(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
DESCRIPTION
Map The Council on CyberSecurity Critical Security Controls (CSC) Version 5 to NIST SP 800-53 Revision 4 (controls & enhancements)TRANSCRIPT
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
ACCESS CONTROL ACCESS CONTROL
AC-01 ACCESS CONTROL POLICY AND PROCEDURES • AC-01
P1 LOW •
AC-02 ACCOUNT MANAGEMENT • • • AC-02
P1 LOW AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT • • • AC-2 (1)
AC-2 (2) REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS • • • AC-2 (2)
AC-2 (3) DISABLE INACTIVE ACCOUNTS • • • AC-2 (3)
AC-2 (4) AUTOMATED AUDIT ACTIONS • • • AC-2 (4)
AC-2 (5) INACTIVITY LOGOUT • • • AC-2 (5)
AC-2 (6) DYNAMIC PRIVILEGE MANAGEMENT • • • AC-2 (6)
AC-2 (7) ROLE-BASED SCHEMES • • • AC-2 (7)
AC-2 (8) DYNAMIC ACCOUNT CREATION • • • AC-2 (8)
AC-2 (9) RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS • • • AC-2 (9)
AC-2 (10) SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION • • • AC-2 (10)
AC-2 (11) USAGE CONDITIONS • • • AC-2 (11)
AC-2 (12) ACCOUNT MONITORING / ATYPICAL USAGE • • • AC-2 (12)
AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS • • • AC-2 (13)
AC-03 ACCESS ENFORCEMENT • • • AC-03
P1 LOW AC-3 (1) RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS • • • AC-3 (1)
AC-3 (2) DUAL AUTHORIZATION • • • AC-3 (2)
AC-3 (3) MANDATORY ACCESS CONTROL • • • AC-3 (3)
AC-3 (4) DISCRETIONARY ACCESS CONTROL • • • AC-3 (4)
AC-3 (5) SECURITY-RELEVANT INFORMATION • • • AC-3 (5)
AC-3 (6) PROTECTION OF USER AND SYSTEM INFORMATION • • • AC-3 (6)
AC-3 (7) ROLE-BASED ACCESS CONTROL • • • AC-3 (7)
AC-3 (8) REVOCATION OF ACCESS AUTHORIZATIONS • • • AC-3 (8)
AC-3 (9) CONTROLLED RELEASE • • • AC-3 (9)
AC-3 (10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS • • • AC-3 (10)
AC-04 INFORMATION FLOW ENFORCEMENT • • • • • AC-04
P1 MODERATE AC-4 (1) OBJECT SECURITY ATTRIBUTES • • • • • AC-4 (1)
AC-4 (2) PROCESSING DOMAINS • • • • • AC-4 (2)
AC-4 (3) DYNAMIC INFORMATION FLOW CONTROL • • • • • AC-4 (3)
AC-4 (4) CONTENT CHECK ENCRYPTED INFORMATION • • • • • AC-4 (4)
AC-4 (5) EMBEDDED DATA TYPES • • • • • AC-4 (5)
AC-4 (6) METADATA • • • • • AC-4 (6)
AC-4 (7) ONE-WAY FLOW MECHANISMS • • • • • AC-4 (7)
AC-4 (8) SECURITY POLICY FILTERS • • • • • AC-4 (8)
AC-4 (9) HUMAN REVIEWS • • • • • AC-4 (9)
AC-4 (10) ENABLE / DISABLE SECURITY POLICY FILTERS • • • • • AC-4 (10)
AC-4 (11) CONFIGURATION OF SECURITY POLICY FILTERS • • • • • AC-4 (11)
AC-4 (12) DATA TYPE IDENTIFIERS • • • • • AC-4 (12)
AC-4 (13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS • • • • • AC-4 (13)
AC-4 (14) SECURITY POLICY FILTER CONSTRAINTS • • • • • AC-4 (14)
AC-4 (15) DETECTION OF UNSANCTIONED INFORMATION • • • • • AC-4 (15)
ENHANCEMENTS TABLE Page 1 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
AC-04 P1 MODERATE AC-4 (16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS • • • • • AC-4 (16)
AC-4 (17) DOMAIN AUTHENTICATION • • • • • AC-4 (17)
AC-4 (18) SECURITY ATTRIBUTE BINDING • • • • • AC-4 (18)
AC-4 (19) VALIDATION OF METADATA • • • • • AC-4 (19)
AC-4 (20) APPROVED SOLUTIONS • • • • • AC-4 (20)
AC-4 (21) PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS • • • • • AC-4 (21)
AC-4 (22) ACCESS ONLY • • • • • AC-4 (22)
AC-05 SEPARATION OF DUTIES AC-05
P1 MODERATE
AC-06 LEAST PRIVILEGE • • AC-06
P1 MODERATE AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS • • AC-6 (1)
AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS • • AC-6 (2)
AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS • • AC-6 (3)
AC-6 (4) SEPARATE PROCESSING DOMAINS • • AC-6 (4)
AC-6 (5) PRIVILEGED ACCOUNTS • • AC-6 (5)
AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS • • AC-6 (6)
AC-6 (7) REVIEW OF USER PRIVILEGES • • AC-6 (7)
AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION • • AC-6 (8)
AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS • • AC-6 (9)
AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS • • AC-6 (10)
AC-07 UNSUCCESSFUL LOGON ATTEMPTS • AC-07
P2 LOW AC-7 (1) AUTOMATIC ACCOUNT LOCK • AC-7 (1)
AC-7 (2) PURGE / WIPE MOBILE DEVICE • AC-7 (2)
AC-08 SYSTEM USE NOTIFICATION AC-08
P1 LOW
AC-09 PREVIOUS LOGON (ACCESS) NOTIFICATION AC-09
P0 AC-9 (1) UNSUCCESSFUL LOGONS AC-9 (1)
AC-9 (2) SUCCESSFUL / UNSUCCESSFUL LOGONS AC-9 (2)
AC-9 (3) NOTIFICATION OF ACCOUNT CHANGES AC-9 (3)
AC-9 (4) ADDITIONAL LOGON INFORMATION AC-9 (4)
AC-10 CONCURRENT SESSION CONTROL AC-10
P3 HIGH
AC-11 SESSION LOCK • AC-11
P3 MODERATE AC-11 (1) PATTERN-HIDING DISPLAYS • AC-11 (1)
AC-12 SESSION TERMINATION • AC-12
P2 MODERATE AC-12 (1) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS • AC-12 (1)
AC-13 SUPERVISION AND REVIEW ' ACCESS CONTROL AC-13
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION AC-14
P3 LOW AC-14 (1) NECESSARY USES AC-14 (1)
AC-15 AUTOMATED MARKING AC-15
ENHANCEMENTS TABLE Page 2 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
AC-15
AC-16 SECURITY ATTRIBUTES AC-16
P0 AC-16 (1) DYNAMIC ATTRIBUTE ASSOCIATION AC-16 (1)
AC-16 (2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS AC-16 (2)
AC-16 (3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM AC-16 (3)
AC-16 (4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS AC-16 (4)
AC-16 (5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES AC-16 (5)
AC-16 (6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION AC-16 (6)
AC-16 (7) CONSISTENT ATTRIBUTE INTERPRETATION AC-16 (7)
AC-16 (8) ASSOCIATION TECHNIQUES / TECHNOLOGIES AC-16 (8)
AC-16 (9) ATTRIBUTE REASSIGNMENT AC-16 (9)
AC-16 (10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS AC-16 (10)
AC-17 REMOTE ACCESS • • AC-17
P1 LOW AC-17 (1) AUTOMATED MONITORING / CONTROL • • AC-17 (1)
AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION • • AC-17 (2)
AC-17 (3) MANAGED ACCESS CONTROL POINTS • • AC-17 (3)
AC-17 (4) PRIVILEGED COMMANDS / ACCESS • • AC-17 (4)
AC-17 (5) MONITORING FOR UNAUTHORIZED CONNECTIONS • • AC-17 (5)
AC-17 (6) PROTECTION OF INFORMATION • • AC-17 (6)
AC-17 (7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS • • AC-17 (7)
AC-17 (8) DISABLE NONSECURE NETWORK PROTOCOLS • • AC-17 (8)
AC-17 (9) DISCONNECT / DISABLE ACCESS • • AC-17 (9)
AC-18 WIRELESS ACCESS • AC-18
P1 LOW AC-18 (1) AUTHENTICATION AND ENCRYPTION • AC-18 (1)
AC-18 (2) MONITORING UNAUTHORIZED CONNECTIONS • AC-18 (2)
AC-18 (3) DISABLE WIRELESS NETWORKING • AC-18 (3)
AC-18 (4) RESTRICT CONFIGURATIONS BY USERS • AC-18 (4)
AC-18 (5) ANTENNAS / TRANSMISSION POWER LEVELS • AC-18 (5)
AC-19 ACCESS CONTROL FOR MOBILE DEVICES • • AC-19
P1 LOW AC-19 (1) USE OF WRITABLE / PORTABLE STORAGE DEVICES • • AC-19 (1)
AC-19 (2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES • • AC-19 (2)
AC-19 (3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER • • AC-19 (3)
AC-19 (4) RESTRICTIONS FOR CLASSIFIED INFORMATION • • AC-19 (4)
AC-19 (5) FULL DEVICE / CONTAINER-BASED ENCRYPTION • • AC-19 (5)
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS • AC-20
P1 LOW AC-20 (1) LIMITS ON AUTHORIZED USE • AC-20 (1)
AC-20 (2) PORTABLE STORAGE DEVICES • AC-20 (2)
AC-20 (3) NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES • AC-20 (3)
AC-20 (4) NETWORK ACCESSIBLE STORAGE DEVICES • AC-20 (4)
AC-21 INFORMATION SHARING AC-21
P2 MODERATE AC-21 (1) AUTOMATED DECISION SUPPORT AC-21 (1)
AC-21 (2) INFORMATION SEARCH AND RETRIEVAL AC-21 (2)
ENHANCEMENTS TABLE Page 3 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
AC-22 PUBLICLY ACCESSIBLE CONTENT AC-22
P3 LOW
AC-23 DATA MINING PROTECTION • • AC-23
P0 • •
AC-24 ACCESS CONTROL DECISIONS • AC-24
P0 AC-24 (1) TRANSMIT ACCESS AUTHORIZATION INFORMATION • AC-24 (1)
AC-24 (2) NO USER OR PROCESS IDENTITY • AC-24 (2)
AC-25 REFERENCE MONITOR AC-25
P0
AUDIT AND ACCOUNTABILITY AUDIT AND ACCOUNTABILITY
AU-01 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES AU-01
P1 LOW
AU-02 AUDIT EVENTS • AU-02
P1 LOW AU-2 (1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES • AU-2 (1)
AU-2 (2) SELECTION OF AUDIT EVENTS BY COMPONENT • AU-2 (2)
AU-2 (3) REVIEWS AND UPDATES • AU-2 (3)
AU-2 (4) PRIVILEGED FUNCTIONS • AU-2 (4)
AU-03 CONTENT OF AUDIT RECORDS • AU-03
P1 LOW AU-3 (1) ADDITIONAL AUDIT INFORMATION • AU-3 (1)
AU-3 (2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT • AU-3 (2)
AU-04 AUDIT STORAGE CAPACITY • AU-04
P1 LOW AU-4 (1) TRANSFER TO ALTERNATE STORAGE • AU-4 (1)
AU-05 RESPONSE TO AUDIT PROCESSING FAILURES • AU-05
P1 LOW AU-5 (1) AUDIT STORAGE CAPACITY • AU-5 (1)
AU-5 (2) REAL-TIME ALERTS • AU-5 (2)
AU-5 (3) CONFIGURABLE TRAFFIC VOLUME THRESHOLDS • AU-5 (3)
AU-5 (4) SHUTDOWN ON FAILURE • AU-5 (4)
AU-06 AUDIT REVIEW, ANALYSIS, AND REPORTING • AU-06
P1 LOW AU-6 (1) PROCESS INTEGRATION • AU-6 (1)
AU-6 (2) AUTOMATED SECURITY ALERTS • AU-6 (2)
AU-6 (3) CORRELATE AUDIT REPOSITORIES • AU-6 (3)
AU-6 (4) CENTRAL REVIEW AND ANALYSIS • AU-6 (4)
AU-6 (5) INTEGRATION / SCANNING AND MONITORING CAPABILITIES • AU-6 (5)
AU-6 (6) CORRELATION WITH PHYSICAL MONITORING • AU-6 (6)
AU-6 (7) PERMITTED ACTIONS • AU-6 (7)
AU-6 (8) FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS • AU-6 (8)
AU-6 (9) CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES • AU-6 (9)
AU-6 (10) AUDIT LEVEL ADJUSTMENT • AU-6 (10)
AU-07 AUDIT REDUCTION AND REPORT GENERATION • AU-07
P2 MODERATE AU-7 (1) AUTOMATIC PROCESSING • AU-7 (1)
AU-7 (2) AUTOMATIC SORT AND SEARCH • AU-7 (2)
ENHANCEMENTS TABLE Page 4 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
AU-07 P2 MODERATE
AU-08 TIME STAMPS • AU-08
P1 LOW AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE • AU-8 (1)
AU-8 (2) SECONDARY AUTHORITATIVE TIME SOURCE • AU-8 (2)
AU-09 PROTECTION OF AUDIT INFORMATION • AU-09
P1 LOW AU-9 (1) HARDWARE WRITE-ONCE MEDIA • AU-9 (1)
AU-9 (2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS • AU-9 (2)
AU-9 (3) CRYPTOGRAPHIC PROTECTION • AU-9 (3)
AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS • AU-9 (4)
AU-9 (5) DUAL AUTHORIZATION • AU-9 (5)
AU-9 (6) READ ONLY ACCESS • AU-9 (6)
AU-10 NON-REPUDIATION • AU-10
P2 HIGH AU-10 (1) ASSOCIATION OF IDENTITIES • AU-10 (1)
AU-10 (2) VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY • AU-10 (2)
AU-10 (3) CHAIN OF CUSTODY • AU-10 (3)
AU-10 (4) VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY • AU-10 (4)
AU-10 (5) DIGITAL SIGNATURES • AU-10 (5)
AU-11 AUDIT RECORD RETENTION • AU-11
P3 LOW AU-11 (1) LONG-TERM RETRIEVAL CAPABILITY • AU-11 (1)
AU-12 AUDIT GENERATION • AU-12
P1 LOW AU-12 (1) SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL • AU-12 (1)
AU-12 (2) STANDARDIZED FORMATS • AU-12 (2)
AU-12 (3) CHANGES BY AUTHORIZED INDIVIDUALS • AU-12 (3)
AU-13 MONITORING FOR INFORMATION DISCLOSURE • AU-13
P0 AU-13 (1) USE OF AUTOMATED TOOLS • AU-13 (1)
AU-13 (2) REVIEW OF MONITORED SITES • AU-13 (2)
AU-14 SESSION AUDIT • AU-14
P0 AU-14 (1) SYSTEM START-UP • AU-14 (1)
AU-14 (2) CAPTURE/RECORD AND LOG CONTENT • AU-14 (2)
AU-14 (3) REMOTE VIEWING / LISTENING • AU-14 (3)
AU-15 ALTERNATE AUDIT CAPABILITY AU-15
P0
AU-16 CROSS-ORGANIZATIONAL AUDITING AU-16
P0 AU-16 (1) IDENTITY PRESERVATION AU-16 (1)
AU-16 (2) SHARING OF AUDIT INFORMATION AU-16 (2)
AWARENESS AND TRAINING AWARENESS AND TRAINING
AT-01 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES • AT-01
P1 LOW •
AT-02 SECURITY AWARENESS TRAINING • AT-02
ENHANCEMENTS TABLE Page 5 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
AT-02 P1 LOW AT-2 (1) PRACTICAL EXERCISES • AT-2 (1)
AT-2 (2) INSIDER THREAT • AT-2 (2)
AT-03 ROLE-BASED SECURITY TRAINING • AT-03
P1 LOW AT-3 (1) ENVIRONMENTAL CONTROLS • AT-3 (1)
AT-3 (2) PHYSICAL SECURITY CONTROLS • AT-3 (2)
AT-3 (3) PRACTICAL EXERCISES • AT-3 (3)
AT-3 (4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR • AT-3 (4)
AT-04 SECURITY TRAINING RECORDS • AT-04
P3 LOW •
AT-05 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS AT-05
CONFIGURATION MANAGEMENT CONFIGURATION MANAGEMENT
CM-01 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES CM-01
P1 LOW
CM-02 BASELINE CONFIGURATION • • • • • • CM-02
P1 LOW CM-2 (1) REVIEWS AND UPDATES • • • • • • CM-2 (1)
CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY • • • • • • CM-2 (2)
CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS • • • • • • CM-2 (3)
CM-2 (4) UNAUTHORIZED SOFTWARE • • • • • • CM-2 (4)
CM-2 (5) AUTHORIZED SOFTWARE • • • • • • CM-2 (5)
CM-2 (6) DEVELOPMENT AND TEST ENVIRONMENTS • • • • • • CM-2 (6)
CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS • • • • • • CM-2 (7)
CM-03 CONFIGURATION CHANGE CONTROL • • CM-03
P1 MODERATE CM-3 (1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES • • CM-3 (1)
CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES • • CM-3 (2)
CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION • • CM-3 (3)
CM-3 (4) SECURITY REPRESENTATIVE • • CM-3 (4)
CM-3 (5) AUTOMATED SECURITY RESPONSE • • CM-3 (5)
CM-3 (6) CRYPTOGRAPHY MANAGEMENT • • CM-3 (6)
CM-04 SECURITY IMPACT ANALYSIS CM-04
P2 LOW CM-4 (1) SEPARATE TEST ENVIRONMENTS CM-4 (1)
CM-4 (2) VERIFICATION OF SECURITY FUNCTIONS CM-4 (2)
CM-05 ACCESS RESTRICTIONS FOR CHANGE • • CM-05
P1 MODERATE CM-5 (1) AUTOMATED ACCESS ENFORCEMENT / AUDITING • • CM-5 (1)
CM-5 (2) REVIEW SYSTEM CHANGES • • CM-5 (2)
CM-5 (3) SIGNED COMPONENTS • • CM-5 (3)
CM-5 (4) DUAL AUTHORIZATION • • CM-5 (4)
CM-5 (5) LIMIT PRODUCTION / OPERATIONAL PRIVILEGES • • CM-5 (5)
CM-5 (6) LIMIT LIBRARY PRIVILEGES • • CM-5 (6)
CM-5 (7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS • • CM-5 (7)
CM-06 CONFIGURATION SETTINGS • • • CM-06
ENHANCEMENTS TABLE Page 6 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
CM-06 P1 LOW CM-6 (1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION • • • CM-6 (1)
CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES • • • CM-6 (2)
CM-6 (3) UNAUTHORIZED CHANGE DETECTION • • • CM-6 (3)
CM-6 (4) CONFORMANCE DEMONSTRATION • • • CM-6 (4)
CM-07 LEAST FUNCTIONALITY • CM-07
P1 LOW CM-7 (1) PERIODIC REVIEW • CM-7 (1)
CM-7 (2) PREVENT PROGRAM EXECUTION • CM-7 (2)
CM-7 (3) REGISTRATION COMPLIANCE • CM-7 (3)
CM-7 (4) UNAUTHORIZED SOFTWARE / BLACKLISTING • CM-7 (4)
CM-7 (5) AUTHORIZED SOFTWARE / WHITELISTING • CM-7 (5)
CM-08 INFORMATION SYSTEM COMPONENT INVENTORY • • • • • CM-08
P1 LOW CM-8 (1) UPDATES DURING INSTALLATIONS / REMOVALS • • • • • CM-8 (1)
CM-8 (2) AUTOMATED MAINTENANCE • • • • • CM-8 (2)
CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION • • • • • CM-8 (3)
CM-8 (4) ACCOUNTABILITY INFORMATION • • • • • CM-8 (4)
CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS • • • • • CM-8 (5)
CM-8 (6) ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS • • • • • CM-8 (6)
CM-8 (7) CENTRALIZED REPOSITORY • • • • • CM-8 (7)
CM-8 (8) AUTOMATED LOCATION TRACKING • • • • • CM-8 (8)
CM-8 (9) ASSIGNMENT OF COMPONENTS TO SYSTEMS • • • • • CM-8 (9)
CM-09 CONFIGURATION MANAGEMENT PLAN • CM-09
P1 MODERATE CM-9 (1) ASSIGNMENT OF RESPONSIBILITY • CM-9 (1)
CM-10 SOFTWARE USAGE RESTRICTIONS • CM-10
P2 LOW CM-10 (1) OPEN SOURCE SOFTWARE • CM-10 (1)
CM-11 USER-INSTALLED SOFTWARE • • CM-11
P1 LOW CM-11 (1) ALERTS FOR UNAUTHORIZED INSTALLATIONS • • CM-11 (1)
CM-11 (2) PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS • • CM-11 (2)
CONTINGENCY PLANNING CONTINGENCY PLANNING
CP-01 CONTINGENCY PLANNING POLICY AND PROCEDURES CP-01
P1 LOW
CP-02 CONTINGENCY PLAN CP-02
P1 LOW CP-2 (1) COORDINATE WITH RELATED PLANS CP-2 (1)
CP-2 (2) CAPACITY PLANNING CP-2 (2)
CP-2 (3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS CP-2 (3)
CP-2 (4) RESUME ALL MISSIONS / BUSINESS FUNCTIONS CP-2 (4)
CP-2 (5) CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS CP-2 (5)
CP-2 (6) ALTERNATE PROCESSING / STORAGE SITE CP-2 (6)
CP-2 (7) COORDINATE WITH EXTERNAL SERVICE PROVIDERS CP-2 (7)
CP-2 (8) IDENTIFY CRITICAL ASSETS CP-2 (8)
CP-03 CONTINGENCY TRAINING CP-03
ENHANCEMENTS TABLE Page 7 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
CP-03 P2 LOW CP-3 (1) SIMULATED EVENTS CP-3 (1)
CP-3 (2) AUTOMATED TRAINING ENVIRONMENTS CP-3 (2)
CP-04 CONTINGENCY PLAN TESTING CP-04
P2 LOW CP-4 (1) COORDINATE WITH RELATED PLANS CP-4 (1)
CP-4 (2) ALTERNATE PROCESSING SITE CP-4 (2)
CP-4 (3) AUTOMATED TESTING CP-4 (3)
CP-4 (4) FULL RECOVERY / RECONSTITUTION CP-4 (4)
CP-05 CONTINGENCY PLAN UPDATE CP-05
CP-06 ALTERNATE STORAGE SITE CP-06
P1 MODERATE CP-6 (1) SEPARATION FROM PRIMARY SITE CP-6 (1)
CP-6 (2) RECOVERY TIME / POINT OBJECTIVES CP-6 (2)
CP-6 (3) ACCESSIBILITY CP-6 (3)
CP-07 ALTERNATE PROCESSING SITE CP-07
P1 MODERATE CP-7 (1) SEPARATION FROM PRIMARY SITE CP-7 (1)
CP-7 (2) ACCESSIBILITY CP-7 (2)
CP-7 (3) PRIORITY OF SERVICE CP-7 (3)
CP-7 (4) PREPARATION FOR USE CP-7 (4)
CP-7 (5) EQUIVALENT INFORMATION SECURITY SAFEGUARDS CP-7 (5)
CP-7 (6) INABILITY TO RETURN TO PRIMARY SITE CP-7 (6)
CP-08 TELECOMMUNICATIONS SERVICES CP-08
P1 MODERATE CP-8 (1) PRIORITY OF SERVICE PROVISIONS CP-8 (1)
CP-8 (2) SINGLE POINTS OF FAILURE CP-8 (2)
CP-8 (3) SEPARATION OF PRIMARY / ALTERNATE PROVIDERS CP-8 (3)
CP-8 (4) PROVIDER CONTINGENCY PLAN CP-8 (4)
CP-8 (5) ALTERNATE TELECOMMUNICATION SERVICE TESTING CP-8 (5)
CP-09 INFORMATION SYSTEM BACKUP • CP-09
P1 LOW CP-9 (1) TESTING FOR RELIABILITY / INTEGRITY • CP-9 (1)
CP-9 (2) TEST RESTORATION USING SAMPLING • CP-9 (2)
CP-9 (3) SEPARATE STORAGE FOR CRITICAL INFORMATION • CP-9 (3)
CP-9 (4) PROTECTION FROM UNAUTHORIZED MODIFICATION • CP-9 (4)
CP-9 (5) TRANSFER TO ALTERNATE STORAGE SITE • CP-9 (5)
CP-9 (6) REDUNDANT SECONDARY SYSTEM • CP-9 (6)
CP-9 (7) DUAL AUTHORIZATION • CP-9 (7)
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION • CP-10
P1 LOW CP-10 (1) CONTINGENCY PLAN TESTING • CP-10 (1)
CP-10 (2) TRANSACTION RECOVERY • CP-10 (2)
CP-10 (3) COMPENSATING SECURITY CONTROLS • CP-10 (3)
CP-10 (4) RESTORE WITHIN TIME PERIOD • CP-10 (4)
CP-10 (5) FAILOVER CAPABILITY • CP-10 (5)
CP-10 (6) COMPONENT PROTECTION • CP-10 (6)
ENHANCEMENTS TABLE Page 8 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS CP-11
P0
CP-12 SAFE MODE CP-12
P0
CP-13 ALTERNATIVE SECURITY MECHANISMS CP-13
P0
IDENTIFICATION AND AUTHENTICATION IDENTIFICATION AND AUTHENTICATION
IA-01 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES IA-01
P1 LOW
IA-02 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) • IA-02
P1 LOW IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS • IA-2 (1)
IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS • IA-2 (2)
IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS • IA-2 (3)
IA-2 (4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS • IA-2 (4)
IA-2 (5) GROUP AUTHENTICATION • IA-2 (5)
IA-2 (6) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE • IA-2 (6)
IA-2 (7) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE • IA-2 (7)
IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT • IA-2 (8)
IA-2 (9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT • IA-2 (9)
IA-2 (10) SINGLE SIGN-ON • IA-2 (10)
IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE • IA-2 (11)
IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS • IA-2 (12)
IA-2 (13) OUT-OF-BAND AUTHENTICATION • IA-2 (13)
IA-03 DEVICE IDENTIFICATION AND AUTHENTICATION • • IA-03
P1 MODERATE IA-3 (1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION • • IA-3 (1)
IA-3 (2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION • • IA-3 (2)
IA-3 (3) DYNAMIC ADDRESS ALLOCATION • • IA-3 (3)
IA-3 (4) DEVICE ATTESTATION • • IA-3 (4)
IA-04 IDENTIFIER MANAGEMENT • IA-04
P1 LOW IA-4 (1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS • IA-4 (1)
IA-4 (2) SUPERVISOR AUTHORIZATION • IA-4 (2)
IA-4 (3) MULTIPLE FORMS OF CERTIFICATION • IA-4 (3)
IA-4 (4) IDENTIFY USER STATUS • IA-4 (4)
IA-4 (5) DYNAMIC MANAGEMENT • IA-4 (5)
IA-4 (6) CROSS-ORGANIZATION MANAGEMENT • IA-4 (6)
IA-4 (7) IN-PERSON REGISTRATION • IA-4 (7)
IA-05 AUTHENTICATOR MANAGEMENT • • IA-05
P1 LOW IA-5 (1) PASSWORD-BASED AUTHENTICATION • • IA-5 (1)
IA-5 (2) PKI-BASED AUTHENTICATION • • IA-5 (2)
IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION • • IA-5 (3)
IA-5 (4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION • • IA-5 (4)
IA-5 (5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY • • IA-5 (5)
IA-5 (6) PROTECTION OF AUTHENTICATORS • • IA-5 (6)
IA-5 (7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS • • IA-5 (7)
ENHANCEMENTS TABLE Page 9 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
P1 LOW IA-5 (8) MULTIPLE INFORMATION SYSTEM ACCOUNTS • • IA-5 (8)
IA-5 (9) CROSS-ORGANIZATION CREDENTIAL MANAGEMENT • • IA-5 (9)
IA-5 (10) DYNAMIC CREDENTIAL ASSOCIATION • • IA-5 (10)
IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION • • IA-5 (11)
IA-5 (12) BIOMETRIC AUTHENTICATION • • IA-5 (12)
IA-5 (13) EXPIRATION OF CACHED AUTHENTICATORS • • IA-5 (13)
IA-5 (14) MANAGING CONTENT OF PKI TRUST STORES • • IA-5 (14)
IA-5 (15) FICAM-APPROVED PRODUCTS AND SERVICES • • IA-5 (15)
IA-06 AUTHENTICATOR FEEDBACK IA-06
P2 LOW
IA-07 CRYPTOGRAPHIC MODULE AUTHENTICATION IA-07
P1 LOW
IA-08 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) IA-08
P1 LOW IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES IA-8 (1)
IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS IA-8 (2)
IA-8 (3) USE OF FICAM-APPROVED PRODUCTS IA-8 (3)
IA-8 (4) USE OF FICAM-ISSUED PROFILES IA-8 (4)
IA-8 (5) ACCEPTANCE OF PIV-I CREDENTIALS IA-8 (5)
IA-09 SERVICE IDENTIFICATION AND AUTHENTICATION IA-09
P0 IA-9 (1) INFORMATION EXCHANGE IA-9 (1)
IA-9 (2) TRANSMISSION OF DECISIONS IA-9 (2)
IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION • • IA-10
P0 • •
IA-11 RE-AUTHENTICATION IA-11
P0
INCIDENT RESPONSE INCIDENT RESPONSE
IR-01 INCIDENT RESPONSE POLICY AND PROCEDURES • IR-01
P1 LOW •
IR-02 INCIDENT RESPONSE TRAINING • IR-02
P2 LOW IR-2 (1) SIMULATED EVENTS • IR-2 (1)
IR-2 (2) AUTOMATED TRAINING ENVIRONMENTS • IR-2 (2)
IR-03 INCIDENT RESPONSE TESTING • IR-03
P2 MODERATE IR-3 (1) AUTOMATED TESTING • IR-3 (1)
IR-3 (2) COORDINATION WITH RELATED PLANS • IR-3 (2)
IR-04 INCIDENT HANDLING • IR-04
P1 LOW IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES • IR-4 (1)
IR-4 (2) DYNAMIC RECONFIGURATION • IR-4 (2)
IR-4 (3) CONTINUITY OF OPERATIONS • IR-4 (3)
IR-4 (4) INFORMATION CORRELATION • IR-4 (4)
IR-4 (5) AUTOMATIC DISABLING OF INFORMATION SYSTEM • IR-4 (5)
IR-4 (6) INSIDER THREATS - SPECIFIC CAPABILITIES • IR-4 (6)
IR-4 (7) INSIDER THREATS - INTRA-ORGANIZATION COORDINATION • IR-4 (7)
ENHANCEMENTS TABLE Page 10 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
IR-04 P1 LOW IR-4 (8) CORRELATION WITH EXTERNAL ORGANIZATIONS • IR-4 (8)
IR-4 (9) DYNAMIC RESPONSE CAPABILITY • IR-4 (9)
IR-4 (10) SUPPLY CHAIN COORDINATION • IR-4 (10)
IR-05 INCIDENT MONITORING • IR-05
P1 LOW IR-5 (1) AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS IR-5 (1)
IR-06 INCIDENT REPORTING • IR-06
P1 LOW IR-6 (1) AUTOMATED REPORTING • IR-6 (1)
IR-6 (2) VULNERABILITIES RELATED TO INCIDENTS • IR-6 (2)
IR-6 (3) COORDINATION WITH SUPPLY CHAIN • IR-6 (3)
IR-07 INCIDENT RESPONSE ASSISTANCE • IR-07
P2 LOW IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT • IR-7 (1)
IR-7 (2) COORDINATION WITH EXTERNAL PROVIDERS • IR-7 (2)
IR-08 INCIDENT RESPONSE PLAN • IR-08
P1 LOW •
IR-09 INFORMATION SPILLAGE RESPONSE • IR-09
P0 IR-9 (1) RESPONSIBLE PERSONNEL • IR-9 (1)
IR-9 (2) TRAINING • IR-9 (2)
IR-9 (3) POST-SPILL OPERATIONS • IR-9 (3)
IR-9 (4) EXPOSURE TO UNAUTHORIZED PERSONNEL • IR-9 (4)
IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM • IR-10
P0 •
MAINTENANCE MAINTENANCE
MA-01 SYSTEM MAINTENANCE POLICY AND PROCEDURES MA-01
P1 LOW
MA-02 CONTROLLED MAINTENANCE MA-02
P2 LOW MA-2 (1) RECORD CONTENT MA-2 (1)
MA-2 (2) AUTOMATED MAINTENANCE ACTIVITIES MA-2 (2)
MA-03 MAINTENANCE TOOLS MA-03
P3 MODERATE MA-3 (1) INSPECT TOOLS MA-3 (1)
MA-3 (2) INSPECT MEDIA MA-3 (2)
MA-3 (3) PREVENT UNAUTHORIZED REMOVAL MA-3 (3)
MA-3 (4) RESTRICTED TOOL USE MA-3 (4)
MA-04 NONLOCAL MAINTENANCE • • MA-04
P2 LOW MA-4 (1) AUDITING AND REVIEW • • MA-4 (1)
MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE • • MA-4 (2)
MA-4 (3) COMPARABLE SECURITY / SANITIZATION • • MA-4 (3)
MA-4 (4) AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS • • MA-4 (4)
MA-4 (5) APPROVALS AND NOTIFICATIONS • • MA-4 (5)
MA-4 (6) CRYPTOGRAPHIC PROTECTION • • MA-4 (6)
MA-4 (7) REMOTE DISCONNECT VERIFICATION • • MA-4 (7)
ENHANCEMENTS TABLE Page 11 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
MA-04 P2 LOW
MA-05 MAINTENANCE PERSONNEL MA-05
P2 LOW MA-5 (1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS MA-5 (1)
MA-5 (2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS MA-5 (2)
MA-5 (3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS MA-5 (3)
MA-5 (4) FOREIGN NATIONALS MA-5 (4)
MA-5 (5) NONSYSTEM-RELATED MAINTENANCE MA-5 (5)
MA-06 TIMELY MAINTENANCE MA-06
P2 MODERATE MA-6 (1) PREVENTIVE MAINTENANCE MA-6 (1)
MA-6 (2) PREDICTIVE MAINTENANCE MA-6 (2)
MA-6 (3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE MA-6 (3)
MEDIA PROTECTION MEDIA PROTECTION
MP-01 MEDIA PROTECTION POLICY AND PROCEDURES MP-01
P1 LOW
MP-02 MEDIA ACCESS MP-02
P1 LOW MP-2 (1) AUTOMATED RESTRICTED ACCESS MP-2 (1)
MP-2 (2) CRYPTOGRAPHIC PROTECTION MP-2 (2)
MP-03 MEDIA MARKING • MP-03
P2 MODERATE •
MP-04 MEDIA STORAGE • MP-04
P1 MODERATE MP-4 (1) CRYPTOGRAPHIC PROTECTION • MP-4 (1)
MP-4 (2) AUTOMATED RESTRICTED ACCESS • MP-4 (2)
MP-05 MEDIA TRANSPORT • MP-05
P1 MODERATE MP-5 (1) PROTECTION OUTSIDE OF CONTROLLED AREAS • MP-5 (1)
MP-5 (2) DOCUMENTATION OF ACTIVITIES • MP-5 (2)
MP-5 (3) CUSTODIANS • MP-5 (3)
MP-5 (4) CRYPTOGRAPHIC PROTECTION • MP-5 (4)
MP-06 MEDIA SANITIZATION MP-06
P1 LOW MP-6 (1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY MP-6 (1)
MP-6 (2) EQUIPMENT TESTING MP-6 (2)
MP-6 (3) NONDESTRUCTIVE TECHNIQUES MP-6 (3)
MP-6 (4) CONTROLLED UNCLASSIFIED INFORMATION MP-6 (4)
MP-6 (5) CLASSIFIED INFORMATION MP-6 (5)
MP-6 (6) MEDIA DESTRUCTION MP-6 (6)
MP-6 (7) DUAL AUTHORIZATION MP-6 (7)
MP-6 (8) REMOTE PURGING / WIPING OF INFORMATION MP-6 (8)
MP-07 MEDIA USE MP-07
P1 LOW MP-7 (1) PROHIBIT USE WITHOUT OWNER MP-7 (1)
MP-7 (2) PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA MP-7 (2)
MP-08 MEDIA DOWNGRADING MP-08
ENHANCEMENTS TABLE Page 12 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
MP-08 P0 MP-8 (1) DOCUMENTATION OF PROCESS MP-8 (1)
MP-8 (2) EQUIPMENT TESTING MP-8 (2)
MP-8 (3) CONTROLLED UNCLASSIFIED INFORMATION MP-8 (3)
MP-8 (4) CLASSIFIED INFORMATION MP-8 (4)
PERSONNEL SECURITY PERSONNEL SECURITY
PS-01 PERSONNEL SECURITY POLICY AND PROCEDURES PS-01
P1 LOW
PS-02 POSITION RISK DESIGNATION PS-02
P1 LOW
PS-03 PERSONNEL SCREENING PS-03
P1 LOW PS-3 (1) CLASSIFIED INFORMATION PS-3 (1)
PS-3 (2) FORMAL INDOCTRINATION PS-3 (2)
PS-3 (3) INFORMATION WITH SPECIAL PROTECTION MEASURES PS-3 (3)
PS-04 PERSONNEL TERMINATION PS-04
P1 LOW PS-4 (1) POST-EMPLOYMENT REQUIREMENTS PS-4 (1)
PS-4 (2) AUTOMATED NOTIFICATION PS-4 (2)
PS-05 PERSONNEL TRANSFER PS-05
P2 LOW
PS-06 ACCESS AGREEMENTS PS-06
P3 LOW PS-6 (1) INFORMATION REQUIRING SPECIAL PROTECTION PS-6 (1)
PS-6 (2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION PS-6 (2)
PS-6 (3) POST-EMPLOYMENT REQUIREMENTS PS-6 (3)
PS-07 THIRD-PARTY PERSONNEL SECURITY PS-07
P1 LOW
PS-08 PERSONNEL SANCTIONS PS-08
P3 LOW
PHYSICAL AND ENVIRONMENTAL PROTECTION PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-01 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES PE-01
P1 LOW
PE-02 PHYSICAL ACCESS AUTHORIZATIONS PE-02
P1 LOW PE-2 (1) ACCESS BY POSITION / ROLE PE-2 (1)
PE-2 (2) TWO FORMS OF IDENTIFICATION PE-2 (2)
PE-2 (3) RESTRICT UNESCORTED ACCESS PE-2 (3)
PE-03 PHYSICAL ACCESS CONTROL PE-03
P1 LOW PE-3 (1) INFORMATION SYSTEM ACCESS PE-3 (1)
PE-3 (2) FACILITY / INFORMATION SYSTEM BOUNDARIES PE-3 (2)
PE-3 (3) CONTINUOUS GUARDS / ALARMS / MONITORING PE-3 (3)
PE-3 (4) LOCKABLE CASINGS PE-3 (4)
PE-3 (5) TAMPER PROTECTION PE-3 (5)
PE-3 (6) FACILITY PENETRATION TESTING PE-3 (6)
ENHANCEMENTS TABLE Page 13 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
PE-04 ACCESS CONTROL FOR TRANSMISSION MEDIUM PE-04
P1 MODERATE
PE-05 ACCESS CONTROL FOR OUTPUT DEVICES PE-05
P2 MODERATE PE-5 (1) ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS PE-5 (1)
PE-5 (2) ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY PE-5 (2)
PE-5 (3) MARKING OUTPUT DEVICES PE-5 (3)
PE-06 MONITORING PHYSICAL ACCESS PE-06
P1 LOW PE-6 (1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT PE-6 (1)
PE-6 (2) AUTOMATED INTRUSION RECOGNITION / RESPONSES PE-6 (2)
PE-6 (3) VIDEO SURVEILLANCE PE-6 (3)
PE-6 (4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS PE-6 (4)
PE-07 VISITOR CONTROL PE-07
PE-08 VISITOR ACCESS RECORDS PE-08
P3 LOW PE-8 (1) AUTOMATED RECORDS MAINTENANCE / REVIEW PE-8 (1)
PE-8 (2) PHYSICAL ACCESS RECORDS PE-8 (2)
PE-09 POWER EQUIPMENT AND CABLING PE-09
P1 MODERATE PE-9 (1) REDUNDANT CABLING PE-9 (1)
PE-9 (2) AUTOMATIC VOLTAGE CONTROLS PE-9 (2)
PE-10 EMERGENCY SHUTOFF PE-10
P1 MODERATE PE-10 (1) ACCIDENTAL / UNAUTHORIZED ACTIVATION PE-10 (1)
PE-11 EMERGENCY POWER PE-11
P1 MODERATE PE-11 (1) LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY PE-11 (1)
PE-11 (2) LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED PE-11 (2)
PE-12 EMERGENCY LIGHTING PE-12
P1 LOW PE-12 (1) ESSENTIAL MISSIONS / BUSINESS FUNCTIONS PE-12 (1)
PE-13 FIRE PROTECTION PE-13
P1 LOW PE-13 (1) DETECTION DEVICES / SYSTEMS PE-13 (1)
PE-13 (2) SUPPRESSION DEVICES / SYSTEMS PE-13 (2)
PE-13 (3) AUTOMATIC FIRE SUPPRESSION PE-13 (3)
PE-13 (4) INSPECTIONS PE-13 (4)
PE-14 TEMPERATURE AND HUMIDITY CONTROLS PE-14
P1 LOW PE-14 (1) AUTOMATIC CONTROLS PE-14 (1)
PE-14 (2) MONITORING WITH ALARMS / NOTIFICATIONS PE-14 (2)
PE-15 WATER DAMAGE PROTECTION PE-15
P1 LOW PE-15 (1) AUTOMATION SUPPORT PE-15 (1)
PE-16 DELIVERY AND REMOVAL PE-16
P2 LOW
ENHANCEMENTS TABLE Page 14 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
PE-17 ALTERNATE WORK SITE PE-17
P2 MODERATE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS PE-18
P3 HIGH PE-18 (1) FACILITY SITE PE-18 (1)
PE-19 INFORMATION LEAKAGE PE-19
P0 PE-19 (1) NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES PE-19 (1)
PE-20 ASSET MONITORING AND TRACKING PE-20
P0
PLANNING PLANNING
PL-01 SECURITY PLANNING POLICY AND PROCEDURES PL-01
P1 LOW
PL-02 SYSTEM SECURITY PLAN PL-02
P1 LOW PL-2 (1) CONCEPT OF OPERATIONS PL-2 (1)
PL-2 (2) FUNCTIONAL ARCHITECTURE PL-2 (2)
PL-2 (3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES PL-2 (3)
PL-03 SYSTEM SECURITY PLAN UPDATE PL-03
PL-04 RULES OF BEHAVIOR PL-04
P2 LOW PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS PL-4 (1)
PL-05 PRIVACY IMPACT ASSESSMENT PL-05
PL-06 SECURITY-RELATED ACTIVITY PLANNING PL-06
PL-07 SECURITY CONCEPT OF OPERATIONS PL-07
P0
PL-08 INFORMATION SECURITY ARCHITECTURE PL-08
P1 MODERATE PL-8 (1) DEFENSE-IN-DEPTH PL-8 (1)
PL-8 (2) SUPPLIER DIVERSITY PL-8 (2)
PL-09 CENTRAL MANAGEMENT PL-09
P0
Program Management Program Management
PM-01 INFORMATION SECURITY PROGRAM PLAN PM-01
PM-02 SENIOR INFORMATION SECURITY OFFICER PM-02
PM-03 INFORMATION SECURITY RESOURCES PM-03
PM-04 PLAN OF ACTION AND MILESTONES PROCESS PM-04
PM-05 INFORMATION SYSTEM INVENTORY • • PM-05
ENHANCEMENTS TABLE Page 15 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
PM-06 INFORMATION SECURITY MEASURES OF PERFORMANCE • PM-06
PM-07 ENTERPRISE ARCHITECTURE PM-07
PM-08 CRITICAL INFRASTRUCTURE PLAN PM-08
PM-09 RISK MANAGEMENT STRATEGY PM-09
PM-10 SECURITY AUTHORIZATION PROCESS PM-10
PM-11 MISSION/BUSINESS PROCESS DEFINITION PM-11
PM-12 INSIDER THREAT PROGRAM PM-12
PM-13 INFORMATION SECURITY WORKFORCE • PM-13
PM-14 TESTING, TRAINING, AND MONITORING • • PM-14
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS PM-15
PM-16 THREAT AWARENESS PROGRAM • • PM-16
RISK ASSESSMENT RISK ASSESSMENT
RA-01 RISK ASSESSMENT POLICY AND PROCEDURES RA-01
P1 LOW
RA-02 SECURITY CATEGORIZATION • RA-02
P1 LOW •
RA-03 RISK ASSESSMENT RA-03
P1 LOW
RA-04 RISK ASSESSMENT UPDATE RA-04
RA-05 VULNERABILITY SCANNING • • • RA-05
P1 LOW RA-5 (1) UPDATE TOOL CAPABILITY • • • RA-5 (1)
RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED • • • RA-5 (2)
RA-5 (3) BREADTH / DEPTH OF COVERAGE • • • RA-5 (3)
RA-5 (4) DISCOVERABLE INFORMATION • • • RA-5 (4)
RA-5 (5) PRIVILEGED ACCESS • • • RA-5 (5)
RA-5 (6) AUTOMATED TREND ANALYSES • • • RA-5 (6)
RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS • • • RA-5 (7)
RA-5 (8) REVIEW HISTORIC AUDIT LOGS • • • RA-5 (8)
RA-5 (9) PENETRATION TESTING AND ANALYSES • • • RA-5 (9)
RA-5 (10) CORRELATE SCANNING INFORMATION • • • RA-5 (10)
RA-06 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY • RA-06
P0 •
SECURITY ASSESSMENT AND AUTHORIZATION SECURITY ASSESSMENT AND AUTHORIZATION
ENHANCEMENTS TABLE Page 16 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
CA-01 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES CA-01
P1 LOW
CA-02 SECURITY ASSESSMENTS • • CA-02
P2 LOW CA-2 (1) INDEPENDENT ASSESSORS • • CA-2 (1)
CA-2 (2) SPECIALIZED ASSESSMENTS • • CA-2 (2)
CA-2 (3) EXTERNAL ORGANIZATIONS • • CA-2 (3)
CA-03 SYSTEM INTERCONNECTIONS • • • • CA-03
P1 LOW CA-3 (1) UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (1)
CA-3 (2) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (2)
CA-3 (3) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (3)
CA-3 (4) CONNECTIONS TO PUBLIC NETWORKS • • • • CA-3 (4)
CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS • • • • CA-3 (5)
CA-04 SECURITY CERTIFICATION CA-04
CA-05 PLAN OF ACTION AND MILESTONES • CA-05
P3 LOW CA-5 (1) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY • CA-5 (1)
CA-06 SECURITY AUTHORIZATION • CA-06
P2 LOW •
CA-07 CONTINUOUS MONITORING • • • • • • • • • • • • • • CA-07
P2 LOW CA-7 (1) INDEPENDENT ASSESSMENT • • • • • • • • • • • • • • CA-7 (1)
CA-7 (2) TYPES OF ASSESSMENTS • • • • • • • • • • • • • • CA-7 (2)
CA-7 (3) TREND ANALYSES • • • • • • • • • • • • • • CA-7 (3)
CA-08 PENETRATION TESTING • CA-08
P2 HIGH CA-8 (1) INDEPENDENT PENETRATION AGENT OR TEAM • CA-8 (1)
CA-8 (2) RED TEAM EXERCISES • CA-8 (2)
CA-09 INTERNAL SYSTEM CONNECTIONS • • • • • CA-09
P2 LOW CA-9 (1) SECURITY COMPLIANCE CHECKS • • • • • CA-9 (1)
SYSTEM AND COMMUNICATIONS PROTECTION SYSTEM AND COMMUNICATIONS PROTECTION
SC-01 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES SC-01
P1 LOW
SC-02 APPLICATION PARTITIONING SC-02
P1 MODERATE SC-2 (1) INTERFACES FOR NON-PRIVILEGED USERS SC-2 (1)
SC-03 SECURITY FUNCTION ISOLATION SC-03
P1 HIGH SC-3 (1) HARDWARE SEPARATION SC-3 (1)
SC-3 (2) ACCESS / FLOW CONTROL FUNCTIONS SC-3 (2)
SC-3 (3) MINIMIZE NONSECURITY FUNCTIONALITY SC-3 (3)
SC-3 (4) MODULE COUPLING AND COHESIVENESS SC-3 (4)
SC-3 (5) LAYERED STRUCTURES SC-3 (5)
SC-04 INFORMATION IN SHARED RESOURCES SC-04
ENHANCEMENTS TABLE Page 17 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SC-04 P1 MODERATE SC-4 (1) SECURITY LEVELS SC-4 (1)
SC-4 (2) PERIODS PROCESSING SC-4 (2)
SC-05 DENIAL OF SERVICE PROTECTION SC-05
P1 LOW SC-5 (1) RESTRICT INTERNAL USERS SC-5 (1)
SC-5 (2) EXCESS CAPACITY / BANDWIDTH / REDUNDANCY SC-5 (2)
SC-5 (3) DETECTION / MONITORING SC-5 (3)
SC-06 RESOURCE AVAILABILITY SC-06
P0
SC-07 BOUNDARY PROTECTION • SC-07
P1 LOW SC-7 (1) PHYSICALLY SEPARATED SUBNETWORKS • SC-7 (1)
SC-7 (2) PUBLIC ACCESS • SC-7 (2)
SC-7 (3) ACCESS POINTS • SC-7 (3)
SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES • SC-7 (4)
SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION • SC-7 (5)
SC-7 (6) RESPONSE TO RECOGNIZED FAILURES • SC-7 (6)
SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES • SC-7 (7)
SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS • SC-7 (8)
SC-7 (9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC • SC-7 (9)
SC-7 (10) PREVENT UNAUTHORIZED EXFILTRATION • SC-7 (10)
SC-7 (11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC • SC-7 (11)
SC-7 (12) HOST-BASED PROTECTION • SC-7 (12)
SC-7 (13) ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS • SC-7 (13)
SC-7 (14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS • SC-7 (14)
SC-7 (15) ROUTE PRIVILEGED NETWORK ACCESSES • SC-7 (15)
SC-7 (16) PREVENT DISCOVERY OF COMPONENTS / DEVICES • SC-7 (16)
SC-7 (17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS • SC-7 (17)
SC-7 (18) FAIL SECURE • SC-7 (18)
SC-7 (19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS • SC-7 (19)
SC-7 (20) DYNAMIC ISOLATION / SEGREGATION • SC-7 (20)
SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS • SC-7 (21)
SC-7 (22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS • SC-7 (22)
SC-7 (23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE • SC-7 (23)
SC-08 TRANSMISSION CONFIDENTIALITY AND INTEGRITY • • • SC-08
P1 MODERATE SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION • • • SC-8 (1)
SC-8 (2) PRE / POST TRANSMISSION HANDLING • • • SC-8 (2)
SC-8 (3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS • • • SC-8 (3)
SC-8 (4) CONCEAL / RANDOMIZE COMMUNICATIONS • • • SC-8 (4)
SC-09 TRANSMISSION CONFIDENTIALITY SC-09
SC-10 NETWORK DISCONNECT SC-10
P2 MODERATE
SC-11 TRUSTED PATH SC-11
P0 SC-11 (1) LOGICAL ISOLATION SC-11 (1)
ENHANCEMENTS TABLE Page 18 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT SC-12
P1 LOW SC-12 (1) AVAILABILITY SC-12 (1)
SC-12 (2) SYMMETRIC KEYS SC-12 (2)
SC-12 (3) ASYMMETRIC KEYS SC-12 (3)
SC-12 (4) PKI CERTIFICATES SC-12 (4)
SC-12 (5) PKI CERTIFICATES / HARDWARE TOKENS SC-12 (5)
SC-13 CRYPTOGRAPHIC PROTECTION SC-13
P1 LOW SC-13 (1) FIPS-VALIDATED CRYPTOGRAPHY SC-13 (1)
SC-13 (2) NSA-APPROVED CRYPTOGRAPHY SC-13 (2)
SC-13 (3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS SC-13 (3)
SC-13 (4) DIGITAL SIGNATURES SC-13 (4)
SC-14 PUBLIC ACCESS PROTECTIONS SC-14
SC-15 COLLABORATIVE COMPUTING DEVICES • SC-15
P1 LOW SC-15 (1) PHYSICAL DISCONNECT • SC-15 (1)
SC-15 (2) BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC • SC-15 (2)
SC-15 (3) DISABLING / REMOVAL IN SECURE WORK AREAS • SC-15 (3)
SC-15 (4) EXPLICITLY INDICATE CURRENT PARTICIPANTS • SC-15 (4)
SC-16 TRANSMISSION OF SECURITY ATTRIBUTES • SC-16
P0 SC-16 (1) INTEGRITY VALIDATION • SC-16 (1)
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES • • SC-17
P1 MODERATE • •
SC-18 MOBILE CODE • SC-18
P2 MODERATE SC-18 (1) IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS • SC-18 (1)
SC-18 (2) ACQUISITION / DEVELOPMENT / USE • SC-18 (2)
SC-18 (3) PREVENT DOWNLOADING / EXECUTION • SC-18 (3)
SC-18 (4) PREVENT AUTOMATIC EXECUTION • SC-18 (4)
SC-18 (5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS • SC-18 (5)
SC-19 VOICE OVER INTERNET PROTOCOL SC-19
P1 MODERATE
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) • • SC-20
P1 LOW SC-20 (1) CHILD SUBSPACES • • SC-20 (1)
SC-20 (2) DATA ORIGIN / INTEGRITY • • SC-20 (2)
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) • • SC-21
P1 LOW SC-21 (1) DATA ORIGIN / INTEGRITY • • SC-21 (1)
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE • • SC-22
P1 LOW • •
SC-23 SESSION AUTHENTICITY • SC-23
P1 MODERATE SC-23 (1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT • SC-23 (1)
SC-23 (2) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS • SC-23 (2)
SC-23 (3) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION • SC-23 (3)
ENHANCEMENTS TABLE Page 19 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SC-23 P1 MODERATE SC-23 (4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION • SC-23 (4)
SC-23 (5) ALLOWED CERTIFICATE AUTHORITIES • SC-23 (5)
SC-24 FAIL IN KNOWN STATE • SC-24
P1 HIGH •
SC-25 THIN NODES SC-25
P0
SC-26 HONEYPOTS SC-26
P0 SC-26 (1) DETECTION OF MALICIOUS CODE SC-26 (1)
SC-27 PLATFORM-INDEPENDENT APPLICATIONS SC-27
P0
SC-28 PROTECTION OF INFORMATION AT REST • SC-28
P1 MODERATE SC-28 (1) CRYPTOGRAPHIC PROTECTION • SC-28 (1)
SC-28 (2) OFF-LINE STORAGE • SC-28 (2)
SC-29 HETEROGENEITY SC-29
P0 SC-29 (1) VIRTUALIZATION TECHNIQUES SC-29 (1)
SC-30 CONCEALMENT AND MISDIRECTION SC-30
P0 SC-30 (1) VIRTUALIZATION TECHNIQUES SC-30 (1)
SC-30 (2) RANDOMNESS SC-30 (2)
SC-30 (3) CHANGE PROCESSING / STORAGE LOCATIONS SC-30 (3)
SC-30 (4) MISLEADING INFORMATION SC-30 (4)
SC-30 (5) CONCEALMENT OF SYSTEM COMPONENTS SC-30 (5)
SC-31 COVERT CHANNEL ANALYSIS • SC-31
P0 SC-31 (1) TEST COVERT CHANNELS FOR EXPLOITABILITY • SC-31 (1)
SC-31 (2) MAXIMUM BANDWIDTH • SC-31 (2)
SC-31 (3) MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS • SC-31 (3)
SC-32 INFORMATION SYSTEM PARTITIONING • SC-32
P0 •
SC-33 TRANSMISSION PREPARATION INTEGRITY SC-33
SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS • • • SC-34
P0 SC-34 (1) NO WRITABLE STORAGE • • • SC-34 (1)
SC-34 (2) INTEGRITY PROTECTION / READ-ONLY MEDIA • • • SC-34 (2)
SC-34 (3) HARDWARE-BASED PROTECTION • • • SC-34 (3)
SC-35 HONEYCLIENTS SC-35
P0
SC-36 DISTRIBUTED PROCESSING AND STORAGE SC-36
P0 SC-36 (1) POLLING TECHNIQUES SC-36 (1)
SC-37 OUT-OF-BAND CHANNELS • SC-37
P0 SC-37 (1) ENSURE DELIVERY / TRANSMISSION • SC-37 (1)
ENHANCEMENTS TABLE Page 20 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SC-38 OPERATIONS SECURITY SC-38
P0
SC-39 PROCESS ISOLATION • • SC-39
P1 LOW SC-39 (1) HARDWARE SEPARATION • • SC-39 (1)
SC-39 (2) THREAD ISOLATION • • SC-39 (2)
SC-40 WIRELESS LINK PROTECTION • SC-40
P0 SC-40 (1) ELECTROMAGNETIC INTERFERENCE • SC-40 (1)
SC-40 (2) REDUCE DETECTION POTENTIAL • SC-40 (2)
SC-40 (3) IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION • SC-40 (3)
SC-40 (4) SIGNAL PARAMETER IDENTIFICATION • SC-40 (4)
SC-41 PORT AND I/O DEVICE ACCESS • • SC-41
P0 • •
SC-42 SENSOR CAPABILITY AND DATA SC-42
P0 SC-42 (1) REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES SC-42 (1)
SC-42 (2) AUTHORIZED USE SC-42 (2)
SC-42 (3) PROHIBIT USE OF DEVICES SC-42 (3)
SC-43 USAGE RESTRICTIONS SC-43
P0
SC-44 DETONATION CHAMBERS • SC-44
P0 •
SYSTEM AND INFORMATION INTEGRITY SYSTEM AND INFORMATION INTEGRITY
SI-01 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES SI-01
P1 LOW
SI-02 FLAW REMEDIATION • SI-02
P1 LOW SI-2 (1) CENTRAL MANAGEMENT • SI-2 (1)
SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS • SI-2 (2)
SI-2 (3) TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS • SI-2 (3)
SI-2 (4) AUTOMATED PATCH MANAGEMENT TOOLS • SI-2 (4)
SI-2 (5) AUTOMATIC SOFTWARE / FIRMWARE UPDATES • SI-2 (5)
SI-2 (6) REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE • SI-2 (6)
SI-03 MALICIOUS CODE PROTECTION • SI-03
P1 LOW SI-3 (1) CENTRAL MANAGEMENT • SI-3 (1)
SI-3 (2) AUTOMATIC UPDATES • SI-3 (2)
SI-3 (3) NON-PRIVILEGED USERS • SI-3 (3)
SI-3 (4) UPDATES ONLY BY PRIVILEGED USERS • SI-3 (4)
SI-3 (5) PORTABLE STORAGE DEVICES • SI-3 (5)
SI-3 (6) TESTING / VERIFICATION • SI-3 (6)
SI-3 (7) NONSIGNATURE-BASED DETECTION • SI-3 (7)
SI-3 (8) DETECT UNAUTHORIZED COMMANDS • SI-3 (8)
SI-3 (9) AUTHENTICATE REMOTE COMMANDS • SI-3 (9)
SI-3 (10) MALICIOUS CODE ANALYSIS • SI-3 (10)
SI-04 INFORMATION SYSTEM MONITORING • • • • • • • • • • • • • • SI-04
ENHANCEMENTS TABLE Page 21 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SI-04 P1 LOW SI-4 (1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM • • • • • • • • • • • • • • SI-4 (1)
SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS • • • • • • • • • • • • • • SI-4 (2)
SI-4 (3) AUTOMATED TOOL INTEGRATION • • • • • • • • • • • • • • SI-4 (3)
SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC • • • • • • • • • • • • • • SI-4 (4)
SI-4 (5) SYSTEM-GENERATED ALERTS • • • • • • • • • • • • • • SI-4 (5)
SI-4 (6) RESTRICT NON-PRIVILEGED USERS • • • • • • • • • • • • • • SI-4 (6)
SI-4 (7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS • • • • • • • • • • • • • • SI-4 (7)
SI-4 (8) PROTECTION OF MONITORING INFORMATION • • • • • • • • • • • • • • SI-4 (8)
SI-4 (9) TESTING OF MONITORING TOOLS • • • • • • • • • • • • • • SI-4 (9)
SI-4 (10) VISIBILITY OF ENCRYPTED COMMUNICATIONS • • • • • • • • • • • • • • SI-4 (10)
SI-4 (11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES • • • • • • • • • • • • • • SI-4 (11)
SI-4 (12) AUTOMATED ALERTS • • • • • • • • • • • • • • SI-4 (12)
SI-4 (13) ANALYZE TRAFFIC / EVENT PATTERNS • • • • • • • • • • • • • • SI-4 (13)
SI-4 (14) WIRELESS INTRUSION DETECTION • • • • • • • • • • • • • • SI-4 (14)
SI-4 (15) WIRELESS TO WIRELINE COMMUNICATIONS • • • • • • • • • • • • • • SI-4 (15)
SI-4 (16) CORRELATE MONITORING INFORMATION • • • • • • • • • • • • • • SI-4 (16)
SI-4 (17) INTEGRATED SITUATIONAL AWARENESS • • • • • • • • • • • • • • SI-4 (17)
SI-4 (18) ANALYZE TRAFFIC / COVERT EXFILTRATION • • • • • • • • • • • • • • SI-4 (18)
SI-4 (19) INDIVIDUALS POSING GREATER RISK • • • • • • • • • • • • • • SI-4 (19)
SI-4 (20) PRIVILEGED USER • • • • • • • • • • • • • • SI-4 (20)
SI-4 (21) PROBATIONARY PERIODS • • • • • • • • • • • • • • SI-4 (21)
SI-4 (22) UNAUTHORIZED NETWORK SERVICES • • • • • • • • • • • • • • SI-4 (22)
SI-4 (23) HOST-BASED DEVICES • • • • • • • • • • • • • • SI-4 (23)
SI-4 (24) INDICATORS OF COMPROMISE • • • • • • • • • • • • • • SI-4 (24)
SI-05 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES SI-05
P1 LOW SI-5 (1) AUTOMATED ALERTS AND ADVISORIES SI-5 (1)
SI-06 SECURITY FUNCTION VERIFICATION • SI-06
P1 HIGH SI-6 (1) NOTIFICATION OF FAILED SECURITY TESTS SI-6 (1)
SI-6 (2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING SI-6 (2)
SI-6 (3) REPORT VERIFICATION RESULTS SI-6 (3)
SI-07 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY • SI-07
P1 MODERATE SI-7 (1) INTEGRITY CHECKS • SI-7 (1)
SI-7 (2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS • SI-7 (2)
SI-7 (3) CENTRALLY-MANAGED INTEGRITY TOOLS • SI-7 (3)
SI-7 (4) TAMPER-EVIDENT PACKAGING • SI-7 (4)
SI-7 (5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS • SI-7 (5)
SI-7 (6) CRYPTOGRAPHIC PROTECTION • SI-7 (6)
SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE • SI-7 (7)
SI-7 (8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS • SI-7 (8)
SI-7 (9) VERIFY BOOT PROCESS • SI-7 (9)
SI-7 (10) PROTECTION OF BOOT FIRMWARE • SI-7 (10)
SI-7 (11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES • SI-7 (11)
SI-7 (12) INTEGRITY VERIFICATION • SI-7 (12)
SI-7 (13) CODE EXECUTION IN PROTECTED ENVIRONMENTS • SI-7 (13)
SI-7 (14) BINARY OR MACHINE EXECUTABLE CODE • SI-7 (14)
ENHANCEMENTS TABLE Page 22 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SI-07 P1 MODERATE SI-7 (15) CODE AUTHENTICATION • SI-7 (15)
SI-7 (16) TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION • SI-7 (16)
SI-08 SPAM PROTECTION • SI-08
P2 MODERATE SI-8 (1) CENTRAL MANAGEMENT • SI-8 (1)
SI-8 (2) AUTOMATIC UPDATES • SI-8 (2)
SI-8 (3) CONTINUOUS LEARNING CAPABILITY • SI-8 (3)
SI-09 INFORMATION INPUT RESTRICTIONS SI-09
SI-10 INFORMATION INPUT VALIDATION • SI-10
P1 MODERATE SI-10 (1) MANUAL OVERRIDE CAPABILITY • SI-10 (1)
SI-10 (2) REVIEW / RESOLUTION OF ERRORS • SI-10 (2)
SI-10 (3) PREDICTABLE BEHAVIOR • SI-10 (3)
SI-10 (4) REVIEW / TIMING INTERACTIONS • SI-10 (4)
SI-10 (5) RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS • SI-10 (5)
SI-11 ERROR HANDLING • SI-11
P2 MODERATE •
SI-12 INFORMATION HANDLING AND RETENTION SI-12
P2 LOW
SI-13 PREDICTABLE FAILURE PREVENTION SI-13
P0 SI-13 (1) TRANSFERRING COMPONENT RESPONSIBILITIES SI-13 (1)
SI-13 (2) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION SI-13 (2)
SI-13 (3) MANUAL TRANSFER BETWEEN COMPONENTS SI-13 (3)
SI-13 (4) STANDBY COMPONENT INSTALLATION / NOTIFICATION SI-13 (4)
SI-13 (5) FAILOVER CAPABILITY SI-13 (5)
SI-14 NON-PERSISTENCE SI-14
P0 SI-14 (1) REFRESH FROM TRUSTED SOURCES SI-14 (1)
SI-15 INFORMATION OUTPUT FILTERING • SI-15
P0 •
SI-16 MEMORY PROTECTION • SI-16
P1 MODERATE •
SI-17 FAIL-SAFE PROCEDURES SI-17
P0
SYSTEM AND SERVICES ACQUISITION SYSTEM AND SERVICES ACQUISITION
SA-01 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES SA-01
P1 LOW
SA-02 ALLOCATION OF RESOURCES SA-02
P1 LOW
SA-03 SYSTEM DEVELOPMENT LIFE CYCLE • SA-03
P1 LOW •
SA-04 ACQUISITION PROCESS • • • SA-04
P1 LOW SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS • • • SA-4 (1)
SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS • • • SA-4 (2)
ENHANCEMENTS TABLE Page 23 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SA-04 P1 LOW SA-4 (3) DEVELOPMENT METHODS / TECHNIQUES / PRACTICES • • • SA-4 (3)
SA-4 (4) ASSIGNMENT OF COMPONENTS TO SYSTEMS • • • SA-4 (4)
SA-4 (5) SYSTEM / COMPONENT / SERVICE CONFIGURATIONS • • • SA-4 (5)
SA-4 (6) USE OF INFORMATION ASSURANCE PRODUCTS • • • SA-4 (6)
SA-4 (7) NIAP-APPROVED PROTECTION PROFILES • • • SA-4 (7)
SA-4 (8) CONTINUOUS MONITORING PLAN • • • SA-4 (8)
SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE • • • SA-4 (9)
SA-4 (10) USE OF APPROVED PIV PRODUCTS • • • SA-4 (10)
SA-05 INFORMATION SYSTEM DOCUMENTATION SA-05
P2 LOW SA-5 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS SA-5 (1)
SA-5 (2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES SA-5 (2)
SA-5 (3) HIGH-LEVEL DESIGN SA-5 (3)
SA-5 (4) LOW-LEVEL DESIGN SA-5 (4)
SA-5 (5) SOURCE CODE SA-5 (5)
SA-06 SOFTWARE USAGE RESTRICTIONS SA-06
SA-07 USER-INSTALLED SOFTWARE SA-07
SA-08 SECURITY ENGINEERING PRINCIPLES • SA-08
P1 MODERATE •
SA-09 EXTERNAL INFORMATION SYSTEM SERVICES • SA-09
P1 LOW SA-9 (1) RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS • SA-9 (1)
SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES • SA-9 (2)
SA-9 (3) ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS • SA-9 (3)
SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS • SA-9 (4)
SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION • SA-9 (5)
SA-10 DEVELOPER CONFIGURATION MANAGEMENT • SA-10
P1 MODERATE SA-10 (1) SOFTWARE / FIRMWARE INTEGRITY VERIFICATION • SA-10 (1)
SA-10 (2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES • SA-10 (2)
SA-10 (3) HARDWARE INTEGRITY VERIFICATION • SA-10 (3)
SA-10 (4) TRUSTED GENERATION • SA-10 (4)
SA-10 (5) MAPPING INTEGRITY FOR VERSION CONTROL • SA-10 (5)
SA-10 (6) TRUSTED DISTRIBUTION • SA-10 (6)
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION • • SA-11
P1 MODERATE SA-11 (1) STATIC CODE ANALYSIS • • SA-11 (1)
SA-11 (2) THREAT AND VULNERABILITY ANALYSES • • SA-11 (2)
SA-11 (3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE • • SA-11 (3)
SA-11 (4) MANUAL CODE REVIEWS • • SA-11 (4)
SA-11 (5) PENETRATION TESTING / ANALYSIS • • SA-11 (5)
SA-11 (6) ATTACK SURFACE REVIEWS • • SA-11 (6)
SA-11 (7) VERIFY SCOPE OF TESTING / EVALUATION • • SA-11 (7)
SA-11 (8) DYNAMIC CODE ANALYSIS • • SA-11 (8)
SA-12 SUPPLY CHAIN PROTECTION SA-12
ENHANCEMENTS TABLE Page 24 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SA-12 P1 HIGH SA-12 (1) ACQUISITION STRATEGIES / TOOLS / METHODS SA-12 (1)
SA-12 (2) SUPPLIER REVIEWS SA-12 (2)
SA-12 (3) TRUSTED SHIPPING AND WAREHOUSING SA-12 (3)
SA-12 (4) DIVERSITY OF SUPPLIERS SA-12 (4)
SA-12 (5) LIMITATION OF HARM SA-12 (5)
SA-12 (6) MINIMIZING PROCUREMENT TIME SA-12 (6)
SA-12 (7) ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE SA-12 (7)
SA-12 (8) USE OF ALL-SOURCE INTELLIGENCE SA-12 (8)
SA-12 (9) OPERATIONS SECURITY SA-12 (9)
SA-12 (10) VALIDATE AS GENUINE AND NOT ALTERED SA-12 (10)
SA-12 (11) PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS SA-12 (11)
SA-12 (12) INTER-ORGANIZATIONAL AGREEMENTS SA-12 (12)
SA-12 (13) CRITICAL INFORMATION SYSTEM COMPONENTS SA-12 (13)
SA-12 (14) IDENTITY AND TRACEABILITY SA-12 (14)
SA-12 (15) PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES SA-12 (15)
SA-13 TRUSTWORTHINESS • SA-13
P0 •
SA-14 CRITICALITY ANALYSIS SA-14
P0 SA-14 (1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING SA-14 (1)
SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS • SA-15
P2 HIGH SA-15 (1) QUALITY METRICS • SA-15 (1)
SA-15 (2) SECURITY TRACKING TOOLS • SA-15 (2)
SA-15 (3) CRITICALITY ANALYSIS • SA-15 (3)
SA-15 (4) THREAT MODELING / VULNERABILITY ANALYSIS • SA-15 (4)
SA-15 (5) ATTACK SURFACE REDUCTION • SA-15 (5)
SA-15 (6) CONTINUOUS IMPROVEMENT • SA-15 (6)
SA-15 (7) AUTOMATED VULNERABILITY ANALYSIS • SA-15 (7)
SA-15 (8) REUSE OF THREAT / VULNERABILITY INFORMATION • SA-15 (8)
SA-15 (9) USE OF LIVE DATA • SA-15 (9)
SA-15 (10) INCIDENT RESPONSE PLAN • SA-15 (10)
SA-15 (11) ARCHIVE INFORMATION SYSTEM / COMPONENT • SA-15 (11)
SA-16 DEVELOPER-PROVIDED TRAINING • • SA-16
P2 HIGH • •
SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN • • SA-17
P1 HIGH SA-17 (1) FORMAL POLICY MODEL • • SA-17 (1)
SA-17 (2) SECURITY-RELEVANT COMPONENTS • • SA-17 (2)
SA-17 (3) FORMAL CORRESPONDENCE • • SA-17 (3)
SA-17 (4) INFORMAL CORRESPONDENCE • • SA-17 (4)
SA-17 (5) CONCEPTUALLY SIMPLE DESIGN • • SA-17 (5)
SA-17 (6) STRUCTURE FOR TESTING • • SA-17 (6)
SA-17 (7) STRUCTURE FOR LEAST PRIVILEGE • • SA-17 (7)
SA-18 TAMPER RESISTANCE AND DETECTION • SA-18
P0 SA-18 (1) MULTIPLE PHASES OF SDLC • SA-18 (1)
SA-18 (2) INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES • SA-18 (2)
ENHANCEMENTS TABLE Page 25 of 26
Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Cou
nt
SA-18 P0
SA-19 COMPONENT AUTHENTICITY SA-19
P0 SA-19 (1) ANTI-COUNTERFEIT TRAINING SA-19 (1)
SA-19 (2) CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR SA-19 (2)
SA-19 (3) COMPONENT DISPOSAL SA-19 (3)
SA-19 (4) ANTI-COUNTERFEIT SCANNING SA-19 (4)
SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS • SA-20
P0 •
SA-21 DEVELOPER SCREENING • SA-21
P0 SA-21 (1) VALIDATION OF SCREENING • SA-21 (1)
SA-22 UNSUPPORTED SYSTEM COMPONENTS SA-22
P0 SA-22 (1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT SA-22 (1)
ENHANCEMENTS TABLE Page 26 of 26