(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landscape) 20140804

Map The Council on CyberSecurity's Critical Security Controls (CSC) v5.0 to NIST SP 800 53 Revision 4 (landscape)

Published in: Government & Nonprofit
MAP CSC 5.0 to NIST SP 800-53 Revision 4 Security Controls
CONTROL TABLE LANDSCAPE

CSC columns (column headings as they appear in the table; several are cut short in the source):
  01: Inventory of Authorized and Unauthorized
  02: Inventory of Authorized and Unauthorized
  03: Secure Configurations
  04: Continuous Vulnerabil
  05: Ma
  06: Application Software Security
  07: Wireless Access Control
  08: Data Recovery Capability
  09: Security Skil
  10: Se
  11: Limitation and Control of Network Ports, P
  12: Controlled Use of Administrative Privilege
  13: Boundary Defense
  14: Maintenance
  15: Co
  16: Account Monitoring and Control
  17: Data Protection
  18: Incident Res
  19: Se
  20: Pe

Mappings per CSC column (total 203):
  01: 7   02: 10  03: 16  04: 6   05: 6   06: 15  07: 10  08: 3   09: 9   10: 12
  11: 11  12: 9   13: 11  14: 17  15: 10  16: 11  17: 13  18: 9   19: 9   20: 9

Table columns: FAMILY, CTRL-ID, CTRL-TITLE, PRI, BASELINE-IMPACT, ENHANCE-ID, ENHANCEMENT-TITLE, Len, CSC 1 to 20, FAMILY, CTRL-ID (ENH), Count.

Each row below gives CTRL-ID, CTRL-TITLE, the number printed after the title in the table, and one • for each CSC column the control maps to (the CSC column position of each • is not preserved in this text rendering). The number after a family name is likewise carried over from the table as printed.

ACCESS CONTROL  9
  AC-01  ACCESS CONTROL POLICY AND PROCEDURES  23  •
  AC-02  ACCOUNT MANAGEMENT  49  • • •
  AC-03  ACCESS ENFORCEMENT  26  • • •
  AC-04  INFORMATION FLOW ENFORCEMENT  26  • • • • •
  AC-05  SEPARATION OF DUTIES  20
  AC-06  LEAST PRIVILEGE  55  • •
  AC-07  UNSUCCESSFUL LOGON ATTEMPTS  34  •
  AC-08  SYSTEM USE NOTIFICATION  41
  AC-09  PREVIOUS LOGON (ACCESS) NOTIFICATION  40
  AC-10  CONCURRENT SESSION CONTROL  17
  AC-11  SESSION LOCK  2  •
  AC-12  SESSION TERMINATION  2  •
  AC-13  SUPERVISION AND REVIEW - ACCESS CONTROL  63
  AC-14  PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION  2
  AC-15  AUTOMATED MARKING  24
  AC-16  SECURITY ATTRIBUTES  58
  AC-17  REMOTE ACCESS  67  • •
  AC-18  WIRELESS ACCESS  44  •
  AC-19  ACCESS CONTROL FOR MOBILE DEVICES  57  • •
  AC-20  USE OF EXTERNAL INFORMATION SYSTEMS  33  •
  AC-21  INFORMATION SHARING  41
  AC-22  PUBLICLY ACCESSIBLE CONTENT  27
  AC-23  DATA MINING PROTECTION  29  • •
  AC-24  ACCESS CONTROL DECISIONS  36  •
  AC-25  REFERENCE MONITOR

AUDIT AND ACCOUNTABILITY  9
  AU-01  AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES  32
  AU-02  AUDIT EVENTS  22  •
  AU-03  CONTENT OF AUDIT RECORDS  63  •
  AU-04  AUDIT STORAGE CAPACITY  51  •
  AU-05  RESPONSE TO AUDIT PROCESSING FAILURES  24  •
  AU-06  AUDIT REVIEW, ANALYSIS, AND REPORTING  27  •
  AU-07  AUDIT REDUCTION AND REPORT GENERATION  24  •
  AU-08  TIME STAMPS  42  •
  AU-09  PROTECTION OF AUDIT INFORMATION  35  •
  AU-10  NON-REPUDIATION  42  •
  AU-11  AUDIT RECORD RETENTION  2  •
  AU-12  AUDIT GENERATION  62  •
  AU-13  MONITORING FOR INFORMATION DISCLOSURE  2  •
  AU-14  SESSION AUDIT  25  •
  AU-15  ALTERNATE AUDIT CAPABILITY  46
  AU-16  CROSS-ORGANIZATIONAL AUDITING  21

AWARENESS AND TRAINING  42
  AT-01  SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES  35  •
  AT-02  SECURITY AWARENESS TRAINING  2  •
  AT-03  ROLE-BASED SECURITY TRAINING  35  •
  AT-04  SECURITY TRAINING RECORDS  37  •
  AT-05  CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

CONFIGURATION MANAGEMENT  9
  CM-01  CONFIGURATION MANAGEMENT POLICY AND PROCEDURES  25
  CM-02  BASELINE CONFIGURATION  31  • • • • • •
  CM-03  CONFIGURATION CHANGE CONTROL  2  • •
  CM-04  SECURITY IMPACT ANALYSIS  26
  CM-05  ACCESS RESTRICTIONS FOR CHANGE  2  • •
  CM-06  CONFIGURATION SETTINGS  24  • • •
  CM-07  LEAST FUNCTIONALITY  44  •
  CM-08  INFORMATION SYSTEM COMPONENT INVENTORY  78  • • • • •
  CM-09  CONFIGURATION MANAGEMENT PLAN  35  •
  CM-10  SOFTWARE USAGE RESTRICTIONS  25  •
  CM-11  USER-INSTALLED SOFTWARE  32  • •

CONTINGENCY PLANNING  39
  CP-01  CONTINGENCY PLANNING POLICY AND PROCEDURES  37
  CP-02  CONTINGENCY PLAN  2
  CP-03  CONTINGENCY TRAINING  29
  CP-04  CONTINGENCY PLAN TESTING  53
  CP-05  CONTINGENCY PLAN UPDATE  48
  CP-06  ALTERNATE STORAGE SITE  32
  CP-07  ALTERNATE PROCESSING SITE  56
  CP-08  TELECOMMUNICATIONS SERVICES  25
  CP-09  INFORMATION SYSTEM BACKUP  2  •
  CP-10  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION  38  •
  CP-11  ALTERNATE COMMUNICATIONS PROTOCOLS  2
  CP-12  SAFE MODE  48
  CP-13  ALTERNATIVE SECURITY MECHANISMS  27

IDENTIFICATION AND AUTHENTICATION  43
  IA-01  IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES  2
  IA-02  IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)  50  •
  IA-03  DEVICE IDENTIFICATION AND AUTHENTICATION  51  • •
  IA-04  IDENTIFIER MANAGEMENT  29  •
  IA-05  AUTHENTICATOR MANAGEMENT  33  • •
  IA-06  AUTHENTICATOR FEEDBACK  2
  IA-07  CRYPTOGRAPHIC MODULE AUTHENTICATION  62
  IA-08  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)  34
  IA-09  SERVICE IDENTIFICATION AND AUTHENTICATION  28
  IA-10  ADAPTIVE IDENTIFICATION AND AUTHENTICATION  2  • •
  IA-11  RE-AUTHENTICATION  44

INCIDENT RESPONSE  62
  IR-01  INCIDENT RESPONSE POLICY AND PROCEDURES  47  •
  IR-02  INCIDENT RESPONSE TRAINING  53  •
  IR-03  INCIDENT RESPONSE TESTING  44  •
  IR-04  INCIDENT HANDLING  45  •
  IR-05  INCIDENT MONITORING  2  •
  IR-06  INCIDENT REPORTING  33  •
  IR-07  INCIDENT RESPONSE ASSISTANCE  6  •
  IR-08  INCIDENT RESPONSE PLAN  9  •
  IR-09  INFORMATION SPILLAGE RESPONSE  31  •
  IR-10  INTEGRATED INFORMATION SECURITY ANALYSIS TEAM  2  •

MAINTENANCE  31
  MA-01  SYSTEM MAINTENANCE POLICY AND PROCEDURES  32
  MA-02  CONTROLLED MAINTENANCE  49
  MA-03  MAINTENANCE TOOLS  35
  MA-04  NONLOCAL MAINTENANCE  23  • •
  MA-05  MAINTENANCE PERSONNEL  27
  MA-06  TIMELY MAINTENANCE  2

MEDIA PROTECTION  9
  MP-01  MEDIA PROTECTION POLICY AND PROCEDURES  27
  MP-02  MEDIA ACCESS  40
  MP-03  MEDIA MARKING  21  •
  MP-04  MEDIA STORAGE  27  •
  MP-05  MEDIA TRANSPORT  37  •
  MP-06  MEDIA SANITIZATION  2
  MP-07  MEDIA USE  30
  MP-08  MEDIA DOWNGRADING  16

PERSONNEL SECURITY  18
  PS-01  PERSONNEL SECURITY POLICY AND PROCEDURES  14
  PS-02  POSITION RISK DESIGNATION  44
  PS-03  PERSONNEL SCREENING  2
  PS-04  PERSONNEL TERMINATION  32
  PS-05  PERSONNEL TRANSFER  25
  PS-06  ACCESS AGREEMENTS  43
  PS-07  THIRD-PARTY PERSONNEL SECURITY  2
  PS-08  PERSONNEL SANCTIONS  41

PHYSICAL AND ENVIRONMENTAL PROTECTION  22
  PE-01  PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES  36
  PE-02  PHYSICAL ACCESS AUTHORIZATIONS  43
  PE-03  PHYSICAL ACCESS CONTROL  64
  PE-04  ACCESS CONTROL FOR TRANSMISSION MEDIUM  40
  PE-05  ACCESS CONTROL FOR OUTPUT DEVICES  47
  PE-06  MONITORING PHYSICAL ACCESS  43
  PE-07  VISITOR CONTROL  2
  PE-08  VISITOR ACCESS RECORDS  56
  PE-09  POWER EQUIPMENT AND CABLING  2
  PE-10  EMERGENCY SHUTOFF  53
  PE-11  EMERGENCY POWER  32
  PE-12  EMERGENCY LIGHTING  22
  PE-13  FIRE PROTECTION  20
  PE-14  TEMPERATURE AND HUMIDITY CONTROLS  2
  PE-15  WATER DAMAGE PROTECTION  35
  PE-16  DELIVERY AND REMOVAL  38
  PE-17  ALTERNATE WORK SITE  47
  PE-18  LOCATION OF INFORMATION SYSTEM COMPONENTS  28
  PE-19  INFORMATION LEAKAGE  25
  PE-20  ASSET MONITORING AND TRACKING  14

PLANNING  2
  PL-01  SECURITY PLANNING POLICY AND PROCEDURES  24
  PL-02  SYSTEM SECURITY PLAN  2
  PL-03  SYSTEM SECURITY PLAN UPDATE  44
  PL-04  RULES OF BEHAVIOR  25
  PL-05  PRIVACY IMPACT ASSESSMENT  60
  PL-06  SECURITY-RELATED ACTIVITY PLANNING  32
  PL-07  SECURITY CONCEPT OF OPERATIONS  22
  PL-08  INFORMATION SECURITY ARCHITECTURE  2
  PL-09  CENTRAL MANAGEMENT  4

PROGRAM MANAGEMENT  38
  PM-01  INFORMATION SECURITY PROGRAM PLAN  36
  PM-02  SENIOR INFORMATION SECURITY OFFICER  2
  PM-03  INFORMATION SECURITY RESOURCES  6
  PM-04  PLAN OF ACTION AND MILESTONES PROCESS  18
  PM-05  INFORMATION SYSTEM INVENTORY  4  • •
  PM-06  INFORMATION SECURITY MEASURES OF PERFORMANCE  4  •
  PM-07  ENTERPRISE ARCHITECTURE  4
  PM-08  CRITICAL INFRASTRUCTURE PLAN  4
  PM-09  RISK MANAGEMENT STRATEGY  4
  PM-10  SECURITY AUTHORIZATION PROCESS  4
  PM-11  MISSION/BUSINESS PROCESS DEFINITION  4
  PM-12  INSIDER THREAT PROGRAM  4
  PM-13  INFORMATION SECURITY WORKFORCE  4  •
  PM-14  TESTING, TRAINING, AND MONITORING  4  • •
  PM-15  CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS  4
  PM-16  THREAT AWARENESS PROGRAM  4  • •

RISK ASSESSMENT  38
  RA-01  RISK ASSESSMENT POLICY AND PROCEDURES  4
  RA-02  SECURITY CATEGORIZATION  4  •
  RA-03  RISK ASSESSMENT  4
  RA-04  RISK ASSESSMENT UPDATE  18
  RA-05  VULNERABILITY SCANNING  9  • • •
  RA-06  TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY  23  •

SECURITY ASSESSMENT AND AUTHORIZATION  55
  CA-01  SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES  59
  CA-02  SECURITY ASSESSMENTS  2  • •
  CA-03  SYSTEM INTERCONNECTIONS  • • • •
  CA-04  SECURITY CERTIFICATION  9
  CA-05  PLAN OF ACTION AND MILESTONES  4  •
  CA-06  SECURITY AUTHORIZATION  65  •
  CA-07  CONTINUOUS MONITORING  32  • • • • • • • • • • • • • •
  CA-08  PENETRATION TESTING  40  •
  CA-09  INTERNAL SYSTEM CONNECTIONS  6  • • • • •

SYSTEM AND COMMUNICATIONS PROTECTION  9
  SC-01  SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES  28
  SC-02  APPLICATION PARTITIONING  34
  SC-03  SECURITY FUNCTION ISOLATION  57
  SC-04  INFORMATION IN SHARED RESOURCES  34
  SC-05  DENIAL OF SERVICE PROTECTION  37
  SC-06  RESOURCE AVAILABILITY  19
  SC-07  BOUNDARY PROTECTION  32  •
  SC-08  TRANSMISSION CONFIDENTIALITY AND INTEGRITY  28  • • •
  SC-09  TRANSMISSION CONFIDENTIALITY  28
  SC-10  NETWORK DISCONNECT  25
  SC-11  TRUSTED PATH  31
  SC-12  CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT  61
  SC-13  CRYPTOGRAPHIC PROTECTION  35
  SC-14  PUBLIC ACCESS PROTECTIONS  69
  SC-15  COLLABORATIVE COMPUTING DEVICES  46  •
  SC-16  TRANSMISSION OF SECURITY ATTRIBUTES  31  •
  SC-17  PUBLIC KEY INFRASTRUCTURE CERTIFICATES  25  • •
  SC-18  MOBILE CODE  48  •
  SC-19  VOICE OVER INTERNET PROTOCOL  30
  SC-20  SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)  35  • •
  SC-21  SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)  36  • •
  SC-22  ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE  2  • •
  SC-23  SESSION AUTHENTICITY  38  •
  SC-24  FAIL IN KNOWN STATE  24  •
  SC-25  THIN NODES  2
  SC-26  HONEYPOTS  54
  SC-27  PLATFORM-INDEPENDENT APPLICATIONS  36
  SC-28  PROTECTION OF INFORMATION AT REST  9  •
  SC-29  HETEROGENEITY  32
  SC-30  CONCEALMENT AND MISDIRECTION  42
  SC-31  COVERT CHANNEL ANALYSIS  2  •
  SC-32  INFORMATION SYSTEM PARTITIONING  2  •
  SC-33  TRANSMISSION PREPARATION INTEGRITY  6
  SC-34  NON-MODIFIABLE EXECUTABLE PROGRAMS  47  • • •
  SC-35  HONEYCLIENTS  39
  SC-36  DISTRIBUTED PROCESSING AND STORAGE  52
  SC-37  OUT-OF-BAND CHANNELS  49  •
  SC-38  OPERATIONS SECURITY  59
  SC-39  PROCESS ISOLATION  50  • •
  SC-40  WIRELESS LINK PROTECTION  40  •
  SC-41  PORT AND I/O DEVICE ACCESS  66  • •
  SC-42  SENSOR CAPABILITY AND DATA  54
  SC-43  USAGE RESTRICTIONS  23
  SC-44  DETONATION CHAMBERS  17  •

SYSTEM AND INFORMATION INTEGRITY  51
  SI-01  SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES  28
  SI-02  FLAW REMEDIATION  24  •
  SI-03  MALICIOUS CODE PROTECTION  27  •
  SI-04  INFORMATION SYSTEM MONITORING  2  • • • • • • • • • • • • • •
  SI-05  SECURITY ALERTS, ADVISORIES, AND DIRECTIVES  40
  SI-06  SECURITY FUNCTION VERIFICATION  10  •
  SI-07  SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY  2  •
  SI-08  SPAM PROTECTION  52  •
  SI-09  INFORMATION INPUT RESTRICTIONS  6
  SI-10  INFORMATION INPUT VALIDATION  4  •
  SI-11  ERROR HANDLING  6  •
  SI-12  INFORMATION HANDLING AND RETENTION  31
  SI-13  PREDICTABLE FAILURE PREVENTION  25
  SI-14  NON-PERSISTENCE  25
  SI-15  INFORMATION OUTPUT FILTERING  41  •
  SI-16  MEMORY PROTECTION  59  •
  SI-17  FAIL-SAFE PROCEDURES  2

SYSTEM AND SERVICES ACQUISITION  31
  SA-01  SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES  57
  SA-02  ALLOCATION OF RESOURCES  32
  SA-03  SYSTEM DEVELOPMENT LIFE CYCLE  23  •
  SA-04  ACQUISITION PROCESS  24  • • •
  SA-05  INFORMATION SYSTEM DOCUMENTATION  59
  SA-06  SOFTWARE USAGE RESTRICTIONS  32
  SA-07  USER-INSTALLED SOFTWARE  36
  SA-08  SECURITY ENGINEERING PRINCIPLES  36  •
  SA-09  EXTERNAL INFORMATION SYSTEM SERVICES  2  •
  SA-10  DEVELOPER CONFIGURATION MANAGEMENT  37  •
  SA-11  DEVELOPER SECURITY TESTING AND EVALUATION  37  • •
  SA-12  SUPPLY CHAIN PROTECTION  33
  SA-13  TRUSTWORTHINESS  45  •
  SA-14  CRITICALITY ANALYSIS  27
  SA-15  DEVELOPMENT PROCESS, STANDARDS, AND TOOLS  31  •
  SA-16  DEVELOPER-PROVIDED TRAINING  33  • •
  SA-17  DEVELOPER SECURITY ARCHITECTURE AND DESIGN  38  • •
  SA-18  TAMPER RESISTANCE AND DETECTION  35  •
  SA-19  COMPONENT AUTHENTICITY  54
  SA-20  CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS  33  •
  SA-21  DEVELOPER SCREENING  22  •
  SA-22  UNSUPPORTED SYSTEM COMPONENTS  6
