Critical Security Controls v4.1 Mapped to NIST SP 800-53 Rev. 4 final (r6a)

Published on http://www.CouncilonCyberSecurity.org
Map the Critical Security Controls (CSC) v4.1 to NIST SP 800-53 Rev. 4 final (r6a).

Map the Critical Security Controls v4.1 to NIST SP 800-53 Rev. 4
http://www.counciloncybersecurity.org
Workbook: Critical Security Controls v4 1 Mapped to NIST 800-53 rev4-Final_R6.xlsx (print date 3/1/2014, 12:02 PM). Pages 1-6 of 69 list the mappings sorted by CSC; pages 7-12 (sheet MAP_CSCv4.1_to_800-53r4_SORTCSC) repeat the same 203 rows with a row number, the NIST priority code (PRI) and a CSC cross-reference matrix. The matrix cells (X and S marks and the per-row CNT values) were scattered by extraction and cannot be reattached to their rows, so the table below reproduces only the row number, CSC, control ID, control name and priority.

Mappings per CSC (CNT row of the matrix header, total 203): CSC-01 7, CSC-02 10, CSC-03 16, CSC-04 6, CSC-05 6, CSC-06 15, CSC-07 10, CSC-08 3, CSC-09 9, CSC-10 12, CSC-11 11, CSC-12 9, CSC-13 11, CSC-14 17, CSC-15 10, CSC-16 11, CSC-17 13, CSC-18 9, CSC-19 9, CSC-20 9.

Columns: row number, NIST SP 800-53 Rev. 4 control ID, control name, PRI (-- = priority not legible in the extraction).

CSC-01  Inventory of Authorized & Unauthorized Devices
    1  CA-07  Continuous Monitoring                                   P3
    2  CM-08  Information System Component Inventory                  P1
    3  IA-03  Device Identification and Authentication                P1
    4  SA-04  Acquisition Process                                     P1
    5  SC-17  Public Key Infrastructure Certificates                  P1
    6  SI-04  Information System Monitoring                           P1
    7  PM-05  Information System Inventory                            P1

CSC-02  Inventory of Authorized and Unauthorized Software
    8  CA-07  Continuous Monitoring                                   P3
    9  CM-02  Baseline Configuration                                  P1
   10  CM-08  Information System Component Inventory                  P1
   11  CM-10  Software Usage Restrictions                             P2
   12  CM-11  User-Installed Software                                 P1
   13  SA-04  Acquisition Process                                     P1
   14  SC-18  Mobile Code                                             P2
   15  SC-34  Non-Modifiable Executable Programs                      P0
   16  SI-04  Information System Monitoring                           P1
   17  PM-05  Information System Inventory                            P1

CSC-03  Secure Configurations for Mobile Devices, Workstations, Servers
   18  CA-07  Continuous Monitoring                                   P3
   19  CM-02  Baseline Configuration                                  P1
   20  CM-03  Configuration Change Control                            P1
   21  CM-05  Access Restrictions for Change                          P1
   22  CM-06  Configuration Settings                                  P1
   23  CM-07  Least Functionality                                     P1
   24  CM-08  Information System Component Inventory                  P1
   25  CM-09  Configuration Management Plan                           P1
   26  CM-11  User-Installed Software                                 P1
   27  MA-04  Nonlocal Maintenance                                    P1
   28  RA-05  Vulnerability Scanning                                  P1
   29  SA-04  Acquisition Process                                     P1
   30  SC-15  Collaborative Computing Devices                         P1
   31  SC-34  Non-Modifiable Executable Programs                      P0
   32  SI-02  Flaw Remediation                                        P1
   33  SI-04  Information System Monitoring                           P1

CSC-04  Continuous Vulnerability Assessment and Remediation
   34  CA-02  Security Assessments                                    P2
   35  CA-07  Continuous Monitoring                                   P3
   36  RA-05  Vulnerability Scanning                                  P1
   37  SC-34  Non-Modifiable Executable Programs                      P0
   38  SI-04  Information System Monitoring                           P1
   39  SI-07  Software, Firmware, and Information Integrity           P1

CSC-05  Malware Defenses
   40  CA-07  Continuous Monitoring                                   P3
   41  SC-39  Process Isolation                                       P1
   42  SC-44  Detonation Chambers                                     P0
   43  SI-03  Malicious Code Protection                               P1
   44  SI-04  Information System Monitoring                           P1
   45  SI-08  Spam Protection                                         P2

CSC-06  Application Software Security
   46  RA-05  Vulnerability Scanning                                  P1
   47  SA-03  System Development Life Cycle                           P1
   48  SA-10  Developer Configuration Management                      P1
   49  SA-11  Developer Security Testing and Evaluation               P1
   50  SA-13  Trustworthiness                                         P0
   51  SA-15  Development Process, Standards, and Tools               P2
   52  SA-16  Developer-Provided Training                             P2
   53  SA-17  Developer Security Architecture and Design              P1
   54  SA-20  Customized Development of Critical Components           P0
   55  SA-21  Developer Screening                                     P0
   56  SC-39  Process Isolation                                       P1
   57  SI-10  Information Input Validation                            P1
   58  SI-11  Error Handling                                          P2
   59  SI-15  Information Output Filtering                            P0
   60  SI-16  Memory Protection                                       P1

CSC-07  Wireless Device Control
   61  AC-18  Wireless Access                                         P1
   62  AC-19  Access Control for Mobile Devices                       P1
   63  CA-03  System Interconnections                                 P1
   64  CA-07  Continuous Monitoring                                   P3
   65  CM-02  Baseline Configuration                                  P1
   66  IA-03  Device Identification and Authentication                P1
   67  SC-08  Transmission Confidentiality and Integrity              P1
   68  SC-17  Public Key Infrastructure Certificates                  P1
   69  SC-40  Wireless Link Protection                                P0
   70  SI-04  Information System Monitoring                           P1

CSC-08  Data Recovery Capability
   71  CP-09  Information System Backup                               P1
   72  CP-10  Information System Recovery and Reconstitution          P1
   73  MP-04  Media Storage                                           P1

CSC-09  Security Skills Assessment and Appropriate Training to Fill Gaps
   74  AT-01  Security Awareness and Training Policy and Procedures   P1
   75  AT-02  Security Awareness Training                             P1
   76  AT-03  Role-Based Security Training                            P1
   77  AT-04  Security Training Records                               P3
   78  SA-11  Developer Security Testing and Evaluation               P1
   79  SA-16  Developer-Provided Training                             P2
   80  PM-13  Information Security Workforce                          P1
   81  PM-14  Testing, Training, & Monitoring                         P1
   82  PM-16  Threat Awareness Program                                P1

CSC-10  Secure Configurations for Network Infrastructure & Security Devices
   83  AC-04  Information Flow Enforcement                            P1
   84  CA-03  System Interconnections                                 P1
   85  CA-07  Continuous Monitoring                                   P3
   86  CA-09  Internal System Connections                             P2
   87  CM-02  Baseline Configuration                                  P1
   88  CM-03  Configuration Change Control                            P1
   89  CM-05  Access Restrictions for Change                          P1
   90  CM-06  Configuration Settings                                  P1
   91  CM-08  Information System Component Inventory                  P1
   92  MA-04  Nonlocal Maintenance                                    P1
   93  SC-24  Fail in Known State                                     P1
   94  SI-04  Information System Monitoring                           P1

CSC-11  Ports, Protocols, and Services Management
   95  AC-04  Information Flow Enforcement                            P1
   96  CA-07  Continuous Monitoring                                   P3
   97  CA-09  Internal System Connections                             P2
   98  CM-02  Baseline Configuration                                  P1
   99  CM-06  Configuration Settings                                  P1
  100  CM-08  Information System Component Inventory                  P1
  101  SC-20  Secure Name/Address Resolution Service (Authoritative Source)           P1
  102  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  P1
  103  SC-22  Architecture and Provisioning for Name/Address Resolution Service       P1
  104  SC-41  Port and I/O Device Access                              P0
  105  SI-04  Information System Monitoring                           P1

CSC-12  Controlled Use of Administrative Privileges
  106  AC-02  Account Management                                      P1
  107  AC-06  Least Privilege                                         P1
  108  AC-17  Remote Access                                           P1
  109  AC-19  Access Control for Mobile Devices                       P1
  110  CA-07  Continuous Monitoring                                   P3
  111  IA-02  Identification and Authentication (Organizational Users) P1
  112  IA-04  Identifier Management                                   P1
  113  IA-05  Authenticator Management                                P1
  114  SI-04  Information System Monitoring                           P1

CSC-13  Boundary Defense
  115  AC-04  Information Flow Enforcement                            P1
  116  AC-17  Remote Access                                           P1
  117  AC-20  Use of External Information Systems                     P1
  118  CA-03  System Interconnections                                 P1
  119  CA-07  Continuous Monitoring                                   P3
  120  CA-09  Internal System Connections                             P2
  121  CM-02  Baseline Configuration                                  P1
  122  SA-09  External Information System Services                    P1
  123  SC-07  Boundary Protection                                     P1
  124  SC-08  Transmission Confidentiality and Integrity              P1
  125  SI-04  Information System Monitoring                           P1

CSC-14  Maintenance, Monitoring and Analysis of Audit Logs
  126  AC-23  Data Mining Protection                                  P0
  127  AU-02  Audit Events                                            P1
  128  AU-03  Content of Audit Records                                P1
  129  AU-04  Audit Storage Capacity                                  P1
  130  AU-05  Response to Audit Processing Failures                   P1
  131  AU-06  Audit Review, Analysis, and Reporting                   P1
  132  AU-07  Audit Reduction and Report Generation                   P2
  133  AU-08  Time Stamps                                             P1
  134  AU-09  Protection of Audit Information                         P1
  135  AU-10  Non-repudiation                                         P1
  136  AU-11  Audit Record Retention                                  P3
  137  AU-12  Audit Generation                                        P1
  138  AU-13  Monitoring for Information Disclosure                   P0
  139  AU-14  Session Audit                                           P0
  140  CA-07  Continuous Monitoring                                   P3
  141  IA-10  Adaptive Identification and Authentication              P0
  142  SI-04  Information System Monitoring                           P1

CSC-15  Controlled Access Based on the Need to Know
  143  AC-01  Access Control Policy and Procedures                    P1
  144  AC-02  Account Management                                      P1
  145  AC-03  Access Enforcement                                      P1
  146  AC-06  Least Privilege                                         P1
  147  AC-24  Access Control Decisions                                P0
  148  CA-07  Continuous Monitoring                                   P3
  149  MP-03  Media Marking                                           P2
  150  RA-02  Security Categorization                                 P1
  151  SC-16  Transmission of Security Attributes                     P0
  152  SI-04  Information System Monitoring                           P1

CSC-16  Account Monitoring and Control
  153  AC-02  Account Management                                      P1
  154  AC-03  Access Enforcement                                      P1
  155  AC-07  Unsuccessful Logon Attempts                             P2
  156  AC-11  Session Lock                                            P3
  157  AC-12  Session Termination                                     P2
  158  CA-07  Continuous Monitoring                                   P3
  159  IA-05  Authenticator Management                                P1
  160  IA-10  Adaptive Identification and Authentication              P0
  161  SC-17  Public Key Infrastructure Certificates                  P1
  162  SC-23  Session Authenticity                                    P1
  163  SI-04  Information System Monitoring                           P1

CSC-17  Data Loss Prevention
  164  AC-03  Access Enforcement                                      P1
  165  AC-04  Information Flow Enforcement                            P1
  166  AC-23  Data Mining Protection                                  P0
  167  CA-07  Continuous Monitoring                                   P3
  168  CA-09  Internal System Connections                             P2
  169  IR-09  Information Spillage Response                           P0
  170  MP-05  Media Transport                                         P1
  171  SA-18  Tamper Resistance and Detection                         P0
  172  SC-08  Transmission Confidentiality and Integrity              P1
  173  SC-28  Protection of Information at Rest                       P1
  174  SC-31  Covert Channel Analysis                                 P0
  175  SC-41  Port and I/O Device Access                              P0
  176  SI-04  Information System Monitoring                           P1

CSC-18  Incident Response and Management
  177  IR-01  Incident Response Policy and Procedures                 P1
  178  IR-02  Incident Response Training                              P2
  179  IR-03  Incident Response Testing                               P2
  180  IR-04  Incident Handling                                       P1
  181  IR-05  Incident Monitoring                                     P1
  182  IR-06  Incident Reporting                                      P1
  183  IR-07  Incident Response Assistance                            P3
  184  IR-08  Incident Response Plan                                  P1
  185  IR-10  Integrated Information Security Analysis Team           P0

CSC-19  Secure Network Engineering
  186  AC-04  Information Flow Enforcement                            P1
  187  CA-03  System Interconnections                                 P1
  188  CA-09  Internal System Connections                             P2
  189  SA-08  Security Engineering Principles                         P1
  190  SC-20  Secure Name/Address Resolution Service (Authoritative Source)           P1
  191  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  P1
  192  SC-22  Architecture and Provisioning for Name/Address Resolution Service       P1
  193  SC-32  Information System Partitioning                         P0
  194  SC-37  Out-of-Band Channels                                    P0

CSC-20  Penetration Tests and Red Team Exercises
  195  PM-16  Threat Awareness Program                                P1
  196  CA-02  Security Assessments                                    P2
  197  CA-05  Plan of Action and Milestones                           P3
  198  CA-06  Security Authorization                                  --
  199  CA-08  Penetration Testing                                     P1
  200  RA-06  Technical Surveillance Countermeasures Survey           P0
  201  SI-06  Security Function Verification                          P1
  202  PM-06  Information Security Measures of Performance            P1
  203  PM-14  Testing, Training, & Monitoring                         P1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID (rows sorted by NIST control ID), page 13 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Columns: FAMILY, ID–CN, CONTROL NAME, PRI (priority; withdrawn controls carry –––), CSC–01 through CSC–20 (X where the control maps to that CSC), CNT (occurrences: number of CSCs the control maps to). X and CNT are given where the row shows them.

Access Control (AC)
AC  AC–01  Access Control Policy and Procedures  P1  X
AC  AC–02  Account Management  P1
AC  AC–03  Access Enforcement  P1
AC  AC–04  Information Flow Enforcement  P1
AC  AC–05  Separation of Duties  P1
AC  AC–06  Least Privilege  P1
AC  AC–07  Unsuccessful Logon Attempts  P2
AC  AC–08  System Use Notification  P1
AC  AC–09  Previous Logon (Access) Notification  P0
AC  AC–10  Concurrent Session Control  P2
AC  AC–11  Session Lock  P3  X  1
AC  AC–12  Session Termination  P2  X  1
AC  AC–13  Withdrawn  –––
AC  AC–14  Permitted Actions without Identification or Authentication  P1
AC  AC–15  Withdrawn  –––
AC  AC–16  Security Attributes  P0
AC  AC–17  Remote Access  P1
AC  AC–18  Wireless Access  P1  X
AC  AC–19  Access Control for Mobile Devices  P1  X
AC  AC–20  Use of External Information Systems  P1
AC  AC–21  Information Sharing  P2
AC  AC–22  Publicly Accessible Content  P2
AC  AC–23  Data Mining Protection  P0
AC  AC–24  Access Control Decisions  P0
AC  AC–25  Reference Monitor  P0

Awareness and Training (AT), occurrences 4
AT  AT–01  Security Awareness and Training Policy and Procedures  P1  X  1
AT  AT–02  Security Awareness Training  P1  X  1
AT  AT–03  Role–Based Security Training  P1  X  1
AT  AT–04  Security Training Records  P3  X  1
AT  AT–05  Withdrawn  –––

Audit & Accountability (AU), occurrences 13
AU  AU–01  Audit and Accountability Policy and Procedures  P1
AU  AU–02  Audit Events  P1  X  1
AU  AU–03  Content of Audit Records  P1  X  1
AU  AU–04  Audit Storage Capacity  P1  X  1
AU  AU–05  Response to Audit Processing Failures  P1  X  1
AU  AU–06  Audit Review, Analysis, and Reporting  P1  X  1
AU  AU–07  Audit Reduction and Report Generation  P2  X  1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 14 of 69
AU  AU–08  Time Stamps  P1  X  1
AU  AU–09  Protection of Audit Information  P1  X  1
AU  AU–10  Non–repudiation  P1  X  1
AU  AU–11  Audit Record Retention  P3  X  1
AU  AU–12  Audit Generation  P1  X  1
AU  AU–13  Monitoring for Information Disclosure  P0  X  1
AU  AU–14  Session Audit  P0  X  1
AU  AU–15  Alternate Audit Capability  P0
AU  AU–16  Cross–Organizational Auditing  P0

Security Assessment and Authorization (CA)
CA  CA–01  Security Assessment and Authorization Policies and Procedures  P1
CA  CA–02  Security Assessments  P2
CA  CA–03  System Interconnections  P1
CA  CA–04  Withdrawn  –––
CA  CA–05  Plan of Action and Milestones  P3  X
CA  CA–06  Security Authorization  P3  X
CA  CA–07  Continuous Monitoring  P3
CA  CA–08  Penetration Testing  P1
CA  CA–09  Internal System Connections  P2

Configuration Management (CM)
CM  CM–01  Configuration Management Policy and Procedures  P1
CM  CM–02  Baseline Configuration  P1
CM  CM–03  Configuration Change Control  P1
CM  CM–04  Security Impact Analysis  P2
CM  CM–05  Access Restrictions for Change  P1
CM  CM–06  Configuration Settings  P1
CM  CM–07  Least Functionality  P1  X
CM  CM–08  Information System Component Inventory  P1
CM  CM–09  Configuration Management Plan  P1
CM  CM–10  Software Usage Restrictions  P2  X
CM  CM–11  User–Installed Software  P1  X X  2

Contingency Planning (CP)
CP  CP–01  Contingency Planning Policy and Procedures  P1
CP  CP–02  Contingency Plan  P1
CP  CP–03  Contingency Training  P2
CP  CP–04  Contingency Plan Testing  P2
CP  CP–05  Withdrawn  –––
CP  CP–06  Alternate Storage Site  P1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 15 of 69
CP  CP–07  Alternate Processing Site  P1
CP  CP–08  Telecommunications Services  P1
CP  CP–09  Information System Backup  P1  X  1
CP  CP–10  Information System Recovery and Reconstitution  P1  X  1
CP  CP–11  Alternate Communications Protocols  P0
CP  CP–12  Safe Mode  P0
CP  CP–13  Alternative Security Mechanisms  P0

Identification and Authentication (IA)
IA  IA–01  Identification and Authentication Policy and Procedures  P1
IA  IA–02  Identification and Authentication (Organizational Users)  P1
IA  IA–03  Device Identification and Authentication  P1
IA  IA–04  Identifier Management  P1
IA  IA–05  Authenticator Management  P1  X
IA  IA–06  Authenticator Feedback  P1
IA  IA–07  Cryptographic Module Authentication  P1
IA  IA–08  Identification and Authentication (Non–Organizational Users)  P1
IA  IA–09  Service Identification and Authentication  P0
IA  IA–10  Adaptive Identification and Authentication  P0
IA  IA–11  Re–authentication  P0

Incident Response (IR)
IR  IR–01  Incident Response Policy and Procedures  P1  X  1
IR  IR–02  Incident Response Training  P2  X  1
IR  IR–03  Incident Response Testing  P2  X  1
IR  IR–04  Incident Handling  P1  X  1
IR  IR–05  Incident Monitoring  P1  X  1
IR  IR–06  Incident Reporting  P1  X  1
IR  IR–07  Incident Response Assistance  P3  X  1
IR  IR–08  Incident Response Plan  P1  X  1
IR  IR–09  Information Spillage Response  P0
IR  IR–10  Integrated Information Security Analysis Team  P0  X

Maintenance (MA)
MA  MA–01  System Maintenance Policy and Procedures  P1
MA  MA–02  Controlled Maintenance  P2
MA  MA–03  Maintenance Tools  P2
MA  MA–04  Nonlocal Maintenance  P1
MA  MA–05  Maintenance Personnel  P1
MA  MA–06  Timely Maintenance  P2
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 16 of 69
Media Protection (MP)
MP  MP–01  Media Protection Policy and Procedures  P1
MP  MP–02  Media Access  P1
MP  MP–03  Media Marking  P2
MP  MP–04  Media Storage  P1
MP  MP–05  Media Transport  P1
MP  MP–06  Media Sanitization  P1
MP  MP–07  Media Use  P1
MP  MP–08  Media Downgrading  P0

Physical and Environmental Protection (PE)
PE  PE–01  Physical and Environmental Protection Policy and Procedures  P1
PE  PE–02  Physical Access Authorizations  P1
PE  PE–03  Physical Access Control  P1
PE  PE–04  Access Control for Transmission Medium  P1
PE  PE–05  Access Control for Output Devices  P2
PE  PE–06  Monitoring Physical Access  P1
PE  PE–07  Withdrawn  –––
PE  PE–08  Visitor Access Records  P3
PE  PE–09  Power Equipment and Cabling  P1
PE  PE–10  Emergency Shutoff  P1
PE  PE–11  Emergency Power  P1
PE  PE–12  Emergency Lighting  P1
PE  PE–13  Fire Protection  P1
PE  PE–14  Temperature and Humidity Controls  P1
PE  PE–15  Water Damage Protection  P1
PE  PE–16  Delivery and Removal  P2
PE  PE–17  Alternate Work Site  P2
PE  PE–18  Location of Information System Components  P3
PE  PE–19  Information Leakage  P0
PE  PE–20  Asset Monitoring and Tracking  P0

Planning (PL)
PL  PL–01  Security Planning Policy and Procedures  P1
PL  PL–02  System Security Plan  P1
PL  PL–03  Withdrawn  –––
PL  PL–04  Rules of Behavior  P2
PL  PL–05  Withdrawn  –––
PL  PL–06  Withdrawn  –––
PL  PL–07  Security Concept of Operations  P0
PL  PL–08  Information Security Architecture  P1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 17 of 69
PL  PL–09  Central Management  P0

Personnel Security (PS)
PS  PS–01  Personnel Security Policy and Procedures  P1
PS  PS–02  Position Risk Designation  P1
PS  PS–03  Personnel Screening  P1
PS  PS–04  Personnel Termination  P1
PS  PS–05  Personnel Transfer  P2
PS  PS–06  Access Agreements  P3
PS  PS–07  Third–Party Personnel Security  P1
PS  PS–08  Personnel Sanctions  P3

Risk Assessment (RA)
RA  RA–01  Risk Assessment Policy and Procedures  P1
RA  RA–02  Security Categorization  P1
RA  RA–03  Risk Assessment  P1
RA  RA–04  Withdrawn  –––
RA  RA–05  Vulnerability Scanning  P1
RA  RA–06  Technical Surveillance Countermeasures Survey  P0  X  1

System and Services Acquisition (SA)
SA  SA–01  System and Services Acquisition Policy and Procedures  P1
SA  SA–02  Allocation of Resources  P1
SA  SA–03  System Development Life Cycle  P1
SA  SA–04  Acquisition Process  P1
SA  SA–05  Information System Documentation  P2
SA  SA–06  Withdrawn  –––
SA  SA–07  Withdrawn  –––
SA  SA–08  Security Engineering Principles  P1
SA  SA–09  External Information System Services  P1
SA  SA–10  Developer Configuration Management  P1  X
SA  SA–11  Developer Security Testing and Evaluation  P1  X
SA  SA–12  Supply Chain Protection  P1
SA  SA–13  Trustworthiness  P0
SA  SA–14  Criticality Analysis  P0
SA  SA–15  Development Process, Standards, and Tools  P2  X
SA  SA–16  Developer–Provided Training  P2  X
SA  SA–17  Developer Security Architecture and Design  P1  X
SA  SA–18  Tamper Resistance and Detection  P0
SA  SA–19  Component Authenticity  P0
SA  SA–20  Customized Development of Critical Components  P0
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 18 of 69
SA  SA–21  Developer Screening  P0
SA  SA–22  Unsupported System Components  P0

System and Communications Protection (SC)
SC  SC–01  System and Communications Protection Policy and Procedures  P1
SC  SC–02  Application Partitioning  P1
SC  SC–03  Security Function Isolation  P1
SC  SC–04  Information in Shared Resources  P1
SC  SC–05  Denial of Service Protection  P1
SC  SC–06  Resource Availability  P0
SC  SC–07  Boundary Protection  P1
SC  SC–08  Transmission Confidentiality and Integrity  P1
SC  SC–09  Withdrawn  –––
SC  SC–10  Network Disconnect  P2
SC  SC–11  Trusted Path  P0
SC  SC–12  Cryptographic Key Establishment and Management  P1
SC  SC–13  Cryptographic Protection  P1
SC  SC–14  Withdrawn  –––
SC  SC–15  Collaborative Computing Devices  P1
SC  SC–16  Transmission of Security Attributes  P0
SC  SC–17  Public Key Infrastructure Certificates  P1
SC  SC–18  Mobile Code  P2
SC  SC–19  Voice Over Internet Protocol  P1
SC  SC–20  Secure Name/Address Resolution Service (Authoritative Source)  P1  X X  2
SC  SC–21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  P1  X X  2
SC  SC–22  Architecture and Provisioning for Name/Address Resolution Service  P1  X X  2
SC  SC–23  Session Authenticity  P1
SC  SC–24  Fail in Known State  P1
SC  SC–25  Thin Nodes  P0
SC  SC–26  Honeypots  P0
SC  SC–27  Platform–Independent Applications  P0
SC  SC–28  Protection of Information at Rest  P1
SC  SC–29  Heterogeneity  P0
SC  SC–30  Concealment and Misdirection  P0
SC  SC–31  Covert Channel Analysis  P0
SC  SC–32  Information System Partitioning  P0
SC  SC–33  Withdrawn  –––
SC  SC–34  Non–Modifiable Executable Programs  P0
SC  SC–35  Honeyclients  P0
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 19 of 69
SC  SC–36  Distributed Processing and Storage  P0
SC  SC–37  Out–of–Band Channels  P0
SC  SC–38  Operations Security  P0
SC  SC–39  Process Isolation  P1
SC  SC–40  Wireless Link Protection  P0
SC  SC–41  Port and I/O Device Access  P0
SC  SC–42  Sensor Capability and Data  P0
SC  SC–43  Usage Restrictions  P0
SC  SC–44  Detonation Chambers  P0

System and Information Integrity (SI)
SI  SI–01  System and Information Integrity Policy and Procedures  P1
SI  SI–02  Flaw Remediation  P1
SI  SI–03  Malicious Code Protection  P1
SI  SI–04  Information System Monitoring  P1
SI  SI–05  Security Alerts, Advisories, and Directives  P1
SI  SI–06  Security Function Verification  P1
SI  SI–07  Software, Firmware, and Information Integrity  P1
SI  SI–08  Spam Protection  P2
SI  SI–09  Withdrawn  –––
SI  SI–10  Information Input Validation  P1  X  1
SI  SI–11  Error Handling  P2  X  1
SI  SI–12  Information Handling and Retention  P2
SI  SI–13  Predictable Failure Prevention  P0
SI  SI–14  Non–Persistence  P0
SI  SI–15  Information Output Filtering  P0  X  1
SI  SI–16  Memory Protection  P1  X  1
SI  SI–17  Fail–Safe Procedures  P0  X  1

Program Management (PM)
PM  PM–01  Information Security Program Plan  P1
PM  PM–02  Senior Information Security Officer  P1
PM  PM–03  Information Security Resources  P1
PM  PM–04  Plan of Action and Milestones Process  P1
PM  PM–05  Information System Inventory  P1
PM  PM–06  Information Security Measures of Performance  P1
PM  PM–07  Enterprise Architecture  P1
PM  PM–08  Critical Infrastructure Plan  P1
PM  PM–09  Risk Management Strategy  P1
PM  PM–10  Security Authorization Process  P1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, page 20 of 69
PM  PM–11  Mission/Business Process Definition  P1
PM  PM–12  Insider Threat Program  P1
PM  PM–13  Information Security Workforce  P1  X
PM  PM–14  Testing, Training, & Monitoring  P1  X X  2
PM  PM–15  Contacts with Security Groups and Associations  P1
PM  PM–16  Threat Awareness Program  P1  X X  2
Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS, page 21 of 69
Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications.
Layout: one column per NIST SP 800‐53 Rev. 4 control, grouped by family, plus a "?" column and a Total column; one row per CSC (its Total is the number of mapped controls), followed by one row per NIST 800 Series Special Publication, with X marking each control a CSC or publication covers.

Control columns on this page:
Access Control (AC): AC–01 Access Control Policy and Procedures, AC–02 Account Management, AC–03 Access Enforcement, AC–04 Information Flow Enforcement, AC–05 Separation of Duties, AC–06 Least Privilege, AC–07 Unsuccessful Logon Attempts, AC–08 System Use Notification, AC–09 Previous Logon (Access) Notification, AC–10 Concurrent Session Control, AC–11 Session Lock, AC–12 Session Termination, AC–13 Withdrawn, AC–14 Permitted Actions without Identification or Authentication, AC–15 Withdrawn, AC–16 Security Attributes, AC–17 Remote Access, AC–18 Wireless Access, AC–19 Access Control for Mobile Devices, AC–20 Use of External Information Systems, AC–21 Information Sharing, AC–22 Publicly Accessible Content, AC–23 Data Mining Protection, AC–24 Access Control Decisions, AC–25 Reference Monitor
Awareness and Training (AT): AT–01 Security Awareness and Training Policy and Procedures, AT–02 Security Awareness Training, AT–03 Role–Based Security Training, AT–04 Security Training Records, AT–05 Withdrawn
Audit & Accountability (AU): AU–01 Audit and Accountability Policy and Procedures, AU–02 Audit Events, AU–03 Content of Audit Records, AU–04 Audit Storage Capacity, AU–05 Response to Audit Processing Failures, AU–06 Audit Review, Analysis, and Reporting, AU–07 Audit Reduction and Report Generation, AU–08 Time Stamps

CSC rows: CSC–01 through CSC–20, each with its Total of mapped controls (7, 10, 16, 6, 6, 15, 10, 3, 9, 12, 11, 9, 11, 17, 10, 11, 13, 9, 9, 9; 203 in all).

NIST 800 Series Special Publications:
SP 800-12  An Introduction to Computer Security: The NIST Handbook
SP 800-13  Telecommunications Security Guidelines for Telecommunications Manageme
Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS, page 22 of 69
SP 800-14  Generally Accepted Principles and Practices for Securing Information Techno
SP 800-15 Version 1  MISPC Minimum Interoperability Specification for PKI Components
SP 800-16  Information Technology Security Training Requirements: A Role- and Perform
SP 800-16 Rev. 1  DRAFT Information Security Training Requirements: A Role- and Performanc
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedure
SP 800-18 Rev.1  Guide for Developing Security Plans for Federal Information Systems
SP 800-19  Mobile Agent Security
SP 800-20  Modes of Operation Validation System for the Triple Data Encryption Algorith
SP 800-21 2nd edition  Guideline for Implementing Cryptography in the Federal Government
SP 800-22 Rev. 1a  A Statistical Test Suite for Random and Pseudorandom Number Generators f
SP 800-23  Guidelines to Federal Organizations on Security Assurance and Acquisition/U
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Auth
SP 800-27 Rev. A  Engineering Principles for Information Technology Security (A Baseline for A
SP 800-28 Version 2  Guidelines on Active Content and Mobile Code
SP 800-29  A Comparison of the Security Requirements for Cryptographic Modules in FI
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-30 Rev. 1  Guide for Conducting Risk Assessments
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-34 Rev. 1  Contingency Planning Guide for Federal Information Systems (Errata Page - 1
SP 800-35  Guide to Information Technology Security Services
SP 800-36  Guide to Selecting Information Technology Security Products
Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS, page 23 of 69
SP 800-37 Rev. 1  Guide for Applying the Risk Management Framework to Federal Information
SP 800-38 A  Recommendation for Block Cipher Modes of Operation - Methods and Techni
800-38 A - Addendum  Recommendation for Block Cipher Modes of Operation: Three Variants of Cip
SP 800-38 B  Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A
SP 800-38 C  Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au
SP 800-38 D  Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
SP 800-38 E  Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f
SP 800-38 F  DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K
SP 800-39  Managing Information Security Risk: Organization, Mission, and Information
SP 800-40 Version 2.0  Creating a Patch and Vulnerability Management Program
SP 800-41 Rev. 1  Guidelines on Firewalls and Firewall Policy
SP 800-43  Systems Administration Guidance for Windows 2000 Professional System
SP 800-44 Version 2  Guidelines on Securing Public Web Servers
SP 800-45 Version 2  Guidelines on Electronic Mail Security
SP 800-46 Rev. 1  Guide to Enterprise Telework and Remote Access Security
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-48 Rev. 1  Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-50  Building an Information Technology Security Awareness and Training Progra
SP 800-51 Rev. 1  Guide to Using Vulnerability Naming Schemes
SP 800-52  Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple
SP 800-53 A Rev. 1  Guide for Assessing the Security Controls in Federal Information Systems an
SP 800-53 Rev. 3  Recommended Security Controls for Federal Information Systems and Organ
  24. 24. SP 800-53 Rev. 4 Border Gateway Protocol Security SP 800-54 Performance Measurement Guide for Information Security SP 800-55 Rev. 1 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete L SP 800-56 A Recommendation for Pair-Wise Key Establishment Schemes Using Integer Fa SP 800-56 B Recommendation for Key Derivation through Extraction-then-Expansion SP 800-56 C Recommendation for Key Management SP 800-57 DRAFT Recommendation for Key Management: Part 1: General SP 800-57 Part 1 Security Considerations for Voice Over IP Systems SP 800-58 Guideline for Identifying an Information System as a National Security Syste SP 800-59 Guide for Mapping Types of Information and Information Systems to Securit SP 800-60 Rev. 1 Computer Security Incident Handling Guide SP 800-61 Rev. 1 DRAFT Computer Security Incident Handling Guide SP 800-61 Rev. 2 Electronic Authentication Guideline SP 800-63 Rev. 1 Electronic Authentication Guideline 00-63 Version 1.0.2 Security Considerations in the System Development Life Cycle SP 800-64 Rev. 2 Integrating IT Security into the Capital Planning and Investment Control Pro SP 800-65 DRAFT Recommendations for Integrating Information Security into the Capit SP 800-65 Rev. 1 An Introductory Resource Guide for Implementing the Health Insurance Port SP 800-66 Rev 1 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Ciph SP 800-67 Rev. 1 Guide to Securing Microsoft Windows XP Systems for IT Professionals SP 800-68 Rev. 1 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security National Checklist Program for IT Products: Guidelines for Checklist Users an SP 800-69 SP 800-70 Rev. 
2 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 24 of 69 AU–08 Time Stamps AU–07 Audit Reduction and Report Generation AU–06 Audit Review, Analysis, and Reporting AU–05 Response to Audit Processing Failures AU–04 Audit Storage Capacity AU–03 Content of Audit Records AU–02 Audit Events Audit & Accountability AU AU–01 Audit and Accountability Policy and Procedures AT–05 Withdrawn AT–04 Security Training Records AT–03 Role–Based Security Training AT–02 Security Awareness Training AT AT–01 Security Awareness and Training Policy and Procedures Awareness and Training AC–25 Reference Monitor AC–24 Access Control Decisions AC–23 Data Mining Protection AC–22 Publicly Accessible Content AC–21 Information Sharing AC–20 Use of External Information Systems AC–19 Access Control for Mobile Devices AC–18 Wireless Access HMAP_53r4_to_CSCv4.1_&_NIST_PUBS AC–17 Remote Access AC–16 Security Attributes AC–15 Withdrawn AC–14 Permitted Actions without Identification or Authenticatio AC–13 Withdrawn AC–12 Session Termination AC–11 Session Lock AC–10 Concurrent Session Control AC–09 Previous Logon (Access) Notification AC–08 System Use Notification AC–07 Unsuccessful Logon Attempts AC–06 Least Privilege AC–05 Separation of Duties CSC AC–04 Information Flow Enforcement Critical Security Controls DRAFT Security and Privacy Controls for Federal Information Systems and O AC AC–03 Access Enforcement ? Total Access Control Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AC–02 Account Management Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AC–01 Access Control Policy and Procedures Print Date: 3/1/2014, 12:02 PM
  25. 25. SP 800-72 Interfaces for Personal Identity Verification (4 Parts) SP 800-73 -3 Biometric Data Specification for Personal Identity Verification SP 800-76 -1 DRAFT Biometric Data Specification for Personal Identity Verification SP 800-76 -2 Guide to IPsec VPNs SP 800-77 Cryptographic Algorithms and Key Sizes for Personal Identification Verificatio SP 800-78 -3 Guidelines for the Accreditation of Personal Identity Verification (PIV) Card I SP 800-79 -1 Secure Domain Name System (DNS) Deployment Guide SP 800-81 Rev. 1 Guide to Industrial Control Systems (ICS) Security SP 800-82 Guide to Malware Incident Prevention and Handling SP 800-83 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities SP 800-84 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 SP 800-85 A-2 PIV Data Model Test Guidelines DRAFT PIV Data Model Conformance Test Guidelines Guide to Integrating Forensic Techniques into Incident Response Codes for Identification of Federal and Federally-Assisted Organizations Guidelines for Media Sanitization SP 800-85 B SP 800-85 B-1 SP 800-86 SP 800-87 Rev 1 SP 800-88 Recommendation for Obtaining Assurances for Digital Signature Applications SP 800-89 Recommendation for Random Number Generation Using Deterministic Rando SP 800-90 A Guide to Computer Security Log Management SP 800-92 Guide to Intrusion Detection and Prevention Systems (IDPS) SP 800-94 Guide to Secure Web Services SP 800-95 PIV Card to Reader Interoperability Guidelines SP 800-96 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 25 of 69 AU–08 Time Stamps AU–07 Audit Reduction and Report Generation AU–06 Audit Review, Analysis, and Reporting AU–05 Response to Audit Processing Failures AU–04 Audit Storage Capacity AU–03 Content of Audit Records AU–02 Audit Events Audit & Accountability AU AU–01 Audit and Accountability Policy and Procedures AT–05 Withdrawn AT–04 Security Training Records AT–03 Role–Based Security 
Training AT–02 Security Awareness Training AT AT–01 Security Awareness and Training Policy and Procedures Awareness and Training AC–25 Reference Monitor AC–24 Access Control Decisions AC–23 Data Mining Protection AC–22 Publicly Accessible Content AC–21 Information Sharing AC–20 Use of External Information Systems AC–19 Access Control for Mobile Devices AC–18 Wireless Access HMAP_53r4_to_CSCv4.1_&_NIST_PUBS AC–17 Remote Access AC–16 Security Attributes AC–15 Withdrawn AC–14 Permitted Actions without Identification or Authenticatio AC–13 Withdrawn AC–12 Session Termination AC–11 Session Lock AC–10 Concurrent Session Control AC–09 Previous Logon (Access) Notification AC–08 System Use Notification AC–07 Unsuccessful Logon Attempts AC–06 Least Privilege AC–05 Separation of Duties CSC AC–04 Information Flow Enforcement Critical Security Controls Guidelines on PDA Forensics AC AC–03 Access Enforcement ? Total Access Control Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AC–02 Account Management Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AC–01 Access Control Policy and Procedures Print Date: 3/1/2014, 12:02 PM
  26. 26. SP 800-97 Guidelines for Securing Radio Frequency Identification (RFID) Systems SP 800-98 Information Security Handbook: A Guide for Managers SP 800-100 Guidelines on Cell Phone Forensics SP 800-101 Recommendation for Digital Signature Timeliness SP 800-102 DRAFT An Ontology of Identity Credentials, Part I: Background and Formula SP 800-103 A Scheme for PIV Visual Card Topography SP 800-104 Randomized Hashing for Digital Signatures SP 800-106 Recommendation for Applications Using Approved Hash Algorithms SP 800-107 DRAFT Recommendation for Applications Using Approved Hash Algorithms SP 800-107 Revised Recommendation for Key Derivation Using Pseudorandom Functions SP 800-108 Guide to Storage Encryption Technologies for End User Devices SP 800-111 Guide to SSL VPNs SP 800-113 User's Guide to Securing External Devices for Telework and Remote Access SP 800-114 Technical Guide to Information Security Testing and Assessment SP 800-115 A Recommendation for the Use of PIV Credentials in Physical Access Control SP 800-116 Guide to Adopting and Using the Security Content Automation Protocol (SCA SP 800-117 DRAFT Guide to Adopting and Using the Security Content Automation Protoc SP 800-117 Rev. 1 DRAFT Guide to Enterprise Password Management SP 800-118 Guidelines for the Secure Deployment of IPv6 SP 800-119 Recommendation for EAP Methods Used in Wireless Network Access Authent SP 800-120 Guide to Bluetooth Security SP 800-121 Rev. 
1 Guide to Protecting the Confidentiality of Personally Identifiable Information Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx SP 800-122 Page 26 of 69 AU–08 Time Stamps AU–07 Audit Reduction and Report Generation AU–06 Audit Review, Analysis, and Reporting AU–05 Response to Audit Processing Failures AU–04 Audit Storage Capacity AU–03 Content of Audit Records AU–02 Audit Events Audit & Accountability AU AU–01 Audit and Accountability Policy and Procedures AT–05 Withdrawn AT–04 Security Training Records AT–03 Role–Based Security Training AT–02 Security Awareness Training AT AT–01 Security Awareness and Training Policy and Procedures Awareness and Training AC–25 Reference Monitor AC–24 Access Control Decisions AC–23 Data Mining Protection AC–22 Publicly Accessible Content AC–21 Information Sharing AC–20 Use of External Information Systems AC–19 Access Control for Mobile Devices AC–18 Wireless Access HMAP_53r4_to_CSCv4.1_&_NIST_PUBS AC–17 Remote Access AC–16 Security Attributes AC–15 Withdrawn AC–14 Permitted Actions without Identification or Authenticatio AC–13 Withdrawn AC–12 Session Termination AC–11 Session Lock AC–10 Concurrent Session Control AC–09 Previous Logon (Access) Notification AC–08 System Use Notification AC–07 Unsuccessful Logon Attempts AC–06 Least Privilege AC–05 Separation of Duties CSC AC–04 Information Flow Enforcement Critical Security Controls Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i AC AC–03 Access Enforcement ? Total Access Control Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AC–02 Account Management Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AC–01 Access Control Policy and Procedures Print Date: 3/1/2014, 12:02 PM
  27. 27. SP 800-123 Guidelines on Cell Phone and PDA Security SP 800-124 Guide to Security for Full Virtualization Technologies SP 800-125 The Technical Specification for the Security Content Automation Protocol (SC SP 800-126 The Technical Specification for the Security Content Automation Protocol (SC SP 800-126 Rev. 1 The Technical Specification for the Security Content Automation Protocol (SC SP 800-126 Rev. 2 Guide to Securing WiMAX Wireless Communications SP 800-127 Guide for Security-Focused Configuration Management of Information Syste SP 800-128 DRAFT A Framework for Designing Cryptographic Key Management Systems SP 800-130 Transitions: Recommendation for Transitioning the Use of Cryptographic Alg SP 800-131 A DRAFT Transitions: Validation of Transitioning Cryptographic Algorithm and SP 800-131 B DRAFT Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3 SP 800-131 C Recommendation for Password-Based Key Derivation Part 1: Storage Applica SP 800-132 DRAFT Recommendation for Cryptographic Key Generation Recommendation for Existing Application-Specific Key Derivation Functions SP 800-133 SP 800-135 Rev. 
1 Information Security Continuous Monitoring for Federal Information Systems SP 800-137 Practical Combinatorial Testing SP 800-142 Guidelines on Security and Privacy in Public Cloud Computing SP 800-144 A NIST Definition of Cloud Computing SP 800-145 Cloud Computing Synopsis and Recommendations SP 800-146 Basic Input/Output System (BIOS) Protection Guidelines SP 800-147 Guidelines for Securing Wireless Local Area Networks (WLANs) SP 800-153 DRAFT BIOS Integrity Measurement Guidelines SP 800-155 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 27 of 69 AU–08 Time Stamps AU–07 Audit Reduction and Report Generation AU–06 Audit Review, Analysis, and Reporting AU–05 Response to Audit Processing Failures AU–04 Audit Storage Capacity AU–03 Content of Audit Records AU–02 Audit Events Audit & Accountability AU AU–01 Audit and Accountability Policy and Procedures AT–05 Withdrawn AT–04 Security Training Records AT–03 Role–Based Security Training AT–02 Security Awareness Training AT AT–01 Security Awareness and Training Policy and Procedures Awareness and Training AC–25 Reference Monitor AC–24 Access Control Decisions AC–23 Data Mining Protection AC–22 Publicly Accessible Content AC–21 Information Sharing AC–20 Use of External Information Systems AC–19 Access Control for Mobile Devices AC–18 Wireless Access HMAP_53r4_to_CSCv4.1_&_NIST_PUBS AC–17 Remote Access AC–16 Security Attributes AC–15 Withdrawn AC–14 Permitted Actions without Identification or Authenticatio AC–13 Withdrawn AC–12 Session Termination AC–11 Session Lock AC–10 Concurrent Session Control AC–09 Previous Logon (Access) Notification AC–08 System Use Notification AC–07 Unsuccessful Logon Attempts AC–06 Least Privilege AC–05 Separation of Duties CSC AC–04 Information Flow Enforcement Critical Security Controls Guide to General Server Security AC AC–03 Access Enforcement ? 
Total Access Control Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AC–02 Account Management Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AC–01 Access Control Policy and Procedures Print Date: 3/1/2014, 12:02 PM
  28. 28. Inventory of Authorized & Unauthorized Devices CSC–01 7 1 X CSC–02 10 1 X 4 CSC–03 16 1 X 8 X X Continuous Vulnerability Assessment and Remediation CSC–04 6 2 Malware Defenses CSC–05 6 1 Application Software Security CSC–06 CSC–07 10 1 CSC–08 CSC–09 9 Secure Configurations for Network Infrastructure & Security Devices CSC–10 12 Inventory of Authorized & Unauthorized Devices CSC–11 11 2 Inventory of Authorized and Unauthorized Software CSC–12 9 1 Secure Configurations for Mobile Devices, Workstations, Servers CSC–13 11 3 Continuous Vulnerability Assessment and Remediation CSC–14 17 X X X X X X 1 X Malware Defenses CSC–15 10 1 X Application Software Security CSC–16 11 1 X Wireless Device Control CSC–17 13 2 X Data Recovery Capability CSC–18 9 Security Skills Assessment and Appropriate Training to Fill Gaps CSC–19 9 2 Secure Configurations for Network Infrastructure & Security Devices CSC–20 9 4 X 1 1 1 CP–09 Information System Backup CP–08 Telecommunications Services CP–07 Alternate Processing Site CP–06 Alternate Storage Site CP–05 Withdrawn CP–04 Contingency Plan Testing CP–03 Contingency Training CP–02 Contingency Plan Contingency Planning CP–01 Contingency Planning Policy and Procedures CM–11 User–Installed Software CM–10 Software Usage Restrictions CM–09 Configuration Management Plan CM–08 Information System Component Inventory 3 Security Skills Assessment and Appropriate Training to Fill Gaps CM–07 Least Functionality X Data Recovery Capability CP 15 Wireless Device Control CM–06 Configuration Settings X Secure Configurations for Mobile Devices, Workstations, Servers CM–05 Access Restrictions for Change 1 Inventory of Authorized and Unauthorized Software CM–04 Security Impact Analysis CM–03 Configuration Change Control CM–02 Baseline Configuration Configuration Management CM CM–01 Configuration Management Policy and Procedures CA–09 Internal System Connections HMAP_53r4_to_CSCv4.1_&_NIST_PUBS CA–08 Penetration Testing CA–07 Continuous Monitoring CA–06 
Security Authorization CA–05 Plan of Action and Milestones CA–04 Withdrawn CA–03 System Interconnections CA CA–02 Security Assessments Security Assessment and Authorization CA–01 Security Assessment and Authorization Policies and Pro AU–16 Cross–Organizational Auditing AU–15 Alternate Audit Capability AU–14 Session Audit AU–13 Monitoring for Information Disclosure Total CSC AU–12 Audit Generation Critical Security Controls ? AU–09 Protection of Audit Information Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AU–11 Audit Record Retention Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AU–10 Non–repudiation Print Date: 3/1/2014, 12:02 PM NIST 800 Series Special Publications An Introduction to Computer Security: The NIST Handbook X X X X X X 2 X Page 28 of 69 X X 5 X X X 3 SP 800-13 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx X X X X X X X 2 SP 800-12 Telecommunications Security Guidelines for Telecommunications Manageme X X X 3 X X 1 X X X X X X X X X X X X X X X X
  29. 29. MISPC Minimum Interoperability Specification for PKI Components SP 800-14 SP 800-15 Version 1 Information Technology Security Training Requirements: A Role- and Perform SP 800-16 DRAFT Information Security Training Requirements: A Role- and Performanc SP 800-16 Rev. 1 Modes of Operation Validation System (MOVS): Requirements and Procedure SP 800-17 Guide for Developing Security Plans for Federal Information Systems SP 800-18 Rev.1 Mobile Agent Security SP 800-19 Modes of Operation Validation System for the Triple Data Encryption Algorith Guideline for Implementing Cryptography in the Federal Government SP 800-20 800-21 2nd edition A Statistical Test Suite for Random and Pseudorandom Number Generators f SP 800-22 Rev. 1a Guidelines to Federal Organizations on Security Assurance and Acquisition/U SP 800-23 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D SP 800-24 Federal Agency Use of Public Key Technology for Digital Signatures and Auth SP 800-25 Engineering Principles for Information Technology Security (A Baseline for A Guidelines on Active Content and Mobile Code SP 800-27 Rev. A SP 800-28 Version 2 A Comparison of the Security Requirements for Cryptographic Modules in FI SP 800-29 Risk Management Guide for Information Technology Systems SP 800-30 Guide for Conducting Risk Assessments Introduction to Public Key Technology and the Federal PKI Infrastructure Underlying Technical Models for Information Technology Security Contingency Planning Guide for Federal Information Systems (Errata Page - SP 800-30 Rev. 1 1 1 SP 800-32 SP 800-33 SP 800-34 Rev. 
1 Guide to Information Technology Security Services SP 800-35 Guide to Selecting Information Technology Security Products SP 800-36 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 29 of 69 x CP–09 Information System Backup CP–08 Telecommunications Services CP–07 Alternate Processing Site CP–06 Alternate Storage Site CP–05 Withdrawn CP–04 Contingency Plan Testing CP–03 Contingency Training CP–02 Contingency Plan Contingency Planning CP CP–01 Contingency Planning Policy and Procedures CM–11 User–Installed Software CM–10 Software Usage Restrictions CM–09 Configuration Management Plan CM–08 Information System Component Inventory CM–07 Least Functionality CM–06 Configuration Settings CM–05 Access Restrictions for Change CM–04 Security Impact Analysis CM–03 Configuration Change Control CM–02 Baseline Configuration Configuration Management CM CM–01 Configuration Management Policy and Procedures CA–09 Internal System Connections HMAP_53r4_to_CSCv4.1_&_NIST_PUBS CA–08 Penetration Testing CA–07 Continuous Monitoring CA–06 Security Authorization CA–05 Plan of Action and Milestones CA–04 Withdrawn CA–03 System Interconnections CA CA–02 Security Assessments Security Assessment and Authorization CA–01 Security Assessment and Authorization Policies and Pro AU–16 Cross–Organizational Auditing AU–15 Alternate Audit Capability AU–14 Session Audit AU–13 Monitoring for Information Disclosure CSC Generally Accepted Principles and Practices for Securing Information Techno AU–12 Audit Generation Critical Security Controls Total ? AU–09 Protection of Audit Information Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AU–11 Audit Record Retention Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AU–10 Non–repudiation Print Date: 3/1/2014, 12:02 PM
  30. 30. SP 800-38 A 8 Recommendation for Block Cipher Modes of Operation: Three Variants of Cip 00-38 A - Addendum Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A SP 800-38 B Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au SP 800-38 C Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode SP 800-38 D Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f SP 800-38 E DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K SP 800-38 F Managing Information Security Risk: Organization, Mission, and Information Creating a Patch and Vulnerability Management Program SP 800-39 800-40 Version 2.0 Guidelines on Firewalls and Firewall Policy SP 800-41 Rev. 1 Systems Administration Guidance for Windows 2000 Professional System SP 800-43 Guidelines on Securing Public Web Servers SP 800-44 Version 2 Guidelines on Electronic Mail Security SP 800-45 Version 2 Guide to Enterprise Telework and Remote Access Security Security Guide for Interconnecting Information Technology Systems Guide to Securing Legacy IEEE 802.11 Wireless Networks SP 800-46 Rev. 1 SP 800-47 SP 800-48 Rev. 1 Federal S/MIME V3 Client Profile SP 800-49 Building an Information Technology Security Awareness and Training Progra SP 800-50 Guide to Using Vulnerability Naming Schemes Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple SP 800-51 Rev. 1 SP 800-52 Guide for Assessing the Security Controls in Federal Information Systems an SP 800-53 A Rev. 1 Recommended Security Controls for Federal Information Systems and Organ Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx SP 800-53 Rev. 
3 Page 30 of 69 CP–09 Information System Backup CP–08 Telecommunications Services CP–07 Alternate Processing Site CP–06 Alternate Storage Site CP–05 Withdrawn CP–04 Contingency Plan Testing CP–03 Contingency Training CP–02 Contingency Plan Contingency Planning CP CP–01 Contingency Planning Policy and Procedures CM–11 User–Installed Software CM–10 Software Usage Restrictions CM–09 Configuration Management Plan CM–08 Information System Component Inventory CM–07 Least Functionality CM–06 Configuration Settings CM–05 Access Restrictions for Change CM–04 Security Impact Analysis CM–03 Configuration Change Control CM–02 Baseline Configuration Configuration Management CM CM–01 Configuration Management Policy and Procedures CA–09 Internal System Connections HMAP_53r4_to_CSCv4.1_&_NIST_PUBS CA–08 Penetration Testing CA–07 Continuous Monitoring CA–06 Security Authorization CA–05 Plan of Action and Milestones CA–04 Withdrawn CA–03 System Interconnections CA–02 Security Assessments Security Assessment and Authorization CA CA–01 Security Assessment and Authorization Policies and Pro AU–16 Cross–Organizational Auditing AU–15 Alternate Audit Capability AU–14 Session Audit SP 800-37 Rev. 1 Recommendation for Block Cipher Modes of Operation - Methods and Techni AU–13 Monitoring for Information Disclosure CSC AU–12 Audit Generation Critical Security Controls Guide for Applying the Risk Management Framework to Federal Information AU–11 Audit Record Retention ? Total Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications. AU–10 Non–repudiation Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 AU–09 Protection of Audit Information Print Date: 3/1/2014, 12:02 PM
