9238 4. Organizational risk tolerance; and
9239 b. Distribute the results of risk framing activities to [Assignment: organization-defined
9240 personnel];
9241 c. Review and update risk framing considerations [Assignment: organization-defined
9242 frequency].
9243 Discussion: Risk framing is most effective when conducted at the organization level. The
9244 assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk
9245 framing process, inform the risk management strategy which in turn, informs the conduct of risk
9246 assessment, risk response, and risk monitoring activities. Risk framing results are shared with
9247 organizational personnel including mission/business owners, information owners or stewards,
9248 system owners, authorizing officials, senior agency information security officer, senior agency
9249 official for privacy, and senior accountable official for risk management.
9250 Related Controls: CA-7, PM-9, RA-3, RA-7.
9251 Control Enhancements: None.
9252 References: [OMB A-130]; [SP 800-39].

9253 PM-29 RISK MANAGEMENT PROGRAM LEADERSHIP ROLES

9254 Control:
9255 a. Appoint a Senior Accountable Official for Risk Management to align organizational
9256 information security and privacy management processes with strategic, operational, and
9257 budgetary planning processes; and
9258 b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide
9259 perspective and ensure management of risk is consistent across the organization.
9260 Discussion: The senior accountable official for risk management leads the risk executive
9261 (function) in organization-wide risk management activities.
9262 Related Controls: PM-2, PM-19.
9263 Control Enhancements: None.
9264 References: [SP 800-37].

9265 PM-30 SUPPLY CHAIN RISK MANAGEMENT STRATEGY

9266 Control:
9267 a. Develop an organization-wide strategy for managing supply chain risks associated with the
9268 development, acquisition, maintenance, and disposal of systems, system components, and
9269 system services;
9270 b. Implement the supply chain risk management strategy consistently across the organization;
9271 and

CHAPTER THREE PAGE 212

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9272 c. Review and update the supply chain risk management strategy on [Assignment:
9273 organization-defined frequency] or as required, to address organizational changes.
9274 Discussion: An organization-wide supply chain risk management strategy includes an
9275 unambiguous expression of the supply chain risk tolerance for the organization, acceptable
9276 supply chain risk mitigation strategies or controls, a process for consistently evaluating and
9277 monitoring supply chain risk, approaches for implementing and communicating the supply chain
9278 risk management strategy, and the associated roles and responsibilities. Supply chain risk
9279 management includes considerations of both security and privacy risks associated with the
9280 development, acquisition, maintenance, and disposal of systems, system components, and
9281 system services. The supply chain risk management strategy can be incorporated into the
9282 organization’s overarching risk management strategy and can guide and inform the system-level
9283 supply chain risk management plan. The use of a risk executive function can facilitate a
9284 consistent, organization-wide application of the supply chain risk management strategy. The
9285 supply chain risk management strategy is implemented at the organizational level, whereas the
9286 supply chain risk management plan (see SR-2) is applied at the system-level.
9287 Related Controls: PM-9, SR-1, SR-2, SR-3, SR-4, SR-5, SR-6, SR-7, SR-8, SR-9, SR-11.
9288 Control Enhancements: None.
9289 References: [SP 800-161].

9290 PM-31 CONTINUOUS MONITORING STRATEGY

9291 Control: Develop an organization-wide continuous monitoring strategy and implement
9292 continuous monitoring programs that include:
9293 a. Establishing the following organization-wide metrics to be monitored: [Assignment:
9294 organization-defined metrics];
9295 b. Establishing [Assignment: organization-defined frequencies] for monitoring and
9296 [Assignment: organization-defined frequencies] for assessment of control effectiveness;
9297 c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous
9298 monitoring strategy;
9299 d. Correlation and analysis of information generated by control assessments and monitoring;
9300 e. Response actions to address results of the analysis of control assessment and monitoring
9301 information; and
9302 f. Reporting the security and privacy status of organizational systems to [Assignment:
9303 organization-defined personnel or roles] [Assignment: organization-defined frequency].
9304 Discussion: Continuous monitoring at the organization level facilitates ongoing awareness of the
9305 security and privacy posture across the organization to support organizational risk management
9306 decisions. The terms continuous and ongoing imply that organizations assess and monitor their
9307 controls and risks at a frequency sufficient to support risk-based decisions. Different types of
9308 controls may require different monitoring frequencies. The results of continuous monitoring
9309 guide and inform risk response actions by organizations. Continuous monitoring programs allow
9310 organizations to maintain the authorizations of systems and common controls in highly dynamic
9311 environments of operation with changing mission and business needs, threats, vulnerabilities,
9312 and technologies. Having access to security- and privacy-related information on a continuing
9313 basis through reports and dashboards gives organizational officials the capability to make
9314 effective and timely risk management decisions, including ongoing authorization decisions.
9315 Monitoring requirements, including the need for specific monitoring, may be referenced in other
9316 controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-
9317 2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b,

CHAPTER THREE PAGE 213

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9318 MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a,
9319 SC-7(24)(b), SC-18c, SC-43b, SI-4.
9320 Related Controls: AC-2, AC-6, AC-17, AT-4, AU-6, AU-13, CA-2, CA-5, CA-6, CA-7, CM-3, CM-4,
9321 CM-6, CM-11, IA-5, IR-5, MA-2, MA-3, MA-4, PE-3, PE-6, PE-14, PE-16, PE-20, PL-2, PM-4, PM-6,
9322 PM-9, PM-10, PM-12, PM-14, PM-23, PM-28, PS-7, PT-8, RA-3, RA-5, RA-7, SA-9, SA-11, SC-5, SC-
9323 7, SC-18, SC-38, SC-43, SC-38, SI-3, SI-4, SI-12, SR-2, SR-4.
9324 References: [SP 800-37]; [SP 800-137].

9325 PM-32 PURPOSING

9326 Control: Analyze [Assignment: organization-defined systems or systems components] supporting
9327 mission essential services or functions to ensure that the information resources are being used
9328 consistent with their intended purpose.
9329 Discussion: Systems are designed to support a specific mission or business function. However,
9330 over time, systems and system components may be used to support services and functions that
9331 are outside the scope of the intended mission or business functions. This can result in exposing
9332 information resources to unintended environments and uses that can significantly increase
9333 threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can
9334 ultimately impact the services and functions for which they were intended. This is especially
9335 impactful for mission essential services and functions. By analyzing resource use, organizations
9336 can identify such potential exposures.
9337 Related Controls: CA-7, PL-2, RA-3, RA-9.
9338 Control Enhancements: None.
9339 References: [SP 800-137].

9340 PM-33 PRIVACY POLICIES ON WEBSITES, APPLICATIONS, AND DIGITAL SERVICES

9341 Control: Develop and post privacy policies on all external-facing websites, mobile applications,
9342 and other digital services, that:
9343 a. Are written in plain language and organized in a way that is easy to understand and
9344 navigate;
9345 b. Provide useful information that the public would need to make an informed decision about
9346 whether and how to interact with the organization; and
9347 c. Are updated whenever the organization makes a substantive change to the practices it
9348 describes and includes a time/date stamp to inform the public of the date of the most
9349 recent changes.
9350 Discussion: Organizations post privacy policies on all external-facing websites, mobile
9351 applications, and other digital services. Organizations should post a link to the relevant privacy
9352 policy on any known, major entry points to the website, application, or digital service. In
9353 addition, organizations should provide a link to the privacy policy on any webpage that collects
9354 personally identifiable information.
9355 Related Controls: PM-19, PM-20, PT-6, PT-7, RA-8.
9356 Control Enhancements: None.
9357 References: [OMB A-130].

CHAPTER THREE PAGE 214

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9358 3.14 PERSONNEL SECURITY

9359 Quick link to Personnel Security summary table

9360 PS-1 POLICY AND PROCEDURES

9361 Control:
9362 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
9363 roles]:
9364 1. [Selection (one or more): organization-level; mission/business process-level; system-
9365 level] personnel security policy that:
9366 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
9367 coordination among organizational entities, and compliance; and
9368 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
9369 standards, and guidelines; and
9370 2. Procedures to facilitate the implementation of the personnel security policy and the
9371 associated personnel security controls;
9372 b. Designate an [Assignment: organization-defined official] to manage the development,
9373 documentation, and dissemination of the personnel security policy and procedures; and
9374 c. Review and update the current personnel security:
9375 1. Policy [Assignment: organization-defined frequency]; and
9376 2. Procedures [Assignment: organization-defined frequency].
9377 Discussion: This control addresses policy and procedures for the controls in the PS family
9378 implemented within systems and organizations. The risk management strategy is an important
9379 factor in establishing such policies and procedures. Policies and procedures help provide security
9380 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
9381 on their development. Security and privacy program policies and procedures at the organization
9382 level are preferable, in general, and may obviate the need for system-specific policies and
9383 procedures. The policy can be included as part of the general security and privacy policy or can
9384 be represented by multiple policies reflecting the complex nature of organizations. Procedures
9385 can be established for security and privacy programs and for systems, if needed. Procedures
9386 describe how the policies or controls are implemented and can be directed at the individual or
9387 role that is the object of the procedure. Procedures can be documented in system security and
9388 privacy plans or in one or more separate documents. Restating controls does not constitute an
9389 organizational policy or procedure.
9390 Related Controls: PM-9, PS-8, SI-12.
9391 Control Enhancements: None.
9392 References: [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

9393 PS-2 POSITION RISK DESIGNATION

9394 Control:
9395 a. Assign a risk designation to all organizational positions;
9396 b. Establish screening criteria for individuals filling those positions; and
9397 c. Review and update position risk designations [Assignment: organization-defined frequency].

CHAPTER THREE PAGE 215

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9398 Discussion: Position risk designations reflect Office of Personnel Management (OPM) policy and
9399 guidance. Proper position designation is the foundation of an effective and consistent suitability
9400 and personnel security program. The Position Designation System (PDS) assesses the duties and
9401 responsibilities of a position to determine the degree of potential damage to the efficiency or
9402 integrity of the service from misconduct of an incumbent of a position. This establishes the risk
9403 level of that position. This assessment also determines if a position’s duties and responsibilities
9404 present the potential for position incumbents to bring about a material adverse effect on the
9405 national security, and the degree of that potential effect, which establishes the sensitivity level of
9406 a position. The results of this assessment determine what level of investigation is conducted for a
9407 position. Risk designations can guide and inform the types of authorizations individuals receive
9408 when accessing organizational information and information systems. Position screening criteria
9409 include explicit information security role appointment requirements. Parts 1400 and 731 of Title
9410 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant
9411 covered positions for a position sensitivity and position risk designation commensurate with the
9412 duties and responsibilities of those positions.
9413 Related Controls: AC-5, AT-3, PE-2, PE-3, PL-2, PS-3, PS-6, SA-5, SA-21, SI-12.
9414 Control Enhancements: None.
9415 References: [5 CFR 731].

9416 PS-3 PERSONNEL SCREENING

9417 Control:
9418 a. Screen individuals prior to authorizing access to the system; and
9419 b. Rescreen individuals in accordance with [Assignment: organization-defined conditions
9420 requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
9421 Discussion: Personnel screening and rescreening activities reflect applicable laws, executive
9422 orders, directives, regulations, policies, standards, guidelines, and specific criteria established for
9423 the risk designations of assigned positions. Examples of personnel screening include background
9424 investigations and agency checks. Organizations may define different rescreening conditions and
9425 frequencies for personnel accessing systems based on types of information processed, stored, or
9426 transmitted by the systems.
9427 Related Controls: AC-2, IA-4, MA-5, PE-2, PM-12, PS-2, PS-6, PS-7, SA-21.
9428 Control Enhancements:
9429 (1) PERSONNEL SCREENING | CLASSIFIED INFORMATION
9430 Verify that individuals accessing a system processing, storing, or transmitting classified
9431 information are cleared and indoctrinated to the highest classification level of the
9432 information to which they have access on the system.
9433 Discussion: Classified information is the most sensitive information the federal government
9434 processes, stores, or transmits. It is imperative that individuals have the requisite security
9435 clearances and system access authorizations prior to gaining access to such information.
9436 Access authorizations are enforced by system access controls (see AC-3) and flow controls
9437 (see AC-4).
9438 Related Controls: AC-3, AC-4.
9439 (2) PERSONNEL SCREENING | FORMAL INDOCTRINATION
9440 Verify that individuals accessing a system processing, storing, or transmitting types of
9441 classified information that require formal indoctrination, are formally indoctrinated for all
9442 the relevant types of information to which they have access on the system.

CHAPTER THREE PAGE 216

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9443 Discussion: Types of classified information requiring formal indoctrination include Special
9444 Access Program (SAP), Restricted Data (RD), and Sensitive Compartment Information (SCI).
9445 Related Controls: AC-3, AC-4.
9446 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTIVE MEASURES
9447 Verify that individuals accessing a system processing, storing, or transmitting information
9448 requiring special protection:
9449 (a) Have valid access authorizations that are demonstrated by assigned official
9450 government duties; and
9451 (b) Satisfy [Assignment: organization-defined additional personnel screening criteria].
9452 Discussion: Organizational information requiring special protection includes controlled
9453 unclassified information. Personnel security criteria include position sensitivity background
9454 screening requirements.
9455 Related Controls: None.
9456 (4) PERSONNEL SCREENING | CITIZENSHIP REQUIREMENTS
9457 Verify that individuals accessing a system processing, storing, or transmitting [Assignment:
9458 organization-defined information types] meet [Assignment: organization-defined
9459 citizenship requirements].
9460 Discussion: None.
9461 Related Controls: None.
9462 References: [EO 13526]; [EO 13587]; [FIPS 199]; [FIPS 201-2]; [SP 800-60 v1]; [SP 800-60 v2]; [SP
9463 800-73-4]; [SP 800-76-2]; [SP 800-78-4].

9464 PS-4 PERSONNEL TERMINATION

9465 Control: Upon termination of individual employment:
9466 a. Disable system access within [Assignment: organization-defined time-period];
9467 b. Terminate or revoke any authenticators and credentials associated with the individual;
9468 c. Conduct exit interviews that include a discussion of [Assignment: organization-defined
9469 information security topics];
9470 d. Retrieve all security-related organizational system-related property; and
9471 e. Retain access to organizational information and systems formerly controlled by terminated
9472 individual.
9473 Discussion: System property includes hardware authentication tokens, system administration
9474 technical manuals, keys, identification cards, and building passes. Exit interviews ensure that
9475 terminated individuals understand the security constraints imposed by being former employees
9476 and that proper accountability is achieved for system-related property. Security topics at exit
9477 interviews include reminding individuals of nondisclosure agreements and potential limitations
9478 on future employment. Exit interviews may not always be possible for some individuals including
9479 in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are
9480 important for individuals with security clearances. Timely execution of termination actions is
9481 essential for individuals who have been terminated for cause. In certain situations, organizations
9482 consider disabling system accounts of individuals that are being terminated prior to the
9483 individuals being notified.
9484 Related Controls: AC-2, IA-4, PE-2, PM-12, PS-6, PS-7.

CHAPTER THREE PAGE 217

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9485 Control Enhancements:

9486 (1) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS
9487 (a) Notify terminated individuals of applicable, legally binding post-employment
9488 requirements for the protection of organizational information; and
9489 (b) Require terminated individuals to sign an acknowledgment of post-employment
9490 requirements as part of the organizational termination process.
9491 Discussion: Organizations consult with the Office of the General Counsel regarding matters
9492 of post-employment requirements on terminated individuals.
9493 Related Controls: None.
9494 (2) PERSONNEL TERMINATION | AUTOMATED NOTIFICATION
9495 Notify [Assignment: organization-defined personnel or roles] of individual termination
9496 actions using [Assignment: organization-defined automated mechanisms].
9497 Discussion: In organizations with many employees, not all personnel who need to know
9498 about termination actions receive the appropriate notifications—or, if such notifications are
9499 received, they may not occur in a timely manner. Automated mechanisms can be used to
9500 send automatic alerts or notifications to organizational personnel or roles when individuals
9501 are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways,
9502 including telephonically, via electronic mail, via text message, or via websites.
9503 Related Controls: None.
9504 References: None.

9505 PS-5 PERSONNEL TRANSFER

9506 Control:
9507 a. Review and confirm ongoing operational need for current logical and physical access
9508 authorizations to systems and facilities when individuals are reassigned or transferred to
9509 other positions within the organization;
9510 b. Initiate [Assignment: organization-defined transfer or reassignment actions] within
9511 [Assignment: organization-defined time-period following the formal transfer action];
9512 c. Modify access authorization as needed to correspond with any changes in operational need
9513 due to reassignment or transfer; and
9514 d. Notify [Assignment: organization-defined personnel or roles] within [Assignment:
9515 organization-defined time-period].
9516 Discussion: Personnel transfer applies when reassignments or transfers of individuals are
9517 permanent or of such extended durations as to make the actions warranted. Organizations
9518 define actions appropriate for the types of reassignments or transfers, whether permanent or
9519 extended. Actions that may be required for personnel transfers or reassignments to other
9520 positions within organizations include returning old and issuing new keys, identification cards,
9521 and building passes; closing system accounts and establishing new accounts; changing system
9522 access authorizations (i.e., privileges); and providing for access to official records to which
9523 individuals had access at previous work locations and in previous system accounts.
9524 Related Controls: AC-2, IA-4, PE-2, PM-12, PS-4, PS-7.
9525 Control Enhancements: None.
9526 References: None.

CHAPTER THREE PAGE 218

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9527 PS-6 ACCESS AGREEMENTS

9528 Control:
9529 a. Develop and document access agreements for organizational systems;
9530 b. Review and update the access agreements [Assignment: organization-defined frequency];
9531 and
9532 c. Verify that individuals requiring access to organizational information and systems:
9533 1. Sign appropriate access agreements prior to being granted access; and
9534 2. Re-sign access agreements to maintain access to organizational systems when access
9535 agreements have been updated or [Assignment: organization-defined frequency].
9536 Discussion: Access agreements include nondisclosure agreements, acceptable use agreements,
9537 rules of behavior, and conflict-of-interest agreements. Signed access agreements include an
9538 acknowledgement that individuals have read, understand, and agree to abide by the constraints
9539 associated with organizational systems to which access is authorized. Organizations can use
9540 electronic signatures to acknowledge access agreements unless specifically prohibited by
9541 organizational policy.
9542 Related Controls: AC-17, PE-2, PL-4, PS-2, PS-3, PS-6, PS-7, PS-8, SA-21, SI-12.
9543 Control Enhancements:
9544 (1) ACCESS AGREEMENTS | INFORMATION REQUIRING SPECIAL PROTECTION
9545 [Withdrawn: Incorporated into PS-3.]
9546 (2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION
9547 Verify that access to classified information requiring special protection is granted only to
9548 individuals who:
9549 (a) Have a valid access authorization that is demonstrated by assigned official
9550 government duties;
9551 (b) Satisfy associated personnel security criteria; and
9552 (c) Have read, understood, and signed a nondisclosure agreement.
9553 Discussion: Classified information requiring special protection includes collateral
9554 information, Special Access Program (SAP) information, and Sensitive Compartmented
9555 Information (SCI). Personnel security criteria reflect applicable laws, executive orders,
9556 directives, regulations, policies, standards, and guidelines.
9557 Related Controls: None.
9558 (3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS
9559 (a) Notify individuals of applicable, legally binding post-employment requirements for
9560 protection of organizational information; and
9561 (b) Require individuals to sign an acknowledgment of these requirements, if applicable, as
9562 part of granting initial access to covered information.
9563 Discussion: Organizations consult with the Office of the General Counsel regarding matters
9564 of post-employment requirements on terminated individuals.
9565 Related Controls: PS-4.
9566 References: None.

CHAPTER THREE PAGE 219

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9567 PS-7 EXTERNAL PERSONNEL SECURITY

9568 Control:
9569 a. Establish personnel security requirements, including security roles and responsibilities for
9570 external providers;
9571 b. Require external providers to comply with personnel security policies and procedures
9572 established by the organization;
9573 c. Document personnel security requirements;
9574 d. Require external providers to notify [Assignment: organization-defined personnel or roles] of
9575 any personnel transfers or terminations of external personnel who possess organizational
9576 credentials and/or badges, or who have system privileges within [Assignment: organization-
9577 defined time-period]; and
9578 e. Monitor provider compliance with personnel security requirements.
9579 Discussion: External provider refers to organizations other than the organization operating or
9580 acquiring the system. External providers include service bureaus, contractors, and other
9581 organizations providing system development, information technology services, testing or
9582 assessment services, outsourced applications, and network/security management. Organizations
9583 explicitly include personnel security requirements in acquisition-related documents. External
9584 providers may have personnel working at organizational facilities with credentials, badges, or
9585 system privileges issued by organizations. Notifications of external personnel changes ensure
9586 appropriate termination of privileges and credentials. Organizations define the transfers and
9587 terminations deemed reportable by security-related characteristics that include functions, roles,
9588 and nature of credentials or privileges associated with individuals transferred or terminated.
9589 Related Controls: AT-2, AT-3, MA-5, PE-3, PS-2, PS-3, PS-4, PS-5, PS-6, SA-5, SA-9, SA-21.
9590 Control Enhancements: None.
9591 References: [SP 800-35].

9592 PS-8 PERSONNEL SANCTIONS

9593 Control:
9594 a. Employ a formal sanctions process for individuals failing to comply with established
9595 information security and privacy policies and procedures; and
9596 b. Notify [Assignment: organization-defined personnel or roles] within [Assignment:
9597 organization-defined time-period] when a formal employee sanctions process is initiated,
9598 identifying the individual sanctioned and the reason for the sanction.
9599 Discussion: Organizational sanctions reflect applicable laws, executive orders, directives,
9600 regulations, policies, standards, and guidelines. Sanctions processes are described in access
9601 agreements and can be included as part of general personnel policies for organizations and/or
9602 specified in security and privacy policies. Organizations consult with the Office of the General
9603 Counsel regarding matters of employee sanctions.
9604 Related Controls: All XX-1 Controls, PL-4, PM-12, PS-6, PT-1.
9605 Control Enhancements: None.
9606 References: None.

CHAPTER THREE PAGE 220

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9607 3.15 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND

9608 TRANSPARENCY
9609 Quick link to Personally Identifiable Information Processing and Transparency table

9610 PT-1 POLICY AND PROCEDURES

9611 Control:
9612 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
9613 roles]:
9614 1. [Selection (one or more): organization-level; mission/business process-level; system-
9615 level] personally identifiable information processing and transparency policy that:
9616 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
9617 coordination among organizational entities, and compliance; and
9618 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
9619 standards, and guidelines; and
9620 2. Procedures to facilitate the implementation of the personally identifiable information
9621 processing and transparency policy and the associated personally identifiable
9622 information processing and transparency controls;
9623 b. Designate an [Assignment: organization-defined official] to manage the development,
9624 documentation, and dissemination of the incident personally identifiable information
9625 processing and transparency policy and procedures; and
9626 c. Review and update the current personally identifiable information processing and
9627 transparency:
9628 1. Policy [Assignment: organization-defined frequency]; and
9629 2. Procedures [Assignment: organization-defined frequency].
9630 Discussion: This control addresses policy and procedures for the controls in the PT family
9631 implemented within systems and organizations. The risk management strategy is an important
9632 factor in establishing such policies and procedures. Policies and procedures help provide security
9633 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
9634 on their development. Security and privacy program policies and procedures at the organization
9635 level are preferable, in general, and may obviate the need for system-specific policies and
9636 procedures. The policy can be included as part of the general security and privacy policy or can
9637 be represented by multiple policies reflecting the complex nature of organizations. Procedures
9638 can be established for security and privacy programs and for systems, if needed. Procedures
9639 describe how the policies or controls are implemented and can be directed at the individual or
9640 role that is the object of the procedure. Procedures can be documented in system security and
9641 privacy plans or in one or more separate documents. Restating controls does not constitute an
9642 organizational policy or procedure.
9643 Related Controls: None.
9644 Control Enhancements: None.
9645 References: [OMB A-130].

CHAPTER THREE PAGE 221

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9646 PT-2 AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION

9647 Control:
9648 a. Determine and document the [Assignment: organization-defined authority] that permits the
9649 [Assignment: organization-defined processing] of personally identifiable information; and
9650 b. Restrict the [Assignment: organization-defined processing] of personally identifiable
9651 information to only that which is authorized.
9652 Discussion: Processing of personally identifiable information is an operation or set of operations
9653 that the information system or organization performs with respect to personally identifiable
9654 information across the information life cycle. Processing includes, but is not limited to, creation,
9655 collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal.
9656 Processing operations also include logging, generation, and transformation, as well as analysis
9657 techniques, such as data mining.
9658 Organizations may be subject to laws, executive orders, directives, regulations, or policies that
9659 establish the organization’s authority and thereby limit certain types of processing of personally
9660 identifiable information or establish other requirements related to the processing. Organizational
9661 personnel consult with the senior agency official for privacy and legal counsel regarding such
9662 authority, particularly if the organization is subject to multiple jurisdictions or sources of
9663 authority. For organizations whose processing is not determined according to legal authorities,
9664 the organizations’ policies and determinations govern how they process personally identifiable
9665 information. While processing of personally identifiable information may be legally permissible,
9666 privacy risks may still arise from its processing. Privacy risk assessments can identify the privacy
9667 risks associated with the authorized processing of personally identifiable information and
9668 support solutions to manage such risks.
9669 Organizations consider applicable requirements and organizational policies to determine how to
9670 document this authority. For federal agencies, the authority to process personally identifiable
9671 information is documented in privacy policies and notices, system of records notices, privacy
9672 impact assessments, [PRIVACT] statements, computer matching agreements and notices,
9673 contracts, information sharing agreements, memoranda of understanding, and/or other
9674 documentation.
9675 Organizations take steps to ensure that personally identifiable information is processed only for
9676 authorized purposes, including training organizational personnel on the authorized processing of
9677 personally identifiable information and monitoring and auditing organizational use of personally
9678 identifiable information.
9679 Related Controls: AC-3, CM-13, PM-9, PM-24, PT-1, PT-3, PT-6, PT-7, RA-3, RA-8, SI-12, SI-18.
9680 Control Enhancements:
9681 (1) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | DATA TAGGING
9682 Attach data tags containing [Assignment: organization-defined permissible processing] to
9683 [Assignment: organization-defined elements of personally identifiable information].
9684 Discussion: Data tags support tracking and enforcement of authorized processing by
9685 conveying the types of processing that are authorized along with the relevant elements of
9686 personally identifiable information throughout the system. Data tags may also support the
9687 use of automated tools.
9688 Related Controls: CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
9689 (2) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | AUTOMATION
9690 Manage enforcement of the authorized processing of personally identifiable information
9691 using [Assignment: organization-defined automated mechanisms].

CHAPTER THREE PAGE 222

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9692 Discussion: Automated mechanisms augment verification that only authorized processing is
9693 occurring.
9694 Related Controls: CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
9695 References: [PRIVACT]; [OMB A-130, Appendix II].

9696 PT-3 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES

9697 Control:
9698 a. Identify and document the [Assignment organization-defined purpose(s)] for processing
9699 personally identifiable information;
9700 b. Describe the purpose(s) in the public privacy notices and policies of the organization;
9701 c. Restrict the [Assignment: organization-defined processing] of personally identifiable
9702 information to only that which is compatible with the identified purpose(s); and
9703 d. Monitor changes in processing personally identifiable information and implement
9704 [Assignment: organization-defined mechanisms] to ensure that any changes are made in
9705 accordance with [Assignment: organization-defined requirements].
9706 Discussion: Identifying and documenting the purpose for processing provides organizations with
9707 a basis for understanding why personally identifiable information may be processed. The term
9708 process includes every step of the information life cycle, including creation, collection, use,
9709 processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and
9710 documenting the purpose of processing is a prerequisite to enabling owners and operators of the
9711 system, and individuals whose information is processed by the system, to understand how the
9712 information will be processed. This enables individuals to make informed decisions about their
9713 engagement with information systems and organizations, and to manage their privacy interests.
9714 Once the specific processing purpose has been identified, the purpose is described in the
9715 organization’s privacy notices, policies, and any related privacy compliance documentation,
9716 including privacy impact assessments, system of records notices, [PRIVACT] statements,
9717 computer matching notices, and other applicable Federal Register notices.
9718 Organizations take steps to help ensure that personally identifiable information is processed only
9719 for identified purposes, including training organizational personnel and monitoring and auditing
9720 organizational processing of personally identifiable information.
9721 Organizations monitor for changes in personally identifiable information processing.
9722 Organizational personnel consult with the senior agency official for privacy and legal counsel to
9723 ensure that any new purposes arising from changes in processing are compatible with the
9724 purpose for which the information was collected, or if the new purpose is not compatible,
9725 implement mechanisms in accordance with defined requirements to allow for the new
9726 processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising
9727 privacy policies, or other measures to manage privacy risks arising from changes in personally
9728 identifiable information processing purposes.
9729 Related Controls: AC-3, AT-3, CM-13, PM-9, PM-25, PT-2, PT-6, PT-7, PT-8, RA-8, SC-43, SI-12, SI-
9730 18.
9731 Control Enhancements:
9732 (1) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | DATA TAGGING
9733 Attach data tags containing the following purposes to [Assignment: organization-defined
9734 elements of personally identifiable information]: [Assignment: organization-defined
9735 processing purposes].

CHAPTER THREE PAGE 223

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9736 Discussion: Data tags support tracking of processing purposes by conveying the purposes
9737 along with the relevant elements of personally identifiable information throughout the
9738 system. By conveying the processing purposes in a data tag along with the personally
9739 identifiable information as the information transits a system, a system owner or operator
9740 can identify whether a change in processing would be compatible with the identified and
9741 documented purposes. Data tags may also support the use of automated tools.
9742 Related Controls: CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
9743 (2) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | AUTOMATION
9744 Track processing purposes of personally identifiable information using [Assignment:
9745 organization-defined automated mechanisms].
9746 Discussion: Automated mechanisms augment tracking of the processing purposes.
9747 Related Controls: CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
9748 References: [PRIVACT]; [OMB A-130, Appendix II].

9749 PT-4 MINIMIZATION

9750 Control: Implement the privacy principle of minimization using [Assignment: organization-
9751 defined processes].
9752 Discussion: The principle of minimization states that organizations should only process personally
9753 identifiable information that is directly relevant and necessary to accomplish an authorized
9754 purpose, and should only maintain personally identifiable information for as long as is necessary
9755 to accomplish the purpose. Organizations have processes in place, consistent with applicable
9756 laws and policies, to implement the principle of minimization.
9757 Related Controls: PM-25, SA-15, SC-42, SI-12.
9758 References: [OMB A-130].

9759 PT-5 CONSENT

9760 Control: Implement [Assignment: organization-defined tools or mechanisms] for individuals to
9761 consent to the processing of their personally identifiable information prior to its collection that:
9762 a. Facilitate individuals’ informed decision-making; and
9763 b. Provide a means for individuals to decline consent.
9764 Discussion: Consent allows individuals to participate in the decision-making about the processing
9765 of their information and transfers some of the risk that arises from the processing of personally
9766 identifiable information from the organization to an individual. Organizations consider whether
9767 other controls may more effectively mitigate privacy risk either alone or in conjunction with
9768 consent. Consent may be required by applicable laws, executive orders, directives, regulations,
9769 policies, standards, or guidelines. Otherwise, when selecting this control, organizations consider
9770 whether individuals can be reasonably expected to understand and accept the privacy risks
9771 arising from their authorization. Organizations also consider any demographic or contextual
9772 factors that may influence the understanding or behavior of individuals with respect to the data
9773 actions carried out by the system or organization. When soliciting consent from individuals,
9774 organizations consider the appropriate mechanism for obtaining consent, including how to
9775 properly authenticate and identity proof individuals and how to obtain consent through
9776 electronic means. In addition, organizations consider providing a mechanism for individuals to
9777 revoke consent once it has been provided, as appropriate. Finally, organizations consider
9778 usability factors to help individuals understand the risks being accepted when providing consent,
9779 including the use of plain language and avoiding technical jargon.

CHAPTER THREE PAGE 224

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9780 Related Controls: AC-16, PT-6.

9781 Control Enhancements:
9782 (1) CONSENT | TAILORED CONSENT
9783 Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor
9784 processing permissions to selected elements of personally identifiable information.
9785 Discussion: While some processing may be necessary for the basic functionality of the
9786 product or service, other processing may not be necessary for the functionality of the
9787 product or service. In these circumstances, organizations allow individuals to select how
9788 specific personally identifiable information elements may be processed. More tailored
9789 consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse
9790 behaviors such as abandonment of the product or service.
9791 Related Controls: PT-2.
9792 (2) CONSENT | JUST-IN-TIME CONSENT
9793 Present [Assignment: organization-defined consent mechanisms] to individuals at a time
9794 and location where the individual provides personally identifiable information or in
9795 conjunction with a data action.
9796 Discussion: Just-in-time consent enables individuals to participate in how their personally
9797 identifiable information is being processed at the time when such participation may be most
9798 useful to the individual. Individual assumptions about how personally identifiable
9799 information will be processed might not be accurate or reliable if time has passed since the
9800 individual last gave consent or the particular circumstances under which consent was given
9801 have changed. Organizations use discretion to determine when to use just-in-time consent
9802 and may use supporting information on demographics, focus groups, or surveys to learn
9803 more about individuals’ privacy interests and concerns.
9804 Related Controls: PT-2.
9805 References: [PRIVACT]; [OMB A-130]; [SP 800-63-3].

9806 PT-6 PRIVACY NOTICE

9807 Control: Provide notice to individuals about the processing of personally identifiable information
9808 that:
9809 a. Is available to individuals upon first interacting with an organization, and subsequently at
9810 [Assignment: organization-defined frequency];
9811 b. Is clear and easy-to-understand, expressing information about personally identifiable
9812 information processing in plain language;
9813 c. Identifies the authority that authorizes the processing of personally identifiable information;
9814 d. Identifies the purposes for which personally identifiable information is to be processed; and
9815 e. Includes [Assignment: organization-defined information].
9816 Discussion: Privacy notices help inform individuals about how their personally identifiable
9817 information is being processed by the system or organization. Organizations use privacy notices
9818 to inform individuals about how, under what authority, and for what purpose their personally
9819 identifiable information is processed, as well as other information such as choices individuals
9820 might have with respect to that processing and, other parties with whom information is shared.
9821 Laws, executive orders, directives, regulations, or policies may require that privacy notices
9822 include specific elements or be provided in specific formats. Federal agency personnel consult
9823 with the senior agency official for privacy and legal counsel regarding when and where to provide

CHAPTER THREE PAGE 225

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9824 privacy notices, as well as elements to include in privacy notices and required formats. In
9825 circumstances where laws or government-wide policies do not require privacy notices,
9826 organizational policies and determinations may require privacy notices and may serve as a source
9827 of the elements to include in privacy notices.
9828 Privacy risk assessments identify the privacy risks associated with the processing of personally
9829 identifiable information and may help organizations determine appropriate elements to include
9830 in a privacy notice to manage such risks. To help individuals understand how their information is
9831 being processed, organizations write materials in plain language and avoid technical jargon.
9832 Related Controls: PM-20, PM-22, PT-2, PT-3, PT-5, PT-8, RA-3, SI-18.
9833 Control Enhancements:
9834 (1) PRIVACY NOTICE | JUST-IN-TIME NOTICE
9835 Present notice of personally identifiable information processing to individuals at a time
9836 and location where the individual provides personally identifiable information or in
9837 conjunction with a data action, or [Assignment: organization-defined frequency].
9838 Discussion: Just-in-time notice enables individuals to be informed of how organizations
9839 process their personally identifiable information at a time when such notice may be most
9840 useful to the individual. Individual assumption about how personally identifiable information
9841 will be processed might not be accurate or reliable if time has passed since the organization
9842 last presented notice or the circumstances under which the individual was last provided
9843 notice have changed. Just-in-time notice can explain data actions that organizations have
9844 identified as potentially giving rise to greater privacy risk for individuals. Organizations can
9845 use just-in-time notice to update or remind individuals about specific data actions as they
9846 occur or highlight specific changes that occurred since last presenting notice. Just-in-time
9847 notice can be used in conjunction with just-in-time consent to explain what will occur if
9848 consent is declined. Organizations use discretion to determine when to use just-in-time
9849 notice and may use supporting information on user demographics, focus groups, or surveys
9850 to learn about users’ privacy interests and concerns.
9851 Related Controls: PM-21.
9852 (2) PRIVACY NOTICE | PRIVACY ACT STATEMENTS
9853 Include Privacy Act statements on forms that collect information that will be maintained in
9854 a Privacy Act system of records, or provide Privacy Act statements on separate forms that
9855 can be retained by individuals.
9856 Discussion: If a federal agency asks individuals to supply information that will become part
9857 of a system of records, the agency is required to provide a [PRIVACT] statement on the form
9858 used to collect the information or on a separate form that can be retained by the individual.
9859 The agency provides a [PRIVACT] statement in such circumstances regardless of whether the
9860 information will be collected on a paper or electronic form, on a website, on a mobile
9861 application, over the telephone, or through some other medium. This requirement ensures
9862 that the individual is provided with sufficient information about the request for information
9863 to make an informed decision on whether or not to respond.
9864 [PRIVACT] statements provide formal notice to individuals of the authority that authorizes
9865 the solicitation of the information; whether providing the information is mandatory or
9866 voluntary; the principal purpose(s) for which the information is to be used; the published
9867 routine uses to which the information is subject; the effects on the individual, if any, of not
9868 providing all or any part of the information requested; and an appropriate citation and link
9869 to the relevant system of records notice. Federal agency personnel consult with the senior
9870 agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT].
9871 Related Controls: PT-7.

CHAPTER THREE PAGE 226

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9872 Control Enhancements: None.

9873 References: [PRIVACT]; [OMB A-130]; [OMB A-108].

9874 PT-7 SYSTEM OF RECORDS NOTICE

9875 Control: For systems that process information that will be maintained in a Privacy Act system of
9876 records:
9877 a. Draft system of records notices in accordance with OMB guidance and submit new and
9878 significantly modified system of records notices to the OMB and appropriate congressional
9879 committees for advance review;
9880 b. Publish system of records notices in the Federal Register; and
9881 c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.
9882 Discussion: The [PRIVACT] requires that federal agencies publish a system of records notice in
9883 the Federal Register upon the establishment and/or modification of a [PRIVACT] system of
9884 records. As a general matter, a system of records notice is required when an agency maintains a
9885 group of any records under the control of the agency from which information is retrieved by the
9886 name of an individual or by some identifying number, symbol, or other identifier. The notice
9887 describes the existence and character of the system, and identifies the system of records, the
9888 purpose(s) of the system, the authority for maintenance of the records, the categories of records
9889 maintained in the system, the categories of individuals about whom records are maintained, the
9890 routine uses to which the records are subject, and additional details about the system as
9891 described in [OMB A-108].
9892 Related Controls: PM-20, PT-2, PT-3, PT-6.
9893 Control Enhancements:
9894 (1) SYSTEM OF RECORDS NOTICE | ROUTINE USES
9895 Review all routine uses published in the system of records notice at [Assignment:
9896 organization-defined frequency] to ensure continued accuracy, and to ensure that routine
9897 uses continue to be compatible with the purpose for which the information was collected.
9898 Discussion: A [PRIVACT] routine use is a particular kind of disclosure of a record outside of
9899 the federal agency maintaining the system of records. A routine use is an exception to the
9900 [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior
9901 written consent of the individual to whom the record pertains. To qualify as a routine use,
9902 the disclosure must be for a purpose that is compatible with the purpose for which the
9903 information was originally collected. The [PRIVACT] requires agencies to describe each
9904 routine use of the records maintained in the system of records, including the categories of
9905 users of the records and the purpose of the use. Agencies may only establish routine uses by
9906 explicitly publishing them in the relevant system of records notice.
9907 Related Controls: None.
9908 (2) SYSTEM OF RECORDS NOTICE | EXEMPTION RULES
9909 Review all Privacy Act exemptions claimed for the system of records at [Assignment:
9910 organization-defined frequency] to ensure they remain appropriate and necessary in
9911 accordance with law, that they have been promulgated as regulations, and that they are
9912 accurately described in the system of records notice.
9913 Discussion: The [PRIVACT] includes two sets of provisions that allow federal agencies to
9914 claim exemptions from certain requirements in the statute. These provisions allow agencies
9915 in certain circumstances to promulgate regulations to exempt a system of records from
9916 select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption

CHAPTER THREE PAGE 227

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9917 regulations include the specific name(s) of any system(s) of records that will be exempt, the
9918 specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted,
9919 the reasons for the exemption, and an explanation for why the exemption is both necessary
9920 and appropriate.
9921 Related Controls: None.
9922 References: [PRIVACT]; [OMB A-108].

9923 PT-8 SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION

9924 Control: Apply [Assignment: organization-defined processing conditions] for specific categories of
9925 personally identifiable information.
9926 Discussion: Organizations apply any conditions or protections that may be necessary for specific
9927 categories of personally identifiable information. These conditions may be required by laws,
9928 executive orders, directives, regulations, policies, standards, or guidelines. The requirements may
9929 also come from organizational policies and determinations when an organization has determined
9930 that a particular category of personally identifiable information is particularly sensitive or raises
9931 particular privacy risks. Organizations consult with the senior agency official for privacy and legal
9932 counsel regarding any protections that may be necessary.
9933 Related Controls: PT-2, PT-3.
9934 Control Enhancements:
9935 (1) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | SOCIAL SECURITY NUMBERS
9936 When a system processes Social Security numbers:
9937 (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers,
9938 and explore alternatives to their use as a personal identifier;
9939 (b) Do not deny any individual any right, benefit, or privilege provided by law because of
9940 such individual’s refusal to disclose his or her Social Security number; and
9941 (c) Inform any individual who is asked to disclose his or her Social Security number
9942 whether that disclosure is mandatory or voluntary, by what statutory or other
9943 authority such number is solicited, and what uses will be made of it.
9944 Discussion: Federal law and policy establish specific requirements for organizations’
9945 processing of Social Security numbers. Organizations take steps to eliminate unnecessary
9946 uses of Social Security numbers and other sensitive information, and observe any particular
9947 requirements that apply.
9948 Related Controls: None.
9949 (2) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | FIRST AMENDMENT
9950 INFORMATION
9951 Prohibit the processing of information describing how any individual exercises rights
9952 guaranteed by the First Amendment unless expressly authorized by statute or by the
9953 individual or unless pertinent to and within the scope of an authorized law enforcement
9954 activity.
9955 Discussion: None.
9956 Related Controls: The [PRIVACT] limits agencies’ ability to process information that describes
9957 how individuals exercise rights guaranteed by the First Amendment. Organizations consult
9958 with the senior agency official for privacy and legal counsel regarding these requirements.
9959 References: [PRIVACT]; [OMB A-130]; [OMB A-108].

CHAPTER THREE PAGE 228

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9960 PT-9 COMPUTER MATCHING REQUIREMENTS

9961 Control: When a system or organization processes information for the purpose of conducting a
9962 matching program:
9963 a. Obtain approval from the Data Integrity Board to conduct the matching program;
9964 b. Develop and enter into a computer matching agreement;
9965 c. Publish a matching notice in the Federal Register;
9966 d. Independently verify the information produced by the matching program before taking
9967 adverse action against an individual, if required; and
9968 e. Provide individuals with notice and an opportunity to contest the findings before taking
9969 adverse action against an individual.
9970 Discussion: The [PRIVACT] establishes a set of requirements for federal and non-federal agencies
9971 when they engage in a matching program. In general, a matching program is a computerized
9972 comparison of records from two or more automated [PRIVACT] systems of records, or an
9973 automated system of records and automated records maintained by a non-Federal agency (or
9974 agent thereof). A matching program either pertains to Federal benefit programs or Federal
9975 personnel or payroll records. A Federal benefit match is performed for purposes of determining
9976 or verifying eligibility for payments under Federal benefit programs, or recouping payments or
9977 delinquent debts under Federal benefit programs. A matching program involves not just the
9978 matching activity itself, but also the investigative follow-up and ultimate action, if any.
9979 Related Controls: PM-24.
9980 Control Enhancements: None.
9981 References: [PRIVACT]; [OMB A-130]; [OMB A-108].

CHAPTER THREE PAGE 229

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

9982 3.16 RISK ASSESSMENT

9983 Quick link to Risk Assessment summary table

9984 RA-1 POLICY AND PROCEDURES

9985 Control:
9986 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
9987 roles]:
9988 1. [Selection (one or more): organization-level; mission/business process-level; system-
9989 level] risk assessment policy that:
9990 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
9991 coordination among organizational entities, and compliance; and
9992 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
9993 standards, and guidelines; and
9994 2. Procedures to facilitate the implementation of the risk assessment policy and the
9995 associated risk assessment controls;
9996 b. Designate an [Assignment: organization-defined official] to manage the development,
9997 documentation, and dissemination of the risk assessment policy and procedures; and
9998 c. Review and update the current risk assessment:
9999 1. Policy [Assignment: organization-defined frequency]; and
10000 2. Procedures [Assignment: organization-defined frequency].
10001 Discussion: This control addresses policy and procedures for the controls in the RA family
10002 implemented within systems and organizations. The risk management strategy is an important
10003 factor in establishing such policies and procedures. Policies and procedures help provide security
10004 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
10005 on their development. Security and privacy program policies and procedures at the organization
10006 level are preferable, in general, and may obviate the need for system-specific policies and
10007 procedures. The policy can be included as part of the general security and privacy policy or can
10008 be represented by multiple policies reflecting the complex nature of organizations. Procedures
10009 can be established for security and privacy programs and for systems, if needed. Procedures
10010 describe how the policies or controls are implemented and can be directed at the individual or
10011 role that is the object of the procedure. Procedures can be documented in system security and
10012 privacy plans or in one or more separate documents. Restating controls does not constitute an
10013 organizational policy or procedure.
10014 Related Controls: PM-9, PS-8, SI-12.
10015 Control Enhancements: None.
10016 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100].

10017 RA-2 SECURITY CATEGORIZATION

10018 Control:
10019 a. Categorize the system and information it processes, stores, and transmits;
10020 b. Document the security categorization results, including supporting rationale, in the security
10021 plan for the system; and

CHAPTER THREE PAGE 230

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10022 c. Verify that the authorizing official or authorizing official designated representative reviews
10023 and approves the security categorization decision.
10024 Discussion: Clearly defined system boundaries are a prerequisite for security categorization
10025 decisions. Security categories describe the potential adverse impacts or negative consequences
10026 to organizational operations, organizational assets, and individuals if organizational information
10027 and systems are comprised through a loss of confidentiality, integrity, or availability. Security
10028 categorization is also a type of asset loss characterization in systems security engineering
10029 processes carried out throughout the system development life cycle. Organizations can use
10030 privacy risk assessments or privacy impact assessments to better understand the potential
10031 adverse effects on individuals.
10032 Organizations conduct the security categorization process as an organization-wide activity with
10033 the direct involvement of chief information officers, senior agency information security officers,
10034 senior agency officials for privacy, system owners, mission and business owners, and information
10035 owners or stewards. Organizations consider the potential adverse impacts to other organizations
10036 and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential
10037 national-level adverse impacts.
10038 Security categorization processes facilitate the development of inventories of information assets,
10039 and along with CM-8, mappings to specific system components where information is processed,
10040 stored, or transmitted. The security categorization process is revisited throughout the system
10041 development life cycle to ensure the security categories remain accurate and relevant.
10042 Related Controls: CM-8, MP-4, PL-2, PL-10, PL-11, PM-7, RA-3, RA-5, RA-7, RA-8, SA-8, SC-7, SC-
10043 38, SI-12.
10044 Control Enhancements:
10045 (1) SECURITY CATEGORIZATION | IMPACT-LEVEL PRIORITIZATION
10046 Conduct an impact-level prioritization of organizational systems to obtain additional
10047 granularity on system impact levels.
10048 Discussion: Organizations apply the “high water mark” concept to each system categorized
10049 in accordance with [FIPS 199] resulting in systems designated as low impact, moderate
10050 impact, or high impact. Organizations desiring additional granularity in the system impact
10051 designations for risk-based decision making, can further partition the systems into sub-
10052 categories of the initial system categorization. For example, an impact-level prioritization on
10053 a moderate-impact system can produce three new sub-categories: low-moderate systems,
10054 moderate-moderate systems, and high-moderate systems. Impact-level prioritization and
10055 the resulting sub-categories of the system give organizations an opportunity to focus their
10056 investments related to security control selection and the tailoring of control baselines in
10057 responding to identified risks. Impact-level prioritization can also be used to determine
10058 those systems that may be of heightened interest or value to adversaries or represent a
10059 critical loss to the federal enterprise, sometimes described as high value assets. For such
10060 high value assets, organizations may be more focused on complexity, aggregation, and
10061 interconnections. Systems with high value assets can be prioritized by partitioning high-
10062 impact systems into low-high systems, moderate-high systems, and high-high systems.
10063 Related Controls: None.
10064 References: [FIPS 199]; [FIPS 200]; [SP 800-30]; [SP 800-37]; [SP 800-39]; [SP 800-60 v1]; [SP 800-
10065 60 v2]; [SP 800-160 v1].

CHAPTER THREE PAGE 231

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10066 RA-3 RISK ASSESSMENT

10067 Control:
10068 a. Conduct a risk assessment, including:
10069 1. The likelihood and magnitude of harm from unauthorized access, use, disclosure,
10070 disruption, modification, or destruction of the system, the information it processes,
10071 stores, or transmits, and any related information; and
10072 2. The likelihood and impact of adverse effects on individuals arising from the processing
10073 of personally identifiable information;
10074 b. Integrate risk assessment results and risk management decisions from the organization and
10075 mission or business process perspectives with system-level risk assessments;
10076 c. Document risk assessment results in [Selection: security and privacy plans; risk assessment
10077 report; [Assignment: organization-defined document]];
10078 d. Review risk assessment results [Assignment: organization-defined frequency];
10079 e. Disseminate risk assessment results to [Assignment: organization-defined personnel or
10080 roles]; and
10081 f. Update the risk assessment [Assignment: organization-defined frequency] or when there are
10082 significant changes to the system, its environment of operation, or other conditions that may
10083 impact the security or privacy state of the system.
10084 Discussion: Clearly defined authorization boundaries are a prerequisite for effective risk
10085 assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to
10086 organizational operations and assets, individuals, other organizations, and the Nation based on
10087 the operation and use of systems. Risk assessments also consider risk from external parties,
10088 including individuals accessing organizational systems; contractors operating systems on behalf
10089 of the organization; service providers; and outsourcing entities.
10090 Organizations can conduct risk assessments at all three levels in the risk management hierarchy
10091 (i.e., organization level, mission/business process level, or information system level) and at any
10092 stage in the system development life cycle. Risk assessments can also be conducted at various
10093 steps in the Risk Management Framework, including categorization, control selection, control
10094 implementation, control assessment, system authorization, and control monitoring. Risk
10095 assessment is an ongoing activity carried out throughout the system development life cycle.
10096 In addition to the information processed, stored, and transmitted by the system, risk
10097 assessments can also address any information related to the system, including system design, the
10098 intended use of the system, testing results, and other supply chain-related information or
10099 artifacts. Assessments of risk can play an important role in control selection processes,
10100 particularly during the application of tailoring guidance and in the earliest phases of capability
10101 determination.
10102 Related Controls: CA-3, CM-4, CM-13, CP-6, CP-7, IA-8, MA-5, PE-3, PE-18, PL-2, PL-10, PL-11,
10103 PM-8, PM-9, PM-28, RA-2, RA-5, RA-7, SA-8, SA-9, SC-38, SI-12.
10104 Control Enhancements:
10105 (1) RISK ASSESSMENT | SUPPLY CHAIN RISK ASSESSMENT
10106 (a) Assess supply chain risks associated with [Assignment: organization-defined systems,
10107 system components, and system services]; and
10108 (b) Update the supply chain risk assessment [Assignment: organization-defined
10109 frequency], when there are significant changes to the relevant supply chain, or when

CHAPTER THREE PAGE 232

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10110 changes to the system, environments of operation, or other conditions may

10111 necessitate a change in the supply chain.
10112 Discussion: Supply chain-related events include disruption, use of defective components,
10113 insertion of counterfeits, theft, malicious development practices, improper delivery
10114 practices, and insertion of malicious code. These events can have a significant impact on the
10115 confidentiality, integrity, or availability of a system and its information and therefore, can
10116 also adversely impact organizational operations (including mission, functions, image, or
10117 reputation), organizational assets, individuals, other organizations, and the Nation. The
10118 supply chain-related events may be unintentional or malicious and can occur at any point
10119 during the system life cycle. An analysis of supply chain risk can help an organization identify
10120 systems or components for which additional supply chain risk mitigations are required.
10121 Related Controls: RA-2, RA-9, PM-17, SR-2.
10122 (2) RISK ASSESSMENT | USE OF ALL-SOURCE INTELLIGENCE
10123 Use all-source intelligence to assist in the analysis of risk.
10124 Discussion: Organizations employ all-source intelligence to inform engineering, acquisition,
10125 and risk management decisions. All-source intelligence consists of information derived from
10126 all available sources, including publicly available or open-source information; measurement
10127 and signature intelligence; human intelligence; signals intelligence; and imagery intelligence.
10128 All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and
10129 unintentional) from development, manufacturing, and delivery processes, people, and the
10130 environment. The risk analysis may be performed on suppliers at multiple tiers in the supply
10131 chain sufficient to manage risks. Organizations may develop agreements to share all-source
10132 intelligence information or resulting decisions with other organizations, as appropriate.
10133 Related Controls: None.
10134 (3) RISK ASSESSMENT | DYNAMIC THREAT AWARENESS
10135 Determine the current cyber threat environment on an ongoing basis using [Assignment:
10136 organization-defined means].
10137 Discussion: The threat awareness information that is gathered feeds into the organization’s
10138 information security operations to ensure that procedures are updated in response to the
10139 changing threat environment. For example, at higher threat levels, organizations may
10140 change the privilege or authentication thresholds required to perform certain operations.
10141 Related Controls: AT-2.
10142 (4) RISK ASSESSMENT | PREDICTIVE CYBER ANALYTICS
10143 Employ the following advanced automation and analytics capabilities to predict and
10144 identify risks to [Assignment: organization-defined systems or system components]:
10145 [Assignment: organization-defined advanced automation and analytics capabilities].
10146 Discussion: A properly resourced Security Operations Center (SOC) or Computer Incident
10147 Response Team (CIRT) may be overwhelmed by the volume of information generated by the
10148 proliferation of security tools and appliances unless it employs advanced automation and
10149 analytics to analyze the data. Advanced automation and analytics capabilities are typically
10150 supported by artificial intelligence concepts including, machine learning. Examples include
10151 Automated Threat Discovery and Response (which includes broad-based collection, context-
10152 based analysis, and adaptive response capabilities), Automated Workflow Operations, and
10153 Machine Assisted Decision tools. Note, however, that sophisticated adversaries may be able
10154 to extract information related to analytic parameters and retrain the machine learning to
10155 classify malicious activity as benign. Accordingly, machine learning is augmented by human
10156 monitoring to ensure sophisticated adversaries are not able to conceal their activity.
10157 Related Controls: None.

CHAPTER THREE PAGE 233

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10158 References: [OMB A-130]; [SP 800-30]; [SP 800-39]; [SP 800-161]; [IR 8023]; [IR 8062].

10159 RA-4 RISK ASSESSMENT UPDATE

10160 [Withdrawn: Incorporated into RA-3.]

10161 RA-5 VULNERABILITY MONITORING AND SCANNING

10162 Control:
10163 a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment:
10164 organization-defined frequency and/or randomly in accordance with organization-defined
10165 process] and when new vulnerabilities potentially affecting the system are identified and
10166 reported;
10167 b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among
10168 tools and automate parts of the vulnerability management process by using standards for:
10169 1. Enumerating platforms, software flaws, and improper configurations;
10170 2. Formatting checklists and test procedures; and
10171 3. Measuring vulnerability impact;
10172 c. Analyze vulnerability scan reports and results from vulnerability monitoring;
10173 d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in
10174 accordance with an organizational assessment of risk;
10175 e. Share information obtained from the vulnerability monitoring process and control
10176 assessments with [Assignment: organization-defined personnel or roles] to help eliminate
10177 similar vulnerabilities in other systems; and
10178 f. Employ vulnerability monitoring tools that include the capability to readily update the
10179 vulnerabilities to be scanned.
10180 Discussion: Security categorization of information and systems guides the frequency and
10181 comprehensiveness of vulnerability monitoring (including scans). Organizations determine the
10182 required vulnerability monitoring for system components, ensuring that the potential sources of
10183 vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked
10184 printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability
10185 monitoring tools as new vulnerabilities are discovered and announced, and as new scanning
10186 methods are developed, helps to ensure that new vulnerabilities are not missed by employed
10187 vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure
10188 that potential vulnerabilities in the system are identified and addressed as quickly as possible.
10189 Vulnerability monitoring and analyses for custom software may require additional approaches
10190 such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches.
10191 Organizations can use these analysis approaches in source code reviews and in a variety of tools,
10192 including web-based application scanners, static analysis tools, and binary analyzers.
10193 Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports,
10194 protocols, and services that should not be accessible to users or devices; and scanning for flow
10195 control mechanisms that are improperly configured or operating incorrectly. Vulnerability
10196 monitoring may also include continuous vulnerability monitoring tools that use instrumentation
10197 to continuously analyze components. Instrumentation-based tools may improve accuracy and
10198 may be run throughout an organization without scanning. Vulnerability monitoring tools that
10199 facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)
10200 validated. Thus, organizations consider using scanning tools that express vulnerabilities in the
10201 Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open

CHAPTER THREE PAGE 234

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10202 Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources
10203 for vulnerability information include the Common Weakness Enumeration (CWE) listing and the
10204 National Vulnerability Database (NVD). Control assessments such as red team exercises provide
10205 additional sources of potential vulnerabilities for which to scan. Organizations also consider using
10206 scanning tools that express vulnerability impact by the Common Vulnerability Scoring System
10207 (CVSS).
10208 Vulnerability monitoring also includes a channel and process for receiving reports of security
10209 vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as
10210 publishing a monitored email address or web form that can receive reports, including notification
10211 authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally
10212 expect that such research is happening with or without their authorization, and can use public
10213 vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are
10214 reported directly to the organization for remediation.
10215 Organizations may also employ the use of financial incentives (also known as “bug bounties”) to
10216 further encourage external security researchers to report discovered vulnerabilities. Bug bounty
10217 programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or
10218 over a defined period of time, and can be offered to the general public or to a curated group.
10219 Organizations may run public and private bounties simultaneously, and could choose to offer
10220 partially credentialed access to certain participants in order to evaluate security vulnerabilities
10221 from privileged vantage points.
10222 Related Controls: CA-2, CA-7, CM-2, CM-4, CM-6, CM-8, RA-2, RA-3, SA-11, SA-15, SC-38, SI-2, SI-
10223 3, SI-4, SI-7, SR-11.
10224 Control Enhancements:
10225 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY
10226 [Withdrawn: Incorporated into RA-5.]
10227 (2) VULNERABILITY MONITORING AND SCANNING | UPDATE SYSTEM VULNERABILITIES
10228 Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment:
10229 organization-defined frequency]; prior to a new scan; when new vulnerabilities are
10230 identified and reported].
10231 Discussion: Due to the complexity of modern software and systems and other factors, new
10232 vulnerabilities are discovered on a regular basis. It is important that newly discovered
10233 vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the
10234 organization can take steps to mitigate those vulnerabilities in a timely manner.
10235 Related Controls: SI-5.
10236 (3) VULNERABILITY MONITORING AND SCANNING | BREADTH AND DEPTH OF COVERAGE
10237 Define the breadth and depth of vulnerability scanning coverage.
10238 Discussion: The breadth of vulnerability scanning coverage can be expressed, for example,
10239 as a percentage of components within the system, by the particular types of systems, by the
10240 criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the
10241 depth of vulnerability scanning coverage can be expressed as the level of the system design
10242 the organization intends to monitor (e.g., component, module, subsystem). Organizations
10243 can determine the sufficiency of vulnerability scanning coverage with regard to its risk
10244 tolerance and other factors. [SP 800-53A] provides additional information on the breadth
10245 and depth of coverage.
10246 Related Controls: None.

CHAPTER THREE PAGE 235

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10247 (4) VULNERABILITY MONITORING AND SCANNING | DISCOVERABLE INFORMATION

10248 Determine information about the system that is discoverable and take [Assignment:
10249 organization-defined corrective actions].
10250 Discussion: Discoverable information includes information that adversaries could obtain
10251 without compromising or breaching the system, for example, by collecting information the
10252 system is exposing or by conducting extensive web searches. Corrective actions include
10253 notifying appropriate organizational personnel, removing designated information, or
10254 changing the system to make the designated information less relevant or attractive to
10255 adversaries. This enhancement excludes intentionally discoverable information that may be
10256 part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the
10257 organization.
10258 Related Controls: AU-13, SC-26.
10259 (5) VULNERABILITY MONITORING AND SCANNING | PRIVILEGED ACCESS
10260 Implement privileged access authorization to [Assignment: organization-defined system
10261 components] for [Assignment: organization-defined vulnerability scanning activities].
10262 Discussion: In certain situations, the nature of the vulnerability scanning may be more
10263 intrusive or the system component that is the subject of the scanning may contain classified
10264 or controlled unclassified information, such as personally identifiable information. Privileged
10265 access authorization to selected system components facilitates more thorough vulnerability
10266 scanning and protects the sensitive nature of such scanning.
10267 Related Controls: None.
10268 (6) VULNERABILITY MONITORING AND SCANNING | AUTOMATED TREND ANALYSES
10269 Compare the results of multiple vulnerability scans using [Assignment: organization-
10270 defined automated mechanisms].
10271 Discussion: Using automated mechanisms to analyze multiple vulnerability scans over time
10272 can help to determine trends in system vulnerabilities.
10273 Related Controls: None.
10274 (7) VULNERABILITY MONITORING AND SCANNING | AUTOMATED DETECTION AND NOTIFICATION OF
10275 UNAUTHORIZED COMPONENTS
10276 [Withdrawn: Incorporated into CM-8.]
10277 (8) VULNERABILITY MONITORING AND SCANNING | REVIEW HISTORIC AUDIT LOGS
10278 Review historic audit logs to determine if a vulnerability identified in a [Assignment:
10279 organization-defined system] has been previously exploited within an [Assignment:
10280 organization-defined time period].
10281 Discussion: Reviewing historic audit logs to determine if a recently detected vulnerability in
10282 a system has been previously exploited by an adversary can provide important information
10283 for forensic analyses. Such analyses can help identify, for example, the extent of a previous
10284 intrusion, the trade craft employed during the attack, organizational information exfiltrated
10285 or modified, mission or business capabilities affected, and the duration of the attack.
10286 Related Controls: AU-6, AU-11.
10287 (9) VULNERABILITY MONITORING AND SCANNING | PENETRATION TESTING AND ANALYSES
10288 [Withdrawn: Incorporated into CA-8.]
10289 (10) VULNERABILITY SCANNING | CORRELATE SCANNING INFORMATION
10290 Correlate the output from vulnerability scanning tools to determine the presence of multi-
10291 vulnerability and multi-hop attack vectors.

CHAPTER THREE PAGE 236

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10292 Discussion: An attack vector is a path or means by which an adversary can gain access to a
10293 system in order to deliver malicious code or exfiltrate information. Organizations can use
10294 attack trees to show how hostile activities by adversaries interact and combine to produce
10295 adverse impacts or negative consequences to systems and organizations. Such information,
10296 together with correlated data from vulnerability scanning tools, can provide greater clarity
10297 regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability
10298 scanning information is especially important when organizations are transitioning from older
10299 technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
10300 During such transitions, some system components may inadvertently be unmanaged and
10301 create opportunities for adversary exploitation.
10302 Related Controls: None.
10303 (11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM
10304 Establish an [Assignment: organization-defined public reporting channel] for receiving
10305 reports of vulnerabilities in organizational systems and system components.
10306 Discussion: The reporting channel is publicly discoverable and contains clear language
10307 authorizing good-faith research and disclosure of vulnerabilities to the organization. The
10308 organization does not condition its authorization on an expectation of indefinite non-
10309 disclosure to the public by the reporting entity, but may request a specific time period to
10310 properly remediate the vulnerability.
10311 Related Controls: None.
10312 References: [SP 800-40]; [SP 800-53A]; [SP 800-70]; [SP 800-115]; [SP 800-126]; [IR 7788]; [IR
10313 8023].

10314 RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY

10315 Control: Employ a technical surveillance countermeasures survey at [Assignment: organization-
10316 defined locations] [Selection (one or more): [Assignment: organization-defined frequency];
10317 [Assignment: organization-defined events or indicators occur]].
10318 Discussion: A technical surveillance countermeasures survey is a service provided by qualified
10319 personnel to detect the presence of technical surveillance devices and hazards and to identify
10320 technical security weaknesses that could be used in the conduct of a technical penetration of the
10321 surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the
10322 technical security posture of organizations and facilities and include visual, electronic, and
10323 physical examinations of surveyed facilities, internally and externally. The surveys also provide
10324 useful input for risk assessments and information regarding organizational exposure to potential
10325 adversaries.
10326 Related Controls: None.
10327 Control Enhancements: None.
10328 References: None.

10329 RA-7 RISK RESPONSE

10330 Control: Respond to findings from security and privacy assessments, monitoring, and audits in
10331 accordance with organizational risk tolerance.
10332 Discussion: Organizations have many options for responding to risk including mitigating risk by
10333 implementing new controls or strengthening existing controls; accepting risk with appropriate
10334 justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the
10335 organization influences risk response decisions and actions. Risk response addresses the need to

CHAPTER THREE PAGE 237

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10336 determine an appropriate response to risk before generating a plan of action and milestones
10337 entry. For example, the response may be to accept risk or reject risk, or it may be possible to
10338 mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if
10339 the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a
10340 plan of action and milestones entry is generated.
10341 Related Controls: CA-5, IR-9, PM-4, PM-28, RA-2, RA-3, SR-2.
10342 Control Enhancements: None.
10343 References: [FIPS 199]; [FIPS 200]; [SP 800-30]; [SP 800-37]; [SP 800-39]; [SP 800-160 v1].

10344 RA-8 PRIVACY IMPACT ASSESSMENTS

10345 Control: Conduct privacy impact assessments for systems, programs, or other activities before:
10346 a. Developing or procuring information technology that processes personally identifiable
10347 information; and
10348 b. Initiating a new collection of personally identifiable information that:
10349 1. Will be processed using information technology; and
10350 2. Includes personally identifiable information permitting the physical or online contacting
10351 of a specific individual, if identical questions have been posed to, or identical reporting
10352 requirements imposed on, ten or more persons, other than agencies, instrumentalities,
10353 or employees of the federal government.
10354 Discussion: A privacy impact assessment is an analysis of how personally identifiable information
10355 is handled to ensure that handling conforms to applicable privacy requirements, determine the
10356 privacy risks associated with an information system or activity, and evaluate ways to mitigate
10357 privacy risks. A privacy impact assessment is both an analysis and a formal document detailing
10358 the process and the outcome of the analysis.
10359 Organizations conduct and develop a privacy impact assessment with sufficient clarity and
10360 specificity to demonstrate that the organization fully considered privacy and incorporated
10361 appropriate privacy protections from the earliest stages of the organization’s activity and
10362 throughout the information life cycle. In order to conduct a meaningful privacy impact
10363 assessment, the organization’s senior agency official for privacy works closely with program
10364 managers, system owners, information technology experts, security officials, counsel, and other
10365 relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted
10366 activity that is limited to a particular milestone or stage of the information system or personally
10367 identifiable information life cycles. Rather, the privacy analysis continues throughout the system
10368 and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a
10369 living document that organizations update whenever changes to the information technology,
10370 changes to the organization’s practices, or other factors alter the privacy risks associated with
10371 the use of such information technology.
10372 To conduct the privacy impact assessment, organizations can use security and privacy risk
10373 assessments. Organizations may also use other related processes which may have different
10374 labels, including privacy threshold analyses. A privacy impact assessment can also serve as notice
10375 to the public regarding the organization’s practices with respect to privacy. Although conducting
10376 and publishing privacy impact assessments may be required by law, organizations may develop
10377 such policies in the absence of applicable laws. For federal agencies, privacy impact assessments
10378 may be required by [EGOV]; agencies should consult with their senior agency official for privacy
10379 and legal counsel on this requirement and be aware of the statutory exceptions and OMB
10380 guidance relating to the provision.
10381 Related Controls: CM-13, PT-2, PT-3, PT-6, RA-1, RA-2, RA-3, RA-7.

CHAPTER THREE PAGE 238

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10382 Control Enhancements: None.

10383 References: [EGOV]; [OMB A-130, Appendix II].

10384 RA-9 CRITICALITY ANALYSIS

10385 Control: Identify critical system components and functions by performing a criticality analysis for
10386 [Assignment: organization-defined systems, system components, or system services] at
10387 [Assignment: organization-defined decision points in the system development life cycle].
10388 Discussion: Not all system components, functions, or services necessarily require significant
10389 protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and
10390 informs the prioritization of protection activities. The identification of critical system components
10391 and functions considers applicable laws, executive orders regulations, directives, policies, and
10392 standards; system functionality requirements; system and component interfaces; and system
10393 and component dependencies. Systems engineers conduct a functional decomposition of a
10394 system to identify mission-critical functions and components. The functional decomposition
10395 includes the identification of organizational missions supported by the system; decomposition
10396 into the specific functions to perform those missions; and traceability to the hardware, software,
10397 and firmware components that implement those functions, including when the functions are
10398 shared by many components within and external to the system.
10399 The operational environment of a system or a system component may impact the criticality,
10400 including the connections to and dependencies on cyber-physical systems, devices, system-of-
10401 systems, and outsourced IT services. System components that allow unmediated access to critical
10402 system components or functions are considered critical due to the inherent vulnerabilities such
10403 components create. Component and function criticality are assessed in terms of the impact of a
10404 component or function failure on the organizational missions that are supported by the system
10405 containing the components and functions. Criticality analysis is performed when an architecture
10406 or design is being developed, modified, or upgraded. If such analysis is performed early in the
10407 system development life cycle, organizations may be able to modify the system design to reduce
10408 the critical nature of these components and functions, for example, by adding redundancy or
10409 alternate paths into the system design. Criticality analysis can also influence the protection
10410 measures required by development contractors. In addition to criticality analysis for systems,
10411 system components, and system services, criticality analysis of information is an important
10412 consideration. Such analysis is conducted as part of security categorization in RA-2.
10413 Related Controls: CP-2, PL-2, PL-8, PL-11, PM-1, RA-2, SA-8, SA-15, SA-20.
10414 Control Enhancements: None.
10415 References: [IR 8179].

10416 RA-10 THREAT HUNTING

10417 Control:
10418 a. Establish and maintain a cyber threat hunting capability to:
10419 1. Search for indicators of compromise in organizational systems; and
10420 2. Detect, track, and disrupt threats that evade existing controls; and
10421 b. Employ the threat hunting capability [Assignment: organization-defined frequency].
10422 Discussion: Threat hunting is an active means of cyber defense in contrast to the traditional
10423 protection measures such as firewalls, intrusion detection and prevention systems, quarantining
10424 malicious code in sandboxes, and Security Information and Event Management technologies and
10425 systems. Cyber threat hunting involves proactively searching organizational systems, networks,

CHAPTER THREE PAGE 239

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10426 and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as
10427 early as possible in the attack sequence and to measurably improve the speed and accuracy of
10428 organizational responses. Indications of compromise include unusual network traffic, unusual file
10429 changes, and the presence of malicious code. Threat hunting teams leverage existing threat
10430 intelligence and may create new threat intelligence, which is shared with peer organizations,
10431 Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers
10432 (ISAC), and relevant government departments and agencies.
10433 Related Controls: RA-3, RA-5, RA-6.
10434 Control Enhancements: None.
10435 References: [SP 800-30].

CHAPTER THREE PAGE 240

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10436 3.17 SYSTEM AND SERVICES ACQUISITION

10437 Quick link to System and Services Acquisition summary table

10438 SA-1 POLICY AND PROCEDURES

10439 Control:
10440 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
10441 roles]:
10442 1. [Selection (one or more): organization-level; mission/business process-level; system-
10443 level] system and services acquisition policy that:
10444 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
10445 coordination among organizational entities, and compliance; and
10446 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
10447 standards, and guidelines; and
10448 2. Procedures to facilitate the implementation of the system and services acquisition
10449 policy and the associated system and services acquisition controls;
10450 b. Designate an [Assignment: organization-defined official] to manage the development,
10451 documentation, and dissemination of the system and services acquisition policy and
10452 procedures; and
10453 c. Review and update the current system and services acquisition:
10454 1. Policy [Assignment: organization-defined frequency]; and
10455 2. Procedures [Assignment: organization-defined frequency].
10456 Discussion: This control addresses policy and procedures for the controls in the SA family
10457 implemented within systems and organizations. The risk management strategy is an important
10458 factor in establishing such policies and procedures. Policies and procedures help provide security
10459 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
10460 on their development. Security and privacy program policies and procedures at the organization
10461 level are preferable, in general, and may obviate the need for system-specific policies and
10462 procedures. The policy can be included as part of the general security and privacy policy or can
10463 be represented by multiple policies reflecting the complex nature of organizations. Procedures
10464 can be established for security and privacy programs and for systems, if needed. Procedures
10465 describe how the policies or controls are implemented and can be directed at the individual or
10466 role that is the object of the procedure. Procedures can be documented in system security and
10467 privacy plans or in one or more separate documents. Restating controls does not constitute an
10468 organizational policy or procedure.
10469 Related Controls: PM-9, PS-8, SA-8, SI-12.
10470 Control Enhancements: None.
10471 References: [OMB A-130]; [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100]; [SP 800-160 v1].

10472 SA-2 ALLOCATION OF RESOURCES

10473 Control:
10474 a. Determine the high-level information security and privacy requirements for the system or
10475 system service in mission and business process planning;

CHAPTER THREE PAGE 241

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10476 b. Determine, document, and allocate the resources required to protect the system or system
10477 service as part of the organizational capital planning and investment control process; and
10478 c. Establish a discrete line item for information security and privacy in organizational
10479 programming and budgeting documentation.
10480 Discussion: Resource allocation for information security and privacy includes funding for system
10481 and services acquisition, sustainment, and supply chain concerns throughout the system
10482 development life cycle.
10483 Related Controls: PL-7, PM-3, PM-11, SA-9, SR-3, SR-5.
10484 Control Enhancements: None.
10485 References: [OMB A-130]; [SP 800-160 v1].

10486 SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

10487 Control:
10488 a. Acquire, develop, and manage the system using [Assignment: organization-defined system
10489 development life cycle] that incorporates information security and privacy considerations;
10490 b. Define and document information security and privacy roles and responsibilities throughout
10491 the system development life cycle;
10492 c. Identify individuals having information security and privacy roles and responsibilities; and
10493 d. Integrate the organizational information security and privacy risk management process into
10494 system development life cycle activities.
10495 Discussion: A system development life cycle process provides the foundation for the successful
10496 development, implementation, and operation of organizational systems. The integration of
10497 security and privacy considerations early in the system development life cycle is a foundational
10498 principle of systems security engineering and privacy engineering. To apply the required controls
10499 within the system development life cycle requires a basic understanding of information security
10500 and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business
10501 functions. The security engineering principles in SA-8 help individuals properly design, code, and
10502 test systems and system components. Organizations include in system development life cycle
10503 processes, qualified personnel, including senior agency information security officers, senior
10504 agency officials for privacy, security and privacy architects, and security and privacy engineers to
10505 ensure that established security and privacy requirements are incorporated into organizational
10506 systems. Role-based security and privacy training programs can ensure that individuals having
10507 key security and privacy roles and responsibilities have the experience, skills, and expertise to
10508 conduct assigned system development life cycle activities.
10509 The effective integration of security and privacy requirements into enterprise architecture also
10510 helps to ensure that important security and privacy considerations are addressed throughout the
10511 system life cycle and that those considerations are directly related to organizational mission and
10512 business processes. This process also facilitates the integration of the information security and
10513 privacy architectures into the enterprise architecture, consistent with risk management strategy
10514 of the organization. Because the system development life cycle involves multiple organizations,
10515 (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply
10516 chain risk management functions and controls play a significant role in the effective management
10517 of the system during the life cycle.
10518 Related Controls: AT-3, PL-8, PM-7, SA-4, SA-5, SA-8, SA-11, SA-15, SA-17, SA-22, SR-3, SR-5, SR-
10519 9.

CHAPTER THREE PAGE 242

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10520 Control Enhancements:

10521 (1) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT
10522 Protect system preproduction environments commensurate with risk throughout the
10523 system development life cycle for the system, system component, or system service.
10524 Discussion: The preproduction environment includes development, test, and integration
10525 environments. The program protection planning processes established by the Department of
10526 Defense is an example of managing the preproduction environment for defense contractors.
10527 Criticality analysis and the application of controls on developers also contribution to a more
10528 secure system development environment.
10529 Related Controls: CM-2, CM-4, RA-3, RA-9, SA-4.
10530 (2) SYSTEM DEVELOPMENT LIFE CYCLE | USE OF LIVE OR OPERATIONAL DATA
10531 (a) Approve, document, and control the use of live data in preproduction environments
10532 for the system, system component, or system service; and
10533 (b) Protect preproduction environments for the system, system component, or system
10534 service at the same impact or classification level as any live data in use within the
10535 preproduction environments.
10536 Discussion: Live data is also referred to as operational data. The use of live or operational
10537 data in preproduction (i.e., development, test, and integration) environments can result in
10538 significant risk to organizations. In addition, the use of personally identifiable information in
10539 testing, research, and training increases risk of unauthorized disclosure or misuse of such
10540 information. Thus, it is important for the organization to manage any additional risks that
10541 may result from use of live or operational data. Organizations can minimize such risk by
10542 using test or dummy data during the design, development, and testing of systems, system
10543 components, and system services. Risk assessment techniques may be used to determine if
10544 the risk of using live or operational data is acceptable.
10545 Related Controls: PM-25, RA-3.
10546 (3) SYSTEM DEVELOPMENT LIFE CYCLE | TECHNOLOGY REFRESH
10547 Plan for and implement a technology refresh schedule for the system throughout the
10548 system development life cycle.
10549 Discussion: Technology refresh planning may encompass hardware, software, firmware,
10550 processes, personnel skill sets, suppliers, service providers, and facilities. The use of obsolete
10551 or nearing obsolete technology may increase security and privacy risks associated with, for
10552 example, unsupported components, components unable to implement security or privacy
10553 requirements, counterfeit or re-purposed components, slow or inoperable components,
10554 components from untrusted sources, inadvertent personnel error, or increased complexity.
10555 Technology refreshes typically occur during the operations and maintenance stage of the
10556 system development life cycle.
10557 Related Controls: None.
10558 References: [OMB A-130]; [SP 800-30]; [SP 800-37]; [SP 800-160 v1]; [SP 800-171]; [SP 800-
10559 171B].

10560 SA-4 ACQUISITION PROCESS

10561 Control: Include the following requirements, descriptions, and criteria, explicitly or by reference,
10562 using [Selection (one or more): standardized contract language; [Assignment: organization-
10563 defined contract language]] in the acquisition contract for the system, system component, or
10564 system service:
10565 a. Security and privacy functional requirements;

CHAPTER THREE PAGE 243

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10566 b. Strength of mechanism requirements;

10567 c. Security and privacy assurance requirements;
10568 d. Controls needed to satisfy the security and privacy requirements.
10569 e. Security and privacy documentation requirements;
10570 f. Requirements for protecting security and privacy documentation;
10571 g. Description of the system development environment and environment in which the system
10572 is intended to operate;
10573 h. Allocation of responsibility or identification of parties responsible for information security,
10574 privacy, and supply chain risk management; and
10575 i. Acceptance criteria.
10576 Discussion: Security and privacy functional requirements are typically derived from the high-
10577 level security and privacy requirements described in SA-2. The derived requirements include
10578 security and privacy capabilities, functions, and mechanisms. Strength requirements associated
10579 with such capabilities, functions, and mechanisms include degree of correctness, completeness,
10580 resistance to tampering or bypass, and resistance to direct attack. Assurance requirements
10581 include development processes, procedures, practices, and methodologies; and the evidence
10582 from development and assessment activities providing grounds for confidence that the required
10583 functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1]
10584 describes the process of requirements engineering as part of the system development life cycle.
10585 Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate
10586 for achieving the particular security and privacy objectives of the organization and reflecting the
10587 security and privacy requirements of stakeholders. Controls are selected and implemented in
10588 order to satisfy system requirements and include developer and organizational responsibilities.
10589 Controls can include technical aspects, administrative aspects, and physical aspects. In some
10590 cases, the selection and implementation of a control may necessitate additional specification by
10591 the organization in the form of derived requirements or instantiated control parameter values.
10592 The derived requirements and control parameter values may be necessary to provide the
10593 appropriate level of implementation detail for controls within the system development life cycle.
10594 Security and privacy documentation requirements address all stages of the system development
10595 life cycle. Documentation provides user and administrator guidance for the implementation and
10596 operation of controls. The level of detail required in such documentation is based on the security
10597 categorization or classification level of the system and the degree to which organizations depend
10598 on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements
10599 can include mandated configuration settings specifying allowed functions, ports, protocols, and
10600 services. Acceptance criteria for systems, system components, and system services are defined in
10601 the same manner as such criteria for any organizational acquisition or procurement.
10602 Related Controls: CM-6, CM-8, PS-7, SA-3, SA-5, SA-8, SA-11, SA-15, SA-16, SA-17, SA-21, SR-3,
10603 SR-5.
10604 Control Enhancements:
10605 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF CONTROLS
10606 Require the developer of the system, system component, or system service to provide a
10607 description of the functional properties of the controls to be implemented.
10608 Discussion: Functional properties of security and privacy controls describe the functionality
10609 (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the
10610 controls and specifically exclude functionality and data structures internal to the operation
10611 of the controls.

CHAPTER THREE PAGE 244

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10612 Related Controls: None.

10613 (2) ACQUISITION PROCESS | DESIGN AND IMPLEMENTATION INFORMATION FOR CONTROLS
10614 Require the developer of the system, system component, or system service to provide
10615 design and implementation information for the controls that includes: [Selection (one or
10616 more): security-relevant external system interfaces; high-level design; low-level design;
10617 source code or hardware schematics; [Assignment: organization-defined design and
10618 implementation information]] at [Assignment: organization-defined level of detail].
10619 Discussion: Organizations may require different levels of detail in the documentation for the
10620 design and implementation for controls in organizational systems, system components, or
10621 system services based on mission and business requirements; requirements for resiliency
10622 and trustworthiness; and requirements for analysis and testing. Systems can be partitioned
10623 into multiple subsystems. Each subsystem within the system can contain one or more
10624 modules. The high-level design for the system is expressed in terms of subsystems and the
10625 interfaces between subsystems providing security-relevant functionality. The low-level
10626 design for the system is expressed in terms of modules and the interfaces between modules
10627 providing security-relevant functionality. Design and implementation documentation can
10628 include manufacturer, version, serial number, verification hash signature, software libraries
10629 used, date of purchase or download, and the vendor or download source. Source code and
10630 hardware schematics are referred to as the implementation representation of the system.
10631 Related Controls: None.
10632 (3) ACQUISITION PROCESS | DEVELOPMENT METHODS, TECHNIQUES, AND PRACTICES
10633 Require the developer of the system, system component, or system service to
10634 demonstrate the use of a system development life cycle process that includes:
10635 (a) [Assignment: organization-defined systems engineering methods];
10636 (b) [Assignment: organization-defined [Selection (one or more): systems security; privacy]
10637 engineering methods];
10638 (c) [Assignment: organization-defined software development methods; testing,
10639 evaluation, assessment, verification, and validation methods; and quality control
10640 processes].
10641 Discussion: Following a system development life cycle that includes state-of-the-practice
10642 software development methods, systems engineering methods, systems security and privacy
10643 engineering methods, and quality control processes helps to reduce the number and severity
10644 of the latent errors within systems, system components, and system services. Reducing the
10645 number and severity of such errors reduces the number of vulnerabilities in those systems,
10646 components, and services. Transparency in the methods developers select and implement
10647 for systems engineering, systems security and privacy engineering, software development,
10648 component and system assessments, and quality control processes provide an increased
10649 level of assurance in the trustworthiness of the system, system component, or system
10650 service being acquired.
10651 Related Controls: None.
10652 (4) ACQUISITION PROCESS | ASSIGNMENT OF COMPONENTS TO SYSTEMS
10653 [Withdrawn: Incorporated into CM-8(9).]
10654 (5) ACQUISITION PROCESS | SYSTEM, COMPONENT, AND SERVICE CONFIGURATIONS
10655 Require the developer of the system, system component, or system service to:
10656 (a) Deliver the system, component, or service with [Assignment: organization-defined
10657 security configurations] implemented; and

CHAPTER THREE PAGE 245

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10658 (b) Use the configurations as the default for any subsequent system, component, or
10659 service reinstallation or upgrade.
10660 Discussion: Examples of security configurations include the U.S. Government Configuration
10661 Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on
10662 functions, ports, protocols, and services. Security characteristics can include requiring that
10663 default passwords have been changed.
10664 Related Controls: None.
10665 (6) ACQUISITION PROCESS | USE OF INFORMATION ASSURANCE PRODUCTS
10666 (a) Employ only government off-the-shelf or commercial off-the-shelf information
10667 assurance and information assurance-enabled information technology products that
10668 compose an NSA-approved solution to protect classified information when the
10669 networks used to transmit the information are at a lower classification level than the
10670 information being transmitted; and
10671 (b) Ensure that these products have been evaluated and/or validated by NSA or in
10672 accordance with NSA-approved procedures.
10673 Discussion: Commercial off-the-shelf IA or IA-enabled information technology products used
10674 to protect classified information by cryptographic means may be required to use NSA-
10675 approved key management. See [NSA CSFC].
10676 Related Controls: SC-8, SC-12, SC-13.
10677 (7) ACQUISITION PROCESS | NIAP-APPROVED PROTECTION PROFILES
10678 (a) Limit the use of commercially provided information assurance and information
10679 assurance-enabled information technology products to those products that have been
10680 successfully evaluated against a National Information Assurance partnership (NIAP)-
10681 approved Protection Profile for a specific technology type, if such a profile exists; and
10682 (b) Require, if no NIAP-approved Protection Profile exists for a specific technology type
10683 but a commercially provided information technology product relies on cryptographic
10684 functionality to enforce its security policy, that the cryptographic module is FIPS-
10685 validated or NSA-approved.
10686 Discussion: See [NIAP CCEVS] for additional information on NIAP. See [NIST CMVP] for
10687 additional information on FIPS-validated cryptographic modules.
10688 Related Controls: IA-7, SC-12, SC-13.
10689 (8) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN FOR CONTROLS
10690 Require the developer of the system, system component, or system service to produce a
10691 plan for continuous monitoring of control effectiveness that contains the following level of
10692 detail: [Assignment: organization-defined level of detail].
10693 Discussion: The objective of continuous monitoring plans is to determine if the planned,
10694 required, and deployed controls within the system, system component, or system service
10695 continue to be effective over time based on the inevitable changes that occur. Developer
10696 continuous monitoring plans include a sufficient level of detail such that the information can
10697 be incorporated into continuous monitoring strategies and programs implemented by
10698 organizations. Continuous monitoring plans can include the frequency of control monitoring,
10699 types of control assessment and monitoring activities planned, and actions to be taken when
10700 controls fail or become ineffective.
10701 Related Controls: CA-7.
10702 (9) ACQUISITION PROCESS | FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES IN USE
10703 Require the developer of the system, system component, or system service to identify the
10704 functions, ports, protocols, and services intended for organizational use.

CHAPTER THREE PAGE 246

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10705 Discussion: The identification of functions, ports, protocols, and services early in the system
10706 development life cycle, for example, during the initial requirements definition and design
10707 stages, allows organizations to influence the design of the system, system component, or
10708 system service. This early involvement in the system life cycle helps organizations to avoid or
10709 minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks
10710 and understand the trade-offs involved in blocking specific ports, protocols, or services or
10711 when requiring system service providers to do so. Early identification of functions, ports,
10712 protocols, and services avoids costly retrofitting of controls after the system, component, or
10713 system service has been implemented. SA-9 describes the requirements for external system
10714 services. Organizations identify which functions, ports, protocols, and services are provided
10715 from external sources.
10716 Related Controls: CM-7, SA-9.
10717 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS
10718 Employ only information technology products on the FIPS 201-approved products list for
10719 Personal Identity Verification (PIV) capability implemented within organizational systems.
10720 Discussion: Products on the FIPS 201-approved products list meet NIST requirements for
10721 Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used
10722 for multifactor authentication in systems and organizations.
10723 Related Controls: IA-2, IA-8, PM-9.
10724 (11) ACQUISITION PROCESS | SYSTEM OF RECORDS
10725 Include [Assignment: organization-defined Privacy Act requirements] in the acquisition
10726 contract for the operation of a system of records on behalf of an organization to
10727 accomplish an organizational mission or function.
10728 Discussion: When an organization provides by a contract for the operation of a system of
10729 records to accomplish an organizational mission or function, the organization, consistent
10730 with its authority, causes the requirements of the [PRIVACT] to be applied to the system of
10731 records.
10732 Related Controls: PT-7.
10733 (12) ACQUISITION PROCESS | DATA OWNERSHIP
10734 (a) Include organizational data ownership requirements in the acquisition contract; and
10735 (b) Require all data to be removed from the contractor’s system and returned to the
10736 organization within [Assignment: organization-defined timeframe].
10737 Discussion: Contractors operating a system that contains data owned by an organization
10738 initiating the contract, have policies and procedures in place to remove the data from their
10739 systems and/or return the data in a timeframe defined by the contract.
10740 Related Controls: None.
10741 References: [PRIVACT]; [OMB A-130]; [ISO 15408-1]; [ISO 15408-2]; [ISO 15408-3]; [FIPS 140-3];
10742 [FIPS 201-2]; [SP 800-35]; [SP 800-37]; [SP 800-70]; [SP 800-73-4]; [SP 800-137]; [SP 800-160 v1];
10743 [SP 800-161]; [IR 7539]; [IR 7622]; [IR 7676]; [IR 7870]; [IR 8062]; [NIAP CCEVS]; [NSA CSFC].

10744 SA-5 SYSTEM DOCUMENTATION

10745 Control:
10746 a. Obtain administrator documentation for the system, system component, or system service
10747 that describes:
10748 1. Secure configuration, installation, and operation of the system, component, or service;
10749 2. Effective use and maintenance of security and privacy functions and mechanisms; and

CHAPTER THREE PAGE 247

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10750 3. Known vulnerabilities regarding configuration and use of administrative or privileged

10751 functions;
10752 b. Obtain user documentation for the system, system component, or system service that
10753 describes:
10754 1. User-accessible security and privacy functions and mechanisms and how to effectively
10755 use those functions and mechanisms;
10756 2. Methods for user interaction, which enables individuals to use the system, component,
10757 or service in a more secure manner and protect individual privacy; and
10758 3. User responsibilities in maintaining the security of the system, component, or service
10759 and privacy of individuals;
10760 c. Document attempts to obtain system, system component, or system service documentation
10761 when such documentation is either unavailable or nonexistent and takes [Assignment:
10762 organization-defined actions] in response;
10763 d. Protect documentation as required, in accordance with the organizational risk management
10764 strategy; and
10765 e. Distribute documentation to [Assignment: organization-defined personnel or roles].
10766 Discussion: System documentation helps personnel understand the implementation and the
10767 operation of controls. Organizations consider establishing specific measures to determine the
10768 quality and completeness of the content provided. System documentation may be used, for
10769 example, to support the management of supply chain risk, incident response, and other
10770 functions. Personnel or roles requiring documentation include system owners, system security
10771 officers, and system administrators. Attempts to obtain documentation include contacting
10772 manufacturers or suppliers and conducting web-based searches. The inability to obtain
10773 documentation may occur due to the age of the system or component or lack of support from
10774 developers and contractors. When documentation cannot be obtained, organizations may need
10775 to recreate the documentation if it is essential to the implementation or operation of the
10776 controls. The protection provided for the documentation is commensurate with the security
10777 category or classification of the system. Documentation that addresses system vulnerabilities
10778 may require an increased level of protection. Secure operation of the system includes initially
10779 starting the system and resuming secure system operation after a lapse in system operation.
10780 Related Controls: CM-4, CM-6, CM-7, CM-8, PL-2, PL-4, PL-8, PS-2, SA-3, SA-4, SA-8, SA-9, SA-10,
10781 SA-11, SA-15, SA-16, SA-17, SI-12, SR-3.
10782 Control Enhancements:
10783 (1) SYSTEM DOCUMENTATION | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
10784 [Withdrawn: Incorporated into SA-4(1).]
10785 (2) SYSTEM DOCUMENTATION | SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES
10786 [Withdrawn: Incorporated into SA-4(2).]
10787 (3) SYSTEM DOCUMENTATION | HIGH-LEVEL DESIGN
10788 [Withdrawn: Incorporated into SA-4(2).]
10789 (4) SYSTEM DOCUMENTATION | LOW-LEVEL DESIGN
10790 [Withdrawn: Incorporated into SA-4(2).]
10791 (5) SYSTEM DOCUMENTATION | SOURCE CODE
10792 [Withdrawn: Incorporated into SA-4(2).]

CHAPTER THREE PAGE 248

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10793 References: [SP 800-160 v1].

10794 SA-6 SOFTWARE USAGE RESTRICTIONS

10795 [Withdrawn: Incorporated into CM-10 and SI-7.]

10796 SA-7 USER-INSTALLED SOFTWARE

10797 [Withdrawn: Incorporated into CM-11 and SI-7.]

10798 SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES

10799 Control: Apply the following systems security and privacy engineering principles in the
10800 specification, design, development, implementation, and modification of the system and system
10801 components: [Assignment: organization-defined systems security and privacy engineering
10802 principles].
10803 Discussion: Systems security and privacy engineering principles are closely related to and are
10804 implemented throughout the system development life cycle (see SA-3). Organizations can apply
10805 systems security and privacy engineering principles to new systems under development or to
10806 systems undergoing upgrades. For existing systems, organizations apply systems security and
10807 privacy engineering principles to system upgrades and modifications to the extent feasible, given
10808 the current state of hardware, software, and firmware components within those systems.
10809 The application of systems security and privacy engineering principles help organizations develop
10810 trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards,
10811 threats, and creating privacy problems for individuals. Examples of system security engineering
10812 principles include: developing layered protections; establishing security and privacy policies,
10813 architecture, and controls as the foundation for design and development; incorporating security
10814 and privacy requirements into the system development life cycle; delineating physical and logical
10815 security boundaries; ensuring that developers are trained on how to build secure software;
10816 tailoring controls to meet organizational needs; performing threat modeling to identify use cases,
10817 threat agents, attack vectors and patterns, design patterns, and compensating controls needed
10818 to mitigate risk.
10819 Organizations that apply systems security and privacy engineering concepts and principles can
10820 facilitate the development of trustworthy, secure systems, system components, and services;
10821 reduce risk to acceptable levels; and make informed risk management decisions. System security
10822 engineering principles can also be used to protect against certain supply chain risks including
10823 incorporating tamper-resistant hardware into a design.
10824 Related Controls: PL-8, PM-7, RA-2, RA-3, RA-9, SA-3, SA-4, SA-15, SA-17, SA-20, SC-2, SC-3, SC-
10825 32, SC-39, SR-2, SR-3, SR-5.
10826 Control Enhancements:
10827 (1) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | CLEAR ABSTRACTIONS
10828 Implement the security design principle of clear abstractions.
10829 Discussion: The principle of clear abstractions states that a system has simple, well-defined
10830 interfaces and functions that provide a consistent and intuitive view of the data and how it is
10831 managed. The elegance (e.g., clarity, simplicity, necessity, and sufficiency) of the system
10832 interfaces, combined with a precise definition of their functional behavior promotes ease of
10833 analysis, inspection, and testing as well as the correct and secure use of the system. The
10834 clarity of an abstraction is subjective. Examples reflecting application of this principle include
10835 avoidance of redundant, unused interfaces; information hiding; and avoidance of semantic
10836 overloading of interfaces or their parameters (e.g., not using a single function to provide

CHAPTER THREE PAGE 249

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10837 different functionality, depending on how it is used). Information hiding, also known as
10838 representation-independent programming, is a design discipline to ensure that the internal
10839 representation of information in one system component is not visible to another system
10840 component invoking or calling the first component, such that the published abstraction is
10841 not influenced by how the data may be managed internally.
10842 Related Controls: None.
10843 (2) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | LEAST COMMON MECHANISM
10844 Implement the security design principle of least common mechanism in [Assignment:
10845 organization-defined systems or system components].
10846 Discussion: The principle of least common mechanism states that the amount of mechanism
10847 common to more than one user and depended on by all users is minimized [POPEK74].
10848 Minimization of mechanism implies that different components of a system refrain from
10849 using the same mechanism to access a system resource. Every shared mechanism (especially
10850 a mechanism involving shared variables) represents a potential information path between
10851 users and is designed with great care to be sure it does not unintentionally compromise
10852 security [SALTZER75]. Implementing the principle of least common mechanism helps to
10853 reduce the adverse consequences of sharing system state among different programs. A
10854 single program corrupting a shared state (including shared variables) has the potential to
10855 corrupt other programs that are dependent on the state. The principle of least common
10856 mechanism also supports the principle of simplicity of design and addresses the issue of
10857 covert storage channels [LAMPSON73].
10858 Related Controls: None.
10859 (3) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MODULARITY AND LAYERING
10860 Implement the security design principles of modularity and layering in [Assignment:
10861 organization-defined systems or system components].
10862 Discussion: The principles of modularity and layering are fundamental across system
10863 engineering disciplines. Modularity and layering derived from functional decomposition are
10864 effective in managing system complexity, by making it possible to comprehend the structure
10865 of the system. Modular decomposition, or refinement in system design, is challenging and
10866 resists general statements of principle. Modularity serves to isolate functions and related
10867 data structures into well-defined logical units. Layering allows the relationships of these
10868 units to be better understood, so that dependencies are clear and undesired complexity can
10869 be avoided. The security design principle of modularity extends functional modularity to
10870 include considerations based on trust, trustworthiness, privilege, and security policy.
10871 Security-informed modular decomposition includes the following: allocation of policies to
10872 systems in a network; separation of system applications into processes with distinct address
10873 spaces; allocation of system policies to layers; and separation of processes into subjects with
10874 distinct privileges based on hardware-supported privilege domains.
10875 Related Controls: SC-2, SC-3.
10876 (4) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PARTIALLY ORDERED DEPENDENCIES
10877 Implement the security design principle of partially ordered dependencies in [Assignment:
10878 organization-defined systems or system components].
10879 Discussion: The principle of partially ordered dependencies states that the synchronization,
10880 calling, and other dependencies in the system are partially ordered. A fundamental concept
10881 in system design is layering, whereby the system is organized into well-defined, functionally
10882 related modules or components. The layers are linearly ordered with respect to inter-layer
10883 dependencies, such that higher layers are dependent on lower layers. While providing
10884 functionality to higher layers, some layers can be self-contained and not dependent upon
10885 lower layers. While a partial ordering of all functions in a given system may not be possible,

CHAPTER THREE PAGE 250

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10886 if circular dependencies are constrained to occur within layers, the inherent problems of
10887 circularity can be more easily managed. Partially ordered dependencies and system layering
10888 contribute significantly to the simplicity and the coherency of the system design. Partially
10889 ordered dependencies also facilitate system testing and analysis.
10890 Related Controls: None.
10891 (5) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | EFFICIENTLY MEDIATED ACCESS
10892 Implement the security design principle of efficiently mediated access in [Assignment:
10893 organization-defined systems or system components].
10894 Discussion: The principle of efficiently mediated access states that policy-enforcement
10895 mechanisms utilize the least common mechanism available while satisfying stakeholder
10896 requirements within expressed constraints. The mediation of access to system resources
10897 (i.e., CPU, memory, devices, communication ports, services, infrastructure, data and
10898 information) is often the predominant security function of secure systems. It also enables
10899 the realization of protections for the capability provided to stakeholders by the system.
10900 Mediation of resource access can result in performance bottlenecks if the system is not
10901 designed correctly. For example, by using hardware mechanisms, efficiently mediated access
10902 can be achieved. Once access to a low-level resource such as memory has been obtained,
10903 hardware protection mechanisms can ensure that out-of-bounds access does not occur.
10904 Related Controls: None.
10905 (6) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MINIMIZED SHARING
10906 Implement the security design principle of minimized sharing in [Assignment:
10907 organization-defined systems or system components].
10908 Discussion: The principle of minimized sharing states that no computer resource is shared
10909 between system components (e.g., subjects, processes, functions) unless it is absolutely
10910 necessary to do so. Minimized sharing helps to simplify system design and implementation.
10911 In order to protect user-domain resources from arbitrary active entities, no resource is
10912 shared unless that sharing has been explicitly requested and granted. The need for resource
10913 sharing can be motivated by the design principle of least common mechanism in the case
10914 internal entities, or driven by stakeholder requirements. However, internal sharing is
10915 carefully designed to avoid performance and covert storage- and timing-channel problems.
10916 Sharing via common mechanism can increase the susceptibility of data and information to
10917 unauthorized access, disclosure, use, or modification and can adversely affect the inherent
10918 capability provided by the system. To minimize sharing induced by common mechanisms,
10919 such mechanisms can be designed to be reentrant or virtualized to preserve separation.
10920 Moreover, use of global data to share information is carefully scrutinized. The lack of
10921 encapsulation may obfuscate relationships among the sharing entities.
10922 Related Controls: SC-31.
10923 (7) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | REDUCED COMPLEXITY
10924 Implement the security design principle of reduced complexity in [Assignment:
10925 organization-defined systems or system components].
10926 Discussion: The principle of reduced complexity states that the system design is as simple
10927 and small as possible. A small and simple design is more understandable, more analyzable,
10928 and less prone to error. The reduced complexity principle applies to any aspect of a system,
10929 but it has particular importance for security due to the various analyses performed to obtain
10930 evidence about the emergent security property of the system. For such analyses to be
10931 successful, a small and simple design is essential. Application of the principle of reduced
10932 complexity contributes to the ability of system developers to understand the correctness
10933 and completeness of system security functions. It also facilitates identification of potential
10934 vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is

CHAPTER THREE PAGE 251

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10935 directly related to the number of vulnerabilities it will contain—that is, simpler systems
10936 contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier
10937 to understand whether the intended security policy has been captured in the system design,
10938 and that fewer vulnerabilities are likely to be introduced during engineering development.
10939 An additional benefit is that any such conclusion about correctness, completeness, and
10940 existence of vulnerabilities can be reached with a higher degree of assurance in contrast to
10941 conclusions reached in situations where the system design is inherently more complex.
10942 Transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to
10943 IPv6) may require implementing the older and newer technologies simultaneously during the
10944 transition period. This may result in a temporary increase in system complexity during the
10945 transition.
10946 Related Controls: None.
10947 (8) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE EVOLVABILITY
10948 Implement the security design principle of secure evolvability in [Assignment:
10949 organization-defined systems or system components].
10950 Discussion: The principle of secure evolvability states that a system is developed to facilitate
10951 the maintenance of its security properties when there are changes to the system’s structure,
10952 interfaces, interconnections (i.e., system architecture), functionality, or its configuration (i.e.,
10953 security policy enforcement). Changes include a new, an enhanced, or an upgraded system
10954 capability; maintenance and sustainment activities; and reconfiguration. Although it is not
10955 possible to plan for every aspect of system evolution, system upgrades and changes can be
10956 anticipated by analyses of mission or business strategic direction; anticipated changes in the
10957 threat environment; and anticipated maintenance and sustainment needs. It is unrealistic to
10958 expect that complex systems remain secure in contexts not envisioned during development,
10959 whether such contexts are related to the operational environment or to usage. A system
10960 may be secure in some new contexts, but there is no guarantee that its emergent behavior
10961 will always be secure. It is easier to build trustworthiness into a system from the outset, and
10962 it follows that the sustainment of system trustworthiness requires planning for change as
10963 opposed to adapting in an ad hoc or non-methodical manner. The benefits of this principle
10964 include reduced vendor life-cycle costs; reduced cost of ownership; improved system
10965 security; more effective management of security risk; and less risk uncertainty.
10966 Related Controls: CM-3.
10967 (9) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | TRUSTED COMPONENTS
10968 Implement the security design principle of trusted components in [Assignment:
10969 organization-defined systems or system components].
10970 Discussion: The principle of trusted components states that a component is trustworthy to
10971 at least a level commensurate with the security dependencies it supports (i.e., how much it
10972 is trusted to perform its security functions by other components). This principle enables the
10973 composition of components such that trustworthiness is not inadvertently diminished and
10974 where consequently the trust is not misplaced. Ultimately this principle demands some
10975 metric by which the trust in a component and the trustworthiness of a component can be
10976 measured on the same abstract scale. The principle of trusted components is particularly
10977 relevant when considering systems and components in which there are complex chains of
10978 trust dependencies. A trust dependency is also referred to as a trust relationship and there
10979 may be chains of trust relationships.
10980 The principle of trusted components also applies to a compound component that consists of
10981 subcomponents (e.g., a subsystem), which may have varying levels of trustworthiness. The
10982 conservative assumption is that the trustworthiness of a compound component is that of its
10983 least trustworthy subcomponent. It may be possible to provide a security engineering

CHAPTER THREE PAGE 252

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

10984 rationale that the trustworthiness of a particular compound component is greater than the
10985 conservative assumption; however, any such rationale reflects logical reasoning based on a
10986 clear statement of the trustworthiness objectives, and relevant and credible evidence. The
10987 trustworthiness of a compound component is not the same as increased application of
10988 defense-in-depth layering within the component, or replication of components. Defense-in-
10989 depth techniques do not increase the trustworthiness of the whole above that of the least
10990 trustworthy component.
10991 Related Controls: None.
10992 (10) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HIERARCHICAL TRUST
10993 Implement the security design principle of hierarchical trust in [Assignment: organization-
10994 defined systems or system components].
10995 Discussion: The principle of hierarchical trust for components builds on the principle of
10996 trusted components and states that the security dependencies in a system will form a partial
10997 ordering if they preserve the principle of trusted components. The partial ordering provides
10998 the basis for trustworthiness reasoning or providing an assurance case or argument when
10999 composing a secure system from heterogeneously trustworthy components. To analyze a
11000 system composed of heterogeneously trustworthy components for its trustworthiness, it is
11001 essential to eliminate circular dependencies with regard to the trustworthiness. If a more
11002 trustworthy component located in a lower layer of the system were to depend upon a less
11003 trustworthy component in a higher layer, this would in effect, put the components in the
11004 same “less trustworthy” equivalence class per the principle of trusted components. Trust
11005 relationships, or chains of trust, can have various manifestations. For example, the root
11006 certificate of a certificate hierarchy is the most trusted node in the hierarchy, whereas the
11007 leaves in the hierarchy may be the least trustworthy nodes. Another example occurs in a
11008 layered high-assurance system where the security kernel (including the hardware base),
11009 which is located at the lowest layer of the system, is the most trustworthy component. The
11010 principle of hierarchical trust, however, does not prohibit the use of overly trustworthy
11011 components. There may be cases in a system of low trustworthiness, where it is reasonable
11012 to employ a highly trustworthy component rather than one that is less trustworthy (e.g., due
11013 to availability or other cost-benefit driver). For such a case, any dependency of the highly
11014 trustworthy component upon a less trustworthy component does not degrade the
11015 trustworthiness of the resulting low-trust system.
11016 Related Controls: None.
11017 (11) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | INVERSE MODIFICATION THRESHOLD
11018 Implement the security design principle of inverse modification threshold in [Assignment:
11019 organization-defined systems or system components].
11020 Discussion: The principle of inverse modification threshold builds on the principle of trusted
11021 components and the principle of hierarchical trust, and states that the degree of protection
11022 provided to a component is commensurate with its trustworthiness. As the trust placed in a
11023 component increases, the protection against unauthorized modification of the component
11024 also increases to the same degree. Protection from unauthorized modification can come in
11025 the form of the component’s own self-protection and innate trustworthiness, or it can come
11026 from the protections afforded to the component from other elements or attributes of the
11027 security architecture (to include protections in the environment of operation).
11028 Related Controls: None.
11029 (12) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HIERARCHICAL PROTECTION
11030 Implement the security design principle of hierarchical protection in [Assignment:
11031 organization-defined systems or system components].

CHAPTER THREE PAGE 253

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11032 Discussion: The principle of hierarchical protection states that a component need not be
11033 protected from more trustworthy components. In the degenerate case of the most trusted
11034 component, it protects itself from all other components. For example, if an operating system
11035 kernel is deemed the most trustworthy component in a system, then it protects itself from
11036 all untrusted applications it supports, but the applications, conversely, do not need to
11037 protect themselves from the kernel. The trustworthiness of users is a consideration for
11038 applying the principle of hierarchical protection. A trusted system need not protect itself
11039 from an equally trustworthy user, reflecting use of untrusted systems in “system high”
11040 environments where users are highly trustworthy and where other protections are put in
11041 place to bound and protect the “system high” execution environment.
11042 Related Controls: None.
11043 (13) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MINIMIZED SECURITY ELEMENTS
11044 Implement the security design principle of minimized security elements in [Assignment:
11045 organization-defined systems or system components].
11046 Discussion: The principle of minimized security elements states that the system does not
11047 have extraneous trusted components. The principle of minimized security elements has two
11048 aspects: the overall cost of security analysis and the complexity of security analysis. Trusted
11049 components are generally costlier to construct and implement, owing to increased rigor of
11050 development processes. Trusted components also require greater security analysis to qualify
11051 their trustworthiness. Thus, to reduce the cost and decrease the complexity of the security
11052 analysis, a system contains as few trustworthy components as possible. The analysis of the
11053 interaction of trusted components with other components of the system is one of the most
11054 important aspects of system security verification. If the interactions between components
11055 are unnecessarily complex, the security of the system will also be more difficult to ascertain
11056 than one whose internal trust relationships are simple and elegantly constructed. In general,
11057 fewer trusted components result in fewer internal trust relationships and a simpler system.
11058 Related Controls: None.
11059 (14) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | LEAST PRIVILEGE
11060 Implement the security design principle of least privilege in [Assignment: organization-
11061 defined systems or system components].
11062 Discussion: The principle of least privilege states that each system component is allocated
11063 sufficient privileges to accomplish its specified functions, but no more. Applying the principle
11064 of least privilege limits the scope of the component’s actions, which has two desirable
11065 effects: the security impact of a failure, corruption, or misuse of the component will have a
11066 minimized security impact; and the security analysis of the component will be simplified.
11067 Least privilege is a pervasive principle that is reflected in all aspects of the secure system
11068 design. Interfaces used to invoke component capability are available to only certain subsets
11069 of the user population, and component design supports a sufficiently fine granularity of
11070 privilege decomposition. For example, in the case of an audit mechanism, there may be an
11071 interface for the audit manager, who configures the audit settings; an interface for the audit
11072 operator, who ensures that audit data is safely collected and stored; and, finally, yet another
11073 interface for the audit reviewer, who has need only to view the audit data that has been
11074 collected but no need to perform operations on that data.
11075 In addition to its manifestations at the system interface, least privilege can be used as a
11076 guiding principle for the internal structure of the system itself. One aspect of internal least
11077 privilege is to construct modules so that only the elements encapsulated by the module are
11078 directly operated upon by the functions within the module. Elements external to a module
11079 that may be affected by the module’s operation are indirectly accessed through interaction
11080 (e.g., via a function call) with the module that contains those elements. Another aspect of

CHAPTER THREE PAGE 254

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11081 internal least privilege is that the scope of a given module or component includes only those
11082 system elements that are necessary for its functionality, and that the access modes for the
11083 elements (e.g., read, write) are minimal.
11084 Related Controls: AC-6, CM-7.
11085 (15) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PREDICATE PERMISSION
11086 Implement the security design principle of predicate permission in [Assignment:
11087 organization-defined systems or system components].
11088 Discussion: The principle of predicate permission states that system designers consider
11089 requiring multiple authorized entities to provide consent before a highly critical operation or
11090 access to highly sensitive data, information, or resources is allowed to proceed. [SALTZER75]
11091 originally named predicate permission the separation of privilege. It is also equivalent to
11092 separation of duty. The division of privilege among multiple parties decreases the likelihood
11093 of abuse and provides the safeguard that no single accident, deception, or breach of trust is
11094 sufficient to enable an unrecoverable action that can lead to significantly damaging effects.
11095 The design options for such a mechanism may require simultaneous action (e.g., the firing of
11096 a nuclear weapon requires two different authorized individuals to give the correct command
11097 within a small time window) or a sequence of operations where each successive action is
11098 enabled by some prior action, but no single individual is able to enable more than one
11099 action.
11100 Related Controls: AC-5.
11101 (16) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SELF-RELIANT TRUSTWORTHINESS
11102 Implement the security design principle of self-reliant trustworthiness in [Assignment:
11103 organization-defined systems or system components].
11104 Discussion: The principle of self-reliant trustworthiness states that systems minimize their
11105 reliance on other systems for their own trustworthiness. A system is trustworthy by default
11106 with any connection to an external entity used to supplement its function. If a system were
11107 required to maintain a connection with another external entity in order to maintain its
11108 trustworthiness, then that system would be vulnerable to malicious and non-malicious
11109 threats that result in loss or degradation of that connection. The benefit to the principle of
11110 self-reliant trustworthiness is that the isolation of a system will make it less vulnerable to
11111 attack. A corollary to this principle relates to the ability of the system (or system component)
11112 to operate in isolation and then resynchronize with other components when it is rejoined
11113 with them.
11114 Related Controls: None.
11115 (17) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DISTRIBUTED COMPOSITION
11116 Implement the security design principle of secure distributed composition in [Assignment:
11117 organization-defined systems or system components].
11118 Discussion: The principle of secure distributed composition states that the composition of
11119 distributed components that enforce the same system security policy result in a system that
11120 enforces that policy at least as well as the individual components do. Many of the design
11121 principles for secure systems deal with how components can or should interact. The need to
11122 create or enable capability from the composition of distributed components can magnify the
11123 relevancy of these principles. In particular, the translation of security policy from a stand-
11124 alone to a distributed system or a system-of-systems can have unexpected or emergent
11125 results. Communication protocols and distributed data consistency mechanisms help to
11126 ensure consistent policy enforcement across a distributed system. To ensure a system-wide
11127 level of assurance of correct policy enforcement, the security architecture of a distributed
11128 composite system is thoroughly analyzed.

CHAPTER THREE PAGE 255

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11129 Related Controls: None.

11130 (18) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | TRUSTED COMMUNICATIONS CHANNELS
11131 Implement the security design principle of trusted communications channels in
11132 [Assignment: organization-defined systems or system components].
11133 Discussion: The principle of trusted communication channels states that when composing a
11134 system where there is a potential threat to communications between components (i.e., the
11135 interconnections between components), each communication channel is trustworthy to a
11136 level commensurate with the security dependencies it supports (i.e., how much it is trusted
11137 by other components to perform its security functions). Trusted communication channels
11138 are achieved by a combination of restricting access to the communication channel (to ensure
11139 an acceptable match in the trustworthiness of the endpoints involved in the communication)
11140 and employing end-to-end protections for the data transmitted over the communication
11141 channel (to protect against interception, modification, and to further increase the assurance
11142 of proper end-to-end communication).
11143 Related Controls: SC-8, SC-12, SC-13.
11144 (19) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | CONTINUOUS PROTECTION
11145 Implement the security design principle of continuous protection in [Assignment:
11146 organization-defined systems or system components].
11147 Discussion: The principle of continuous protection states that components and data used to
11148 enforce the security policy have uninterrupted protection that is consistent with the security
11149 policy and the security architecture assumptions. No assurances that the system can provide
11150 the confidentiality, integrity, availability, and privacy protections for its design capability can
11151 be made if there are gaps in the protection. Any assurances about the ability to secure a
11152 delivered capability require that data and information are continuously protected. That is,
11153 there are no periods during which data and information are left unprotected while under
11154 control of the system (i.e., during the creation, storage, processing, or communication of the
11155 data and information, as well as during system initialization, execution, failure, interruption,
11156 and shutdown). Continuous protection requires adherence to the precepts of the reference
11157 monitor concept (i.e., every request is validated by the reference monitor, the reference
11158 monitor is able to protect itself from tampering, and sufficient assurance of the correctness
11159 and completeness of the mechanism can be ascertained from analysis and testing), and the
11160 principle of secure failure and recovery (i.e., preservation of a secure state during error,
11161 fault, failure, and successful attack; preservation of a secure state during recovery to normal,
11162 degraded, or alternative operational modes).
11163 Continuous protection also applies to systems designed to operate in varying configurations,
11164 including those that deliver full operational capability and degraded-mode configurations
11165 that deliver partial operational capability. The continuous protection principle requires that
11166 changes to the system security policies be traceable to the operational need that drives the
11167 configuration and be verifiable (i.e., it is possible to verify that the proposed changes will not
11168 put the system into an insecure state). Insufficient traceability and verification may lead to
11169 inconsistent states or protection discontinuities due to the complex or undecidable nature of
11170 the problem. The use of pre-verified configuration definitions that reflect the new security
11171 policy enables analysis to determine that a transition from old to new policies is essentially
11172 atomic, and that any residual effects from the old policy are guaranteed to not conflict with
11173 the new policy. The ability to demonstrate continuous protection is rooted in the clear
11174 articulation of life cycle protection needs as stakeholder security requirements.
11175 Related Controls: AC-25.

CHAPTER THREE PAGE 256

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11176 (20) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE METADATA MANAGEMENT
11177 Implement the security design principle of secure metadata management in [Assignment:
11178 organization-defined systems or system components].
11179 Discussion: The principle of secure metadata management states that metadata are “first
11180 class” objects with respect to security policy when the policy requires complete protection of
11181 information or it requires that the security subsystem to be self-protecting. The principle of
11182 secure metadata management is driven by the recognition that a system, subsystem, or
11183 component cannot achieve self-protection unless it protects the data it relies upon for
11184 correct execution. Data is generally not interpreted by the system that stores it. It may have
11185 semantic value (i.e., it comprises information) to users and programs that process the data.
11186 In contrast, metadata is information about data, such as a file name or the date when the
11187 file was created. Metadata is bound to the target data that it describes in a way that the
11188 system can interpret, but it need not be stored inside of or proximate to its target data.
11189 There may be metadata whose target is itself metadata (e.g., the sensitivity level of a file
11190 name), to include self-referential metadata.
11191 The apparent secondary nature of metadata can lead to a neglect of its legitimate need for
11192 protection, resulting in a violation of the security policy that includes the exfiltration of
11193 information. A particular concern associated with insufficient protections for metadata is
11194 associated with multilevel secure (MLS) systems. MLS systems mediate access by a subject to
11195 an object based on relative sensitivity levels. It follows that all subjects and objects in the
11196 scope of control of the MLS system are either directly labeled or indirectly attributed with
11197 sensitivity levels. The corollary of labeled metadata for MLS systems states that objects
11198 containing metadata are labeled. As with protection needs assessment for data, attention is
11199 given to ensure that the confidentiality and integrity protections are individually assessed,
11200 specified, and allocated to metadata, as would be done for mission, business, and system
11201 data.
11202 Related Controls: None.
11203 (21) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SELF-ANALYSIS
11204 Implement the security design principle of self-analysis in [Assignment: organization-
11205 defined systems or system components].
11206 Discussion: The principle of self-analysis states that a system component is able to assess its
11207 internal state and functionality to a limited extent at various stages of execution, and that
11208 this self-analysis capability is commensurate with the level of trustworthiness invested in the
11209 system. At the system level, self-analysis can be achieved through hierarchical assessments
11210 of trustworthiness established in a bottom up fashion. In this approach, the lower-level
11211 components check for data integrity and correct functionality (to a limited extent) of higher-
11212 level components. For example, trusted boot sequences involve a trusted lower-level
11213 component attesting to the trustworthiness of the next higher-level components so that a
11214 transitive chain of trust can be established. At the root, a component attests to itself, which
11215 usually involves an axiomatic or environmentally enforced assumption about its integrity.
11216 Results of the self-analyses can be used to guard against externally induced errors, or
11217 internal malfunction or transient errors. By following this principle, some simple errors or
11218 malfunctions can be detected without allowing the effects of the error or malfunction to
11219 propagate outside the component. Further, the self-test can also be used to attest to the
11220 configuration of the component, detecting any potential conflicts in configuration with
11221 respect to the expected configuration.
11222 Related Controls: CA-7.

CHAPTER THREE PAGE 257

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11223 (22) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | ACCOUNTABILITY AND TRACEABILITY
11224 Implement the security design principle of accountability and traceability in [Assignment:
11225 organization-defined systems or system components].
11226 Discussion: The principle of accountability and traceability states that it is possible to trace
11227 security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the
11228 action is being taken. The principle of accountability and traceability requires a trustworthy
11229 infrastructure that can record details about actions that affect system security (e.g., an audit
11230 subsystem). To record the details about actions, the system is able to uniquely identify the
11231 entity on whose behalf the action is being carried out and also record the relevant sequence
11232 of actions that are carried out. The accountability policy also requires the audit trail itself be
11233 protected from unauthorized access and modification. The principle of least privilege assists
11234 in tracing the actions to particular entities, as it increases the granularity of accountability.
11235 Associating specific actions with system entities, and ultimately with users, and making the
11236 audit trail secure against unauthorized access and modifications provides non-repudiation,
11237 because once an action is recorded, it is not possible to change the audit trail. Another
11238 important function that accountability and traceability serves is in the routine and forensic
11239 analysis of events associated with the violation of security policy. Analysis of audit logs may
11240 provide additional information that may be helpful in determining the path or component
11241 that allowed the violation of the security policy, and the actions of individuals associated
11242 with the violation of security policy.
11243 Related Controls: AC-6, AU-2, AU-3, AU-6, AU-9, AU-10, AU-12, IA-2, IR-4.
11244 (23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS
11245 Implement the security design principle of secure defaults in [Assignment: organization-
11246 defined systems or system components].
11247 Discussion: The principle of secure defaults states that the default configuration of a system
11248 (to include its constituent subsystems, components, and mechanisms) reflects a restrictive
11249 and conservative enforcement of security policy. The principle of secure defaults applies to
11250 the initial (i.e., default) configuration of a system as well as to the security engineering and
11251 design of access control and other security functions that follow a “deny unless explicitly
11252 authorized” strategy. The initial configuration aspect of this principle requires that any “as
11253 shipped” configuration of a system, subsystem, or system component does not aid in the
11254 violation of the security policy, and can prevent the system from operating in the default
11255 configuration for those cases where the security policy itself requires configuration by the
11256 operational user.
11257 Restrictive defaults mean that the system will operate “as-shipped” with adequate self-
11258 protection, and is able to prevent security breaches before the intended security policy and
11259 system configuration is established. In cases where the protection provided by the “as-
11260 shipped” product is inadequate, stakeholders assess the risk of using it prior to establishing a
11261 secure initial state. Adherence to the principle of secure defaults guarantees that a system is
11262 established in a secure state upon successfully completing initialization. In situations where
11263 the system fails to complete initialization, either it will perform a requested operation using
11264 secure defaults or it will not perform the operation. Refer to the principles of continuous
11265 protection and secure failure and recovery that parallel this principle to provide the ability to
11266 detect and recover from failure.
11267 The security engineering approach to this principle states that security mechanisms deny
11268 requests unless the request is found to be well-formed and consistent with the security
11269 policy. The insecure alternative is to allow a request unless it is shown to be inconsistent
11270 with the policy. In a large system, the conditions that are satisfied to grant a request that is
11271 by default denied are often far more compact and complete than those that would need to
11272 be checked in order to deny a request that is by default granted.

CHAPTER THREE PAGE 258

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11273 Related Controls: CM-2, CM-6, SA-4.

11274 (24) SECURITY AND PRIVACY ENGINEERING PRINCIPLES |SECURE FAILURE AND RECOVERY
11275 Implement the security design principle of secure failure and recovery in [Assignment:
11276 organization-defined systems or system components].
11277 Discussion: The principle of secure failure and recovery states that neither a failure in a
11278 system function or mechanism nor any recovery action in response to failure leads to a
11279 violation of security policy. The principle of secure failure and recovery parallels the principle
11280 of continuous protection to ensure that a system is capable of detecting (within limits) actual
11281 and impending failure at any stage of its operation (i.e., initialization, normal operation,
11282 shutdown, and maintenance) and to take appropriate steps to ensure that security policies
11283 are not violated. In addition, when specified, the system is capable of recovering from
11284 impending or actual failure to resume normal, degraded, or alternative secure operation
11285 while ensuring that a secure state is maintained such that security policies are not violated.
11286 Failure is a condition in which the behavior of a component deviates from its specified or
11287 expected behavior for an explicitly documented input. Once a failed security function is
11288 detected, the system may reconfigure itself to circumvent the failed component, while
11289 maintaining security, and provide all or part of the functionality of the original system, or
11290 completely shut itself down to prevent any further violation of security policies. For this to
11291 occur, the reconfiguration functions of the system are designed to ensure continuous
11292 enforcement of security policy during the various phases of reconfiguration.
11293 Another technique that can be used to recover from failures is to perform a rollback to a
11294 secure state (which may be the initial state) and then either shutdown or replace the service
11295 or component that failed such that secure operation may resume. Failure of a component
11296 may or may not be detectable to the components using it. The principle of secure failure
11297 indicates that components fail in a state that denies rather than grants access. For example,
11298 a nominally “atomic” operation interrupted before completion does not violate security
11299 policy and is designed to handle interruption events by employing higher-level atomicity and
11300 rollback mechanisms (e.g., transactions). If a service is being used, its atomicity properties
11301 are well-documented and characterized so that the component availing itself of that service
11302 can detect and handle interruption events appropriately. For example, a system is designed
11303 to gracefully respond to disconnection and support resynchronization and data consistency
11304 after disconnection.
11305 Failure protection strategies that employ replication of policy enforcement mechanisms,
11306 sometimes called defense in depth, can allow the system to continue in a secure state even
11307 when one mechanism has failed to protect the system. If the mechanisms are similar,
11308 however, the additional protection may be illusory, as the adversary can simply attack in
11309 series. Similarly, in a networked system, breaking the security on one system or service may
11310 enable an attacker to do the same on other similar replicated systems and services. By
11311 employing multiple protection mechanisms, whose features are significantly different, the
11312 possibility of attack replication or repetition can be reduced. Analyses are conducted to
11313 weigh the costs and benefits of such redundancy techniques against increased resource
11314 usage and adverse effects on the overall system performance. Additional analyses are
11315 conducted as the complexity of these mechanisms increases, as could be the case for
11316 dynamic behaviors. Increased complexity generally reduces trustworthiness. When a
11317 resource cannot be continuously protected, it is critical to detect and repair any security
11318 breaches before the resource is once again used in a secure context.
11319 Related Controls: CP-10, CP-12, SC-7, SC-8, SC-24, SI-13.

CHAPTER THREE PAGE 259

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11320 (25) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | ECONOMIC SECURITY

11321 Implement the security design principle of economic security in [Assignment: organization-
11322 defined systems or system components].
11323 Discussion: The principle of economic security states that security mechanisms are not
11324 costlier than the potential damage that could occur from a security breach. This is the
11325 security-relevant form of the cost-benefit analyses used in risk management. The cost
11326 assumptions of cost-benefit analysis prevent the system designer from incorporating
11327 security mechanisms of greater strength than necessary, where strength of mechanism is
11328 proportional to cost. The principle of economic security also requires analysis of the benefits
11329 of assurance relative to the cost of that assurance in terms of the effort expended to obtain
11330 relevant and credible evidence, and to perform the analyses necessary to assess and draw
11331 trustworthiness and risk conclusions from the evidence.
11332 Related Controls: RA-3.
11333 (26) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PERFORMANCE SECURITY
11334 Implement the security design principle of performance security in [Assignment:
11335 organization-defined systems or system components].
11336 Discussion: The principle of performance security states that security mechanisms are
11337 constructed so that they do not degrade system performance unnecessarily. Stakeholder
11338 and system design requirements for performance and security are precisely articulated and
11339 prioritized. For the system implementation to meet its design requirements and be found
11340 acceptable to stakeholders (i.e., validation against stakeholder requirements), the designers
11341 adhere to the specified constraints that capability performance needs place on protection
11342 needs. The overall impact of computationally intensive security services (e.g., cryptography)
11343 are assessed and demonstrated to pose no significant impact to higher-priority performance
11344 considerations or are deemed to be providing an acceptable trade-off of performance for
11345 trustworthy protection. The trade-off considerations include less computationally intensive
11346 security services unless they are unavailable or insufficient. The insufficiency of a security
11347 service is determined by functional capability and strength of mechanism. The strength of
11348 mechanism is selected with respect to security requirements as well as performance-critical
11349 overhead issues (e.g., cryptographic key management) and an assessment of the capability
11350 of the threat.
11351 The principle of performance security leads to the incorporation of features that help in the
11352 enforcement of security policy, but incur minimum overhead, such as low-level hardware
11353 mechanisms upon which higher-level services can be built. Such low-level mechanisms are
11354 usually very specific, have very limited functionality, and are optimized for performance. For
11355 example, once access rights to a portion of memory is granted, many systems use hardware
11356 mechanisms to ensure that all further accesses involve the correct memory address and
11357 access mode. Application of this principle reinforces the need to design security into the
11358 system from the ground up, and to incorporate simple mechanisms at the lower layers that
11359 can be used as building blocks for higher-level mechanisms.
11360 Related Controls: SC-13, SI-2, SI-7.
11361 (27) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HUMAN FACTORED SECURITY
11362 Implement the security design principle of human factored security in [Assignment:
11363 organization-defined systems or system components].
11364 Discussion: The principle of human factored security states that the user interface for
11365 security functions and supporting services is intuitive, user friendly, and provides feedback
11366 for user actions that affect such policy and its enforcement. The mechanisms that enforce
11367 security policy are not intrusive to the user and are designed not to degrade user efficiency.
11368 Security policy enforcement mechanisms also provide the user with meaningful, clear, and

CHAPTER THREE PAGE 260

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11369 relevant feedback and warnings when insecure choices are being made. Particular attention
11370 is given to interfaces through which personnel responsible for system administration and
11371 operation configure and set up the security policies. Ideally, these personnel are able to
11372 understand the impact of their choices. The personnel with system administrative and
11373 operation responsibility are able to configure systems before start-up and administer them
11374 during runtime, in both cases with confidence that their intent is correctly mapped to the
11375 system’s mechanisms. Security services, functions, and mechanisms do not impede or
11376 unnecessarily complicate the intended use of the system. There is a trade-off between
11377 system usability and the strictness necessitated for security policy enforcement. If security
11378 mechanisms are frustrating or difficult to use, then users may disable or avoid them, or use
11379 the mechanisms in ways inconsistent with the security requirements and protection needs
11380 the mechanisms were designed to satisfy.
11381 Related Controls: None.
11382 (28) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | ACCEPTABLE SECURITY
11383 Implement the security design principle of acceptable security in [Assignment:
11384 organization-defined systems or system components].
11385 Discussion: The principle of acceptable security requires that the level of privacy and
11386 performance the system provides is consistent with the users’ expectations. The perception
11387 of personal privacy may affect user behavior, morale, and effectiveness. Based on the
11388 organizational privacy policy and the system design, users should be able to restrict their
11389 actions to protect their privacy. When systems fail to provide intuitive interfaces, or meet
11390 privacy and performance expectations, users may either choose to completely avoid the
11391 system or use it in ways that may be inefficient or even insecure.
11392 Related Controls: None.
11393 (29) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | REPEATABLE AND DOCUMENTED PROCEDURES
11394 Implement the security design principle of repeatable and documented procedures in
11395 [Assignment: organization-defined systems or system components].
11396 Discussion: The principle of repeatable and documented procedures states that the
11397 techniques and methods employed to construct a system component permits the same
11398 component to be completely and correctly reconstructed at a later time. Repeatable and
11399 documented procedures support the development of a component that is identical to the
11400 component created earlier that may be in widespread use. In the case of other system
11401 artifacts (e.g., documentation and testing results), repeatability supports consistency and
11402 ability to inspect the artifacts. Repeatable and documented procedures can be introduced at
11403 various stages within the system development life cycle and can contribute to the ability to
11404 evaluate assurance claims for the system. Examples include systematic procedures for code
11405 development and review; procedures for configuration management of development tools
11406 and system artifacts; and procedures for system delivery.
11407 Related Controls: CM-1, SA-1, SA-10, SA-11, SA-15, SA-17, SC-1, SI-1.
11408 (30) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PROCEDURAL RIGOR
11409 Implement the security design principle of procedural rigor in [Assignment: organization-
11410 defined systems or system components].
11411 Discussion: The principle of procedural rigor states that the rigor of a system life cycle
11412 process is commensurate with its intended trustworthiness. Procedural rigor defines the
11413 scope, depth, and detail of the system life cycle procedures. Rigorous system life cycle
11414 procedures contribute to the assurance that the system is correct and free of unintended
11415 functionality in several ways. First, the procedures impose checks and balances on the life
11416 cycle process such that the introduction of unspecified functionality is prevented.

CHAPTER THREE PAGE 261

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11417 Second, rigorous procedures applied to systems security engineering activities that produce
11418 specifications and other system design documents contribute to the ability to understand
11419 the system as it has been built, rather than trusting that the component as implemented, is
11420 the authoritative (and potentially misleading) specification.
11421 Finally, modifications to an existing system component are easier when there are detailed
11422 specifications describing its current design, instead of studying source code or schematics to
11423 try to understand how it works. Procedural rigor helps to ensure that security functional and
11424 assurance requirements have been satisfied, and it contributes to a better-informed basis
11425 for the determination of trustworthiness and risk posture. Procedural rigor is commensurate
11426 with the degree of assurance desired for the system. If the required trustworthiness of the
11427 system is low, a high level of procedural rigor may add unnecessary cost, whereas when high
11428 trustworthiness is critical, the cost of high procedural rigor is merited.
11429 Related Controls: None.
11430 (31) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE SYSTEM MODIFICATION
11431 Implement the security design principle of secure system modification in [Assignment:
11432 organization-defined systems or system components].
11433 Discussion: The principle of secure system modification states that system modification
11434 maintains system security with respect to the security requirements and risk tolerance of
11435 stakeholders. Upgrades or modifications to systems can transform secure systems into
11436 systems that are not secure. The procedures for system modification ensure that, if the
11437 system is to maintain its trustworthiness, the same rigor that was applied to its initial
11438 development is applied to any system changes. Because modifications can affect the ability
11439 of the system to maintain its secure state, a careful security analysis of the modification is
11440 needed prior to its implementation and deployment. This principle parallels the principle of
11441 secure evolvability.
11442 Related Controls: CM-3, CM-4.
11443 (32) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SUFFICIENT DOCUMENTATION
11444 Implement the security design principle of sufficient documentation in [Assignment:
11445 organization-defined systems or system components].
11446 Discussion: The principle of sufficient documentation states that organizational personnel
11447 with responsibility to interact with the system are provided with adequate documentation
11448 and other information such that the personnel contribute to rather than detract from
11449 system security. Despite attempts to comply with principles such as human factored security
11450 and acceptable security, systems are inherently complex, and the design intent for the use of
11451 security mechanisms is not always intuitively obvious. Neither are the ramifications of the
11452 misuse or misconfiguration of security mechanisms. Uninformed and insufficiently trained
11453 users can introduce vulnerabilities due to errors of omission and commission. The availability
11454 of documentation and training can help to ensure a knowledgeable cadre of personnel, all of
11455 whom have a critical role in the achievement of principles such as continuous protection.
11456 Documentation is written clearly and supported by training that provides security awareness
11457 and understanding of security-relevant responsibilities.
11458 Related Controls: AT-2, AT-3, SA-5.
11459 References: [FIPS 199]; [FIPS 200]; [SP 800-53A]; [SP 800-60 v1]; [SP 800-60 v2]; [SP 800-160 v1];
11460 [IR 8062].

CHAPTER THREE PAGE 262

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11461 SA-9 EXTERNAL SYSTEM SERVICES

11462 Control:
11463 a. Require that providers of external system services comply with organizational security and
11464 privacy requirements and employ the following controls: [Assignment: organization-defined
11465 controls];
11466 b. Define and document organizational oversight and user roles and responsibilities with regard
11467 to external system services; and
11468 c. Employ the following processes, methods, and techniques to monitor control compliance by
11469 external service providers on an ongoing basis: [Assignment: organization-defined processes,
11470 methods, and techniques].
11471 Discussion: External system services are services that are provided by an external provider and
11472 for which the organization has no direct control over the implementation of required controls or
11473 the assessment of control effectiveness. Organizations establish relationships with external
11474 service providers in a variety of ways, including through business partnerships, contracts,
11475 interagency agreements, lines of business arrangements, licensing agreements, joint ventures,
11476 and supply chain exchanges. The responsibility for managing risks from the use of external
11477 system services remains with authorizing officials. For services external to organizations, a chain
11478 of trust requires that organizations establish and retain a certain level of confidence that each
11479 provider in the consumer-provider relationship provides adequate protection for the services
11480 rendered. The extent and nature of this chain of trust varies based on relationships between
11481 organizations and the external providers. Organizations document the basis for the trust
11482 relationships so the relationships can be monitored. External system services documentation
11483 includes government, service providers, end user security roles and responsibilities, and service-
11484 level agreements. Service-level agreements define expectations of performance for implemented
11485 controls, describe measurable outcomes, and identify remedies and response requirements for
11486 identified instances of noncompliance.
11487 Related Controls: AC-20, CA-3, CP-2, IR-4, IR-7, PL-10, PL-11, PS-7, SA-2, SA-4, SR-3, SR-5.
11488 Control Enhancements:
11489 (1) EXTERNAL SYSTEM SERVICES | RISK ASSESSMENTS AND ORGANIZATIONAL APPROVALS
11490 (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of
11491 information security services; and
11492 (b) Verify that the acquisition or outsourcing of dedicated information security services is
11493 approved by [Assignment: organization-defined personnel or roles].
11494 Discussion: Information security services include the operation of security devices such as
11495 firewalls, or key management services; and incident monitoring, analysis, and response.
11496 Risks assessed can include system, mission or business, privacy, or supply chain risks.
11497 Related Controls: CA-6, RA-3.
11498 (2) EXTERNAL SYSTEM SERVICES | IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES
11499 Require providers of the following external system services to identify the functions, ports,
11500 protocols, and other services required for the use of such services: [Assignment:
11501 organization-defined external system services].
11502 Discussion: Information from external service providers regarding the specific functions,
11503 ports, protocols, and services used in the provision of such services can be useful when the
11504 need arises to understand the trade-offs involved in restricting certain functions and services
11505 or blocking certain ports and protocols.
11506 Related Controls: CM-6, CM-7.

CHAPTER THREE PAGE 263

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11507 (3) EXTERNAL SYSTEM SERVICES | ESTABLISH AND MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS
11508 Establish, document, and maintain trust relationships with external service providers
11509 based on the following requirements, properties, factors, or conditions: [Assignment:
11510 organization-defined security and privacy requirements, properties, factors, or conditions
11511 defining acceptable trust relationships].
11512 Discussion: The degree of confidence that the risk from using external services is at an
11513 acceptable level depends on the trust that organizations place in the external providers,
11514 individually or in combination. Trust relationships can help organizations to gain increased
11515 levels of confidence that participating service providers are providing adequate protection
11516 for the services rendered and can also be useful when conducting incident response or when
11517 planning for upgrades or obsolescence. Trust relationships can be complicated due to the
11518 potentially large number of entities participating in the consumer-provider interactions,
11519 subordinate relationships and levels of trust, and types of interactions between the parties.
11520 In some cases, the degree of trust is based on the level of control organizations can exert on
11521 external service providers regarding the controls necessary for the protection of the service,
11522 information, or individual privacy and the evidence brought forth as to the effectiveness of
11523 the implemented controls. The level of control is established by the terms and conditions of
11524 the contracts or service-level agreements.
11525 Related Controls: SR-2.
11526 (4) EXTERNAL SYSTEM SERVICES |CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
11527 Take the following actions to verify that the interests of [Assignment: organization-
11528 defined external service providers] are consistent with and reflect organizational interests:
11529 [Assignment: organization-defined actions].
11530 Discussion: As organizations increasingly use external service providers, it is possible that
11531 the interests of the service providers may diverge from organizational interests. In such
11532 situations, simply having the required technical, management, or operational controls in
11533 place may not be sufficient if the providers that implement and manage those controls are
11534 not operating in a manner consistent with the interests of the consuming organizations.
11535 Actions that organizations take to address such concerns include requiring background
11536 checks for selected service provider personnel; examining ownership records; employing
11537 only trustworthy service providers, including providers with which organizations have had
11538 successful trust relationships; and conducting routine periodic, unscheduled visits to service
11539 provider facilities.
11540 Related Controls: None.
11541 (5) EXTERNAL SYSTEM SERVICES | PROCESSING, STORAGE, AND SERVICE LOCATION
11542 Restrict the location of [Selection (one or more): information processing; information or
11543 data; system services] to [Assignment: organization-defined locations] based on
11544 [Assignment: organization-defined requirements or conditions].
11545 Discussion: The location of information processing, information and data storage, or system
11546 services that are critical to organizations can have a direct impact on the ability of those
11547 organizations to successfully execute their missions and business functions. The impact
11548 occurs when external providers control the location of processing, storage, or services. The
11549 criteria that external providers use for the selection of processing, storage, or service
11550 locations may be different from the criteria organizations use. For example, organizations
11551 may desire that data or information storage locations are restricted to certain locations to
11552 help facilitate incident response activities in case of information security or privacy incidents.
11553 Incident response activities including forensic analyses and after-the-fact investigations, may
11554 be adversely affected by the governing laws, policies, or protocols in the locations where
11555 processing and storage occur and/or the locations from which system services emanate.

CHAPTER THREE PAGE 264

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11556 Related Controls: SA-5, SR-4.

11557 (6) EXTERNAL SYSTEM SERVICES | ORGANIZATION-CONTROLLED CRYPTOGRAPHIC KEYS
11558 Maintain exclusive control of cryptographic keys for encrypted material stored or
11559 transmitted through an external system.
11560 Discussion: Maintaining exclusive control of cryptographic keys in an external system
11561 prevents decryption of organizational data by external system staff. Organizational control
11562 of cryptographic keys can be implemented by encrypting and decrypting data inside the
11563 organization as data is sent to and received from the external system or by employing a
11564 component that permits encryption and decryption functions to be local to the external
11565 system, but allows exclusive organizational access to the encryption keys.
11566 Related Controls: SC-12, SC-13, SI-4.
11567 (7) EXTERNAL SYSTEM SERVICES | ORGANIZATION-CONTROLLED INTEGRITY CHECKING
11568 Provide the capability to check the integrity of information while it resides in the external
11569 system.
11570 Discussion: Storage of organizational information in an external system could limit visibility
11571 into the security status of its data. The ability for the organization to verify and validate the
11572 integrity of its stored data without transferring it out of the external system provides such
11573 visibility.
11574 Related Controls: SI-7.
11575 (8) EXTERNAL SYSTEM SERVICES | PROCESSING AND STORAGE LOCATION — U.S. JURISDICTION
11576 Restrict the geographic location of information processing and data storage to facilities
11577 located within in the legal jurisdictional boundary of the United States.
11578 Discussion: The geographic location of information processing and data storage can have a
11579 direct impact on the ability of organizations to successfully execute their core missions and
11580 business functions. High impact information and systems, if compromised or breached, can
11581 have a severe or catastrophic adverse impact on organizational assets and operations,
11582 individuals, other organizations, and the Nation. Restricting the processing and storage of
11583 high-impact information to facilities within the legal jurisdictional boundary of the United
11584 States provides greater control over such processing and storage.
11585 Related Controls: SA-5, SR-4.
11586 References: [OMB A-130]; [SP 800-35]; [SP 800-160 v1]; [SP 800-161].

11587 SA-10 DEVELOPER CONFIGURATION MANAGEMENT

11588 Control: Require the developer of the system, system component, or system service to:
11589 a. Perform configuration management during system, component, or service [Selection (one or
11590 more): design; development; implementation; operation; disposal];
11591 b. Document, manage, and control the integrity of changes to [Assignment: organization-
11592 defined configuration items under configuration management];
11593 c. Implement only organization-approved changes to the system, component, or service;
11594 d. Document approved changes to the system, component, or service and the potential
11595 security and privacy impacts of such changes; and
11596 e. Track security flaws and flaw resolution within the system, component, or service and report
11597 findings to [Assignment: organization-defined personnel].
11598 Discussion: Organizations consider the quality and completeness of configuration management
11599 activities conducted by developers as direct evidence of applying effective security controls.

CHAPTER THREE PAGE 265

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11600 Controls include protecting from unauthorized modification or destruction, the master copies of
11601 material used to generate security-relevant portions of the system hardware, software, and
11602 firmware. Maintaining the integrity of changes to the system, system component, or system
11603 service requires strict configuration control throughout the system development life cycle to
11604 track authorized changes and to prevent unauthorized changes.
11605 The configuration items that are placed under configuration management include: the formal
11606 model; the functional, high-level, and low-level design specifications; other design data;
11607 implementation documentation; source code and hardware schematics; the current running
11608 version of the object code; tools for comparing new versions of security-relevant hardware
11609 descriptions and source code with previous versions; and test fixtures and documentation.
11610 Depending on the mission and business needs of organizations and the nature of the contractual
11611 relationships in place, developers may provide configuration management support during the
11612 operations and maintenance stage of the system development life cycle.
11613 Related Controls: CM-2, CM-3, CM-4, CM-7, CM-9, SA-4, SA-5, SA-8, SA-15, SI-2, SR-3, SR-4, SR-5,
11614 SR-6.
11615 Control Enhancements:
11616 (1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE AND FIRMWARE INTEGRITY VERIFICATION
11617 Require the developer of the system, system component, or system service to enable
11618 integrity verification of software and firmware components.
11619 Discussion: Software and firmware integrity verification allows organizations to detect
11620 unauthorized changes to software and firmware components using developer-provided
11621 tools, techniques, and mechanisms. The integrity checking mechanisms can also address
11622 counterfeiting of software and firmware components. Organizations verify the integrity of
11623 software and firmware components, for example, through secure one-way hashes provided
11624 by developers. Delivered software and firmware components also include any updates to
11625 such components.
11626 Related Controls: SI-7, SR-11.
11627 (2) DEVELOPER CONFIGURATION MANAGEMENT | ALTERNATIVE CONFIGURATION MANAGEMENT
11628 Provide an alternate configuration management process using organizational personnel in
11629 the absence of a dedicated developer configuration management team.
11630 Discussion: Alternate configuration management processes may be required, for example,
11631 when organizations use commercial off-the-shelf information technology products. Alternate
11632 configuration management processes include organizational personnel that review and
11633 approve proposed changes to systems, system components, and system services; and that
11634 conduct security and privacy impact analyses prior to the implementation of changes to
11635 systems, components, or services.
11636 Related Controls: None.
11637 (3) DEVELOPER CONFIGURATION MANAGEMENT | HARDWARE INTEGRITY VERIFICATION
11638 Require the developer of the system, system component, or system service to enable
11639 integrity verification of hardware components.
11640 Discussion: Hardware integrity verification allows organizations to detect unauthorized
11641 changes to hardware components using developer-provided tools, techniques, methods, and
11642 mechanisms. Organizations verify the integrity of hardware components, for example, with
11643 hard-to-copy labels and verifiable serial numbers provided by developers, and by requiring
11644 the implementation of anti-tamper technologies. Delivered hardware components also
11645 include hardware and firmware updates to such components.
11646 Related Controls: SI-7.

CHAPTER THREE PAGE 266

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11647 (4) DEVELOPER CONFIGURATION MANAGEMENT | TRUSTED GENERATION

11648 Require the developer of the system, system component, or system service to employ
11649 tools for comparing newly generated versions of security-relevant hardware descriptions,
11650 source code, and object code with previous versions.
11651 Discussion: Trusted generation of descriptions, source code, and object code addresses
11652 authorized changes to hardware, software, and firmware components between versions
11653 during development. The focus is on the efficacy of the configuration management process
11654 by the developer to ensure that newly generated versions of security-relevant hardware
11655 descriptions, source code, and object code continue to enforce the security policy for the
11656 system, system component, or system service. In contrast, SA-10(1) and SA-10(3) allow
11657 organizations to detect unauthorized changes to hardware, software, and firmware
11658 components using tools, techniques, or mechanisms provided by developers.
11659 Related Controls: None.
11660 (5) DEVELOPER CONFIGURATION MANAGEMENT | MAPPING INTEGRITY FOR VERSION CONTROL
11661 Require the developer of the system, system component, or system service to maintain
11662 the integrity of the mapping between the master build data (hardware drawings and
11663 software/firmware code) describing the current version of security-relevant hardware,
11664 software, and firmware and the on-site master copy of the data for the current version.
11665 Discussion: Mapping integrity for version control addresses changes to hardware, software,
11666 and firmware components during initial development and during system development life
11667 cycle updates. Maintaining the integrity between the master copies of security-relevant
11668 hardware, software, and firmware (including designs and source code) and the equivalent
11669 data in master copies in operational environments is essential to ensure the availability of
11670 organizational systems supporting critical missions and business functions.
11671 Related Controls: None.
11672 (6) DEVELOPER CONFIGURATION MANAGEMENT | TRUSTED DISTRIBUTION
11673 Require the developer of the system, system component, or system service to execute
11674 procedures for ensuring that security-relevant hardware, software, and firmware updates
11675 distributed to the organization are exactly as specified by the master copies.
11676 Discussion: The trusted distribution of security-relevant hardware, software, and firmware
11677 updates help to ensure that the updates are correct representations of the master copies
11678 maintained by the developer and have not been tampered with during distribution.
11679 Related Controls: None.
11680 References: [FIPS 140-3]; [FIPS 180-4]; [FIPS 202]; [SP 800-128]; [SP 800-160 v1].

11681 SA-11 DEVELOPER TESTING AND EVALUATION

11682 Control: Require the developer of the system, system component, or system service, at all post-
11683 design stages of the system development life cycle, to:
11684 a. Develop and implement a plan for ongoing security and privacy assessments;
11685 b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation
11686 [Assignment: organization-defined frequency] at [Assignment: organization-defined depth
11687 and coverage];
11688 c. Produce evidence of the execution of the assessment plan and the results of the testing and
11689 evaluation;
11690 d. Implement a verifiable flaw remediation process; and
11691 e. Correct flaws identified during testing and evaluation.

CHAPTER THREE PAGE 267

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11692 Discussion: Developmental testing and evaluation confirms that the required controls are
11693 implemented correctly, operating as intended, enforcing the desired security and privacy
11694 policies, and meeting established security and privacy requirements. Security properties of
11695 systems and the privacy of individuals may be affected by the interconnection of system
11696 components or changes to those components. The interconnections or changes, including
11697 upgrading or replacing applications, operating systems, and firmware, may adversely affect
11698 previously implemented controls. Ongoing assessment during development allows for additional
11699 types of testing and evaluation that developers can conduct to reduce or eliminate potential
11700 flaws. Testing custom software applications may require approaches such as manual code
11701 review; security architecture review; penetration testing; and static analysis, dynamic analysis,
11702 binary analysis, or a hybrid of the three analysis approaches.
11703 Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a
11704 variety of tools and in source code reviews. The security and privacy assessment plans include
11705 the specific activities that developers plan to carry out, including the types of analyses, testing,
11706 evaluation, and reviews of software and firmware components, the degree of rigor to be applied,
11707 the frequency of the ongoing testing and evaluation, and the types of artifacts produced during
11708 those processes. The depth of testing and evaluation refers to the rigor and level of detail
11709 associated with the assessment process. The coverage of testing and evaluation refers to the
11710 scope (i.e., number and type) of the artifacts included in the assessment process. Contracts
11711 specify the acceptance criteria for security and privacy assessment plans, flaw remediation
11712 processes, and the evidence that the plans and processes have been diligently applied. Methods
11713 for reviewing and protecting assessment plans, evidence, and documentation are commensurate
11714 with the security category or classification level of the system. Contracts may specify protection
11715 requirements for documentation.
11716 Related Controls: CA-2, CA-7, CM-4, SA-3, SA-4, SA-5, SA-8, SA-15, SA-17, SI-2, SR-5, SR-6, SR-7.
11717 Control Enhancements:
11718 (1) DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS
11719 Require the developer of the system, system component, or system service to employ
11720 static code analysis tools to identify common flaws and document the results of the
11721 analysis.
11722 Discussion: Static code analysis provides a technology and methodology for security reviews
11723 and includes checking for weaknesses in the code and checking for incorporation of libraries
11724 or other included code with known vulnerabilities or that are out-of-date and not supported.
11725 Static code analysis can be used to identify vulnerabilities and to enforce secure coding
11726 practices and Static code analysis is most effective when used early in the development
11727 process, when each code change can be automatically scanned for potential weaknesses.
11728 Static code analysis can provide clear remediation guidance along with defects to enable
11729 developers to fix such defects. Evidence of correct implementation of static analysis include
11730 aggregate defect density for critical defect types; evidence that defects were inspected by
11731 developers or security professionals; and evidence that defects were remediated. A high
11732 density of ignored findings, commonly referred to as false positives, indicates a potential
11733 problem with the analysis process or the analysis tool. In such cases, organizations weigh the
11734 validity of the evidence against evidence from other sources.
11735 Related Controls: None.
11736 (2) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES
11737 Require the developer of the system, system component, or system service to perform
11738 threat modeling and vulnerability analyses during development and the subsequent
11739 testing and evaluation of the system, component, or service that:

CHAPTER THREE PAGE 268

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11740 (a) Uses the following contextual information: [Assignment: organization-defined

11741 information concerning impact, environment of operations, known or assumed
11742 threats, and acceptable risk levels];
11743 (b) Employs the following tools and methods: [Assignment: organization-defined tools
11744 and methods];
11745 (c) Conducts the modeling and analyses at the following level of rigor: [Assignment:
11746 organization-defined breadth and depth of modeling and analyses]; and
11747 (d) Produces evidence that meets the following acceptance criteria: [Assignment:
11748 organization-defined acceptance criteria].
11749 Discussion: Systems, system components, and system services may deviate significantly
11750 from the functional and design specifications created during the requirements and design
11751 stages of the system development life cycle. Therefore, updates to threat modeling and
11752 vulnerability analyses of those systems, system components, and system services during
11753 development and prior to delivery are critical to the effective operation of those systems,
11754 components, and services. Threat modeling and vulnerability analyses at this stage of the
11755 system development life cycle ensure that design and implementation changes have been
11756 accounted for and vulnerabilities created because of those changes have been reviewed and
11757 mitigated.
11758 Related controls: PM-15, RA-3, RA-5.
11759 (3) DEVELOPER TESTING AND EVALUATION | INDEPENDENT VERIFICATION OF ASSESSMENT PLANS AND
11760 EVIDENCE
11761 (a) Require an independent agent satisfying [Assignment: organization-defined
11762 independence criteria] to verify the correct implementation of the developer security
11763 and privacy assessment plans and the evidence produced during testing and
11764 evaluation; and
11765 (b) Verify that the independent agent is provided with sufficient information to complete
11766 the verification process or granted the authority to obtain such information.
11767 Discussion: Independent agents have the qualifications, including the expertise, skills,
11768 training, certifications, and experience to verify the correct implementation of developer
11769 security and privacy assessment plans.
11770 Related Controls: AT-3, RA-5.
11771 (4) DEVELOPER TESTING AND EVALUATION | MANUAL CODE REVIEWS
11772 Require the developer of the system, system component, or system service to perform a
11773 manual code review of [Assignment: organization-defined specific code] using the
11774 following processes, procedures, and/or techniques: [Assignment: organization-defined
11775 processes, procedures, and/or techniques].
11776 Discussion: Manual code reviews are usually reserved for the critical software and firmware
11777 components of systems. Manual code reviews are effective in identifying weaknesses that
11778 require knowledge of the application’s requirements or context which in most cases, are
11779 unavailable to automated analytic tools and techniques, for example, static and dynamic
11780 analysis. The benefits of manual code review include the ability to verify access control
11781 matrices against application controls and review detailed aspects of cryptographic
11782 implementations and controls.
11783 Related Controls: None.
11784 (5) DEVELOPER TESTING AND EVALUATION | PENETRATION TESTING
11785 Require the developer of the system, system component, or system service to perform
11786 penetration testing:

CHAPTER THREE PAGE 269

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11787 (a) At the following level of rigor: [Assignment: organization-defined breadth and depth
11788 of testing]; and
11789 (b) Under the following constraints: [Assignment: organization-defined constraints].
11790 Discussion: Penetration testing is an assessment methodology in which assessors, using all
11791 available information technology product or system documentation and working under
11792 specific constraints, attempt to circumvent implemented security and privacy features of
11793 information technology products and systems. Useful information for assessors conducting
11794 penetration testing includes product and system design specifications, source code, and
11795 administrator and operator manuals. Penetration testing can include white-box, gray-box, or
11796 black box testing with analyses performed by skilled professionals simulating adversary
11797 actions. The objective of penetration testing is to discover vulnerabilities in systems, system
11798 components and services resulting from implementation errors, configuration faults, or
11799 other operational weaknesses or deficiencies. Penetration tests can be performed in
11800 conjunction with automated and manual code reviews to provide greater levels of analysis
11801 than would ordinarily be possible. When user session information and other personally
11802 identifiable information is captured or recorded during penetration testing, such information
11803 is handled appropriately to protect privacy.
11804 Related Controls: CA-8, PM-14, PM-25, PT-2, SA-3, SI-2, SI-6.
11805 (6) DEVELOPER TESTING AND EVALUATION | ATTACK SURFACE REVIEWS
11806 Require the developer of the system, system component, or system service to perform
11807 attack surface reviews.
11808 Discussion: Attack surfaces of systems and system components are exposed areas that
11809 make those systems more vulnerable to attacks. Attack surfaces include any accessible areas
11810 where weaknesses or deficiencies in the hardware, software, and firmware components
11811 provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews
11812 ensure that developers analyze the design and implementation changes to systems and
11813 mitigate attack vectors generated as a result of the changes. Correction of identified flaws
11814 includes deprecation of unsafe functions.
11815 Related Controls: SA-15.
11816 (7) DEVELOPER TESTING AND EVALUATION | VERIFY SCOPE OF TESTING AND EVALUATION
11817 Require the developer of the system, system component, or system service to verify that
11818 the scope of testing and evaluation provides complete coverage of the required controls at
11819 the following level of rigor: [Assignment: organization-defined breadth and depth of
11820 testing and evaluation].
11821 Discussion: Verifying that testing and evaluation provides complete coverage of required
11822 controls can be accomplished by a variety of analytic techniques ranging from informal to
11823 formal. Each of these techniques provides an increasing level of assurance corresponding to
11824 the degree of formality of the analysis. Rigorously demonstrating control coverage at the
11825 highest levels of assurance can be provided using formal modeling and analysis techniques,
11826 including correlation between control implementation and corresponding test cases.
11827 Related Controls: SA-15.
11828 (8) DEVELOPER TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS
11829 Require the developer of the system, system component, or system service to employ
11830 dynamic code analysis tools to identify common flaws and document the results of the
11831 analysis.
11832 Discussion: Dynamic code analysis provides run-time verification of software programs,
11833 using tools capable of monitoring programs for memory corruption, user privilege issues,
11834 and other potential security problems. Dynamic code analysis employs run-time tools to

CHAPTER THREE PAGE 270

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11835 ensure that security functionality performs in the way it was designed. A specialized type of
11836 dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing
11837 malformed or random data into software programs. Fuzz testing strategies derive from the
11838 intended use of applications and the associated functional and design specifications for the
11839 applications. To understand the scope of dynamic code analysis and hence the assurance
11840 provided, organizations may also consider conducting code coverage analysis (checking the
11841 degree to which the code has been tested using metrics such as percent of subroutines
11842 tested or percent of program statements called during execution of the test suite) and/or
11843 concordance analysis (checking for words that are out of place in software code such as non-
11844 English language words or derogatory terms).
11845 Related Controls: None.
11846 (9) DEVELOPER TESTING AND EVALUATION | INTERACTIVE APPLICATION SECURITY TESTING
11847 Require the developer of the system, system component, or system service to employ
11848 interactive application security testing tools to identify flaws and document the results.
11849 Discussion: Interactive (also known as instrumentation-based) application security testing is
11850 a method of detecting vulnerabilities by observing applications as they run during testing.
11851 The use of instrumentation relies on direct measurements of the actual running applications,
11852 and uses access to the code, user interaction, libraries, frameworks, backend connections,
11853 and configurations to measure control effectiveness directly. When combined with analysis
11854 techniques, interactive application security testing can identify a broad range of potential
11855 vulnerabilities and confirm control effectiveness. Instrumentation-based testing works in
11856 real time and can be used continuously throughout the system development life cycle.
11857 Related Controls: None.
11858 References: [ISO 15408-3]; [SP 800-30]; [SP 800-53A]; [SP 800-154]; [SP 800-160 v1].

11859 SA-12 SUPPLY CHAIN PROTECTION

11860 [Withdrawn: Incorporated into SR Family.]
11861 Control Enhancements:
11862 (1) SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES / TOOLS / METHODS
11863 [Withdrawn: Moved to SR-5.]
11864 (2) SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS
11865 [Withdrawn: Moved to SR-6.]
11866 (3) SUPPLY CHAIN PROTECTION | TRUSTED SHIPPING AND WAREHOUSING
11867 [Withdrawn: Incorporated into SR-3.]
11868 (4) SUPPLY CHAIN PROTECTION | DIVERSITY OF SUPPLIERS
11869 [Withdrawn: Moved to SR-3(1).]
11870 (5) SUPPLY CHAIN PROTECTION | LIMITATION OF HARM
11871 [Withdrawn: Moved to SR-3(2).]
11872 (6) SUPPLY CHAIN PROTECTION | MINIMIZING PROCUREMENT TIME
11873 [Withdrawn: Incorporated into SR-5(1).]
11874 (7) SUPPLY CHAIN PROTECTION | ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE
11875 [Withdrawn: Moved to SR-5(2).]

CHAPTER THREE PAGE 271

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11876 (8) SUPPLY CHAIN PROTECTION | USE OF ALL-SOURCE INTELLIGENCE

11877 [Withdrawn: Incorporated into RA-3(2).]
11878 (9) SUPPLY CHAIN PROTECTION | OPERATIONS SECURITY
11879 [Withdrawn: Moved to SR-7.]
11880 (10) SUPPLY CHAIN PROTECTION | VALIDATE AS GENUINE AND NOT ALTERED
11881 [Withdrawn: Moved to SR-4(3).]
11882 (11) SUPPLY CHAIN PROTECTION | PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND
11883 ACTORS
11884 [Withdrawn: Moved to SR-6(1).]
11885 (12) SUPPLY CHAIN PROTECTION | INTER-ORGANIZATIONAL AGREEMENTS
11886 [Withdrawn: Moved to SR-8.]
11887 (13) SUPPLY CHAIN PROTECTION | CRITICAL INFORMATION SYSTEM COMPONENTS
11888 [Withdrawn: Incorporated into MA-6, RA-9.]
11889 (14) SUPPLY CHAIN PROTECTION | IDENTITY AND TRACEABILITY
11890 [Withdrawn: Moved to SR-4(1), SR-4(2).]
11891 (15) SUPPLY CHAIN PROTECTION | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES
11892 [Withdrawn: Incorporated into SR-3.]
11893 SA-13 TRUSTWORTHINESS
11894 [Withdrawn: Incorporated into SA-8.]

11895 SA-14 CRITICALITY ANALYSIS

11896 [Withdrawn: Incorporated into RA-9.]
11897 Control Enhancements:
11898 (1) CRITICALITY ANALYSIS | CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING
11899 [Withdrawn: Incorporated into SA-20.]

11900 SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS

11901 Control:
11902 a. Require the developer of the system, system component, or system service to follow a
11903 documented development process that:
11904 1. Explicitly addresses security and privacy requirements;
11905 2. Identifies the standards and tools used in the development process;
11906 3. Documents the specific tool options and tool configurations used in the development
11907 process; and
11908 4. Documents, manages, and ensures the integrity of changes to the process and/or tools
11909 used in development; and
11910 b. Review the development process, standards, tools, tool options, and tool configurations
11911 [Assignment: organization-defined frequency] to determine if the process, standards, tools,
11912 tool options and tool configurations selected and employed can satisfy the following security

CHAPTER THREE PAGE 272

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11913 and privacy requirements: [Assignment: organization-defined security and privacy

11914 requirements].
11915 Discussion: Development tools include programming languages and computer-aided design
11916 systems. Reviews of development processes include the use of maturity models to determine the
11917 potential effectiveness of such processes. Maintaining the integrity of changes to tools and
11918 processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires
11919 configuration control throughout the system development life cycle to track authorized changes
11920 and to prevent unauthorized changes.
11921 Related Controls: MA-6, SA-3, SA-4, SA-8, SA-10, SA-11, SR-3, SR-4, SR-5, SR-6, SR-9.
11922 Control Enhancements:
11923 (1) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | QUALITY METRICS
11924 Require the developer of the system, system component, or system service to:
11925 (a) Define quality metrics at the beginning of the development process; and
11926 (b) Provide evidence of meeting the quality metrics [Selection (one or more):
11927 [Assignment: organization-defined frequency]; [Assignment: organization-defined
11928 program review milestones]; upon delivery].
11929 Discussion: Organizations use quality metrics to establish acceptable levels of system
11930 quality. Metrics can include quality gates, which are collections of completion criteria or
11931 sufficiency standards representing the satisfactory execution of specific phases of the system
11932 development project. A quality gate, for example, may require the elimination of all compiler
11933 warnings or a determination that such warnings have no impact on the effectiveness of
11934 required security or privacy capabilities. During the execution phases of development
11935 projects, quality gates provide clear, unambiguous indications of progress. Other metrics
11936 apply to the entire development project. These metrics can include defining the severity
11937 thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered
11938 system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High.
11939 Related Controls: None.
11940 (2) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | SECURITY TRACKING TOOLS
11941 Require the developer of the system, system component, or system service to select and
11942 employ security and privacy tracking tools for use during the development process.
11943 Discussion: System development teams select and deploy security and privacy tracking
11944 tools, including vulnerability or work item tracking systems that facilitate assignment,
11945 sorting, filtering, and tracking of completed work items or tasks associated with
11946 development processes.
11947 Related Controls: SA-11.
11948 (3) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CRITICALITY ANALYSIS
11949 Require the developer of the system, system component, or system service to perform a
11950 criticality analysis:
11951 (a) At the following decision points in the system development life cycle: [Assignment:
11952 organization-defined decision points in the system development life cycle]; and
11953 (b) At the following level of rigor: [Assignment: organization-defined breadth and depth
11954 of criticality analysis].
11955 Discussion: Criticality analysis performed by the developer provides input to the criticality
11956 analysis performed by organizations. Developer input is essential to organizational criticality
11957 analysis because organizations may not have access to detailed design documentation for
11958 system components that are developed as commercial off-the-shelf products. Such design

CHAPTER THREE PAGE 273

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

11959 documentation includes functional specifications, high-level designs, low-level designs, and
11960 source code and hardware schematics. Criticality analysis is important for organizational
11961 systems that are designated as high value assets. High value assets can be moderate- or
11962 high-impact systems due to heightened adversarial interest or potential adverse effects on
11963 the federal enterprise. Developer input is especially important when organizations conduct
11964 supply chain criticality analyses.
11965 Related Controls: RA-9.
11966 (4) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | THREAT MODELING AND VULNERABILITY
11967 ANALYSIS
11968 [Withdrawn: Incorporated into SA-11(2).]
11969 (5) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ATTACK SURFACE REDUCTION
11970 Require the developer of the system, system component, or system service to reduce
11971 attack surfaces to [Assignment: organization-defined thresholds].
11972 Discussion: Attack surface reduction is closely aligned with threat and vulnerability analyses
11973 and system architecture and design. Attack surface reduction is a means of reducing risk to
11974 organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e.,
11975 potential vulnerabilities) within systems, system components, and system services. Attack
11976 surface reduction includes implementing the concept of layered defenses; applying the
11977 principles of least privilege and least functionality; applying secure software development
11978 practices; deprecating unsafe functions; reducing entry points available to unauthorized
11979 users; reducing the amount of code executing; and eliminating application programming
11980 interfaces (APIs) that are vulnerable to attacks.
11981 Related Controls: AC-6, CM-7, RA-3, SA-11.
11982 (6) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CONTINUOUS IMPROVEMENT
11983 Require the developer of the system, system component, or system service to implement
11984 an explicit process to continuously improve the development process.
11985 Discussion: Developers of systems, system components, and system services consider the
11986 effectiveness and efficiency of their current development processes for meeting quality
11987 objectives and for addressing the security and privacy capabilities in current threat
11988 environments.
11989 Related Controls: None.
11990 (7) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS
11991 Require the developer of the system, system component, or system service [Assignment:
11992 organization-defined frequency] to:
11993 (a) Perform an automated vulnerability analysis using [Assignment: organization-defined
11994 tools];
11995 (b) Determine the exploitation potential for discovered vulnerabilities;
11996 (c) Determine potential risk mitigations for delivered vulnerabilities; and
11997 (d) Deliver the outputs of the tools and results of the analysis to [Assignment:
11998 organization-defined personnel or roles].
11999 Discussion: Automated tools can be more effective in analyzing exploitable weaknesses or
12000 deficiencies in large and complex systems; prioritizing vulnerabilities by severity; and
12001 providing recommendations for risk mitigations.
12002 Related Controls: RA-5, SA-11.

CHAPTER THREE PAGE 274

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12003 (8) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | REUSE OF THREAT AND VULNERABILITY
12004 INFORMATION
12005 Require the developer of the system, system component, or system service to use threat
12006 modeling and vulnerability analyses from similar systems, components, or services to
12007 inform the current development process.
12008 Discussion: Analysis of vulnerabilities found in similar software applications can inform
12009 potential design and implementation issues for systems under development. Similar systems
12010 or system components may exist within developer organizations. Vulnerability information is
12011 available from a variety of public and private sector sources, including the NIST National
12012 Vulnerability Database.
12013 Related Controls: None.
12014 (9) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | USE OF LIVE DATA
12015 [Withdrawn: Incorporated into SA-3(2).]
12016 (10) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | INCIDENT RESPONSE PLAN
12017 Require the developer of the system, system component, or system service to provide,
12018 implement, and test an incident response plan.
12019 Discussion: The incident response plan provided by developers may be incorporated into
12020 organizational incident response plans. Developer incident response information provides
12021 information that is not readily available to organizations. Such information may be extremely
12022 helpful, for example, when organizations respond to vulnerabilities in commercial off-the-
12023 shelf products.
12024 Related Controls: IR-8.
12025 (11) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ARCHIVE SYSTEM OR COMPONENT
12026 Require the developer of the system or system component to archive the system or
12027 component to be released or delivered together with the corresponding evidence
12028 supporting the final security and privacy review.
12029 Discussion: Archiving system or system components requires the developer to retain key
12030 development artifacts, including hardware specifications, source code, object code, and
12031 relevant documentation from the development process that can provide a readily available
12032 configuration baseline for system and component upgrades or modifications.
12033 Related Controls: CM-2.
12034 (12) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | MINIMIZE PERSONALLY IDENTIFIABLE
12035 INFORMATION
12036 Require the developer of the system or system component to minimize the use of
12037 personally identifiable information in development and test environments.
12038 Discussion: Organizations can minimize the risk to an individual’s privacy by using
12039 techniques such as de-identification or synthetic data. Limiting the use of personally
12040 identifiable information in development and test environments helps reduce the level of
12041 privacy risk created by a system.
12042 Related Controls: PM-25.
12043 References: [SP 800-160 v1]; [IR 8179].

12044 SA-16 DEVELOPER-PROVIDED TRAINING

12045 Control: Require the developer of the system, system component, or system service to provide
12046 the following training on the correct use and operation of the implemented security and privacy
12047 functions, controls, and/or mechanisms: [Assignment: organization-defined training].

CHAPTER THREE PAGE 275

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12048 Discussion: Developer-provided training applies to external and internal (in-house) developers.
12049 Training of personnel is an essential element to help ensure the effectiveness of the controls
12050 implemented within organizational systems. Types of training include web-based and computer-
12051 based training; classroom-style training; and hands-on training (including micro-training).
12052 Organizations can also request training materials from developers to conduct in-house training or
12053 offer self-training to organizational personnel. Organizations determine the type of training
12054 necessary and may require different types of training for different security and privacy functions,
12055 controls, and mechanisms.
12056 Related Controls: AT-2, AT-3, PE-3, SA-4, SA-5.
12057 Control Enhancements: None.
12058 References: None.

12059 SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN

12060 Control: Require the developer of the system, system component, or system service to produce
12061 a design specification and security architecture that:
12062 a. Is consistent with the organization’s security architecture that is an integral part the
12063 organization’s enterprise architecture;
12064 b. Accurately and completely describes the required security functionality, and the allocation of
12065 controls among physical and logical components; and
12066 c. Expresses how individual security functions, mechanisms, and services work together to
12067 provide required security capabilities and a unified approach to protection.
12068 Discussion: Developer security architecture and design is directed at external developers,
12069 although it could also be applied to internal (in-house) development. In contrast, PL-8 is directed
12070 at internal developers to ensure that organizations develop a security architecture and that the
12071 architecture is integrated with the enterprise architecture. The distinction between SA-17 and
12072 PL-8 is especially important when organizations outsource the development of systems, system
12073 components, or system services, and when there is a requirement to demonstrate consistency
12074 with the enterprise architecture and security architecture of the organization. [ISO 15408-2], [ISO
12075 15408-3], and [SP 800-160 v1] provide information on security architecture and design, including
12076 formal policy models, security-relevant components, formal and informal correspondence,
12077 conceptually simple design, and structuring for least privilege and testing.
12078 Related Controls: PL-2, PL-8, PM-7, SA-3, SA-4, SA-8.
12079 Control Enhancements:
12080 (1) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | FORMAL POLICY MODEL
12081 Require the developer of the system, system component, or system service to:
12082 (a) Produce, as an integral part of the development process, a formal policy model
12083 describing the [Assignment: organization-defined elements of organizational security
12084 policy] to be enforced; and
12085 (b) Prove that the formal policy model is internally consistent and sufficient to enforce
12086 the defined elements of the organizational security policy when implemented.
12087 Discussion: Formal models describe specific behaviors or security policies using formal
12088 languages, thus enabling the correctness of those behaviors and policies to be formally
12089 proven. Not all components of systems can be modeled. Generally, formal specifications are
12090 scoped to the specific behaviors or policies of interest, for example, nondiscretionary access
12091 control policies. Organizations choose the formal modeling language and approach based on

CHAPTER THREE PAGE 276

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12092 the nature of the behaviors and policies to be described and the available tools. Formal
12093 modeling tools include Gypsy and Zed.
12094 Related Controls: AC-3, AC-4, AC-25.
12095 (2) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | SECURITY-RELEVANT COMPONENTS
12096 Require the developer of the system, system component, or system service to:
12097 (a) Define security-relevant hardware, software, and firmware; and
12098 (b) Provide a rationale that the definition for security-relevant hardware, software, and
12099 firmware is complete.
12100 Discussion: The security-relevant hardware, software, and firmware represent the portion
12101 of the system, component, or service that is trusted to perform correctly to maintain
12102 required security properties.
12103 Related Controls: AC-25, SA-5.
12104 (3) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | FORMAL CORRESPONDENCE
12105 Require the developer of the system, system component, or system service to:
12106 (a) Produce, as an integral part of the development process, a formal top-level
12107 specification that specifies the interfaces to security-relevant hardware, software, and
12108 firmware in terms of exceptions, error messages, and effects;
12109 (b) Show via proof to the extent feasible with additional informal demonstration as
12110 necessary, that the formal top-level specification is consistent with the formal policy
12111 model;
12112 (c) Show via informal demonstration, that the formal top-level specification completely
12113 covers the interfaces to security-relevant hardware, software, and firmware;
12114 (d) Show that the formal top-level specification is an accurate description of the
12115 implemented security-relevant hardware, software, and firmware; and
12116 (e) Describe the security-relevant hardware, software, and firmware mechanisms not
12117 addressed in the formal top-level specification but strictly internal to the security-
12118 relevant hardware, software, and firmware.
12119 Discussion: Correspondence is an important part of the assurance gained through modeling.
12120 It demonstrates that the implementation is an accurate transformation of the model, and
12121 that any additional code or implementation details that are present have no impact on the
12122 behaviors or policies being modeled. Formal methods can be used to show that the high-
12123 level security properties are satisfied by the formal system description, and that the formal
12124 system description is correctly implemented by a description of some lower level, including a
12125 hardware description. Consistency between the formal top-level specification and the formal
12126 policy models is generally not amenable to being fully proven. Therefore, a combination of
12127 formal and informal methods may be needed to demonstrate such consistency. Consistency
12128 between the formal top-level specification and the actual implementation may require the
12129 use of an informal demonstration due to limitations in the applicability of formal methods to
12130 prove that the specification accurately reflects the implementation. Hardware, software, and
12131 firmware mechanisms internal to security-relevant components include mapping registers
12132 and direct memory input and output.
12133 Related Controls: AC-3, AC-4, AC-25, SA-4, SA-5.
12134 (4) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | INFORMAL CORRESPONDENCE
12135 Require the developer of the system, system component, or system service to:
12136 (a) Produce, as an integral part of the development process, an informal descriptive top-
12137 level specification that specifies the interfaces to security-relevant hardware,
12138 software, and firmware in terms of exceptions, error messages, and effects;

CHAPTER THREE PAGE 277

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12139 (b) Show via [Selection: informal demonstration, convincing argument with formal
12140 methods as feasible] that the descriptive top-level specification is consistent with the
12141 formal policy model;
12142 (c) Show via informal demonstration, that the descriptive top-level specification
12143 completely covers the interfaces to security-relevant hardware, software, and
12144 firmware;
12145 (d) Show that the descriptive top-level specification is an accurate description of the
12146 interfaces to security-relevant hardware, software, and firmware; and
12147 (e) Describe the security-relevant hardware, software, and firmware mechanisms not
12148 addressed in the descriptive top-level specification but strictly internal to the security-
12149 relevant hardware, software, and firmware.
12150 Discussion: Correspondence is an important part of the assurance gained through modeling.
12151 It demonstrates that the implementation is an accurate transformation of the model, and
12152 that any additional code or implementation details present has no impact on the behaviors
12153 or policies being modeled. Consistency between the descriptive top-level specification (i.e.,
12154 high-level/low-level design) and the formal policy model is generally not amenable to being
12155 fully proven. Therefore, a combination of formal and informal methods may be needed to
12156 show such consistency. Hardware, software, and firmware mechanisms strictly internal to
12157 security-relevant hardware, software, and firmware include mapping registers and direct
12158 memory input and output.
12159 Related Controls: AC-3, AC-4, AC-25, SA-4, SA-5.
12160 (5) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | CONCEPTUALLY SIMPLE DESIGN
12161 Require the developer of the system, system component, or system service to:
12162 (a) Design and structure the security-relevant hardware, software, and firmware to use a
12163 complete, conceptually simple protection mechanism with precisely defined
12164 semantics; and
12165 (b) Internally structure the security-relevant hardware, software, and firmware with
12166 specific regard for this mechanism.
12167 Discussion: The principle of reduced complexity states that the system design is as simple
12168 and small as possible (see SA-8(7)). A small and simple design is easier to understand and
12169 analyze, and is also less prone to error (see AC-25, SA-8(13)). The principle of reduced
12170 complexity applies to any aspect of a system, but it has particular importance for security
12171 due to the various analyses performed to obtain evidence about the emergent security
12172 property of the system. For such analyses to be successful, a small and simple design is
12173 essential. Application of the principle of reduced complexity contributes to the ability of
12174 system developers to understand the correctness and completeness of system security
12175 functions and facilitates the identification of potential vulnerabilities. The corollary of
12176 reduced complexity states that the simplicity of the system is directly related to the number
12177 of vulnerabilities it will contain—that is, simpler systems contain fewer vulnerabilities. An
12178 important benefit of reduced complexity is that it is easier to understand whether the
12179 security policy has been captured in the system design, and that fewer vulnerabilities are
12180 likely to be introduced during engineering development. An additional benefit is that any
12181 such conclusion about correctness, completeness, and existence of vulnerabilities can be
12182 reached with a higher degree of assurance in contrast to conclusions reached in situations
12183 where the system design is inherently more complex.
12184 Related Controls: AC-25, SA-8, SC-3.
12185 (6) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | STRUCTURE FOR TESTING
12186 Require the developer of the system, system component, or system service to structure
12187 security-relevant hardware, software, and firmware to facilitate testing.

CHAPTER THREE PAGE 278

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12188 Discussion: Applying the security design principles in [SP 800-160 v1] promotes complete,
12189 consistent, and comprehensive testing and evaluation of systems, system components, and
12190 services. The thoroughness of such testing contributes to the evidence produced to generate
12191 an effective assurance case or argument as to the trustworthiness of the system, system
12192 component, or service.
12193 Related Controls: SA-5, SA-11.
12194 (7) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | STRUCTURE FOR LEAST PRIVILEGE
12195 Require the developer of the system, system component, or system service to structure
12196 security-relevant hardware, software, and firmware to facilitate controlling access with
12197 least privilege.
12198 Discussion: The principle of least privilege states that each component is allocated sufficient
12199 privileges to accomplish its specified functions, but no more (see SA-8(14)). Applying the
12200 principle of least privilege limits the scope of the component’s actions, which has two
12201 desirable effects. First, the security impact of a failure, corruption, or misuse of the system
12202 component results in a minimized security impact. Second, the security analysis of the
12203 component is simplified. Least privilege is a pervasive principle that is reflected in all aspects
12204 of the secure system design. Interfaces used to invoke component capability are available to
12205 only certain subsets of the user population, and component design supports a sufficiently
12206 fine granularity of privilege decomposition. For example, in the case of an audit mechanism,
12207 there may be an interface for the audit manager, who configures the audit settings; an
12208 interface for the audit operator, who ensures that audit data is safely collected and stored;
12209 and, finally, yet another interface for the audit reviewer, who has need only to view the
12210 audit data that has been collected but no need to perform operations on that data.
12211 In addition to its manifestations at the system interface, least privilege can be used as a
12212 guiding principle for the internal structure of the system itself. One aspect of internal least
12213 privilege is to construct modules so that only the elements encapsulated by the module are
12214 directly operated upon by the functions within the module. Elements external to a module
12215 that may be affected by the module’s operation are indirectly accessed through interaction
12216 (e.g., via a function call) with the module that contains those elements. Another aspect of
12217 internal least privilege is that the scope of a given module or component includes only those
12218 system elements that are necessary for its functionality, and that the access modes to the
12219 elements (e.g., read, write) are minimal.
12220 Related Controls: AC-5, AC-6, SA-8.
12221 (8) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | ORCHESTRATION
12222 Design [Assignment: organization-defined critical systems or system components] with
12223 coordinated behavior to implement the following capabilities: [Assignment: organization-
12224 defined capabilities, by system or component].
12225 Discussion: Security resources that are distributed, located at different layers or in different
12226 system elements, or are implemented to support different aspects of trustworthiness can
12227 interact in unforeseen or incorrect ways. Adverse consequences can include cascading
12228 failures, interference, or coverage gaps. Coordination of the behavior of security resources
12229 (e.g., by ensuring that one patch is installed across all resources before making a
12230 configuration change that assumes that the patch is propagated) can avert such negative
12231 interactions.
12232 Related Controls: None.

CHAPTER THREE PAGE 279

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12233 (9) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | DESIGN DIVERSITY

12234 Use different designs for [Assignment: organization-defined critical systems or system
12235 components] to satisfy a common set of requirements or to provide equivalent
12236 functionality.
12237 Discussion: Design diversity is achieved by supplying the same requirements specification to
12238 multiple developers, each of which is responsible for developing a variant of the system or
12239 system component that meets the requirements. Variants can be in software design, in
12240 hardware design, or in both hardware and a software design. Differences in the designs of
12241 the variants can result from developer experience (e.g., prior use of a design pattern), design
12242 style (e.g., when decomposing a required function into smaller tasks, determining what
12243 constitutes a separate task, and determining how far to decompose tasks into sub-tasks),
12244 selection of libraries to incorporate into the variant, and the development environment (e.g.,
12245 different design tools make some design patterns easier to visualize). Hardware design
12246 diversity includes making different decisions about what information to keep in analog form
12247 and what to convert to digital form; transmitting the same information at different times;
12248 and introducing delays in sampling (temporal diversity). Design diversity is commonly used
12249 to support fault tolerance.
12250 Related Controls: None.
12251 References: [ISO 15408-2]; [ISO 15408-3]; [SP 800-160 v1].

12252 SA-18 TAMPER RESISTANCE AND DETECTION

12253 [Withdrawn: Moved to SR-9.]
12254 Control Enhancements:
12255 (1) TAMPER RESISTANCE AND DETECTION | MULTIPLE PHASES OF SYSTEM DEVELOPMENT LIFE CYCLE
12256 [Withdrawn: Moved to SR-9(1).]
12257 (2) TAMPER RESISTANCE AND DETECTION | INSPECTION OF SYSTEMS OR COMPONENTS
12258 [Withdrawn: Moved to SR-10.]

12259 SA-19 COMPONENT AUTHENTICITY

12260 [Withdrawn: Moved to SR-11.]
12261 Control Enhancements:
12262 (1) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING
12263 [Withdrawn: Moved to SR-11(1).]
12264 (2) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR
12265 [Withdrawn: Moved to SR-11(2).]
12266 (3) COMPONENT AUTHENTICITY | COMPONENT DISPOSAL
12267 [Withdrawn: Moved to SR-11(3).]
12268 (4) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING
12269 [Withdrawn: Moved to SR-11(4).]

12270 SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS

12271 Control: Re-implement or custom develop the following critical system components:
12272 [Assignment: organization-defined critical system components].

CHAPTER THREE PAGE 280

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12273 Discussion: Organizations determine that certain system components likely cannot be trusted
12274 due to specific threats to and vulnerabilities in those components, and for which there are no
12275 viable security controls to adequately mitigate the resulting risk. Re-implementation or custom
12276 development of such components may satisfy requirements for higher assurance and is carried
12277 out by initiating changes to system components (including hardware, software, and firmware)
12278 such that the standard attacks by adversaries are less likely to succeed. In situations where no
12279 alternative sourcing is available and organizations choose not to re-implement or custom
12280 develop critical system components, additional controls can be employed. Controls include
12281 enhanced auditing; restrictions on source code and system utility access; and protection from
12282 deletion of system and application files.
12283 Related Controls: CP-2, RA-9, SA-8.
12284 Control Enhancements: None.
12285 References: [SP 800-160 v1].

12286 SA-21 DEVELOPER SCREENING

12287 Control: Require that the developer of [Assignment: organization-defined system, system
12288 component, or system service]:
12289 a. Has appropriate access authorizations as determined by assigned [Assignment: organization-
12290 defined official government duties];
12291 b. Satisfies the following additional personnel screening criteria: [Assignment: organization-
12292 defined additional personnel screening criteria]; and
12293 c. Provides information that the access authorizations and screening criteria are satisfied.
12294 Discussion: Developer screening is directed at external developers. Internal developer screening
12295 is addressed by PS-3. Because the system, system component, or system service may be used in
12296 critical activities essential to the national or economic security interests of the United States,
12297 organizations have a strong interest in ensuring that developers are trustworthy. The degree of
12298 trust required of developers may need to be consistent with that of the individuals accessing the
12299 systems, system components, or system services once deployed. Authorization and personnel
12300 screening criteria include clearances, background checks, citizenship, and nationality. Developer
12301 trustworthiness may also include a review and analysis of company ownership and relationships
12302 the company has with entities potentially affecting the quality and reliability of the systems,
12303 components, or services being developed. Satisfying the required access authorizations and
12304 personnel screening criteria includes providing a list of all individuals who are authorized to
12305 perform development activities on the selected system, system component, or system service so
12306 that organizations can validate that the developer has satisfied the authorization and screening
12307 requirements.
12308 Related Controls: PS-2, PS-3, PS-6, PS-7, SA-4.
12309 Control Enhancements:
12310 (1) DEVELOPER SCREENING | VALIDATION OF SCREENING
12311 [Withdrawn: Incorporated into SA-21.]
12312 References: None.

CHAPTER THREE PAGE 281

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12313 SA-22 UNSUPPORTED SYSTEM COMPONENTS

12314 Control:
12315 a. Replace system components when support for the components is no longer available from
12316 the developer, vendor, or manufacturer; or
12317 b. Provide the following options for alternative sources for continued support for unsupported
12318 components [Selection (one or more): in-house support; [Assignment: organization-defined
12319 support from external providers]].
12320 Discussion: Support for system components includes software patches, firmware updates,
12321 replacement parts, and maintenance contracts. Unsupported components, for example, when
12322 vendors no longer provide critical software patches or product updates, provide an opportunity
12323 for adversaries to exploit weaknesses in the installed components. Exceptions to replacing
12324 unsupported system components include systems that provide critical mission or business
12325 capability where newer technologies are not available or where the systems are so isolated that
12326 installing replacement components is not an option.
12327 Alternative sources for support address the need to provide continued support for system
12328 components that are no longer supported by the original manufacturers, developers, or vendors
12329 when such components remain essential to organizational mission and business operations. If
12330 necessary, organizations can establish in-house support by developing customized patches for
12331 critical software components or alternatively, obtain the services of external providers who
12332 through contractual relationships, provide ongoing support for the designated unsupported
12333 components. Such contractual relationships can include Open Source Software value-added
12334 vendors.
12335 Related Controls: PL-2, SA-3.
12336 Control Enhancements:
12337 (1) UNSUPPORTED SYSTEM COMPONENTS | ALTERNATIVE SOURCES FOR CONTINUED SUPPORT
12338 [Withdrawn: Incorporated into SA-22.]
12339 References: None.

12340 SA-23 SPECIALIZATION

12341 Control: Employ [Selection (one or more): design modification, augmentation, reconfiguration]
12342 on [Assignment: organization-defined systems or system components] supporting mission
12343 essential services or functions to increase the trustworthiness in those systems or components.
12344 Discussion: It is often necessary for a system or system component that supports mission
12345 essential services or functions to be enhanced to maximize the trustworthiness of the resource.
12346 Sometimes this enhancement is done at the design level. In other instances, it is done post-
12347 design, either through modifications of the system in question or by augmenting the system with
12348 additional components. For example, supplemental authentication or non-repudiation functions
12349 may be added to the system to enhance the identity of critical resources to other resources that
12350 depend upon the organization-defined resources.
12351 Related Controls: RA-9, SA-8.
12352 Control Enhancements: None.
12353 References: [SP 800-160 v1]; [SP 800-160 v2].

CHAPTER THREE PAGE 282

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12354 3.18 SYSTEM AND COMMUNICATIONS PROTECTION

12355 Quick link to System and Communications Protection summary table

12356 SC-1 POLICY AND PROCEDURES

12357 Control:
12358 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
12359 roles]:
12360 1. [Selection (one or more): organization-level; mission/business process-level; system-
12361 level] system and communications protection policy that:
12362 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
12363 coordination among organizational entities, and compliance; and
12364 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
12365 standards, and guidelines; and
12366 2. Procedures to facilitate the implementation of the system and communications
12367 protection policy and the associated system and communications protection controls;
12368 b. Designate an [Assignment: organization-defined official] to manage the development,
12369 documentation, and dissemination of the system and communications protection policy and
12370 procedures; and
12371 c. Review and update the current system and communications protection:
12372 1. Policy [Assignment: organization-defined frequency]; and
12373 2. Procedures [Assignment: organization-defined frequency].
12374 Discussion: This control addresses policy and procedures for the controls in the SC family
12375 implemented within systems and organizations. The risk management strategy is an important
12376 factor in establishing such policies and procedures. Policies and procedures help provide security
12377 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
12378 on their development. Security and privacy program policies and procedures at the organization
12379 level are preferable, in general, and may obviate the need for system-specific policies and
12380 procedures. The policy can be included as part of the general security and privacy policy or can
12381 be represented by multiple policies reflecting the complex nature of organizations. Procedures
12382 can be established for security and privacy programs and for systems, if needed. Procedures
12383 describe how the policies or controls are implemented and can be directed at the individual or
12384 role that is the object of the procedure. Procedures can be documented in system security and
12385 privacy plans or in one or more separate documents. Restating controls does not constitute an
12386 organizational policy or procedure.
12387 Related Controls: PM-9, PS-8, SA-8, SI-12.
12388 Control Enhancements: None.
12389 References: [OMB A-130]; [SP 800-12]; [SP 800-100].

12390 SC-2 SEPARATION OF SYSTEM AND USER FUNCTIONALITY

12391 Control: Separate user functionality, including user interface services, from system management
12392 functionality.
12393 Discussion: System management functionality includes functions that are necessary to
12394 administer databases, network components, workstations, or servers. These functions typically

CHAPTER THREE PAGE 283

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12395 require privileged user access. The separation of user functions from system management
12396 functions is physical or logical. Organizations implement separation of system management
12397 functions from user functions, for example, by using different computers, instances of operating
12398 systems, central processing units, or network addresses; by employing virtualization techniques;
12399 or some combination of these or other methods. Separation of system management functions
12400 from user functions includes web administrative interfaces that employ separate authentication
12401 methods for users of any other system resources. Separation of system and user functions may
12402 include isolating administrative interfaces on different domains and with additional access
12403 controls. The separation of system and user functionality can be achieved by applying the
12404 systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-
12405 8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).
12406 Related Controls: AC-6, SA-4, SA-8, SC-3, SC-7, SC-22, SC-32, SC-39.
12407 Control Enhancements:
12408 (1) SEPARATION OF SYSTEM AND USER FUNCTIONALITY | INTERFACES FOR NON-PRIVILEGED USERS
12409 Prevent the presentation of system management functionality at interfaces to non-
12410 privileged users.
12411 Discussion: Preventing the presentation of system management functionality at interfaces
12412 to non-privileged users ensures that system administration options, including administrator
12413 privileges, are not available to the general user population. Restricting user access also
12414 prohibits the use of the grey-out option commonly used to eliminate accessibility to such
12415 information. One potential solution is to withhold system administration options until users
12416 establish sessions with administrator privileges.
12417 Related Controls: AC-3.
12418 (2) SEPARATION OF SYSTEM AND USER FUNCTIONALITY | DISASSOCIABILITY
12419 Store state information from applications and software separately.
12420 Discussion: If a system is compromised, storing applications and software separately from
12421 state information about users’ interactions with an application, may better protect
12422 individuals’ privacy.
12423 Related Controls: None.
12424 References: None.

12425 SC-3 SECURITY FUNCTION ISOLATION

12426 Control: Isolate security functions from nonsecurity functions.
12427 Discussion: Security functions are isolated from nonsecurity functions by means of an isolation
12428 boundary implemented via partitions and domains. The isolation boundary controls access to
12429 and protects the integrity of the hardware, software, and firmware that perform those security
12430 functions. Systems implement code separation in many ways, for example, through the provision
12431 of security kernels via processor rings or processor modes. For non-kernel code, security function
12432 isolation is often achieved through file system protections that protect the code on disk and
12433 address space protections that protect executing code. Systems can restrict access to security
12434 functions using access control mechanisms and by implementing least privilege capabilities.
12435 While the ideal is for all code within the defined security function isolation boundary to only
12436 contain security-relevant code, it is sometimes necessary to include nonsecurity functions within
12437 the isolation boundary as an exception. The isolation of security functions from nonsecurity
12438 functions can be achieved by applying the systems security engineering design principles in SA-8
12439 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).

CHAPTER THREE PAGE 284

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12440 Related Controls: AC-3, AC-6, AC-25, CM-2, CM-4, SA-4, SA-5, SA-8, SA-15, SA-17, SC-2, SC-7, SC-
12441 32, SC-39, SI-16.
12442 Control Enhancements:
12443 (1) SECURITY FUNCTION ISOLATION | HARDWARE SEPARATION
12444 Employ hardware separation mechanisms to implement security function isolation.
12445 Discussion: Hardware separation mechanisms include hardware ring architectures that are
12446 implemented within microprocessors, and hardware-enforced address segmentation used to
12447 support logically distinct storage objects with separate attributes (i.e., readable, writeable).
12448 Related Controls: None.
12449 (2) SECURITY FUNCTION ISOLATION | ACCESS AND FLOW CONTROL FUNCTIONS
12450 Isolate security functions enforcing access and information flow control from nonsecurity
12451 functions and from other security functions.
12452 Discussion: Security function isolation occurs because of implementation. The functions can
12453 still be scanned and monitored. Security functions that are potentially isolated from access
12454 and flow control enforcement functions include auditing, intrusion detection, and malicious
12455 code protection functions.
12456 Related Controls: None.
12457 (3) SECURITY FUNCTION ISOLATION | MINIMIZE NONSECURITY FUNCTIONALITY
12458 Minimize the number of nonsecurity functions included within the isolation boundary
12459 containing security functions.
12460 Discussion: Where it is not feasible to achieve strict isolation of nonsecurity functions from
12461 security functions, it is necessary to take actions to minimize nonsecurity-relevant functions
12462 within the security function boundary. Nonsecurity functions contained within the isolation
12463 boundary are considered security-relevant because errors or malicious code in the software,
12464 can directly impact the security functions of systems. The fundamental design objective is
12465 that the specific portions of systems providing information security are of minimal size and
12466 complexity. Minimizing the number of nonsecurity functions in the security-relevant system
12467 components allows designers and implementers to focus only on those functions which are
12468 necessary to provide the desired security capability (typically access enforcement). By
12469 minimizing the nonsecurity functions within the isolation boundaries, the amount of code
12470 that is trusted to enforce security policies is significantly reduced, thus contributing to
12471 understandability.
12472 Related Controls: None.
12473 (4) SECURITY FUNCTION ISOLATION | MODULE COUPLING AND COHESIVENESS
12474 Implement security functions as largely independent modules that maximize internal
12475 cohesiveness within modules and minimize coupling between modules.
12476 Discussion: The reduction in inter-module interactions helps to constrain security functions
12477 and manage complexity. The concepts of coupling and cohesion are important with respect
12478 to modularity in software design. Coupling refers to the dependencies that one module has
12479 on other modules. Cohesion refers to the relationship between functions within a module.
12480 Best practices in software engineering and systems security engineering rely on layering,
12481 minimization, and modular decomposition to reduce and manage complexity. This produces
12482 software modules that are highly cohesive and loosely coupled.
12483 Related Controls: None.

CHAPTER THREE PAGE 285

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12484 (5) SECURITY FUNCTION ISOLATION | LAYERED STRUCTURES

12485 Implement security functions as a layered structure minimizing interactions between
12486 layers of the design and avoiding any dependence by lower layers on the functionality or
12487 correctness of higher layers.
12488 Discussion: The implementation of layered structures with minimized interactions among
12489 security functions and non-looping layers (i.e., lower-layer functions do not depend on
12490 higher-layer functions) further enables the isolation of security functions and management
12491 of complexity.
12492 Related Controls: None.
12493 References: None.

12494 SC-4 INFORMATION IN SHARED SYSTEM RESOURCES

12495 Control: Prevent unauthorized and unintended information transfer via shared system
12496 resources.
12497 Discussion: Preventing unauthorized and unintended information transfer via shared system
12498 resources stops information produced by the actions of prior users or roles (or the actions of
12499 processes acting on behalf of prior users or roles) from being available to current users or roles
12500 (or current processes acting on behalf of current users or roles) that obtain access to shared
12501 system resources after those resources have been released back to the system. This control also
12502 applies to encrypted representations of information. In other contexts, control of information in
12503 shared system resources is referred to as object reuse and residual information protection. This
12504 control does not address information remanence, which refers to the residual representation of
12505 data that has been nominally deleted; covert channels (including storage and timing channels),
12506 where shared system resources are manipulated to violate information flow restrictions; or
12507 components within systems for which there are only single users or roles.
12508 Related Controls: AC-3, AC-4, SA-8.
12509 Control Enhancements:
12510 (1) INFORMATION IN SHARED SYSTEM RESOURCES | SECURITY LEVELS
12511 [Withdrawn: Incorporated into SC-4.]
12512 (2) INFORMATION IN SHARED SYSTEM RESOURCES | MULTILEVEL OR PERIODS PROCESSING
12513 Prevent unauthorized information transfer via shared resources in accordance with
12514 [Assignment: organization-defined procedures] when system processing explicitly switches
12515 between different information classification levels or security categories.
12516 Discussion: Changes in processing levels during system operations can occur, for example,
12517 during multilevel or periods processing with information at different classification levels or
12518 security categories. It can also occur during serial reuse of hardware components at different
12519 classification levels. Organization-defined procedures can include the approved sanitization
12520 processes for electronically stored information.
12521 Related Controls: None.
12522 References: None.

12523 SC-5 DENIAL OF SERVICE PROTECTION

12524 Control:
12525 a. [Selection: protect against; limit] the effects of the following types of denial of service
12526 events: [Assignment: organization-defined types of denial of service events]; and

CHAPTER THREE PAGE 286

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12527 b. Employ the following controls to achieve the denial of service objective: [Assignment:
12528 organization-defined controls by type of denial of service event].
12529 Discussion: Denial of service events may occur due to a variety of internal and external causes
12530 such as an attack by an adversary or a lack of planning to support organizational needs with
12531 respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols
12532 (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and
12533 effects of denial of service events. For example, boundary protection devices can filter certain
12534 types of packets to protect system components on internal networks from being directly affected
12535 by, or the source of, denial of service attacks. Employing increased network capacity and
12536 bandwidth combined with service redundancy also reduces the susceptibility to denial of service
12537 events.
12538 Related Controls: CP-2, IR-4, SC-6, SC-7, SC-40.
12539 Control Enhancements:
12540 (1) DENIAL OF SERVICE PROTECTION | RESTRICT ABILITY TO ATTACK OTHER SYSTEMS
12541 Restrict the ability of individuals to launch the following denial-of-service attacks against
12542 other systems: [Assignment: organization-defined denial of service attacks].
12543 Discussion: Restricting the ability of individuals to launch denial of service attacks requires
12544 the mechanisms commonly used for such attacks are unavailable. Individuals of concern
12545 include hostile insiders or external adversaries that have breached or compromised the
12546 system and are using the system to launch a denial of service attack. Organizations can
12547 restrict the ability of individuals to connect and transmit arbitrary information on the
12548 transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol
12549 packets). Organizations can also limit the ability of individuals to use excessive system
12550 resources. Protection against individuals having the ability to launch denial of service attacks
12551 may be implemented on specific systems or on boundary devices prohibiting egress to
12552 potential target systems.
12553 Related Controls: None.
12554 (2) DENIAL OF SERVICE PROTECTION | CAPACITY, BANDWIDTH, AND REDUNDANCY
12555 Manage capacity, bandwidth, or other redundancy to limit the effects of information
12556 flooding denial of service attacks.
12557 Discussion: Managing capacity ensures that sufficient capacity is available to counter
12558 flooding attacks. Managing capacity includes establishing selected usage priorities, quotas,
12559 partitioning, or load balancing.
12560 Related Controls: None.
12561 (3) DENIAL OF SERVICE PROTECTION | DETECTION AND MONITORING
12562 (a) Employ the following monitoring tools to detect indicators of denial of service attacks
12563 against, or launched from, the system: [Assignment: organization-defined monitoring
12564 tools]; and
12565 (b) Monitor the following system resources to determine if sufficient resources exist to
12566 prevent effective denial of service attacks: [Assignment: organization-defined system
12567 resources].
12568 Discussion: Organizations consider utilization and capacity of system resources when
12569 managing risk from denial of service due to malicious attacks. Denial of service attacks can
12570 originate from external or internal sources. System resources sensitive to denial of service
12571 include physical disk storage, memory, and CPU cycles. Controls used to prevent denial of
12572 service attacks related to storage utilization and capacity include instituting disk quotas;
12573 configuring systems to automatically alert administrators when specific storage capacity

CHAPTER THREE PAGE 287

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12574 thresholds are reached; using file compression technologies to maximize available storage
12575 space; and imposing separate partitions for system and user data.
12576 Related Controls: CA-7, SI-4.
12577 References: [SP 800-189].

12578 SC-6 RESOURCE AVAILABILITY

12579 Control: Protect the availability of resources by allocating [Assignment: organization-defined
12580 resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined
12581 controls]].
12582 Discussion: Priority protection prevents lower-priority processes from delaying or interfering
12583 with the system servicing higher-priority processes. Quotas prevent users or processes from
12584 obtaining more than predetermined amounts of resources. This control does not apply to system
12585 components for which there are only single users or roles.
12586 Related Controls: SC-5.
12587 Control Enhancements: None.
12588 References: [OMB M-08-05]; [DHS TIC].

12589 SC-7 BOUNDARY PROTECTION

12590 Control:
12591 a. Monitor and control communications at the external interfaces to the system and at key
12592 internal interfaces within the system;
12593 b. Implement subnetworks for publicly accessible system components that are [Selection:
12594 physically; logically] separated from internal organizational networks; and
12595 c. Connect to external networks or systems only through managed interfaces consisting of
12596 boundary protection devices arranged in accordance with an organizational security and
12597 privacy architecture.
12598 Discussion: Managed interfaces include gateways, routers, firewalls, guards, network-based
12599 malicious code analysis and virtualization systems, or encrypted tunnels implemented within a
12600 security architecture. Subnetworks that are physically or logically separated from internal
12601 networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces
12602 within organizational systems includes restricting external web traffic to designated web servers
12603 within managed interfaces, prohibiting external traffic that appears to be spoofing internal
12604 addresses, and prohibiting internal traffic that appears to be spoofing external addresses.
12605 Commercial telecommunications services are provided by network components and consolidated
12606 management systems shared by customers. These services may also include third party-provided
12607 access lines and other service elements. Such services may represent sources of increased risk
12608 despite contract security provisions.
12609 Related Controls: AC-4, AC-17, AC-18, AC-19, AC-20, AU-13, CA-3, CM-2, CM-4, CM-7, CM-10, CP-
12610 8, CP-10, IR-4, MA-4, PE-3, PM-12, SA-8, SC-5, SC-32, SC-43.
12611 Control Enhancements:
12612 (1) BOUNDARY PROTECTION | PHYSICALLY SEPARATED SUBNETWORKS
12613 [Withdrawn: Incorporated into SC-7.]
12614 (2) BOUNDARY PROTECTION | PUBLIC ACCESS
12615 [Withdrawn: Incorporated into SC-7.]

CHAPTER THREE PAGE 288

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12616 (3) BOUNDARY PROTECTION | ACCESS POINTS

12617 Limit the number of external network connections to the system.
12618 Discussion: Limiting the number of external network connections facilitates monitoring of
12619 inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC]
12620 initiative is an example of a federal guideline requiring limits on the number of external
12621 network connections. Limiting the number of external network connections to the system is
12622 important during transition periods from older to newer technologies (e.g., transitioning
12623 from IPv4 to IPv6 network protocols). Such transitions may require implementing the older
12624 and newer technologies simultaneously during the transition period and thus increase the
12625 number of access points to the system.
12626 Related Controls: None.
12627 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES
12628 (a) Implement a managed interface for each external telecommunication service;
12629 (b) Establish a traffic flow policy for each managed interface;
12630 (c) Protect the confidentiality and integrity of the information being transmitted across
12631 each interface;
12632 (d) Document each exception to the traffic flow policy with a supporting mission or
12633 business need and duration of that need;
12634 (e) Review exceptions to the traffic flow policy [Assignment: organization-defined
12635 frequency] and remove exceptions that are no longer supported by an explicit mission
12636 or business need;
12637 (f) Prevent unauthorized exchange of control plane traffic with external networks;
12638 (g) Publish information to enable remote networks to detect unauthorized control plane
12639 traffic from internal networks; and
12640 (h) Filter unauthorized control plane traffic from external networks.
12641 Discussion: External commercial telecommunications services may provide data or voice
12642 communications services. Examples of control plane traffic include routing, domain name
12643 system (DNS), and management. Unauthorized control plane traffic can occur for example,
12644 through a technique known as “spoofing.”
12645 Related Controls: AC-3, SC-8.
12646 (5) BOUNDARY PROTECTION | DENY BY DEFAULT — ALLOW BY EXCEPTION
12647 Deny network communications traffic by default and allow network communications
12648 traffic by exception [Selection (one or more); at managed interfaces; for [Assignment:
12649 organization-defined systems]].
12650 Discussion: Denying by default and allowing by exception applies to inbound and outbound
12651 network communications traffic. A deny-all, permit-by-exception network communications
12652 traffic policy ensures that only those system connections that are essential and approved are
12653 allowed. Deny by default, allow by exception also applies to a system that is connected to an
12654 external system.
12655 Related Controls: None.
12656 (6) BOUNDARY PROTECTION | RESPONSE TO RECOGNIZED FAILURES
12657 [Withdrawn: Incorporated into SC-7(18).]
12658 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
12659 Prevent a remote device from simultaneously establishing non-remote connections with
12660 the system and communicating via some other connection to resources in external
12661 networks.

CHAPTER THREE PAGE 289

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12662 Discussion: Prevention of split tunneling is implemented in remote devices through

12663 configuration settings to disable split tunneling in those devices, and by preventing those
12664 configuration settings from being configurable by users. Prevention of split tunneling is
12665 implemented within the system by the detection of split tunneling (or of configuration
12666 settings that allow split tunneling) in the remote device, and by prohibiting the connection if
12667 the remote device is using split tunneling. Split tunneling might be desirable by remote users
12668 to communicate with local system resources such as printers or file servers. However, split
12669 tunneling can facilitate unauthorized external connections, making the system vulnerable to
12670 attack and to exfiltration of organizational information.
12671 Related Controls: None.
12672 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
12673 Route [Assignment: organization-defined internal communications traffic] to [Assignment:
12674 organization-defined external networks] through authenticated proxy servers at managed
12675 interfaces.
12676 Discussion: External networks are networks outside of organizational control. A proxy server
12677 is a server (i.e., system or application) that acts as an intermediary for clients requesting
12678 system resources from non-organizational or other organizational servers. System resources
12679 that may be requested include files, connections, web pages, or services. Client requests
12680 established through a connection to a proxy server are assessed to manage complexity and
12681 to provide additional protection by limiting direct connectivity. Web content filtering devices
12682 are one of the most common proxy servers providing access to the Internet. Proxy servers
12683 can support logging of Transmission Control Protocol sessions and blocking specific Uniform
12684 Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be
12685 configured with organization-defined lists of authorized and unauthorized websites. Note
12686 that proxy servers may inhibit the use of virtual private networks (VPNs) and create the
12687 potential for “man-in-the-middle” attacks (depending on the implementation).
12688 Related Controls: AC-3.
12689 (9) BOUNDARY PROTECTION | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
12690 (a) Detect and deny outgoing communications traffic posing a threat to external systems;
12691 and
12692 (b) Audit the identity of internal users associated with denied communications.
12693 Discussion: Detecting outgoing communications traffic from internal actions that may pose
12694 threats to external systems is known as extrusion detection. Extrusion detection is carried
12695 out at system boundaries as part of managed interfaces. Extrusion detection includes the
12696 analysis of incoming and outgoing communications traffic while searching for indications of
12697 internal threats to the security of external systems. Internal threats to external systems
12698 include traffic indicative of denial of service attacks, traffic with spoofed source addresses,
12699 and traffic containing malicious code.
12700 Related Controls: AU-2, AU-6, SC-5, SC-38, SC-44, SI-3, SI-4.
12701 (10) BOUNDARY PROTECTION | PREVENT EXFILTRATION
12702 (a) Prevent the exfiltration of information; and
12703 (b) Conduct exfiltration tests [Assignment: organization-defined frequency].
12704 Discussion: This control applies to intentional and unintentional exfiltration of information.
12705 Controls to prevent exfiltration of information from systems may be implemented at internal
12706 endpoints, external boundaries, and across managed interfaces and include adherence to
12707 protocol formats; monitoring for beaconing activity from systems; disconnecting external
12708 network interfaces except when explicitly needed; employing traffic profile analysis to
12709 detect deviations from the volume and types of traffic expected or call backs to command

CHAPTER THREE PAGE 290

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12710 and control centers; monitoring for steganography; disassembling and reassembling packet
12711 headers; and employing data loss and data leakage prevention tools. Devices that enforce
12712 strict adherence to protocol formats include deep packet inspection firewalls and XML
12713 gateways. The devices verify adherence to protocol formats and specifications at the
12714 application layer and identify vulnerabilities that cannot be detected by devices operating at
12715 the network or transport layers. Prevention of exfiltration is similar to data loss prevention
12716 or data leakage prevention and is closely associated with cross-domain solutions and system
12717 guards enforcing information flow requirements.
12718 Related Controls: AC-2, SI-3.
12719 (11) BOUNDARY PROTECTION | RESTRICT INCOMING COMMUNICATIONS TRAFFIC
12720 Only allow incoming communications from [Assignment: organization-defined authorized
12721 sources] to be routed to [Assignment: organization-defined authorized destinations].
12722 Discussion: General source address validation techniques should be applied to restrict the
12723 use of illegal and unallocated source addresses and source addresses that should only be
12724 used inside the system boundary. Restriction of incoming communications traffic provides
12725 determinations that source and destination address pairs represent authorized or allowed
12726 communications. Determinations can be based on several factors, including the presence of
12727 such address pairs in the lists of authorized or allowed communications; the absence of such
12728 address pairs in lists of unauthorized or disallowed pairs; or meeting more general rules for
12729 authorized or allowed source and destination pairs. Strong authentication of network
12730 addresses is not possible without the use of explicit security protocols and thus, addresses
12731 can often be spoofed. Further, identity-based incoming traffic restriction methods can be
12732 employed, including router access control lists and firewall rules.
12733 Related Controls: AC-3.
12734 (12) BOUNDARY PROTECTION | HOST-BASED PROTECTION
12735 Implement [Assignment: organization-defined host-based boundary protection
12736 mechanisms] at [Assignment: organization-defined system components].
12737 Discussion: Host-based boundary protection mechanisms include host-based firewalls.
12738 System components employing host-based boundary protection mechanisms include
12739 servers, workstations, notebook computers, and mobile devices.
12740 Related Controls: None.
12741 (13) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS, MECHANISMS, AND SUPPORT
12742 COMPONENTS
12743 Isolate [Assignment: organization-defined information security tools, mechanisms, and
12744 support components] from other internal system components by implementing physically
12745 separate subnetworks with managed interfaces to other components of the system.
12746 Discussion: Physically separate subnetworks with managed interfaces are useful, for
12747 example, in isolating computer network defenses from critical operational processing
12748 networks to prevent adversaries from discovering the analysis and forensics techniques
12749 employed by organizations.
12750 Related Controls: SC-2, SC-3.
12751 (14) BOUNDARY PROTECTION | PROTECT AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
12752 Protect against unauthorized physical connections at [Assignment: organization-defined
12753 managed interfaces].
12754 Discussion: Systems operating at different security categories or classification levels may
12755 share common physical and environmental controls, since the systems may share space
12756 within the same facilities. In practice, it is possible that these separate systems may share

CHAPTER THREE PAGE 291

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12757 common equipment rooms, wiring closets, and cable distribution paths. Protection against
12758 unauthorized physical connections can be achieved, for example, by using clearly identified
12759 and physically separated cable trays, connection frames, and patch panels for each side of
12760 managed interfaces with physical access controls enforcing limited authorized access to
12761 these items.
12762 Related Controls: PE-4, PE-19.
12763 (15) BOUNDARY PROTECTION | NETWORKED PRIVILEGED ACCESSES
12764 Route networked, privileged accesses through a dedicated, managed interface for
12765 purposes of access control and auditing.
12766 Discussion: Privileged access provides greater accessibility to system functions, including
12767 security functions. Adversaries typically attempt to gain privileged access to systems through
12768 remote access to cause adverse mission or business impact, for example, by exfiltrating
12769 sensitive information or bringing down a critical system capability. Routing networked,
12770 privileged access requests through a dedicated, managed interface can facilitate strong
12771 access controls (including strong authentication) and a comprehensive auditing capability.
12772 Related Controls: AC-2, AC-3, AU-2, SI-4.
12773 (16) BOUNDARY PROTECTION | PREVENT DISCOVERY OF COMPONENTS AND DEVICES
12774 Prevent the discovery of specific system components that represent a managed interface.
12775 Discussion: This control enhancement protects network addresses of system components
12776 that are part of managed interfaces from discovery through common tools and techniques
12777 used to identify devices on networks. Network addresses are not available for discovery,
12778 requiring prior knowledge for access. Preventing discovery of components and devices can
12779 be accomplished by not publishing network addresses, using network address translation, or
12780 not entering the addresses in domain name systems. Another prevention technique is to
12781 periodically change network addresses.
12782 Related Controls: None.
12783 (17) BOUNDARY PROTECTION | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
12784 Enforce adherence to protocol formats.
12785 Discussion: System components that enforce protocol formats include deep packet
12786 inspection firewalls and XML gateways. The components verify adherence to protocol
12787 formats and specifications at the application layer and identify vulnerabilities that cannot be
12788 detected by devices operating at the network or transport layers.
12789 Related Controls: SC-4.
12790 (18) BOUNDARY PROTECTION | FAIL SECURE
12791 Prevent systems from entering unsecure states in the event of an operational failure of a
12792 boundary protection device.
12793 Discussion: Fail secure is a condition achieved by employing mechanisms to ensure that in
12794 the event of operational failures of boundary protection devices at managed interfaces,
12795 systems do not enter into unsecure states where intended security properties no longer
12796 hold. Managed interfaces include routers, firewalls, and application gateways residing on
12797 protected subnetworks commonly referred to as demilitarized zones. Failures of boundary
12798 protection devices cannot lead to, or cause information external to the devices to enter the
12799 devices, nor can failures permit unauthorized information releases.
12800 Related Controls: CP-2, CP-12, SC-24.

CHAPTER THREE PAGE 292

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12801 (19) BOUNDARY PROTECTION | BLOCK COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED

12802 HOSTS
12803 Block inbound and outbound communications traffic between [Assignment: organization-
12804 defined communication clients] that are independently configured by end users and
12805 external service providers.
12806 Discussion: Communication clients independently configured by end users and external
12807 service providers include instant messaging clients. Traffic blocking does not apply to
12808 communication clients that are configured by organizations to perform authorized functions.
12809 Related Controls: None.
12810 (20) BOUNDARY PROTECTION | DYNAMIC ISOLATION AND SEGREGATION
12811 Provide the capability to dynamically isolate [Assignment: organization-defined system
12812 components] from other system components.
12813 Discussion: The capability to dynamically isolate certain internal system components is
12814 useful when it is necessary to partition or separate system components of questionable
12815 origin from those components possessing greater trustworthiness. Component isolation
12816 reduces the attack surface of organizational systems. Isolating selected system components
12817 can also limit the damage from successful attacks when such attacks occur.
12818 Related Controls: None.
12819 (21) BOUNDARY PROTECTION | ISOLATION OF SYSTEM COMPONENTS
12820 Employ boundary protection mechanisms to isolate [Assignment: organization-defined
12821 system components] supporting [Assignment: organization-defined missions and/or
12822 business functions].
12823 Discussion: Organizations can isolate system components performing different missions or
12824 business functions. Such isolation limits unauthorized information flows among system
12825 components and provides the opportunity to deploy greater levels of protection for selected
12826 system components. Isolating system components with boundary protection mechanisms
12827 provides the capability for increased protection of individual system components and to
12828 more effectively control information flows between those components. Isolating system
12829 components provides enhanced protection that limits the potential harm from hostile cyber-
12830 attacks and errors. The degree of isolation varies depending upon the mechanisms chosen.
12831 Boundary protection mechanisms include routers, gateways, and firewalls separating system
12832 components into physically separate networks or subnetworks; virtualization techniques;
12833 cross-domain devices separating subnetworks; and encrypting information flows among
12834 system components using distinct encryption keys.
12835 Related Controls: CA-9, SC-3.
12836 (22) BOUNDARY PROTECTION | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
12837 Implement separate network addresses to connect to systems in different security
12838 domains.
12839 Discussion: The decomposition of systems into subnetworks (i.e., subnets) helps to provide
12840 the appropriate level of protection for network connections to different security domains
12841 containing information with different security categories or classification levels.
12842 Related Controls: None.
12843 (23) BOUNDARY PROTECTION | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE
12844 Disable feedback to senders on protocol format validation failure.
12845 Discussion: Disabling feedback to senders when there is a failure in protocol validation
12846 format prevents adversaries from obtaining information that would otherwise be
12847 unavailable.

CHAPTER THREE PAGE 293

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12848 Related Controls: None.

12849 (24) BOUNDARY PROTECTION | PERSONALLY IDENTIFIABLE INFORMATION
12850 For systems that process personally identifiable information:
12851 (a) Apply the following processing rules to data elements of personally identifiable
12852 information: [Assignment: organization-defined processing rules];
12853 (b) Monitor for permitted processing at the external interfaces to the system and at key
12854 internal boundaries within the system;
12855 (c) Document each processing exception; and
12856 (d) Review and remove exceptions that are no longer supported.
12857 Discussion: Managing the processing of personally identifiable information is an important
12858 aspect of protecting an individual’s privacy. Applying, monitoring for and documenting
12859 exceptions to processing rules ensures that personally identifiable information is processed
12860 only in accordance with established privacy requirements.
12861 Related Controls: PT-2, SI-15.
12862 (25) BOUNDARY PROTECTION | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
12863 Prohibit the direct connection of [Assignment: organization-defined unclassified, national
12864 security system] to an external network without the use of [Assignment: organization-
12865 defined boundary protection device].
12866 Discussion: A direct connection is a dedicated physical or virtual connection between two or
12867 more systems. Organizations typically do not have complete control over external networks,
12868 including the Internet. Boundary protection devices, including firewalls, gateways, and
12869 routers mediate communications and information flows between unclassified national
12870 security systems and external networks.
12871 Related Controls: None.
12872 (26) BOUNDARY PROTECTION | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
12873 Prohibit the direct connection of a classified, national security system to an external
12874 network without the use of [Assignment: organization-defined boundary protection
12875 device].
12876 Discussion: A direct connection is a dedicated physical or virtual connection between two or
12877 more systems. Organizations typically do not have complete control over external networks,
12878 including the Internet. Boundary protection devices, including firewalls, gateways, and
12879 routers mediate communications and information flows between classified national security
12880 systems and external networks. In addition, approved boundary protection devices (typically
12881 managed interface or cross-domain systems) provide information flow enforcement from
12882 systems to external networks.
12883 Related Controls: None.
12884 (27) BOUNDARY PROTECTION | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
12885 Prohibit the direct connection of [Assignment: organization-defined unclassified, non-
12886 national security system] to an external network without the use of [Assignment:
12887 organization-defined boundary protection device].
12888 Discussion: A direct connection is a dedicated physical or virtual connection between two or
12889 more systems. Organizations typically do not have complete control over external networks,
12890 including the Internet. Boundary protection devices, including firewalls, gateways, and
12891 routers mediate communications and information flows between unclassified non-national
12892 security systems and external networks.
12893 Related Controls: None.

CHAPTER THREE PAGE 294

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12894 (28) BOUNDARY PROTECTION | CONNECTIONS TO PUBLIC NETWORKS

12895 Prohibit the direct connection of [Assignment: organization-defined system] to a public
12896 network.
12897 Discussion: A direct connection is a dedicated physical or virtual connection between two or
12898 more systems. A public network is a network accessible to the public, including the Internet
12899 and organizational extranets with public access.
12900 Related Controls: None.
12901 (29) BOUNDARY PROTECTION | SEPARATE SUBNETS TO ISOLATE FUNCTIONS
12902 Implement [Selection: physically; logically] separate subnetworks to isolate the following
12903 critical system components and functions: [Assignment: organization-defined critical
12904 system components and functions].
12905 Discussion: Separating critical system components and functions from other noncritical
12906 system components and functions through separate subnetworks may be necessary to
12907 reduce the susceptibility to a catastrophic or debilitating breach or compromise resulting in
12908 system failure. For example, physically separating the command and control function from
12909 the entertainment function through separate subnetworks in a commercial aircraft provides
12910 an increased level of assurance in the trustworthiness of critical system functions.
12911 Related Controls: None.
12912 References: [OMB A-130]; [FIPS 199]; [SP 800-37]; [SP 800-41]; [SP 800-77]; [SP 800-189].

12913 SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

12914 Control: Protect the [Selection (one or more): confidentiality; integrity] of transmitted
12915 information.
12916 Discussion: Protecting the confidentiality and integrity of transmitted information applies to
12917 internal and external networks, and any system components that can transmit information,
12918 including servers, notebook computers, desktop computers, mobile devices, printers, copiers,
12919 scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the
12920 possibility of interception and modification. Protecting the confidentiality and integrity of
12921 information can be accomplished by physical means or by logical means. Physical protection can
12922 be achieved by using protected distribution systems. A protected distribution system is a term
12923 for wireline or fiber-optics telecommunication system that includes terminals and adequate
12924 acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted
12925 transmission of classified information. Logical protection can be achieved by employing
12926 encryption techniques.
12927 Organizations relying on commercial providers offering transmission services as commodity
12928 services rather than as fully dedicated services, may find it difficult to obtain the necessary
12929 assurances regarding the implementation of needed controls for transmission confidentiality and
12930 integrity. In such situations, organizations determine what types of confidentiality or integrity
12931 services are available in standard, commercial telecommunication service packages. If it is not
12932 feasible to obtain the necessary controls and assurances of control effectiveness through
12933 appropriate contracting vehicles, organizations can implement appropriate compensating
12934 controls.
12935 Related Controls: AC-17, AC-18, AU-10, IA-3, IA-8, IA-9, MA-4, PE-4, SA-4, SA-8, SC-7, SC-16, SC-
12936 20, SC-23, SC-28.

CHAPTER THREE PAGE 295

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12937 Control Enhancements:

12938 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION
12939 Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized
12940 disclosure of information; detect changes to information] during transmission.
12941 Discussion: Encryption protects information from unauthorized disclosure and modification
12942 during transmission. Cryptographic mechanisms that protect the confidentiality and integrity
12943 of information during transmission include TLS and IPSec. Cryptographic mechanisms used to
12944 protect information integrity include cryptographic hash functions that have application in
12945 digital signatures, checksums, and message authentication codes. SC-13 is used to specify
12946 the specific protocols, algorithms, and algorithm parameters to be implemented on each
12947 transmission path.
12948 Related Controls: SC-13.
12949 (2) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PRE- AND POST-TRANSMISSION HANDLING
12950 Maintain the [Selection (one or more): confidentiality; integrity] of information during
12951 preparation for transmission and during reception.
12952 Discussion: Information can be either unintentionally or maliciously disclosed or modified
12953 during preparation for transmission or during reception, including during aggregation, at
12954 protocol transformation points, and during packing and unpacking. Such unauthorized
12955 disclosures or modifications compromise the confidentiality or integrity of the information.
12956 Related Controls: None.
12957 (3) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION FOR MESSAGE
12958 EXTERNALS
12959 Implement cryptographic mechanisms to protect message externals unless otherwise
12960 protected by [Assignment: organization-defined alternative physical controls].
12961 Discussion: Cryptographic protection for message externals addresses protection from
12962 unauthorized disclosure of information. Message externals include message headers and
12963 routing information. Cryptographic protection prevents the exploitation of message
12964 externals and applies to internal and external networks or links that may be visible to
12965 individuals who are not authorized users. Header and routing information is sometimes
12966 transmitted in clear text (i.e., unencrypted) because the information is not identified by
12967 organizations as having significant value or because encrypting the information can result in
12968 lower network performance or higher costs. Alternative physical controls include protected
12969 distribution systems.
12970 Related Controls: SC-12, SC-13.
12971 (4) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CONCEAL OR RANDOMIZE COMMUNICATIONS
12972 Implement cryptographic mechanisms to conceal or randomize communication patterns
12973 unless otherwise protected by [Assignment: organization-defined alternative physical
12974 controls].
12975 Discussion: Concealing or randomizing communication patterns addresses protection from
12976 unauthorized disclosure of information. Communication patterns include frequency, periods,
12977 predictability, and amount. Changes to communications patterns can reveal information
12978 having intelligence value especially when combined with other available information related
12979 to the missions and business functions of the organization. This control enhancement
12980 prevents the derivation of intelligence based on communications patterns and applies to
12981 both internal and external networks or links that may be visible to individuals who are not
12982 authorized users. Encrypting the links and transmitting in continuous, fixed or random

CHAPTER THREE PAGE 296

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

12983 patterns prevents the derivation of intelligence from the system communications patterns.
12984 Alternative physical controls include protected distribution systems.
12985 Related Controls: SC-12, SC-13.
12986 (5) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PROTECTED DISTRIBUTION SYSTEM
12987 Implement [Assignment: organization-defined protected distribution system] to [Selection
12988 (one or more): prevent unauthorized disclosure of information; detect changes to
12989 information] during transmission.
12990 Discussion: The purpose of a protected distribution system is to deter, detect and/or make
12991 difficult physical access to the communication lines carrying national security information.
12992 Related Controls: None.
12993 References: [FIPS 140-3]; [FIPS 197]; [SP 800-52]; [SP 800-77]; [SP 800-81-2]; [SP 800-113]; [SP
12994 800-177]; [IR 8023].

12995 SC-9 TRANSMISSION CONFIDENTIALITY

12996 [Withdrawn: Incorporated into SC-8.]

12997 SC-10 NETWORK DISCONNECT

12998 Control: Terminate the network connection associated with a communications session at the
12999 end of the session or after [Assignment: organization-defined time-period] of inactivity.
13000 Discussion: Network disconnect applies to internal and external networks. Terminating network
13001 connections associated with specific communications sessions includes de-allocating TCP/IP
13002 address or port pairs at the operating system level and de-allocating the networking assignments
13003 at the application level if multiple application sessions are using a single operating system-level
13004 network connection. Periods of inactivity may be established by organizations and include time-
13005 periods by type of network access or for specific network accesses.
13006 Related Controls: AC-17, SC-23.
13007 Control Enhancements: None.
13008 References: None.

13009 SC-11 TRUSTED PATH

13010 Control:
13011 a. Provide a [Selection: physically; logically] isolated trusted communications path for
13012 communications between the user and the trusted components of the system; and
13013 b. Permit users to invoke the trusted communications path for communications between the
13014 user and the following security functions of the system, including at a minimum,
13015 authentication and re-authentication: [Assignment: organization-defined security functions].
13016 Discussion: Trusted paths are mechanisms by which users (through input devices) can
13017 communicate directly with security functions of systems with the requisite assurance to support
13018 security policies. These mechanisms can be activated only by users or the security functions of
13019 organizational systems. User responses via trusted paths are protected from modifications by or
13020 disclosure to untrusted applications. Organizations employ trusted paths for trustworthy, high-
13021 assurance connections between security functions of systems and users, including during system
13022 logons. The original implementations of trusted path employed an out-of-band signal to initiate
13023 the path, for example using the <BREAK> key, which does not transmit characters that can be
13024 spoofed. In later implementations, a key combination that could not be hijacked was used, for

CHAPTER THREE PAGE 297

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13025 example, the <CTRL> + <ALT> + <DEL> keys. Note, however, that any such key combinations are
13026 platform-specific and may not provide a trusted path implementation in every case. Enforcement
13027 of trusted communications paths is typically provided by a specific implementation that meets
13028 the reference monitor concept.
13029 Related Controls: AC-16, AC-25, SC-12, SC-23.
13030 Control Enhancements:
13031 (1) TRUSTED PATH | IRREFUTABLE COMMUNICATIONS PATH
13032 (a) Provide a trusted communications path that is irrefutably distinguishable from other
13033 communications paths; and
13034 (b) Initiate the trusted communications path for communications between the
13035 [Assignment: organization-defined security functions] of the system and the user.
13036 Discussion: An irrefutable communications path permits the system to initiate a trusted path
13037 which necessitates that the user can unmistakably recognize the source of the communication as
13038 a trusted system component. For example, the trusted path may appear in an area of the display
13039 that other applications cannot access or be based on the presence of an identifier that cannot be
13040 spoofed.
13041 Related Controls: None.
13042 References: [OMB A-130].

13043 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

13044 Control: Establish and manage cryptographic keys when cryptography is employed within the
13045 system in accordance with the following key management requirements: [Assignment:
13046 organization-defined requirements for key generation, distribution, storage, access, and
13047 destruction].
13048 Discussion: Cryptographic key management and establishment can be performed using manual
13049 procedures or automated mechanisms with supporting manual procedures. Organizations define
13050 key management requirements in accordance with applicable laws, executive orders, directives,
13051 regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and
13052 levels. Organizations manage trust stores to ensure that only approved trust anchors are part of
13053 such trust stores. This includes certificates with visibility external to organizational systems and
13054 certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide
13055 additional information on validated cryptographic modules and algorithms that can be used in
13056 cryptographic key management and establishment.
13057 Related Controls: AC-17, AU-9, AU-10, CM-3, IA-3, IA-7, SA-4, SA-8, SA-9, SC-8, SC-11, SC-13, SC-
13058 17, SC-20, SC-37, SC-40, SI-3, SI-7.
13059 Control Enhancements:
13060 (1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY
13061 Maintain availability of information in the event of the loss of cryptographic keys by users.
13062 Discussion: Escrowing of encryption keys is a common practice for ensuring availability in
13063 the event of loss of keys. A forgotten passphrase is an example of losing a cryptographic key.
13064 Related Controls: None.
13065 (2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS
13066 Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-
13067 validated; NSA-approved] key management technology and processes.

CHAPTER THREE PAGE 298

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13068 Discussion: [SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic
13069 key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and
13070 [SP 800-57-3] provide guidance on cryptographic key management.
13071 Related Controls: None.
13072 (3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS
13073 Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-
13074 approved key management technology and processes; prepositioned keying material;
13075 DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-
13076 issued Medium Hardware Assurance PKI certificates and hardware security tokens that
13077 protect the user’s private key; certificates issued in accordance with organization-defined
13078 requirements].
13079 Discussion: [SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic
13080 key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and
13081 [SP 800-57-3] provide guidance on cryptographic key management.
13082 Related Controls: None.
13083 (4) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES
13084 [Withdrawn: Incorporated into SC-12(3).]
13085 (5) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES / HARDWARE TOKENS
13086 [Withdrawn: Incorporated into SC-12(3).]
13087 (6) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PHYSICAL CONTROL OF KEYS
13088 Maintain physical control of cryptographic keys when stored information is encrypted by
13089 external service providers.
13090 Discussion: For organizations using external service providers, for example, cloud service
13091 providers or data center providers, physical control of cryptographic keys provides additional
13092 assurance that information stored by such external providers is not subject to unauthorized
13093 disclosure or modification.
13094 Related Controls: None.
13095 References: [FIPS 140-3]; [SP 800-56A]; [SP 800-56B]; [SP 800-56C]; [SP 800-57-1]; [SP 800-57-2];
13096 [SP 800-57-3]; [SP 800-63-3]; [IR 7956]; [IR 7966].

13097 SC-13 CRYPTOGRAPHIC PROTECTION

13098 Control:
13099 a. Determine the [Assignment: organization-defined cryptographic uses]; and
13100 b. Implement the following types of cryptography required for each specified cryptographic
13101 use: [Assignment: organization-defined types of cryptography for each specified
13102 cryptographic use].
13103 Discussion: Cryptography can be employed to support a variety of security solutions including,
13104 the protection of classified information and controlled unclassified information; the provision
13105 and implementation of digital signatures; and the enforcement of information separation when
13106 authorized individuals have the necessary clearances but lack the necessary formal access
13107 approvals. Cryptography can also be used to support random number and hash generation.
13108 Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-
13109 approved cryptography. For example, organizations that need to protect classified information
13110 may specify the use of NSA-approved cryptography. Organizations that need to provision and
13111 implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is

CHAPTER THREE PAGE 299

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13112 implemented in accordance with applicable laws, executive orders, directives, regulations,
13113 policies, standards, and guidelines.
13114 Related Controls: AC-2, AC-3, AC-7, AC-17, AC-18, AC-19, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7,
13115 MA-4, MP-2, MP-4, MP-5, SA-4, SA-8, SA-9, SC-8, SC-12, SC-20, SC-23, SC-28, SC-40, SI-3, SI-7.
13116 Control Enhancements: None.
13117 (1) CRYPTOGRAPHIC PROTECTION | FIPS-VALIDATED CRYPTOGRAPHY
13118 [Withdrawn: Incorporated into SC-13.]
13119 (2) CRYPTOGRAPHIC PROTECTION | NSA-APPROVED CRYPTOGRAPHY
13120 [Withdrawn: Incorporated into SC-13.]
13121 (3) CRYPTOGRAPHIC PROTECTION | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS
13122 [Withdrawn: Incorporated into SC-13.]
13123 (4) CRYPTOGRAPHIC PROTECTION | DIGITAL SIGNATURES
13124 [Withdrawn: Incorporated into SC-13.]
13125 References: [FIPS 140-3].

13126 SC-14 PUBLIC ACCESS PROTECTIONS

13127 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10.]

13128 SC-15 COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS

13129 Control:
13130 a. Prohibit remote activation of collaborative computing devices and applications with the
13131 following exceptions: [Assignment: organization-defined exceptions where remote activation
13132 is to be allowed]; and
13133 b. Provide an explicit indication of use to users physically present at the devices.
13134 Discussion: Collaborative computing devices and applications include remote meeting devices
13135 and applications, networked white boards, cameras, and microphones. Explicit indication of use
13136 includes signals to users when collaborative computing devices and applications are activated.
13137 Related Controls: AC-21, SC-42.
13138 Control Enhancements:
13139 (1) COLLABORATIVE COMPUTING DEVICES | PHYSICAL OR LOGICAL DISCONNECT
13140 Provide [Selection (one or more): physical; logical] disconnect of collaborative computing
13141 devices in a manner that supports ease of use.
13142 Discussion: Failing to disconnect from collaborative computing devices can result in
13143 subsequent compromises of organizational information. Providing easy methods to
13144 disconnect from such devices after a collaborative computing session ensures that
13145 participants carry out the disconnect activity without having to go through complex and
13146 tedious procedures.
13147 Related Controls: None.
13148 (2) COLLABORATIVE COMPUTING DEVICES | BLOCKING INBOUND AND OUTBOUND COMMUNICATIONS
13149 TRAFFIC
13150 [Withdrawn: Incorporated into SC-7.]

CHAPTER THREE PAGE 300

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13151 (3) COLLABORATIVE COMPUTING DEVICES | DISABLING AND REMOVAL IN SECURE WORK AREAS
13152 Disable or remove collaborative computing devices and applications from [Assignment:
13153 organization-defined systems or system components] in [Assignment: organization-defined
13154 secure work areas].
13155 Discussion: Failing to disable or remove collaborative computing devices and applications
13156 from systems or system components can result in compromises of information, including
13157 eavesdropping on conversations. A secure work area includes a sensitive compartmented
13158 information facility (SCIF).
13159 Related Controls: None.
13160 (4) COLLABORATIVE COMPUTING DEVICES | EXPLICITLY INDICATE CURRENT PARTICIPANTS
13161 Provide an explicit indication of current participants in [Assignment: organization-defined
13162 online meetings and teleconferences].
13163 Discussion: Explicitly indicating current participants prevents unauthorized individuals from
13164 participating in collaborative computing sessions without the explicit knowledge of other
13165 participants.
13166 Related Controls: None.
13167 References: None.

13168 SC-16 TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES

13169 Control: Associate [Assignment: organization-defined security and privacy attributes] with
13170 information exchanged between systems and between system components.
13171 Discussion: Security and privacy attributes can be explicitly or implicitly associated with the
13172 information contained in organizational systems or system components. Attributes are an
13173 abstraction representing the basic properties or characteristics of an entity with respect to
13174 protecting information or the management of personally identifiable information. Attributes are
13175 typically associated with internal data structures, including records, buffers, and files within the
13176 system. Security and privacy attributes are used to implement access control and information
13177 flow control policies; reflect special dissemination, management, or distribution instructions,
13178 including permitted uses of personally identifiable information; or support other aspects of the
13179 information security and privacy policies. Privacy attributes may be used independently, or in
13180 conjunction with security attributes.
13181 Related Controls: AC-3, AC-4, AC-16.
13182 Control Enhancements:
13183 (1) TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES | INTEGRITY VERIFICATION
13184 Verify the integrity of transmitted security and privacy attributes.
13185 Discussion: A part of verifying the integrity of transmitted information is ensuring that
13186 security and privacy attributes that are associated with such information, have not been
13187 modified in an unauthorized manner. Unauthorized modification of security or privacy
13188 attributes can result in a loss of integrity for transmitted information.
13189 Related Controls: AU-10, SC-8.
13190 (2) TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES | ANTI-SPOOFING MECHANISMS
13191 Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security
13192 attributes indicating the successful application of the security process.
13193 Discussion: Some attack vectors operate by altering the security attributes of an information
13194 system to intentionally and maliciously implement an insufficient level of security within the

CHAPTER THREE PAGE 301

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13195 system. The alteration of attributes leads organizations to believe that a greater number of
13196 security functions are in place and operational than have actually been implemented.
13197 Related Controls: SI-3, SI-4, SI-7.
13198 References: [OMB A-130].

13199 SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

13200 Control:
13201 a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or
13202 obtain public key certificates from an approved service provider; and
13203 b. Include only approved trust anchors in trust stores or certificate stores managed by the
13204 organization.
13205 Discussion: This control addresses certificates with visibility external to organizational systems
13206 and certificates related to internal operations of systems, for example, application-specific time
13207 services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative
13208 source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate
13209 for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list
13210 of trusted root certificates.
13211 Related Controls: AU-10, IA-5, SC-12.
13212 Control Enhancements: None.
13213 References: [SP 800-32]; [SP 800-57-1]; [SP 800-57-2]; [SP 800-57-3]; [SP 800-63-3].

13214 SC-18 MOBILE CODE

13215 Control:
13216 a. Define acceptable and unacceptable mobile code and mobile code technologies; and
13217 b. Authorize, monitor, and control the use of mobile code within the system.
13218 Discussion: Mobile code includes any program, application, or content that can be transmitted
13219 across a network (e.g., embedded in an email, document, or website) and executed on a remote
13220 system. Decisions regarding the use of mobile code within organizational systems are based on
13221 the potential for the code to cause damage to the systems if used maliciously. Mobile code
13222 technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and
13223 implementation guidelines apply to both the selection and use of mobile code installed on
13224 servers and mobile code downloaded and executed on individual workstations and devices,
13225 including notebook computers and smart phones. Mobile code policy and procedures address
13226 specific actions taken to prevent the development, acquisition, and introduction of unacceptable
13227 mobile code within organizational systems, including requiring mobile code to be digitally signed
13228 by a trusted source.
13229 Related Controls: AU-2, AU-12, CM-2, CM-6, SI-3.
13230 Control Enhancements:
13231 (1) MOBILE CODE | IDENTIFY UNACCEPTABLE CODE AND TAKE CORRECTIVE ACTIONS
13232 Identify [Assignment: organization-defined unacceptable mobile code] and take
13233 [Assignment: organization-defined corrective actions].
13234 Discussion: Corrective actions when unacceptable mobile code is detected include blocking,
13235 quarantine, or alerting administrators. Blocking includes preventing transmission of word

CHAPTER THREE PAGE 302

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13236 processing files with embedded macros when such macros have been determined to be
13237 unacceptable mobile code.
13238 Related Controls: None.
13239 (2) MOBILE CODE | ACQUISITION, DEVELOPMENT, AND USE
13240 Verify that the acquisition, development, and use of mobile code to be deployed in the
13241 system meets [Assignment: organization-defined mobile code requirements].
13242 Discussion: None.
13243 Related Controls: None.
13244 (3) MOBILE CODE | PREVENT DOWNLOADING AND EXECUTION
13245 Prevent the download and execution of [Assignment: organization-defined unacceptable
13246 mobile code].
13247 Discussion: None.
13248 Related Controls: None.
13249 (4) MOBILE CODE | PREVENT AUTOMATIC EXECUTION
13250 Prevent the automatic execution of mobile code in [Assignment: organization-defined
13251 software applications] and enforce [Assignment: organization-defined actions] prior to
13252 executing the code.
13253 Discussion: Actions enforced before executing mobile code include prompting users prior to
13254 opening email attachments or clicking on web links. Preventing automatic execution of
13255 mobile code includes disabling auto execute features on system components employing
13256 portable storage devices such as Compact Disks (CDs), Digital Versatile Disks (DVDs), and
13257 Universal Serial Bus (USB) devices.
13258 Related Controls: None.
13259 (5) MOBILE CODE | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS
13260 Allow execution of permitted mobile code only in confined virtual machine environments.
13261 Discussion: Permitting execution of mobile code only in confined virtual machine
13262 environments helps prevent the introduction of malicious code into other systems and
13263 system components.
13264 Related Controls: SC-44, SI-7.
13265 References: [SP 800-28].

13266 SC-19 VOICE OVER INTERNET PROTOCOL

13267 [Withdrawn: Technology-specific; addressed by other controls for protocols.]

13268 SC-20 SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

13269 Control:
13270 a. Provide additional data origin authentication and integrity verification artifacts along with
13271 the authoritative name resolution data the system returns in response to external
13272 name/address resolution queries; and
13273 b. Provide the means to indicate the security status of child zones and (if the child supports
13274 secure resolution services) to enable verification of a chain of trust among parent and child
13275 domains, when operating as part of a distributed, hierarchical namespace.
13276 Discussion: This control enables external clients, including remote Internet clients, to obtain
13277 origin authentication and integrity verification assurances for the host/service name to network

CHAPTER THREE PAGE 303

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13278 address resolution information obtained through the service. Systems that provide name and
13279 address resolution services include domain name system (DNS) servers. Additional artifacts
13280 include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data
13281 include DNS resource records. The means to indicate the security status of child zones include
13282 the use of delegation signer resource records in the DNS. Systems that use technologies other
13283 than the DNS to map between host and service names and network addresses provide other
13284 means to assure the authenticity and integrity of response data.
13285 Related Controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.
13286 Control Enhancements:
13287 (1) SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | CHILD SUBSPACES
13288 [Withdrawn: Incorporated into SC-20.]
13289 (2) SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | DATA ORIGIN AND
13290 INTEGRITY
13291 Provide data origin and integrity protection artifacts for internal name/address resolution
13292 queries.
13293 Discussion: None.
13294 Related Controls: None.
13295 References: [FIPS 140-3]; [FIPS 186-4]; [SP 800-81-2].

13296 SC-21 SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

13297 Control: Request and perform data origin authentication and data integrity verification on the
13298 name/address resolution responses the system receives from authoritative sources.
13299 Discussion: Each client of name resolution services either performs this validation on its own, or
13300 has authenticated channels to trusted validation providers. Systems that provide name and
13301 address resolution services for local clients include recursive resolving or caching domain name
13302 system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or
13303 clients use authenticated channels to recursive resolvers that perform such validations. Systems
13304 that use technologies other than the DNS to map between host/service names and network
13305 addresses provide some other means to enable clients to verify the authenticity and integrity of
13306 response data.
13307 Related Controls: SC-20, SC-22.
13308 Control Enhancements: None.
13309 (1) SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | DATA ORIGIN
13310 AND INTEGRITY
13311 [Withdrawn: Incorporated into SC-21.]
13312 References: [SP 800-81-2].

13313 SC-22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE

13314 Control: Ensure the systems that collectively provide name/address resolution service for an
13315 organization are fault-tolerant and implement internal and external role separation.
13316 Discussion: Systems that provide name and address resolution services include domain name
13317 system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy,
13318 organizations employ at least two authoritative domain name system servers; one configured as
13319 the primary server and the other configured as the secondary server. Additionally, organizations

CHAPTER THREE PAGE 304

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13320 typically deploy the servers in two geographically separated network subnetworks (i.e., not
13321 located in the same physical facility). For role separation, DNS servers with internal roles only
13322 process name and address resolution requests from within organizations (i.e., from internal
13323 clients). DNS servers with external roles only process name and address resolution information
13324 requests from clients external to organizations (i.e., on external networks including the Internet).
13325 Organizations specify clients that can access authoritative DNS servers in certain roles, for
13326 example, by address ranges and explicit lists.
13327 Related Controls: SC-2, SC-20, SC-21, SC-24.
13328 Control Enhancements: None.
13329 References: [SP 800-81-2].

13330 SC-23 SESSION AUTHENTICITY

13331 Control: Protect the authenticity of communications sessions.
13332 Discussion: Protecting session authenticity addresses communications protection at the session,
13333 level; not at the packet level. Such protection establishes grounds for confidence at both ends of
13334 communications sessions in the ongoing identities of other parties and the validity of information
13335 transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and
13336 session hijacking, and the insertion of false information into sessions.
13337 Related Controls: AU-10, SC-8, SC-10, SC-11.
13338 Control Enhancements:
13339 (1) SESSION AUTHENTICITY | INVALIDATE SESSION IDENTIFIERS AT LOGOUT
13340 Invalidate session identifiers upon user logout or other session termination.
13341 Discussion: Invalidating session identifiers at logout curtails the ability of adversaries from
13342 capturing and continuing to employ previously valid session IDs.
13343 Related Controls: None.
13344 (2) SESSION AUTHENTICITY | USER-INITIATED LOGOUTS AND MESSAGE DISPLAYS
13345 [Withdrawn: Incorporated into AC-12(1).]
13346 (3) SESSION AUTHENTICITY | UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS
13347 Generate a unique session identifier for each session with [Assignment: organization-
13348 defined randomness requirements] and recognize only session identifiers that are system-
13349 generated.
13350 Discussion: Generating unique session identifiers curtails the ability of adversaries from
13351 reusing previously valid session IDs. Employing the concept of randomness in the generation
13352 of unique session identifiers protects against brute-force attacks to determine future session
13353 identifiers.
13354 Related Controls: AC-10, SC-13.
13355 (4) SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
13356 [Withdrawn: Incorporated into SC-23(3).]
13357 (5) SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES
13358 Only allow the use of [Assignment: organization-defined certificate authorities] for
13359 verification of the establishment of protected sessions.
13360 Discussion: Reliance on certificate authorities for the establishment of secure sessions
13361 includes the use of Transport Layer Security (TLS) certificates. These certificates, after

CHAPTER THREE PAGE 305

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13362 verification by their respective certificate authorities, facilitate the establishment of

13363 protected sessions between web clients and web servers.
13364 Related Controls: SC-13.
13365 References: [SP 800-52]; [SP 800-77]; [SP 800-95]; [SP 800-113].

13366 SC-24 FAIL IN KNOWN STATE

13367 Control: Fail to a [Assignment: organization-defined known system state] for the following
13368 failures on the indicated components while preserving [Assignment: organization-defined system
13369 state information] in failure: [Assignment: list of organization-defined types of system failures on
13370 organization-defined system components].
13371 Discussion: Failure in a known state addresses security concerns in accordance with the mission
13372 and business needs of organizations. Failure in a known state prevents the loss of confidentiality,
13373 integrity, or availability of information in the event of failures of organizational systems or system
13374 components. Failure in a known safe state helps to prevent systems from failing to a state that
13375 may cause injury to individuals or destruction to property. Preserving system state information
13376 facilitates system restart and return to the operational mode with less disruption of mission and
13377 business processes.
13378 Related Controls: CP-2, CP-4, CP-10, CP-12, SA-8, SC-7, SC-22, SI-13.
13379 Control Enhancements: None.
13380 References: None.

13381 SC-25 THIN NODES

13382 Control: Employ minimal functionality and information storage on the following system
13383 components: [Assignment: organization-defined system components].
13384 Discussion: The deployment of system components with minimal functionality reduces the need
13385 to secure every endpoint, and may reduce the exposure of information, systems, and services to
13386 attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies.
13387 Related Controls: SC-30, SC-44.
13388 Control Enhancements: None.
13389 References: None.
13390 SC-26 DECOYS
13391 Control: Include components within organizational systems specifically designed to be the target
13392 of malicious attacks for detecting, deflecting, and analyzing such attacks.
13393 Discussion: Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract
13394 adversaries and to deflect attacks away from the operational systems supporting organizational
13395 missions and business functions. Depending upon the specific usage of the decoy, consultation
13396 with the Office of the General Counsel before deployment may be needed.
13397 Related Controls: RA-5, SC-30, SC-35, SC-44, SI-3, SI-4.
13398 Control Enhancements: None.
13399 (1) DECOYS | DETECTION OF MALICIOUS CODE
13400 [Withdrawn: Incorporated into SC-35.]
13401 References: None.

CHAPTER THREE PAGE 306

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13402 SC-27 PLATFORM-INDEPENDENT APPLICATIONS

13403 Control: Include within organizational systems, the following platform independent applications:
13404 [Assignment: organization-defined platform-independent applications].
13405 Discussion: Platforms are combinations of hardware, firmware, and software components used
13406 to execute software applications. Platforms include operating systems; the underlying computer
13407 architectures; or both. Platform-independent applications are applications with the capability to
13408 execute on multiple platforms. Such applications promote portability and reconstitution on
13409 different platforms. Application portability and the ability to reconstitute on different platforms
13410 increases the availability of mission essential functions within organizations in situations where
13411 systems with specific operating systems are under attack.
13412 Related Controls: SC-29.
13413 Control Enhancements: None.
13414 References: None.

13415 SC-28 PROTECTION OF INFORMATION AT REST

13416 Control: Protect the [Selection (one or more): confidentiality; integrity] of the following
13417 information at rest: [Assignment: organization-defined information at rest].
13418 Discussion: Information at rest refers to the state of information when it is not in process or in
13419 transit and is located on system components. Such components include internal or external hard
13420 disk drives, storage area network devices, or databases. However, the focus of protecting
13421 information at rest is not on the type of storage device or frequency of access but rather the
13422 state of the information. Information at rest addresses the confidentiality and integrity of
13423 information and covers user information and system information. System-related information
13424 requiring protection includes configurations or rule sets for firewalls, intrusion detection and
13425 prevention systems, filtering routers, and authenticator content. Organizations may employ
13426 different mechanisms to achieve confidentiality and integrity protections, including the use of
13427 cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for
13428 example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate
13429 protection of information at rest cannot otherwise be achieved, organizations may employ other
13430 controls, including frequent scanning to identify malicious code at rest and secure off-line
13431 storage in lieu of online storage.
13432 Related Controls: AC-3, AC-4, AC-6, AC-19, CA-7, CM-3, CM-5, CM-6, CP-9, MP-4, MP-5, PE-3, SC-
13433 8, SC-12, SC-13, SC-34, SI-3, SI-7, SI-16.
13434 Control Enhancements:
13435 (1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION
13436 Implement cryptographic mechanisms to prevent unauthorized disclosure and
13437 modification of the following information at rest on [Assignment: organization-defined
13438 system components or media]: [Assignment: organization-defined information].
13439 Discussion: Selection of cryptographic mechanisms is based on the need to protect the
13440 confidentiality and integrity of organizational information. The strength of mechanism is
13441 commensurate with the security category or classification of the information. Organizations
13442 have the flexibility to encrypt information on system components or media or encrypt data
13443 structures, including files, records, or fields. Organizations using cryptographic mechanisms
13444 also consider cryptographic key management solutions (see SC-12 and SC-13).
13445 Related Controls: AC-19.

CHAPTER THREE PAGE 307

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13446 (2) PROTECTION OF INFORMATION AT REST | OFF-LINE STORAGE

13447 Remove the following information from online storage and store off-line in a secure
13448 location: [Assignment: organization-defined information].
13449 Discussion: Removing organizational information from online storage to off-line storage
13450 eliminates the possibility of individuals gaining unauthorized access to the information
13451 through a network. Therefore, organizations may choose to move information to off-line
13452 storage in lieu of protecting such information in online storage.
13453 Related Controls: None.
13454 (3) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC KEYS
13455 Provide protected storage for cryptographic keys [Selection: [Assignment: organization-
13456 defined safeguards]; hardware-protected key store].
13457 Discussion: A Trusted Platform Module (TPM) is an example of a hardware-projected data
13458 store that can be used to protect cryptographic keys. .
13459 Related Controls: SC-13.
13460 References: [OMB A-130]; [SP 800-56A]; [SP 800-56B]; [SP 800-56C]; [SP 800-57-1]; [SP 800-57-
13461 2]; [SP 800-57-3]; [SP 800-111]; [SP 800-124].

13462 SC-29 HETEROGENEITY

13463 Control: Employ a diverse set of information technologies for the following system components
13464 in the implementation of the system: [Assignment: organization-defined system components].
13465 Discussion: Increasing the diversity of information technologies within organizational systems
13466 reduces the impact of potential exploitations or compromises of specific technologies. Such
13467 diversity protects against common mode failures, including those failures induced by supply
13468 chain attacks. Diversity in information technologies also reduces the likelihood that the means
13469 adversaries use to compromise one system component will be effective against other system
13470 components, thus further increasing the adversary work factor to successfully complete planned
13471 attacks. An increase in diversity may add complexity and management overhead that could
13472 ultimately lead to mistakes and unauthorized configurations.
13473 Related Controls: AU-9, PL-8, SC-27, SC-30, SR-3.
13474 Control Enhancements:
13475 (1) HETEROGENEITY | VIRTUALIZATION TECHNIQUES
13476 Employ virtualization techniques to support the deployment of a diversity of operating
13477 systems and applications that are changed [Assignment: organization-defined frequency].
13478 Discussion: While frequent changes to operating systems and applications can pose
13479 significant configuration management challenges, the changes can result in an increased
13480 work factor for adversaries to conduct successful attacks. Changing virtual operating systems
13481 or applications, as opposed to changing actual operating systems or applications, provides
13482 virtual changes that impede attacker success while reducing configuration management
13483 efforts. Virtualization techniques can assist in isolating untrustworthy software or software
13484 of dubious provenance into confined execution environments.
13485 Related Controls: None.
13486 References: None.

CHAPTER THREE PAGE 308

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13487 SC-30 CONCEALMENT AND MISDIRECTION

13488 Control: Employ the following concealment and misdirection techniques for [Assignment:
13489 organization-defined systems] at [Assignment: organization-defined time-periods] to confuse and
13490 mislead adversaries: [Assignment: organization-defined concealment and misdirection
13491 techniques].
13492 Discussion: Concealment and misdirection techniques can significantly reduce the targeting
13493 capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and
13494 complete attacks. For example, virtualization techniques provide organizations with the ability to
13495 disguise systems, potentially reducing the likelihood of successful attacks without the cost of
13496 having multiple platforms. The increased use of concealment and misdirection techniques and
13497 methods, including randomness, uncertainty, and virtualization, may sufficiently confuse and
13498 mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft.
13499 Concealment and misdirection techniques may provide additional time to perform core missions
13500 and business functions. The implementation of concealment and misdirection techniques may
13501 add to the complexity and management overhead required for the system.
13502 Related Controls: AC-6, SC-25, SC-26, SC-29, SC-44, SI-14.
13503 Control Enhancements:
13504 (1) CONCEALMENT AND MISDIRECTION | VIRTUALIZATION TECHNIQUES
13505 [Withdrawn: Incorporated into SC-29(1).]
13506 (2) CONCEALMENT AND MISDIRECTION | RANDOMNESS
13507 Employ [Assignment: organization-defined techniques] to introduce randomness into
13508 organizational operations and assets.
13509 Discussion: Randomness introduces increased levels of uncertainty for adversaries regarding
13510 the actions organizations take in defending their systems against attacks. Such actions may
13511 impede the ability of adversaries to correctly target information resources of organizations
13512 supporting critical missions or business functions. Uncertainty may also cause adversaries to
13513 hesitate before initiating attacks or continuing the attacks. Misdirection techniques involving
13514 randomness include performing certain routine actions at different times of day, employing
13515 different information technologies, using different suppliers, and rotating roles and
13516 responsibilities of organizational personnel.
13517 Related Controls: None.
13518 (3) CONCEALMENT AND MISDIRECTION | CHANGE PROCESSING AND STORAGE LOCATIONS
13519 Change the location of [Assignment: organization-defined processing and/or storage]
13520 [Selection: [Assignment: organization-defined time frequency]; at random time intervals]].
13521 Discussion: Adversaries target critical missions and business functions and the systems
13522 supporting those missions and functions while at the same time, trying to minimize exposure
13523 of their existence and tradecraft. The static, homogeneous, and deterministic nature of
13524 organizational systems targeted by adversaries, make such systems more susceptible to
13525 attacks with less adversary cost and effort to be successful. Changing processing and storage
13526 locations (also referred to as moving target defense) addresses the advanced persistent
13527 threat using techniques such as virtualization, distributed processing, and replication. This
13528 enables organizations to relocate the system components (i.e., processing and/or storage)
13529 supporting critical missions and business functions. Changing the locations of processing
13530 activities and/or storage sites introduces a degree of uncertainty into the targeting activities
13531 by adversaries. The targeting uncertainty increases the work factor of adversaries making
13532 compromises or breaches to organizational systems more difficult and time-consuming. It

CHAPTER THREE PAGE 309

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13533 also increases the chances that adversaries may inadvertently disclose aspects of tradecraft
13534 while attempting to locate critical organizational resources.
13535 Related Controls: None.
13536 (4) CONCEALMENT AND MISDIRECTION | MISLEADING INFORMATION
13537 Employ realistic, but misleading information in [Assignment: organization-defined system
13538 components] about its security state or posture.
13539 Discussion: This control enhancement is intended to mislead potential adversaries regarding
13540 the nature and extent of controls deployed by organizations. Thus, adversaries may employ
13541 incorrect and ineffective, attack techniques. One technique for misleading adversaries is for
13542 organizations to place misleading information regarding the specific controls deployed in
13543 external systems that are known to be targeted by adversaries. Another technique is the use
13544 of deception nets that mimic actual aspects of organizational systems but use, for example,
13545 out-of-date software configurations.
13546 Related Controls: SC-26.
13547 (5) CONCEALMENT AND MISDIRECTION | CONCEALMENT OF SYSTEM COMPONENTS
13548 Employ the following techniques to hide or conceal [Assignment: organization-defined
13549 system components]: [Assignment: organization-defined techniques].
13550 Discussion: By hiding, disguising, or concealing critical system components, organizations
13551 may be able to decrease the probability that adversaries target and successfully compromise
13552 those assets. Potential means to hide, disguise, or conceal system components include
13553 configuration of routers or the use of encryption or virtualization techniques.
13554 Related Controls: None.
13555 References: None.

13556 SC-31 COVERT CHANNEL ANALYSIS

13557 Control:
13558 a. Perform a covert channel analysis to identify those aspects of communications within the
13559 system that are potential avenues for covert [Selection (one or more): storage; timing]
13560 channels; and
13561 b. Estimate the maximum bandwidth of those channels.
13562 Discussion: Developers are in the best position to identify potential areas within systems that
13563 might lead to covert channels. Covert channel analysis is a meaningful activity when there is the
13564 potential for unauthorized information flows across security domains, for example, in the case of
13565 systems containing export-controlled information and having connections to external networks
13566 (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for
13567 multilevel secure systems, multiple security level systems, and cross-domain systems.
13568 Related Controls: AC-3, AC-4, SA-8, SI-11.
13569 Control Enhancements:
13570 (1) COVERT CHANNEL ANALYSIS | TEST COVERT CHANNELS FOR EXPLOITABILITY
13571 Test a subset of the identified covert channels to determine the channels that are
13572 exploitable.
13573 Discussion: None.
13574 Related Controls: None.

CHAPTER THREE PAGE 310

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13575 (2) COVERT CHANNEL ANALYSIS | MAXIMUM BANDWIDTH

13576 Reduce the maximum bandwidth for identified covert [Selection (one or more); storage;
13577 timing] channels to [Assignment: organization-defined values].
13578 Discussion: The complete elimination of covert channels, especially covert timing channels,
13579 is usually not possible without significant performance impacts.
13580 Related Controls: None.
13581 (3) COVERT CHANNEL ANALYSIS | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS
13582 Measure the bandwidth of [Assignment: organization-defined subset of identified covert
13583 channels] in the operational environment of the system.
13584 Discussion: Measuring covert channel bandwidth in specified operational environments
13585 helps organizations to determine how much information can be covertly leaked before such
13586 leakage adversely affects missions or business functions. Covert channel bandwidth may be
13587 significantly different when measured in those settings that are independent of the specific
13588 environments of operation, including laboratories or system development environments.
13589 Related Controls: None.
13590 References: None.

13591 SC-32 SYSTEM PARTITIONING

13592 Control: Partition the system into [Assignment: organization-defined system components]
13593 residing in separate [Selection: physical; logical] domains or environments based on [Assignment:
13594 organization-defined circumstances for physical or logical separation of components].
13595 Discussion: System partitioning is a part of a defense-in-depth protection strategy. Organizations
13596 determine the degree of physical separation of system components. Physical separation options
13597 include: physically distinct components in separate racks in the same room; critical components
13598 in separate rooms; and geographical separation of the most critical components. Security
13599 categorization can guide the selection of appropriate candidates for domain partitioning.
13600 Managed interfaces restrict or prohibit network access and information flow among partitioned
13601 system components.
13602 Related Controls: AC-4, AC-6, SA-8, SC-2, SC-3, SC-7, SC-36.
13603 Control Enhancements:
13604 (1) SYSTEM PARTITIONING | SEPARATE PHYSICAL DOMAINS FOR PRIVILEGED FUNCTIONS
13605 Partition privileged functions into separate physical domains.
13606 Discussion: Privileged functions operating in a single physical domain may represent a single
13607 point of failure if that domain becomes compromised or experiences a denial of service.
13608 Related Controls: None.
13609 References: [FIPS 199]; [IR 8179].

13610 SC-33 TRANSMISSION PREPARATION INTEGRITY

13611 [Withdrawn: Incorporated into SC-8.]

13612 SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS

13613 Control: For [Assignment: organization-defined system components], load and execute:
13614 a. The operating environment from hardware-enforced, read-only media; and

CHAPTER THREE PAGE 311

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13615 b. The following applications from hardware-enforced, read-only media: [Assignment:

13616 organization-defined applications].
13617 Discussion: The operating environment for a system contains the code that hosts applications,
13618 including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can
13619 also include certain applications running directly on hardware platforms. Hardware-enforced,
13620 read-only media include Compact Disk-Recordable (CD-R) and Digital Versatile Disk-Recordable
13621 (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable
13622 storage ensures the integrity of software from the point of creation of the read-only image. Use
13623 of reprogrammable read-only memory can be accepted as read-only media provided integrity
13624 can be adequately protected from the point of initial writing to the insertion of the memory into
13625 the system; and there are reliable hardware protections against reprogramming the memory
13626 while installed in organizational systems.
13627 Related Controls: AC-3, SI-7, SI-14.
13628 Control Enhancements:
13629 (1) NON-MODIFIABLE EXECUTABLE PROGRAMS | NO WRITABLE STORAGE
13630 Employ [Assignment: organization-defined system components] with no writeable storage
13631 that is persistent across component restart or power on/off.
13632 Discussion: Disallowing writeable storage eliminates the possibility of malicious code
13633 insertion via persistent, writeable storage within the designated system components. The
13634 restriction applies to fixed and removable storage, with the latter being addressed either
13635 directly or as specific restrictions imposed through access controls for mobile devices.
13636 Related Controls: AC-19, MP-7.
13637 (2) NON-MODIFIABLE EXECUTABLE PROGRAMS | INTEGRITY PROTECTION ON READ-ONLY MEDIA
13638 Protect the integrity of information prior to storage on read-only media and control the
13639 media after such information has been recorded onto the media.
13640 Discussion: Controls prevent the substitution of media into systems or the reprogramming
13641 of programmable read-only media prior to installation into the systems. Integrity protection
13642 controls include a combination of prevention, detection, and response.
13643 Related Controls: CM-3, CM-5, CM-9, MP-2, MP-4, MP-5, SC-28, SI-3.
13644 (3) NON-MODIFIABLE EXECUTABLE PROGRAMS | HARDWARE-BASED PROTECTION
13645 (a) Employ hardware-based, write-protect for [Assignment: organization-defined system
13646 firmware components]; and
13647 (b) Implement specific procedures for [Assignment: organization-defined authorized
13648 individuals] to manually disable hardware write-protect for firmware modifications
13649 and re-enable the write-protect prior to returning to operational mode.
13650 Discussion: None.
13651 Related Controls: None.
13652 References: None.

13653 SC-35 EXTERNAL MALICIOUS CODE IDENTIFICATION

13654 Control: Include system components that proactively seek to identify network-based malicious
13655 code or malicious websites.
13656 Discussion: External malicious code identification differs from decoys in SC-26 in that the
13657 components actively probe networks, including the Internet, in search of malicious code
13658 contained on external websites. Like decoys, the use of external malicious code identification

CHAPTER THREE PAGE 312

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13659 techniques requires some supporting isolation measures to ensure that any malicious code
13660 discovered during the search and subsequently executed does not infect organizational systems.
13661 Virtualization is a common technique for achieving such isolation.
13662 Related Controls: SC-26, SC-44, SI-3, SI-4.
13663 Control Enhancements: None.
13664 References: None.

13665 SC-36 DISTRIBUTED PROCESSING AND STORAGE

13666 Control: Distribute the following processing and storage components across multiple [Selection:
13667 physical locations; logical domains]: [Assignment: organization-defined processing and storage
13668 components].
13669 Discussion: Distributing processing and storage across multiple physical locations or logical
13670 domains provides a degree of redundancy or overlap for organizations. The redundancy and
13671 overlap increases the work factor of adversaries to adversely impact organizational operations,
13672 assets, and individuals. The use of distributed processing and storage does not assume a single
13673 primary processing or storage location. Therefore, it allows for parallel processing and storage.
13674 Related Controls: CP-6, CP-7, PL-8, SC-32.
13675 Control Enhancements:
13676 (1) DISTRIBUTED PROCESSING AND STORAGE | POLLING TECHNIQUES
13677 (a) Employ polling techniques to identify potential faults, errors, or compromises to the
13678 following processing and storage components: [Assignment: organization-defined
13679 distributed processing and storage components]; and
13680 (b) Take the following actions in response to identified faults, errors, or compromises:
13681 [Assignment: organization-defined actions].
13682 Discussion: Distributed processing and/or storage may be used to reduce opportunities for
13683 adversaries to compromise the confidentiality, integrity, or availability of organizational
13684 information and systems. However, distribution of processing and/or storage components
13685 does not prevent adversaries from compromising one or more of the components. Polling
13686 compares the processing results and/or storage content from the distributed components
13687 and subsequently votes on the outcomes. Polling identifies potential faults, compromises, or
13688 errors in the distributed processing and storage components. Polling techniques may also be
13689 applied to processing and storage components that are not physically distributed.
13690 Related Controls: SI-4.
13691 (2) DISTRIBUTED PROCESSING AND STORAGE | SYNCHRONIZATION
13692 Synchronize the following duplicate systems or system components: [Assignment:
13693 organization-defined duplicate systems or system components].
13694 Discussion: SC-36 and CP-9(6) require the duplication of systems or system components in
13695 distributed locations. Synchronization of duplicated and redundant services and data helps
13696 to ensure that information contained in the distributed locations can be used in the missions
13697 or business functions of organizations, as needed.
13698 Related Controls: CP-9.
13699 References: [SP 800-160 v2].

CHAPTER THREE PAGE 313

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13700 SC-37 OUT-OF-BAND CHANNELS

13701 Control: Employ the following out-of-band channels for the physical delivery or electronic
13702 transmission of [Assignment: organization-defined information, system components, or devices]
13703 to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined
13704 out-of-band channels].
13705 Discussion: Out-of-band channels include local nonnetwork accesses to systems; network paths
13706 physically separate from network paths used for operational traffic; or nonelectronic paths such
13707 as the US Postal Service. The use of out-of-band channels is contrasted with the use of in-band
13708 channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do
13709 not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality,
13710 integrity, or availability compromises of in-band channels will not compromise or adversely affect
13711 the out-of-band channels. Organizations may employ out-of-band channels in the delivery or the
13712 transmission of organizational items, including identifiers and authenticators; cryptographic key
13713 management information; system and data backups; configuration management changes for
13714 hardware, firmware, or software; security updates; maintenance information; and malicious
13715 code protection updates.
13716 Related Controls: AC-2, CM-3, CM-5, CM-7, IA-2, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7.
13717 Control Enhancements:
13718 (1) OUT-OF-BAND CHANNELS | ENSURE DELIVERY AND TRANSMISSION
13719 Employ [Assignment: organization-defined controls] to ensure that only [Assignment:
13720 organization-defined individuals or systems] receive the following information, system
13721 components, or devices: [Assignment: organization-defined information, system
13722 components, or devices].
13723 Discussion: Techniques employed by organizations to ensure that only designated systems
13724 or individuals receive certain information, system components, or devices include, sending
13725 authenticators via an approved courier service but requiring recipients to show some form
13726 of government-issued photographic identification as a condition of receipt.
13727 Related Controls: None.
13728 References: [SP 800-57-1]; [SP 800-57-2]; [SP 800-57-3].

13729 SC-38 OPERATIONS SECURITY

13730 Control: Employ the following operations security controls to protect key organizational
13731 information throughout the system development life cycle: [Assignment: organization-defined
13732 operations security controls].
13733 Discussion: Operations security (OPSEC) is a systematic process by which potential adversaries
13734 can be denied information about the capabilities and intentions of organizations by identifying,
13735 controlling, and protecting generally unclassified information that specifically relates to the
13736 planning and execution of sensitive organizational activities. The OPSEC process involves five
13737 steps: identification of critical information; analysis of threats; analysis of vulnerabilities;
13738 assessment of risks; and the application of appropriate countermeasures. OPSEC controls are
13739 applied to organizational systems and the environments in which those systems operate. OPSEC
13740 controls protect the confidentiality of information, including limiting the sharing of information
13741 with suppliers and potential suppliers of system components and services, and with other non-
13742 organizational elements and individuals. Information critical to organizational missions and
13743 business functions includes user identities, element uses, suppliers, supply chain processes,
13744 functional requirements, security requirements, system design specifications, testing and
13745 evaluation protocols, and security control implementation details.

CHAPTER THREE PAGE 314

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13746 Related Controls: CA-2, CA-7, PL-1, PM-9, PM-12, RA-2, RA-3, RA-5, SC-7, SR-3, SR-7.
13747 Control Enhancements: None.
13748 References: None.

13749 SC-39 PROCESS ISOLATION

13750 Control: Maintain a separate execution domain for each executing system process.
13751 Discussion: Systems can maintain separate execution domains for each executing process by
13752 assigning each process a separate address space. Each system process has a distinct address
13753 space so that communication between processes is performed in a manner controlled through
13754 the security functions, and one process cannot modify the executing code of another process.
13755 Maintaining separate execution domains for executing processes can be achieved, for example,
13756 by implementing separate address spaces. Process isolation technologies, including sandboxing
13757 or virtualization, logically separate software and firmware from other software, firmware, and
13758 data. Process isolation helps limit the access of potentially untrusted software to other system
13759 resources. The capability to maintain separate execution domains is available in commercial
13760 operating systems that employ multi-state processor technologies.
13761 Related Controls: AC-3, AC-4, AC-6, AC-25, SA-8, SC-2, SC-3, SI-16.
13762 Control Enhancements:
13763 (1) PROCESS ISOLATION | HARDWARE SEPARATION
13764 Implement hardware separation mechanisms to facilitate process isolation.
13765 Discussion: Hardware-based separation of system processes is generally less susceptible to
13766 compromise than software-based separation, thus providing greater assurance that the
13767 separation will be enforced. Hardware separation mechanisms include hardware memory
13768 management.
13769 Related Controls: None.
13770 (2) PROCESS ISOLATION | SEPARATE EXECUTION DOMAIN PER THREAD
13771 Maintain a separate execution domain for each thread in [Assignment: organization-
13772 defined multi-threaded processing].
13773 Discussion: None.
13774 Related Controls: None.
13775 References: [SP 800-160 v1].

13776 SC-40 WIRELESS LINK PROTECTION

13777 Control: Protect external and internal [Assignment: organization-defined wireless links] from the
13778 following signal parameter attacks: [Assignment: organization-defined types of signal parameter
13779 attacks or references to sources for such attacks].
13780 Discussion: Wireless link protection applies to internal and external wireless communication
13781 links that may be visible to individuals who are not authorized system users. Adversaries can
13782 exploit the signal parameters of wireless links if such links are not adequately protected. There
13783 are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service,
13784 or spoof system users. Protection of wireless links reduces the impact of attacks that are unique
13785 to wireless systems. If organizations rely on commercial service providers for transmission
13786 services as commodity items rather than as fully dedicated services, it may not be possible to
13787 implement this control.
13788 Related Controls: AC-18, SC-5.

CHAPTER THREE PAGE 315

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13789 Control Enhancements:

13790 (1) WIRELESS LINK PROTECTION | ELECTROMAGNETIC INTERFERENCE
13791 Implement cryptographic mechanisms that achieve [Assignment: organization-defined
13792 level of protection] against the effects of intentional electromagnetic interference.
13793 Discussion: Implementation of cryptographic mechanisms for electromagnetic interference
13794 protects against intentional jamming that might deny or impair communications by ensuring
13795 that wireless spread spectrum waveforms used to provide anti-jam protection are not
13796 predictable by unauthorized individuals. The implementation of cryptographic mechanisms
13797 may also coincidentally mitigate the effects of unintentional jamming due to interference
13798 from legitimate transmitters sharing the same spectrum. Mission requirements, projected
13799 threats, concept of operations, and applicable laws, executive orders, directives, regulations,
13800 policies, and standards determine levels of wireless link availability, cryptography needed, or
13801 performance.
13802 Related Controls: PE-21, SC-12, SC-13.
13803 (2) WIRELESS LINK PROTECTION | REDUCE DETECTION POTENTIAL
13804 Implement cryptographic mechanisms to reduce the detection potential of wireless links
13805 to [Assignment: organization-defined level of reduction].
13806 Discussion: Implementation of cryptographic mechanisms to reduce detection potential is
13807 used for covert communications and to protect wireless transmitters from geo-location. It
13808 also ensures that spread spectrum waveforms used to achieve low probability of detection
13809 are not predictable by unauthorized individuals. Mission requirements, projected threats,
13810 concept of operations, and applicable laws, executive orders, directives, regulations, policies,
13811 and standards determine the levels to which wireless links are undetectable.
13812 Related Controls: SC-12, SC-13.
13813 (3) WIRELESS LINK PROTECTION | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION
13814 Implement cryptographic mechanisms to identify and reject wireless transmissions that
13815 are deliberate attempts to achieve imitative or manipulative communications deception
13816 based on signal parameters.
13817 Discussion: Implementation of cryptographic mechanisms to identify and reject imitative or
13818 manipulative communications ensures that the signal parameters of wireless transmissions
13819 are not predictable by unauthorized individuals. Such unpredictability reduces the
13820 probability of imitative or manipulative communications deception based upon signal
13821 parameters alone.
13822 Related Controls: SC-12, SC-13, SI-4.
13823 (4) WIRELESS LINK PROTECTION | SIGNAL PARAMETER IDENTIFICATION
13824 Implement cryptographic mechanisms to prevent the identification of [Assignment:
13825 organization-defined wireless transmitters] by using the transmitter signal parameters.
13826 Discussion: Radio fingerprinting techniques identify the unique signal parameters of
13827 transmitters to fingerprint such transmitters for purposes of tracking and mission or user
13828 identification. Implementation of cryptographic mechanisms to prevent the identification of
13829 wireless transmitters protects against the unique identification of wireless transmitters for
13830 purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal
13831 parameters are not predictable by unauthorized individuals. It also provides anonymity
13832 when required.
13833 Related Controls: SC-12, SC-13.
13834 References: None.

CHAPTER THREE PAGE 316

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13835 SC-41 PORT AND I/O DEVICE ACCESS

13836 Control: [Selection: Physically or Logically] disable or remove [Assignment: organization-defined
13837 connection ports or input/output devices] on the following systems or system components:
13838 [Assignment: organization-defined systems or system components].
13839 Discussion: Connection ports include Universal Serial Bus (USB), Thunderbolt, Firewire (IEEE
13840 1394). Input/output (I/O) devices include Compact Disk (CD) and Digital Versatile Disk (DVD)
13841 drives. Disabling or removing such connection ports and I/O devices helps prevent exfiltration of
13842 information from systems and the introduction of malicious code into systems from those ports
13843 or devices. Physically disabling or removing ports and/or devices is the stronger action.
13844 Related Controls: AC-20, MP-7.
13845 Control Enhancements: None.
13846 References: None.

13847 SC-42 SENSOR CAPABILITY AND DATA

13848 Control:
13849 a. Prohibit the remote activation of environmental sensing capabilities on organizational
13850 systems or system components with the following exceptions: [Assignment: organization-
13851 defined exceptions where remote activation of sensors is allowed]; and
13852 b. Provide an explicit indication of sensor use to [Assignment: organization-defined class of
13853 users].
13854 Discussion: Sensor capability and data applies to types of systems or system components
13855 characterized as mobile devices, for example, smart phones and tablets. Mobile devices often
13856 include sensors that can collect and record data regarding the environment where the system is
13857 in use. Sensors that are embedded within mobile devices include cameras, microphones, Global
13858 Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices
13859 provide an important function, if activated covertly such devices can potentially provide a means
13860 for adversaries to learn valuable information about individuals and organizations. For example,
13861 remotely activating the GPS function on a mobile device could provide an adversary with the
13862 ability to track the specific movements of an individual.
13863 Related Controls: SC-15.
13864 Control Enhancements:
13865 (1) SENSOR CAPABILITY AND DATA | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES
13866 Verify that the system is configured so that data or information collected by the
13867 [Assignment: organization-defined sensors] is only reported to authorized individuals or
13868 roles.
13869 Discussion: In situations where sensors are activated by authorized individuals, it is still
13870 possible that the data or information collected by the sensors will be sent to unauthorized
13871 entities.
13872 Related Controls: None.
13873 (2) SENSOR CAPABILITY AND DATA | AUTHORIZED USE
13874 Employ the following measures so that data or information collected by [Assignment:
13875 organization-defined sensors] is only used for authorized purposes: [Assignment:
13876 organization-defined measures].
13877 Discussion: Information collected by sensors for a specific authorized purpose could be
13878 misused for some unauthorized purpose. For example, GPS sensors that are used to support

CHAPTER THREE PAGE 317

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13879 traffic navigation could be misused to track movements of individuals. Measures to mitigate
13880 such activities include additional training to ensure that authorized individuals do not abuse
13881 their authority; and in the case where sensor data or information is maintained by external
13882 parties, contractual restrictions on the use of such data or information.
13883 Related Controls: PT-2.
13884 (3) SENSOR CAPABILITY AND DATA | PROHIBIT USE OF DEVICES
13885 Prohibit the use of devices possessing [Assignment: organization-defined environmental
13886 sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
13887 Discussion: For example, organizations may prohibit individuals from bringing cell phones or
13888 digital cameras into certain designated facilities or controlled areas within facilities where
13889 classified information is stored or sensitive conversations are taking place.
13890 Related Controls: None.
13891 (4) SENSOR CAPABILITY AND DATA | NOTICE OF COLLECTION
13892 Employ the following measures to facilitate an individual’s awareness that personally
13893 identifiable information is being collected by [Assignment: organization-defined sensors]:
13894 [Assignment: organization-defined measures].
13895 Discussion: Awareness that organizational sensors are collecting data enable individuals to
13896 more effectively engage in managing their privacy. Measures can include conventional
13897 written notices and sensor configurations that make individuals aware directly or indirectly
13898 through other devices that the sensor is collecting information. Usability and efficacy of the
13899 notice are important considerations.
13900 Related Controls: PT-1, PT-5, PT-6.
13901 (5) SENSOR CAPABILITY AND DATA | COLLECTION MINIMIZATION
13902 Employ [Assignment: organization-defined sensors] that are configured to minimize the
13903 collection of information about individuals that is not needed.
13904 Discussion: Although policies to control for authorized use can be applied to information
13905 once it is collected, minimizing the collection of information that is not needed mitigates
13906 privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor
13907 configurations include the obscuring of human features such as blurring or pixelating flesh
13908 tones.
13909 Related Controls: SI-12.
13910 References: [OMB A-130]; [SP 800-124].

13911 SC-43 USAGE RESTRICTIONS

13912 Control:
13913 a. Establish usage restrictions and implementation guidelines for the following system
13914 components: [Assignment: organization-defined system components]; and
13915 b. Authorize, monitor, and control the use of such components within the system.
13916 Discussion: Usage restrictions apply to all system components including, but not limited to,
13917 mobile code, mobile devices, wireless access, and wired and wireless peripheral components
13918 (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage
13919 restrictions and implementation guidelines are based on the potential for system components to
13920 cause damage to the system and help to ensure that only authorized system use occurs.
13921 Related Controls: AC-18, AC-19, CM-6, SC-7, SC-18.
13922 Control Enhancements: None.

CHAPTER THREE PAGE 318

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13923 References: [OMB A-130]; [SP 800-124].

13924 SC-44 DETONATION CHAMBERS

13925 Control: Employ a detonation chamber capability within [Assignment: organization-defined
13926 system, system component, or location].
13927 Discussion: Detonation chambers, also known as dynamic execution environments, allow
13928 organizations to open email attachments, execute untrusted or suspicious applications, and
13929 execute Universal Resource Locator requests in the safety of an isolated environment or a
13930 virtualized sandbox. These protected and isolated execution environments provide a means of
13931 determining whether the associated attachments or applications contain malicious code. While
13932 related to the concept of deception nets, this control is not intended to maintain a long-term
13933 environment in which adversaries can operate and their actions can be observed. Rather, it is
13934 intended to quickly identify malicious code and either reduce the likelihood that the code is
13935 propagated to user environments of operation or prevent such propagation completely.
13936 Related Controls: SC-7, SC-25, SC-26, SC-30, SC-35, SC-39, SI-3, SI-7.
13937 Control Enhancements: None.
13938 References: [SP 800-177].

13939 SC-45 SYSTEM TIME SYNCHRONIZATION

13940 Control: Synchronize system clocks within and between systems and system components.
13941 Discussion: Time synchronization of system clocks is essential for the correct execution of many
13942 system services, including identification and authentication processes involving certificates and
13943 time-of-day restrictions as part of access control. Denial-of-service or failure to deny expired
13944 credentials may result without properly synchronized clocks within and between systems and
13945 system components. Time is commonly expressed in Coordinated Universal Time (UTC), a
13946 modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The
13947 granularity of time measurements refers to the degree of synchronization between system clocks
13948 and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens
13949 of milliseconds. Organizations may define different time granularities for system components.
13950 Time service can be critical to other security capabilities such as access control and identification
13951 and authentication, depending on the nature of the mechanisms used to support the capabilities.
13952 Related Controls: AC-3, AU-8, IA-2, IA-8.
13953 Control Enhancements: None.
13954 References: None.

13955 SC-46 CROSS DOMAIN POLICY ENFORCEMENT

13956 Control: Implement a policy enforcement mechanism [Selection: physically; logically] between
13957 the physical and/or network interfaces for the connecting security domains.
13958 Discussion: For logical policy enforcement mechanisms, organizations avoid creating a logical
13959 path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For
13960 physical policy enforcement mechanisms, the robustness of physical isolation afforded by the
13961 physical implementation of policy enforcement to preclude the presence of logical covert
13962 channels penetrating the security boundary may be needed.
13963 Related Controls: AC-4, SC-7.
13964 Control Enhancements: None.

CHAPTER THREE PAGE 319

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

13965 References: [SP 800-160 v1].

13966 SC-47 COMMUNICATIONS PATH DIVERSITY

13967 Control: Establish [Assignment: organization-defined alternate communications paths] for
13968 system operations organizational command and control.
13969 Discussion: An incident, whether adversarial- or nonadversarial-based, can disrupt established
13970 communications paths used for system operations and organizational command and control. The
13971 inability of organizational officials to obtain timely information about disruptions or to provide
13972 timely direction to operational elements can impact the organization’s ability to respond in a
13973 timely manner to such incidents. Establishing alternate communications paths for command and
13974 control purposes, including designating alternative decision makers if primary decision makers
13975 are unavailable and establishing the extent and limitations of their actions, can greatly facilitate
13976 the organization’s ability to continue to operate and take appropriate actions during an incident.
13977 Related Controls: CP-2, CP-8.
13978 Control Enhancements: None.
13979 References: [SP 800-34]; [SP 800-61]; [SP 800-160 v2].

13980 SC-48 SENSOR RELOCATION

13981 Control: Relocate [Assignment: organization-defined sensors and monitoring capabilities] to
13982 [Assignment: organization-defined locations] under the following conditions or circumstances:
13983 [Assignment: organization-defined conditions or circumstances].
13984 Discussion: Adversaries may take various paths and use different approaches as they move
13985 laterally through an organization (including its systems) to reach their target or as they attempt
13986 to exfiltrate information from the organization. The organization often only has a limited set of
13987 monitoring and detection capabilities and they may be focused on the critical or likely infiltration
13988 or exfiltration paths. By using communications paths that the organization typically does not
13989 monitor, the adversary can increase its chances of achieving its desired goals. By relocating its
13990 sensors or monitoring capabilities to new locations, the organization can impede the adversary’s
13991 ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done
13992 based on threat information the organization has acquired or randomly to confuse the adversary
13993 and make its lateral transition through the system or organization more challenging.
13994 Related Controls: AU-2, SC-7, SI-4.
13995 Control Enhancements:
13996 (1) SENSOR RELOCATION | DYNAMIC RELOCATION OF SENSORS OR MONITORING CAPABILITIES
13997 Dynamically relocate [Assignment: organization-defined sensors and monitoring
13998 capabilities] to [Assignment: organization-defined locations] under the following
13999 conditions or circumstances: [Assignment: organization-defined conditions or
14000 circumstances].
14001 Discussion: None.
14002 Related Controls: None.
14003 References: [SP 800-160 v2].

14004 SC-49 HARDWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT

14005 Control: Implement hardware-enforced separation and policy enforcement mechanisms
14006 between [Assignment: organization-defined security domains].

CHAPTER THREE PAGE 320

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14007 Discussion: System owners may require additional strength of mechanism and robustness to
14008 ensure domain separation and policy enforcement for specific types of threats and environments
14009 of operation. Hardware-enforced separation and policy enforcement provide greater strength of
14010 mechanism than software-enforced separation and policy enforcement.
14011 Related Controls: AC-4, SA-8, SC-50.
14012 Control Enhancements: None.
14013 References: [SP 800-160 v1].

14014 SC-50 SOFTWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT

14015 Control: Implement software-enforced separation and policy enforcement mechanisms between
14016 [Assignment: organization-defined security domains].
14017 Discussion: System owners may require additional strength of mechanism and robustness to
14018 ensure domain separation and policy enforcement (e.g., filtering) for specific types of threats and
14019 environments of operation.
14020 Related Controls: AC-3, AC-4, SA-8, SC-2, SC-3, SC-49.
14021 Control Enhancements: None.
14022 References: [SP 800-160 v1].

14023 SC-51 OPERATIONAL AND INTERNET-BASED TECHNOLOGIES

14024 Control:
14025 a. Implement the following controls on [Assignment: organization-defined Operational
14026 Technology (OT), Internet of Things (IoT), and/or Industrial Internet of Things (IIoT) systems,
14027 components, or devices] prior to connecting to [Assignment: organization-defined systems or
14028 networks]: [Assignment: organization-defined controls]; or
14029 b. Isolate the OT, IoT, and IIoT systems, components, or devices from the designated
14030 organizational systems or prohibit network connectivity by the systems, components, or
14031 devices.
14032 Discussion: Operational Technology (OT) is the hardware, software, and firmware components
14033 of a system used to detect or cause changes in physical processes through the direct control and
14034 monitoring of physical devices. Examples include distributed control systems (DCS), supervisory
14035 control and data acquisition (SCADA) systems, and programmable logic controllers (PLC). The
14036 term operational technology is used to demonstrate the differences between industrial control
14037 systems (ICS) that are typically found in manufacturing and power plants and the information
14038 technology (IT) systems that typically support traditional data processing applications. The term
14039 Internet of Things (IoT) is used to describe the network of devices (e.g., vehicles, medical devices,
14040 wearables, and home appliances) that contain the hardware, software, firmware, and actuators
14041 which allow the devices to connect, interact, and exchange data and information. IoT extends
14042 Internet connectivity beyond workstations, notebook computers, smartphones and tablets to
14043 physical devices that do not typically have such connectivity. IoT devices can communicate and
14044 interact over the Internet, and they can be remotely monitored and controlled. Finally, the term
14045 Industrial Internet of Things (IIoT) is used to describe the sensors, instruments, machines, and
14046 other devices that are networked together and use Internet connectivity to enhance industrial
14047 and manufacturing business processes and applications.
14048 The recent convergence of IT and OT, producing cyber-physical systems, increases the attack
14049 surface of organizations significantly and provides attack vectors that are challenging to address.
14050 Unfortunately, most of the current generation of IoT, OT and IIOT devices are not designed with

CHAPTER THREE PAGE 321

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14051 security as a foundational property. Connections to and from such devices are generally not
14052 encrypted, do not provide the necessary authentication, are not monitored, and are not logged.
14053 As a result, these devices pose a significant cyber threat. In some instances, gaps in IoT, OT, and
14054 IIoT security capabilities may be addressed by employing intermediary devices that can provide
14055 encryption, authentication, security scanning, and logging capabilities, and preclude the devices
14056 from being accessible from the Internet. But such mitigating options are not always available.
14057 The situation is further complicated because some of the IoT/OT/IIoT devices are needed for
14058 essential missions and functions. In those instances, it is necessary that such devices are isolated
14059 from the Internet to reduce the susceptibility to hostile cyber-attacks.
14060 Related Controls: AC-3, AC-4, SA-8, SC-2, SC-3, SC-49.
14061 Control Enhancements: None.
14062 References: [SP 800-160 v1].

CHAPTER THREE PAGE 322

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14063 3.19 SYSTEM AND INFORMATION INTEGRITY

14064 Quick link to System and Information Integrity summary table

14065 SI-1 POLICY AND PROCEDURES

14066 Control:
14067 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
14068 roles]:
14069 1. [Selection (one or more): organization-level; mission/business process-level; system-
14070 level] system and information integrity policy that:
14071 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
14072 coordination among organizational entities, and compliance; and
14073 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
14074 standards, and guidelines; and
14075 2. Procedures to facilitate the implementation of the system and information integrity
14076 policy and the associated system and information integrity controls;
14077 b. Designate an [Assignment: organization-defined official] to manage the development,
14078 documentation, and dissemination of the system and information integrity policy and
14079 procedures; and
14080 c. Review and update the current system and information integrity:
14081 1. Policy [Assignment: organization-defined frequency]; and
14082 2. Procedures [Assignment: organization-defined frequency].
14083 Discussion: This control addresses policy and procedures for the controls in the SI family
14084 implemented within systems and organizations. The risk management strategy is an important
14085 factor in establishing such policies and procedures. Policies and procedures help provide security
14086 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
14087 on their development. Security and privacy program policies and procedures at the organization
14088 level are preferable, in general, and may obviate the need for system-specific policies and
14089 procedures. The policy can be included as part of the general security and privacy policy or can
14090 be represented by multiple policies reflecting the complex nature of organizations. Procedures
14091 can be established for security and privacy programs and for systems, if needed. Procedures
14092 describe how the policies or controls are implemented and can be directed at the individual or
14093 role that is the object of the procedure. Procedures can be documented in system security and
14094 privacy plans or in one or more separate documents. Restating controls does not constitute an
14095 organizational policy or procedure.
14096 Related Controls: PM-9, PS-8, SA-8, SI-12.
14097 Control Enhancements: None.
14098 References: [OMB A-130]; [SP 800-12]; [SP 800-100].

14099 SI-2 FLAW REMEDIATION

14100 Control:
14101 a. Identify, report, and correct system flaws;

CHAPTER THREE PAGE 323

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14102 b. Test software and firmware updates related to flaw remediation for effectiveness and
14103 potential side effects before installation;
14104 c. Install security-relevant software and firmware updates within [Assignment: organization-
14105 defined time-period] of the release of the updates; and
14106 d. Incorporate flaw remediation into the organizational configuration management process.
14107 Discussion: The need to remediate system flaws applies to all types of software and firmware.
14108 Organizations identify systems affected by software flaws, including potential vulnerabilities
14109 resulting from those flaws, and report this information to designated organizational personnel
14110 with information security and privacy responsibilities. Security-relevant updates include patches,
14111 service packs, and malicious code signatures. Organizations also address flaws discovered during
14112 assessments, continuous monitoring, incident response activities, and system error handling. By
14113 incorporating flaw remediation into configuration management processes, required remediation
14114 actions can be tracked and verified.
14115 Organization-defined time-periods for updating security-relevant software and firmware may
14116 vary based on a variety of risk factors, including the security category of the system or the
14117 criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the
14118 organizational mission; or the threat environment. Some types of flaw remediation may require
14119 more testing than other types. Organizations determine the type of testing needed for the
14120 specific type of flaw remediation activity under consideration and the types of changes that are
14121 to be configuration-managed. In some situations, organizations may determine that the testing
14122 of software or firmware updates is not necessary or practical, for example, when implementing
14123 simple malicious code signature updates. Organizations consider in testing decisions whether
14124 security-relevant software or firmware updates are obtained from authorized sources with
14125 appropriate digital signatures.
14126 Related Controls: CA-5, CM-3, CM-4, CM-5, CM-6, CM-8, MA-2, RA-5, SA-8, SA-10, SA-11, SI-3, SI-
14127 5, SI-7, SI-11.
14128 Control Enhancements:
14129 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT
14130 Centrally manage the flaw remediation process.
14131 Discussion: Central management is the organization-wide management and implementation
14132 of flaw remediation processes. It includes planning, implementing, assessing, authorizing,
14133 and monitoring the organization-defined, centrally managed flaw remediation controls.
14134 Related Controls: PL-9.
14135 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS
14136 Determine if system components have applicable security-relevant software and firmware
14137 updates installed using [Assignment: organization-defined automated mechanisms]
14138 [Assignment: organization-defined frequency].
14139 Discussion: Automated mechanisms can track and determine the status of known flaws for
14140 system components.
14141 Related Controls: CA-7, SI-4.
14142 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS
14143 (a) Measure the time between flaw identification and flaw remediation; and
14144 (b) Establish the following benchmarks for taking corrective actions: [Assignment:
14145 organization-defined benchmarks].
14146 Discussion: Organizations determine the time it takes on average to correct system flaws
14147 after such flaws have been identified, and subsequently establish organizational benchmarks

CHAPTER THREE PAGE 324

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14148 (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type
14149 of flaw or the severity of the potential vulnerability if the flaw can be exploited.
14150 Related Controls: None.
14151 (4) FLAW REMEDIATION | AUTOMATED PATCH MANAGEMENT TOOLS
14152 Employ automated patch management tools to facilitate flaw remediation to the following
14153 system components: [Assignment: organization-defined system components].
14154 Discussion: Using automated tools to support patch management helps to ensure the
14155 timeliness and completeness of system patching operations.
14156 Related Controls: None.
14157 (5) FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES
14158 Install [Assignment: organization-defined security-relevant software and firmware
14159 updates] automatically to [Assignment: organization-defined system components].
14160 Discussion: Due to system integrity and availability concerns, organizations consider the
14161 methodology used to carry out automatic updates. Organizations balance the need to
14162 ensure that the updates are installed as soon as possible with the need to maintain
14163 configuration management and control with any mission or operational impacts that
14164 automatic updates might impose.
14165 Related Controls: None.
14166 (6) FLAW REMEDIATION | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE AND FIRMWARE
14167 Remove previous versions of [Assignment: organization-defined software and firmware
14168 components] after updated versions have been installed.
14169 Discussion: Previous versions of software or firmware components that are not removed
14170 from the system after updates have been installed may be exploited by adversaries. Some
14171 products may remove previous versions of software and firmware automatically from the
14172 system.
14173 Related Controls: None.
14174 References: [OMB A-130]; [FIPS 140-3]; [FIPS 186-4]; [SP 800-40]; [SP 800-128]; [IR 7788].

14175 SI-3 MALICIOUS CODE PROTECTION

14176 Control:
14177 a. Implement [Selection (one or more): signature based; non-signature based] malicious code
14178 protection mechanisms at system entry and exit points to detect and eradicate malicious
14179 code;
14180 b. Automatically update malicious code protection mechanisms as new releases are available in
14181 accordance with organizational configuration management policy and procedures;
14182 c. Configure malicious code protection mechanisms to:
14183 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and
14184 real-time scans of files from external sources at [Selection (one or more); endpoint;
14185 network entry/exit points] as the files are downloaded, opened, or executed in
14186 accordance with organizational policy; and
14187 2. [Selection (one or more): block malicious code; quarantine malicious code; take
14188 [Assignment: organization-defined action]]; and send alert to [Assignment: organization-
14189 defined personnel or roles] in response to malicious code detection.

CHAPTER THREE PAGE 325

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14190 d. Address the receipt of false positives during malicious code detection and eradication and
14191 the resulting potential impact on the availability of the system.
14192 Discussion: System entry and exit points include firewalls, remote-access servers, workstations,
14193 electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices.
14194 Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be
14195 encoded in various formats contained within compressed or hidden files, or hidden in files using
14196 techniques such as steganography. Malicious code can be inserted into systems in a variety of
14197 ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious
14198 code insertions occur through the exploitation of system vulnerabilities. A variety of technologies
14199 and methods exist to limit or eliminate the effects of malicious code.
14200 Malicious code protection mechanisms include both signature- and nonsignature-based
14201 technologies. Nonsignature-based detection mechanisms include artificial intelligence
14202 techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of
14203 malicious code and to provide controls against such code for which signatures do not yet exist or
14204 for which existing signatures may not be effective. Malicious code for which active signatures do
14205 yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes
14206 signatures when it replicates). Nonsignature-based mechanisms also include reputation-based
14207 technologies. In addition to the above technologies, pervasive configuration management,
14208 comprehensive software integrity controls, and anti-exploitation software may be effective in
14209 preventing execution of unauthorized code. Malicious code may be present in commercial off-
14210 the-shelf software and in custom-built software and could include logic bombs, back doors, and
14211 other types of attacks that could affect organizational missions and business functions.
14212 In situations where malicious code cannot be detected by detection methods or technologies,
14213 organizations rely on other types of controls, including secure coding practices, configuration
14214 management and control, trusted procurement processes, and monitoring practices to ensure
14215 that software does not perform functions other than the functions intended. Organizations may
14216 determine in response to the detection of malicious code, different actions may be warranted.
14217 For example, organizations can define actions in response to malicious code detection during
14218 periodic scans, actions in response to detection of malicious downloads, or actions in response to
14219 detection of maliciousness when attempting to open or execute files.
14220 Related Controls: AC-4, AC-19, CM-3, CM-8, IR-4, MA-3, MA-4, RA-5, SC-7, SC-23, SC-26, SC-28,
14221 SC-44, SI-2, SI-4, SI-7, SI-8, SI-15.
14222 Control Enhancements:
14223 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT
14224 Centrally manage malicious code protection mechanisms.
14225 Discussion: Central management addresses the organization-wide management and
14226 implementation of malicious code protection mechanisms. Central management includes
14227 planning, implementing, assessing, authorizing, and monitoring the organization-defined,
14228 centrally managed flaw and malicious code protection controls.
14229 Related Controls: PL-9.
14230 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES
14231 [Withdrawn: Incorporated into SI-3.]
14232 (3) MALICIOUS CODE PROTECTION | NON-PRIVILEGED USERS
14233 [Withdrawn: Incorporated into AC-6(10).]
14234 (4) MALICIOUS CODE PROTECTION | UPDATES ONLY BY PRIVILEGED USERS
14235 Update malicious code protection mechanisms only when directed by a privileged user.

CHAPTER THREE PAGE 326

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14236 Discussion: Protection mechanisms for malicious code are typically categorized as security-
14237 related software and as such, are only updated by organizational personnel with appropriate
14238 access privileges.
14239 Related Controls: CM-5.
14240 (5) MALICIOUS CODE PROTECTION | PORTABLE STORAGE DEVICES
14241 [Withdrawn: Incorporated into MP-7.]
14242 (6) MALICIOUS CODE PROTECTION | TESTING AND VERIFICATION
14243 (a) Test malicious code protection mechanisms [Assignment: organization-defined
14244 frequency] by introducing known benign code into the system; and
14245 (b) Verify that the detection of the code and the associated incident reporting occur.
14246 Discussion: None.
14247 Related Controls: CA-2, CA-7, RA-5.
14248 (7) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION
14249 [Withdrawn: Incorporated into SI-3.]
14250 (8) MALICIOUS CODE PROTECTION | DETECT UNAUTHORIZED COMMANDS
14251 (a) Detect the following unauthorized operating system commands through the kernel
14252 application programming interface on [Assignment: organization-defined system
14253 hardware components]: [Assignment: organization-defined unauthorized operating
14254 system commands]; and
14255 (b) [Selection (one or more): issue a warning; audit the command execution; prevent the
14256 execution of the command].
14257 Discussion: Detecting unauthorized commands can be applied to critical interfaces other
14258 than kernel-based interfaces, including interfaces with virtual machines and privileged
14259 applications. Unauthorized operating system commands include commands for kernel
14260 functions from system processes that are not trusted to initiate such commands, or
14261 commands for kernel functions that are suspicious even though commands of that type are
14262 reasonable for processes to initiate. Organizations can define the malicious commands to be
14263 detected by a combination of command types, command classes, or specific instances of
14264 commands. Organizations can also define hardware components by component type,
14265 component, component location in the network, or combination therein. Organizations may
14266 select different actions for different types, classes, or instances of malicious commands.
14267 Related Controls: AU-2, AU-6, AU-12.
14268 (9) MALICIOUS CODE PROTECTION | AUTHENTICATE REMOTE COMMANDS
14269 Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment:
14270 organization-defined remote commands].
14271 Discussion: This control enhancement protects against unauthorized remote commands and
14272 the replay of authorized commands. This capability is important for those remote systems
14273 whose loss, malfunction, misdirection, or exploitation would have immediate and/or serious
14274 consequences, including, for example, injury or death, property damage, loss of high-value
14275 assets, compromise of classified or controlled unclassified information, or failure of missions
14276 or business functions. Authentication safeguards for remote commands ensure that systems
14277 accept and execute commands in the order intended, execute only authorized commands,
14278 and reject unauthorized commands. Cryptographic mechanisms can be employed, for
14279 example, to authenticate remote commands.
14280 Related Controls: SC-12, SC-13, SC-23.

CHAPTER THREE PAGE 327

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14281 (10) MALICIOUS CODE PROTECTION | MALICIOUS CODE ANALYSIS

14282 (a) Employ the following tools and techniques to analyze the characteristics and behavior
14283 of malicious code: [Assignment: organization-defined tools and techniques]; and
14284 (b) Incorporate the results from malicious code analysis into organizational incident
14285 response and flaw remediation processes.
14286 Discussion: The use of malicious code analysis tools provides organizations with a more in-
14287 depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and
14288 the functionality and purpose of specific instances of malicious code. Understanding the
14289 characteristics of malicious code facilitates effective organizational responses to current and
14290 future threats. Organizations can conduct malicious code analyses by employing reverse
14291 engineering techniques or by monitoring the behavior of executing code.
14292 Related Controls: None.
14293 References: [SP 800-83]; [SP 800-125B]; [SP 800-177].

14294 SI-4 SYSTEM MONITORING

14295 Control:
14296 a. Monitor the system to detect:
14297 1. Attacks and indicators of potential attacks in accordance with the following monitoring
14298 objectives: [Assignment: organization-defined monitoring objectives]; and
14299 2. Unauthorized local, network, and remote connections;
14300 b. Identify unauthorized use of the system through the following techniques and methods:
14301 [Assignment: organization-defined techniques and methods];
14302 c. Invoke internal monitoring capabilities or deploy monitoring devices:
14303 1. Strategically within the system to collect organization-determined essential information;
14304 and
14305 2. At ad hoc locations within the system to track specific types of transactions of interest
14306 to the organization;
14307 d. Protect information obtained from intrusion-monitoring tools from unauthorized access,
14308 modification, and deletion;
14309 e. Adjust the level of system monitoring activity when there is a change in risk to organizational
14310 operations and assets, individuals, other organizations, or the Nation;
14311 f. Obtain legal opinion regarding system monitoring activities; and
14312 g. Provide [Assignment: organization-defined system monitoring information] to [Assignment:
14313 organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment:
14314 organization-defined frequency]].
14315 Discussion: System monitoring includes external and internal monitoring. External monitoring
14316 includes the observation of events occurring at system boundaries. Internal monitoring includes
14317 the observation of events occurring within the system. Organizations monitor systems, for
14318 example, by observing audit activities in real time or by observing other system aspects such as
14319 access patterns, characteristics of access, and other actions. The monitoring objectives guide and
14320 inform the determination of the events. System monitoring capability is achieved through a
14321 variety of tools and techniques, including intrusion detection and prevention systems, malicious
14322 code protection software, scanning tools, audit record monitoring software, and network
14323 monitoring software.

CHAPTER THREE PAGE 328

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14324 Depending on the security architecture implementation, the distribution and configuration of
14325 monitoring devices may impact throughput at key internal and external boundaries, and at other
14326 locations across a network due to the introduction of network throughput latency. If throughput
14327 management is needed, such devices are strategically located and deployed as part of an
14328 established organization-wide security architecture. Strategic locations for monitoring devices
14329 include selected perimeter locations and near key servers and server farms supporting critical
14330 applications. Monitoring devices are typically employed at the managed interfaces associated
14331 with controls SC-7 and AC-17. The information collected is a function of the organizational
14332 monitoring objectives and the capability of systems to support such objectives. Specific types of
14333 transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP
14334 proxies. System monitoring is an integral part of organizational continuous monitoring and
14335 incident response programs and output from system monitoring serves as input to those
14336 programs. System monitoring requirements, including the need for specific types of system
14337 monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-
14338 13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-
14339 43b). Adjustments to levels of system monitoring are based on law enforcement information,
14340 intelligence information, or other sources of information. The legality of system monitoring
14341 activities is based on applicable laws, executive orders, directives, regulations, policies,
14342 standards, and guidelines.
14343 Related Controls: AC-2, AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, AU-13, AU-14,
14344 CA-7, CM-3, CM-6, CM-8, CM-11, IA-10, IR-4, MA-3, MA-4, PM-12, RA-5, SC-5, SC-7, SC-18, SC-26,
14345 SC-31, SC-35, SC-36, SC-37, SC-43, SI-3, SI-6, SI-7, SR-9, SR-10.
14346 Control Enhancements:
14347 (1) SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM
14348 Connect and configure individual intrusion detection tools into a system-wide intrusion
14349 detection system.
14350 Discussion: Linking individual intrusion detection tools into a system-wide intrusion
14351 detection system provides additional coverage and effective detection capability. The
14352 information contained in one intrusion detection tool can be shared widely across the
14353 organization making the system-wide detection capability more robust and powerful.
14354 Related Controls: None.
14355 (2) SYSTEM MONITORING | AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME ANALYSIS
14356 Employ automated tools and mechanisms to support near real-time analysis of events.
14357 Discussion: Automated tools and mechanisms include host-based, network-based,
14358 transport-based, or storage-based event monitoring tools and mechanisms or Security
14359 Information and Event Management technologies that provide real time analysis of alerts
14360 and notifications generated by organizational systems. Automated monitoring techniques
14361 can create unintended privacy risks because automated controls may connect to external or
14362 otherwise unrelated systems. The matching of records between these systems may create
14363 linkages with unintended consequences. Organizations assess and document these risks in
14364 their privacy impact assessment and make determinations that are in alignment with their
14365 privacy program plan.
14366 Related Controls: PM-23, PM-25.
14367 (3) SYSTEM MONITORING | AUTOMATED TOOL AND MECHANISM INTEGRATION
14368 Employ automated tools and mechanisms to integrate intrusion detection tools and
14369 mechanisms into access control and flow control mechanisms.
14370 Discussion: Using automated tools and mechanisms to integrate intrusion detection tools
14371 and mechanisms into access and flow control mechanisms facilitates a rapid response to

CHAPTER THREE PAGE 329

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14372 attacks by enabling reconfiguration of mechanisms in support of attack isolation and

14373 elimination.
14374 Related Controls: PM-23, PM-25.
14375 (4) SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
14376 Monitor inbound and outbound communications traffic [Assignment: organization-defined
14377 frequency] for unusual or unauthorized activities or conditions.
14378 Discussion: Unusual or unauthorized activities or conditions related to system inbound and
14379 outbound communications traffic include internal traffic that indicates the presence of
14380 malicious code within organizational systems or propagating among system components;
14381 the unauthorized exporting of information; or signaling to external systems. Evidence of
14382 malicious code is used to identify potentially compromised systems or system components.
14383 Related Controls: None.
14384 (5) SYSTEM MONITORING | SYSTEM-GENERATED ALERTS
14385 Alert [Assignment: organization-defined personnel or roles] when the following system-
14386 generated indications of compromise or potential compromise occur: [Assignment:
14387 organization-defined compromise indicators].
14388 Discussion: Alerts may be generated from a variety of sources, including audit records or
14389 inputs from malicious code protection mechanisms; intrusion detection or prevention
14390 mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts
14391 can be automated and may be transmitted, for example, telephonically, by electronic mail
14392 messages, or by text messaging. Organizational personnel on the alert notification list can
14393 include system administrators, mission or business owners, system owners, senior agency
14394 information security officers, senior agency officials for privacy, system security officers, or
14395 privacy officers. This control enhancement addresses the security alerts generated by the
14396 system. Alternatively, alerts generated by organizations in SI-4(12) focus on information
14397 sources external to the system such as suspicious activity reports and reports on potential
14398 insider threats.
14399 Related Controls: AU-4, AU-5, PE-6.
14400 (6) SYSTEM MONITORING | RESTRICT NON-PRIVILEGED USERS
14401 [Withdrawn: Incorporated into AC-6(10).]
14402 (7) SYSTEM MONITORING | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
14403 (a) Notify [Assignment: organization-defined incident response personnel (identified by
14404 name and/or by role)] of detected suspicious events; and
14405 (b) Take the following actions upon detection: [Assignment: organization-defined least-
14406 disruptive actions to terminate suspicious events].
14407 Discussion: Least-disruptive actions include initiating requests for human responses.
14408 Related Controls: None.
14409 (8) SYSTEM MONITORING | PROTECTION OF MONITORING INFORMATION
14410 [Withdrawn: Incorporated into SI-4.]
14411 (9) SYSTEM MONITORING | TESTING OF MONITORING TOOLS AND MECHANISMS
14412 Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined
14413 frequency].
14414 Discussion: Testing intrusion-monitoring tools and mechanism is necessary to ensure that
14415 the tools and mechanisms are operating correctly and continue to satisfy the monitoring

CHAPTER THREE PAGE 330

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14416 objectives of organizations. The frequency and depth of testing depends on the types of
14417 tools and mechanisms used by organizations and the methods of deployment.
14418 Related Controls: CP-9.
14419 (10) SYSTEM MONITORING | VISIBILITY OF ENCRYPTED COMMUNICATIONS
14420 Make provisions so that [Assignment: organization-defined encrypted communications
14421 traffic] is visible to [Assignment: organization-defined system monitoring tools and
14422 mechanisms].
14423 Discussion: Organizations balance the need for encrypting communications traffic to protect
14424 data confidentiality with the need for having visibility into such traffic from a monitoring
14425 perspective. Organizations determine whether the visibility requirement applies to internal
14426 encrypted traffic, encrypted traffic intended for external destinations, or a subset of the
14427 traffic types.
14428 Related Controls: None.
14429 (11) SYSTEM MONITORING | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
14430 Analyze outbound communications traffic at the external interfaces to the system and
14431 selected [Assignment: organization-defined interior points within the system] to discover
14432 anomalies.
14433 Discussion: Organization-defined interior points include subnetworks and subsystems.
14434 Anomalies within organizational systems include large file transfers, long-time persistent
14435 connections, attempts to access information from unexpected locations, the use of unusual
14436 protocols and ports, the use of unmonitored network protocols (e.g. IPv6 usage during IPv4
14437 transition), and attempted communications with suspected malicious external addresses.
14438 Related Controls: None.
14439 (12) SYSTEM MONITORING | AUTOMATED ORGANIZATION-GENERATED ALERTS
14440 Alert [Assignment: organization-defined personnel or roles] using [Assignment:
14441 organization-defined automated mechanisms] when the following indications of
14442 inappropriate or unusual activities with security or privacy implications occur:
14443 [Assignment: organization-defined activities that trigger alerts].
14444 Discussion: Organizational personnel on the system alert notification list include system
14445 administrators, mission or business owners, system owners, senior agency information
14446 security officer, senior agency official for privacy, system security officers, or privacy officers.
14447 This control enhancement focuses on the security alerts generated by organizations and
14448 transmitted using automated means. In contrast to the alerts generated by systems in SI-4(5)
14449 that focus on information sources that are internal to the systems such as audit records, the
14450 sources of information for this enhancement focus on other entities such as suspicious
14451 activity reports and reports on potential insider threats.
14452 Related Controls: None.
14453 (13) SYSTEM MONITORING | ANALYZE TRAFFIC AND EVENT PATTERNS
14454 (a) Analyze communications traffic and event patterns for the system;
14455 (b) Develop profiles representing common traffic and event patterns; and
14456 (c) Use the traffic and event profiles in tuning system-monitoring devices.
14457 Discussion: Identifying and understanding common communications traffic and event
14458 patterns helps organizations provide useful information to system monitoring devices to
14459 more effectively identify suspicious or anomalous traffic and events when they occur. Such
14460 information can help reduce the number of false positives and false negatives during system
14461 monitoring.
14462 Related Controls: None.

CHAPTER THREE PAGE 331

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14463 (14) SYSTEM MONITORING | WIRELESS INTRUSION DETECTION

14464 Employ a wireless intrusion detection system to identify rogue wireless devices and to
14465 detect attack attempts and potential compromises or breaches to the system.
14466 Discussion: Wireless signals may radiate beyond organizational facilities. Organizations
14467 proactively search for unauthorized wireless connections, including the conduct of thorough
14468 scans for unauthorized wireless access points. Wireless scans are not limited to those areas
14469 within facilities containing systems, but also include areas outside of facilities to verify that
14470 unauthorized wireless access points are not connected to organizational systems.
14471 Related Controls: AC-18, IA-3.
14472 (15) SYSTEM MONITORING | WIRELESS TO WIRELINE COMMUNICATIONS
14473 Employ an intrusion detection system to monitor wireless communications traffic as the
14474 traffic passes from wireless to wireline networks.
14475 Discussion: Wireless networks are inherently less secure than wired networks. For example,
14476 wireless networks are more susceptible to eavesdroppers or traffic analysis than wireline
14477 networks. Employing intrusion detection systems to monitor wireless communications traffic
14478 helps to ensure that the traffic does not contain malicious code prior to transitioning to the
14479 wireline network.
14480 Related Controls: AC-18.
14481 (16) SYSTEM MONITORING | CORRELATE MONITORING INFORMATION
14482 Correlate information from monitoring tools and mechanisms employed throughout the
14483 system.
14484 Discussion: Correlating information from different system monitoring tools and mechanisms
14485 can provide a more comprehensive view of system activity. Correlating system monitoring
14486 tools and mechanisms that typically work in isolation, including malicious code protection
14487 software, host monitoring, and network monitoring, can provide an organization-wide
14488 monitoring view and may reveal otherwise unseen attack patterns. Understanding
14489 capabilities and limitations of diverse monitoring tools and mechanisms and how to
14490 maximize the utility of information generated by those tools and mechanisms can help
14491 organizations to develop, operate, and maintain effective monitoring programs. Correlation
14492 of monitoring information is especially important during the transition from older to newer
14493 technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
14494 Related Controls: AU-6.
14495 (17) SYSTEM MONITORING | INTEGRATED SITUATIONAL AWARENESS
14496 Correlate information from monitoring physical, cyber, and supply chain activities to
14497 achieve integrated, organization-wide situational awareness.
14498 Discussion: Correlating monitoring information from a more diverse set of information
14499 sources helps to achieve integrated situational awareness. Integrated situational awareness
14500 from a combination of physical, cyber, and supply chain monitoring activities enhances the
14501 capability of organizations to more quickly detect sophisticated attacks and investigate the
14502 methods and techniques employed to carry out such attacks. In contrast to SI-4(16) that
14503 correlates the various cyber monitoring information, this control enhancement correlates
14504 monitoring beyond the cyber domain. Such monitoring may help reveal attacks on
14505 organizations that are operating across multiple attack vectors.
14506 Related Controls: AU-16, PE-6.

CHAPTER THREE PAGE 332

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14507 (18) SYSTEM MONITORING | ANALYZE TRAFFIC AND COVERT EXFILTRATION

14508 Analyze outbound communications traffic at external interfaces to the system and at the
14509 following interior points to detect covert exfiltration of information: [Assignment:
14510 organization-defined interior points within the system].
14511 Discussion: Organization-defined interior points include subnetworks and subsystems.
14512 Covert means that can be used to exfiltrate information include steganography.
14513 Related Controls: None.
14514 (19) SYSTEM MONITORING | RISK FOR INDIVIDUALS
14515 Implement [Assignment: organization-defined additional monitoring] of individuals who
14516 have been identified by [Assignment: organization-defined sources] as posing an increased
14517 level of risk.
14518 Discussion: Indications of increased risk from individuals can be obtained from different
14519 sources, including personnel records, intelligence agencies, law enforcement organizations,
14520 and other sources. The monitoring of individuals is coordinated with management, legal,
14521 security, privacy and human resource officials conducting such monitoring. Monitoring is
14522 conducted in accordance with applicable laws, executive orders, directives, regulations,
14523 policies, standards, and guidelines.
14524 Related Controls: None.
14525 (20) SYSTEM MONITORING | PRIVILEGED USERS
14526 Implement the following additional monitoring of privileged users: [Assignment:
14527 organization-defined additional monitoring].
14528 Discussion: Privileged users have access to more sensitive information, including security-
14529 related information, than the general user population. Access to such information means
14530 that privileged users can potentially do greater damage to systems and organizations than
14531 non-privileged users. Therefore, implementing additional monitoring on privileged users
14532 helps to ensure that organizations can identify malicious activity at the earliest possible time
14533 and take appropriate actions.
14534 Related Controls: AC-18.
14535 (21) SYSTEM MONITORING | PROBATIONARY PERIODS
14536 Implement the following additional monitoring of individuals during [Assignment:
14537 organization-defined probationary period]: [Assignment: organization-defined additional
14538 monitoring].
14539 Discussion: During probationary periods, employees do not have permanent employment
14540 status within organizations. Without such status and having access to information that is
14541 resident on the system, additional monitoring can help identify any potentially malicious
14542 activity or inappropriate behavior.
14543 Related Controls: AC-18.
14544 (22) SYSTEM MONITORING | UNAUTHORIZED NETWORK SERVICES
14545 (a) Detect network services that have not been authorized or approved by [Assignment:
14546 organization-defined authorization or approval processes]; and
14547 (b) [Selection (one or more): audit; alert [Assignment: organization-defined personnel or
14548 roles]] when detected.
14549 Discussion: Unauthorized or unapproved network services include services in service-
14550 oriented architectures that lack organizational verification or validation and therefore may
14551 be unreliable or serve as malicious rogues for valid services.
14552 Related Controls: CM-7.

CHAPTER THREE PAGE 333

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14553 (23) SYSTEM MONITORING | HOST-BASED DEVICES

14554 Implement the following host-based monitoring mechanisms at [Assignment:
14555 organization-defined system components]: [Assignment: organization-defined host-based
14556 monitoring mechanisms].
14557 Discussion: System components where host-based monitoring can be implemented include
14558 servers, notebook computers, and mobile devices. Organizations may consider employing
14559 host-based monitoring mechanisms from multiple product developers or vendors.
14560 Related Controls: AC-18, AC-19.
14561 (24) SYSTEM MONITORING | INDICATORS OF COMPROMISE
14562 Discover, collect, and distribute to [Assignment: organization-defined personnel or roles],
14563 indicators of compromise provided by [Assignment: organization-defined sources].
14564 Discussion: Indicators of compromise (IOC) are forensic artifacts from intrusions that are
14565 identified on organizational systems at the host or network level. IOCs provide valuable
14566 information on systems that have been compromised. IOCs can include the creation of
14567 registry key values. IOCs for network traffic include Universal Resource Locator or protocol
14568 elements that indicate malicious code command and control servers. The rapid distribution
14569 and adoption of IOCs can improve information security by reducing the time that systems
14570 and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures,
14571 tactics, techniques and procedures, and other indicators of compromise may be available via
14572 government and non-government cooperatives including Forum of Incident Response and
14573 Security Teams, United States Computer Emergency Readiness Team, Defense Industrial
14574 Base Cybersecurity Information Sharing Program, and CERT Coordination Center.
14575 Related Controls: AC-18.
14576 (25) SYSTEM MONITORING | OPTIMIZE NETWORK TRAFFIC ANALYSIS
14577 Provide visibility into network traffic at external and key internal system boundaries to
14578 optimize the effectiveness of monitoring devices.
14579 Discussion: Encrypted traffic, asymmetric routing architectures, capacity and latency
14580 limitations, and transitioning from older to newer technologies (e.g., IPv4 to IPv6 network
14581 protocol transition), may result in blind spots for organizations when analyzing network
14582 traffic. Collecting, decrypting, pre-processing and distributing only relevant traffic to
14583 monitoring devices can streamline efficiency and use of the devices and optimize traffic
14584 analysis.
14585 Related Controls: None.
14586 References: [OMB A-130]; [SP 800-61]; [SP 800-83]; [SP 800-92]; [SP 800-94]; [SP 800-137].

14587 SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

14588 Control:
14589 a. Receive system security alerts, advisories, and directives from [Assignment: organization-
14590 defined external organizations] on an ongoing basis;
14591 b. Generate internal security alerts, advisories, and directives as deemed necessary;
14592 c. Disseminate security alerts, advisories, and directives to: [Selection (one or more):
14593 [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined
14594 elements within the organization]; [Assignment: organization-defined external
14595 organizations]]; and
14596 d. Implement security directives in accordance with established time frames, or notify the
14597 issuing organization of the degree of noncompliance.

CHAPTER THREE PAGE 334

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14598 Discussion: The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts
14599 and advisories to maintain situational awareness throughout the federal government. Security
14600 directives are issued by OMB or other designated organizations with the responsibility and
14601 authority to issue such directives. Compliance with security directives is essential due to the
14602 critical nature of many of these directives and the potential (immediate) adverse effects on
14603 organizational operations and assets, individuals, other organizations, and the Nation should the
14604 directives not be implemented in a timely manner. External organizations include supply chain
14605 partners, external mission or business partners, external service providers, and other peer or
14606 supporting organizations.
14607 Related Controls: PM-15, RA-5, SI-2.
14608 Control Enhancements:
14609 (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES
14610 Broadcast security alert and advisory information throughout the organization using
14611 [Assignment: organization-defined automated mechanisms].
14612 Discussion: The significant number of changes to organizational systems and environments
14613 of operation requires the dissemination of security-related information to a variety of
14614 organizational entities that have a direct interest in the success of organizational missions
14615 and business functions. Based on information provided by security alerts and advisories,
14616 changes may be required at one or more of the three levels related to the management of
14617 information security and privacy risk, including the governance level, mission and business
14618 process level, and the information system level.
14619 Related Controls: None.
14620 References: [SP 800-40].

14621 SI-6 SECURITY AND PRIVACY FUNCTION VERIFICATION

14622 Control:
14623 a. Verify the correct operation of [Assignment: organization-defined security and privacy
14624 functions];
14625 b. Perform the verification of the functions specified in SI-6a [Selection (one or more):
14626 [Assignment: organization-defined system transitional states]; upon command by user with
14627 appropriate privilege; [Assignment: organization-defined frequency]];
14628 c. Notify [Assignment: organization-defined personnel or roles] of failed security and privacy
14629 verification tests; and
14630 d. [Selection (one or more): Shut the system down; Restart the system; [Assignment:
14631 organization-defined alternative action(s)]] when anomalies are discovered.
14632 Discussion: Transitional states for systems include system startup, restart, shutdown, and abort.
14633 System notifications include hardware indicator lights, electronic alerts to system administrators,
14634 and messages to local computer consoles. In contrast to security function verification, privacy
14635 function verification ensures that privacy functions operate as expected and are approved by the
14636 senior agency official for privacy, or that privacy attributes are applied or used as expected.
14637 Related Controls: CA-7, CM-4, CM-6, SI-7.
14638 Control Enhancements:
14639 (1) SECURITY AND PRIVACY FUNCTION VERIFICATION | NOTIFICATION OF FAILED SECURITY TESTS
14640 [Withdrawn: Incorporated into SI-6.]

CHAPTER THREE PAGE 335

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14641 (2) SECURITY AND PRIVACY FUNCTION VERIFICATION | AUTOMATION SUPPORT FOR DISTRIBUTED
14642 TESTING
14643 Implement automated mechanisms to support the management of distributed security
14644 and privacy function testing.
14645 Discussion: The use of automated mechanisms to support the management of distributed
14646 function testing helps to ensure the integrity, timeliness, completeness, and efficacy of such
14647 testing.
14648 Related Controls: SI-2.
14649 (3) SECURITY AND PRIVACY FUNCTION VERIFICATION | REPORT VERIFICATION RESULTS
14650 Report the results of security and privacy function verification to [Assignment:
14651 organization-defined personnel or roles].
14652 Discussion: Organizational personnel with potential interest in the results of the verification
14653 of security and privacy function include systems security officers, senior agency information
14654 security officers, and senior agency officials for privacy.
14655 Related Controls: SI-4, SR-4, SR-5.
14656 References: [OMB A-130].

14657 SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

14658 Control:
14659 a. Employ integrity verification tools to detect unauthorized changes to the following software,
14660 firmware, and information: [Assignment: organization-defined software, firmware, and
14661 information]; and
14662 b. Take the following actions when unauthorized changes to the software, firmware, and
14663 information are detected: [Assignment: organization-defined actions].
14664 Discussion: Unauthorized changes to software, firmware, and information can occur due to
14665 errors or malicious activity. Software includes operating systems (with key internal components
14666 such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output
14667 System (BIOS). Information includes personally identifiable information and metadata containing
14668 security and privacy attributes associated with information. Integrity-checking mechanisms,
14669 including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools
14670 can automatically monitor the integrity of systems and hosted applications.
14671 Related Controls: AC-4, CM-3, CM-7, CM-8, MA-3, MA-4, RA-5, SA-8, SA-9, SA-10, SC-8, SC-12,
14672 SC-13, SC-28, SC-37, SI-3, SR-3, SR-4, SR-5, SR-6, SR-9, SR-10, SR-11.
14673 Control Enhancements:
14674 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS
14675 Perform an integrity check of [Assignment: organization-defined software, firmware, and
14676 information] [Selection (one or more): at startup; at [Assignment: organization-defined
14677 transitional states or security-relevant events]; [Assignment: organization-defined
14678 frequency]].
14679 Discussion: Security-relevant events include the identification of a new threat to which
14680 organizational systems are susceptible, and the installation of new hardware, software, or
14681 firmware. Transitional states include system startup, restart, shutdown, and abort.
14682 Related Controls: None.

CHAPTER THREE PAGE 336

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14683 (2) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY
14684 VIOLATIONS
14685 Employ automated tools that provide notification to [Assignment: organization-defined
14686 personnel or roles] upon discovering discrepancies during integrity verification.
14687 Discussion: The employment of automated tools to report system and information integrity
14688 violations and to notify organizational personnel in a timely matter is essential to effective
14689 risk response. Personnel having an interest in system and information integrity violations
14690 include mission and business owners, system owners, senior agency information security
14691 official, senior agency official for privacy, systems administrators, software developers,
14692 systems integrators, and information security officers, and privacy officers.
14693 Related Controls: None.
14694 (3) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CENTRALLY-MANAGED INTEGRITY TOOLS
14695 Employ centrally managed integrity verification tools.
14696 Discussion: Centrally-managed integrity verification tools provides greater consistency in
14697 the application of such tools and can facilitate more comprehensive coverage of integrity
14698 verification actions.
14699 Related Controls: AU-3, SI-2, SI-8.
14700 (4) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | TAMPER-EVIDENT PACKAGING
14701 [Withdrawn: Incorporated into SR-9.]
14702 (5) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY
14703 VIOLATIONS
14704 Automatically [Selection (one or more): shut the system down; restart the system;
14705 implement [Assignment: organization-defined controls]] when integrity violations are
14706 discovered.
14707 Discussion: Organizations may define different integrity checking responses by type of
14708 information, by specific information, or a combination of both. Types of information include
14709 firmware, software, and user data. Specific information includes boot firmware for certain
14710 types of machines. The automatic implementation of controls within organizational systems
14711 includes reversing the changes, halting the system, or triggering audit alerts when
14712 unauthorized modifications to critical security files occur.
14713 Related Controls: None.
14714 (6) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION
14715 Implement cryptographic mechanisms to detect unauthorized changes to software,
14716 firmware, and information.
14717 Discussion: Cryptographic mechanisms used to protect integrity include digital signatures
14718 and the computation and application of signed hashes using asymmetric cryptography;
14719 protecting the confidentiality of the key used to generate the hash; and using the public key
14720 to verify the hash information. Organizations employing cryptographic mechanisms also
14721 consider cryptographic key management solutions (see SC-12 and SC-13).
14722 Related Controls: SC-12, SC-13.
14723 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND
14724 RESPONSE
14725 Incorporate the detection of the following unauthorized changes into the organizational
14726 incident response capability: [Assignment: organization-defined security-relevant changes
14727 to the system].

CHAPTER THREE PAGE 337

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14728 Discussion: This control enhancement helps to ensure that detected events are tracked,
14729 monitored, corrected, and available for historical purposes. Maintaining historical records is
14730 important both for being able to identify and discern adversary actions over an extended
14731 time-period and for possible legal actions. Security-relevant changes include unauthorized
14732 changes to established configuration settings or unauthorized elevation of system privileges.
14733 Related Controls: AU-2, AU-6, IR-4, IR-5, SI-4.
14734 (8) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUDITING CAPABILITY FOR SIGNIFICANT
14735 EVENTS
14736 Upon detection of a potential integrity violation, provide the capability to audit the event
14737 and initiate the following actions: [Selection (one or more): generate an audit record; alert
14738 current user; alert [Assignment: organization-defined personnel or roles]; [Assignment:
14739 organization-defined other actions]].
14740 Discussion: Organizations select response actions based on types of software, specific
14741 software, or information for which there are potential integrity violations.
14742 Related Controls: AU-2, AU-6, AU-12.
14743 (9) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS
14744 Verify the integrity of the boot process of the following system components: [Assignment:
14745 organization-defined system components].
14746 Discussion: Ensuring the integrity of boot processes is critical to starting system components
14747 in known, trustworthy states. Integrity verification mechanisms provide a level of assurance
14748 that only trusted code is executed during boot processes.
14749 Related Controls: SI-6.
14750 (10) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | PROTECTION OF BOOT FIRMWARE
14751 Implement the following mechanisms to protect the integrity of boot firmware in
14752 [Assignment: organization-defined system components]: [Assignment: organization-
14753 defined mechanisms].
14754 Discussion: Unauthorized modifications to boot firmware may indicate a sophisticated,
14755 targeted attack. These types of targeted attacks can result in a permanent denial of service
14756 or a persistent malicious code presence. These situations can occur, for example, if the
14757 firmware is corrupted or if the malicious code is embedded within the firmware. System
14758 components can protect the integrity of boot firmware in organizational systems by verifying
14759 the integrity and authenticity of all updates to the firmware prior to applying changes to the
14760 system component; and preventing unauthorized processes from modifying the boot
14761 firmware.
14762 Related Controls: SI-6.
14763 (11) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CONFINED ENVIRONMENTS WITH LIMITED
14764 PRIVILEGES
14765 [Withdrawn: Moved to CM-7(6).]
14766 (12) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION
14767 Require that the integrity of the following user-installed software be verified prior to
14768 execution: [Assignment: organization-defined user-installed software].
14769 Discussion: Organizations verify the integrity of user-installed software prior to execution to
14770 reduce the likelihood of executing malicious code or executing code that contains errors
14771 from unauthorized modifications. Organizations consider the practicality of approaches to
14772 verifying software integrity, including availability of checksums of adequate trustworthiness
14773 from software developers or vendors.

CHAPTER THREE PAGE 338

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14774 Related Controls: CM-11.

14775 (13) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE EXECUTION IN PROTECTED
14776 ENVIRONMENTS
14777 [Withdrawn: Moved to CM-7(7).]
14778 (14) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE
14779 [Withdrawn: Moved to CM-7(8).]
14780 (15) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION
14781 Implement cryptographic mechanisms to authenticate the following software or firmware
14782 components prior to installation: [Assignment: organization-defined software or firmware
14783 components].
14784 Discussion: Cryptographic authentication includes verifying that software or firmware
14785 components have been digitally signed using certificates recognized and approved by
14786 organizations. Code signing is an effective method to protect against malicious code.
14787 Organizations employing cryptographic mechanisms also consider cryptographic key
14788 management solutions (see SC-12 and SC-13).
14789 Related Controls: CM-5.
14790 (16) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | TIME LIMIT ON PROCESS EXECUTION
14791 WITHOUT SUPERVISION
14792 Prohibit processes from executing without supervision for more than [Assignment:
14793 organization-defined time-period].
14794 Discussion: This control enhancement addresses processes for which typical or normal
14795 execution periods can be determined and situations in which organizations exceed such
14796 periods. Supervision includes timers on operating systems, automated responses, or manual
14797 oversight and response when system process anomalies occur.
14798 Related Controls: None.
14799 (17) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION
14800 Implement [Assignment: organization-defined controls] for application self-protection at
14801 runtime.
14802 Discussion: This control enhancement employs runtime instrumentation to detect and
14803 block the exploitation of software vulnerabilities by taking advantage of information from
14804 the software in execution. Runtime exploit prevention differs from traditional perimeter-
14805 based protections such as guards and firewalls, that can only detect and block attacks by
14806 using network information without contextual awareness. Runtime application self-
14807 protection technology can reduce the susceptibility of software to attacks by monitoring its
14808 inputs, and blocking those inputs that could allow attacks. It can also help protect the
14809 runtime environment from unwanted changes and tampering. When a threat is detected,
14810 runtime application self-protection technology can prevent exploitation and take other
14811 actions (e.g., sending a warning message to the user, terminating the user's session,
14812 terminating the application, or sending an alert to organizational personnel). Runtime
14813 application self-protection solutions can be deployed in either a monitor or protection
14814 mode.
14815 Related Controls: SI-16.
14816 References: [OMB A-130]; [FIPS 140-3]; [FIPS 180-4]; [FIPS 186-4]; [FIPS 202]; [SP 800-70]; [SP
14817 800-147].

CHAPTER THREE PAGE 339

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14818 SI-8 SPAM PROTECTION

14819 Control:
14820 a. Employ spam protection mechanisms at system entry and exit points to detect and act on
14821 unsolicited messages; and
14822 b. Update spam protection mechanisms when new releases are available in accordance with
14823 organizational configuration management policy and procedures.
14824 Discussion: System entry and exit points include firewalls, remote-access servers, electronic mail
14825 servers, web servers, proxy servers, workstations, notebook computers, and mobile devices.
14826 Spam can be transported by different means, including email, email attachments, and web
14827 accesses. Spam protection mechanisms include signature definitions.
14828 Related Controls: SC-5, SC-7, SC-38, SI-3, SI-4.
14829 Control Enhancements:
14830 (1) SPAM PROTECTION | CENTRAL MANAGEMENT
14831 Centrally manage spam protection mechanisms.
14832 Discussion: Central management is the organization-wide management and implementation
14833 of spam protection mechanisms. Central management includes planning, implementing,
14834 assessing, authorizing, and monitoring the organization-defined, centrally managed spam
14835 protection controls.
14836 Related Controls: AU-3, CM-6, SI-2, SI-7.
14837 (2) SPAM PROTECTION | AUTOMATIC UPDATES
14838 Automatically update spam protection mechanisms [Assignment: organization-defined
14839 frequency].
14840 Discussion: Using automated mechanisms to update spam protection mechanisms helps to
14841 ensure that updates occur on a regular basis and provide the latest content and protection
14842 capability.
14843 Related Controls: None.
14844 (3) SPAM PROTECTION |CONTINUOUS LEARNING CAPABILITY
14845 Implement spam protection mechanisms with a learning capability to more effectively
14846 identify legitimate communications traffic.
14847 Discussion: Learning mechanisms include Bayesian filters that respond to user inputs
14848 identifying specific traffic as spam or legitimate by updating algorithm parameters and
14849 thereby more accurately separating types of traffic.
14850 Related Controls: None.
14851 References: [SP 800-45]; [SP 800-177].

14852 SI-9 INFORMATION INPUT RESTRICTIONS

14853 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6.]

14854 SI-10 INFORMATION INPUT VALIDATION

14855 Control: Check the validity of the following information inputs: [Assignment: organization-
14856 defined information inputs to the system].
14857 Discussion: Checking the valid syntax and semantics of system inputs, including character set,
14858 length, numerical range, and acceptable values, verifies that inputs match specified definitions

CHAPTER THREE PAGE 340

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14859 for format and content. For example, if the organization specifies that numerical values between
14860 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K%
14861 are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from
14862 field to field within a software application. Applications typically follow well-defined protocols
14863 that use structured messages (i.e., commands or queries) to communicate between software
14864 modules or system components. Structured messages can contain raw or unstructured data
14865 interspersed with metadata or control information. If software applications use attacker-supplied
14866 inputs to construct structured messages without properly encoding such messages, then the
14867 attacker could insert malicious commands or special characters that can cause the data to be
14868 interpreted as control information or metadata. Consequently, the module or component that
14869 receives the corrupted output will perform the wrong operations or otherwise interpret the data
14870 incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being
14871 unintentionally interpreted as commands. Input validation ensures accurate and correct inputs
14872 and prevent attacks such as cross-site scripting and a variety of injection attacks.
14873 Related Controls: None.
14874 Control Enhancements:
14875 (1) INFORMATION INPUT VALIDATION | MANUAL OVERRIDE CAPABILITY
14876 (a) Provide a manual override capability for input validation of the following information
14877 inputs: [Assignment: organization-defined inputs];
14878 (b) Restrict the use of the manual override capability to only [Assignment: organization-
14879 defined authorized individuals]; and
14880 (c) Audit the use of the manual override capability.
14881 Discussion: In certain situations, for example, during events that are defined in contingency
14882 plans, a manual override capability for input validation may be needed. Manual overrides
14883 are used only in limited circumstances and with the inputs defined by the organization.
14884 Related Controls: AC-3, AU-2, AU-12.
14885 (2) INFORMATION INPUT VALIDATION | REVIEW AND RESOLVE ERRORS
14886 Review and resolve input validation errors within [Assignment: organization-defined time-
14887 period].
14888 Discussion: Resolution of input validation errors includes correcting systemic causes of
14889 errors and resubmitting transactions with corrected input.
14890 Related Controls: None.
14891 (3) INFORMATION INPUT VALIDATION | PREDICTABLE BEHAVIOR
14892 Verify that the system behaves in a predictable and documented manner when invalid
14893 inputs are received.
14894 Discussion: A common vulnerability in organizational systems is unpredictable behavior
14895 when invalid inputs are received. This control enhancement ensures that there is predictable
14896 behavior when the system receives invalid inputs by specifying system responses that allow
14897 the system to transition to known states without adverse, unintended side effects. The
14898 invalid inputs are those inputs related to the information inputs defined by the organization
14899 in the base control.
14900 Related Controls: None.
14901 (4) INFORMATION INPUT VALIDATION | TIMING INTERACTIONS
14902 Account for timing interactions among system components in determining appropriate
14903 responses for invalid inputs.

CHAPTER THREE PAGE 341

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14904 Discussion: In addressing invalid system inputs received across protocol interfaces, timing
14905 interactions become relevant, where one protocol needs to consider the impact of the error
14906 response on other protocols in the protocol stack. For example, 802.11 standard wireless
14907 network protocols do not interact well with Transmission Control Protocols (TCP) when
14908 packets are dropped (which could be due to invalid packet input). TCP assumes packet losses
14909 are due to congestion, while packets lost over 802.11 links are typically dropped due to noise
14910 or collisions on the link. If TCP makes a congestion response, it takes the wrong action in
14911 response to a collision event. Adversaries may be able to use what appears to be acceptable
14912 individual behaviors of the protocols in concert to achieve adverse effects through suitable
14913 construction of invalid input.
14914 Related Controls: None.
14915 (5) INFORMATION INPUT VALIDATION | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED
14916 FORMATS
14917 Restrict the use of information inputs to [Assignment: organization-defined trusted
14918 sources] and/or [Assignment: organization-defined formats].
14919 Discussion: This control enhancement applies the concept of whitelisting to information
14920 inputs. Specifying known trusted sources for information inputs and acceptable formats for
14921 such inputs can reduce the probability of malicious activity.
14922 Related Controls: AC-3, AC-6.
14923 (6) INFORMATION INPUT VALIDATION | INJECTION PREVENTION
14924 Prevent untrusted data injections.
14925 Discussion: Untrusted data injections may be prevented using, for example, a parameterized
14926 interface or output escaping (output encoding). Parameterized interfaces separate data from
14927 code so injections of malicious or unintended data cannot change the semantics of the
14928 command being sent. Output escaping uses specified characters to inform the interpreter’s
14929 parser whether data is trusted.
14930 Related Controls: AC-3, AC-6.
14931 References: [OMB A-130, Appendix II].

14932 SI-11 ERROR HANDLING

14933 Control:
14934 a. Generate error messages that provide information necessary for corrective actions without
14935 revealing information that could be exploited; and
14936 b. Reveal error messages only to [Assignment: organization-defined personnel or roles].
14937 Discussion: Organizations consider the structure and the content of error messages. The extent
14938 to which systems can handle error conditions is guided and informed by organizational policy and
14939 operational requirements. Exploitable information includes stack traces and implementation
14940 details; erroneous logon attempts with passwords mistakenly entered as the username; mission
14941 or business information that can be derived from, if not stated explicitly by, the information
14942 recorded; and personally identifiable information such as account numbers, social security
14943 numbers, and credit card numbers. Error messages may also provide a covert channel for
14944 transmitting information.
14945 Related Controls: AU-2, AU-3, SC-31, SI-2.
14946 Control Enhancements: None.
14947 References: None.

CHAPTER THREE PAGE 342

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14948 SI-12 INFORMATION MANAGEMENT AND RETENTION

14949 Control: Manage and retain information within the system and information output from the
14950 system in accordance with applicable laws, executive orders, directives, regulations, policies,
14951 standards, guidelines and operational requirements.
14952 Discussion: Information management and retention requirements cover the full life cycle of
14953 information, in some cases extending beyond system disposal. Information to be retained may
14954 also include policies, procedures, plans, and other types of administrative information. The
14955 National Archives and Records Administration (NARA) provides federal policy and guidance on
14956 records retention. If organizations have a records management office, consider coordinating with
14957 records management personnel.
14958 Related Controls: All XX-1 Controls, AC-16, AU-5, AU-11, CA-2, CA-3, CA-5, CA-6, CA-7, CA-9, CM-
14959 5, CM-9, CP-2, IR-8, MP-2, MP-3, MP-4, MP-6, PL-2, PL-4, PM-4, PM-8, PM-9, PS-2, PS-6, PT-1, PT-
14960 2, PT-3, RA-2, RA-3, SA-5, SR-1.
14961 Control Enhancements:
14962 (1) INFORMATION MANAGEMENT AND RETENTION | LIMIT PERSONALLY IDENTIFIABLE INFORMATION
14963 ELEMENTS
14964 Limit personally identifiable information being processed in the information life cycle to
14965 the following elements of PII: [Assignment: organization-defined elements of personally
14966 identifiable information].
14967 Discussion: Limiting the use of personally identifiable information throughout the
14968 information life cycle when the information is not needed for operational purposes helps to
14969 reduce the level of privacy risk created by a system. The information life cycle includes
14970 information creation, collection, use, processing, storage, maintenance, dissemination,
14971 disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and
14972 policies can provide useful inputs to determining which elements of personally identifiable
14973 information may create risk.
14974 Related Controls: PM-25, PT-2, PT-3, RA-3.
14975 (2) INFORMATION MANAGEMENT AND RETENTION | MINIMIZE PERSONALLY IDENTIFIABLE
14976 INFORMATION IN TESTING, TRAINING, AND RESEARCH
14977 Use the following techniques to minimize the use of personally identifiable information for
14978 research, testing, or training: [Assignment: organization-defined techniques].
14979 Discussion: Organizations can minimize the risk to an individual’s privacy by employing
14980 techniques such as de-identification or synthetic data. Limiting the use of personally
14981 identifiable information throughout the information life cycle when the information is not
14982 needed for research, testing, or training helps reduce the level of privacy risk created by a
14983 system. Risk assessments as well as applicable laws, regulations, and policies can provide
14984 useful inputs to determining the techniques to use and when to use them.
14985 Related Controls: PM-22, PM-25, SI-19.
14986 (3) INFORMATION MANAGEMENT AND RETENTION | INFORMATION DISPOSAL
14987 Use the following techniques to dispose of, destroy, or erase information following the
14988 retention period: [Assignment: organization-defined techniques].
14989 Discussion: Organizations can minimize both security and privacy risks by disposing of
14990 information when it is no longer needed. Disposal or destruction of information applies to
14991 originals as well as copies and archived records, including system logs that may contain
14992 personally identifiable information.
14993 Related Controls: MP-6.

CHAPTER THREE PAGE 343

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

14994 References: [OMB A-130, Appendix II].

14995 SI-13 PREDICTABLE FAILURE PREVENTION

14996 Control:
14997 a. Determine mean time to failure (MTTF) for the following system components in specific
14998 environments of operation: [Assignment: organization-defined system components]; and
14999 b. Provide substitute system components and a means to exchange active and standby
15000 components in accordance with the following criteria: [Assignment: organization-defined
15001 MTTF substitution criteria].
15002 Discussion: While MTTF is primarily a reliability issue, this control addresses potential failures of
15003 system components that provide security capability. Failure rates reflect installation-specific
15004 consideration, not industry-average. Organizations define the criteria for substitution of system
15005 components based on the MTTF value with consideration for resulting potential harm from
15006 component failures. Transfer of responsibilities between active and standby components does
15007 not compromise safety, operational readiness, or security capability. This includes preservation
15008 of system state variables. Standby components remain available at all times except for
15009 maintenance issues or recovery failures in progress.
15010 Related Controls: CP-2, CP-10, CP-13, MA-2, MA-6, SA-8, SC-6.
15011 Control Enhancements:
15012 (1) PREDICTABLE FAILURE PREVENTION | TRANSFERRING COMPONENT RESPONSIBILITIES
15013 Take system components out of service by transferring component responsibilities to
15014 substitute components no later than [Assignment: organization-defined fraction or
15015 percentage] of mean time to failure.
15016 Discussion: Transferring primary system component responsibilities to other substitute
15017 components prior to primary component failure is important to reduce the risk of degraded
15018 or debilitated mission or business operations. Making such transfers based on a percentage
15019 of mean time to failure allows organizations to be proactive based on their risk tolerance.
15020 However, premature replacement of system components can result in increased cost of
15021 system operations.
15022 Related Controls: None.
15023 (2) PREDICTABLE FAILURE PREVENTION | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
15024 [Withdrawn: Incorporated into SI-7(16).]
15025 (3) PREDICTABLE FAILURE PREVENTION | MANUAL TRANSFER BETWEEN COMPONENTS
15026 Manually initiate transfers between active and standby system components when the use
15027 of the active component reaches [Assignment: organization-defined percentage] of the
15028 mean time to failure.
15029 Discussion: For example, if the MTTF for a system component is one hundred days and the
15030 organization-defined percentage is ninety percent, the manual transfer would occur after
15031 ninety days.
15032 Related Controls: None.
15033 (4) PREDICTABLE FAILURE PREVENTION | STANDBY COMPONENT INSTALLATION AND NOTIFICATION
15034 If system component failures are detected:
15035 (a) Ensure that the standby components are successfully and transparently installed
15036 within [Assignment: organization-defined time-period]; and

CHAPTER THREE PAGE 344

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15037 (b) [Selection (one or more): Activate [Assignment: organization-defined alarm];

15038 Automatically shut down the system; [Assignment: organization-defined action]].
15039 Discussion: Automatic or manual transfer of components from standby to active mode can
15040 occur, for example, upon detection of component failures.
15041 Related Controls: None.
15042 (5) PREDICTABLE FAILURE PREVENTION | FAILOVER CAPABILITY
15043 Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover
15044 capability] for the system.
15045 Discussion: Failover refers to the automatic switchover to an alternate system upon the
15046 failure of the primary system. Failover capability includes incorporating mirrored system
15047 operations at alternate processing sites or periodic data mirroring at regular intervals
15048 defined by recovery time-periods of organizations.
15049 Related Controls: CP-6, CP-7, CP-9.
15050 References: None.

15051 SI-14 NON-PERSISTENCE

15052 Control: Implement non-persistent [Assignment: organization-defined system components and
15053 services] that are initiated in a known state and terminated [Selection (one or more): upon end of
15054 session of use; periodically at [Assignment: organization-defined frequency]].
15055 Discussion: This control mitigates risk from advanced persistent threats (APTs) by significantly
15056 reducing the targeting capability of adversaries (i.e., window of opportunity and available attack
15057 surface) to initiate and complete attacks. By implementing the concept of non-persistence for
15058 selected system components, organizations can provide a known state computing resource for a
15059 specific time-period that does not give adversaries sufficient time to exploit vulnerabilities in
15060 organizational systems and the environments in which those systems operate. Since the APT is a
15061 high-end, sophisticated threat regarding capability, intent, and targeting, organizations assume
15062 that over an extended period, a percentage of attacks will be successful. Non-persistent system
15063 components and services are activated as required using protected information and terminated
15064 periodically or at the end of sessions. Non-persistence increases the work factor of adversaries in
15065 attempting to compromise or breach organizational systems.
15066 Non-persistence can be achieved by refreshing system components by periodically re-imaging
15067 components or by using a variety of common virtualization techniques. Non-persistent services
15068 can be implemented by using virtualization techniques as part of virtual machines or as new
15069 instances of processes on physical machines (either persistent or non-persistent). The benefit of
15070 periodic refreshes of system components and services is that it does not require organizations to
15071 first determine whether compromises of components or services have occurred (something that
15072 may often be difficult to determine). The refresh of selected system components and services
15073 occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not
15074 with such frequency that it makes the system unstable. Refreshes of critical components and
15075 services may be done periodically to hinder the ability of adversaries to exploit optimum
15076 windows of vulnerabilities.
15077 Related Controls: SC-30, SC-34, SI-21.
15078 Control Enhancements:
15079 (1) NON-PERSISTENCE | REFRESH FROM TRUSTED SOURCES
15080 Obtain software and data employed during system component and service refreshes from
15081 the following trusted sources: [Assignment: organization-defined trusted sources].

CHAPTER THREE PAGE 345

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15082 Discussion: Trusted sources include software and data from write-once, read-only media or
15083 from selected off-line secure storage facilities.
15084 Related Controls: None.
15085 (2) NON-PERSISTENCE | NON-PERSISTENT INFORMATION
15086 (a) [Selection: refresh [Assignment: organization-defined information] [Assignment:
15087 organization-defined frequency]; generate [Assignment: organization-defined
15088 information] on demand]; and
15089 (b) Delete information when no longer needed.
15090 Discussion: Retaining information longer than it is needed makes the information a
15091 potential target for advanced adversaries searching for high value assets to compromise
15092 through unauthorized disclosure, unauthorized modification, or exfiltration. For system-
15093 related information, unnecessary retention provides advanced adversaries information that
15094 can assist in their reconnaissance and lateral movement through the system.
15095 Related Controls: None.
15096 (3) NON-PERSISTENCE | NON-PERSISTENT CONNECTIVITY
15097 Establish connections to the system on demand and terminate connections after
15098 [Selection: completion of a request; a period of non-use].
15099 Discussion: Persistent connections to systems can provide advanced adversaries with paths
15100 to move laterally through systems, and potentially position themselves closer to high value
15101 assets. Limiting the availability of such connections impedes the adversary’s ability to move
15102 freely organizational systems.
15103 Related Controls: SC-10.
15104 References: None.

15105 SI-15 INFORMATION OUTPUT FILTERING

15106 Control: Validate information output from the following software programs and/or applications
15107 to ensure that the information is consistent with the expected content: [Assignment:
15108 organization-defined software programs and/or applications].
15109 Discussion: Certain types of attacks, including SQL injections, produce output results that are
15110 unexpected or inconsistent with the output results that would be expected from software
15111 programs or applications. Information output filtering focuses on detecting extraneous content,
15112 preventing such extraneous content from being displayed, and then alerting monitoring tools
15113 that anomalous behavior has been discovered.
15114 Related Controls: SI-3, SI-4.
15115 Control Enhancements: None.
15116 References: None.

15117 SI-16 MEMORY PROTECTION

15118 Control: Implement the following controls to protect the system memory from unauthorized
15119 code execution: [Assignment: organization-defined controls].
15120 Discussion: Some adversaries launch attacks with the intent of executing code in non-executable
15121 regions of memory or in memory locations that are prohibited. Controls employed to protect
15122 memory include data execution prevention and address space layout randomization. Data
15123 execution prevention controls can either be hardware-enforced or software-enforced with
15124 hardware enforcement providing the greater strength of mechanism.

CHAPTER THREE PAGE 346

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15125 Related Controls: AC-25, SC-3.

15126 Control Enhancements: None.
15127 References: None.

15128 SI-17 FAIL-SAFE PROCEDURES

15129 Control: Implement the indicated fail-safe procedures when the indicated failures occur:
15130 [Assignment: organization-defined list of failure conditions and associated fail-safe procedures].
15131 Discussion: Failure conditions include loss of communications among critical system components
15132 or between system components and operational facilities. Fail-safe procedures include alerting
15133 operator personnel and providing specific instructions on subsequent steps to take. These steps
15134 include doing nothing, reestablishing system settings, shutting down processes, restarting the
15135 system, or contacting designated organizational personnel.
15136 Related Controls: CP-12, CP-13, SC-24, SI-13.
15137 Control Enhancements: None.
15138 References: None.

15139 SI-18 PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS

15140 Control:
15141 a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable
15142 information across the information life cycle [Assignment: organization-defined frequency];
15143 and
15144 b. Correct or delete inaccurate or outdated personally identifiable information.
15145 Discussion: Personally identifiable information quality operations include the steps that
15146 organizations take to confirm the accuracy and relevance of personally identifiable information
15147 throughout the information life cycle. The information life cycle includes the creation, collection,
15148 use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally
15149 identifiable information. Personally identifiable information quality operations include editing
15150 and validating addresses as they are collected or entered into systems using automated address
15151 verification look-up application programming interfaces. Checking personally identifiable
15152 information quality includes the tracking of updates or changes to data over time, which enables
15153 organizations to know how and what personally identifiable information was changed should
15154 erroneous information be identified. The measures taken to protect personally identifiable
15155 information quality are based on the nature and context of the personally identifiable
15156 information, how it is to be used, how it was obtained, and potential de-identification methods
15157 employed. The measures taken to validate the accuracy of personally identifiable information
15158 used to make determinations about the rights, benefits, or privileges of individuals covered
15159 under federal programs may be more comprehensive than the measures used to validate
15160 personally identifiable information used for less sensitive purposes.
15161 Related Controls: PM-22, PM-24, SI-4.
15162 Control Enhancements:
15163 (1) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | AUTOMATION
15164 Correct or delete personally identifiable information that is inaccurate or outdated,
15165 incorrectly determined regarding impact, or incorrectly de-identified using [Assignment:
15166 organization-defined automated mechanisms].

CHAPTER THREE PAGE 347

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15167 Discussion: The use of automated mechanisms to improve data quality may inadvertently
15168 create privacy risks. Automated tools may connect to external or otherwise unrelated
15169 systems, and the matching of records between these systems may create linkages with
15170 unintended consequences. Organizations assess and document these risks in their privacy
15171 impact assessment and make determinations that are in alignment with their privacy
15172 program plan.
15173 As data is obtained and used across the information life cycle, it is important to confirm the
15174 accuracy and relevance of personally identifiable information. Automated mechanisms can
15175 augment existing data quality processes and procedures and enable an organization to
15176 better identify and manage personally identifiable information in large-scale systems. For
15177 example, automated tools can greatly improve efforts to consistently normalize data or
15178 identify malformed data. Automated tools can also be used to improve auditing of data and
15179 detect errors that may incorrectly alter personally identifiable information or incorrectly
15180 associate such information with the wrong individual. Automated capabilities backstop
15181 processes and procedures at-scale and enable more fine-grained detection and correction of
15182 data quality errors.
15183 Related Controls: PM-18, PM-22, RA-8.
15184 (2) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | DATA TAGS
15185 Employ data tags to automate the correction or deletion of personally identifiable
15186 information across the information life cycle within organizational systems.
15187 Discussion: Data tagging personally identifiable information includes tags noting processing
15188 permissions, authority to process, de-identification, impact level, information life cycle
15189 stage, and retention or last updated dates. Employing data tags for personally identifiable
15190 information can support the use of automation tools to correct or delete relevant personally
15191 identifiable information.
15192 Related Controls: SC-16.
15193 (3) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | COLLECTION
15194 Collect personally identifiable information directly from the individual.
15195 Discussion: Individuals, or their designated representatives, can be a source of correct
15196 personally identifiable information about themselves. Organizations consider contextual
15197 factors that may incentivize individuals to provide correct data versus providing false data.
15198 Additional steps may be necessary to validate collected information based on the nature and
15199 context of the personally identifiable information, how it is to be used, and how it was
15200 obtained. Measures taken to validate the accuracy of personally identifiable information
15201 used to make determinations about the rights, benefits, or privileges of individuals under
15202 federal programs may be more comprehensive than those used to validate less sensitive
15203 personally identifiable information.
15204 Related Controls: None.
15205 (4) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | INDIVIDUAL REQUESTS
15206 Correct or delete personally identifiable information upon request by individuals or their
15207 designated representatives.
15208 Discussion: Inaccurate personally identifiable information maintained by organizations may
15209 cause problems for individuals, especially in those business functions where inaccurate
15210 information may result in inappropriate decisions or the denial of benefits and services to
15211 individuals. Even correct information, in certain circumstances, can cause problems for
15212 individuals that outweigh the benefits of an organization maintaining the information.
15213 Organizations use discretion in determining if personally identifiable information is to be
15214 corrected or deleted, based on the scope of requests, the changes sought, the impact of the

CHAPTER THREE PAGE 348

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15215 changes, and applicable laws, regulations, and policies. Organizational personnel consult
15216 with the senior agency official for privacy and legal counsel regarding appropriate instances
15217 of correction or deletion.
15218 Related Controls: PM-22.
15219 (5) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | NOTICE OF COLLECTION OR
15220 DELETION
15221 Notify [Assignment: organization-defined recipients of personally identifiable information]
15222 and individuals that the personally identifiable information has been corrected or deleted.
15223 Discussion: When personally identifiable information is corrected or deleted, organizations
15224 take steps to ensure that all authorized recipients of such information, and the individual
15225 with which the information is associated or their designated representative, are informed of
15226 the corrected or deleted information.
15227 Related Controls: None.
15228 References: [SP 800-188].

15229 SI-19 DE-IDENTIFICATION

15230 Control:
15231 a. Remove the following elements of personally identifiable information from datasets:
15232 [Assignment: organization-defined elements of personally identifiable information]; and
15233 b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification.
15234 Discussion: De-identification is the general term for the process of removing the association
15235 between a set of identifying data and the data subject. Many datasets contain information about
15236 individuals that can be used to distinguish or trace an individual’s identity, such as name, social
15237 security number, date and place of birth, mother’s maiden name, or biometric records. Datasets
15238 may also contain other information that is linked or linkable to an individual, such as medical,
15239 educational, financial, and employment information. Personally identifiable information is
15240 removed from datasets by trained individuals when such information is not (or no longer)
15241 necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only
15242 used to produce aggregate statistics, the identifiers that are not needed for producing those
15243 statistics are removed. Removing identifiers improves privacy protection, since information that
15244 is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject
15245 to specific de-identification definitions or methods under applicable laws, regulations, or policies.
15246 Re-identification is a residual risk with de-identified data. Re-identification attacks can vary
15247 including combining new datasets or other improvements in data analytics. Maintaining
15248 awareness of potential attacks and evaluating for the effectiveness of the de-identification over
15249 time supports management of this residual risk.
15250 Related Controls: MP-6, PM-22, PM-23, PM-24, RA-2, SI-12.
15251 Control Enhancements:
15252 (1) DE-IDENTIFICATION | COLLECTION
15253 De-identify the dataset upon collection by not collecting personally identifiable
15254 information.
15255 Discussion: If a data source contains personally identifiable information but the information
15256 will not be used, the dataset can be de-identified upon creation by not collecting the data
15257 elements containing the personally identifiable information. For example, if an organization
15258 does not intend to use the social security number of an applicant, then application forms do
15259 not ask for a social security number.

CHAPTER THREE PAGE 349

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15260 Related Controls: None.

15261 (2) DE-IDENTIFICATION | ARCHIVING
15262 Prohibit archiving of personally identifiable information elements if those elements in a
15263 dataset will not be needed after the dataset is archived.
15264 Discussion: Datasets can be archived for many reasons. The envisioned purposes for the
15265 archived dataset are specified and if personally identifiable information elements are not
15266 required, the elements are not archived. For example, social security numbers may have
15267 been collected for record linkage, but the archived dataset may include the required
15268 elements from the linked records. In this case, it is not necessary to archive the social
15269 security numbers.
15270 Related Controls: None.
15271 (3) DE-IDENTIFICATION | RELEASE
15272 Remove personally identifiable information elements from a dataset prior to its release if
15273 those elements in the dataset do not need to be part of the data release.
15274 Discussion: Prior to releasing a dataset, a data custodian considers the intended uses of the
15275 dataset and determines if it is necessary to release personally identifiable information. If the
15276 personally identifiable information is not necessary, the information can be removed using
15277 de-identification techniques.
15278 Related Controls: None.
15279 (4) DE-IDENTIFICATION | REMOVAL, MASKING, ENCRYPTION, HASHING, OR REPLACEMENT OF DIRECT
15280 IDENTIFIERS
15281 Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
15282 Discussion: There are many possible processes for removing direct identifiers from a
15283 dataset. Columns in a dataset that contain a direct identifier can be removed. In masking,
15284 the direct identifier is transformed into a repeating character, for example, XXXXXX or
15285 999999. Identifiers can be encrypted or hashed, so that the linked records remain linked. In
15286 the case of encryption or hashing, algorithms are employed that require the use of a key,
15287 including the Advanced Encryption Standard or a Hash-based Message Authentication Code.
15288 Implementations may use the same key for all identifiers or use a different key for each
15289 identifier. Using a different key for each identifier provides for a higher degree of security
15290 and privacy. Identifiers can alternatively be replaced with a keyword, including transforming
15291 “George Washington” to “PATIENT,” or replaced with a surrogate value, for example,
15292 transforming “George Washington” to “Abraham Polk.”
15293 Related Controls: SC-12, SC-13.
15294 (5) DE-IDENTIFICATION | STATISTICAL DISCLOSURE CONTROL
15295 Manipulate numerical data, contingency tables, and statistical findings so that no person
15296 or organization is identifiable in the results of the analysis.
15297 Discussion: Many types of statistical analyses can result in the disclosure of information
15298 about individuals even if only summary information is provided. For example, if a school
15299 publishes a monthly table with the number of minority students, and in January the school
15300 reports that it has 10-19 such students, but in March it reports that it has 20-29 students,
15301 then it can be inferred that the student who enrolled in February was a minority.
15302 Related Controls: None.
15303 (6) DE-IDENTIFICATION | DIFFERENTIAL PRIVACY
15304 Prevent disclosure of personally identifiable information by adding non-deterministic
15305 noise to the results of mathematical operations before the results are reported.

CHAPTER THREE PAGE 350

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15306 Discussion: The mathematical definition for differential privacy holds that the result of a
15307 dataset analysis should be approximately the same before and after the addition or removal
15308 of a single data record (which is assumed to be the data from a single individual). In its most
15309 basic form, differential privacy applies only to online query systems. However, it can also be
15310 used to produce machine-learning statistical classifiers and synthetic data. Differential
15311 privacy comes at the cost of decreased accuracy of results, forcing organizations to quantify
15312 the trade-off between privacy protection and the overall accuracy, usefulness, and utility of
15313 the de-identified dataset. Non-deterministic noise can include adding small random values
15314 to the results of mathematical operations in dataset analysis.
15315 Related Controls: SC-12, SC-13.
15316 (7) DE-IDENTIFICATION | VALIDATED SOFTWARE
15317 Perform de-identification using validated algorithms and software that is validated to
15318 implement the algorithms.
15319 Discussion: Algorithms that appear to remove personally identifiable information from a
15320 dataset may in fact leave information that is personally identifiable or data that are re-
15321 identifiable. Software that is claimed to implement a validated algorithm may contain bugs
15322 or may implement a different algorithm. Software may de-identify one type of data, for
15323 example, integers, but not another type of data, for example, floating point numbers. For
15324 these reasons, de-identification is performed using algorithms and software that are
15325 validated.
15326 Related Controls: None.
15327 (8) DE-IDENTIFICATION | MOTIVATED INTRUDER
15328 Perform a motivated intruder test on the de-identified dataset to determine if the
15329 identified data remains or if the de-identified data can be re-identified.
15330 Discussion: A motivated intruder test is a test in which a person or group takes a data
15331 release and specified resources and attempts to re-identify one or more individuals in the
15332 de-identified dataset. Such tests specify the amount of inside knowledge, computational
15333 resources, financial resources, data, and skills that intruders have at their disposal to
15334 conduct the tests. A motivated intruder test can determine if de-identification is insufficient.
15335 It can also be a useful diagnostic tool to assess if de-identification is likely to be sufficient.
15336 However, the test alone cannot prove that de-identification is sufficient.
15337 Related Controls: None.
15338 References: [OMB A-130, Appendix II]; [SP 800-188].

15339 SI-20 TAINTING

15340 Control: Embed data or capabilities in the following systems or system components to
15341 determine if organizational data has been exfiltrated or improperly removed from the
15342 organization: [Assignment: organization-defined systems or system components].
15343 Discussion: Many cyber-attacks target organizational information (or sensitive information the
15344 organization holds on behalf of other entities (e.g., personally identifiable information) and
15345 exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove
15346 information from the system in violation of the organizational policies. Tainting approaches can
15347 range from passive to active. A passive tainting approach can be as simple as adding false email
15348 names and addresses to an internal database. If the organization receives email at one of the
15349 false email addresses, it knows that the database has been compromised. Moreover, the
15350 organization knows that the email was sent by an unauthorized entity so any packets it includes
15351 potentially contain malicious code and that the unauthorized entity potentially has obtained a
15352 copy of the database. A less passive tainting approach can include embedding false data or

CHAPTER THREE PAGE 351

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15353 steganographic data in files to enable the data to be found via open source analysis. And finally,
15354 an active tainting approach can include embedding software in the data that is able to “call
15355 home” alerting the organization to its “capture” and possibly its location and the path by which it
15356 was exfiltrated or removed.
15357 Related Controls: None.
15358 Control Enhancements: None.
15359 References: [OMB A-130, Appendix II]; [SP 800-160 v2].

15360 SI-21 INFORMATION REFRESH

15361 Control: Refresh [Assignment: organization-defined information] at [Assignment: organization-
15362 defined frequencies] or generate the information on demand and delete the information when
15363 no longer needed.
15364 Discussion: Retaining critical or sensitive information (e.g., classified information or controlled
15365 unclassified information) for longer than it is needed makes it an increasing valuable and enticing
15366 target for adversaries. Keeping such information available for the minimum period of time
15367 needed for mission accomplishment reduces the opportunity for adversaries to compromise,
15368 capture, and exfiltrate that information.
15369 Related Controls: SI-14.
15370 Control Enhancements: None.
15371 References: [OMB A-130]; [SP 800-160 v2].

15372 SI-22 INFORMATION DIVERSITY

15373 Control:
15374 a. Identify the following alternative sources of information for [Assignment: organization-
15375 defined essential functions and services]: [Assignment: organization-defined alternative
15376 information sources]; and
15377 b. Use an alternative information source for the execution of essential functions or services on
15378 [Assignment: organization-defined systems or system components] when the primary source
15379 of information is corrupted or unavailable.
15380 Discussion: Actions taken by a system service or a function are often driven by the information it
15381 receives. Corruption, fabrication, modification, or deletion of that information could impact the
15382 ability of the service function to properly carry out its intended actions. By having multiple
15383 sources of input, the service or function can continue operation if one source is corrupted or no
15384 longer available. It is possible that the alternative sources of information may be less precise or
15385 less accurate than the primary source of information. But having such sub-optimal information
15386 sources may still provide a sufficient level of quality that the essential service or function can be
15387 carried out, even in a degraded or debilitated manner.
15388 Related Controls: None.
15389 Control Enhancements: None.
15390 References: [SP 800-160 v2].

15391 SI-23 INFORMATION FRAGMENTATION

15392 Control: Based on [Assignment: organization-defined circumstances]:
15393 a. Fragment the following information: [Assignment: organization-defined information]; and

CHAPTER THREE PAGE 352

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15394 b. Distribute the fragmented information across the following systems or system components:
15395 [Assignment organization-defined systems or system components].
15396 Discussion: One major objective of the advanced persistent threat is to exfiltrate sensitive and
15397 valuable information. Once exfiltrated, there is generally no way for the organization to recover
15398 the lost information. Therefore, organizations may consider taking the information and dividing it
15399 into disparate elements and then distributing those elements across multiple systems or system
15400 components and locations. Such actions will increase the adversary’s work factor to capture and
15401 exfiltrate the desired information and in so doing, increase the probability of detection. The
15402 fragmentation of information also impacts the organization’s ability to access the information in
15403 a timely manner. The extent of the fragmentation would likely be dictated by the sensitivity (and
15404 value) of the information, threat intelligence information received, and if data tainting is used
15405 (i.e., data tainting derived information about exfiltration of some information could result in the
15406 fragmentation of the remaining information).
15407 Related Controls: None.
15408 Control Enhancements: None.
15409 References: [SP 800-160 v2].

CHAPTER THREE PAGE 353

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15410 3.20 SUPPLY CHAIN RISK MANAGEMENT

15411 Quick link to Supply Chain Risk Management summary table

15412 SR-1 POLICY AND PROCEDURES

15413 Control:
15414 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
15415 roles]:
15416 1. [Selection (one or more): organization-level; mission/business process-level; system-
15417 level] supply chain risk management policy that:
15418 (a) Addresses purpose, scope, roles, responsibilities, management commitment,
15419 coordination among organizational entities, and compliance; and
15420 (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
15421 standards, and guidelines; and
15422 2. Procedures to facilitate the implementation of the supply chain risk management policy
15423 and the associated supply chain risk management controls;
15424 b. Designate an [Assignment: organization-defined official] to manage the development,
15425 documentation, and dissemination of the supply chain risk management policy and
15426 procedures; and
15427 c. Review and update the current supply chain risk management:
15428 1. Policy [Assignment: organization-defined frequency]; and
15429 2. Procedures [Assignment: organization-defined frequency].
15430 Discussion: This control addresses policy and procedures for the controls in the SR family
15431 implemented within systems and organizations. The risk management strategy is an important
15432 factor in establishing such policies and procedures. Policies and procedures help provide security
15433 and privacy assurance. Therefore, it is important that security and privacy programs collaborate
15434 on their development. Security and privacy program policies and procedures at the organization
15435 level are preferable, in general, and may obviate the need for system-specific policies and
15436 procedures. The policy can be included as part of the general security and privacy policy or can
15437 be represented by multiple policies reflecting the complex nature of organizations. Procedures
15438 can be established for security and privacy programs and for systems, if needed. Procedures
15439 describe how the policies or controls are implemented and can be directed at the individual or
15440 role that is the object of the procedure. Procedures can be documented in system security and
15441 privacy plans or in one or more separate documents. Restating controls does not constitute an
15442 organizational policy or procedure.
15443 Related Controls: PM-9, PM-30, PS-8, SI-12.
15444 Control Enhancements: None.
15445 References: [SP 800-12]; [SP 800-30]; [SP 800-39]; [SP 800-100]; [SP 800-161].

15446 SR-2 SUPPLY CHAIN RISK MANAGEMENT PLAN

15447 Control:
15448 a. Develop a plan for managing supply chain risks associated with the research and
15449 development, design, manufacturing, acquisition, delivery, integration, operations, and

CHAPTER THREE PAGE 354

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15450 disposal of the following systems, system components or system services: [Assignment:
15451 organization-defined systems, system components, or system services];
15452 b. Implement the supply chain risk management plan consistently across the organization; and
15453 c. Review and update the supply chain risk management plan [Assignment: organization-
15454 defined frequency] or as required, to address threat, organizational or environmental
15455 changes.
15456 Discussion: The growing dependence on products, systems, and services from external
15457 providers, along with the nature of the relationships with those providers, present an increasing
15458 level of risk to an organization. Specific threat actions that may increase risk include the insertion
15459 or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software
15460 and hardware, as well as poor manufacturing and development practices in the supply chain that
15461 can create security or privacy risks. Supply chain risks can be endemic or systemic within a
15462 system element or component, a system, an organization, a sector, or the Nation. Managing
15463 supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an
15464 organization building trust relationships and communicating with both internal and external
15465 stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing
15466 risks, determining appropriate mitigating actions, developing SCRM plans to document selected
15467 mitigating actions, and monitoring performance against plans.
15468 Because supply chains can differ significantly across and within organizations, SCRM plans are
15469 tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans
15470 provide the basis for determining whether a system is fit for purpose; and as such, the controls
15471 need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources
15472 on the most critical missions and business functions based on mission and business requirements
15473 and their risk environment. Supply chain risk management plans include an expression of the
15474 supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies
15475 or controls, a process for consistently evaluating and monitoring supply chain risk, approaches
15476 for implementing and communicating the plan, a description of and justification for supply chain
15477 risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk
15478 management plans address requirements for developing trustworthy secure, privacy-protective,
15479 and resilient system components and systems, including the application of the security design
15480 principles implemented as part of life cycle-based systems security engineering processes (see
15481 SA-8).
15482 Related Controls: CA-2, CP-4, IR-4, MA-2, MA-6, PE-16, PL-2, PM-9, PM-30, RA-3, RA-7, SA-8.
15483 Control Enhancements:
15484 (1) SUPPLY CHAIN RISK MANAGEMENT PLAN | ESTABLISH SCRM TEAM
15485 Establish a supply chain risk management team consisting of [Assignment: organization-
15486 defined personnel, roles, and responsibilities] to lead and support the following SCRM
15487 activities: [Assignment: organization-defined supply chain risk management activities].
15488 Discussion: To implement supply chain risk management plans, organizations establish a
15489 coordinated team-based approach to identify and assess supply chain risks and manage
15490 these risks by using programmatic and technical mitigation techniques. The team approach
15491 enables organizations to conduct an analysis of their supply chain, communicate with
15492 external partners or stakeholders, and gain broad consensus regarding the appropriate
15493 resources for SCRM. The SCRM team consists of organizational personnel with diverse roles
15494 and responsibilities for leading and supporting SCRM activities, including risk executive,
15495 information technology, contracting, information security, privacy, mission or business, legal,
15496 supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM
15497 team are involved in the various aspects of the SDLC and collectively, have an awareness of,
15498 and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and

CHAPTER THREE PAGE 355

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15499 attack vectors, as well as an understanding of the technical aspects and dependencies of
15500 systems. The SCRM team can be an extension of the security and privacy risk management
15501 processes or can be included as part of a general organizational risk management team.
15502 Related Controls: None.
15503 References: [SP 800-30]; [SP 800-39]; [SP-800-160 v1]; [SP 800-161]; [IR 7622].

15504 SR-3 SUPPLY CHAIN CONTROLS AND PROCESSES

15505 Control:
15506 a. Establish a process or processes to identify and address weaknesses or deficiencies in the
15507 supply chain elements and processes of [Assignment: organization-defined system or system
15508 component] in coordination with [Assignment: organization-defined supply chain personnel];
15509 b. Employ the following supply chain controls to protect against supply chain risks to the
15510 system, system component, or system service and to limit the harm or consequences from
15511 supply chain-related events: [Assignment: organization-defined supply chain controls]; and
15512 c. Document the selected and implemented supply chain processes and controls in [Selection:
15513 security and privacy plans; supply chain risk management plan; [Assignment: organization-
15514 defined document]].
15515 Discussion: Supply chain elements include organizations, entities, or tools employed for the
15516 development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system
15517 components. Supply chain processes include hardware, software, and firmware development
15518 processes; shipping and handling procedures; personnel security and physical security programs;
15519 configuration management tools, techniques, and measures to maintain provenance; or other
15520 programs, processes, or procedures associated with the development, acquisition, maintenance
15521 and disposal of systems and system components. Supply chain elements and processes may be
15522 provided by organizations, system integrators, or external providers. Weaknesses or deficiencies
15523 in supply chain elements or processes represent potential vulnerabilities that can be exploited by
15524 adversaries to cause harm to the organization and affect its ability to carry out its core missions
15525 or business functions. Supply chain personnel are individuals with roles and responsibilities in the
15526 supply chain.
15527 Related Controls: CA-2, MA-2, MA-6, PE-3, PE-16, PL-8, PM-30, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9,
15528 SA-10, SA-15, SC-7, SC-29, SC-30, SC-38, SI-7, SR-6, SR-9, SR-11.
15529 Control Enhancements:
15530 (1) SUPPLY CHAIN CONTROLS AND PROCESSES | DIVERSE SUPPLY BASE
15531 Employ a diverse set of sources for the following system components and services:
15532 [Assignment: organization-defined system components and services].
15533 Discussion: Diversifying the supply of system, system components and services can reduce
15534 the probability that adversaries will successfully identify and target the supply chain, and can
15535 reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for
15536 replacement components can reduce the probability that the replacement component will
15537 become unavailable; employing a diverse set of developers or logistics service providers can
15538 reduce the impact of a natural disaster or other supply chain event. Organizations consider
15539 designing the system to include diversity of materials and components.
15540 Related Controls: None.

CHAPTER THREE PAGE 356

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15541 (2) SUPPLY CHAIN PROTECTION CONTROLS AND PROCESSES | LIMITATION OF HARM
15542 Employ the following supply chain controls to limit harm from potential adversaries
15543 identifying and targeting the organizational supply chain: [Assignment: organization-
15544 defined controls].
15545 Discussion: Controls that can be implemented to reduce the probability of adversaries
15546 successfully identifying and targeting the supply chain include avoiding the purchase of
15547 custom or non-standardized configurations; employing approved vendor lists with standing
15548 reputations in industry; following pre-agreed maintenance schedules and update and patch
15549 delivery mechanisms; maintaining a contingency plan in case of a supply chain event, and
15550 using procurement carve outs that provide exclusions to commitments or obligations, using
15551 diverse delivery routes; and minimizing the time between purchase decisions and delivery.
15552 Related Controls: None.
15553 References: [SP 800-30]; [SP 800-161]; [IR 7622].

15554 SR-4 PROVENANCE

15555 Control: Document, monitor, and maintain valid provenance of the following systems, system
15556 components, and associated data: [Assignment: organization-defined systems, system
15557 components, and associated data].
15558 Discussion: Every system and system component has a point of origin and may be changed
15559 throughout its existence. Provenance is the chronology of the origin, development, ownership,
15560 location, and changes to a system or system component and associated data. It may also include
15561 personnel and processes used to interact with or make modifications to the system, component,
15562 or associated data. Organizations consider developing procedures (see SR-1) for allocating
15563 responsibilities for the creation, maintenance, and monitoring of provenance for systems and
15564 system components; transferring provenance documentation and responsibility between
15565 organizations; and preventing and monitoring for unauthorized changes to the provenance
15566 records. Organizations consider developing methods to document, monitor, and maintain valid
15567 provenance baselines for systems, system components, and related data. Such actions help track,
15568 assess, and document changes to the provenance, including changes in supply chain elements or
15569 configuration, and help ensure non-repudiation of provenance information and the provenance
15570 change records.
15571 Related Controls: CM-8, MA-2, MA-6, RA-9.
15572 Control Enhancements:
15573 (1) PROVENANCE | IDENTITY
15574 Establish and maintain unique identification of the following supply chain elements,
15575 processes, and personnel associated with the identified system and critical system
15576 components: [Assignment: organization-defined supply chain elements, processes, and
15577 personnel associated with organization-defined systems and critical system components].
15578 Discussion: Knowing who and what is in the supply chains of organizations is critical to
15579 gaining visibility into supply chain activities. Visibility into supply chain activities is also
15580 important for monitoring and identifying high-risk events and activities. Without reasonable
15581 visibility into supply chains elements, processes, and personnel, it is very difficult for
15582 organizations to understand and manage risk, and ultimately reduce the susceptibility to
15583 adverse events. Supply chain elements include organizations, entities, or tools used for the
15584 development, acquisition, delivery, maintenance and disposal of systems and system
15585 components. Supply chain processes include development processes for hardware,
15586 software, and firmware; shipping and handling procedures; configuration management
15587 tools, techniques, and measures to maintain provenance; personnel and physical security

CHAPTER THREE PAGE 357

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15588 programs; or other programs, processes, or procedures associated with the production and
15589 distribution of supply chain elements. Supply chain personnel are individuals with specific
15590 roles and responsibilities related to the secure development, delivery, maintenance, and
15591 disposal of a system or system component. Identification methods are sufficient to support
15592 an investigation in case of a supply chain change (e.g. if a supply company is purchased),
15593 compromise, or event.
15594 Related Controls: IA-2, IA-8, PE-16.
15595 (2) PROVENANCE | TRACK AND TRACE
15596 Establish and maintain unique identification of the following systems and critical system
15597 components for tracking through the supply chain: [Assignment: organization-defined
15598 systems and critical system components].
15599 Discussion: Tracking the unique identification of systems and system components during
15600 development and transport activities provides a foundational identity structure for the
15601 establishment and maintenance of provenance. For example, system components may be
15602 labeled using serial numbers or tagged using radio-frequency identification tags. Labels and
15603 tags can help provide better visibility into the provenance of a system or system component.
15604 A system or system component may have more than one unique identifier. Identification
15605 methods are sufficient to support a forensic investigation after a supply chain compromise
15606 or event.
15607 Related Controls: IA-2, IA-8, PE-16, PL-2.
15608 (3) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED
15609 Employ the following controls to validate that the system or system component received is
15610 genuine and has not been altered: [Assignment: organization-defined controls].
15611 Discussion: For many systems and system components, especially hardware, there are
15612 technical means to determine if the items are genuine or have been altered, including
15613 optical and nanotechnology tagging; physically unclonable functions; side-channel analysis;
15614 cryptographic hash verifications or digital signatures; and visible anti-tamper labels or
15615 stickers. Controls can also include monitoring for out of specification performance, which
15616 can be an indicator of tampering or counterfeits. Organizations may leverage supplier and
15617 contractor processes for validating that a system or component is genuine and has not been
15618 altered, and for replacing a suspect system or component. Some indications of tampering
15619 may be visible and addressable before accepting delivery, including inconsistent packaging,
15620 broken seals, and incorrect labels. When a system or system component is suspected of
15621 being altered or counterfeit, the supplier, contractor, or original equipment manufacturer
15622 may be able to replace the item or provide a forensic capability to determine the origin of
15623 the counterfeit or altered item. Organizations can provide training to personnel on how to
15624 identify suspicious system or component deliveries.
15625 Related Controls: AT-3, SR-9, SR-10, SR-11.
15626 References: [SP 800-161]; [IR 7622].

15627 SR-5 ACQUISITION STRATEGIES, TOOLS, AND METHODS

15628 Control: Employ the following acquisition strategies, contract tools, and procurement methods
15629 to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined
15630 acquisition strategies, contract tools, and procurement methods].
15631 Discussion: The use of the acquisition process provides an important vehicle to protect the
15632 supply chain. There are many useful tools and techniques available, including obscuring the end
15633 use of a system or system component; using blind or filtered buys; requiring tamper-evident
15634 packaging; or using trusted or controlled distribution. The results from a supply chain risk

CHAPTER THREE PAGE 358

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15635 assessment can guide and inform the strategies, tools, and methods that are most applicable to
15636 the situation. Tools and techniques may provide protections against unauthorized production,
15637 theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and
15638 poor development practices throughout the system development life cycle. Organizations also
15639 consider providing incentives for suppliers who implement controls; promote transparency into
15640 their processes and security and privacy practices; provide contract language that addresses the
15641 prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy
15642 suppliers. Organizations consider providing training, education, and awareness programs for
15643 personnel regarding supply chain risk, available mitigation strategies, and when the programs
15644 should be employed. Methods for reviewing and protecting development plans, documentation,
15645 and evidence are commensurate with the security and privacy requirements of the organization.
15646 Contracts may specify documentation protection requirements.
15647 Related Controls: AT-3, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9, SA-10, SA-15, SR-6, SR-9, SR-10, SR-11.
15648 Control Enhancements:
15649 (1) ACQUISITION STRATEGIES, TOOLS, AND METHODS | ADEQUATE SUPPLY
15650 Employ the following controls to ensure an adequate supply of [Assignment: organization-
15651 defined critical system components]: [Assignment: organization-defined controls].
15652 Discussion: Adversaries can attempt to impede organizational operations by disrupting the
15653 supply of critical system components or corrupting supplier operations. Organizations may
15654 track systems and component mean time to failure to mitigate the loss of temporary or
15655 permanent system function. Controls to ensure that adequate supplies of critical system
15656 components include the use of multiple suppliers throughout the supply chain for the
15657 identified critical components; stockpiling spare components to ensure operation during
15658 mission-critical times, and the identification of functionally-identical or similar components
15659 that may be used, if necessary.
15660 Related Controls: None.
15661 (2) ACQUISITION STRATEGIES, TOOLS, AND METHODS | ASSESSMENTS PRIOR TO SELECTION,
15662 ACCEPTANCE, MODIFICATION, OR UPDATE
15663 Assess the system, system component, or system service prior to selection, acceptance,
15664 modification, or update.
15665 Discussion: Organizational personnel or independent, external entities conduct assessments
15666 of systems, components, products, tools, and services to uncover evidence of tampering,
15667 unintentional and intentional vulnerabilities, or evidence of non-compliance with supply
15668 chain controls. These include malicious code, malicious processes, defective software,
15669 backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews;
15670 visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle
15671 inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and
15672 penetration testing (see SR-6(1)). Evidence generated during assessments is documented for
15673 follow-on actions by organizations. The evidence generated during the organizational or
15674 independent assessments of supply chain elements may be used to improve supply chain
15675 processes and to inform the supply chain risk management process. The evidence can be
15676 leveraged in follow-on assessments. Evidence and other documentation may be shared in
15677 accordance with organizational agreements.
15678 Related Controls: CA-8, RA-5, SA-11, SI-7, SR-9.
15679 References: [SP 800-30]; [SP 800-161]; [IR 7622].

CHAPTER THREE PAGE 359

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15680 SR-6 SUPPLIER REVIEWS

15681 Control: Review the supply chain-related risks associated with suppliers or contractors and the
15682 system, system component, or system service they provide [Assignment: organization-defined
15683 frequency].
15684 Discussion: A review of supplier risk includes security processes, foreign ownership, control or
15685 influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier
15686 and third-tier suppliers and contractors. The reviews may be conducted by the organization or by
15687 an independent third party. The reviews consider documented processes, documented controls,
15688 all-source intelligence, and publicly available information related to the supplier or contractor.
15689 Organizations can use open-source information to monitor for indications of stolen information,
15690 poor development and quality control practices, information spillage, or counterfeits. In some
15691 cases, it may be appropriate to share review results with other organizations in accordance with
15692 any applicable inter-organizational agreements or contracts.
15693 Related Controls: SR-3, SR-5.
15694 Control Enhancements:
15695 (1) SUPPLIER REVIEWS | PENETRATION TESTING AND ANALYSIS
15696 Employ [Selection (one or more): organizational analysis, independent third-party analysis,
15697 organizational penetration testing, independent third-party penetration testing] of the
15698 following supply chain elements, processes, and actors associated with the system, system
15699 component, or system service: [Assignment: organization-defined supply chain elements,
15700 processes, and actors].
15701 Discussion: Penetration testing and analysis addresses the analysis or testing of the supply
15702 chain. Relationships between entities and procedures within the supply chain, including
15703 development and delivery, are considered. Supply chain elements include organizations,
15704 entities, or tools use for the development, acquisition, deliver, maintenance and disposal of
15705 systems, system components, or system services. Supply chain processes include personnel
15706 and physical security programs; hardware, software, and firmware development processes;
15707 configuration management tools, techniques, and measures to maintain provenance;
15708 shipping and handling procedures; and programs, processes, or procedures associated with
15709 the production and distribution of supply chain elements. Supply chain actors are individuals
15710 with specific roles and responsibilities in the supply chain. The evidence generated and
15711 collected during analyses and testing of supply chain elements, processes, and actors is
15712 documented and used to inform organizational risk management activities and decisions.
15713 Related Controls: CA-8.
15714 References: [FIPS 140-3]; [FIPS 180-4]; [FIPS 186-4]; [FIPS 202]; [SP 800-30]; [SP 800-161]; [IR
15715 7622].

15716 SR-7 SUPPLY CHAIN OPERATIONS SECURITY

15717 Control: Employ the following Operations Security (OPSEC) controls to protect supply chain-
15718 related information for the system, system component, or system service: [Assignment:
15719 organization-defined Operations Security (OPSEC) controls].
15720 Discussion: Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential
15721 suppliers. OPSEC is a process that includes identifying critical information; analyzing friendly
15722 actions related to operations and other activities to identify those actions that can be observed
15723 by potential adversaries; determining indicators that potential adversaries might obtain that
15724 could be interpreted or pieced together to derive information in sufficient time to cause harm to
15725 organizations; implementing safeguards or countermeasures to eliminate or reduce exploitable
15726 vulnerabilities and thus risk to an acceptable level; and finally, considering how aggregated

CHAPTER THREE PAGE 360

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15727 information may expose users or specific uses of the supply chain. Supply chain information
15728 includes user identities; uses for systems, system components, and system services; supplier
15729 identities; security and privacy requirements; system and component configurations; supplier
15730 processes; design specifications; and testing and evaluation results. Supply chain OPSEC may
15731 require organizations to withhold mission or business information from suppliers and may
15732 include the use of intermediaries to hide the end use, or users of systems, system components,
15733 or system services.
15734 Related Controls: SC-38.
15735 Control Enhancements: None.
15736 References: [SP 800-30]; [SP 800-161]; [IR 7622].

15737 SR-8 NOTIFICATION AGREEMENTS

15738 Control: Establish agreements and procedures with entities involved in the supply chain for the
15739 system, system component, or system service for the [Selection (one or more): notification of
15740 supply chain compromises; results of assessments or audits; [Assignment: organization-defined
15741 information]].
15742 Discussion: The establishment of agreements and procedures facilitates communications among
15743 supply chain entities. Early notification of compromises and potential compromises in the supply
15744 chain that can potentially adversely affect or have adversely affected organizational systems or
15745 system components, is essential for organizations to effectively respond to such incidents. The
15746 results of assessments or audits may include open-source information that contributed to a
15747 decision or result and could be used to help the supply chain entity resolve a concern or improve
15748 its processes.
15749 Related Controls: IR-4, IR-6, IR-8.
15750 Control Enhancements: None.
15751 References: [SP 800-30]; [SP 800-161]; [IR 7622].

15752 SR-9 TAMPER RESISTANCE AND DETECTION

15753 Control: Implement a tamper protection program for the system, system component, or system
15754 service.
15755 Discussion: Anti-tamper technologies, tools, and techniques provide a level of protection for
15756 systems, system components, and services against many threats, including reverse engineering,
15757 modification, and substitution. Strong identification combined with tamper resistance and/or
15758 tamper detection is essential to protecting systems and components during distribution and
15759 when in use.
15760 Related Controls: PE-3, PM-30, SA-15, SI-4, SI-7, SR-3, SR-4, SR-5, SR-10, SR-11.
15761 Control Enhancements:
15762 (1) TAMPER RESISTANCE AND DETECTION | MULTIPLE STAGES OF SYSTEM DEVELOPMENT LIFE CYCLE
15763 Employ anti-tamper technologies, tools, and techniques during multiple stages in the
15764 system development life cycle, including design, development, integration, operations,
15765 and maintenance.
15766 Discussion: Organizations use a combination of hardware and software techniques for
15767 tamper resistance and detection. Organizations employ obfuscation and self-checking, for
15768 example, to make reverse engineering and modifications more difficult, time-consuming,
15769 and expensive for adversaries. The customization of systems and system components can
15770 make substitutions easier to detect and therefore limit damage.

CHAPTER THREE PAGE 361

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15771 Related Controls: SA-3.

15772 References: None.

15773 SR-10 INSPECTION OF SYSTEMS OR COMPONENTS

15774 Control: Inspect the following systems or system components [Selection (one or more): at
15775 random; at [Assignment: organization-defined frequency], upon [Assignment: organization-
15776 defined indications of need for inspection]] to detect tampering: [Assignment: organization-
15777 defined systems or system components].
15778 Discussion: Inspection of systems or systems components for tamper resistance and detection
15779 addresses physical and logical tampering and is applied to systems and system components
15780 taken out of organization-controlled areas. Indications of a need for inspection include when
15781 individuals return from travel to high-risk locations.
15782 Related Controls: AT-3, PM-30, SI-4, SI-7, SR-3, SR-4, SR-5, SR-9, SR-11.
15783 References: None.

15784 SR-11 COMPONENT AUTHENTICITY

15785 Control:
15786 a. Develop and implement anti-counterfeit policy and procedures that include the means to
15787 detect and prevent counterfeit components from entering the system; and
15788 b. Report counterfeit system components to [Selection (one or more): source of counterfeit
15789 component; [Assignment: organization-defined external reporting organizations];
15790 [Assignment: organization-defined personnel or roles]].
15791 Discussion: Sources of counterfeit components include manufacturers, developers, vendors, and
15792 contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a
15793 level of protection against the introduction of malicious code. External reporting organizations
15794 include CISA.
15795 Related Controls: PE-3, SA-4, SI-7, SR-9, SR-10.
15796 Control Enhancements:
15797 (1) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING
15798 Train [Assignment: organization-defined personnel or roles] to detect counterfeit system
15799 components (including hardware, software, and firmware).
15800 Discussion: None.
15801 Related Controls: AT-3.
15802 (2) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR
15803 Maintain configuration control over the following system components awaiting service or
15804 repair and serviced or repaired components awaiting return to service: [Assignment:
15805 organization-defined system components].
15806 Discussion: None.
15807 Related Controls: CM-3, MA-2, MA-4, SA-10.
15808 (3) COMPONENT AUTHENTICITY | COMPONENT DISPOSAL
15809 Dispose of system components using the following techniques and methods: [Assignment:
15810 organization-defined techniques and methods].

CHAPTER THREE PAGE 362

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15811 Discussion: Proper disposal of system components helps to prevent such components from
15812 entering the gray market.
15813 Related Controls: MP-6.
15814 (4) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING
15815 Scan for counterfeit system components [Assignment: organization-defined frequency].
15816 Discussion: The type of component determines the type of scanning to be conducted (e.g.,
15817 web application scanning if the component is a web application).
15818 Related Controls: RA-5.
15819 References: None.

CHAPTER THREE PAGE 363

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15820 APPENDIX A

15821 REFERENCES
15822 LAWS, POLICIES, DIRECTIVES, REGULATIONS, STANDARDS, AND GUIDELINES 31

LAWS AND EXECUTIVE ORDERS

[ATOM54] Atomic Energy Act (P.L. 107), August 1954.

https://www.govinfo.gov/content/pkg/STATUTE-68/pdf/STATUTE-68-Pg919.pdf
[PRIVACT] Privacy Act (P.L. 93-579), December 1974.
https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf
[CMPPA] Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503),
October 1988.
https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-
Pg2507.pdf
[EGOV] E-Government Act [includes FISMA] (P.L. 107-347), December 2002.
https://www.congress.gov/107/plaws/publ347/PLAW-107publ347.pdf
[EVIDACT] Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435),
January 2019.
https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf
[FOIA96] Freedom of Information Act (FOIA), 5 U.S.C. § 552, As Amended By Public
Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act
Amendments of 1996.
https://www.govinfo.gov/content/pkg/PLAW-104publ231/pdf/PLAW-
104publ231.pdf
[USA PATRIOT] USA Patriot Act (P.L. 107-56), October 2001.
https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf
[EO 13526] Executive Order 13526, Classified National Security Information, December
2009.
https://www.archives.gov/isoo/policy-documents/cnsi-eo.html
[EO 13556] Executive Order 13556, Controlled Unclassified Information, November
2010.
https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-
order-13556-controlled-unclassified-information
[FISMA] Federal Information Security Modernization Act (P.L. 113-283), December
2014.
https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf

31 The references cited in this appendix are those external publications that directly support the FISMA and Privacy

Projects. Additional NIST standards, guidelines, and interagency reports are also cited throughout this publication,
including in the references section of the applicable controls in Chapter Three. Direct links to the NIST website are
provided to obtain access to those publications.

APPENDIX A PAGE 364

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[EO 13587] Executive Order 13587, Structural Reforms to Improve the Security of
Classified Networks and the Responsible Sharing and Safeguarding of
Classified Information, October 2011.
https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-
order-13587-structural-reforms-improve-security-classified-net
[EO 13636] Executive Order 13636, Improving Critical Infrastructure Cybersecurity,
February 2013.
https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-
order-improving-critical-infrastructure-cybersecurity
[EO 13800] Executive Order 13800, Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure, May 2017.
https://www.whitehouse.gov/presidential-actions/presidential-executive-order-
strengthening-cybersecurity-federal-networks-critical-infrastructure

[USC 552] United States Code, 2006 Edition, Supplement 4, Title 5 - Government
Organization and Employees, January 2011.
https://www.govinfo.gov/content/pkg/USCODE-2010-title5/pdf/USCODE-2010-
title5-partI-chap5-subchapII-sec552a.pdf

REGULATIONS, DIRECTIVES, PLANS, AND POLICIES

[HSPD 7] Homeland Security Presidential Directive 7, Critical Infrastructure

Identification, Prioritization, and Protection, December 2003.
https://www.dhs.gov/homeland-security-presidential-directive-7
[HSPD 12] Homeland Security Presidential Directive 12, Policy for a Common
Identification Standard for Federal Employees and Contractors, August
2004.
https://www.dhs.gov/homeland-security-presidential-directive-12
[NITP12] Presidential Memorandum for the Heads of Executive Departments and
Agencies, National Insider Threat Policy and Minimum Standards for
Executive Branch Insider Threat Programs, November 2012.
https://obamawhitehouse.archives.gov/the-press-office/2012/11/21/presidential-
memorandum-national-insider-threat-policy-and-minimum-stand
[5 CFR 731] Code of Federal Regulations, Title 5, Administrative Personnel, Section
731.106, Designation of Public Trust Positions and Investigative
Requirements (5 C.F.R. 731.106).
https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-
vol2-sec731-106.pdf
[32 CFR 2002] Code of Federal Regulations, Title 32, Controlled Unclassified Information
(32 C.F.R 2002).
https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-
unclassified-information
[ODNI NITP] Office of the Director National Intelligence, National Insider Threat Policy
https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.
pdf

APPENDIX A PAGE 365

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[OMB A-108] Office of Management and Budget Memorandum Circular A-108, Federal
Agency Responsibilities for Review, Reporting, and Publication under the
Privacy Act, December 2016.
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb
_circular_a-108.pdf
[OMB A-130] Office of Management and Budget Memorandum Circular A-130, Managing
Information as a Strategic Resource, July 2016.
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a13
0revised.pdf
[OMB M-08-05] Office of Management and Budget Memorandum M-08-05, Implementation
of Trusted Internet Connections (TIC), November 2007.
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memo
randa/fy2008/m08-05.pdf
[OMB M-17-06] Office of Management and Budget Memorandum M-17-06, Policies for
Federal Agency Public Websites and Digital Services, November 2016.
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/
m-17-06.pdf
[OMB M-17-12] Office of Management and Budget Memorandum M-17-12, Preparing for
and Responding to a Breach of Personally Identifiable Information, January
2017.
https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017
/m-17-12_0.pdf
[OMB M-17-25] Office of Management and Budget Memorandum M-17-25, Reporting
Guidance for Executive Order on Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure, May 2017.
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/
M-17-25.pdf
[OMB M-19-03] Office of Management and Budget Memorandum M-19-03, Strengthening
the Cybersecurity of Federal Agencies by Enhancing the High Value Asset
Program, December 2018.
https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf
[OMB M-19-15] Office of Management and Budget Memorandum M-19-15, Improving
Implementation of the Information Quality Act, April 2019.
https://www.whitehouse.gov/wp-content/uploads/2019/04/M-19-15.pdf
[OMB M-19-23] Office of Management and Budget Memorandum M-19-23, Phase 1
Implementation of the Foundations for Evidence-Based Policymaking Act of
2018: Learning Agendas, Personnel, and Planning Guidance, July 2019.
https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf
[CNSSD 505] Committee on National Security Systems Directive No. 505, Supply Chain
Risk Management (SCRM), August 2017.
https://www.cnss.gov/CNSS/issuances/Directives.cfm
[CNSSP 22] Committee on National Security Systems Policy No. 22, Cybersecurity Risk
Management Policy, August 2016.
https://www.cnss.gov/CNSS/issuances/Policies.cfm

APPENDIX A PAGE 366

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[CNSSI 1253] Committee on National Security Systems Instruction No. 1253, Security
Categorization and Control Selection for National Security Systems, March
2014.
https://www.cnss.gov/CNSS/issuances/Instructions.cfm
[CNSSI 4009] Committee on National Security Systems Instruction No. 4009, Committee
on National Security Systems (CNSS) Glossary, April 2015.
https://www.cnss.gov/CNSS/issuances/Instructions.cfm
[DODI 8510.01] Department of Defense Instruction 8510.01, Risk Management Framework
(RMF) for DoD Information Technology (IT), March 2014.
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_201
4.pdf
[DHS NIPP] Department of Homeland Security, National Infrastructure Protection Plan
(NIPP), 2009.
https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf

STANDARDS, GUIDELINES, AND REPORTS

[ISO 15026-1] International Organization for Standardization/International

Electrotechnical Commission (ISO/IEC) 15026-1:2013, Systems and software
engineering -- Systems and software assurance -- Part 1: Concepts and
vocabulary, November 2013.
https://www.iso.org/standard/62526.html
[ISO 15408-1] International Organization for Standardization/International
Electrotechnical Commission 15408-1:2009, Information technology—
Security techniques— Evaluation criteria for IT security—Part 1:
Introduction and general model, April 2017.
https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf

[ISO 15408-2] International Organization for Standardization/International

Electrotechnical Commission 15408-2:2008, Information technology—
Security techniques— Evaluation criteria for IT security—Part 2: Security
functional requirements, April 2017.
https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf

[ISO 15408-3] International Organization for Standardization/International

Electrotechnical Commission 15408-3:2008, Information technology—
Security techniques— Evaluation criteria for IT security—Part 3: Security
assurance requirements, April 2017.
https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf

[ISO 15288] International Organization for Standardization/International

Electrotechnical Commission/Institute of Electrical and Electronics
Engineers (ISO/IEC/IEEE) 15288:2015, Systems and software engineering—
Systems life cycle processes, May 2015.
https://www.iso.org/standard/63711.h1ml

APPENDIX A PAGE 367

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[ISO 25237] International Organization for Standardization/International

Electrotechnical Commission 25237:2017, Health informatics —
Pseudonymization, January 2017.
https://www.iso.org/standard/63553.html
[ISO 28001] International Organization for Standardization/International
Electrotechnical Commission 28001:2007, Security management systems
for the supply chain—Best practices for implementing supply chain security,
assessments and plans—Requirements and guidance, October 2007.
https://www.iso.org/standard/45654.html
[ISO 29100] International Organization for Standardization/International
Electrotechnical Commission 29100:2011, Information technology—Security
techniques—Privacy framework, December 2011.
https://www.iso.org/standard/45123.html
[ISO 29148] International Organization for Standardization/International
Electrotechnical Commission/Institute of Electrical and Electronics
Engineers (ISO/IEC/IEEE) 29148:2011, Systems and software engineering—
Life cycle processes—Requirements engineering, December 2011.
https://www.iso.org/standard/45171.html
[FIPS 140-3] National Institute of Standards and Technology (2019) Security
Requirements for Cryptographic Modules. (U.S. Department of Commerce,
Washington, D.C.), Federal Information Processing Standards Publication
(FIPS) 140-3.
https://doi.org/10.6028/NIST.FIPS.140-3
[FIPS 180-4] National Institute of Standards and Technology (2015) Secure Hash
Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal
Information Processing Standards Publication (FIPS) 180-4.
https://doi.org/10.6028/NIST.FIPS.180-4

[FIPS 186-4] National Institute of Standards and Technology (2013) Digital Signature
Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal
Information Processing Standards Publication (FIPS) 186-4.
https://doi.org/10.6028/NIST.FIPS.186-4

[FIPS 197] National Institute of Standards and Technology (2001) Advanced Encryption
Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal
Information Processing Standards Publication (FIPS) 197.
https://doi.org/10.6028/NIST.FIPS.197
[FIPS 199] National Institute of Standards and Technology (2004) Standards for
Security Categorization of Federal Information and Information Systems.
(U.S. Department of Commerce, Washington, D.C.), Federal Information
Processing Standards Publication (FIPS) 199.
https://doi.org/10.6028/NIST.FIPS.199

APPENDIX A PAGE 368

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[FIPS 200] National Institute of Standards and Technology (2006) Minimum Security
Requirements for Federal Information and Information Systems. (U.S.
Department of Commerce, Washington, D.C.), Federal Information
Processing Standards Publication (FIPS) 200.
https://doi.org/10.6028/NIST.FIPS.200
[FIPS 201-2] National Institute of Standards and Technology (2013) Personal Identity
Verification (PIV) of Federal Employees and Contractors. (U.S. Department
of Commerce, Washington, D.C.), Federal Information Processing Standards
Publication (FIPS) 201-2.
https://doi.org/10.6028/NIST.FIPS.201-2
[FIPS 202] National Institute of Standards and Technology (2015) SHA-3 Standard:
Permutation-Based Hash and Extendable-Output Functions. (U.S.
Department of Commerce, Washington, D.C.), Federal Information
Processing Standards Publication (FIPS) 202.
https://doi.org/10.6028/NIST.FIPS.202
[SP 800-12] Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information
Security. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-12, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-12r1

[SP 800-18] Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans
for Federal Information Systems. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev.
1.
https://doi.org/10.6028/NIST.SP.800-18r1
[SP 800-28] Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content
and Mobile Code. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2.
https://doi.org/10.6028/NIST.SP.800-28ver2
[SP 800-30] Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk
Assessments. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-30r1
[SP 800-32] Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key
Technology and the Federal PKI Infrastructure. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-32.
https://doi.org/10.6028/NIST.SP.800-32
[SP 800-34] Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency
Planning Guide for Federal Information Systems. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-34, Rev. 1, Includes updates as of November 11, 2010.
https://doi.org/10.6028/NIST.SP.800-34r1

APPENDIX A PAGE 369

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-35] Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information
Technology Security Services. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.
https://doi.org/10.6028/NIST.SP.800-35

[SP 800-37] Joint Task Force (2018) Risk Management Framework for Information
Systems and Organizations: A System Life Cycle Approach for Security and
Privacy. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-37, Rev. 2.
https://doi.org/10.6028/NIST.SP.800-37r2
[SP 800-39] Joint Task Force Transformation Initiative (2011) Managing Information
Security Risk: Organization, Mission, and Information System View.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-39.
https://doi.org/10.6028/NIST.SP.800-39
[SP 800-40] Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management
Technologies. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3.
https://doi.org/10.6028/NIST.SP.800-40r3
[SP 800-41] Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-41, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-41r1
[SP 800-45] Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on
Electronic Mail Security. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2.
https://doi.org/10.6028/NIST.SP.800-45ver2

[SP 800-46] Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote
Access, and Bring Your Own Device (BYOD) Security. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-46, Rev. 2.
https://doi.org/10.6028/NIST.SP.800-46r2
[SP 800-47] Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for
Interconnecting Information Technology Systems. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-47.
https://doi.org/10.6028/NIST.SP.800-47
[SP 800-50] Wilson M, Hash J (2003) Building an Information Technology Security
Awareness and Training Program. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
https://doi.org/10.6028/NIST.SP.800-50

APPENDIX A PAGE 370

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-52] McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration,
and Use of Transport Layer Security (TLS) Implementations. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-52, Rev. 2.
https://doi.org/10.6028/NIST.SP.800-52r2
[SP 800-53A] Joint Task Force Transformation Initiative (2014) Assessing Security and
Privacy Controls in Federal Information Systems and Organizations: Building
Effective Assessment Plans. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev.
4, Includes updates as of December 18, 2014.
https://doi.org/10.6028/NIST.SP.800-53Ar4
[SP 800-53B] National Institute of Standards and Technology Special Publication 800-53B,
Control Baselines and Tailoring Guidance for Federal Information Systems
and Organizations. Projected for publication in 2020.
[SP 800-55] Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008)
Performance Measurement Guide for Information Security. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-55, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-55r1
[SP 800-56A] Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation
for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm
Cryptography. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3.
https://doi.org/10.6028/NIST.SP.800-56Ar3
[SP 800-56B] Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019)
Recommendation for Pair-Wise Key-Establishment Using Integer
Factorization Cryptography. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev.
2.
https://doi.org/10.6028/NIST.SP.800-56Br2
[SP 800-56C] Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation
Methods in Key-Establishment Schemes. (National Institute of Standards
and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C,
Rev. 1.
https://doi.org/10.6028/NIST.SP.800-56Cr1
[SP 800-57-1] Barker EB (2016) Recommendation for Key Management, Part 1: General.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-57 Part 1, Rev. 4.
https://doi.org/10.6028/NIST.SP.800-57pt1r4
[SP 800-57-2] Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2
– Best Practices for Key Management Organizations. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-57 Part 2, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-57pt2r1

APPENDIX A PAGE 371

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-57-3] Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3:
Application-Specific Key Management Guidance. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-57 Part 3, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-57pt3r1
[SP 800-58] Kuhn R, Walsh TJ, Fries S (2005) Security Considerations for Voice Over IP
Systems. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-58.
https://doi.org/10.6028/NIST.SP.800-58
[SP 800-60 v1] Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for
Mapping Types of Information and Information Systems to Security
Categories. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-60v1r1
[SP 800-60 v2] Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping
Types of Information and Information Systems to Security Categories:
Appendices. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-60v2r1
[SP 800-61] Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security
Incident Handling Guide. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
https://doi.org/10.6028/NIST.SP.800-61r2

[SP 800-63-3] Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
https://doi.org/10.6028/NIST.SP.800-63-3

[SP 800-63A] Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK,
Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity
Proofing. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2,
2020.
https://doi.org/10.6028/NIST.SP.800-63a
[SP 800-70] Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist
Program for IT Products: Guidelines for Checklist Users and Developers.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-70, Rev. 4.
https://doi.org/10.6028/NIST.SP.800-70r4
[SP 800-73-4] Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R,
Mohler J (2015) Interfaces for Personal Identity Verification. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-73-4, Includes updates as of February 8, 2016.
https://doi.org/10.6028/NIST.SP.800-73-4

APPENDIX A PAGE 372

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-76-2] Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications
for Personal Identity Verification. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2.
https://doi.org/10.6028/NIST.SP.800-76-2

[SP 800-77] Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR
(2005) Guide to IPsec VPNs. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77.
https://doi.org/10.6028/NIST.SP.800-77

[SP 800-78-4] Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic
Algorithms and Key Sizes for Personal Identity Verification. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-78-4.
https://doi.org/10.6028/NIST.SP.800-78-4
[SP 800-79-2] Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015)
Guidelines for the Authorization of Personal Identity Verification Card
Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-79-2.
https://doi.org/10.6028/NIST.SP.800-79-2
[SP 800-81-2] Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS)
Deployment Guide. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-81-2.
https://doi.org/10.6028/NIST.SP.800-81-2

[SP 800-82] Stouffer KA, Lightman S, Pillitteri VY, Abrams M, Hahn A (2015) Guide to
Industrial Control Systems (ICS) Security. (National Institute of Standards
and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-82,
Rev. 2.
https://doi.org/10.6028/NIST.SP.800-82r2
[SP 800-83] Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention
and Handling for Desktops and Laptops. (National Institute of Standards
and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83,
Rev. 1.
https://doi.org/10.6028/NIST.SP.800-83r1
[SP 800-84] Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test,
Training, and Exercise Programs for IT Plans and Capabilities. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-84.
https://doi.org/10.6028/NIST.SP.800-84
[SP 800-86] Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic
Techniques into Incident Response. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86.
https://doi.org/10.6028/NIST.SP.800-86

APPENDIX A PAGE 373

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-88] Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media
Sanitization. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-88, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-88r1

[SP 800-92] Kent K, Souppaya MP (2006) Guide to Computer Security Log Management.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-92.
https://doi.org/10.6028/NIST.SP.800-92

[SP 800-94] Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention
Systems (IDPS). (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-94.
https://doi.org/10.6028/NIST.SP.800-94

[SP 800-95] Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-95.
https://doi.org/10.6028/NIST.SP.800-95

[SP 800-97] Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless
Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-97.
https://doi.org/10.6028/NIST.SP.800-97
[SP 800-100] Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide
for Managers. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates
as of March 7, 2007.
https://doi.org/10.6028/NIST.SP.800-100
[SP 800-101] Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device
Forensics. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-101, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-101r1
[SP 800-111] Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption
Technologies for End User Devices. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111.
https://doi.org/10.6028/NIST.SP.800-111
[SP 800-113] Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-113.
https://doi.org/10.6028/NIST.SP.800-113
[SP 800-114] Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your
Own Device (BYOD) Security. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev.
1.
https://doi.org/10.6028/NIST.SP.800-114r1

APPENDIX A PAGE 374

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-115] Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to
Information Security Testing and Assessment. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-115.
https://doi.org/10.6028/NIST.SP.800-115
[SP 800-116] Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A
Recommendation for the Use of PIV Credentials in Physical Access Control
Systems (PACS). (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-116r1
[SP 800-121] Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA
(2017) Guide to Bluetooth Security. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev.
2.
https://doi.org/10.6028/NIST.SP.800-121r2
[SP 800-124] Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of
Mobile Devices in the Enterprise. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev.
1.
https://doi.org/10.6028/NIST.SP.800-124r1
[SP 800-125B] Chandramouli R (2016) Secure Virtual Network Configuration for Virtual
Machine (VM) Protection. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-125B.
https://doi.org/10.6028/NIST.SP.800-125B

[SP 800-126] Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The
Technical Specification for the Security Content Automation Protocol
(SCAP): SCAP Version 1.3. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3.
https://doi.org/10.6028/NIST.SP.800-126r3
[SP 800-128] Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for
Security-Focused Configuration Management of Information Systems.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-128.
https://doi.org/10.6028/NIST.SP.800-128
[SP 800-130] Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for
Designing Cryptographic Key Management Systems. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-130.
https://doi.org/10.6028/NIST.SP.800-130
[SP 800-137] Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD,
Scholl MA, Stine KM (2011) Information Security Continuous Monitoring
(ISCM) for Federal Information Systems and Organizations. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-137.
https://doi.org/10.6028/NIST.SP.800-137

APPENDIX A PAGE 375

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-147] Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection
Guidelines. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-147.
https://doi.org/10.6028/NIST.SP.800-147

[SP 800-150] Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide
to Cyber Threat Information Sharing. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150.
https://doi.org/10.6028/NIST.SP.800-150

[SP 800-152] Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal
Cryptographic Key Management Systems (CKMS). (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-152.
https://doi.org/10.6028/NIST.SP.800-152
[SP 800-154] Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat
Modeling. (National Institute of Standards and Technology, Gaithersburg,
MD), Draft NIST Special Publication (SP) 800-154.
https://csrc.nist.gov/publications/detail/sp/800-154/draft

[SP 800-156] Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S

(2016) Representation of PIV Chain-of-Trust for Import and Export.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-156.
https://doi.org/10.6028/NIST.SP.800-156
[SP 800-160 v1] Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering:
Considerations for a Multidisciplinary Approach in the Engineering of
Trustworthy Secure Systems. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol.
1, Includes updates as of March 21, 2018.
https://doi.org/10.6028/NIST.SP.800-160v1
[SP 800-160 v2] Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing
Cyber Resilient Systems: A Systems Security Engineering Approach.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-160, Vol. 2.
https://doi.org/10.6028/NIST.SP.800-160v2
[SP 800-161] Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk
Management Practices for Federal Information Systems and Organizations.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-161.
https://doi.org/10.6028/NIST.SP.800-161
[SP 800-162] Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA
(2014) Guide to Attribute Based Access Control (ABAC) Definition and
Considerations. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates
as of February 25, 2019.
https://doi.org/10.6028/NIST.SP.800-162

APPENDIX A PAGE 376

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-166] Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S

(2016) Derived PIV Application and Data Model Test Guidelines. (National
Institute of Standards and Technology, Gaithersburg, MD), NIST Special
Publication (SP) 800-166.
https://doi.org/10.6028/NIST.SP.800-166
[SP 800-167] Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application
Whitelisting. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Special Publication (SP) 800-167.
https://doi.org/10.6028/NIST.SP.800-167
[SP 800-171] Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting
Controlled Unclassified Information in Nonfederal Systems and
Organizations. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2.
https://doi.org/10.6028/NIST.SP.800-171r2
[SP 800-171B] Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019)
Protecting Controlled Unclassified Information in Nonfederal Systems and
Organizations: Enhanced Security Requirements for Critical Programs and
High Value Assets. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-171B.
https://csrc.nist.gov/CSRC/media/Publications/sp/800-
171b/draft/documents/sp800-171B-draft-ipd.pdf
[SP 800-177] Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy
Email. (National Institute of Standards and Technology, Gaithersburg, MD),
NIST Special Publication (SP) 800-177, Rev. 1.
https://doi.org/10.6028/NIST.SP.800-177r1
[SP 800-178] Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of
Attribute Based Access Control (ABAC) Standards for Data Service
Applications: Extensible Access Control Markup Language (XACML) and
Next Generation Access Control (NGAC). (National Institute of Standards
and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.
https://doi.org/10.6028/NIST.SP.800-178
[SP 800-181] Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for
Cybersecurity Education (NICE) Cybersecurity Workforce Framework.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Special Publication (SP) 800-181.
https://doi.org/10.6028/NIST.SP.800-181
[SP 800-184] Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP
(2016) Guide for Cybersecurity Event Recovery. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
800-184.
https://doi.org/10.6028/NIST.SP.800-184

APPENDIX A PAGE 377

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[SP 800-188] Garfinkel S (2016) De-Identifying Government Datasets. (National Institute

of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special
Publication (SP) 800-188.
https://csrc.nist.gov/publications/detail/sp/800-188/draft

[SP 800-189] Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange:

BGP Security and DDoS Mitigation. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189.
https://doi.org/10.6028/NIST.SP.800-189

[SP 800-192] Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access
Control Policies/Models. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Special Publication (SP) 800-192.
https://doi.org/10.6028/NIST.SP.800-192

[IR 7539] Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart
Cards. (National Institute of Standards and Technology, Gaithersburg, MD),
NIST Interagency or Internal Report (IR) 7539.
https://doi.org/10.6028/NIST.IR.7539

[IR 7559] Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS).
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 7559.
https://doi.org/10.6028/NIST.IR.7559

[IR 7622] Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional
Supply Chain Risk Management Practices for Federal Information Systems.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 7622.
https://doi.org/10.6028/NIST.IR.7622
[IR 7676] Cooper DA (2010) Maintaining and Using Key History on Personal Identity
Verification (PIV) Cards. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676.
https://doi.org/10.6028/NIST.IR.7676
[IR 7788] Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using
Probabilistic Attack Graphs. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR)
7788.
https://doi.org/10.6028/NIST.IR.7788
[IR 7817] Ferraiolo H (2012) A Credential Reliability and Revocation Model for
Federated Identities. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817.
https://doi.org/10.6028/NIST.IR.7817
[IR 7849] Chandramouli R (2014) A Methodology for Developing Authentication
Assurance Level Taxonomy for Smart Card-based Identity Verification.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 7849.
https://doi.org/10.6028/NIST.IR.7849

APPENDIX A PAGE 378

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[IR 7870] Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 7870.
https://doi.org/10.6028/NIST.IR.7870

[IR 7874] Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation
Metrics. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Interagency or Internal Report (IR) 7874.
https://doi.org/10.6028/NIST.IR.7874

[IR 7956] Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key

Management Issues & Challenges in Cloud Services. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal
Report (IR) 7956.
https://doi.org/10.6028/NIST.IR.7956
[IR 7966] Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of
Interactive and Automated Access Management Using Secure Shell (SSH).
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 7966.
https://doi.org/10.6028/NIST.IR.7966
[IR 8011 v1] Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security
Control Assessments: Volume 1: Overview. (National Institute of Standards
and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011,
Volume 1.
https://doi.org/10.6028/NIST.IR.8011-1
[IR 8023] Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices.
(National Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 8023.
https://doi.org/10.6028/NIST.IR.8023

[IR 8040] Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and
Security of Permuted Passwords on Mobile Platforms. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal
Report (IR) 8040.
https://doi.org/10.6028/NIST.IR.8040
[IR 8062] Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An
Introduction to Privacy Engineering and Risk Management in Federal
Systems. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Interagency or Internal Report (IR) 8062.
https://doi.org/10.6028/NIST.IR.8062
[IR 8179] Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process
Model: Prioritizing Systems and Components. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal
Report (IR) 8179.
https://doi.org/10.6028/NIST.IR.8179

APPENDIX A PAGE 379

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

MISCELLANEOUS PUBLICATIONS AND WEBSITES

[DHS TIC] Department of Homeland Security, Trusted Internet Connections (TIC).

https://www.dhs.gov/trusted-internet-connections
[DSB 2017] Department of Defense, Defense Science Board, Task Force on Cyber
Deterrence, February 2017.
https://www.acq.osd.mil/dsb/reports/2010s/DSB-CyberDeterrenceReport_02-28-
17_Final.pdf
[DOD STIG] Defense Information Systems Agency, Security Technical Implementation
Guides (STIG).
https://iase.disa.mil/stigs/Pages/index.aspx
[DODTERMS] Department of Defense, Dictionary of Military and Associated Terms.
http://www.dtic.mil/dtic/tr/fulltext/u2/a485800.pdf
[IETF 5905] Internet Engineering Task Force (IETF), Request for Comments: 5905,
Network Time Protocol Version 4: Protocol and Algorithms Specification,
June 2010.
https://tools.ietf.org/pdf/rfc5905.pdf
[LAMPSON73] B. W. Lampson, A Note on the Confinement Problem, Communications of
the ACM 16, 10, pp. 613-615, October 1973.
[NARA CUI] National Archives and Records Administration, Controlled Unclassified
Information (CUI) Registry.
https://www.archives.gov/cui
[NIAP CCEVS] National Information Assurance Partnership, Common Criteria Evaluation
and Validation Scheme.
https://www.niap-ccevs.org
[NIST CAVP] National Institute of Standards and Technology (2020) Cryptographic
Algorithm Validation Program. Available at
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program
[NIST CMVP] National Institute of Standards and Technology (2020) Cryptographic
Module Validation Program. Available at
https://csrc.nist.gov/projects/cryptographic-module-validation-program
[NIST CSF] National Institute of Standards and Technology (2018) Framework for
Improving Critical Infrastructure Cybersecurity, Version 1.1. (National
Institute of Standards and Technology, Gaithersburg, MD).
https://doi.org/10.6028/NIST.CSWP.04162018
[NCPR] National Institute of Standards and Technology (2020) National Checklist
Program Repository. Available at
https://nvd.nist.gov/ncp/repository
[NVD 800-53] National Institute of Standards and Technology (2020) National
Vulnerability Database: NIST Special Publication 800-53 [database of
controls]. Available at
https://nvd.nist.gov/800-53

APPENDIX A PAGE 380

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

[NEUM04] Principled Assuredly Trustworthy Composable Architectures, P. Neumann,

CDRL A001 Final Report, SRI International, December 2004.
http://www.csl.sri.com/users/neumann/chats4.pdf
[NSA CSFC] National Security Agency, Commercial Solutions for Classified Program
(CSfC).
https://www.nsa.gov/resources/everyone/csfc
[NSA MEDIA] National Security Agency, Media Destruction Guidance.
https://www.nsa.gov/resources/everyone/media-destruction
[POPEK74] G. Popek, The Principle of Kernel Design, in 1974 NCC, AFIPS Cong. Proc.,
Vol. 43, pp. 977-978.
[SALTZER75] J. Saltzer and M. Schroeder, The Protection of Information in Computer
Systems, in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308.
[USGCB] National Institute of Standards and Technology (2020) United States
Government Configuration Baseline. Available at
https://csrc.nist.gov/projects/united-states-government-configuration-baseline
15823

15824

APPENDIX A PAGE 381

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15825 APPENDIX B

15826 GLOSSARY
15827 COMMON TERMS AND DEFINITIONS

15828 Appendix B provides definitions for terminology used in NIST Special Publication 800-53. Sources
15829 for terms used in this publication are cited as applicable. Where no citation is noted, the source
15830 of the definition is Special Publication 800-53.

access control The process of granting or denying specific requests for

[FIPS 201-2] obtaining and using information and related information
processing services; and to enter specific physical facilities (e.g.,
Federal buildings, military establishments, and border crossing
entrances).
adequate security Security protections commensurate with the risk resulting from
[OMB A-130] the unauthorized access, use, disclosure, disruption,
modification, or destruction of information. This includes
ensuring that information hosted on behalf of an agency and
information systems and applications used by the agency
operate effectively and provide appropriate confidentiality,
integrity, and availability protections through the application of
cost-effective security controls.
advanced persistent An adversary that possesses sophisticated levels of expertise and
threat significant resources which allow it to create opportunities to
[SP 800-39]
achieve its objectives by using multiple attack vectors, including
cyber, physical, and deception. These objectives typically include
establishing and extending footholds within the IT infrastructure
of the targeted organizations for purposes of exfiltrating
information, undermining or impeding critical aspects of a
mission, program, or organization; or positioning itself to carry
out these objectives in the future. The advanced persistent
threat pursues its objectives repeatedly over an extended
period; adapts to defenders’ efforts to resist it; and is
determined to maintain the level of interaction needed to
execute its objectives.
agency Any executive agency or department, military department,
[OMB A-130] Federal Government corporation, Federal Government-
controlled corporation, or other establishment in the Executive
Branch of the Federal Government, or any independent
regulatory agency. See executive agency.
all-source intelligence Intelligence products and/or organizations and activities that
[DODTERMS] incorporate all sources of information, most frequently including
human resources intelligence, imagery intelligence,
measurement and signature intelligence, signals intelligence,
and open source data in the production of finished intelligence.

APPENDIX B PAGE 382

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

assessment The testing or evaluation of security or privacy controls to

[CNSSI 4009, Adapted] determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for
an information system or organization. See risk assessment.
assessment plan The objectives for the security and privacy control assessments
and a detailed roadmap of how to conduct such assessments.
assessor The individual, group, or organization responsible for conducting
a security or privacy control assessment.
assignment statement A control parameter that allows an organization to assign a
specific, organization-defined value to the control or control
enhancement (e.g., assigning a list of roles to be notified or a
value for the frequency of testing).
See organization-defined control parameters and selection
statement.
assurance Grounds for justified confidence that a [security or privacy] claim
[ISO/IEC 15026, Adapted] has been or will be achieved.
Note 1: Assurance is typically obtained relative to a set of specific claims. The
scope and focus of such claims may vary (e.g., security claims, safety claims)
and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate
credible evidence to substantiate claims.

audit Independent review and examination of records and activities to

[CNSSI 4009] assess the adequacy of system controls, to ensure compliance
with established policies and operational procedures.
audit log A chronological record of system activities, including records of
[CNSSI 4009] system accesses and operations performed in a given period.
audit record An individual entry in an audit log related to an audited event.
audit record reduction A process that manipulates collected audit information and
organizes such information in a summary format that is more
meaningful to analysts.
audit trail A chronological record that reconstructs and examines the
sequence of activities surrounding or leading to a specific
operation, procedure, or event in a security-relevant transaction
from inception to result.
authentication Verifying the identity of a user, process, or device, often as a
[FIPS 200] prerequisite to allowing access to resources in a system.
authenticator Something that the claimant possesses and controls (typically a
cryptographic module or password) that is used to authenticate
the claimant’s identity. This was previously referred to as a
token.

APPENDIX B PAGE 383

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

authenticity The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message,
or message originator. See authentication.
authorization Access privileges granted to a user, program, or process or the
[CNSSI 4009] act of granting those privileges.
authorization boundary All components of an information system to be authorized for
[OMB A-130] operation by an authorizing official. This excludes separately
authorized systems to which the information system is
connected.
authorization to operate The official management decision given by a senior Federal
[OMB A-130] official or officials to authorize operation of an information
system and to explicitly accept the risk to agency operations
(including mission, functions, image, or reputation), agency
assets, individuals, other organizations, and the Nation based on
the implementation of an agreed-upon set of security and
privacy controls. Authorization also applies to common controls
inherited by agency information systems.
authorizing official A senior Federal official or executive with the authority to
[OMB A-130] authorize (i.e., assume responsibility for) the operation of an
information system or the use of a designated set of common
controls at an acceptable level of risk to agency operations
(including mission, functions, image, or reputation), agency
assets, individuals, other organizations, and the Nation.
availability Ensuring timely and reliable access to and use of information.
[FISMA]
baseline See control baseline.
baseline configuration A documented set of specifications for a system, or a
[SP 800-128, Adapted] configuration item within a system, that has been formally
reviewed and agreed on at a given point in time, and which can
be changed only through change control procedures.
blacklisting The process used to identify software programs that are not
authorized to execute on a system; or prohibited Universal
Resource Locators or websites.
boundary protection Monitoring and control of communications at the external
interface to a system to prevent and detect malicious and other
unauthorized communications, using boundary protection
devices, for example, gateways, routers, firewalls, guards,
encrypted tunnels.
boundary protection A device with mechanisms that facilitates the adjudication of
device different connected system security policies or provides system
boundary protection.

APPENDIX B PAGE 384

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

breach The loss of control, compromise, unauthorized disclosure,

[OMB M-17-12] unauthorized acquisition, or any similar occurrence where: a
person other than an authorized user accesses or potentially
accesses personally identifiable information; or an authorized
user accesses personally identifiable information for another
than authorized purpose.
breadth An attribute associated with an assessment method that
[SP 800-53A] addresses the scope or coverage of the assessment objects
included with the assessment.
capability A combination of mutually-reinforcing security and/or privacy
controls implemented by technical means, physical means, and
procedural means. Such controls are typically selected to achieve
a common information security- or privacy-related purpose.
central management The organization-wide management and implementation of
selected security and privacy controls and related processes.
Central management includes planning, implementing,
assessing, authorizing, and monitoring the organization-defined,
centrally managed security and privacy controls and processes.
chief information officer The senior official that provides advice and other assistance to
[OMB A-130] the head of the agency and other senior management personnel
of the agency to ensure that IT is acquired and information
resources are managed for the agency in a manner that achieves
the agency’s strategic goals and information resources
management goals; and is responsible for ensuring agency
compliance with, and prompt, efficient, and effective
implementation of, the information policies and information
resources management responsibilities, including the reduction
of information collection burdens on the public.
chief information security See senior agency information security officer.
officer
classified information See classified national security information.
classified national Information that has been determined pursuant to Executive
security information Order (E.O.) 13526 or any predecessor order to require
[CNSSI 4009]
protection against unauthorized disclosure and is marked to
indicate its classified status when in documentary form.
commodity service A system service provided by a commercial service provider to a
large and diverse set of consumers. The organization acquiring or
receiving the commodity service possesses limited visibility into
the management structure and operations of the provider, and
while the organization may be able to negotiate service-level
agreements, the organization is typically not able to require that
the provider implement specific security or privacy controls.
common carrier A telecommunications company that holds itself out to the
public for hire to provide communications transmission services.

APPENDIX B PAGE 385

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

common control A security or privacy control that is inherited by multiple

[OMB A-130] information systems or programs.
common control provider An organizational official responsible for the development,
[SP 800-37] implementation, assessment, and monitoring of common
controls (i.e., security or privacy controls inheritable by systems).
common criteria Governing document that provides a comprehensive, rigorous
[CNSSI 4009] method for specifying security function and assurance
requirements for products and systems.
common secure A recognized standardized and established benchmark that
configuration stipulates specific secure configuration settings for a given
[SP 800-128]
information technology platform.
compensating controls The security and privacy controls employed in lieu of the
controls in the baselines described in NIST Special Publication
800-53B that provide equivalent or comparable protection for a
system or organization.
component See system component.
confidentiality Preserving authorized restrictions on information access and
[FISMA] disclosure, including means for protecting personal privacy and
proprietary information.
configuration control Process for controlling modifications to hardware, firmware,
[SP 800-128] software, and documentation to protect the system against
improper modifications before, during, and after system
implementation.
configuration item An aggregation of system components that is designated for
[SP 800-128] configuration management and treated as a single entity in the
configuration management process.
configuration A collection of activities focused on establishing and maintaining
management the integrity of information technology products and systems,
[SP 800-128]
through control of processes for initializing, changing, and
monitoring the configurations of those products and systems
throughout the system development life cycle.
configuration settings The set of parameters that can be changed in hardware,
[SP 800-128] software, or firmware that affect the security posture and/or
functionality of the system.
continuous monitoring Maintaining ongoing awareness to support organizational risk
[SP 800-137] decisions.
control assessment See assessment.
control assessor See assessor.

APPENDIX B PAGE 386

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

control baseline The set of security and privacy controls defined for a low-impact,
[FIPS 200, Adapted] moderate-impact, or high-impact system or selected based on
the privacy selection criteria that provide a starting point for the
tailoring process.
control effectiveness A measure of whether a given security or privacy control is
contributing to the reduction of information security or privacy
risk.
control enhancement Augmentation of a security or privacy control to build in
additional, but related, functionality to the control; increase the
strength of the control; or add assurance to the control.
control inheritance A situation in which a system or application receives protection
from security or privacy controls (or portions of controls) that
are developed, implemented, assessed, authorized, and
monitored by entities other than those responsible for the
system or application; entities either internal or external to the
organization where the system or application resides. See
common control.
controlled area Any area or space for which an organization has confidence that
the physical and procedural protections provided are sufficient
to meet the requirements established for protecting the
information and/or information system.
controlled interface An interface to a system with a set of mechanisms that enforces
the security policies and controls the flow of information
between connected systems.
controlled unclassified Information that the Government creates or possesses, or that
information an entity creates or possesses for or on behalf of the
[32 CFR 2002]
Government, that a law, regulation, or Government-wide policy
requires or permits an agency to handle using safeguarding or
dissemination controls. However, CUI does not include classified
information or information a non-executive branch entity
possesses and maintains in its own systems that did not come
from, or was not created or possessed by or for, an executive
branch agency or an entity acting for an agency.
counterfeit An unauthorized copy or substitute that has been identified,
[SP 800-161] marked, and/or altered by a source other than the item's legally
authorized source and has been misrepresented to be an
authorized item of the legally authorized source.
countermeasures Actions, devices, procedures, techniques, or other measures that
[FIPS 200] reduce the vulnerability of a system. Synonymous with security
controls and safeguards.

APPENDIX B PAGE 387

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

covert channel An unintended or unauthorized intra-system channel that

[CNSSI 4009] enables two cooperating entities to transfer information in a way
that violates the system's security policy but does not exceed the
entities' access authorizations.
covert channel analysis Determination of the extent to which the security policy model
[CNSSI 4009] and subsequent lower-level program descriptions may allow
unauthorized access to information.
covert storage channel A system feature that enables one system entity to signal
[CNSSI 4009] information to another entity by directly or indirectly writing to a
storage location that is later directly or indirectly read by the
second entity.
covert timing channel A system feature that enables one system entity to signal
[CNSSI 4009, Adapted] information to another by modulating its own use of a system
resource in such a way as to affect system response time
observed by the second entity.
critical infrastructure Systems and assets, whether physical or virtual, so vital to the
[USA PATRIOT] United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any
combination of those matters.
cross domain solution A form of controlled interface that provides the ability to
[CNSSI 1253] manually and/or automatically access and/or transfer
information between different security domains.
cryptographic module The set of hardware, software, and/or firmware that implements
[FIPS 140] Approved security functions (including cryptographic algorithms
and key generation) and is contained within the cryptographic
boundary.
cybersecurity Prevention of damage to, protection of, and restoration of
[OMB A-130] computers, electronic communications systems, electronic
communications services, wire communication, and electronic
communication, including information contained therein, to
ensure its availability, integrity, authentication, confidentiality,
and nonrepudiation.
cyberspace The interdependent network of information technology
[CNSSI 4009] infrastructures that includes the Internet, telecommunications
networks, computer systems, and embedded processors and
controllers in critical industries.
data action A system operation that processes personally identifiable
[IR 8062] information.
data mining An analytical process that attempts to find correlations or
patterns in large data sets for the purpose of data or knowledge
discovery.

APPENDIX B PAGE 388

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

de-identification General term for any process of removing the association

[ISO 25237] between a set of identifying data and the data subject.
defense-in-breadth A planned, systematic set of multidisciplinary activities that seek
[CNSSI 4009] to identify, manage, and reduce risk of exploitable vulnerabilities
at every stage of the system, network, or subcomponent life
cycle, including system, network, or product design and
development; manufacturing; packaging; assembly; system
integration; distribution; operations; maintenance; and
retirement.
defense-in-depth Information security strategy that integrates people, technology,
and operations capabilities to establish variable barriers across
multiple layers and missions of the organization.
depth An attribute associated with an assessment method that
[SP 800-53A] addresses the rigor and level of detail associated with the
application of the method.
developer A general term that includes developers or manufacturers of
systems, system components, or system services; systems
integrators; vendors; and product resellers. Development of
systems, components, or services can occur internally within
organizations or through external entities.
digital media A form of electronic media where data are stored in digital (as
opposed to analog) form.
discretionary access An access control policy that is enforced over all subjects and
control objects in a system where the policy specifies that a subject that
has been granted access to information can do one or more of
the following: pass the information to other subjects or objects;
grant its privileges to other subjects; change security attributes
on subjects, objects, systems, or system components; choose the
security attributes to be associated with newly-created or
revised objects; or change the rules governing access control.
Mandatory access controls restrict this capability.
disassociability Enabling the processing of personally identifiable information or
[IR 8062] events without association to individuals or devices beyond the
operational requirements of the system.
domain An environment or context that includes a set of system
resources and a set of system entities that have the right to
access the resources as defined by a common security policy,
security model, or security architecture. See security domain.

APPENDIX B PAGE 389

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

enterprise An organization with a defined mission/goal and a defined

[CNSSI 4009] boundary, using systems to execute that mission, and with
responsibility for managing its own risks and performance. An
enterprise may consist of all or some of the following business
aspects: acquisition, program management, human resources,
financial management, security, and systems, information and
mission management. See organization.
enterprise architecture A strategic information asset base, which defines the mission;
[OMB A-130] the information necessary to perform the mission; the
technologies necessary to perform the mission; and the
transitional processes for implementing new technologies in
response to changing mission needs; and includes a baseline
architecture; a target architecture; and a sequencing plan.
environment of operation The physical surroundings in which an information system
[OMB A-130] processes, stores, and transmits information.
event Any observable occurrence in a system.
[SP 800-61, Adapted]
executive agency An executive department specified in 5 U.S.C., Sec. 101; a
[OMB A-130] military department specified in 5 U.S.C., Sec. 102; an
independent establishment as defined in 5 U.S.C., Sec. 104(1);
and a wholly owned Government corporation fully subject to the
provisions of 31 U.S.C., Chapter 91.
exfiltration The unauthorized transfer of information from a system.
external system (or A system or component of a system that is used by, but not a
component) part of, an organizational system and for which the organization
has no direct control over the implementation of required
security and privacy controls or the assessment of control
effectiveness.
external system service A system service that is provided by an external service provider
and for which the organization has no direct control over the
implementation of required security and privacy controls or the
assessment of control effectiveness.
external system service A provider of external system services to an organization
provider through a variety of consumer-producer relationships, including
joint ventures; business partnerships; outsourcing arrangements
(i.e., through contracts, interagency agreements, lines of
business arrangements); licensing agreements; and/or supply
chain exchanges.
external network A network not controlled by the organization.
failover The capability to switch over automatically (typically without
human intervention or warning) to a redundant or standby
system upon the failure or abnormal termination of the
previously active system.

APPENDIX B PAGE 390

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

federal information An information system used or operated by an executive agency,

system by a contractor of an executive agency, or by another
[OMB A-130] organization on behalf of an executive agency.
FIPS-validated A cryptographic module validated by the Cryptographic Module
cryptography Validation Program (CMVP) to meet requirements specified in
FIPS Publication 140-3 (as amended). As a prerequisite to CMVP
validation, the cryptographic module is required to employ a
cryptographic algorithm implementation that has successfully
passed validation testing by the Cryptographic Algorithm
Validation Program (CAVP). See NSA-approved cryptography.
firmware Computer programs and data stored in hardware - typically in
[CNSSI 4009] read-only memory (ROM) or programmable read-only memory
(PROM) - such that the programs and data cannot be
dynamically written or modified during execution of the
programs. See hardware and software.
hardware The material physical components of a system. See software and
[CNSSI 4009] firmware.
high-impact system A system in which at least one security objective (i.e.,
[FIPS 200] confidentiality, integrity, or availability) is assigned a FIPS
Publication 199 potential impact value of high.
hybrid control A security or privacy control that is implemented for an
[OMB A-130] information system in part as a common control and in part as a
system-specific control.
identifier Unique data used to represent a person’s identity and associated
[FIPS 201-2] attributes. A name or a card number are examples of identifiers.
A unique label used by a system to indicate a specific entity,
object, or group.
impact The effect on organizational operations, organizational assets,
individuals, other organizations, or the Nation (including the
national security interests of the United States) of a loss of
confidentiality, integrity, or availability of information or a
system.
impact value The assessed worst-case potential impact that could result from
[FIPS 199] a compromise of the confidentiality, integrity, or availability of
information expressed as a value of low, moderate or high.
incident An occurrence that actually or imminently jeopardizes, without
[FISMA] lawful authority, the confidentiality, integrity, or availability of
information or an information system; or constitutes a violation
or imminent threat of violation of law, security policies, security
procedures, or acceptable use policies.

APPENDIX B PAGE 391

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

industrial control system General term that encompasses several types of control systems,
[SP 800-82] including supervisory control and data acquisition (SCADA)
systems, distributed control systems (DCS), and other control
system configurations such as programmable logic controllers
(PLC) often found in the industrial sectors and critical
infrastructures. An ICS consists of combinations of control
components (e.g., electrical, mechanical, hydraulic, pneumatic)
that act together to achieve an industrial objective (e.g.,
manufacturing, transportation of matter or energy).
information Any communication or representation of knowledge such as
[OMB A-130] facts, data, or opinions in any medium or form, including textual,
numerical, graphic, cartographic, narrative, electronic, or
audiovisual forms.
information flow control Controls to ensure that information transfers within a system or
organization are not made in violation of the security policy.
information leakage The intentional or unintentional release of information to an
untrusted environment.
information owner Official with statutory or operational authority for specified
[SP 800-37] information and responsibility for establishing the controls for its
generation, collection, processing, dissemination, and disposal.
information resources Information and related resources, such as personnel,
[OMB A-130] equipment, funds, and information technology.
information security The protection of information and systems from unauthorized
[OMB A-130] access, use, disclosure, disruption, modification, or destruction
in order to provide confidentiality, integrity, and availability.
information security An embedded, integral part of the enterprise architecture that
architecture describes the structure and behavior of the enterprise security
[OMB A-130] processes, security systems, personnel and organizational
subunits, showing their alignment with the enterprise’s mission
and strategic plans.
information security Aggregate of directives, regulations, rules, and practices that
policy prescribes how an organization manages, protects, and
[CNSSI 4009]
distributes information.
information security Formal document that provides an overview of the security
program plan requirements for an organization-wide information security
[OMB A-130]
program and describes the program management controls and
common controls in place or planned for meeting those
requirements.
information security risk The risk to organizational operations (including mission,
[SP 800-30] functions, image, reputation), organizational assets, individuals,
other organizations, and the Nation due to the potential for
unauthorized access, use, disclosure, disruption, modification, or
destruction of information and/or systems.

APPENDIX B PAGE 392

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

information steward An agency official with statutory or operational authority for

[SP 800-37] specified information and responsibility for establishing the
controls for its generation, collection, processing, dissemination,
and disposal.
information system A discrete set of information resources organized for the
[OMB A-130] collection, processing, maintenance, use, sharing, dissemination,
or disposition of information.
information technology Any services, equipment, or interconnected system(s) or
[OMB A-130] subsystem(s) of equipment, that are used in the automatic
acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching,
interchange, transmission, or reception of data or information by
the agency. For purposes of this definition, such services or
equipment if used by the agency directly or is used by a
contractor under a contract with the agency that requires its
use; or to a significant extent, its use in the performance of a
service or the furnishing of a product. Information technology
includes computers, ancillary equipment (including imaging
peripherals, input, output, and storage devices necessary for
security and surveillance), peripheral equipment designed to be
controlled by the central processing unit of a computer,
software, firmware and similar procedures, services (including
cloud computing and help-desk services or other professional
services which support any point of the life cycle of the
equipment or service), and related resources. Information
technology does not include any equipment that is acquired by a
contractor incidental to a contract which does not require its
use.
information technology See system component.
product
information type A specific category of information (e.g., privacy, medical,
[FIPS 199] proprietary, financial, investigative, contractor-sensitive, security
management) defined by an organization or in some instances,
by a specific law, Executive Order, directive, policy, or regulation.
insider Any person with authorized access to any organizational
[CNSSI 4009, Adapted] resource, to include personnel, facilities, information,
equipment, networks, or systems.
insider threat The threat that an insider will use her/his authorized access,
[CNSSI 4009, Adapted] wittingly or unwittingly, to do harm to the security of
organizational operations and assets, individuals, other
organizations, and the Nation. This threat can include damage
through espionage, terrorism, unauthorized disclosure of
national security information, or through the loss or degradation
of organizational resources or capabilities.

APPENDIX B PAGE 393

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

insider threat program A coordinated collection of capabilities authorized by the

[CNSSI 4009, Adapted] organization and used to deter, detect, and mitigate the
unauthorized disclosure of information.
interface Common boundary between independent systems or modules
[CNSSI 4009] where interactions take place.
integrity Guarding against improper information modification or
[FISMA] destruction, and includes ensuring information non-repudiation
and authenticity.
internal network A network where the establishment, maintenance, and
provisioning of security controls are under the direct control of
organizational employees or contractors; or cryptographic
encapsulation or similar security technology implemented
between organization-controlled endpoints, provides the same
effect (at least regarding confidentiality and integrity). An
internal network is typically organization-owned, yet may be
organization-controlled while not being organization-owned.
label See security label.
least privilege The principle that a security architecture is designed so that each
[CNSSI 4009] entity is granted the minimum system resources and
authorizations that the entity needs to perform its function.
line of business The following OMB-defined process areas common to virtually
all federal agencies: Case Management, Financial Management,
Grants Management, Human Resources Management, Federal
Health Architecture, Systems Security, Budget Formulation and
Execution, Geospatial, and IT Infrastructure.
local access Access to an organizational system by a user (or process acting
on behalf of a user) communicating through a direct connection
without the use of a network.
logical access control An automated system that controls an individual’s ability to
system access one or more computer system resources such as a
workstation, network, application, or database. A logical access
control system requires validation of an individual’s identity
through some mechanism such as a PIN, card, biometric, or
other token. It has the capability to assign different access
privileges to different persons depending on their roles and
responsibilities in an organization.
low-impact system A system in which all three security objectives (i.e.,
[FIPS 200] confidentiality, integrity, and availability) are assigned a FIPS
Publication 199 potential impact value of low.

APPENDIX B PAGE 394

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

malicious code Software or firmware intended to perform an unauthorized

process that will have adverse impact on the confidentiality,
integrity, or availability of a system. A virus, worm, Trojan horse,
or other code-based entity that infects a host. Spyware and
some forms of adware are also examples of malicious code.
managed interface An interface within a system that provides boundary protection
capability using automated mechanisms or devices.
mandatory access control An access control policy that is uniformly enforced across all
subjects and objects within a system. A subject that has been
granted access to information is constrained from: passing the
information to unauthorized subjects or objects; granting its
privileges to other subjects; changing one or more security
attributes on subjects, objects, the system, or system
components; choosing the security attributes to be associated
with newly-created or modified objects; or changing the rules for
governing access control. Organization-defined subjects may
explicitly be granted organization-defined privileges (i.e., they
are trusted subjects) such that they are not limited by some or
all the above constraints. Mandatory access control is
considered a type of nondiscretionary access control.
marking See security marking.
matching agreement A written agreement between a recipient agency and a source
[OMB A-108] agency (or a non-Federal agency) that is required by the Privacy
Act for parties engaging in a matching program.
media Physical devices or writing surfaces including magnetic tapes,
[FIPS 200] optical disks, magnetic disks, Large-Scale Integration memory
chips, and printouts (but excluding display media) onto which
information is recorded, stored, or printed within a system.
metadata Information describing the characteristics of data, including
structural metadata describing data structures (i.e., data format,
syntax, semantics) and descriptive metadata describing data
contents (i.e., security labels).
mobile code Software programs or parts of programs obtained from remote
systems, transmitted across a network, and executed on a local
system without explicit installation or execution by the recipient.
mobile code technologies Software technologies that provide the mechanisms for the
production and use of mobile code.

APPENDIX B PAGE 395

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

mobile device A portable computing device that has a small form factor such
that it can easily be carried by a single individual, is designed to
operate without a physical connection (e.g., wirelessly transmit
or receive information), possesses local, non-removable data
storage, and is powered on for extended periods of time with a
self-contained power source. Mobile devices may also include
voice communication capabilities, on board sensors that allow
the device to capture (e.g., photograph, video, record, or
determine location) information, and/or built-in features for
synchronizing local data with remote locations. Examples include
smart phones, tablets, and E-readers.
moderate-impact system A system in which at least one security objective (i.e.,
[FIPS 200] confidentiality, integrity, or availability) is assigned a FIPS
Publication 199 potential impact value of moderate and no
security objective is assigned a potential impact value of high.
multifactor An authentication system or an authenticator that requires more
authentication than one authentication factor for successful authentication.
[SP 800-63-3] Multifactor authentication can be performed using a single
authenticator that provides more than one factor or by a
combination of authenticators that provide different factors.
The three authentication factors are something you know,
something you have, and something you are. See authenticator.
multilevel security Concept of processing information with different classifications
[CNSSI 4009] and categories that simultaneously permits access by users with
different security clearances and denies access to users who lack
authorization.
multiple security levels Capability of a system that is trusted to contain, and maintain
[CNSSI 4009] separation between, resources (particularly stored data) of
different security domains.
national security system Any system (including any telecommunications system) used or
[OMB A-130] operated by an agency or by a contractor of an agency, or other
organization on behalf of an agency—(i) the function, operation,
or use of which involves intelligence activities; involves
cryptologic activities related to national security; involves
command and control of military forces; involves equipment that
is an integral part of a weapon or weapons system; or is critical
to the direct fulfillment of military or intelligence missions
(excluding a system that is to be used for routine administrative
and business applications, for example, payroll, finance, logistics,
and personnel management applications); or (ii) is protected at
all times by procedures established for information that have
been specifically authorized under criteria established by an
Executive Order or an Act of Congress to be kept classified in the
interest of national defense or foreign policy.

APPENDIX B PAGE 396

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

network A system implemented with a collection of connected

components. Such components may include routers, hubs,
cabling, telecommunications controllers, key distribution
centers, and technical control devices.
network access Access to a system by a user (or a process acting on behalf of a
user) communicating through a network, including a local area
network, a wide area network, and the Internet.
nonce A value used in security protocols that is never repeated with the
[SP 800-63-3] same key. For example, nonces used as challenges in challenge-
response authentication protocols are not repeated until the
authentication keys are changed. Otherwise, there is a possibility
of a replay attack.
nondiscretionary access See mandatory access control.
control
nonlocal maintenance Maintenance activities conducted by individuals communicating
through a network, either an external network or internal
network.
non-organizational user A user who is not an organizational user (including public users).
non-repudiation Protection against an individual falsely denying having
performed a certain action and provides the capability to
determine whether an individual took a certain action such as
creating information, sending a message, approving information,
and receiving a message.
NSA-approved Cryptography that consists of an approved algorithm; an
cryptography implementation that has been approved for the protection of
classified information and/or controlled unclassified information
in a specific environment; and a supporting key management
infrastructure.
object Passive system-related entity, including devices, files, records,
tables, processes, programs, and domains, that contain or
receive information. Access to an object (by a subject) implies
access to the information it contains. See subject.
operational technology Programmable systems or devices that interact with the physical
environment (or manage devices that interact with the physical
environment). These systems or devices detect or cause a direct
change through the monitoring or control of devices, processes,
and events. Examples include industrial control systems, building
management systems, fire control systems, and physical access
control mechanisms.
operations technology See operational technology.

APPENDIX B PAGE 397

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

operations security Systematic and proven process by which potential adversaries

[CNSSI 4009] can be denied information about capabilities and intentions by
identifying, controlling, and protecting generally unclassified
evidence of the planning and execution of sensitive activities.
The process involves five steps: identification of critical
information, analysis of threats, analysis of vulnerabilities,
assessment of risks, and application of appropriate
countermeasures.
organization An entity of any size, complexity, or positioning within an
[FIPS 200, Adapted] organizational structure, including federal agencies, private
enterprises, academic institutions, state, local, or tribal
governments, or as appropriate, any of their operational
elements.
organization-defined The variable part of a control or control enhancement that is
control parameter instantiated by an organization during the tailoring process by
either assigning an organization-defined value or selecting a
value from a pre-defined list provided as part of the control or
control enhancement. See assignment statement and selection
statement.
organizational user An organizational employee or an individual the organization
deems to have equivalent status of an employee, including
contractor, guest researcher, individual detailed from another
organization. Policy and procedures for granting equivalent
status of employees to individuals may include need-to-know,
relationship to the organization, and citizenship.
overlay A specification of security or privacy controls, control
[OMB A-130] enhancements, supplemental guidance, and other supporting
information employed during the tailoring process, that is
intended to complement (and further refine) security control
baselines. The overlay specification may be more stringent or
less stringent than the original security control baseline
specification and can be applied to multiple information systems.
See tailoring.
penetration testing A test methodology in which assessors, typically working under
specific constraints, attempt to circumvent or defeat the security
features of a system.
periods processing A mode of system operation in which information of different
sensitivities is processed at distinctly different times by the same
system, with the system being properly purged or sanitized
between periods.
personally identifiable Information that can be used to distinguish or trace an
information individual’s identity, either alone or when combined with other
[OMB A-130] information that is linked or linkable to a specific individual.

APPENDIX B PAGE 398

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

personally identifiable An operation or set of operations performed upon personally

information processing identifiable information that can include, but is not limited to,
[ISO/IEC 29100, Adapted] the collection, retention, logging, generation, transformation,
use, disclosure, transfer, and disposal of personally identifiable
information.
personally identifiable The requirements for how personally identifiable information
information processing can be processed or the conditions under which personally
permissions identifiable information can be processed.
personnel security The discipline of assessing the conduct, integrity, judgment,
loyalty, reliability, and stability of individuals for duties and
responsibilities requiring trustworthiness.
physical access control An electronic system that controls the ability of people or
system vehicles to enter a protected area, by means of authentication
[SP 800-116] and authorization at access control points.
plan of action and A document that identifies tasks needing to be accomplished. It
milestones details resources required to accomplish the elements of the
plan, any milestones in meeting the tasks, and scheduled
completion dates for the milestones.
portable storage device A system component that can communicate with and be added
to or removed from a system or network and that is limited to
data storage, including text, video, audio or image data, as its
primary function (e.g., optical discs; external or removable hard
drives; external or removable solid-state disk drives; magnetic or
optical tapes; flash memory devices; flash memory cards; and
other external or removable disks).
potential impact The loss of confidentiality, integrity, or availability could be
[FIPS 199] expected to have a limited adverse effect (FIPS Publication 199
low); a serious adverse effect (FIPS Publication 199 moderate);
or a severe or catastrophic adverse effect (FIPS Publication 199
high) on organizational operations, organizational assets, or
individuals.
privacy control The administrative, technical, and physical safeguards employed
[OMB A-130] within an agency to ensure compliance with applicable privacy
requirements and manage privacy risks.
privacy impact An analysis of how information is handled to ensure handling
assessment conforms to applicable legal, regulatory, and policy requirements
[OMB A-130] regarding privacy; to determine the risks and effects of creating,
collecting, using, processing, storing, maintaining, disseminating,
disclosing, and disposing of information in identifiable form in an
electronic information system; and to examine and evaluate
protections and alternate processes for handling information to
mitigate potential privacy concerns. A privacy impact assessment
is both an analysis and a formal document detailing the process
and the outcome of the analysis.

APPENDIX B PAGE 399

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

privacy plan A formal document that details the privacy controls selected for
[OMB A-130] an information system or environment of operation that are in
place or planned for meeting applicable privacy requirements
and managing privacy risks, details how the controls have been
implemented, and describes the methodologies and metrics that
will be used to assess the controls.
privacy program plan A formal document that provides an overview of an agency’s
[OMB A-130] privacy program, including a description of the structure of the
privacy program, the resources dedicated to the privacy
program, the role of the Senior Agency Official for Privacy and
other privacy officials and staff, the strategic goals and
objectives of the privacy program, and the program
management controls and common controls in place or planned
for meeting applicable privacy requirements and managing
privacy risks.
privileged account A system account with authorizations of a privileged user.
privileged command A human-initiated command executed on a system involving the
control, monitoring, or administration of the system, including
security functions and associated security-relevant information.
privileged user A user that is authorized (and therefore, trusted) to perform
[CNSSI 4009] security-relevant functions that ordinary users are not
authorized to perform.
protected distribution Wire line or fiber optic system that includes adequate safeguards
system and/or countermeasures (e.g., acoustic, electric,
[CNSSI 4009] electromagnetic, and physical) to permit its use for the
transmission of unencrypted information through an area of
lesser classification or control.
provenance The chronology of the origin, development, ownership, location,
and changes to a system or system component and associated
data. It may also include personnel and processes used to
interact with or make modifications to the system, component,
or associated data.
public key infrastructure The architecture, organization, techniques, practices, and
[CNSSI 4009] procedures that collectively support the implementation and
operation of a certificate-based public key cryptographic system.
Framework established to issue, maintain, and revoke public key
certificates.
purge A method of sanitization that applies physical or logical
[SP 800-88] techniques that render target data recovery infeasible using
state of the art laboratory techniques.

APPENDIX B PAGE 400

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

reciprocity Agreement among participating organizations to accept each

[SP 800-37] other’s security assessments to reuse system resources and/or
to accept each other’s assessed security posture to share
information.
records All recorded information, regardless of form or characteristics,
[OMB A-130] made or received by a Federal agency under Federal law or in
connection with the transaction of public business and preserved
or appropriate for preservation by that agency or its legitimate
successor as evidence of the organization, functions, policies,
decisions, procedures, operations, or other activities of the
United States Government or because of the informational value
of data in them.
red team exercise An exercise, reflecting real-world conditions, conducted as a
simulated adversarial attempt to compromise organizational
missions or business processes and to provide a comprehensive
assessment of the security capability of an organization and its
systems.
reference monitor A set of design requirements on a reference validation
mechanism that as key component of an operating system,
enforces an access control policy over all subjects and objects. A
reference validation mechanism is always invoked (i.e., complete
mediation); tamperproof; and small enough to be subject to
analysis and tests, the completeness of which can be assured
(i.e., verifiable).
regrader A trusted process explicitly authorized to re-classify and re-label
[CNSSI 4009] data in accordance with a defined policy exception. Untrusted or
unauthorized processes are such actions by the security policy.
remote access Access to an organizational system by a user (or a process acting
on behalf of a user) communicating through an external
network.
remote maintenance Maintenance activities conducted by individuals communicating
through an external network.
replay resistance Protection against the capture of transmitted authentication or
access control information and its subsequent retransmission
with the intent of producing an unauthorized effect or gaining
unauthorized access.
resilience The ability to prepare for and adapt to changing conditions and
[CNSSI 4009] withstand and recover rapidly from disruptions. Resilience
includes the ability to withstand and recover from deliberate
attacks, accidents, or naturally occurring threats or incidents.

APPENDIX B PAGE 401

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

restricted data All data concerning (i) design, manufacture, or utilization of

[ATOM54] atomic weapons; (ii) the production of special nuclear material;
or (iii) the use of special nuclear material in the production of
energy, but shall not include data declassified or removed from
the Restricted Data category pursuant to Section 142 [of the
Atomic Energy Act of 1954].
risk A measure of the extent to which an entity is threatened by a
[OMB A-130] potential circumstance or event, and typically is a function of: (i)
the adverse impact, or magnitude of harm, that would arise if
the circumstance or event occurs; and (ii) the likelihood of
occurrence.
risk assessment The process of identifying risks to organizational operations
[SP 800-39] (including mission, functions, image, reputation), organizational
[IR 8062, adapted] assets, individuals, other organizations, and the Nation, resulting
from the operation of a system.
Risk management includes threat and vulnerability analyses as
well as analyses of adverse effects on individuals arising from
information processing and considers mitigations provided by
security and privacy controls planned or in place. Synonymous
with risk analysis.
risk executive (function) An individual or group within an organization that helps to
[SP 800-37] ensure that security risk-related considerations for individual
systems, to include the authorization decisions for those
systems, are viewed from an organization-wide perspective with
regard to the overall strategic goals and objectives of the
organization in carrying out its missions and business functions;
and managing risk from individual systems is consistent across
the organization, reflects organizational risk tolerance, and is
considered along with other organizational risks affecting
mission or business success.
risk management The program and supporting processes to manage risk to agency
[OMB A-130] operations (including mission, functions, image, reputation),
agency assets, individuals, other organizations, and the Nation,
and includes: establishing the context for risk-related activities;
assessing risk; responding to risk once determined; and
monitoring risk over time.
risk mitigation Prioritizing, evaluating, and implementing the appropriate risk-
[CNSSI 4009] reducing controls/countermeasures recommended from the risk
management process.
risk response Accepting, avoiding, mitigating, sharing, or transferring risk to
[OMB A-130] agency operations, agency assets, individuals, other
organizations, or the Nation.

APPENDIX B PAGE 402

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

role-based access control Access control based on user roles (i.e., a collection of access
authorizations a user receives based on an explicit or implicit
assumption of a given role). Role permissions may be inherited
through a role hierarchy and typically reflect the permissions
needed to perform defined functions within an organization. A
given role may apply to a single individual or to several
individuals.
runtime The period during which a computer program is executing.
sanitization A process to render access to target data on the media infeasible
[SP 800-88] for a given level of effort. Clear, purge, and destroy are actions
that can be taken to sanitize media.
scoping considerations A part of tailoring guidance providing organizations with specific
considerations on the applicability and implementation of
security and privacy controls in the control baselines.
Considerations include policy or regulatory, technology, physical
infrastructure, system component allocation, public access,
scalability, common control, operational or environmental, and
security objective.
security A condition that results from the establishment and
[CNSSI 4009] maintenance of protective measures that enable an organization
to perform its mission or critical functions despite risks posed by
threats to its use of systems. Protective measures may involve a
combination of deterrence, avoidance, prevention, detection,
recovery, and correction that should form part of the
organization’s risk management approach.
security attribute An abstraction representing the basic properties or
characteristics of an entity with respect to safeguarding
information; typically associated with internal data structures,
including records, buffers, and files within the system and used
to enable the implementation of access control and flow control
policies, reflect special dissemination, handling or distribution
instructions, or support other aspects of the information security
policy.
security categorization The process of determining the security category for information
or a system. Security categorization methodologies are described
in CNSS Instruction 1253 for national security systems and in
FIPS Publication 199 for other than national security systems.
See security category.
security category The characterization of information or an information system
[OMB A-130] based on an assessment of the potential impact that a loss of
confidentiality, integrity, or availability of such information or
information system would have on agency operations, agency
assets, individuals, other organizations, and the Nation.

APPENDIX B PAGE 403

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

security control The safeguards or countermeasures prescribed for an

[OMB A-130] information system or an organization to protect the
confidentiality, integrity, and availability of the system and its
information.
security control baseline The set of minimum security controls defined for a low-impact,
[OMB A-130] moderate-impact, or high-impact information system.
security domain A domain that implements a security policy and is administered
[CNSSI 4009] by a single authority.
security functionality The security-related features, functions, mechanisms, services,
procedures, and architectures implemented within
organizational information systems or the environments in
which those systems operate.
security functions The hardware, software, or firmware of the system responsible
for enforcing the system security policy and supporting the
isolation of code and data on which the protection is based.
security impact analysis The analysis conducted by an organizational official to determine
[CNSSI 4009] the extent to which changes to the system have affected the
security state of the system.
security kernel Hardware, firmware, and software elements of a trusted
[CNSSI 4009] computing base implementing the reference monitor concept.
Security kernel must mediate all accesses, be protected from
modification, and be verifiable as correct.
security label The means used to associate a set of security attributes with a
specific information object as part of the data structure for that
object.
security marking The means used to associate a set of security attributes with
objects in a human-readable form, to enable organizational
process-based enforcement of information security policies.
security objective Confidentiality, integrity, or availability.
[FIPS 199]
security plan Formal document that provides an overview of the security
requirements for an information system or an information
security program and describes the security controls in place or
planned for meeting those requirements. The system security
plan describes the system components that are included within
the system; the environment in which the system operates; how
the security requirements are implemented; and the
relationships with or connections to other systems.
See system security plan.
security policy A set of criteria for the provision of security services.
[CNSSI 4009]

APPENDIX B PAGE 404

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

security policy filter A hardware and/or software component that performs one or
more of the following functions: content verification to ensure
the data type of the submitted content; content inspection,
analyzing the submitted content to verify it complies with a
defined policy; malicious content checker that evaluates the
content for malicious code; suspicious activity checker that
evaluates or executes the content in a safe manner, such as in a
sandbox or detonation chamber and monitors for suspicious
activity; or content sanitization, cleansing, and transformation,
which modifies the submitted content to comply with a defined
policy.
security requirement A requirement levied on an information system or an
[FIPS 200, Adapted] organization that is derived from applicable laws, executive
orders, directives, regulations, policies, standards, procedures,
or mission/business needs to ensure the confidentiality,
integrity, and availability of information that is being processed,
stored, or transmitted.
Note: Security requirements can be used in a variety of contexts from high-
level policy-related activities to low-level implementation-related activities in
system development and engineering disciplines.

security service A capability that supports one or more security requirements

[CNSSI 4009] (confidentiality, integrity, availability). Examples of security
services are key management, access control, and
authentication.
security-relevant Information within the system that can potentially impact the
information operation of security functions or the provision of security
services in a manner that could result in failure to enforce the
system security policy or maintain isolation of code and data.
selection statement A control parameter that allows an organization to select a value
from a list of pre-defined values provided as part of the control
or control enhancement (e.g., selecting to either restrict an
action or prohibit an action).
See assignment statement and organization-defined control
parameter.
senior agency Official responsible for carrying out the Chief Information Officer
information security responsibilities under FISMA and serving as the Chief
officer Information Officer’s primary liaison to the agency’s authorizing
officials, information system owners, and information system
security officers.
Note: Organizations subordinate to federal agencies may use the term senior
information security officer or chief information security officer to denote
individuals filling positions with similar responsibilities to senior agency
information security officers.

APPENDIX B PAGE 405

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

senior agency official for Senior official, designated by the head of each agency, who has
privacy agency-wide responsibility for privacy, including implementation
[OMB A-130] of privacy protections; compliance with Federal laws,
regulations, and policies relating to privacy; management of
privacy risks at the agency; and a central policy-making role in
the agency’s development and evaluation of legislative,
regulatory, and other policy proposals.
senior information See senior agency information security officer.
security officer
sensitive compartmented Classified information concerning or derived from intelligence
information sources, methods, or analytical processes, which is required to
[CNSSI 4009] be handled within formal access control systems established by
the Director of National Intelligence.
service-oriented A set of principles and methodologies for designing and
architecture developing software in the form of interoperable services. These
services are well-defined business functions that are built as
software components (i.e., discrete pieces of code and/or data
structures) that can be reused for different purposes.
shared control A security or privacy control that is implemented for an
information system in part as a common control and in part as a
system-specific control. See hybrid control.
software Computer programs and associated data that may be
[CNSSI 4009] dynamically written or modified during execution.
spam The abuse of electronic messaging systems to indiscriminately
send unsolicited bulk messages.
special access program A program established for a specific class of classified
[CNSSI 4009] information that imposes safeguarding and access requirements
that exceed those normally required for information at the same
classification level.
split tunneling The process of allowing a remote user or device to establish a
non-remote connection with a system and simultaneously
communicate via some other connection to a resource in an
external network. This method of network access enables a user
to access remote devices and simultaneously, access
uncontrolled networks.
spyware Software that is secretly or surreptitiously installed into an
information system to gather information on individuals or
organizations without their knowledge; a type of malicious code.
subject An individual, process, or device causing information to flow
among objects or change to the system state. Also see object.
subsystem A major subdivision or component of an information system
consisting of information, information technology, and
personnel that performs one or more specific functions.

APPENDIX B PAGE 406

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

supply chain Linked set of resources and processes between multiple tiers of
[ISO 28001, Adapted] developers that begins with the sourcing of products and
services and extends through the design, development,
manufacturing, processing, handling, and delivery of products
and services to the acquirer.
supply chain element An information technology product or product component that
contains programmable logic and that is critically important to
the functioning of a system.
supply chain risk A systematic process for managing supply chain risk by
management identifying susceptibilities, vulnerabilities, and threats
[CNSSD 505] throughout the supply chain and developing mitigation
strategies to combat those threats whether presented by the
supplier, the supplies product and its subcomponents, or the
supply chain (e.g., initial production, packaging, handling,
storage, transport, mission operation, and disposal).
system Any organized assembly of resources and procedures united and
[CNSSI 4009] regulated by interaction or interdependence to accomplish a set
of specific functions.
Note: Systems also include specialized systems such as industrial/process
controls systems, telephone switching and private branch exchange (PBX)
systems, and environmental control systems.
[ISO 15288] Combination of interacting elements organized to achieve one or
more stated purposes.
Note 1: There are many types of systems. Examples include: general and
special-purpose information systems; command, control, and communication
systems; crypto modules; central processing unit and graphics processor
boards; industrial/process control systems; flight control systems; weapons,
targeting, and fire control systems; medical devices and treatment systems;
financial, banking, and merchandising transaction systems; and social
networking systems.
Note 2: The interacting elements in the definition of system include hardware,
software, data, humans, processes, facilities, materials, and naturally occurring
physical entities.
Note 3: System-of-systems is included in the definition of system.

system component A discrete identifiable information technology asset that

[SP 800-128] represents a building block of a system and may include
hardware, software, and firmware.
system of records A group of any records under the control of any agency from
[USC 552] which information is retrieved by the name of the individual or
by some identifying number, symbol, or other identifying
particular assigned to the individual.
system of records notice The notice(s) published by an agency in the Federal Register
[OMB A-108] upon the establishment and/or modification of a system of
records describing the existence and character of the system.

APPENDIX B PAGE 407

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

system owner Official responsible for the overall procurement, development,

(or program manager) integration, modification, or operation and maintenance of a
system.
system Individual with assigned responsibility for maintaining the
security officer appropriate operational security posture for a system or
[SP 800-37]
program.
system security plan See security plan.

system service A capability provided by a system that facilitates information

processing, storage, or transmission.
system-related security Risk that arises through the loss of confidentiality, integrity, or
risk availability of information or systems and that considers impacts
[SP 800-30] to the organization (including assets, mission, functions, image,
or reputation), individuals, other organizations, and the Nation.
See risk.
system-specific control A security or privacy control for an information system that is
[OMB A-130] implemented at the system level and is not inherited by any
other information system.
tailored control baseline A set of controls resulting from the application of tailoring
guidance to a control baseline. See tailoring.
tailoring The process by which security control baselines are modified by:
identifying and designating common controls; applying scoping
considerations on the applicability and implementation of
baseline controls; selecting compensating security controls;
assigning specific values to organization-defined security control
parameters; supplementing baselines with additional security
controls or control enhancements; and providing additional
specification information for control implementation.
tampering An intentional but unauthorized act resulting in the modification
[CNSSI 4009] of a system, components of systems, its intended behavior, or
data.
threat Any circumstance or event with the potential to adversely
[SP 800-30] impact organizational operations, organizational assets,
individuals, other organizations, or the Nation through a system
via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.
threat assessment Formal description and evaluation of threat to an information
[CNSSI 4009] system.

APPENDIX B PAGE 408

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

threat modeling A form of risk assessment that models aspects of the attack and
[SP 800-154] defense sides of a logical entity, such as a piece of data, an
application, a host, a system, or an environment.
threat source The intent and method targeted at the intentional exploitation
[FIPS 200] of a vulnerability or a situation and method that may
accidentally trigger a vulnerability. See threat agent.
trusted path A mechanism by which a user (through an input device) can
communicate directly with the security functions of the system
with the necessary confidence to support the system security
policy. This mechanism can only be activated by the user or the
security functions of the system and cannot be imitated by
untrusted software.
trustworthiness The attribute of a person or enterprise that provides confidence
[CNSSI 4009] to others of the qualifications, capabilities, and reliability of that
entity to perform specific tasks and fulfill assigned
responsibilities.
trustworthiness The degree to which an information system (including the
(system)
information technology components that are used to build the
system) can be expected to preserve the confidentiality,
integrity, and availability of the information being processed,
stored, or transmitted by the system across the full range of
threats. A trustworthy information system is a system that is
believed to can operate within defined levels of risk despite the
environmental disruptions, human errors, structural failures, and
purposeful attacks that are expected to occur in its environment
of operation.
user Individual, or (system) process acting on behalf of an individual,
[CNSSI 4009, Adapted] authorized to access a system.
See organizational user and non-organizational user.
virtual private network Protected information system link utilizing tunneling, security
[CNSSI 4009] controls, and endpoint address translation giving the impression
of a dedicated line.
vulnerability Weakness in an information system, system security procedures,
[CNSSI 4009] internal controls, or implementation that could be exploited or
triggered by a threat source.
vulnerability analysis See vulnerability assessment.
vulnerability assessment Systematic examination of an information system or product to
[CNSSI 4009] determine the adequacy of security measures, identify security
deficiencies, provide data from which to predict the
effectiveness of proposed security measures, and confirm the
adequacy of such measures after implementation.

APPENDIX B PAGE 409

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

whitelisting The process used to identify software programs that are

authorized to execute on an information system; or authorized
Universal Resource Locators or websites.
15831

APPENDIX B PAGE 410

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15832 APPENDIX C

15833 ACRONYMS
15834 COMMON ABBREVIATIONS

ABAC Attribute Based Access Control

API Application Programming Interfaces
APT Advanced Persistent Threat
BIOS Basic Input Output System
CA Certificate Authority/Certificate Authorities
CAVP Cryptographic Algorithm Validation Program
CD Compact Disk
CD-R Compact Disk-Recordable
CIPSEA Confidential Information Protection and Statistical Efficiency Act
CIRT Computer Incident Response Team
CISA Cybersecurity and Infrastructure Security Agency
CMVP Cryptographic Module Validation Program
CNSSD Committee on National Security Systems Directive
CNSSI Committee on National Security Systems Instruction
CNSSP Committee on National Security Systems Policy
CUI Controlled Unclassified Information
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
CWE Common Weakness Enumeration
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
DNSSEC Domain Name System Security
DoD Department of Defense
DVD Digital Versatile Disk
DVD-R Digital Versatile Disk-Recordable
EAP Extensible Authentication Protocol
EMP Electromagnetic Pulse
EMSEC Emissions Security

APPENDIX C PAGE 411

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

FBCA Federal Bridge Certification Authority

FCC Federal Communications Commission
FIPPs Fair Information Practice Principles
FIPS Federal Information Processing Standards
FISMA Federal Information Security Modernization Act
FOCI Foreign Ownership, Control, or Influence
FOIA Freedom of Information Act
FTP File Transfer Protocol
GMT Greenwich Mean Time
GPS Global Positioning System
GSA General Services Administration
HSPD Homeland Security Presidential Directive
HTTP Hyper Text Transfer Protocol
ICS Industrial Control System
I/O Input/Output
IOC Indicators of Compromise
IoT Internet of Things
IP Internet Protocol
IR Internal Report
IT Information Technology
MAC Media Access Control
MTTF Mean Time To Failure
NARA National Archives and Records Administration
NATO North Atlantic Treaty Organization
NIAP National Information Assurance Partnership
NICE National Initiative for Cybersecurity Education
NIST National Institute of Standards and Technology
NOFORN Not Releasable to Foreign Nationals
NSA National Security Agency
NVD National Vulnerability Database
OMB Office of Management and Budget
OPSEC Operation Security
OVAL Open Vulnerability Assessment Language

APPENDIX C PAGE 412

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

PDF Portable Document Format

PII Personally Identifiable Information
PIN Personal Identification Number
PIV Personal Identity Verification
PIV-I Personal Identification Verification Interoperable
PKI Public Key Infrastructure
RBAC Role-Based Access Control
RD Restricted Data
RFID Radio-Frequency Identification
SAP Special Access Program
SCAP Security Content Automation Protocol
SCI Sensitive Compartmented Information
SMTP Simple Mail Transfer Protocol
SOC Security Operations Center
SP Special Publication
STIG Security Technical Implementation Guide
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TLS Transport Layer Security
TSP Telecommunications Service Priority
USGCB United States Government Configuration Baseline
USB Universal Serial Bus
UTC Coordinated Universal Time
VoIP Voice Over Internet Protocol
VPN Virtual Private Network
WORM Write-Once, Read-Many
XML Extensible Markup Language
15835

APPENDIX C PAGE 413

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15836 APPENDIX D

15837 CONTROL SUMMARIES

15838 IMPLEMENTATION, WITHDRAWAL, AND ASSURANCE DESIGNATIONS

15839 Tables D-1 through D-20 provide a summary of the security and privacy controls and control
15840 enhancements in Chapter Three. Each table focuses on a different control family. A control or
15841 control enhancement that has been withdrawn from the control catalog is indicated by an
15842 explanation of the control or control enhancement disposition in light gray text. A control or
15843 control enhancement that is typically implemented by an information system through technical
15844 means is indicated by an “S” in the implemented by column. A control or control enhancement
15845 that is typically implemented by an organization (i.e., by an individual through nontechnical
15846 means) is indicated by an “O” in the implemented by column. 32 A control or control
15847 enhancement that can be implemented by an organization or a system or a combination of the
15848 two, is indicated by an “O/S”. Finally, controls or control enhancements marked with a “√” in the
15849 assurance column indicate the controls or control enhancements that contribute to the grounds
15850 for justified confidence that a security or privacy claim has been or will be achieved. 33 Each
15851 control and control enhancement in tables D-1 through D-20 is hyperlinked to the text for that
15852 control and control enhancement in Chapter Three.

32 The indication that a certain control or control enhancement is implemented by a system or by an organization in
Tables D-1 through D-20 is notional. Organizations have the flexibility to implement their selected controls and
control enhancements in the most cost-effective and efficient manner while simultaneously complying with the basic
intent of the controls or control enhancements. In certain situations, a control or control enhancement may be
implemented by the system or by the organization or a combination of the two entities.
33 Assurance is a critical aspect in determining the trustworthiness of systems. Assurance is the measure of confidence

that the security and privacy functions, features, practices, policies, procedures, mechanisms, and architecture of
organizational systems accurately mediate and enforce established security and privacy policies.

APPENDIX D PAGE 414

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15853 TABLE D-1: ACCESS CONTROL FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AC-1 Policy and Procedures O √

AC-2 Account Management O
AC-2(1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT O
AC-2(2) AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT S
AC-2(3) DISABLE ACCOUNTS S
AC-2(4) AUTOMATED AUDIT ACTIONS S
AC-2(5) INACTIVITY LOGOUT O /S
AC-2(6) DYNAMIC PRIVILEGE MANAGEMENT S
AC-2(7) PRIVILEGED USER ACCOUNTS O
AC-2(8) DYNAMIC ACCOUNT MANAGEMENT S
AC-2(9) RESTRICTIONS ON USE OF SHARED AND GROUP ACCOUNTS O
AC-2(10) SHARED AND GROUP ACCOUNT CREDENTIAL CHANGE W: Incorporated into AC-2k.
AC-2(11) USAGE CONDITIONS S
AC-2(12) ACCOUNT MONITORING FOR ATYPICAL USAGE O /S
AC-2(13) DISABLE ACCOUNTS FOR HIGH-RISK USERS O
AC-2(14) PROHIBIT SPECIFIC ACCOUNT TYPES O
AC-3 Access Enforcement S
AC-3(1) RESTRICTED ACCESS TO PRIVILEGED FUNCTION W: Incorporated into AC-6.
AC-3(2) DUAL AUTHORIZATION S
AC-3(3) MANDATORY ACCESS CONTROL S
AC-3(4) DISCRETIONARY ACCESS CONTROL S
AC-3(5) SECURITY-RELEVANT INFORMATION S
AC-3(6) PROTECTION OF USER AND SYSTEM INFORMATION W: Incorporated into MP-4, SC-28.
AC-3(7) ROLE-BASED ACCESS CONTROL O /S
AC-3(8) REVOCATION OF ACCESS AUTHORIZATIONS O /S

AC-3(9) CONTROLLED RELEASE O /S

AC-3(10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS O
AC-3(11) RESTRICT ACCESS TO SPECIFIC INFORMATION TYPES S
AC-3(12) ASSERT AND ENFORCE APPLICATION ACCESS S
AC-3(13) ATTRIBUTE-BASED ACCESS CONTROL S
AC-3(14) INDIVIDUAL ACCESS S
AC-3(15) DISCRETIONARY AND MANDATORY ACCESS CONTROL S
AC-4 Information Flow Enforcement S
AC-4(1) OBJECT SECURITY AND PRIVACY ATTRIBUTES S
AC-4(2) PROCESSING DOMAINS S
AC-4(3) DYNAMIC INFORMATION FLOW CONTROL S
AC-4(4) FLOW CONTROL OF ENCRYPTED INFORMATION S
AC-4(5) EMBEDDED DATA TYPES S
AC-4(6) METADATA S
AC-4(7) ONE-WAY FLOW MECHANISMS S
AC-4(8) SECURITY AND PRIVACY POLICY FILTERS S
AC-4(9) HUMAN REVIEWS O /S

APPENDIX D PAGE 415

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AC-4(10) ENABLE AND DISABLE SECURITY OR PRIVACY POLICY FILTERS S

AC-4(11) CONFIGURATION OF SECURITY OR PRIVACY POLICY FILTERS S
AC-4(12) DATA TYPE IDENTIFIERS S
AC-4(13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS S
AC-4(14) SECURITY OR PRIVACY POLICY FILTER CONSTRAINTS S
AC-4(15) DETECTION OF UNSANCTIONED INFORMATION S
AC-4(16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS W: Incorporated into AC-4.
AC-4(17) DOMAIN AUTHENTICATION S
AC-4(18) SECURITY ATTRIBUTE BINDING W: Incorporated into AC-16.
AC-4(19) VALIDATION OF METADATA S
AC-4(20) APPROVED SOLUTIONS O
AC-4(21) PHYSICAL OR LOGICAL SEPARATION OF INFORMATION FLOWS O /S
AC-4(22) ACCESS ONLY S
AC-4(23) MODIFY NON-RELEASABLE INFORMATION O /S
AC-4(24) INTERNAL NORMALIZED FORMAT S
AC-4(25) DATA SANITIZATION S
AC-4(26) AUDIT FILTERING ACTIONS O /S
AC-4(27) REDUNDANT/INDEPENDENT FILTERING MECHANISMS S
AC-4(28) LINEAR FILTER PIPELINES S
AC-4(29) FILTER ORCHESTRATION ENGINES O /S
AC-4(30) FILTER MECHANISMS USING MULTIPLE PROCESSES S
AC-4(31) FAILED CONTENT TRANSFER PREVENTION S
AC-4(32) PROCESS REQUIREMENTS FOR INFORMATION TRANSFER S
AC-5 Separation of Duties O
AC-6 Least Privilege O
AC-6(1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS O
AC-6(2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS O
AC-6(3) NETWORK ACCESS TO PRIVILEGED COMMANDS O
AC-6(4) SEPARATE PROCESSING DOMAINS O /S
AC-6(5) PRIVILEGED ACCOUNTS O
AC-6(6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS O
AC-6(7) REVIEW OF USER PRIVILEGES O
AC-6(8) PRIVILEGE LEVELS FOR CODE EXECUTION S
AC-6(9) LOG USE OF PRIVILEGED FUNCTIONS S
AC-6(10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED S
FUNCTIONS
AC-7 Unsuccessful Logon Attempts S
AC-7(1) AUTOMATIC ACCOUNT LOCK W: Incorporated into AC-7.
AC-7(2) PURGE OR WIPE MOBILE DEVICE S
AC-7(3) BIOMETRIC ATTEMPT LIMITING O
AC-7(4) USE OF ALTERNATE FACTOR O /S
AC-8 System Use Notification O /S
AC-9 Previous Logon Notification S

APPENDIX D PAGE 416

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AC-9(1) UNSUCCESSFUL LOGONS S

AC-9(2) SUCCESSFUL AND UNSUCCESSFUL LOGONS S
AC-9(3) NOTIFICATION OF ACCOUNT CHANGES S
AC-9(4) ADDITIONAL LOGON INFORMATION S
AC-10 Concurrent Session Control S
AC-11 Device Lock S
AC-11(1) PATTERN-HIDING DISPLAYS S
AC-12 Session Termination S
AC-12(1) USER-INITIATED LOGOUTS O /S
AC-12(2) TERMINATION MESSAGE S
AC-12(3) TIMEOUT WARNING MESSAGE S
AC-13 Supervision and Review-Access Control W: Incorporated into AC-2, AU-6.
AC-14 Permitted Actions without Identification or O
Authentication
AC-14(1) NECESSARY USES W: Incorporated into AC-14.
AC-15 Automated Marking W: Incorporated into MP-3.
AC-16 Security and Privacy Attributes O
AC-16(1) DYNAMIC ATTRIBUTE ASSOCIATION S
AC-16(2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS S
AC-16(3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM S
AC-16(4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS S
AC-16(5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES S
AC-16(6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION O
AC-16(7) CONSISTENT ATTRIBUTE INTERPRETATION O
AC-16(8) ASSOCIATION TECHNIQUES AND TECHNOLOGIES S
AC-16(9) ATTRIBUTE REASSIGNMENT – REGRADING MECHANISMS O
AC-16(10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS O
AC-17 Remote Access O
AC-17(1) MONITORING AND CONTROL O /S
AC-17(2) PROTECTION OF CONFIDENTIALITY AND INTEGRITY USING ENCRYPTION S
AC-17(3) MANAGED ACCESS CONTROL POINTS S
AC-17(4) PRIVILEGED COMMANDS AND ACCESS O
AC-17(5) MONITORING FOR UNAUTHORIZED CONNECTIONS W: Incorporated into SI-4.
AC-17(6) PROTECTION OF MECHANISM INFORMATION O
AC-17(7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS W: Incorporated into AC-3(10).
AC-17(8) DISABLE NONSECURE NETWORK PROTOCOLS W: Incorporated into CM-7.
AC-17(9) DISCONNECT OR DISABLE ACCESS O
AC-17(10) AUTHENTICATE REMOTE COMMANDS S
AC-18 Wireless Access O
AC-18(1) AUTHENTICATION AND ENCRYPTION S
AC-18(2) MONITORING UNAUTHORIZED CONNECTIONS W: Incorporated into SI-4.
AC-18(3) DISABLE WIRELESS NETWORKING O /S
AC-18(4) RESTRICT CONFIGURATIONS BY USERS O

APPENDIX D PAGE 417

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AC-18(5) ANTENNAS AND TRANSMISSION POWER LEVELS O

AC-19 Access Control for Mobile Devices O
AC-19(1) USE OF WRITABLE AND PORTABLE STORAGE DEVICES W: Incorporated into MP-7.
AC-19(2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES W: Incorporated into MP-7.
AC-19(3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER W: Incorporated into MP-7.
AC-19(4) RESTRICTIONS FOR CLASSIFIED INFORMATION O
AC-19(5) FULL DEVICE AND CONTAINER-BASED ENCRYPTION O
AC-20 Use of External Systems O
AC-20(1) LIMITS ON AUTHORIZED USE O
AC-20(2) PORTABLE STORAGE DEVICES — RESTRICTED USE O
AC-20(3) NON-ORGANIZATIONALLY OWNED SYSTEMS — RESTRICTED USE O
AC-20(4) NETWORK ACCESSIBLE STORAGE DEVICES O
AC-20(5) PORTABLE STORAGE DEVICES — PROHIBITED USE O
AC-20(6) NON-ORGANIZATIONALLY OWNED SYSTEMS — PROHIBITED USE O
AC-21 Information Sharing O
AC-21(1) AUTOMATED DECISION SUPPORT S
AC-21(2) INFORMATION SEARCH AND RETRIEVAL S
AC-22 Publicly Accessible Content O
AC-23 Data Mining Protection O
AC-24 Access Control Decisions O
AC-24(1) TRANSMIT ACCESS AUTHORIZATION INFORMATION S
AC-24(2) NO USER OR PROCESS IDENTITY S
AC-25 Reference Monitor S √

15854

APPENDIX D PAGE 418

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15855 TABLE D-2: AWARENESS AND TRAINING FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AT-1 Policy and Procedures O √

AT-2 Awareness Training O √
AT-2(1) PRACTICAL EXERCISES O √
AT-2(2) INSIDER THREAT O √
AT-2(3) SOCIAL ENGINEERING AND MINING O √
AT-2(4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR O √
AT-2(5) BREACH O √
AT-2(6) ADVANCED PERSISTENT THREAT O √
AT-2(7) CYBER THREAT ENVIRONMENT O √
AT-2(8) TRAINING FEEDBACK O √
AT-3 Role-Based Training O √
AT-3(1) ENVIRONMENTAL CONTROLS O √
AT-3(2) PHYSICAL SECURITY CONTROLS O √
AT-3(3) PRACTICAL EXERCISES O √
AT-3(4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR W: Incorporated into AT-2(4).
AT-3(5) ACCESSING PERSONALLY IDENTIFIABLE INFORMATION O √
AT-4 Training Records O √
AT-5 Contacts with Security Groups and Associations W: Incorporated into PM-15.

15856

APPENDIX D PAGE 419

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15857 TABLE D-3: AUDIT AND ACCOUNTABILITY FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AU-1 Policy and Procedures O √

AU-2 Event Logging O
AU-2(1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES W: Incorporated into AU-12.
AU-2(2) SELECTION OF AUDIT EVENTS BY COMPONENT W: Incorporated into AU-12.
AU-2(3) REVIEWS AND UPDATES W: Incorporated into AU-2.
AU-2(4) PRIVILEGED FUNCTIONS W: Incorporated into AC-6(9).
AU-3 Content of Audit Records S
AU-3(1) ADDITIONAL AUDIT INFORMATION S
AU-3(2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT S
AU-3(3) LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS O
AU-4 Audit Log Storage Capacity O /S
AU-4(1) TRANSFER TO ALTERNATE STORAGE O /S
AU-5 Response to Audit Logging Process Failures S
AU-5(1) STORAGE CAPACITY WARNING S
AU-5(2) REAL-TIME ALERTS S
AU-5(3) CONFIGURABLE TRAFFIC VOLUME THRESHOLDS S
AU-5(4) SHUTDOWN ON FAILURE S
AU-5(5) ALTERNATE AUDIT LOGGING CAPABILITY O
AU-6 Audit Record Review, Analysis, and Reporting O √
AU-6(1) AUTOMATED PROCESS INTEGRATION O √
AU-6(2) AUTOMATED SECURITY ALERTS W: Incorporated into SI-4.
AU-6(3) CORRELATE AUDIT RECORD REPOSITORIES O √
AU-6(4) CENTRAL REVIEW AND ANALYSIS S √
AU-6(5) INTEGRATED ANALYSIS OF AUDIT RECORDS O √
AU-6(6) CORRELATION WITH PHYSICAL MONITORING O √
AU-6(7) PERMITTED ACTIONS O √
AU-6(8) FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS O √
AU-6(9) CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES O √
AU-6(10) AUDIT LEVEL ADJUSTMENT W: Incorporated into AU-6.
AU-7 Audit Record Reduction and Report Generation S √
AU-7(1) AUTOMATIC PROCESSING S √
AU-7(2) AUTOMATIC SEARCH AND SORT W: Incorporated into AU-7(1).
AU-8 Time Stamps S
AU-8(1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE S
AU-8(2) SECONDARY AUTHORITATIVE TIME SOURCE S
AU-9 Protection of Audit Information S
AU-9(1) HARDWARE WRITE-ONCE MEDIA S
AU-9(2) STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS S
AU-9(3) CRYPTOGRAPHIC PROTECTION S
AU-9(4) ACCESS BY SUBSET OF PRIVILEGED USERS O
AU-9(5) DUAL AUTHORIZATION O /S
AU-9(6) READ-ONLY ACCESS O /S

APPENDIX D PAGE 420

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

AU-9(7) STORE ON COMPONENT WITH DIFFERENT OPERATING SYSTEM O

AU-10 Non-repudiation S √
AU-10(1) ASSOCIATION OF IDENTITIES S √
AU-10(2) VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY S √
AU-10(3) CHAIN OF CUSTODY O /S √
AU-10(4) VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY S √
AU-10(5) DIGITAL SIGNATURES W: Incorporated into SI-7.
AU-11 Audit Record Retention O
AU-11(1) LONG-TERM RETRIEVAL CAPABILITY O √
AU-12 Audit Record Generation S
AU-12(1) SYSTEM-WIDE AND TIME-CORRELATED AUDIT TRAIL S
AU-12(2) STANDARDIZED FORMATS S
AU-12(3) CHANGES BY AUTHORIZED INDIVIDUALS S
AU-12(4) QUERY PARAMETER AUDITS OF PERSONALLY IDENTIFIABLE INFORMATION S
AU-13 Monitoring for Information Disclosure O √
AU-13(1) USE OF AUTOMATED TOOLS O /S √
AU-13(2) REVIEW OF MONITORED SITES O √
AU-13(3) UNAUTHORIZED REPLICATION OF INFORMATION O /S √
AU-14 Session Audit S √
AU-14(1) SYSTEM START-UP S √
AU-14(2) CAPTURE AND RECORD CONTENT W: Incorporated into AU-14.
AU-14(3) REMOTE VIEWING AND LISTENING S √
AU-15 Alternate Audit Logging Capability W: Incorporated into AU-5(5).
AU-16 Cross-Organizational Audit Logging O
AU-16(1) IDENTITY PRESERVATION O
AU-16(2) SHARING OF AUDIT INFORMATION O
AU-16(3) DISASSOCIABILITY O

15858

APPENDIX D PAGE 421

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15859 TABLE D-4: ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

CA-1 Policies and Procedures O √

CA-2 Control Assessments O √
CA-2(1) INDEPENDENT ASSESSORS O √
CA-2(2) SPECIALIZED ASSESSMENTS O √
CA-2(3) EXTERNAL ORGANIZATIONS O √
CA-3 Information Exchange O √
CA-3(1) UNCLASSIFIED NATIONAL SECURITY CONNECTIONS W: Moved to SC-7(25).
CA-3(2) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS W: Moved to SC-7(26).
CA-3(3) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS W: Moved to SC-7(27).
CA-3(4) CONNECTIONS TO PUBLIC NETWORKS W: Moved to SC-7(28).
CA-3(5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS W: Incorporated into SC-7(5).
CA-3(6) TRANSFER AUTHORIZATIONS O /S √
CA-3(7) TRANSITIVE INFORMATION EXCHANGES O /S √
CA-4 Security Certification W: Incorporated into CA-2.
CA-5 Plan of Action and Milestones O √
CA-5(1) AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY O √
CA-6 Authorization O √
CA-6(1) JOINT AUTHORIZATION — INTRA-ORGANIZATION O √
CA-6(2) JOINT AUTHORIZATION — INTER-ORGANIZATION O √
CA-7 Continuous Monitoring O √
CA-7(1) INDEPENDENT ASSESSMENT O √
CA-7(2) TYPES OF ASSESSMENTS W: Incorporated into CA-2.
CA-7(3) TREND ANALYSES O √
CA-7(4) RISK MONITORING O /S √
CA-7(5) CONSISTENCY ANALYSIS O √
CA-8 Penetration Testing O √
CA-8(1) INDEPENDENT PENETRATION TESTING AGENT OR TEAM O √
CA-8(2) RED TEAM EXERCISES O √
CA-8(3) FACILITY PENETRATION TESTING O √
CA-9 Internal System Connections O √
CA-9(1) COMPLIANCE CHECKS O /S √

15860

APPENDIX D PAGE 422

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15861 TABLE D-5: CONFIGURATION MANAGEMENT FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

CM-1 Policy and Procedures O √

CM-2 Baseline Configuration O √
CM-2(1) REVIEWS AND UPDATES W: Incorporated into CM-2.
CM-2(2) AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY O √
CM-2(3) RETENTION OF PREVIOUS CONFIGURATIONS O √
CM-2(4) UNAUTHORIZED SOFTWARE W: Incorporated into CM-7.
CM-2(5) AUTHORIZED SOFTWARE W: Incorporated into CM-7.
CM-2(6) DEVELOPMENT AND TEST ENVIRONMENTS O √
CM-2(7) CONFIGURE SYSTEMS AND COMPONENTS FOR HIGH-RISK AREAS O √
CM-3 Configuration Change Control O √
CM-3(1) AUTOMATED DOCUMENTATION, NOTIFICATION, AND PROHIBITION OF O √
CHANGES
CM-3(2) TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES O √
CM-3(3) AUTOMATED CHANGE IMPLEMENTATION O
CM-3(4) SECURITY AND PRIVACY REPRESENTATIVES O
CM-3(5) AUTOMATED SECURITY RESPONSE S
CM-3(6) CRYPTOGRAPHY MANAGEMENT O
CM-3(7) REVIEW SYSTEM CHANGES O
CM-3(8) PREVENT OR RESTRICT CONFIGURATION CHANGES S
CM-4 Impact Analyses O √
CM-4(1) SEPARATE TEST ENVIRONMENTS O √
CM-4(2) VERIFICATION OF CONTROLS O √
CM-5 Access Restrictions for Change O
CM-5(1) AUTOMATED ACCESS ENFORCEMENT AND AUDIT RECORDS S
CM-5(2) REVIEW SYSTEM CHANGES W: Incorporated into CM-3(7).
CM-5(3) SIGNED COMPONENTS O /S
CM-5(4) DUAL AUTHORIZATION O /S
CM-5(5) PRIVILEGE LIMITATION FOR PRODUCTION AND OPERATION O
CM-5(6) LIMIT LIBRARY PRIVILEGES O /S
CM-5(7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS W: Incorporated into SI-7.
CM-6 Configuration Settings O /S
CM-6(1) AUTOMATED MANAGEMENT, APPLICATION, AND VERIFICATION O
CM-6(2) RESPOND TO UNAUTHORIZED CHANGES O
CM-6(3) UNAUTHORIZED CHANGE DETECTION W: Incorporated into SI-7.
CM-6(4) CONFORMANCE DEMONSTRATION W: Incorporated into CM-4.
CM-7 Least Functionality O /S
CM-7(1) PERIODIC REVIEW O /S
CM-7(2) PREVENT PROGRAM EXECUTION S
CM-7(3) REGISTRATION COMPLIANCE O
CM-7(4) UNAUTHORIZED SOFTWARE — BLACKLISTING O /S
CM-7(5) AUTHORIZED SOFTWARE — WHITELISTING O /S
CM-7(6) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES O √

APPENDIX D PAGE 423

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

CM-7(7) CODE EXECUTION IN PROTECTED ENVIRONMENTS O /S √

CM-7(8) BINARY OR MACHINE EXECUTABLE CODE O /S √
CM-8 System Component Inventory O √
CM-8(1) UPDATES DURING INSTALLATION AND REMOVAL O √
CM-8(2) AUTOMATED MAINTENANCE O √
CM-8(3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION O √
CM-8(4) ACCOUNTABILITY INFORMATION O √
CM-8(5) NO DUPLICATE ACCOUNTING OF COMPONENTS O √
CM-8(6) ASSESSED CONFIGURATIONS AND APPROVED DEVIATIONS O √
CM-8(7) CENTRALIZED REPOSITORY O √
CM-8(8) AUTOMATED LOCATION TRACKING O √
CM-8(9) ASSIGNMENT OF COMPONENTS TO SYSTEMS O √
CM-9 Configuration Management Plan O
CM-9(1) ASSIGNMENT OF RESPONSIBILITY O
CM-10 Software Usage Restrictions O
CM-10(1) OPEN SOURCE SOFTWARE O
CM-11 User-Installed Software O
CM-11(1) ALERTS FOR UNAUTHORIZED INSTALLATIONS W: Incorporated into CM-8(3).
CM-11(2) SOFTWARE INSTALLATION WITH PRIVILEGED STATUS S
CM-12 Information Location O √
CM-12(1) AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION O √
CM-13 Data Action Mapping O

15862

APPENDIX D PAGE 424

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15863 TABLE D-6: CONTINGENCY PLANNING FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

CP-1 Policy and Procedures O √

CP-2 Contingency Plan O
CP-2(1) COORDINATE WITH RELATED PLANS O
CP-2(2) CAPACITY PLANNING O
CP-2(3) RESUME MISSIONS AND BUSINESS FUNCTIONS O
CP-2(4) RESUME ALL MISSIONS AND BUSINESS FUNCTIONS W: Incorporated into CP-2(3).
CP-2(5) CONTINUE MISSIONS AND BUSINESS FUNCTIONS O
CP-2(6) ALTERNATE PROCESSING AND STORAGE SITES O
CP-2(7) COORDINATE WITH EXTERNAL SERVICE PROVIDERS O
CP-2(8) IDENTIFY CRITICAL ASSETS O
CP-3 Contingency Training O √
CP-3(1) SIMULATED EVENTS O √
CP-3(2) MECHANISMS USED IN TRAINING ENVIRONMENTS O √
CP-4 Contingency Plan Testing O √
CP-4(1) COORDINATE WITH RELATED PLANS O √
CP-4(2) ALTERNATE PROCESSING SITE O √
CP-4(3) AUTOMATED TESTING O √
CP-4(4) FULL RECOVERY AND RECONSTITUTION O √
CP-5 Contingency Plan Update W: Incorporated into CP-2.
CP-6 Alternate Storage Site O
CP-6(1) SEPARATION FROM PRIMARY SITE O
CP-6(2) RECOVERY TIME AND RECOVERY POINT OBJECTIVES O
CP-6(3) ACCESSIBILITY O
CP-7 Alternate Processing Site O
CP-7(1) SEPARATION FROM PRIMARY SITE O
CP-7(2) ACCESSIBILITY O
CP-7(3) PRIORITY OF SERVICE O
CP-7(4) PREPARATION FOR USE O
CP-7(5) EQUIVALENT INFORMATION SECURITY SAFEGUARDS W: Incorporated into CP-7.
CP-7(6) INABILITY TO RETURN TO PRIMARY SITE O
CP-8 Telecommunications Services O
CP-8(1) PRIORITY OF SERVICE PROVISIONS O
CP-8(2) SINGLE POINTS OF FAILURE O
CP-8(3) SEPARATION OF PRIMARY AND ALTERNATE PROVIDERS O
CP-8(4) PROVIDER CONTINGENCY PLAN O
CP-8(5) ALTERNATE TELECOMMUNICATION SERVICE TESTING O
CP-9 System Backup O
CP-9(1) TESTING FOR RELIABILITY AND INTEGRITY O
CP-9(2) TEST RESTORATION USING SAMPLING O
CP-9(3) SEPARATE STORAGE FOR CRITICAL INFORMATION O
CP-9(4) PROTECTION FROM UNAUTHORIZED MODIFICATION W: Incorporated into CP-9.
CP-9(5) TRANSFER TO ALTERNATE STORAGE SITE O

APPENDIX D PAGE 425

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

CP-9(6) REDUNDANT SECONDARY SYSTEM O

CP-9(7) DUAL AUTHORIZATION O
CP-9(8) CRYPTOGRAPHIC PROTECTION O
CP-10 System Recovery and Reconstitution O
CP-10(1) CONTINGENCY PLAN TESTING W: Incorporated into CP-4.
CP-10(2) TRANSACTION RECOVERY O
CP-10(3) COMPENSATING SECURITY CONTROLS W: Addressed through tailoring.
CP-10(4) RESTORE WITHIN TIME-PERIOD O
CP-10(5) FAILOVER CAPABILITY W: Incorporated into SI-13.
CP-10(6) COMPONENT PROTECTION O
CP-11 Alternate Communications Protocols O
CP-12 Safe Mode S √
CP-13 Alternative Security Mechanisms O /S
CP-14 Self-Challenge O /S √

15864

APPENDIX D PAGE 426

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15865 TABLE D-7: IDENTIFICATION AND AUTHENTICATION FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

IA-1 Policy and Procedures O √

IA-2 Identification and Authentication (Organizational Users) O /S
IA-2(1) MULTIFACTOR AUTHENTICATION TO PRIVILEGED ACCOUNTS S
IA-2(2) MULTIFACTOR AUTHENTICATION TO NON-PRIVILEGED ACCOUNTS S
IA-2(3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS W: Incorporated into IA-2(1).
IA-2(4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS W: Incorporated into IA-2(2).
IA-2(5) INDIVIDUAL AUTHENTICATION WITH GROUP AUTHENTICATION O /S
IA-2(6) ACCESS TO ACCOUNTS — SEPARATE DEVICE S
IA-2(7) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS — SEPARATE DEVICE W: Incorporated into IA-2(6).
IA-2(8) ACCESS TO ACCOUNTS — REPLAY RESISTANT S
IA-2(9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS — REPLAY RESISTANT W: Incorporated into IA-2(8).
IA-2(10) SINGLE SIGN-ON S
IA-2(11) REMOTE ACCESS — SEPARATE DEVICE W: Incorporated into IA-2(6).
IA-2(12) ACCEPTANCE OF PIV CREDENTIALS S
IA-2(13) OUT-OF-BAND AUTHENTICATION S
IA-3 Device Identification and Authentication S
IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION S
IA-3(2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION W: Incorporated into IA-3(1).
IA-3(3) DYNAMIC ADDRESS ALLOCATION O
IA-3(4) DEVICE ATTESTATION O
IA-4 Identifier Management O
IA-4(1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS O
IA-4(2) SUPERVISOR AUTHORIZATION W: Incorporated into IA-12(1).
IA-4(3) MULTIPLE FORMS OF CERTIFICATION W: Incorporated into IA-12(2).
IA-4(4) IDENTIFY USER STATUS O
IA-4(5) DYNAMIC MANAGEMENT S
IA-4(6) CROSS-ORGANIZATION MANAGEMENT O
IA-4(7) IN-PERSON REGISTRATION W: Incorporated into IA-12(4).
IA-4(8) PAIRWISE PSEUDONYMOUS IDENTIFIERS O
IA-4(9) ATTRIBUTE MAINTENANCE AND PROTECTION O /S
IA-5 Authenticator Management O /S
IA-5(1) PASSWORD-BASED AUTHENTICATION O /S
IA-5(2) PUBLIC KEY-BASED AUTHENTICATION S
IA-5(3) IN-PERSON OR TRUSTED EXTERNAL PARTY REGISTRATION W: Incorporated into IA-12(4).
IA-5(4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION W: Incorporated into IA-5(1).
IA-5(5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY O
IA-5(6) PROTECTION OF AUTHENTICATORS O
IA-5(7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS O
IA-5(8) MULTIPLE SYSTEM ACCOUNTS O
IA-5(9) FEDERATED CREDENTIAL MANAGEMENT O
IA-5(10) DYNAMIC CREDENTIAL BINDING S
IA-5(11) HARDWARE TOKEN-BASED AUTHENTICATION W: Incorporated into IA-2(1)(2).

APPENDIX D PAGE 427

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

IA-5(12) BIOMETRIC AUTHENTICATION PERFORMANCE S

IA-5(13) EXPIRATION OF CACHED AUTHENTICATORS S
IA-5(14) MANAGING CONTENT OF PKI TRUST STORES O
IA-5(15) GSA-APPROVED PRODUCTS AND SERVICES O
IA-5(16) IN-PERSON OR TRUSTED EXTERNAL PARTY AUTHENTICATOR ISSUANCE O
IA-5(17) PRESENTATION ATTACK DETECTION FOR BIOMETRIC AUTHENTICATORS S
IA-5(18) PASSWORD MANAGERS S
IA-6 Authenticator Feedback S
IA-7 Cryptographic Module Authentication S
IA-8 Identification and Authentication (Non-Organizational S
Users)
IA-8(1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES S
IA-8(2) ACCEPTANCE OF EXTERNAL PARTY CREDENTIALS S
IA-8(3) USE OF FICAM-APPROVED PRODUCTS W: Incorporated into IA-8(2).
IA-8(4) USE OF NIST-ISSUED PROFILES S
IA-8(5) ACCEPTANCE OF PIV-I CREDENTIALS S
IA-8(6) DISASSOCIABILITY O
IA-9 Service Identification and Authentication O /S
IA-9(1) INFORMATION EXCHANGE W: Incorporated into IA-9.
IA-9(2) TRANSMISSION OF DECISIONS W: Incorporated into IA-9.
IA-10 Adaptive Authentication O
IA-11 Re-authentication O /S
IA-12 Identity Proofing O
IA-12(1) SUPERVISOR AUTHORIZATION O
IA-12(2) IDENTITY EVIDENCE O
IA-12(3) IDENTITY EVIDENCE VALIDATION AND VERIFICATION O
IA-12(4) IN-PERSON VALIDATION AND VERIFICATION O
IA-12(5) ADDRESS CONFIRMATION O
IA-12(6) ACCEPT EXTERNALLY-PROOFED IDENTITIES O

15866
15867

APPENDIX D PAGE 428

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15868 TABLE D-8: INCIDENT RESPONSE FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

IR-1 Policy and Procedures O √

IR-2 Incident Response Training O √
IR-2(1) SIMULATED EVENTS O √
IR-2(2) AUTOMATED TRAINING ENVIRONMENTS O √
IR-3 Incident Response Testing O √
IR-3(1) AUTOMATED TESTING O √
IR-3(2) COORDINATION WITH RELATED PLANS O √
IR-3(3) CONTINUOUS IMPROVEMENT O √
IR-4 Incident Handling O
IR-4(1) AUTOMATED INCIDENT HANDLING PROCESSES O
IR-4(2) DYNAMIC RECONFIGURATION O
IR-4(3) CONTINUITY OF OPERATIONS O
IR-4(4) INFORMATION CORRELATION O
IR-4(5) AUTOMATIC DISABLING OF SYSTEM O /S
IR-4(6) INSIDER THREATS — SPECIFIC CAPABILITIES O
IR-4(7) INSIDER THREATS — INTRA-ORGANIZATION COORDINATION O
IR-4(8) CORRELATION WITH EXTERNAL ORGANIZATIONS O
IR-4(9) DYNAMIC RESPONSE CAPABILITY O
IR-4(10) SUPPLY CHAIN COORDINATION O
IR-4(11) INTEGRATED INCIDENT RESPONSE TEAM O
IR-4(12) MALICIOUS CODE AND FORENSIC ANALYSIS O
IR-4(13) BEHAVIOR ANALYSIS O
IR-4(14) SECURITY OPERATIONS CENTER O /S
IR-4(15) PUBLIC RELATIONS AND REPUTATION REPAIR O
IR-5 Incident Monitoring O √
IR-5(1) AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS O √
IR-6 Incident Reporting O
IR-6(1) AUTOMATED REPORTING O
IR-6(2) VULNERABILITIES RELATED TO INCIDENTS O
IR-6(3) SUPPLY CHAIN COORDINATION O
IR-7 Incident Response Assistance O
IR-7(1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION AND SUPPORT O
IR-7(2) COORDINATION WITH EXTERNAL PROVIDERS O
IR-8 Incident Response Plan O
IR-8(1) PRIVACY BREACHES O
IR-9 Information Spillage Response O
IR-9(1) RESPONSIBLE PERSONNEL W: Incorporated into IR-9.
IR-9(2) TRAINING O
IR-9(3) POST-SPILL OPERATIONS O
IR-9(4) EXPOSURE TO UNAUTHORIZED PERSONNEL O
IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS W: Moved to IR-4(11).

APPENDIX D PAGE 429

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15869 TABLE D-9: MAINTENANCE FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

MA-1 Policy and Procedures O √

MA-2 Controlled Maintenance O
MA-2(1) RECORD CONTENT W: Incorporated into MA-2.
MA-2(2) AUTOMATED MAINTENANCE ACTIVITIES O
MA-3 Maintenance Tools O
MA-3(1) INSPECT TOOLS O
MA-3(2) INSPECT MEDIA O
MA-3(3) PREVENT UNAUTHORIZED REMOVAL O
MA-3(4) RESTRICTED TOOL USE O /S
MA-3(5) EXECUTION WITH PRIVILEGE O /S
MA-3(6) SOFTWARE UPDATES AND PATCHES O /S
MA-4 Nonlocal Maintenance O
MA-4(1) LOGGING AND REVIEW O
MA-4(2) DOCUMENT NONLOCAL MAINTENANCE W: Incorporated into MA-1, MA-4.
MA-4(3) COMPARABLE SECURITY AND SANITIZATION O
MA-4(4) AUTHENTICATION AND SEPARATION OF MAINTENANCE SESSIONS O
MA-4(5) APPROVALS AND NOTIFICATIONS O
MA-4(6) CRYPTOGRAPHIC PROTECTION O /S
MA-4(7) DISCONNECT VERIFICATION S
MA-5 Maintenance Personnel O
MA-5(1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS O
MA-5(2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS O
MA-5(3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS O
MA-5(4) FOREIGN NATIONALS O
MA-5(5) NON-SYSTEM MAINTENANCE O
MA-6 Timely Maintenance O
MA-6(1) PREVENTIVE MAINTENANCE O
MA-6(2) PREDICTIVE MAINTENANCE O
MA-6(3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE O
MA-7 Field Maintenance O

15870
15871

APPENDIX D PAGE 430

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15872 TABLE D-10: MEDIA PROTECTION FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

MP-1 Policy and Procedures O √

MP-2 Media Access O
MP-2(1) AUTOMATED RESTRICTED ACCESS W: Incorporated into MP-4(2).
MP-2(2) CRYPTOGRAPHIC PROTECTION W: Incorporated into SC-28(1).
MP-3 Media Marking O
MP-4 Media Storage O
MP-4(1) CRYPTOGRAPHIC PROTECTION W: Incorporated into SC-28(1).
MP-4(2) AUTOMATED RESTRICTED ACCESS O
MP-5 Media Transport O
MP-5(1) PROTECTION OUTSIDE OF CONTROLLED AREAS W: Incorporated into MP-5.
MP-5(2) DOCUMENTATION OF ACTIVITIES W: Incorporated into MP-5.
MP-5(3) CUSTODIANS O
MP-5(4) CRYPTOGRAPHIC PROTECTION W: Incorporated into SC-28(1).
MP-6 Media Sanitization O
MP-6(1) REVIEW, APPROVE, TRACK, DOCUMENT, AND VERIFY O
MP-6(2) EQUIPMENT TESTING O
MP-6(3) NONDESTRUCTIVE TECHNIQUES O
MP-6(4) CONTROLLED UNCLASSIFIED INFORMATION W: Incorporated into MP-6.
MP-6(5) CLASSIFIED INFORMATION W: Incorporated into MP-6.
MP-6(6) MEDIA DESTRUCTION W: Incorporated into MP-6.
MP-6(7) DUAL AUTHORIZATION O
MP-6(8) REMOTE PURGING OR WIPING OF INFORMATION O
MP-7 Media Use O
MP-7(1) PROHIBIT USE WITHOUT OWNER W: Incorporated into MP-7.
MP-7(2) PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA O
MP-8 Media Downgrading O
MP-8(1) DOCUMENTATION OF PROCESS O
MP-8(2) EQUIPMENT TESTING O
MP-8(3) CONTROLLED UNCLASSIFIED INFORMATION O
MP-8(4) CLASSIFIED INFORMATION O

15873
15874

APPENDIX D PAGE 431

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15875 TABLE D-11: PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

PE-1 Policy and Procedures O √

PE-2 Physical Access Authorizations O
PE-2(1) ACCESS BY POSITION AND ROLE O
PE-2(2) TWO FORMS OF IDENTIFICATION O
PE-2(3) RESTRICT UNESCORTED ACCESS O
PE-3 Physical Access Control O
PE-3(1) SYSTEM ACCESS O
PE-3(2) FACILITY AND SYSTEMS O
PE-3(3) CONTINUOUS GUARDS O
PE-3(4) LOCKABLE CASINGS O
PE-3(5) TAMPER PROTECTION O
PE-3(6) FACILITY PENETRATION TESTING W: Incorporated into CA-8.
PE-3(7) PHYSICAL BARRIERS O
PE-3(8) ACCESS CONTROL VESTIBULES O
PE-4 Access Control for Transmission O
PE-5 Access Control for Output Devices O
PE-5(1) ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS W: Incorporated into PE-5.
PE-5(2) LINK TO INDIVIDUAL IDENTITY S
PE-5(3) MARKING OUTPUT DEVICES O
PE-6 Monitoring Physical Access O √
PE-6(1) INTRUSION ALARMS AND SURVEILLANCE EQUIPMENT O √
PE-6(2) AUTOMATED INTRUSION RECOGNITION AND RESPONSES O √
PE-6(3) VIDEO SURVEILLANCE O √
PE-6(4) MONITORING PHYSICAL ACCESS TO SYSTEMS O √
PE-7 Visitor Control W: Incorporated into PE-2, PE-3.
PE-8 Visitor Access Records O √
PE-8(1) AUTOMATED RECORDS MAINTENANCE AND REVIEW O
PE-8(2) PHYSICAL ACCESS RECORDS W: Incorporated into PE-2.
PE-9 Power Equipment and Cabling O
PE-9(1) REDUNDANT CABLING O
PE-9(2) AUTOMATIC VOLTAGE CONTROLS O
PE-10 Emergency Shutoff O
PE-10(1) ACCIDENTAL AND UNAUTHORIZED ACTIVATION W: Incorporated into PE-10.
PE-11 Emergency Power O
PE-11(1) ALTERNATE POWER SUPPLY — MINIMAL OPERATIONAL CAPABILITY O
PE-11(2) ALTERNATE POWER SUPPLY — SELF-CONTAINED O
PE-12 Emergency Lighting O
PE-12(1) ESSENTIAL MISSIONS AND BUSINESS FUNCTIONS O
PE-13 Fire Protection O
PE-13(1) DETECTION SYSTEMS — AUTOMATIC ACTIVATION AND NOTIFICATION O
PE-13(2) SUPPRESSION SYSTEMS — AUTOMATIC ACTIVATION AND NOTIFICATION O
PE-13(3) AUTOMATIC FIRE SUPPRESSION W: Incorporated into PE-13(2).

APPENDIX D PAGE 432

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

PE-13(4) INSPECTIONS O
PE-14 Environmental Controls O
PE-14(1) AUTOMATIC CONTROLS O
PE-14(2) MONITORING WITH ALARMS AND NOTIFICATIONS O
PE-15 Water Damage Protection O
PE-15(1) AUTOMATION SUPPORT O
PE-16 Delivery and Removal O
PE-17 Alternate Work Site O
PE-18 Location of System Components O
PE-18(1) FACILITY SITE W: Moved to PE-23.
PE-19 Information Leakage O
PE-19(1) NATIONAL EMISSIONS AND TEMPEST POLICIES AND PROCEDURES O
PE-20 Asset Monitoring and Tracking O
PE-21 Electromagnetic Pulse Protection O
PE-22 Component Marking O
PE-23 Facility Location O

15876
15877

APPENDIX D PAGE 433

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15878 TABLE D-12: PLANNING FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

PL-1 Policy and Procedures O √

PL-2 System Security and Privacy Plans O √
PL-2(1) CONCEPT OF OPERATIONS W: Incorporated into PL-7.
PL-2(2) FUNCTIONAL ARCHITECTURE W: Incorporated into PL-8.
PL-2(3) PLAN AND COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES W: Incorporated into PL-2.
PL-3 System Security Plan Update W: Incorporated into PL-2.
PL-4 Rules of Behavior O √
PL-4(1) SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION USAGE RESTRICTIONS O √
PL-5 Privacy Impact Assessment W: Incorporated into RA-8.
PL-6 Security-Related Activity Planning W: Incorporated into PL-2.
PL-7 Concept of Operations O
PL-8 Security and Privacy Architectures O √
PL-8(1) DEFENSE-IN-DEPTH O √
PL-8(2) SUPPLIER DIVERSITY O √
PL-9 Central Management O √
PL-10 Baseline Selection O
PL-11 Baseline Tailoring O

15879

APPENDIX D PAGE 434

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15880 TABLE D-13: PROGRAM MANAGEMENT FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

PM-1 Information Security Program Plan O

PM-2 Information Security Program Leadership Role O
PM-3 Information Security and Privacy Resources O
PM-4 Plan of Action and Milestones Process O
PM-5 System Inventory O
PM-5(1) INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION O
PM-6 Measures of Performance O √
PM-7 Enterprise Architecture O
PM-7(1) OFFLOADING O
PM-8 Critical Infrastructure Plan O
PM-9 Risk Management Strategy O √
PM-10 Authorization Process O √
PM-11 Mission and Business Process Definition O
PM-12 Insider Threat Program O √
PM-13 Security and Privacy Workforce O
PM-14 Testing, Training, and Monitoring O √
PM-15 Security and Privacy Groups and Associations O
PM-16 Threat Awareness Program O √
PM-16(1) AUTOMATED MEANS FOR SHARING THREAT INTELLIGENCE O √
PM-17 Protecting CUI on External Systems O √
PM-18 Privacy Program Plan O
PM-19 Privacy Program Leadership Role O
PM-20 Dissemination of Privacy Program Information O
PM-21 Accounting of Disclosures O
PM-22 Personally Identifiable Information Quality Management O √
PM-23 Data Governance Body O √
PM-24 Data Integrity Board O √
PM-25 Minimization of PII Used in Testing Training, and Research O
PM-26 Complaint Management O
PM-27 Privacy Reporting O
PM-28 Risk Framing O √
PM-29 Risk Management Program Leadership Roles O
PM-30 Supply Chain Risk Management Strategy O √
PM-31 Continuous Monitoring Strategy O
PM-32 Purposing O √
PM-33 Privacy Policies on Websites, Applications, and Digital O √
Services

15881

APPENDIX D PAGE 435

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15882 TABLE D-14: PERSONNEL SECURITY FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

PS-1 Policy and Procedures O √

PS-2 Position Risk Designation O
PS-3 Personnel Screening O
PS-3(1) CLASSIFIED INFORMATION O
PS-3(2) FORMAL INDOCTRINATION O
PS-3(3) INFORMATION WITH SPECIAL PROTECTION MEASURES O
PS-3(4) CITIZENSHIP REQUIREMENTS O
PS-4 Personnel Termination O
PS-4(1) POST-EMPLOYMENT REQUIREMENTS O
PS-4(2) AUTOMATED NOTIFICATION O
PS-5 Personnel Transfer O
PS-6 Access Agreements O √
PS-6(1) INFORMATION REQUIRING SPECIAL PROTECTION W: Incorporated into PS-3.
PS-6(2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION O √
PS-6(3) POST-EMPLOYMENT REQUIREMENTS O √
PS-7 External Personnel Security O √
PS-8 Personnel Sanctions O

15883

APPENDIX D PAGE 436

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15884 TABLE D-15: PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

PT-1 Policy and Procedures O √

PT-2 Authority to Process Personally Identifiable Information O √
PT-2(1) DATA TAGGING S √
PT-2(2) AUTOMATION O √
PT-3 Personally Identifiable Information Processing Purposes O
PT-3(1) DATA TAGGING S √
PT-3(2) AUTOMATION O √
PT-4 Minimization O √
PT-5 Consent O
PT-5(1) TAILORED CONSENT O
PT-5(2) JUST-IN-TIME CONSENT O
PT-6 Privacy Notice O
PT-6(1) JUST-IN-TIME NOTICE O
PT-6(2) PRIVACY ACT STATEMENTS O
PT-7 System of Records Notice O
PT-7(1) ROUTINE USES O
PT-7(2) EXEMPTION RULES O
PT-8 Specific Categories of Personally Identifiable Information O
PT-8(1) SOCIAL SECURITY NUMBERS O
PT-8(2) FIRST AMENDMENT INFORMATION O
PT-9 Computer Matching Requirements O

15885

APPENDIX D PAGE 437

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15886 TABLE D-16: RISK ASSESSMENT FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

RA-1 Policy and Procedures O √

RA-2 Security Categorization O
RA-2(1) IMPACT-LEVEL PRIORITIZATION O
RA-3 Risk Assessment O √
RA-3(1) SUPPLY CHAIN RISK ASSESSMENT O √
RA-3(2) USE OF ALL-SOURCE INTELLIGENCE O √
RA-3(3) DYNAMIC THREAT AWARENESS O √
RA-3(4) PREDICTIVE CYBER ANALYTICS O √
RA-4 Risk Assessment Update W: Incorporated into RA-3.
RA-5 Vulnerability Monitoring and Scanning O √
RA-5(1) UPDATE TOOL CAPABILITY W: Incorporated into RA-5.
RA-5(2) UPDATE SYSTEM VULNERABILITIES O √
RA-5(3) BREADTH AND DEPTH OF COVERAGE O √
RA-5(4) DISCOVERABLE INFORMATION O √
RA-5(5) PRIVILEGED ACCESS O √
RA-5(6) AUTOMATED TREND ANALYSES O √
RA-5(7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED W: Incorporated into CM-8.
COMPONENTS
RA-5(8) REVIEW HISTORIC AUDIT LOGS O √
RA-5(9) PENETRATION TESTING AND ANALYSES W: Incorporated into CA-8.
RA-5(10) CORRELATE SCANNING INFORMATION O √
RA-5(11) PUBLIC DISCLOSURE PROGRAM O √
RA-6 Technical Surveillance Countermeasures Survey O √
RA-7 Risk Response O √
RA-8 Privacy Impact Assessments O √
RA-9 Criticality Analysis O
RA-10 Threat Hunting O /S √

15887

APPENDIX D PAGE 438

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15888 TABLE D-17: SYSTEM AND SERVICES ACQUISITION FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SA-1 Policy and Procedures O √

SA-2 Allocation of Resources O √
SA-3 System Development Life Cycle O √
SA-3(1) MANAGE PREPRODUCTION ENVIRONMENT O √
SA-3(2) USE OF LIVE OR OPERATIONAL DATA O √
SA-3(3) TECHNOLOGY REFRESH O √
SA-4 Acquisition Process O √
SA-4(1) FUNCTIONAL PROPERTIES OF CONTROLS O √
SA-4(2) DESIGN AND IMPLEMENTATION INFORMATION FOR CONTROLS O √
SA-4(3) DEVELOPMENT METHODS, TECHNIQUES, AND PRACTICES O √
SA-4(4) ASSIGNMENT OF COMPONENTS TO SYSTEMS W: Incorporated into CM-8(9).
SA-4(5) SYSTEM, COMPONENT, AND SERVICE CONFIGURATIONS O √
SA-4(6) USE OF INFORMATION ASSURANCE PRODUCTS O √
SA-4(7) NIAP-APPROVED PROTECTION PROFILES O √
SA-4(8) CONTINUOUS MONITORING PLAN FOR CONTROLS O √
SA-4(9) FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES IN USE O √
SA-4(10) USE OF APPROVED PIV PRODUCTS O √
SA-4(11) SYSTEM OF RECORDS O √
SA-4(12) DATA OWNERSHIP O √
SA-5 System Documentation O √
SA-5(1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS W: Incorporated into SA-4(1).
SA-5(2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES W: Incorporated into SA-4(2).
SA-5(3) HIGH-LEVEL DESIGN W: Incorporated into SA-4(2).
SA-5(4) LOW-LEVEL DESIGN W: Incorporated into SA-4(2).
SA-5(5) SOURCE CODE W: Incorporated into SA-4(2).
SA-6 Software Usage Restrictions W: Incorporated into CM-10, SI-7.
SA-7 User-Installed Software W: Incorporated into CM-11, SI-7.
SA-8 Security and Privacy Engineering Principles O √
SA-8(1) CLEAR ABSTRACTIONS O /S √
SA-8(2) LEAST COMMON MECHANISM O /S √
SA-8(3) MODULARITY AND LAYERING O /S √
SA-8(4) PARTIALLY ORDERED DEPENDENCIES O /S √
SA-8(5) EFFICIENTLY MEDIATED ACCESS O /S √
SA-8(6) MINIMIZED SHARING O /S √
SA-8(7) REDUCED COMPLEXITY O /S √
SA-8(8) SECURE EVOLVABILITY O /S √
SA-8(9) TRUSTED COMPONENTS O /S √
SA-8(10) HIERARCHICAL TRUST O /S √
SA-8(11) INVERSE MODIFICATION THRESHOLD O /S √
SA-8(12) HIERARCHICAL PROTECTION O /S √
SA-8(13) MINIMIZED SECURITY ELEMENTS O /S √
SA-8(14) LEAST PRIVILEGE O /S √

APPENDIX D PAGE 439

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SA-8(15) PREDICATE PERMISSION O /S √

SA-8(16) SELF-RELIANT TRUSTWORTHINESS O /S √
SA-8(17) SECURE DISTRIBUTED COMPOSITION O /S √
SA-8(18) TRUSTED COMMUNICATIONS CHANNELS O /S √
SA-8(19) CONTINUOUS PROTECTION O /S √
SA-8(20) SECURE METADATA MANAGEMENT O /S √
SA-8(21) SELF-ANALYSIS O /S √
SA-8(22) ACCOUNTABILITY AND TRACEABILITY O /S √
SA-8(23) SECURE DEFAULTS O /S √
SA-8(24) SECURE FAILURE AND RECOVERY O /S √
SA-8(25) ECONOMIC SECURITY O /S √
SA-8(26) PERFORMANCE SECURITY O /S √
SA-8(27) HUMAN FACTORED SECURITY O /S √
SA-8(28) ACCEPTABLE SECURITY O /S √
SA-8(29) REPEATABLE AND DOCUMENTED PROCEDURES O /S √
SA-8(30) PROCEDURAL RIGOR O /S √
SA-8(31) SECURE SYSTEM MODIFICATION O /S √
SA-8(32) SUFFICIENT DOCUMENTATION O /S √
SA-9 External System Services O √
SA-9(1) RISK ASSESSMENTS AND ORGANIZATIONAL APPROVALS O √
SA-9(2) IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES O √
SA-9(3) ESTABLISH AND MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS O √
SA-9(4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS O √
SA-9(5) PROCESSING, STORAGE, AND SERVICE LOCATION O √
SA-9(6) ORGANIZATION-CONTROLLED CRYPTOGRAPHIC KEYS O √
SA-9(7) ORGANIZATION-CONTROLLED INTEGRITY CHECKING O √
SA-9(8) PROCESSING AND STORAGE LOCATION — U.S. JURISDICTION O √
SA-10 Developer Configuration Management O √
SA-10(1) SOFTWARE AND FIRMWARE INTEGRITY VERIFICATION O √
SA-10(2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES O √
SA-10(3) HARDWARE INTEGRITY VERIFICATION O √
SA-10(4) TRUSTED GENERATION O √
SA-10(5) MAPPING INTEGRITY FOR VERSION CONTROL O √
SA-10(6) TRUSTED DISTRIBUTION O √
SA-11 Developer Testing and Evaluation O √
SA-11(1) STATIC CODE ANALYSIS O √
SA-11(2) THREAT MODELING AND VULNERABILITY ANALYSES O √
SA-11(3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS AND EVIDENCE O √
SA-11(4) MANUAL CODE REVIEWS O √
SA-11(5) PENETRATION TESTING O √
SA-11(6) ATTACK SURFACE REVIEWS O √
SA-11(7) VERIFY SCOPE OF TESTING AND EVALUATION O √
SA-11(8) DYNAMIC CODE ANALYSIS O √

APPENDIX D PAGE 440

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SA-11(9) INTERACTIVE APPLICATION SECURITY TESTING O √

SA-12 Supply Chain Protection W: Moved to SR Family.
SA-12(1) ACQUISITION STRATEGIES, TOOLS, AND METHODS W: Moved to SR-5.
SA-12(2) SUPPLIER REVIEWS W: Moved to SR-6.
SA-12(3) TRUSTED SHIPPING AND WAREHOUSING W: Incorporated into SR-3.
SA-12(4) DIVERSITY OF SUPPLIERS W: Moved to SR-3(1).
SA-12(5) LIMITATION OF HARM W: Moved to SR-3(2).
SA-12(6) MINIMIZING PROCUREMENT TIME W: Incorporated into SR-5(1).
SA-12(7) ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE W: Moved to SR-5(2).
SA-12(8) USE OF ALL-SOURCE INTELLIGENCE W: Incorporated into RA-3(2).
SA-12(9) OPERATIONS SECURITY W: Moved to SR-7.
SA-12(10) VALIDATE AS GENUINE AND NOT ALTERED W: Moved to SR-4(3).
SA-12(11) PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND W: Moved to SR-6(1).
ACTORS
SA-12(12) INTER-ORGANIZATIONAL AGREEMENTS W: Moved to SR-8.
SA-12(13) CRITICAL INFORMATION SYSTEM COMPONENTS W: Incorporated into MA-6, RA-9.
SA-12(14) IDENTITY AND TRACEABILITY W: Moved to SR-4(1)(2).
SA-12(15) PROCESS TO ADDRESS WEAKNESSES OR DEFICIENCIES W: Incorporated into SR-3.
SA-13 Trustworthiness W: Incorporated into SA-8.
SA-14 Criticality Analysis W: Incorporated into RA-9.
SA-14(1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING W: Incorporated into SA-20.
SA-15 Development Process, Standards, and Tools O √
SA-15(1) QUALITY METRICS O √
SA-15(2) SECURITY TRACKING TOOLS O √
SA-15(3) CRITICALITY ANALYSIS O √
SA-15(4) THREAT MODELING AND VULNERABILITY ANALYSIS W: Incorporated into SA-11(2).
SA-15(5) ATTACK SURFACE REDUCTION O √
SA-15(6) CONTINUOUS IMPROVEMENT O √
SA-15(7) AUTOMATED VULNERABILITY ANALYSIS O √
SA-15(8) REUSE OF THREAT AND VULNERABILITY INFORMATION O √
SA-15(9) USE OF LIVE DATA W: Incorporated into SA-3(2).
SA-15(10) INCIDENT RESPONSE PLAN O √
SA-15(11) ARCHIVE SYSTEM OR COMPONENT O √
SA-15(12) MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION O √
SA-16 Developer-Provided Training O √
SA-17 Developer Security Architecture and Design O √
SA-17(1) FORMAL POLICY MODEL O √
SA-17(2) SECURITY-RELEVANT COMPONENTS O √
SA-17(3) FORMAL CORRESPONDENCE O √
SA-17(4) INFORMAL CORRESPONDENCE O √
SA-17(5) CONCEPTUALLY SIMPLE DESIGN O √
SA-17(6) STRUCTURE FOR TESTING O √
SA-17(7) STRUCTURE FOR LEAST PRIVILEGE O √

APPENDIX D PAGE 441

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SA-17(8) ORCHESTRATION O √
SA-17(9) DESIGN DIVERSITY O √
SA-18 Tamper Resistance and Detection W: Moved to SR-9.
SA-18(1) MULTIPLE PHASES OF SYSTEM DEVELOPMENT LIFE CYCLE W: Moved to SR-9(1).
SA-18(2) INSPECTION OF SYSTEMS OR COMPONENTS W: Moved to SR-10.
SA-19 Component Authenticity W: Moved to SR-11.
SA-19(1) ANTI-COUNTERFEIT TRAINING W: Moved to SR-11(1).
SA-19(2) CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR W: Moved to SR-11(2).
SA-19(3) COMPONENT DISPOSAL W: Moved to SR-11(3).
SA-19(4) ANTI-COUNTERFEIT SCANNING W: Moved to SR-11(4).
SA-20 Customized Development of Critical Components O √
SA-21 Developer Screening O √
SA-21(1) VALIDATION OF SCREENING W: Incorporated into SA-21.
SA-22 Unsupported System Components O √
SA-22(1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT W: Incorporated into SA-22.
SA-23 Specialization O √

15889

APPENDIX D PAGE 442

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15890 TABLE D-18: SYSTEM AND COMMUNICATIONS PROTECTION FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SC-1 Policy and Procedures O √

SC-2 Separation of System and User Functionality S √
SC-2(1) INTERFACES FOR NON-PRIVILEGED USERS S √
SC-2(2) DISASSOCIABILITY S √
SC-3 Security Function Isolation S √
SC-3(1) HARDWARE SEPARATION S √
SC-3(2) ACCESS AND FLOW CONTROL FUNCTIONS S √
SC-3(3) MINIMIZE NONSECURITY FUNCTIONALITY O /S √
SC-3(4) MODULE COUPLING AND COHESIVENESS O /S √
SC-3(5) LAYERED STRUCTURES O /S √
SC-4 Information in Shared System Resources S
SC-4(1) SECURITY LEVELS W: Incorporated into SC-4.
SC-4(2) MULTILEVEL OR PERIODS PROCESSING S
SC-5 Denial of Service Protection S
SC-5(1) RESTRICT ABILITY TO ATTACK OTHER SYSTEMS S
SC-5(2) CAPACITY, BANDWIDTH, AND REDUNDANCY S
SC-5(3) DETECTION AND MONITORING S
SC-6 Resource Availability S √
SC-7 Boundary Protection S
SC-7(1) PHYSICALLY SEPARATED SUBNETWORKS W: Incorporated into SC-7.
SC-7(2) PUBLIC ACCESS W: Incorporated into SC-7.
SC-7(3) ACCESS POINTS S
SC-7(4) EXTERNAL TELECOMMUNICATIONS SERVICES O
SC-7(5) DENY BY DEFAULT — ALLOW BY EXCEPTION S
SC-7(6) RESPONSE TO RECOGNIZED FAILURES W: Incorporated into SC-7(18).
SC-7(7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES S
SC-7(8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS S
SC-7(9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC S
SC-7(10) PREVENT EXFILTRATION S
SC-7(11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC S
SC-7(12) HOST-BASED PROTECTION S
SC-7(13) ISOLATION OF SECURITY TOOLS, MECHANISMS, AND SUPPORT S
COMPONENTS
SC-7(14) PROTECT AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS S
SC-7(15) NETWORKED PRIVILEGED ACCESSES S
SC-7(16) PREVENT DISCOVERY OF COMPONENTS AND DEVICES S
SC-7(17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS S
SC-7(18) FAIL SECURE S √
SC-7(19) BLOCK COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED S
HOSTS
SC-7(20) DYNAMIC ISOLATION AND SEGREGATION S
SC-7(21) ISOLATION OF SYSTEM COMPONENTS O /S √

APPENDIX D PAGE 443

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SC-7(22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS S √

SC-7(23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE S
SC-7(24) PERSONALLY IDENTIFIABLE INFORMATION O /S
SC-7(25) UNCLASSIFIED NATIONAL SECURITY CONNECTIONS O
SC-7(26) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS O
SC-7(27) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS O
SC-7(28) CONNECTIONS TO PUBLIC NETWORKS O
SC-7(29) SEPARATE SUBNETS TO ISOLATE FUNCTIONS S
SC-8 Transmission Confidentiality and Integrity S
SC-8(1) CRYPTOGRAPHIC PROTECTION S
SC-8(2) PRE- AND POST-TRANSMISSION HANDLING S
SC-8(3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS S
SC-8(4) CONCEAL OR RANDOMIZE COMMUNICATIONS S
SC-8(5) PROTECTED DISTRIBUTION SYSTEM S
SC-9 Transmission Confidentiality W: Incorporated into SC-8.
SC-10 Network Disconnect S
SC-11 Trusted Path S √
SC-11(1) IRREFUTABLE COMMUNICATIONS PATH S √
SC-12 Cryptographic Key Establishment and Management O /S
SC-12(1) AVAILABILITY O /S
SC-12(2) SYMMETRIC KEYS O /S
SC-12(3) ASYMMETRIC KEYS O /S
SC-12(4) PKI CERTIFICATES W: Incorporated into SC-12.
SC-12(5) PKI CERTIFICATES / HARDWARE TOKENS W: Incorporated into SC-12.
SC-12(6) PHYSICAL CONTROL OF KEYS O /S
SC-13 Cryptographic Protection S
SC-13(1) FIPS-VALIDATED CRYPTOGRAPHY W: Incorporated into SC-13.
SC-13(2) NSA-APPROVED CRYPTOGRAPHY W: Incorporated into SC-13.
SC-13(3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS W: Incorporated into SC-13.
SC-13(4) DIGITAL SIGNATURES W: Incorporated into SC-13.
SC-14 Public Access Protections W: Incorporated into AC-2, AC-3, AC-5, SI-
3, SI-4, SI-5, SI-7, SI-10.
SC-15 Collaborative Computing Devices and Applications S
SC-15(1) PHYSICAL OR LOGICAL DISCONNECT S
SC-15(2) BLOCKING INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC W: Incorporated into SC-7.
SC-15(3) DISABLING AND REMOVAL IN SECURE WORK AREAS O
SC-15(4) EXPLICITLY INDICATE CURRENT PARTICIPANTS S
SC-16 Transmission of Security and Privacy Attributes S
SC-16(1) INTEGRITY VERIFICATION S
SC-16(2) ANTI-SPOOFING MECHANISMS S
SC-17 Public Key Infrastructure Certificates O /S
SC-18 Mobile Code O
SC-18(1) IDENTIFY UNACCEPTABLE CODE AND TAKE CORRECTIVE ACTIONS S
SC-18(2) ACQUISITION, DEVELOPMENT, AND USE O

APPENDIX D PAGE 444

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SC-18(3) PREVENT DOWNLOADING AND EXECUTION S

SC-18(4) PREVENT AUTOMATIC EXECUTION S
SC-18(5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS S
SC-19 Voice over Internet Protocol W: Technology-specific; addressed by
other controls for protocols.
SC-20 Secure Name/Address Resolution Service S
(Authoritative Source)
SC-20(1) CHILD SUBSPACES W: Incorporated into SC-20.
SC-20(2) DATA ORIGIN AND INTEGRITY S
SC-21 Secure Name/Address Resolution Service S
(Recursive or Caching Resolver)
SC-21(1) DATA ORIGIN AND INTEGRITY W: Incorporated into SC-21.
SC-22 Architecture and Provisioning for S
Name/Address Resolution Service
SC-23 Session Authenticity S
SC-23(1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT S
SC-23(2) USER-INITIATED LOGOUTS AND MESSAGE DISPLAYS W: Incorporated into AC-12(1).
SC-23(3) UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS S
SC-23(4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION W: Incorporated into SC-23(3).
SC-23(5) ALLOWED CERTIFICATE AUTHORITIES S
SC-24 Fail in Known State S √
SC-25 Thin Nodes S
SC-26 Decoys S
SC-26(1) DETECTION OF MALICIOUS CODE W: Incorporated into SC-35.
SC-27 Platform-Independent Applications S
SC-28 Protection of Information at Rest S
SC-28(1) CRYPTOGRAPHIC PROTECTION S
SC-28(2) OFF-LINE STORAGE O
SC-28(3) CRYPTOGRAPHIC KEYS O /S
SC-29 Heterogeneity O √
SC-29(1) VIRTUALIZATION TECHNIQUES O √
SC-30 Concealment and Misdirection O √
SC-30(1) VIRTUALIZATION TECHNIQUES W: Incorporated into SC-29(1).
SC-30(2) RANDOMNESS O √
SC-30(3) CHANGE PROCESSING AND STORAGE LOCATIONS O √
SC-30(4) MISLEADING INFORMATION O √
SC-30(5) CONCEALMENT OF SYSTEM COMPONENTS O √
SC-31 Covert Channel Analysis O √
SC-31(1) TEST COVERT CHANNELS FOR EXPLOITABILITY O √
SC-31(2) MAXIMUM BANDWIDTH O √
SC-31(3) MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS O √
SC-32 System Partitioning O /S √
SC-32(1) SEPARATE PHYSICAL DOMAINS FOR PRIVILEGED FUNCTIONS O /S √
SC-33 Transmission Preparation Integrity W: Incorporated into SC-8.

APPENDIX D PAGE 445

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SC-34 Non-Modifiable Executable Programs S √

SC-34(1) NO WRITABLE STORAGE O √
SC-34(2) INTEGRITY PROTECTION AND READ-ONLY MEDIA O √
SC-34(3) HARDWARE-BASED PROTECTION O √
SC-35 External Malicious Code Identification S
SC-36 Distributed Processing and Storage O √
SC-36(1) POLLING TECHNIQUES O √
SC-36(2) SYNCHRONIZATION O √
SC-37 Out-of-Band Channels O √
SC-37(1) ENSURE DELIVERY AND TRANSMISSION O √
SC-38 Operations Security O √
SC-39 Process Isolation S √
SC-39(1) HARDWARE SEPARATION S √
SC-39(2) SEPARATE EXECUTION DOMAIN PER THREAD S √
SC-40 Wireless Link Protection S
SC-40(1) ELECTROMAGNETIC INTERFERENCE S
SC-40(2) REDUCE DETECTION POTENTIAL S
SC-40(3) IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION S
SC-40(4) SIGNAL PARAMETER IDENTIFICATION S
SC-41 Port and I/O Device Access O /S
SC-42 Sensor Capability and Data S
SC-42(1) REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES O
SC-42(2) AUTHORIZED USE O
SC-42(3) PROHIBIT USE OF DEVICES O
SC-42(4) NOTICE OF COLLECTION O
SC-42(5) COLLECTION MINIMIZATION O
SC-43 Usage Restrictions O /S
SC-44 Detonation Chambers S
SC-45 System Time Synchronization S
SC-46 Cross Domain Policy Enforcement S
SC-47 Communications Path Diversity O /S
SC-48 Sensor Relocation O /S
SC-48(1) DYNAMIC RELOCATION OF SENSORS OR MONITORING CAPABILITIES O /S
SC-49 Hardware-Enforced Separation and Policy Enforcement O /S √
SC-50 Software-Enforced Separation and Policy Enforcement O /S √
SC-51 Operational and Internet-Based Technologies O /S √

15891

APPENDIX D PAGE 446

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15892 TABLE D-19: SYSTEM AND INFORMATION INTEGRITY FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SI-1 Policy and Procedures O √

SI-2 Flaw Remediation O
SI-2(1) CENTRAL MANAGEMENT O /S
SI-2(2) AUTOMATED FLAW REMEDIATION STATUS O
SI-2(3) TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS O
SI-2(4) AUTOMATED PATCH MANAGEMENT TOOLS O /S
SI-2(5) AUTOMATIC SOFTWARE AND FIRMWARE UPDATES O /S
SI-2(6) REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE AND FIRMWARE O /S
SI-3 Malicious Code Protection O /S
SI-3(1) CENTRAL MANAGEMENT O
SI-3(2) AUTOMATIC UPDATES W: Incorporated into SI-3.
SI-3(3) NON-PRIVILEGED USERS W: Incorporated into AC-6(10).
SI-3(4) UPDATES ONLY BY PRIVILEGED USERS O /S
SI-3(5) PORTABLE STORAGE DEVICES W: Incorporated into MP-7.
SI-3(6) TESTING AND VERIFICATION O
SI-3(7) NONSIGNATURE-BASED DETECTION W: Incorporated into SI-3.
SI-3(8) DETECT UNAUTHORIZED COMMANDS S
SI-3(9) AUTHENTICATE REMOTE COMMANDS S
SI-3(10) MALICIOUS CODE ANALYSIS O
SI-4 System Monitoring O /S √
SI-4(1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM O /S √
SI-4(2) AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME ANALYSIS S √
SI-4(3) AUTOMATED TOOL AND MECHANISM INTEGRATION S √
SI-4(4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC S √
SI-4(5) SYSTEM-GENERATED ALERTS S √
SI-4(6) RESTRICT NON-PRIVILEGED USERS W: Incorporated into AC-6(10).
SI-4(7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS S √
SI-4(8) PROTECTION OF MONITORING INFORMATION W: Incorporated into SI-4.
SI-4(9) TESTING OF MONITORING TOOLS AND MECHANISMS O √
SI-4(10) VISIBILITY OF ENCRYPTED COMMUNICATIONS O √
SI-4(11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES O /S √
SI-4(12) AUTOMATED ORGANIZATION-GENERATED ALERTS O /S √
SI-4(13) ANALYZE TRAFFIC AND EVENT PATTERNS O /S √
SI-4(14) WIRELESS INTRUSION DETECTION S √
SI-4(15) WIRELESS TO WIRELINE COMMUNICATIONS S √
SI-4(16) CORRELATE MONITORING INFORMATION O /S √
SI-4(17) INTEGRATED SITUATIONAL AWARENESS O √
SI-4(18) ANALYZE TRAFFIC AND COVERT EXFILTRATION O /S √
SI-4(19) RISK FOR INDIVIDUALS O √
SI-4(20) PRIVILEGED USERS S √
SI-4(21) PROBATIONARY PERIODS O √
SI-4(22) UNAUTHORIZED NETWORK SERVICES S √

APPENDIX D PAGE 447

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SI-4(23) HOST-BASED DEVICES O √

SI-4(24) INDICATORS OF COMPROMISE S √
SI-4(25) OPTIMIZE NETWORK TRAFFIC ANALYSIS S √
SI-5 Security Alerts, Advisories, and Directives O √
SI-5(1) AUTOMATED ALERTS AND ADVISORIES O √
SI-6 Security and Privacy Function Verification S √
SI-6(1) NOTIFICATION OF FAILED SECURITY TESTS W: Incorporated into SI-6.
SI-6(2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING S
SI-6(3) REPORT VERIFICATION RESULTS O
SI-7 Software, Firmware, and Information Integrity O /S √
SI-7(1) INTEGRITY CHECKS S √
SI-7(2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS S √
SI-7(3) CENTRALLY MANAGED INTEGRITY TOOLS O √
SI-7(4) TAMPER-EVIDENT PACKAGING W: Incorporated into SR-9.
SI-7(5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS S √
SI-7(6) CRYPTOGRAPHIC PROTECTION S √
SI-7(7) INTEGRATION OF DETECTION AND RESPONSE O √
SI-7(8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS S √
SI-7(9) VERIFY BOOT PROCESS S √
SI-7(10) PROTECTION OF BOOT FIRMWARE S √
SI-7(11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES W: Moved to CM-7(6).
SI-7(12) INTEGRITY VERIFICATION O /S √
SI-7(13) CODE EXECUTION IN PROTECTED ENVIRONMENTS W: Moved to CM-7(7).
SI-7(14) BINARY OR MACHINE EXECUTABLE CODE W: Moved to CM-7(8).
SI-7(15) CODE AUTHENTICATION S √
SI-7(16) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION O √
SI-7(17) RUNTIME APPLICATION SELF-PROTECTION O /S √
SI-8 Spam Protection O
SI-8(1) CENTRAL MANAGEMENT O
SI-8(2) AUTOMATIC UPDATES S
SI-8(3) CONTINUOUS LEARNING CAPABILITY S
SI-9 Information Input Restrictions W: Incorporated into AC-2, AC-3, AC-5, AC-
6.
SI-10 Information Input Validation S √
SI-10(1) MANUAL OVERRIDE CAPABILITY O /S √
SI-10(2) REVIEW AND RESOLVE OF ERRORS O √
SI-10(3) PREDICTABLE BEHAVIOR O /S √
SI-10(4) TIMING INTERACTIONS S √
SI-10(5) RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS S √
SI-10(6) INJECTION PREVENTION S √
SI-11 Error Handling S
SI-12 Information Management and Retention O
SI-12(1) LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS O

APPENDIX D PAGE 448

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SI-12(2) MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION IN TESTING, O

TRAINING, AND RESEARCH
SI-12(3) INFORMATION DISPOSAL O
SI-13 Predictable Failure Prevention O √
SI-13(1) TRANSFERRING COMPONENT RESPONSIBILITIES O √
SI-13(2) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION W: Incorporated into SI-7(16).
SI-13(3) MANUAL TRANSFER BETWEEN COMPONENTS O √
SI-13(4) STANDBY COMPONENT INSTALLATION AND NOTIFICATION O /S √
SI-13(5) FAILOVER CAPABILITY O √
SI-14 Non-Persistence O √
SI-14(1) REFRESH FROM TRUSTED SOURCES O √
SI-14(2) NON-PERSISTENT INFORMATION O √
SI-14(3) NON-PERSISTENT CONNECTIVITY O √
SI-15 Information Output Filtering S √
SI-16 Memory Protection S √
SI-17 Fail-Safe Procedures S √
SI-18 Personally Identifiable Information Quality Operations O /S
SI-18(1) AUTOMATION O /S
SI-18(2) DATA TAGS O /S
SI-18(3) COLLECTION O /S
SI-18(4) INDIVIDUAL REQUESTS O /S
SI-18(5) NOTICE OF COLLECTION OR DELETION O /S
SI-19 De-Identification O /S
SI-19(1) COLLECTION O /S
SI-19(2) ARCHIVING O /S
SI-19(3) RELEASE O /S
SI-19(4) REMOVAL, MASKING, ENCRYPTION, HASHING, OR REPLACEMENT OF S
DIRECT IDENTIFIERS
SI-19(5) STATISTICAL DISCLOSURE CONTROL O /S
SI-19(6) DIFFERENTIAL PRIVACY O /S
SI-19(7) VALIDATED SOFTWARE O
SI-19(8) MOTIVATED INTRUDER O /S
SI-20 Tainting O /S √
SI-21 Information Refresh O /S √
SI-22 Information Diversity O /S √
SI-23 Information Fragmentation O /S √

15893

APPENDIX D PAGE 449

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15894 TABLE D-20: SUPPLY CHAIN RISK MANAGEMENT FAMILY

CONTROL CONTROL NAME IMPLEMENTED ASSURANCE

NUMBER BY
CONTROL ENHANCEMENT NAME

SR-1 Policy and Procedures O √

SR-2 Supply Chain Risk Management Plan O √
SR-2(1) ESTABLISH SCRM TEAM O √
SR-3 Supply Chain Controls and Processes O /S √
SR-3(1) DIVERSE SUPPLY BASE O √
SR-3(2) LIMITATION OF HARM O √
SR-4 Provenance O √
SR-4(1) IDENTITY O √
SR-4(2) TRACK AND TRACE O √
SR-4(3) VALIDATE AS GENUINE AND NOT ALTERED O √
SR-5 Acquisition Strategies, Tools, and Methods O √
SR-5(1) ADEQUATE SUPPLY O √
SR-5(2) ASSESSMENTS PRIOR TO SELECTION, ACCEPTANCE, MODIFICATION, OR O √
UPDATE
SR-6 Supplier Reviews O √
SR-6(1) PENETRATION TESTING AND ANALYSIS O √
SR-7 Supply Chain Operations Security O √
SR-8 Notification Agreements O √
SR-9 Tamper Resistance and Detection O √
SR-9(1) MULTIPLE STAGES OF SYSTEM DEVELOPMENT LIFE CYCLE O √
SR-10 Inspection of Systems or Components O √
SR-11 Component Authenticity O √
SR-11(1) ANTI-COUNTERFEIT TRAINING O √
SR-11(2) CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR O √
SR-11(3) COMPONENT DISPOSAL O √
SR-11(4) ANTI-COUNTERFEIT SCANNING O √

15895

APPENDIX D PAGE 450

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15896 Notes to Reviewers Supplemental Material

15897 Notional Example: NIST SP 800-53 Controls Security and Privacy Collaboration Index
15898 The integration of security and privacy controls into one catalog recognizes the essential
15899 relationship between security and privacy objectives. Control implementation can often
15900 underscore this relationship. For example, security and privacy objectives are aligned in many
15901 circumstances, and therefore, the implementation of a particular control can support
15902 achievement of both sets of objectives. However, there are also circumstances when controls
15903 are implemented differently to achieve the respective objectives, or the method of
15904 implementation can impact the objectives of the other program. Thus, it is important that
15905 security and privacy programs collaborate effectively with respect to the implementation of
15906 controls to ensure that both programs’ objectives are met appropriately and assigned
15907 responsibilities are carried out.

15908 In an attempt to provide better guidance on implementation collaboration, NIST requests

15909 feedback on the concept of a collaboration index for each control. The index is intended to
15910 indicate the degree of collaboration between security and privacy programs for each control.
15911 Criteria for selecting controls (control baselines) will be addressed separately in forthcoming
15912 NIST Special Publication 800-53B.

15913 The following options are proposed for a collaboration index:

OPTION 1 OPTION 2

Controls are primarily implemented by security Security programs have primary

S programs – minimal collaboration needed responsibility for implementation – minimal
between security and privacy programs. collaboration needed between security and
S privacy programs.
Controls are generally implemented by security
SP programs – moderate collaboration needed
between security and privacy programs.
Controls are implemented by security and privacy Security and privacy programs both have
programs – full collaboration needed between responsibilities for implementation – more
SP security and privacy programs. SP than minimal collaboration is needed
between security and privacy programs.
Controls are generally implemented by privacy Privacy programs have primary responsibility
PS programs – moderate collaboration needed for implementation – minimal collaboration
between security and privacy programs. needed between security and privacy
P programs.
Controls are primarily implemented by privacy
P programs – minimal collaboration needed
between security and privacy programs.
15914

15915 This collaboration index is a starting point to facilitate discussion between security and privacy
15916 programs within organizations since the degree of collaboration needed for control
15917 implementation for specific systems depends on many factors.

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15918 For purposes of review and comment, three control families are identified as notional examples
15919 – Access Control (AC), Program Management (PM), and Personally Identifiable Information
15920 Processing and Transparency (PT). Tables 1 through 3 below provide the sample security and
15921 privacy collaboration rating indices for the three controls families selected to demonstrate this
15922 approach.
15923 We are interested in comments in the following areas.
15924 • Does an implementation collaboration index for each control provide meaningful guidance
15925 to both privacy and security professionals? If so, how? If not, what are potential issues and
15926 concerns?
15927 • Which option (3-gradient scale or 5-gradient scale) is preferred and why?
15928 • Are there other recommendations for a collaboration index?
15929 • Are there recommendations on other ways to provide more guidance on collaboration?
15930
15931 TABLE 1: ACCESS CONTROL FAMILY

CONTROL COLLABORATION COLLABORATION

CONTROL NAME INDEX INDEX
NUMBER
CONTROL ENHANCEMENT NAME 3-GRADIENT 5-GRADIENT
SCALE SCALE

AC-1 Policy and Procedures SP SP

AC-2 Account Management SP SP
AC-2(1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT S S
AC-2(2) AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT S S
AC-2(3) DISABLE ACCOUNTS S S
AC-2(4) AUTOMATED AUDIT ACTIONS S S
AC-2(5) INACTIVITY LOGOUT S S
AC-2(6) DYNAMIC PRIVILEGE MANAGEMENT S S
AC-2(7) PRIVILEGED USER ACCOUNTS SP SP
AC-2(8) DYNAMIC ACCOUNT MANAGEMENT S S
AC-2(9) RESTRICTIONS ON USE OF SHARED AND GROUP ACCOUNTS SP SP
AC-2(10) SHARED AND GROUP ACCOUNT CREDENTIAL CHANGE W: Incorporated into AC-2k.
AC-2(11) USAGE CONDITIONS SP SP
AC-2(12) ACCOUNT MONITORING FOR ATYPICAL USAGE SP SP
AC-2(13) DISABLE ACCOUNTS FOR HIGH-RISK USERS SP SP
AC-2(14) PROHIBIT SPECIFIC ACCOUNT TYPES SP SP
AC-3 Access Enforcement S S
AC-3(1) RESTRICTED ACCESS TO PRIVILEGED FUNCTION W: Incorporated into AC-6.
AC-3(2) DUAL AUTHORIZATION S S
AC-3(3) MANDATORY ACCESS CONTROL S S
AC-3(4) DISCRETIONARY ACCESS CONTROL S S
AC-3(5) SECURITY-RELEVANT INFORMATION S S
AC-3(6) PROTECTION OF USER AND SYSTEM INFORMATION W: Incorporated into MP-4, SC-28.
AC-3(7) ROLE-BASED ACCESS CONTROL S S
AC-3(8) REVOCATION OF ACCESS AUTHORIZATIONS S S
AC-3(9) CONTROLLED RELEASE SP SP

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL COLLABORATION COLLABORATION

CONTROL NAME INDEX INDEX
NUMBER
CONTROL ENHANCEMENT NAME 3-GRADIENT 5-GRADIENT
SCALE SCALE

AC-3(10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS S S

AC-3(11) RESTRICT ACCESS TO SPECIFIC INFORMATION TYPES SP SP
AC-3(12) ASSERT AND ENFORCE APPLICATION ACCESS S S
AC-3(13) ATTRIBUTE-BASED ACCESS CONTROL SP SP
AC-3(14) INDIVIDUAL ACCESS SP SP
AC-3(15) DISCRETIONARY AND MANDATORY ACCESS CONTROL S S
AC-4 Information Flow Enforcement SP SP
AC-4(1) OBJECT SECURITY AND PRIVACY ATTRIBUTES SP SP
AC-4(2) PROCESSING DOMAINS S S
AC-4(3) DYNAMIC INFORMATION FLOW CONTROL S S
AC-4(4) FLOW CONTROL OF ENCRYPTED INFORMATION S S
AC-4(5) EMBEDDED DATA TYPES SP SP
AC-4(6) METADATA SP SP
AC-4(7) ONE-WAY FLOW MECHANISMS S S
AC-4(8) SECURITY AND PRIVACY POLICY FILTERS SP SP
AC-4(9) HUMAN REVIEWS SP SP
AC-4(10) ENABLE AND DISABLE SECURITY OR PRIVACY POLICY FILTERS S S
AC-4(11) CONFIGURATION OF SECURITY OR PRIVACY POLICY FILTERS S S
AC-4(12) DATA TYPE IDENTIFIERS S S
AC-4(13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS S S
AC-4(14) SECURITY OR PRIVACY POLICY FILTER CONSTRAINTS S S
AC-4(15) DETECTION OF UNSANCTIONED INFORMATION SP SP
AC-4(16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS W: Incorporated into AC-4.
AC-4(17) DOMAIN AUTHENTICATION S S
AC-4(18) SECURITY ATTRIBUTE BINDING W: Incorporated into AC-16.
AC-4(19) VALIDATION OF METADATA SP SP
AC-4(20) APPROVED SOLUTIONS S S
AC-4(21) PHYSICAL OR LOGICAL SEPARATION OF INFORMATION FLOWS SP SP
AC-4(22) ACCESS ONLY S S
AC-4(23) MODIFY NON-RELEASABLE INFORMATION SP SP
AC-4(24) INTERNAL NORMALIZED FORMAT S S
AC-4(25) DATA SANITIZATION S S
AC-4(26) AUDIT FILTERING ACTIONS S S
AC-4(27) REDUNDANT/INDEPENDENT FILTERING MECHANISMS S S
AC-4(28) LINEAR FILTER PIPELINES S S
AC-4(29) FILTER ORCHESTRATION ENGINES S S
AC-4(30) FILTER MECHANISMS USING MULTIPLE PROCESSES S S
AC-4(31) FAILED CONTENT TRANSFER PREVENTION S S
AC-4(32) PROCESS REQUIREMENTS FOR INFORMATION TRANSFER S S
AC-5 Separation of Duties SP SP
AC-6 Least Privilege SP SP
AC-6(1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS S S

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL

NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL COLLABORATION COLLABORATION

CONTROL NAME INDEX INDEX
NUMBER
CONTROL ENHANCEMENT NAME 3-GRADIENT 5-GRADIENT
SCALE SCALE

AC-6(2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS S S

AC-6(3) NETWORK ACCESS TO PRIVILEGED COMMANDS S S
AC-6(4) SEPARATE PROCESSING DOMAINS S S
AC-6(5) PRIVILEGED ACCOUNTS S S
AC-6(6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS S S
AC-6(7) REVIEW OF USER PRIVILEGES S S
AC-6(8) PRIVILEGE LEVELS FOR CODE EXECUTION S S
AC-6(9) LOG USE OF PRIVILEGED FUNCTIONS S S
AC-6(10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS S S
AC-7 Unsuccessful Logon Attempts S S
AC-7(1) AUTOMATIC ACCOUNT LOCK W: Incorporated into AC-7.
AC-7(2) PURGE OR WIPE MOBILE DEVICE S S
AC-7(3) BIOMETRIC ATTEMPT LIMITING S S
AC-7(4) USE OF ALTERNATE FACTOR S S
AC-8 System Use Notification SP SP
AC-9 Previous Logon Notification S S
AC-9(1) UNSUCCESSFUL LOGONS S S
AC-9(2) SUCCESSFUL AND UNSUCCESSFUL LOGONS S S
AC-9(3) NOTIFICATION OF ACCOUNT CHANGES S S
AC-9(4) ADDITIONAL LOGON INFORMATION S S
AC-10 Concurrent Session Control S S
AC-11 Device Lock S S
AC-11(1) PATTERN-HIDING DISPLAYS S S
AC-12 Session Termination S S
AC-12(1) USER-INITIATED LOGOUTS S S
AC-12(2) TERMINATION MESSAGE S S
AC-12(3) TIMEOUT WARNING MESSAGE S S
AC-13 Supervision and Review-Access Control W: Incorporated into AC-2, AU-6.
AC-14 Permitted Actions without Identification or Authentication SP SP
AC-14(1) NECESSARY USES W: Incorporated into AC-14.
AC-15 Automated Marking W: Incorporated into MP-3.
AC-16 Security and Privacy Attributes SP SP
AC-16(1) DYNAMIC ATTRIBUTE ASSOCIATION SP SP
AC-16(2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS S S
AC-16(3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM SP SP
AC-16(4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS SP SP
AC-16(5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES SP SP
AC-16(6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION SP SP
AC-16(7) CONSISTENT ATTRIBUTE INTERPRETATION S S
AC-16(8) ASSOCIATION TECHNIQUES AND TECHNOLOGIES S S
AC-16(9) ATTRIBUTE REASSIGNMENT SP SP
AC-16(10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS S S

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

CONTROL COLLABORATION COLLABORATION

CONTROL NAME INDEX INDEX
NUMBER
CONTROL ENHANCEMENT NAME 3-GRADIENT 5-GRADIENT
SCALE SCALE

AC-17 Remote Access SP SP

AC-17(1) MONITORING AND CONTROL S S
AC-17(2) PROTECTION OF CONFIDENTIALITY AND INTEGRITY USING ENCRYPTION S S
AC-17(3) MANAGED ACCESS CONTROL POINTS S S
AC-17(4) PRIVILEGED COMMANDS AND ACCESS S S
AC-17(5) MONITORING FOR UNAUTHORIZED CONNECTIONS W: Incorporated into SI-4.
AC-17(6) PROTECTION OF MECHANISM INFORMATION SP SP
AC-17(7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS W: Incorporated into AC-3(10).
AC-17(8) DISABLE NONSECURE NETWORK PROTOCOLS W: Incorporated into CM-7.
AC-17(9) DISCONNECT OR DISABLE ACCESS S S
AC-17(10) AUTHENTICATE REMOTE COMMANDS S S
AC-18 Wireless Access SP SP
AC-18(1) AUTHENTICATION AND ENCRYPTION S S
AC-18(2) MONITORING UNAUTHORIZED CONNECTIONS W: Incorporated into SI-4.
AC-18(3) DISABLE WIRELESS NETWORKING S S
AC-18(4) RESTRICT CONFIGURATIONS BY USERS S S
AC-18(5) ANTENNAS AND TRANSMISSION POWER LEVELS S S
AC-19 Access Control for Mobile Devices SP SP
AC-19(1) USE OF WRITABLE AND PORTABLE STORAGE DEVICES W: Incorporated into MP-7.
AC-19(2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES W: Incorporated into MP-7.
AC-19(3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER W: Incorporated into MP-7.
AC-19(4) RESTRICTIONS FOR CLASSIFIED INFORMATION S S
AC-19(5) FULL DEVICE AND CONTAINER-BASED ENCRYPTION S S
AC-20 Use of External Systems SP SP
AC-20(1) LIMITS ON AUTHORIZED USE SP SP
AC-20(2) PORTABLE STORAGE DEVICES — RESTRICTED USE SP SP
AC-20(3) NON-ORGANIZATIONALLY OWNED SYSTEMS — RESTRICTED USE SP SP
AC-20(4) NETWORK ACCESSIBLE STORAGE DEVICES SP SP
AC-20(5) PORTABLE STORAGE DEVICES — PROHIBITED USE SP SP
AC-20(6) NON-ORGANIZATIONALLY OWNED SYSTEMS — PROHIBITED USE SP SP
AC-21 Information Sharing SP SP
AC-21(1) AUTOMATED DECISION SUPPORT S S
AC-21(2) INFORMATION SEARCH AND RETRIEVAL SP SP
AC-22 Publicly Accessible Content SP SP
AC-23 Data Mining Protection SP SP
AC-24 Access Control Decisions SP SP
AC-24(1) TRANSMIT ACCESS AUTHORIZATION INFORMATION S S
AC-24(2) NO USER OR PROCESS IDENTITY SP SP
AC-25 Reference Monitor S S

15932

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15933 TABLE 2: PROGRAM MANAGEMENT FAMILY

CONTROL COLLABORATION COLLABORATION

CONTROL NAME INDEX INDEX
NUMBER
CONTROL ENHANCEMENT NAME 3-GRADIENT 5-GRADIENT
SCALE SCALE

PM-1 Information Security Program Plan S S

PM-2 Information Security Program Leadership Role S S
PM-3 Information Security and Privacy Resources SP SP
PM-4 Plan of Action and Milestones Process SP SP
PM-5 System Inventory SP SP
PM-5(1) INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION P PS
PM-6 Measures of Performance SP SP
PM-7 Enterprise Architecture SP SP
PM-7(1) OFFLOADING SP SP
PM-8 Critical Infrastructure Plan SP SP
PM-9 Risk Management Strategy SP SP
PM-10 Authorization Process SP SP
PM-11 Mission and Business Process Definition SP SP
PM-12 Insider Threat Program SP SP
PM-13 Security and Privacy Workforce SP SP
PM-14 Testing, Training, and Monitoring SP SP
PM-15 Security and Privacy Groups and Associations SP SP
PM-16 Threat Awareness Program SP SP
PM-16(1) AUTOMATED MEANS FOR SHARING THREAT INTELLIGENCE SP SP
PM-17 Protecting CUI on External Systems SP SP
PM-18 Privacy Program Plan P P
PM-19 Privacy Program Leadership Role P P
PM-20 Dissemination of Privacy Program Information P P
PM-21 Accounting of Disclosures P P
PM-22 Personally Identifiable Information Quality Management P P
PM-23 Data Governance Body SP SP
PM-24 Data Integrity Board P P
PM-25 Minimization of PII Used in Testing Training, and Research SP SP
PM-26 Complaint Management P P
PM-27 Privacy Reporting P P
PM-28 Risk Framing SP SP
PM-29 Risk Management Program Leadership Roles SP SP
PM-30 Supply Chain Risk Management Strategy SP SP
PM-31 Continuous Monitoring Strategy SP SP
PM-32 Purposing SP SP
PM-33 Privacy Policies on Websites, Applications, and Digital P P
Services

15934

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL

 NIST SP 800-53 REV. 5 (DRAFT) SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________

15935 TABLE 3: PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY

CONTROL COLLABORATION COLLABORATION

CONTROL NAME INDEX INDEX
NUMBER
CONTROL ENHANCEMENT NAME 3-GRADIENT 5-GRADIENT
SCALE SCALE

PT-1 Policy and Procedures P P

PT-2 Authority to Process Personally Identifiable Information P P
PT-2(1) DATA TAGGING SP SP
PT-2(2) AUTOMATION SP SP
PT-3 Personally Identifiable Information Processing Purposes P P
PT-3(1) DATA TAGGING SP SP
PT-3(2) AUTOMATION SP SP
PT-4 Minimization P P
PT-5 Consent P P
PT-5(1) TAILORED CONSENT P P
PT-5(2) JUST-IN-TIME CONSENT P P
PT-6 Privacy Notice P P
PT-6(1) JUST-IN-TIME NOTICE P P
PT-6(2) PRIVACY ACT STATEMENTS P P
PT-7 System of Records Notice P P
PT-7(1) ROUTINE USES P P
PT-7(2) EXEMPTION RULES P P
PT-8 Specific Categories of Personally Identifiable Information P P
PT-8(1) SOCIAL SECURITY NUMBERS P P
PT-8(2) FIRST AMENDMENT INFORMATION P P
PT-9 Computer Matching Requirements P P

15936

NOTES TO REVIEWERS SUPPLEMENTAL MATERIAL