Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4

http://www.counciloncybersecurity.org

CSC–01  Inventory of Authorized & Unauthorized Devices
CSC–01  CA–07  Continuous Monitoring
CSC–01  CM–08  Information System Component Inventory
CSC–01  IA–03  Device Identification and Authentication
CSC–01  SA–04  Acquisition Process
CSC–01  SC–17  Public Key Infrastructure Certificates
CSC–01  SI–04  Information System Monitoring
CSC–01  PM–05  Information System Inventory

CSC–02  Inventory of Authorized and Unauthorized Software
CSC–02  CA–07  Continuous Monitoring
CSC–02  CM–02  Baseline Configuration
CSC–02  CM–08  Information System Component Inventory
CSC–02  CM–10  Software Usage Restrictions
CSC–02  CM–11  User–Installed Software
CSC–02  SA–04  Acquisition Process
CSC–02  SC–18  Mobile Code
CSC–02  SC–34  Non–Modifiable Executable Programs
CSC–02  SI–04  Information System Monitoring
CSC–02  PM–05  Information System Inventory

CSC–03  Secure Configurations for Mobile Devices, Workstations, Servers
CSC–03  CA–07  Continuous Monitoring
CSC–03  CM–02  Baseline Configuration
CSC–03  CM–03  Configuration Change Control
CSC–03  CM–05  Access Restrictions for Change
CSC–03  CM–06  Configuration Settings
CSC–03  CM–07  Least Functionality
CSC–03  CM–08  Information System Component Inventory
CSC–03  CM–09  Configuration Management Plan
CSC–03  CM–11  User–Installed Software
CSC–03  MA–04  Nonlocal Maintenance
CSC–03  RA–05  Vulnerability Scanning
CSC–03  SA–04  Acquisition Process
CSC–03  SC–15  Collaborative Computing Devices
CSC–03  SC–34  Non–Modifiable Executable Programs
CSC–03  SI–02  Flaw Remediation
CSC–03  SI–04  Information System Monitoring

CSC–04  Continuous Vulnerability Assessment and Remediation
CSC–04  CA–02  Security Assessments

Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
Page 1 of 69
CSC–04  CA–07  Continuous Monitoring
CSC–04  RA–05  Vulnerability Scanning
CSC–04  SC–34  Non–Modifiable Executable Programs
CSC–04  SI–04  Information System Monitoring
CSC–04  SI–07  Software, Firmware, and Information Integrity

CSC–05  Malware Defenses
CSC–05  CA–07  Continuous Monitoring
CSC–05  SC–39  Process Isolation
CSC–05  SC–44  Detonation Chambers
CSC–05  SI–03  Malicious Code Protection
CSC–05  SI–04  Information System Monitoring
CSC–05  SI–08  Spam Protection

CSC–06  Application Software Security
CSC–06  RA–05  Vulnerability Scanning
CSC–06  SA–03  System Development Life Cycle
CSC–06  SA–10  Developer Configuration Management
CSC–06  SA–11  Developer Security Testing and Evaluation
CSC–06  SA–13  Trustworthiness
CSC–06  SA–15  Development Process, Standards, and Tools
CSC–06  SA–16  Developer–Provided Training
CSC–06  SA–17  Developer Security Architecture and Design
CSC–06  SA–20  Customized Development of Critical Components
CSC–06  SA–21  Developer Screening
CSC–06  SC–39  Process Isolation
CSC–06  SI–10  Information Input Validation
CSC–06  SI–11  Error Handling
CSC–06  SI–15  Information Output Filtering
CSC–06  SI–16  Memory Protection

CSC–07  Wireless Device Control
CSC–07  AC–18  Wireless Access
CSC–07  AC–19  Access Control for Mobile Devices
CSC–07  CA–03  System Interconnections
CSC–07  CA–07  Continuous Monitoring
CSC–07  CM–02  Baseline Configuration
CSC–07  IA–03  Device Identification and Authentication
CSC–07  SC–08  Transmission Confidentiality and Integrity
CSC–07  SC–17  Public Key Infrastructure Certificates
CSC–07  SC–40  Wireless Link Protection
CSC–07  SI–04  Information System Monitoring

CSC–08  Data Recovery Capability
CSC–08  CP–09  Information System Backup
CSC–08  CP–10  Information System Recovery and Reconstitution
CSC–08  MP–04  Media Storage

CSC–09  Security Skills Assessment and Appropriate Training to Fill Gaps
CSC–09  AT–01  Security Awareness and Training Policy and Procedures
CSC–09  AT–02  Security Awareness Training
CSC–09  AT–03  Role–Based Security Training
CSC–09  AT–04  Security Training Records
CSC–09  SA–11  Developer Security Testing and Evaluation
CSC–09  SA–16  Developer–Provided Training
CSC–09  PM–13  Information Security Workforce
CSC–09  PM–14  Testing, Training, & Monitoring
CSC–09  PM–16  Threat Awareness Program

CSC–10  Secure Configurations for Network Infrastructure & Security Devices
CSC–10  AC–04  Information Flow Enforcement
CSC–10  CA–03  System Interconnections
CSC–10  CA–07  Continuous Monitoring
CSC–10  CA–09  Internal System Connections
CSC–10  CM–02  Baseline Configuration
CSC–10  CM–03  Configuration Change Control
CSC–10  CM–05  Access Restrictions for Change
CSC–10  CM–06  Configuration Settings
CSC–10  CM–08  Information System Component Inventory
CSC–10  MA–04  Nonlocal Maintenance
CSC–10  SC–24  Fail in Known State
CSC–10  SI–04  Information System Monitoring

CSC–11  Ports, Protocols, and Services Management
CSC–11  AC–04  Information Flow Enforcement
CSC–11  CA–07  Continuous Monitoring
CSC–11  CA–09  Internal System Connections
CSC–11  CM–02  Baseline Configuration
CSC–11  CM–06  Configuration Settings
CSC–11  CM–08  Information System Component Inventory
CSC–11  SC–20  Secure Name/Address Resolution Service (Authoritative Source)
CSC–11  SC–21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
CSC–11  SC–22  Architecture and Provisioning for Name/Address Resolution Service
CSC–11  SC–41  Port and I/O Device Access
CSC–11  SI–04  Information System Monitoring

CSC–12  Controlled Use of Administrative Privileges
CSC–12  AC–02  Account Management
CSC–12  AC–06  Least Privilege
CSC–12  AC–17  Remote Access
CSC–12  AC–19  Access Control for Mobile Devices
CSC–12  CA–07  Continuous Monitoring
CSC–12  IA–02  Identification and Authentication (Organizational Users)
CSC–12  IA–04  Identifier Management
CSC–12  IA–05  Authenticator Management
CSC–12  SI–04  Information System Monitoring

CSC–13  Boundary Defense
CSC–13  AC–04  Information Flow Enforcement
CSC–13  AC–17  Remote Access
CSC–13  AC–20  Use of External Information Systems
CSC–13  CA–03  System Interconnections
CSC–13  CA–07  Continuous Monitoring
CSC–13  CA–09  Internal System Connections
CSC–13  CM–02  Baseline Configuration
CSC–13  SA–09  External Information System Services
CSC–13  SC–07  Boundary Protection
CSC–13  SC–08  Transmission Confidentiality and Integrity
CSC–13  SI–04  Information System Monitoring

CSC–14  Maintenance, Monitoring and Analysis of Audit Logs
CSC–14  AC–23  Data Mining Protection
CSC–14  AU–02  Audit Events
CSC–14  AU–03  Content of Audit Records
CSC–14  AU–04  Audit Storage Capacity
CSC–14  AU–05  Response to Audit Processing Failures
CSC–14  AU–06  Audit Review, Analysis, and Reporting
CSC–14  AU–07  Audit Reduction and Report Generation
CSC–14  AU–08  Time Stamps
CSC–14  AU–09  Protection of Audit Information
CSC–14  AU–10  Non–repudiation
CSC–14  AU–11  Audit Record Retention
CSC–14  AU–12  Audit Generation
CSC–14  AU–13  Monitoring for Information Disclosure
CSC–14  AU–14  Session Audit
CSC–14  CA–07  Continuous Monitoring
CSC–14  IA–10  Adaptive Identification and Authentication
CSC–14  SI–04  Information System Monitoring

CSC–15  Controlled Access Based on the Need to Know
CSC–15  AC–01  Access Control Policy and Procedures
CSC–15  AC–02  Account Management
CSC–15  AC–03  Access Enforcement
CSC–15  AC–06  Least Privilege
CSC–15  AC–24  Access Control Decisions
CSC–15  CA–07  Continuous Monitoring
CSC–15  MP–03  Media Marking
CSC–15  RA–02  Security Categorization
CSC–15  SC–16  Transmission of Security Attributes
CSC–15  SI–04  Information System Monitoring

CSC–16  Account Monitoring and Control
CSC–16  AC–02  Account Management
CSC–16  AC–03  Access Enforcement
CSC–16  AC–07  Unsuccessful Logon Attempts
CSC–16  AC–11  Session Lock
CSC–16  AC–12  Session Termination
CSC–16  CA–07  Continuous Monitoring
CSC–16  IA–05  Authenticator Management
CSC–16  IA–10  Adaptive Identification and Authentication
CSC–16  SC–17  Public Key Infrastructure Certificates
CSC–16  SC–23  Session Authenticity
CSC–16  SI–04  Information System Monitoring

CSC–17  Data Loss Prevention
CSC–17  AC–03  Access Enforcement
CSC–17  AC–04  Information Flow Enforcement
CSC–17  AC–23  Data Mining Protection
CSC–17  CA–07  Continuous Monitoring
CSC–17  CA–09  Internal System Connections
CSC–17  IR–09  Information Spillage Response
CSC–17  MP–05  Media Transport
CSC–17  SA–18  Tamper Resistance and Detection
CSC–17  SC–08  Transmission Confidentiality and Integrity
CSC–17  SC–28  Protection of Information at Rest
CSC–17  SC–31  Covert Channel Analysis
CSC–17  SC–41  Port and I/O Device Access
CSC–17  SI–04  Information System Monitoring

CSC–18  Incident Response and Management
CSC–18  IR–01  Incident Response Policy and Procedures
CSC–18  IR–02  Incident Response Training
CSC–18  IR–03  Incident Response Testing
CSC–18  IR–04  Incident Handling
CSC–18  IR–05  Incident Monitoring
CSC–18  IR–06  Incident Reporting
CSC–18  IR–07  Incident Response Assistance
CSC–18  IR–08  Incident Response Plan
CSC–18  IR–10  Integrated Information Security Analysis Team

CSC–19  Secure Network Engineering
CSC–19  AC–04  Information Flow Enforcement
CSC–19  CA–03  System Interconnections
CSC–19  CA–09  Internal System Connections
CSC–19  SA–08  Security Engineering Principles
CSC–19  SC–20  Secure Name/Address Resolution Service (Authoritative Source)
CSC–19  SC–21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
CSC–19  SC–22  Architecture and Provisioning for Name/Address Resolution Service
CSC–19  SC–32  Information System Partitioning
CSC–19  SC–37  Out–of–Band Channels

CSC–20  Penetration Tests and Red Team Exercises
CSC–20  PM–16  Threat Awareness Program
CSC–20  CA–02  Security Assessments
CSC–20  CA–05  Plan of Action and Milestones
CSC–20  CA–06  Security Authorization
CSC–20  CA–08  Penetration Testing
CSC–20  RA–06  Technical Surveillance Countermeasures Survey
CSC–20  SI–06  Security Function Verification
CSC–20  PM–06  Information Security Measures of Performance
CSC–20  PM–14  Testing, Training, & Monitoring
Print Date: 3/1/2014, 12:02 PM

Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
MAP_CSCv4.1_to_800‐53r4_SORTCSC

CNT: 203

CSC     CNT
CSC–01    7  Inventory of Authorized & Unauthorized Devices
CSC–02   10  Inventory of Authorized and Unauthorized Software
CSC–03   16  Secure Configurations for Mobile Devices, Workstations, Servers
CSC–04    6  Continuous Vulnerability Assessment and Remediation
CSC–05    6  Malware Defenses
CSC–06   15  Application Software Security
CSC–07   10  Wireless Device Control
CSC–08    3  Data Recovery Capability
CSC–09    9  Security Skills Assessment and Appropriate Training to Fill Gaps
CSC–10   12  Secure Configurations for Network Infrastructure & Security Devices
CSC–11   11  Ports, Protocols, and Services Management
CSC–12    9  Controlled Use of Administrative Privileges
CSC–13   11  Boundary Defense
CSC–14   17  Maintenance, Monitoring & Analysis of Audit Logs
CSC–15   10  Controlled Access Based on the Need to Know
CSC–16   11  Account Monitoring and Control
CSC–17   13  Data Loss Prevention
CSC–18    9  Incident Response and Management
CSC–19    9  Secure Network Engineering
CSC–20    9  Penetration Tests and Red Team Exercises

CNT  CSC     ID–CN  PRI  NIST_SP_800-53_REV_4_CONTROL_NAME
  1  CSC–01  CA–07  P3   Continuous Monitoring
  2  CSC–01  CM–08  P1   Information System Component Inventory
  3  CSC–01  IA–03  P1   Device Identification and Authentication
  4  CSC–01  SA–04  P1   Acquisition Process
  5  CSC–01  SC–17  P1   Public Key Infrastructure Certificates
  6  CSC–01  SI–04  P1   Information System Monitoring
  7  CSC–01  PM–05  P1   Information System Inventory
  8  CSC–02  CA–07  P3   Continuous Monitoring
  9  CSC–02  CM–02  P1   Baseline Configuration
 10  CSC–02  CM–08  P1   Information System Component Inventory
 11  CSC–02  CM–10  P2   Software Usage Restrictions
 12  CSC–02  CM–11  P1   User–Installed Software
 13  CSC–02  SA–04  P1   Acquisition Process
 14  CSC–02  SC–18  P2   Mobile Code
 15  CSC–02  SC–34  P0   Non–Modifiable Executable Programs
 16  CSC–02  SI–04  P1   Information System Monitoring
 17  CSC–02  PM–05  P1   Information System Inventory
 18  CSC–03  CA–07  P3   Continuous Monitoring
 19  CSC–03  CM–02  P1   Baseline Configuration
 20  CSC–03  CM–03  P1   Configuration Change Control
 21  CSC–03  CM–05  P1   Access Restrictions for Change
 22  CSC–03  CM–06  P1   Configuration Settings
 23  CSC–03  CM–07  P1   Least Functionality
 24  CSC–03  CM–08  P1   Information System Component Inventory
 25  CSC–03  CM–09  P1   Configuration Management Plan
 26  CSC–03  CM–11  P1   User–Installed Software
 27  CSC–03  MA–04  P1   Nonlocal Maintenance
 28  CSC–03  RA–05  P1   Vulnerability Scanning
 29  CSC–03  SA–04  P1   Acquisition Process
 30  CSC–03  SC–15  P1   Collaborative Computing Devices
 31  CSC–03  SC–34  P0   Non–Modifiable Executable Programs
 32  CSC–03  SI–02  P1   Flaw Remediation
 33  CSC–03  SI–04  P1   Information System Monitoring
 34  CSC–04  CA–02  P2   Security Assessments
 35  CSC–04  CA–07  P3   Continuous Monitoring
 36  CSC–04  RA–05  P1   Vulnerability Scanning
 37  CSC–04  SC–34  P0   Non–Modifiable Executable Programs
 38  CSC–04  SI–04  P1   Information System Monitoring
 39  CSC–04  SI–07  P1   Software, Firmware, and Information Integrity
 40  CSC–05  CA–07  P3   Continuous Monitoring
 41  CSC–05  SC–39  P1   Process Isolation
 42  CSC–05  SC–44  P0   Detonation Chambers
 43  CSC–05  SI–03  P1   Malicious Code Protection
 44  CSC–05  SI–04  P1   Information System Monitoring
 45  CSC–05  SI–08  P2   Spam Protection
 46  CSC–06  RA–05  P1   Vulnerability Scanning
 47  CSC–06  SA–03  P1   System Development Life Cycle
 48  CSC–06  SA–10  P1   Developer Configuration Management
 49  CSC–06  SA–11  P1   Developer Security Testing and Evaluation
 50  CSC–06  SA–13  P0   Trustworthiness
 51  CSC–06  SA–15  P2   Development Process, Standards, and Tools
 52  CSC–06  SA–16  P2   Developer–Provided Training
 53  CSC–06  SA–17  P1   Developer Security Architecture and Design
 54  CSC–06  SA–20  P0   Customized Development of Critical Components
 55  CSC–06  SA–21  P0   Developer Screening
 56  CSC–06  SC–39  P1   Process Isolation
 57  CSC–06  SI–10  P1   Information Input Validation
 58  CSC–06  SI–11  P2   Error Handling
 59  CSC–06  SI–15  P0   Information Output Filtering
 60  CSC–06  SI–16  P1   Memory Protection
 61  CSC–07  AC–18  P1   Wireless Access
 62  CSC–07  AC–19  P1   Access Control for Mobile Devices
 63  CSC–07  CA–03  P1   System Interconnections
 64  CSC–07  CA–07  P3   Continuous Monitoring
 65  CSC–07  CM–02  P1   Baseline Configuration
 66  CSC–07  IA–03  P1   Device Identification and Authentication
 67  CSC–07  SC–08  P1   Transmission Confidentiality and Integrity
 68  CSC–07  SC–17  P1   Public Key Infrastructure Certificates
 69  CSC–07  SC–40  P0   Wireless Link Protection
 70  CSC–07  SI–04  P1   Information System Monitoring
 71  CSC–08  CP–09  P1   Information System Backup
 72  CSC–08  CP–10  P1   Information System Recovery and Reconstitution
 73  CSC–08  MP–04  P1   Media Storage
 74  CSC–09  AT–01  P1   Security Awareness and Training Policy and Procedures
 75  CSC–09  AT–02  P1   Security Awareness Training
 76  CSC–09  AT–03  P1   Role–Based Security Training
 77  CSC–09  AT–04  P3   Security Training Records
 78  CSC–09  SA–11  P1   Developer Security Testing and Evaluation
 79  CSC–09  SA–16  P2   Developer–Provided Training
 80  CSC–09  PM–13  P1   Information Security Workforce
 81  CSC–09  PM–14  P1   Testing, Training, & Monitoring
 82  CSC–09  PM–16  P1   Threat Awareness Program
 83  CSC–10  AC–04  P1   Information Flow Enforcement
 84  CSC–10  CA–03  P1   System Interconnections
 85  CSC–10  CA–07  P3   Continuous Monitoring
 86  CSC–10  CA–09  P2   Internal System Connections
 87  CSC–10  CM–02  P1   Baseline Configuration
 88  CSC–10  CM–03  P1   Configuration Change Control
 89  CSC–10  CM–05  P1   Access Restrictions for Change
 90  CSC–10  CM–06  P1   Configuration Settings
 91  CSC–10  CM–08  P1   Information System Component Inventory
 92  CSC–10  MA–04  P1   Nonlocal Maintenance
 93  CSC–10  SC–24  P1   Fail in Known State
 94  CSC–10  SI–04  P1   Information System Monitoring
 95  CSC–11  AC–04  P1   Information Flow Enforcement
 96  CSC–11  CA–07  P3   Continuous Monitoring
 97  CSC–11  CA–09  P2   Internal System Connections
 98  CSC–11  CM–02  P1   Baseline Configuration
 99  CSC–11  CM–06  P1   Configuration Settings
100  CSC–11  CM–08  P1   Information System Component Inventory
101  CSC–11  SC–20  P1   Secure Name/Address Resolution Service (Authoritative Source)
102  CSC–11  SC–21  P1   Secure Name/Address Resolution Service (Recursive or Caching Resolver)
103  CSC–11  SC–22  P1   Architecture and Provisioning for Name/Address Resolution Service
104  CSC–11  SC–41  P0   Port and I/O Device Access
105  CSC–11  SI–04  P1   Information System Monitoring
106  CSC–12  AC–02  P1   Account Management
107  CSC–12  AC–06  P1   Least Privilege
108  CSC–12  AC–17  P1   Remote Access
109  CSC–12  AC–19  P1   Access Control for Mobile Devices
110  CSC–12  CA–07  P3   Continuous Monitoring
111  CSC–12  IA–02  P1   Identification and Authentication (Organizational Users)
112  CSC–12  IA–04  P1   Identifier Management
113  CSC–12  IA–05  P1   Authenticator Management
114  CSC–12  SI–04  P1   Information System Monitoring
115  CSC–13  AC–04  P1   Information Flow Enforcement
116  CSC–13  AC–17  P1   Remote Access
117  CSC–13  AC–20  P1   Use of External Information Systems
118  CSC–13  CA–03  P1   System Interconnections
119  CSC–13  CA–07  P3   Continuous Monitoring
120  CSC–13  CA–09  P2   Internal System Connections
121  CSC–13  CM–02  P1   Baseline Configuration
122  CSC–13  SA–09  P1   External Information System Services
123  CSC–13  SC–07  P1   Boundary Protection
124  CSC–13  SC–08  P1   Transmission Confidentiality and Integrity
125  CSC–13  SI–04  P1   Information System Monitoring
126  CSC–14  AC–23  P0   Data Mining Protection
127  CSC–14  AU–02  P1   Audit Events
128  CSC–14  AU–03  P1   Content of Audit Records
129  CSC–14  AU–04  P1   Audit Storage Capacity
130  CSC–14  AU–05  P1   Response to Audit Processing Failures
131  CSC–14  AU–06  P1   Audit Review, Analysis, and Reporting
132  CSC–14  AU–07  P2   Audit Reduction and Report Generation
133  CSC–14  AU–08  P1   Time Stamps
134  CSC–14  AU–09  P1   Protection of Audit Information
135  CSC–14  AU–10  P1   Non–repudiation
136  CSC–14  AU–11  P3   Audit Record Retention
137  CSC–14  AU–12  P1   Audit Generation
138  CSC–14  AU–13  P0   Monitoring for Information Disclosure
139  CSC–14  AU–14  P0   Session Audit
140  CSC–14  CA–07  P3   Continuous Monitoring
141  CSC–14  IA–10  P0   Adaptive Identification and Authentication
142  CSC–14  SI–04  P1   Information System Monitoring
143  CSC–15  AC–01  P1   Access Control Policy and Procedures
144  CSC–15  AC–02  P1   Account Management
145  CSC–15  AC–03  P1   Access Enforcement
146  CSC–15  AC–06  P1   Least Privilege
147  CSC–15  AC–24  P0   Access Control Decisions
148  CSC–15  CA–07  P3   Continuous Monitoring
149  CSC–15  MP–03  P2   Media Marking
150  CSC–15  RA–02  P1   Security Categorization
151  CSC–15  SC–16  P0   Transmission of Security Attributes
152  CSC–15  SI–04  P1   Information System Monitoring
153  CSC–16  AC–02  P1   Account Management
154  CSC–16  AC–03  P1   Access Enforcement
155  CSC–16  AC–07  P2   Unsuccessful Logon Attempts
156  CSC–16  AC–11  P3   Session Lock
157  CSC–16  AC–12  P2   Session Termination
158  CSC–16  CA–07  P3   Continuous Monitoring
159  CSC–16  IA–05  P1   Authenticator Management
160  CSC–16  IA–10  P0   Adaptive Identification and Authentication
161  CSC–16  SC–17  P1   Public Key Infrastructure Certificates
162  CSC–16  SC–23  P1   Session Authenticity
163  CSC–16  SI–04  P1   Information System Monitoring
164  CSC–17  AC–03  P1   Access Enforcement
165  CSC–17  AC–04  P1   Information Flow Enforcement
166  CSC–17  AC–23  P0   Data Mining Protection
167  CSC–17  CA–07  P3   Continuous Monitoring
168  CSC–17  CA–09  P2   Internal System Connections
169  CSC–17  IR–09  P0   Information Spillage Response
170  CSC–17  MP–05  P1   Media Transport
171  CSC–17  SA–18  P0   Tamper Resistance and Detection
172  CSC–17  SC–08  P1   Transmission Confidentiality and Integrity
173  CSC–17  SC–28  P1   Protection of Information at Rest
174  CSC–17  SC–31  P0   Covert Channel Analysis
175  CSC–17  SC–41  P0   Port and I/O Device Access
176  CSC–17  SI–04  P1   Information System Monitoring
177  CSC–18  IR–01  P1   Incident Response Policy and Procedures
178  CSC–18  IR–02  P2   Incident Response Training
179  CSC–18  IR–03  P2   Incident Response Testing
180  CSC–18  IR–04  P1   Incident Handling
181  CSC–18  IR–05  P1   Incident Monitoring
Print Date: 3/1/2014, 12:02 PM
CNT: 203

Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
Sheet: MAP_CSCv4.1_to_800‐53r4_SORTCSC
Columns: # | CSC | ID–CN | NIST_SP_800-53_REV_4_CONTROL_NAME | PRI | CSC–01 … CSC–20 (X marks the mapped CSC) | CNT

CSC legend, with the number of mapped controls per CSC (total CNT: 203):
CSC–01 | Inventory of Authorized & Unauthorized Devices | 12
CSC–02 | Inventory of Authorized and Unauthorized Software | 7
CSC–03 | Secure Configurations for Mobile Devices, Workstations, Servers | 10
CSC–04 | Continuous Vulnerability Assessment and Remediation | 16
CSC–05 | Malware Defenses | 6
CSC–06 | Application Software Security | 6
CSC–07 | Wireless Device Control | 15
CSC–08 | Data Recovery Capability | 10
CSC–09 | Security Skills Assessment and Appropriate Training to Fill Gaps | 3
CSC–10 | Secure Configurations for Network Infrastructure & Security Devices | 9
CSC–11 | Ports, Protocols, and Services Management | 11
CSC–12 | Controlled Use of Administrative Privileges | 9
CSC–13 | Boundary Defense | 11
CSC–14 | Maintenance, Monitoring & Analysis of Audit Logs | 17
CSC–15 | Controlled Access Based on the Need to Know | 10
CSC–16 | Account Monitoring and Control | 11
CSC–17 | Data Loss Prevention | 13
CSC–18 | Incident Response and Management | 9
CSC–19 | Secure Network Engineering | 9
CSC–20 | Penetration Tests and Red Team Exercises | 9

# | CSC | ID–CN | NIST_SP_800-53_REV_4_CONTROL_NAME | PRI | CNT
182 | CSC–18 | IR–06 | Incident Reporting | P1 | 1
183 | CSC–18 | IR–07 | Incident Response Assistance | P3 | 1
184 | CSC–18 | IR–08 | Incident Response Plan | P1 | 1
185 | CSC–18 | IR–10 | Integrated Information Security Analysis Team | P0 |
186 | CSC–19 | AC–04 | Information Flow Enforcement | P1 |
187 | CSC–19 | CA–03 | System Interconnections | P1 |
188 | CSC–19 | CA–09 | Internal System Connections | P2 |
189 | CSC–19 | SA–08 | Security Engineering Principles | P1 |
190 | CSC–19 | SC–20 | Secure Name/Address Resolution Service (Authoritative Source) | P1 |
191 | CSC–19 | SC–21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1 |
192 | CSC–19 | SC–22 | Architecture and Provisioning for Name/Address Resolution Service | P1 | 2
193 | CSC–19 | SC–32 | Information System Partitioning | P0 | 1
194 | CSC–19 | SC–37 | Out–of–Band Channels | P0 |
195 | CSC–20 | PM–16 | Threat Awareness Program | P1 |
196 | CSC–20 | CA–02 | Security Assessments | P2 |
197 | CSC–20 | CA–05 | Plan of Action and Milestones | P3 |
198 | CSC–20 | CA–06 | Security Authorization | P3 |
199 | CSC–20 | CA–08 | Penetration Testing | P1 | 1
200 | CSC–20 | RA–06 | Technical Surveillance Countermeasures Survey | P0 | 1
201 | CSC–20 | SI–06 | Security Function Verification | P1 | 1
202 | CSC–20 | PM–06 | Information Security Measures of Performance | P1 | 1
203 | CSC–20 | PM–14 | Testing, Training, & Monitoring | P1 | 2
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
Sheet: MAP_CSCv4.1_to_800‐53r4_SORT_ID
Columns: FAMILY | ID–CN | CONTROL NAME | PRI | CSC–01 … CSC–20 (X marks each mapped CSC) | CNT (Occurrences); total CNT 203

Access Control (AC)
FAMILY | ID–CN | CONTROL NAME | PRI | CNT
AC | AC–01 | Access Control Policy and Procedures | P1 |
AC | AC–02 | Account Management | P1 |
AC | AC–03 | Access Enforcement | P1 |
AC | AC–04 | Information Flow Enforcement | P1 |
AC | AC–05 | Separation of Duties | P1 |
AC | AC–06 | Least Privilege | P1 |
AC | AC–07 | Unsuccessful Logon Attempts | P2 |
AC | AC–08 | System Use Notification | P1 |
AC | AC–09 | Previous Logon (Access) Notification | P0 |
AC | AC–10 | Concurrent Session Control | P2 |
AC | AC–11 | Session Lock | P3 | 1
AC | AC–12 | Session Termination | P2 | 1
AC | AC–13 | Withdrawn | ––– |
AC | AC–14 | Permitted Actions without Identification or Authentication | P1 |
AC | AC–15 | Withdrawn | ––– |
AC | AC–16 | Security Attributes | P0 |
AC | AC–17 | Remote Access | P1 |
AC | AC–18 | Wireless Access | P1 |
AC | AC–19 | Access Control for Mobile Devices | P1 |
AC | AC–20 | Use of External Information Systems | P1 |
AC | AC–21 | Information Sharing | P2 |
AC | AC–22 | Publicly Accessible Content | P2 |
AC | AC–23 | Data Mining Protection | P0 |
AC | AC–24 | Access Control Decisions | P0 |
AC | AC–25 | Reference Monitor | P0 |

Awareness and Training (AT), family CNT 4
AT | AT–01 | Security Awareness and Training Policy and Procedures | P1 | 1
AT | AT–02 | Security Awareness Training | P1 | 1
AT | AT–03 | Role–Based Security Training | P1 | 1
AT | AT–04 | Security Training Records | P3 | 1
AT | AT–05 | Withdrawn | ––– |

Audit & Accountability (AU), family CNT 13
AU | AU–01 | Audit and Accountability Policy and Procedures | P1 |
AU | AU–02 | Audit Events | P1 | 1
AU | AU–03 | Content of Audit Records | P1 | 1
AU | AU–04 | Audit Storage Capacity | P1 | 1
AU | AU–05 | Response to Audit Processing Failures | P1 | 1
AU | AU–06 | Audit Review, Analysis, and Reporting | P1 | 1
AU | AU–07 | Audit Reduction and Report Generation | P2 | 1

AU | AU–08 | Time Stamps | | 1
AU | AU–09 | Protection of Audit Information | P1 | 1
AU | AU–10 | Non–repudiation | P1 | 1
AU | AU–11 | Audit Record Retention | P3 | 1
AU | AU–12 | Audit Generation | P1 | 1
AU | AU–13 | Monitoring for Information Disclosure | P0 | 1
AU | AU–14 | Session Audit | P0 | 1
AU | AU–15 | Alternate Audit Capability | P0 |
AU | AU–16 | Cross–Organizational Auditing | P0 |

Security Assessment and Authorization (CA)

CA | CA–01 | Security Assessment and Authorization Policies and Procedures | |
CA | CA–02 | Security Assessments | P2 |
CA | CA–03 | System Interconnections | P1 |
CA | CA–04 | Withdrawn | ––– |
CA | CA–05 | Plan of Action and Milestones | P3 |
CA | CA–06 | Security Authorization | P3 |
CA | CA–07 | Continuous Monitoring | P3 |
CA | CA–08 | Penetration Testing | P1 |
CA | CA–09 | Internal System Connections | P2 |

Configuration Management (CM)

CM | CM–01 | Configuration Management Policy and Procedures | P1 |
CM | CM–02 | Baseline Configuration | P1 |
CM | CM–03 | Configuration Change Control | P1 |
CM | CM–04 | Security Impact Analysis | P2 |
CM | CM–05 | Access Restrictions for Change | |
CM | CM–06 | Configuration Settings | |
CM | CM–07 | Least Functionality | P1 |
CM | CM–08 | Information System Component Inventory | P1 |
CM | CM–09 | Configuration Management Plan | P1 |
CM | CM–10 | Software Usage Restrictions | P2 |
CM | CM–11 | User–Installed Software | P1 |


Contingency Planning (CP), family CNT 2
CP | CP–01 | Contingency Planning Policy and Procedures | P1 |
CP | CP–02 | Contingency Plan | P1 |
CP | CP–03 | Contingency Training | P2 |
CP | CP–04 | Contingency Plan Testing | P2 |
CP | CP–05 | Withdrawn | ––– |
CP | CP–06 | Alternate Storage Site | P1 |
CP | CP–07 | Alternate Processing Site | |
CP | CP–08 | Telecommunications Services | P1 |
CP | CP–09 | Information System Backup | P1 | 1
CP | CP–10 | Information System Recovery and Reconstitution | P1 | 1
CP | CP–11 | Alternate Communications Protocols | P0 |
CP | CP–12 | Safe Mode | P0 |
CP | CP–13 | Alternative Security Mechanisms | P0 |

Identification and Authentication (IA)
IA | IA–01 | Identification and Authentication Policy and Procedures | |
IA | IA–02 | Identification and Authentication (Organizational Users) | P1 |

IA | IA–03 | Device Identification and Authentication | P1 |
IA | IA–04 | Identifier Management | P1 |
IA | IA–05 | Authenticator Management | P1 |
IA | IA–06 | Authenticator Feedback | P1 |
IA | IA–07 | Cryptographic Module Authentication | P1 |
IA | IA–08 | Identification and Authentication (Non–Organizational Users) | P1 |
IA | IA–09 | Service Identification and Authentication | P0 |
IA | IA–10 | Adaptive Identification and Authentication | P0 |
IA | IA–11 | Re–authentication | |

Incident Response (IR), family CNT 10
IR | IR–01 | Incident Response Policy and Procedures | P1 | 1
IR | IR–02 | Incident Response Training | P2 | 1
IR | IR–03 | Incident Response Testing | P2 | 1
IR | IR–04 | Incident Handling | P1 | 1
IR | IR–05 | Incident Monitoring | P1 | 1
IR | IR–06 | Incident Reporting | P1 | 1
IR | IR–07 | Incident Response Assistance | P3 | 1
IR | IR–08 | Incident Response Plan | P1 | 1
IR | IR–09 | Information Spillage Response | P0 | 1
IR | IR–10 | Integrated Information Security Analysis Team | P0 | 1

Maintenance (MA)
MA | MA–01 | System Maintenance Policy and Procedures | |
MA | MA–02 | Controlled Maintenance | |
MA | MA–03 | Maintenance Tools | |
MA | MA–04 | Nonlocal Maintenance | P1 |
MA | MA–05 | Maintenance Personnel | |
MA | MA–06 | Timely Maintenance | |

Media Protection (MP)
MP | MP–01 | Media Protection Policy and Procedures | |
MP | MP–02 | Media Access | |
MP | MP–03 | Media Marking | |
MP | MP–04 | Media Storage | |
MP | MP–05 | Media Transport | |
MP | MP–06 | Media Sanitization | |
MP | MP–07 | Media Use | |
MP | MP–08 | Media Downgrading | |

Physical and Environmental Protection (PE)
PE | PE–01 | Physical and Environmental Protection Policy and Procedures | |
PE | PE–02 | Physical Access Authorizations | |
PE | PE–03 | Physical Access Control | |
PE | PE–04 | Access Control for Transmission Medium | P1 |
PE | PE–05 | Access Control for Output Devices | P2 |
PE | PE–06 | Monitoring Physical Access | P1 |
PE | PE–07 | Withdrawn | ––– |
PE | PE–08 | Visitor Access Records | |
PE | PE–09 | Power Equipment and Cabling | P1 |
PE | PE–10 | Emergency Shutoff | P1 |
PE | PE–11 | Emergency Power | P1 |
PE | PE–12 | Emergency Lighting | P1 |
PE | PE–13 | Fire Protection | P1 |
PE | PE–14 | Temperature and Humidity Controls | P1 |
PE | PE–15 | Water Damage Protection | P1 |
PE | PE–16 | Delivery and Removal | P2 |
PE | PE–17 | Alternate Work Site | P2 |
PE | PE–18 | Location of Information System Components | P3 |
PE | PE–19 | Information Leakage | P0 |
PE | PE–20 | Asset Monitoring and Tracking | P0 |

Planning (PL)
PL | PL–01 | Security Planning Policy and Procedures | P1 |
PL | PL–02 | System Security Plan | P1 |
PL | PL–03 | Withdrawn | ––– |
PL | PL–04 | Rules of Behavior | |
PL | PL–05 | Withdrawn | ––– |
PL | PL–06 | Withdrawn | ––– |
PL | PL–07 | Security Concept of Operations | P0 |
PL | PL–08 | Information Security Architecture | P1 |
PL | PL–09 | Central Management | |

Personnel Security (PS)
PS | PS–01 | Personnel Security Policy and Procedures | P1 |
PS | PS–02 | Position Risk Designation | P1 |
PS | PS–03 | Personnel Screening | P1 |
PS | PS–04 | Personnel Termination | P1 |
PS | PS–05 | Personnel Transfer | P2 |
PS | PS–06 | Access Agreements | P3 |
PS | PS–07 | Third–Party Personnel Security | P1 |
PS | PS–08 | Personnel Sanctions | P3 |

Risk Assessment (RA)
RA | RA–01 | Risk Assessment Policy and Procedures | |
RA | RA–02 | Security Categorization | |
RA | RA–03 | Risk Assessment | |
RA | RA–04 | Withdrawn | ––– |
RA | RA–05 | Vulnerability Scanning | P1 |
RA | RA–06 | Technical Surveillance Countermeasures Survey | P0 |

System and Services Acquisition (SA)
SA | SA–01 | System and Services Acquisition Policy and Procedures | |
SA | SA–02 | Allocation of Resources | |
SA | SA–03 | System Development Life Cycle | P1 |
SA | SA–04 | Acquisition Process | P1 |
SA | SA–05 | Information System Documentation | |
SA | SA–06 | Withdrawn | ––– |
SA | SA–07 | Withdrawn | ––– |
SA | SA–08 | Security Engineering Principles | P1 |
SA | SA–09 | External Information System Services | P1 |
SA | SA–10 | Developer Configuration Management | P1 |
SA | SA–11 | Developer Security Testing and Evaluation | P1 |
SA | SA–12 | Supply Chain Protection | P1 |
SA | SA–13 | Trustworthiness | P0 |
SA | SA–14 | Criticality Analysis | P0 |
SA | SA–15 | Development Process, Standards, and Tools | P2 |
SA | SA–16 | Developer–Provided Training | P2 |
SA | SA–17 | Developer Security Architecture and Design | P1 |
SA | SA–18 | Tamper Resistance and Detection | P0 |
SA | SA–19 | Component Authenticity | P0 |
SA | SA–20 | Customized Development of Critical Components | P0 |

SA | SA–21 | Developer Screening | P0 |
SA | SA–22 | Unsupported System Components | P0 |

System and Communications Protection (SC)

SC | SC–01 | System and Communications Protection Policy and Procedures | |
SC | SC–02 | Application Partitioning | P1 |
SC | SC–03 | Security Function Isolation | P1 |
SC | SC–04 | Information in Shared Resources | P1 |
SC | SC–05 | Denial of Service Protection | P1 |
SC | SC–06 | Resource Availability | P0 |
SC | SC–07 | Boundary Protection | P1 |
SC | SC–08 | Transmission Confidentiality and Integrity | P1 |
SC | SC–09 | Withdrawn | ––– |
SC | SC–10 | Network Disconnect | P2 |
SC | SC–11 | Trusted Path | P0 |
SC | SC–12 | Cryptographic Key Establishment and Management | P1 |
SC | SC–13 | Cryptographic Protection | |
SC | SC–14 | Withdrawn | ––– |
SC | SC–15 | Collaborative Computing Devices | P1 |
SC | SC–16 | Transmission of Security Attributes | P0 |
SC | SC–17 | Public Key Infrastructure Certificates | P1 |
SC | SC–18 | Mobile Code | P2 |
SC | SC–19 | Voice Over Internet Protocol | P1 |
SC | SC–20 | Secure Name/Address Resolution Service (Authoritative Source) | P1 |
SC | SC–21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1 |
SC | SC–22 | Architecture and Provisioning for Name/Address Resolution Service | P1 |
SC | SC–23 | Session Authenticity | P1 |
SC | SC–24 | Fail in Known State | P1 |
SC | SC–25 | Thin Nodes | P0 |
SC | SC–26 | Honeypots | P0 |
SC | SC–27 | Platform–Independent Applications | P0 |
SC | SC–28 | Protection of Information at Rest | P1 |
SC | SC–29 | Heterogeneity | P0 |
SC | SC–30 | Concealment and Misdirection | P0 |
SC | SC–31 | Covert Channel Analysis | P0 |
SC | SC–32 | Information System Partitioning | P0 |
SC | SC–33 | Withdrawn | ––– |
SC | SC–34 | Non–Modifiable Executable Programs | P0 |
SC | SC–35 | Honeyclients | P0 |

SC | SC–36 | Distributed Processing and Storage | |
SC | SC–37 | Out–of–Band Channels | P0 |
SC | SC–38 | Operations Security | |
SC | SC–39 | Process Isolation | |
SC | SC–40 | Wireless Link Protection | |
SC | SC–41 | Port and I/O Device Access | P0 |
SC | SC–42 | Sensor Capability and Data | |
SC | SC–43 | Usage Restrictions | |
SC | SC–44 | Detonation Chambers | |

System and Information Integrity (SI)

SI | SI–01 | System and Information Integrity Policy and Procedures | P1 |
SI | SI–02 | Flaw Remediation | P1 |
SI | SI–03 | Malicious Code Protection | P1 |
SI | SI–04 | Information System Monitoring | P1 |
SI | SI–05 | Security Alerts, Advisories, and Directives | P1 |
SI | SI–06 | Security Function Verification | P1 |
SI | SI–07 | Software, Firmware, and Information Integrity | P1 |
SI | SI–08 | Spam Protection | P2 |
SI | SI–09 | Withdrawn | ––– |
SI | SI–10 | Information Input Validation | P1 | 1
SI | SI–11 | Error Handling | P2 | 1
SI | SI–12 | Information Handling and Retention | P2 |
SI | SI–13 | Predictable Failure Prevention | P0 |
SI | SI–14 | Non–Persistence | P0 |
SI | SI–15 | Information Output Filtering | P0 | 1
SI | SI–16 | Memory Protection | P1 | 1
SI | SI–17 | Fail–Safe Procedures | P0 | 1
Program Management (PM)
PM | PM–01 | Information Security Program Plan | |
PM | PM–02 | Senior Information Security Officer | |
PM | PM–03 | Information Security Resources | |
PM | PM–04 | Plan of Action and Milestones Process | |
PM | PM–05 | Information System Inventory | P1 |
PM | PM–06 | Information Security Measures of Performance | |
PM | PM–07 | Enterprise Architecture | |
PM | PM–08 | Critical Infrastructure Plan | P1 |
PM | PM–09 | Risk Management Strategy | P1 |
PM | PM–10 | Security Authorization Process | |


PM | PM–11 | Mission/Business Process Definition | P1 |
PM | PM–12 | Insider Threat Program | P1 |
PM | PM–13 | Information Security Workforce | P1 |
PM | PM–14 | Testing, Training, & Monitoring | P1 | 2
PM | PM–15 | Contacts with Security Groups and Associations | P1 |
PM | PM–16 | Threat Awareness Program | P1 | 2


Sheet: HMAP_53r4_to_CSCv4.1_&_NIST_PUBS
Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications.
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4

Heat map layout: one row per CSC (and, below, per NIST 800 Series Special Publication), one column per NIST SP 800‐53 Rev 4 control, an X where the row maps to the control. Row headers: CSC | Critical Security Controls | Total. Column headers on this page: AC–01 through AC–25 (Access Control), AT–01 through AT–05 (Awareness and Training), AU–01 through AU–08 (Audit & Accountability), with the control names given in the ID‐sorted sheet.

CSC | Critical Security Controls | Total
CSC–01 | Inventory of Authorized & Unauthorized Devices | 12
CSC–02 | Inventory of Authorized and Unauthorized Software | 7
CSC–03 | Secure Configurations for Mobile Devices, Workstations, Servers | 10
CSC–04 | Continuous Vulnerability Assessment and Remediation | 16
CSC–05 | Malware Defenses | 6
CSC–06 | Application Software Security | 6
CSC–07 | Wireless Device Control | 15
CSC–08 | Data Recovery Capability | 10
CSC–09 | Security Skills Assessment and Appropriate Training to Fill Gaps | 3
CSC–10 | Secure Configurations for Network Infrastructure & Security Devices | 9
CSC–11 | Ports, Protocols, and Services Management | 11
CSC–12 | Controlled Use of Administrative Privileges | 9
CSC–13 | Boundary Defense | 11
CSC–14 | Maintenance, Monitoring and Analysis of Audit Logs | 17
CSC–15 | Controlled Access Based on the Need to Know | 10
CSC–16 | Account Monitoring and Control | 11
CSC–17 | Data Loss Prevention | 13
CSC–18 | Incident Response and Management | 9
CSC–19 | Secure Network Engineering | 9
CSC–20 | Penetration Tests and Red Team Exercises | 9

NIST 800 Series Special Publications

SP | Title
SP 800-12 | An Introduction to Computer Security: The NIST Handbook
SP 800-13 | Telecommunications Security Guidelines for Telecommunications Manageme
SP 800-14 | Generally Accepted Principles and Practices for Securing Information Techno
SP 800-15 Version 1 | MISPC Minimum Interoperability Specification for PKI Components
SP 800-16 | Information Technology Security Training Requirements: A Role- and Perform
SP 800-16 Rev. 1 | DRAFT Information Security Training Requirements: A Role- and Performanc
SP 800-17 | Modes of Operation Validation System (MOVS): Requirements and Procedure
SP 800-18 Rev.1 | Guide for Developing Security Plans for Federal Information Systems
SP 800-19 | Mobile Agent Security
SP 800-20 | Modes of Operation Validation System for the Triple Data Encryption Algorith
800-21 2nd edition | Guideline for Implementing Cryptography in the Federal Government
SP 800-22 Rev. 1a | A Statistical Test Suite for Random and Pseudorandom Number Generators f
SP 800-23 | Guidelines to Federal Organizations on Security Assurance and Acquisition/U
SP 800-24 | PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D
SP 800-25 | Federal Agency Use of Public Key Technology for Digital Signatures and Auth
SP 800-27 Rev. A | Engineering Principles for Information Technology Security (A Baseline for A
SP 800-28 Version 2 | Guidelines on Active Content and Mobile Code
SP 800-29 | A Comparison of the Security Requirements for Cryptographic Modules in FI
SP 800-30 | Risk Management Guide for Information Technology Systems
SP 800-30 Rev. 1 | Guide for Conducting Risk Assessments
SP 800-32 | Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33 | Underlying Technical Models for Information Technology Security
SP 800-34 Rev. 1 | Contingency Planning Guide for Federal Information Systems (Errata Page -
SP 800-35 | Guide to Information Technology Security Services
SP 800-36 | Guide to Selecting Information Technology Security Products

Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx

Page 22 of 69

Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications.
HMAP_53r4_to_CSCv4.1_&_NIST_PUBS
Print Date: 3/1/2014, 12:02 PM

Columns: Critical Security Controls (CSC), Total, ?, then the NIST SP 800‐53 Rev. 4 controls by family:

Access Control (AC)
AC–01 Access Control Policy and Procedures
AC–02 Account Management
AC–03 Access Enforcement
AC–04 Information Flow Enforcement
AC–05 Separation of Duties
AC–06 Least Privilege
AC–07 Unsuccessful Logon Attempts
AC–08 System Use Notification
AC–09 Previous Logon (Access) Notification
AC–10 Concurrent Session Control
AC–11 Session Lock
AC–12 Session Termination
AC–13 Withdrawn
AC–14 Permitted Actions without Identification or Authenticatio
AC–15 Withdrawn
AC–16 Security Attributes
AC–17 Remote Access
AC–18 Wireless Access
AC–19 Access Control for Mobile Devices
AC–20 Use of External Information Systems
AC–21 Information Sharing
AC–22 Publicly Accessible Content
AC–23 Data Mining Protection
AC–24 Access Control Decisions
AC–25 Reference Monitor

Awareness and Training (AT)
AT–01 Security Awareness and Training Policy and Procedures
AT–02 Security Awareness Training
AT–03 Role–Based Security Training
AT–04 Security Training Records
AT–05 Withdrawn

Audit & Accountability (AU)
AU–01 Audit and Accountability Policy and Procedures
AU–02 Audit Events
AU–03 Content of Audit Records
AU–04 Audit Storage Capacity
AU–05 Response to Audit Processing Failures
AU–06 Audit Review, Analysis, and Reporting
AU–07 Audit Reduction and Report Generation
AU–08 Time Stamps

SP 800-37 Rev. 1 | Guide for Applying the Risk Management Framework to Federal Information
SP 800-38 A | Recommendation for Block Cipher Modes of Operation - Methods and Techni
SP 800-38 A - Addendum | Recommendation for Block Cipher Modes of Operation: Three Variants of Cip
SP 800-38 B | Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A
SP 800-38 C | Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au
SP 800-38 D | Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
SP 800-38 E | Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f
SP 800-38 F | DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K
SP 800-39 | Managing Information Security Risk: Organization, Mission, and Information
SP 800-40 Version 2.0 | Creating a Patch and Vulnerability Management Program
SP 800-41 Rev. 1 | Guidelines on Firewalls and Firewall Policy
SP 800-43 | Systems Administration Guidance for Windows 2000 Professional System
SP 800-44 Version 2 | Guidelines on Securing Public Web Servers
SP 800-45 Version 2 | Guidelines on Electronic Mail Security
SP 800-46 Rev. 1 | Guide to Enterprise Telework and Remote Access Security
SP 800-47 | Security Guide for Interconnecting Information Technology Systems
SP 800-48 Rev. 1 | Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP 800-49 | Federal S/MIME V3 Client Profile
SP 800-50 | Building an Information Technology Security Awareness and Training Progra
SP 800-51 Rev. 1 | Guide to Using Vulnerability Naming Schemes
SP 800-52 | Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple
SP 800-53 A Rev. 1 | Guide for Assessing the Security Controls in Federal Information Systems an
SP 800-53 Rev. 3 | Recommended Security Controls for Federal Information Systems and Organ

SP 800-53 Rev. 4 | DRAFT Security and Privacy Controls for Federal Information Systems and O
SP 800-54 | Border Gateway Protocol Security
SP 800-55 Rev. 1 | Performance Measurement Guide for Information Security
SP 800-56 A | Recommendation for Pair-Wise Key Establishment Schemes Using Discrete L
SP 800-56 B | Recommendation for Pair-Wise Key Establishment Schemes Using Integer Fa
SP 800-56 C | Recommendation for Key Derivation through Extraction-then-Expansion
SP 800-57 | Recommendation for Key Management
SP 800-57 Part 1 | DRAFT Recommendation for Key Management: Part 1: General
SP 800-58 | Security Considerations for Voice Over IP Systems
SP 800-59 | Guideline for Identifying an Information System as a National Security Syste
SP 800-60 Rev. 1 | Guide for Mapping Types of Information and Information Systems to Securit
SP 800-61 Rev. 1 | Computer Security Incident Handling Guide
SP 800-61 Rev. 2 | DRAFT Computer Security Incident Handling Guide
SP 800-63 Rev. 1 | Electronic Authentication Guideline
SP 800-63 Version 1.0.2 | Electronic Authentication Guideline
SP 800-64 Rev. 2 | Security Considerations in the System Development Life Cycle
SP 800-65 | Integrating IT Security into the Capital Planning and Investment Control Pro
SP 800-65 Rev. 1 | DRAFT Recommendations for Integrating Information Security into the Capit
SP 800-66 Rev 1 | An Introductory Resource Guide for Implementing the Health Insurance Port
SP 800-67 Rev. 1 | Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Ciph
SP 800-68 Rev. 1 | Guide to Securing Microsoft Windows XP Systems for IT Professionals
SP 800-69 | Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security
SP 800-70 Rev. 2 | National Checklist Program for IT Products: Guidelines for Checklist Users an

SP 800-72 | Guidelines on PDA Forensics
SP 800-73 -3 | Interfaces for Personal Identity Verification (4 Parts)
SP 800-76 -1 | Biometric Data Specification for Personal Identity Verification
SP 800-76 -2 | DRAFT Biometric Data Specification for Personal Identity Verification
SP 800-77 | Guide to IPsec VPNs
SP 800-78 -3 | Cryptographic Algorithms and Key Sizes for Personal Identification Verificatio
SP 800-79 -1 | Guidelines for the Accreditation of Personal Identity Verification (PIV) Card I
SP 800-81 Rev. 1 | Secure Domain Name System (DNS) Deployment Guide
SP 800-82 | Guide to Industrial Control Systems (ICS) Security
SP 800-83 | Guide to Malware Incident Prevention and Handling
SP 800-84 | Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-85 A-2 | PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3
SP 800-85 B | PIV Data Model Test Guidelines
SP 800-85 B-1 | DRAFT PIV Data Model Conformance Test Guidelines
SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response
SP 800-87 Rev 1 | Codes for Identification of Federal and Federally-Assisted Organizations
SP 800-88 | Guidelines for Media Sanitization
SP 800-89 | Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-90 A | Recommendation for Random Number Generation Using Deterministic Rando
SP 800-92 | Guide to Computer Security Log Management
SP 800-94 | Guide to Intrusion Detection and Prevention Systems (IDPS)
SP 800-95 | Guide to Secure Web Services
SP 800-96 | PIV Card to Reader Interoperability Guidelines

SP 800-97 | Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-98 | Guidelines for Securing Radio Frequency Identification (RFID) Systems
SP 800-100 | Information Security Handbook: A Guide for Managers
SP 800-101 | Guidelines on Cell Phone Forensics
SP 800-102 | Recommendation for Digital Signature Timeliness
SP 800-103 | DRAFT An Ontology of Identity Credentials, Part I: Background and Formula
SP 800-104 | A Scheme for PIV Visual Card Topography
SP 800-106 | Randomized Hashing for Digital Signatures
SP 800-107 | Recommendation for Applications Using Approved Hash Algorithms
SP 800-107 Revised | DRAFT Recommendation for Applications Using Approved Hash Algorithms
SP 800-108 | Recommendation for Key Derivation Using Pseudorandom Functions
SP 800-111 | Guide to Storage Encryption Technologies for End User Devices
SP 800-113 | Guide to SSL VPNs
SP 800-114 | User's Guide to Securing External Devices for Telework and Remote Access
SP 800-115 | Technical Guide to Information Security Testing and Assessment
SP 800-116 | A Recommendation for the Use of PIV Credentials in Physical Access Control
SP 800-117 | Guide to Adopting and Using the Security Content Automation Protocol (SCA
SP 800-117 Rev. 1 | DRAFT Guide to Adopting and Using the Security Content Automation Protoc
SP 800-118 | DRAFT Guide to Enterprise Password Management
SP 800-119 | Guidelines for the Secure Deployment of IPv6
SP 800-120 | Recommendation for EAP Methods Used in Wireless Network Access Authent
SP 800-121 Rev. 1 | Guide to Bluetooth Security
SP 800-122 | Guide to Protecting the Confidentiality of Personally Identifiable Information

SP 800-123 | Guide to General Server Security
SP 800-124 | Guidelines on Cell Phone and PDA Security
SP 800-125 | Guide to Security for Full Virtualization Technologies
SP 800-126 | The Technical Specification for the Security Content Automation Protocol (SC
SP 800-126 Rev. 1 | The Technical Specification for the Security Content Automation Protocol (SC
SP 800-126 Rev. 2 | The Technical Specification for the Security Content Automation Protocol (SC
SP 800-127 | Guide to Securing WiMAX Wireless Communications
SP 800-128 | Guide for Security-Focused Configuration Management of Information Syste
SP 800-130 | DRAFT A Framework for Designing Cryptographic Key Management Systems
SP 800-131 A | Transitions: Recommendation for Transitioning the Use of Cryptographic Alg
SP 800-131 B | DRAFT Transitions: Validation of Transitioning Cryptographic Algorithm and
SP 800-131 C | DRAFT Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3
SP 800-132 | Recommendation for Password-Based Key Derivation Part 1: Storage Applica
SP 800-133 | DRAFT Recommendation for Cryptographic Key Generation
SP 800-135 Rev. 1 | Recommendation for Existing Application-Specific Key Derivation Functions
SP 800-137 | Information Security Continuous Monitoring for Federal Information Systems
SP 800-142 | Practical Combinatorial Testing
SP 800-144 | Guidelines on Security and Privacy in Public Cloud Computing
SP 800-145 | A NIST Definition of Cloud Computing
SP 800-146 | Cloud Computing Synopsis and Recommendations
SP 800-147 | Basic Input/Output System (BIOS) Protection Guidelines
SP 800-153 | Guidelines for Securing Wireless Local Area Networks (WLANs)
SP 800-155 | DRAFT BIOS Integrity Measurement Guidelines

Critical Security Controls (CSC) rows, with the Total column where the page gives it:
CSC–01 Inventory of Authorized & Unauthorized Devices | Total 7
CSC–02 Inventory of Authorized and Unauthorized Software | Total 10
CSC–03 Secure Configurations for Mobile Devices, Workstations, Servers | Total 16
CSC–04 Continuous Vulnerability Assessment and Remediation | Total 6
CSC–05 Malware Defenses | Total 6
CSC–06 Application Software Security
CSC–07 Wireless Device Control
CSC–08 Data Recovery Capability
CSC–09 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC–10 Secure Configurations for Network Infrastructure & Security Devices | Total 12
CSC–11 | Total 11
CSC–12 | Total 9
CSC–13 | Total 11
CSC–14 | Total 17
CSC–15 | Total 10
CSC–16 | Total 11
CSC–17 | Total 13
CSC–18 | Total 9
CSC–19 | Total 9
CSC–20 | Total 9

Columns, continued (NIST SP 800‐53 Rev. 4 controls by family):

Audit & Accountability (AU), continued
AU–09 Protection of Audit Information
AU–10 Non–repudiation
AU–11 Audit Record Retention
AU–12 Audit Generation
AU–13 Monitoring for Information Disclosure
AU–14 Session Audit
AU–15 Alternate Audit Capability
AU–16 Cross–Organizational Auditing

Security Assessment and Authorization (CA)
CA–01 Security Assessment and Authorization Policies and Pro
CA–02 Security Assessments
CA–03 System Interconnections
CA–04 Withdrawn
CA–05 Plan of Action and Milestones
CA–06 Security Authorization
CA–07 Continuous Monitoring
CA–08 Penetration Testing
CA–09 Internal System Connections

Configuration Management (CM)
CM–01 Configuration Management Policy and Procedures
CM–02 Baseline Configuration
CM–03 Configuration Change Control
CM–04 Security Impact Analysis
CM–05 Access Restrictions for Change
CM–06 Configuration Settings
CM–07 Least Functionality
CM–08 Information System Component Inventory
CM–09 Configuration Management Plan
CM–10 Software Usage Restrictions
CM–11 User–Installed Software

Contingency Planning (CP)
CP–01 Contingency Planning Policy and Procedures
CP–02 Contingency Plan
CP–03 Contingency Training
CP–04 Contingency Plan Testing
CP–05 Withdrawn
CP–06 Alternate Storage Site
CP–07 Alternate Processing Site
CP–08 Telecommunications Services
CP–09 Information System Backup

NIST 800 Series Special Publications

Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 

Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a

  • 1. Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4 http://www.counciloncybersecurity.org CSC–01 Inventory of Authorized & Unauthorized Devices CSC–01 CA–07 Continuous Monitoring CSC–01 CM–08 Information System Component Inventory CSC–01 IA–03 Device Identification and Authentication CSC–01 SA–04 Acquisition Process CSC–01 SC–17 Public Key Infrastructure Certificates CSC–01 SI–04 Information System Monitoring CSC–01 PM–05 Information System Inventory CSC–02 Inventory of Authorized and Unauthorized Software CSC–02 CA–07 Continuous Monitoring CSC–02 CM–02 Baseline Configuration CSC–02 CM–08 Information System Component Inventory CSC–02 CM–10 Software Usage Restrictions CSC–02 CM–11 User–Installed Software CSC–02 SA–04 Acquisition Process CSC–02 SC–18 Mobile Code CSC–02 SC–34 Non–Modifiable Executable Programs CSC–02 SI–04 Information System Monitoring CSC–02 PM–05 Information System Inventory CSC–03 Secure Configurations for Mobile Devices, Workstations, Servers CSC–03 CA–07 Continuous Monitoring CSC–03 CM–02 Baseline Configuration CSC–03 CM–03 Configuration Change Control CSC–03 CM–05 Access Restrictions for Change CSC–03 CM–06 Configuration Settings CSC–03 CM–07 Least Functionality CSC–03 CM–08 Information System Component Inventory CSC–03 CM–09 Configuration Management Plan CSC–03 CM–11 User–Installed Software CSC–03 MA–04 Nonlocal Maintenance CSC–03 RA–05 Vulnerability Scanning CSC–03 SA–04 Acquisition Process CSC–03 SC–15 Collaborative Computing Devices CSC–03 SC–34 Non–Modifiable Executable Programs CSC–03 SI–02 Flaw Remediation CSC–03 SI–04 Information System Monitoring CSC–04 Continuous Vulnerability Assessment and Remediation CSC–04 CA–02 Security Assessments Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 1 of 69
  • 2. Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4 http://www.counciloncybersecurity.org CSC–04 CA–07 Continuous Monitoring CSC–04 RA–05 Vulnerability Scanning CSC–04 SC–34 Non–Modifiable Executable Programs CSC–04 SI–04 Information System Monitoring CSC–04 SI–07 Software, Firmware, and Information Integrity CSC–05 Malware Defenses CSC–05 CA–07 Continuous Monitoring CSC–05 SC–39 Process Isolation CSC–05 SC–44 Detonation Chambers CSC–05 SI–03 Malicious Code Protection CSC–05 SI–04 Information System Monitoring CSC–05 SI–08 Spam Protection CSC–06 Application Software Security CSC–06 RA–05 Vulnerability Scanning CSC–06 SA–03 System Development Life Cycle CSC–06 SA–10 Developer Configuration Management CSC–06 SA–11 Developer Security Testing and Evaluation CSC–06 SA–13 Trustworthiness CSC–06 SA–15 Development Process, Standards, and Tools CSC–06 SA–16 Developer–Provided Training CSC–06 SA–17 Developer Security Architecture and Design CSC–06 SA–20 Customized Development of Critical Components CSC–06 SA–21 Developer Screening CSC–06 SC–39 Process Isolation CSC–06 SI–10 Information Input Validation CSC–06 SI–11 Error Handling CSC–06 SI–15 Information Output Filtering CSC–06 SI–16 Memory Protection CSC–07 Wireless Device Control CSC–07 AC–18 Wireless Access CSC–07 AC–19 Access Control for Mobile Devices CSC–07 CA–03 System Interconnections CSC–07 CA–07 Continuous Monitoring CSC–07 CM–02 Baseline Configuration CSC–07 IA–03 Device Identification and Authentication CSC–07 SC–08 Transmission Confidentiality and Integrity CSC–07 SC–17 Public Key Infrastructure Certificates CSC–07 SC–40 Wireless Link Protection Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 2 of 69
  • 3. Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4 http://www.counciloncybersecurity.org CSC–07 SI–04 Information System Monitoring CSC–08 Data Recovery Capability CSC–08 CP–09 Information System Backup CSC–08 CP–10 Information System Recovery and Reconstitution CSC–08 MP–04 Media Storage CSC–09 Security Skills Assessment and Appropriate Training to Fill Gaps CSC–09 AT–01 Security Awareness and Training Policy and Procedures CSC–09 AT–02 Security Awareness Training CSC–09 AT–03 Role–Based Security Training CSC–09 AT–04 Security Training Records CSC–09 SA–11 Developer Security Testing and Evaluation CSC–09 SA–16 Developer–Provided Training CSC–09 PM–13 Information Security Workforce CSC–09 PM–14 Testing, Training, & Monitoring CSC–09 PM–16 Threat Awareness Program CSC–10 Secure Configurations for Network Infrastructure & Security Devices CSC–10 AC–04 Information Flow Enforcement CSC–10 CA–03 System Interconnections CSC–10 CA–07 Continuous Monitoring CSC–10 CA–09 Internal System Connections CSC–10 CM–02 Baseline Configuration CSC–10 CM–03 Configuration Change Control CSC–10 CM–05 Access Restrictions for Change CSC–10 CM–06 Configuration Settings CSC–10 CM–08 Information System Component Inventory CSC–10 MA–04 Nonlocal Maintenance CSC–10 SC–24 Fail in Known State CSC–10 SI–04 Information System Monitoring CSC–11 Ports, Protocols, and Services Management CSC–11 AC–04 Information Flow Enforcement CSC–11 CA–07 Continuous Monitoring CSC–11 CA–09 Internal System Connections CSC–11 CM–02 Baseline Configuration CSC–11 CM–06 Configuration Settings CSC–11 CM–08 Information System Component Inventory CSC–11 SC–20 Secure Name /Address Resolution Service (Authoritative Source) CSC–11 SC–21 Secure Name /Address Resolution Service (Recursive or Caching Resolver) CSC–11 SC–22 Architecture and Provisioning for Name/Address Resolution Service Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 3 of 69
  • 4. Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4 http://www.counciloncybersecurity.org CSC–11 SC–41 Port and I/O Device Access CSC–11 SI–04 Information System Monitoring CSC–12 Controlled Use of Administrative Privileges CSC–12 AC–02 Account Management CSC–12 AC–06 Least Privilege CSC–12 AC–17 Remote Access CSC–12 AC–19 Access Control for Mobile Devices CSC–12 CA–07 Continuous Monitoring CSC–12 IA–02 Identification and Authentication (Organizational Users) CSC–12 IA–04 Identifier Management CSC–12 IA–05 Authenticator Management CSC–12 SI–04 Information System Monitoring CSC–13 Boundary Defense CSC–13 AC–04 Information Flow Enforcement CSC–13 AC–17 Remote Access CSC–13 AC–20 Use of External Information Systems CSC–13 CA–03 System Interconnections CSC–13 CA–07 Continuous Monitoring CSC–13 CA–09 Internal System Connections CSC–13 CM–02 Baseline Configuration CSC–13 SA–09 External Information System Services CSC–13 SC–07 Boundary Protection CSC–13 SC–08 Transmission Confidentiality and Integrity CSC–13 SI–04 Information System Monitoring CSC–14 Maintenance, Monitoring and Analysis of Audit Logs CSC–14 AC–23 Data Mining Protection CSC–14 AU–02 Audit Events CSC–14 AU–03 Content of Audit Records CSC–14 AU–04 Audit Storage Capacity CSC–14 AU–05 Response to Audit Processing Failures CSC–14 AU–06 Audit Review, Analysis, and Reporting CSC–14 AU–07 Audit Reduction and Report Generation CSC–14 AU–08 Time Stamps CSC–14 AU–09 Protection of Audit Information CSC–14 AU–10 Non–repudiation CSC–14 AU–11 Audit Record Retention CSC–14 AU–12 Audit Generation CSC–14 AU–13 Monitoring for Information Disclosure Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 4 of 69
  • 5. Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4 CSC–14 AU–14 Session Audit CSC–14 CA–07 Continuous Monitoring CSC–14 IA–10 Adaptive Identification and Authentication CSC–14 SI–04 Information System Monitoring CSC–15 Controlled Access Based on the Need to Know CSC–15 AC–01 Access Control Policy and Procedures CSC–15 AC–02 Account Management CSC–15 AC–03 Access Enforcement CSC–15 AC–06 Least Privilege CSC–15 AC–24 Access Control Decisions CSC–15 CA–07 Continuous Monitoring CSC–15 MP–03 Media Marking CSC–15 RA–02 Security Categorization CSC–15 SC–16 Transmission of Security Attributes CSC–15 SI–04 Information System Monitoring CSC–16 Account Monitoring and Control CSC–16 AC–02 Account Management CSC–16 AC–03 Access Enforcement CSC–16 AC–07 Unsuccessful Logon Attempts CSC–16 AC–11 Session Lock CSC–16 AC–12 Session Termination CSC–16 CA–07 Continuous Monitoring CSC–16 IA–05 Authenticator Management CSC–16 IA–10 Adaptive Identification and Authentication CSC–16 SC–17 Public Key Infrastructure Certificates CSC–16 SC–23 Session Authenticity CSC–16 SI–04 Information System Monitoring CSC–17 Data Loss Prevention CSC–17 AC–03 Access Enforcement CSC–17 AC–04 Information Flow Enforcement CSC–17 AC–23 Data Mining Protection CSC–17 CA–07 Continuous Monitoring CSC–17 CA–09 Internal System Connections CSC–17 IR–09 Information Spillage Response CSC–17 MP–05 Media Transport CSC–17 SA–18 Tamper Resistance and Detection CSC–17 SC–08 Transmission Confidentiality and Integrity CSC–17 SC–28 http://www.counciloncybersecurity.org Protection of Information at Rest Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 5 of 69
  • 6. Map the Critical Security Controls v4.1 to NIST SP 800‐53 Rev. 4 http://www.counciloncybersecurity.org CSC–17 SC–31 Covert Channel Analysis CSC–17 SC–41 Port and I/O Device Access CSC–17 SI–04 Information System Monitoring CSC–18 Incident Response and Management CSC–18 IR–01 Incident Response Policy and Procedures CSC–18 IR–02 Incident Response Training CSC–18 IR–03 Incident Response Testing CSC–18 IR–04 Incident Handling CSC–18 IR–05 Incident Monitoring CSC–18 IR–06 Incident Reporting CSC–18 IR–07 Incident Response Assistance CSC–18 IR–08 Incident Response Plan CSC–18 IR–10 Integrated Information Security Analysis Team CSC–19 Secure Network Engineering CSC–19 AC–04 Information Flow Enforcement CSC–19 CA–03 System Interconnections CSC–19 CA–09 Internal System Connections CSC–19 SA–08 Security Engineering Principles CSC–19 SC–20 Secure Name /Address Resolution Service (Authoritative Source) CSC–19 SC–21 Secure Name /Address Resolution Service (Recursive or Caching Resolver) CSC–19 SC–22 Architecture and Provisioning for Name/Address Resolution Service CSC–19 SC–32 Information System Partitioning CSC–19 SC–37 Out–of–Band Channels CSC–20 Penetration Tests and Red Team Exercises CSC–20 PM–16 Threat Awareness Program CSC–20 CA–02 Security Assessments CSC–20 CA–05 Plan of Action and Milestones CSC–20 CA–06 Security Authorization CSC–20 CA–08 Penetration Testing CSC–20 RA–06 Technical Surveillance Countermeasures Survey CSC–20 SI–06 Security Function Verification CSC–20 PM–06 Information Security Measures of Performance CSC–20 PM–14 Testing, Training, & Monitoring Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx Page 6 of 69
  • 7. Print Date: 3/1/2014, 12:02 PM CNT: 203 7 10 16 6 6 15 10 3 9 Bl CSC Inventory of Authorized & Unauthorized Devices CSC–02 CSC–03 CSC–04 CSC–05 CSC–06 CSC–07 CSC–08 CSC–09 CSC–10 12 # Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 CSC–01 Inventory of Authorized and Unauthorized Software MAP_CSCv4.1_to_800‐53r4_SORTCSC 11 9 11 17 10 11 13 9 9 Continuous Vulnerability Assessment and Remediation Malware Defenses Application Software Security Wireless Device Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Ports, Protocols, and Services Management CSC Controlled Use of Administrative Privileges CSC–01 X CSC–06 X CSC–11 X Boundary Defense CSC CSC CSC Maintenance, Monitoring & Analysis of Audit Logs CSC–02 X CSC–07 X CSC–12 X Controlled Access Based on the Need to Know CSC CSC CSC Account Monitoring and Control CSC–03 X CSC–08 X CSC–13 X Data Loss Prevention CSC CSC CSC Incident Response and Management CSC–04 X CSC–09 X CSC–14 X Secure Network Engineering CSC CSC CSC 9 Secure Configurations for Mobile Devices, Workstations, Servers CSC–11 CSC–12 CSC–13 CSC–14 CSC–15 CSC–16 CSC–17 CSC–18 CSC–19 CSC–20 Penetration Tests and Red Team Exercises CSC–05 X Secure Configurations for Network Infrastructure & Security Devices PRI 01 02 03 04 05 06 07 08 09 10 11 12 01 CSC 02 03 04 05 06 CSC 07 08 09 10 CSC–10 X 13 14 15 11 CSC CSC–16 12 CSC CSC–17 13 CSC CSC–18 14 CSC CSC–19 15 CSC CSC–15 X 16 17 18 19 CSC–20 20 CNT ID–CN NIST_SP_800-53_REV_4_CONTROL_NAME 1 CSC–01 CA–07 Continuous Monitoring P3 X S S 2 CSC–01 CM–08 Information System Component Inventory P1 X S S 3 CSC–01 IA–03 Device Identification and Authentication P1 X 4 CSC–01 SA–04 Acquisition Process P1 X 5 CSC–01 SC–17 Public Key Infrastructure Certificates P1 X 6 CSC–01 SI–04 Information System Monitoring P1 X 7 CSC–01 PM–05 Information System Inventory P1 X S 8 CSC–02 CA–07 Continuous Monitoring P3 S 9 CSC–02 CM–02 Baseline 
Configuration P1 10 CSC–02 CM–08 Information System Component Inventory P1 11 CSC–02 CM–10 Software Usage Restrictions P2 X 12 CSC–02 CM–11 User–Installed Software P1 X S 2 13 CSC–02 SA–04 Acquisition Process P1 X S 3 14 CSC–02 SC–18 Mobile Code P2 X 15 CSC–02 SC–34 Non–Modifiable Executable Programs P0 X S S 16 CSC–02 SI–04 Information System Monitoring P1 S X S S S S S S S S S S S S 14 17 CSC–02 PM–05 Information System Inventory P1 S X 18 CSC–03 CA–07 Continuous Monitoring P3 S S X S S S S S S S S S S S 14 19 CSC–03 CM–02 Baseline Configuration P1 S S 20 CSC–03 CM–03 Configuration Change Control P1 X S 21 CSC–03 CM–05 Access Restrictions for Change P1 X S 22 CSC–03 CM–06 Configuration Settings P1 X S S 3 23 CSC–03 CM–07 Least Functionality P1 X 24 CSC–03 CM–08 Information System Component Inventory P1 S S 5 25 CSC–03 CM–09 Configuration Management Plan P1 26 CSC–03 CM–11 User–Installed Software P1 27 CSC–03 MA–04 Nonlocal Maintenance P1 X 28 CSC–03 RA–05 Vulnerability Scanning P1 X 29 CSC–03 SA–04 Acquisition Process P1 30 CSC–03 SC–15 Collaborative Computing Devices P1 31 CSC–03 SC–34 Non–Modifiable Executable Programs P0 32 CSC–03 SI–02 Flaw Remediation P1 33 CSC–03 SI–04 Information System Monitoring P1 34 CSC–04 CA–02 Security Assessments P2 35 CSC–04 CA–07 Continuous Monitoring P3 36 CSC–04 RA–05 Vulnerability Scanning P1 37 CSC–04 SC–34 Non–Modifiable Executable Programs P0 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx S S S S S S S S S S S S S 14 5 S S 2 S 3 S 3 S S S S S S S S S S S S S 14 X S S S S S S S S S S S S 14 X S S S S S S S X S S S S S S 2 S 6 5 1 1 3 2 X S S 6 2 2 1 X X S S S 1 X 2 S S 2 S 3 X 3 X S X 1 S 3 X 1 S S X S S S S X S X S X S S S S S S S S S S S S S S S S S S S S X S Page 7 of 69 14 S S 2 14 3 3
  • 8. Print Date: 3/1/2014, 12:02 PM CNT: 203 7 10 16 6 6 15 10 3 9 Bl CSC Inventory of Authorized & Unauthorized Devices CSC–02 CSC–03 CSC–04 CSC–05 CSC–06 CSC–07 CSC–08 CSC–09 CSC–10 12 # Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 CSC–01 Inventory of Authorized and Unauthorized Software MAP_CSCv4.1_to_800‐53r4_SORTCSC 11 9 11 17 10 11 13 9 9 Continuous Vulnerability Assessment and Remediation Malware Defenses Application Software Security Wireless Device Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Ports, Protocols, and Services Management CSC Controlled Use of Administrative Privileges CSC–01 X CSC–06 X CSC–11 X Boundary Defense CSC CSC CSC Maintenance, Monitoring & Analysis of Audit Logs CSC–02 X CSC–07 X CSC–12 X Controlled Access Based on the Need to Know CSC CSC CSC Account Monitoring and Control CSC–03 X CSC–08 X CSC–13 X Data Loss Prevention CSC CSC CSC Incident Response and Management CSC–04 X CSC–09 X CSC–14 X Secure Network Engineering CSC CSC CSC 9 Secure Configurations for Mobile Devices, Workstations, Servers CSC–11 CSC–12 CSC–13 CSC–14 CSC–15 CSC–16 CSC–17 CSC–18 CSC–19 CSC–20 Penetration Tests and Red Team Exercises CSC–05 X Secure Configurations for Network Infrastructure & Security Devices PRI 01 02 03 04 05 ID–CN NIST_SP_800-53_REV_4_CONTROL_NAME 38 CSC–04 SI–04 Information System Monitoring P1 39 CSC–04 SI–07 Software, Firmware, and Information Integrity P1 40 CSC–05 CA–07 Continuous Monitoring P3 41 CSC–05 SC–39 Process Isolation P1 X 42 CSC–05 SC–44 Detonation Chambers P0 CSC–05 SI–03 Malicious Code Protection P1 CSC–05 SI–04 Information System Monitoring P1 45 CSC–05 SI–08 Spam Protection P2 46 CSC–06 RA–05 Vulnerability Scanning P1 47 CSC–06 SA–03 System Development Life Cycle 48 CSC–06 SA–10 Developer Configuration Management 49 CSC–06 SA–11 50 CSC–06 51 CSC–06 52 08 09 10 11 12 02 03 04 05 06 CSC 07 08 09 10 CSC–10 X 13 14 15 11 CSC CSC–16 12 CSC 
CSC–17 13 CSC CSC–18 14 CSC CSC–19 15 CSC CSC–15 X 16 17 18 CSC–20 19 X 44 07 CSC X 43 06 01 S S S X S S S S S S S S CNT S S S S S S S S S 14 X S S S S S S S S S 14 X S 20 S 1 S S 2 1 1 X S S S S S S S S S 14 X 1 X 3 P1 X 1 P1 X Developer Security Testing and Evaluation P1 X SA–13 Trustworthiness P0 X SA–15 Development Process, Standards, and Tools P2 X CSC–06 SA–16 Developer–Provided Training P2 X 53 CSC–06 SA–17 Developer Security Architecture and Design P1 X 1 54 CSC–06 SA–20 Customized Development of Critical Components P0 X 1 55 CSC–06 SA–21 Developer Screening P0 X 1 56 CSC–06 SC–39 Process Isolation P1 X 2 57 CSC–06 SI–10 Information Input Validation P1 X 1 58 CSC–06 SI–11 Error Handling P2 X 1 59 CSC–06 SI–15 Information Output Filtering P0 X 1 60 CSC–06 SI–16 Memory Protection P1 X 61 CSC–07 AC–18 Wireless Access P1 X 62 CSC–07 AC–19 Access Control for Mobile Devices P1 X 63 CSC–07 CA–03 System Interconnections P1 64 CSC–07 CA–07 Continuous Monitoring P3 65 CSC–07 CM–02 Baseline Configuration P1 66 CSC–07 IA–03 Device Identification and Authentication P1 67 CSC–07 SC–08 Transmission Confidentiality and Integrity P1 68 CSC–07 SC–17 Public Key Infrastructure Certificates P1 69 CSC–07 SC–40 Wireless Link Protection P0 70 CSC–07 SI–04 Information System Monitoring P1 71 CSC–08 CP–09 Information System Backup P1 X 1 72 CSC–08 CP–10 Information System Recovery and Reconstitution P1 X 1 73 CSC–08 MP–04 Media Storage P1 X 1 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx S 1 S 2 1 1 S 2 1 1 S X S S S S S S S S X S S X S S S 2 S S S S S S S S S 6 X 2 X S S S X S S S Page 8 of 69 S S 3 3 X S 4 14 1 X S S S S S S S S 14
  • 9. Print Date: 3/1/2014, 12:02 PM CNT: 203 7 10 16 6 6 15 10 3 9 Inventory of Authorized and Unauthorized Software MAP_CSCv4.1_to_800‐53r4_SORTCSC 11 9 11 17 10 11 13 9 9 Continuous Vulnerability Assessment and Remediation Malware Defenses Application Software Security Wireless Device Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Ports, Protocols, and Services Management CSC Controlled Use of Administrative Privileges CSC–01 X CSC–06 X CSC–11 X Boundary Defense CSC CSC CSC Maintenance, Monitoring & Analysis of Audit Logs CSC–02 X CSC–07 X CSC–12 X Controlled Access Based on the Need to Know CSC CSC CSC Account Monitoring and Control CSC–03 X CSC–08 X CSC–13 X Data Loss Prevention CSC CSC CSC Incident Response and Management CSC–04 X CSC–09 X CSC–14 X Secure Network Engineering CSC CSC CSC 9 Secure Configurations for Mobile Devices, Workstations, Servers CSC–11 CSC–12 CSC–13 CSC–14 CSC–15 CSC–16 CSC–17 CSC–18 CSC–19 CSC–20 Penetration Tests and Red Team Exercises CSC–05 X 02 04 Secure Configurations for Network Infrastructure & Security Devices PRI 01 03 05 06 07 08 09 10 11 12 01 CSC 02 03 04 05 06 CSC 07 08 09 10 CSC–10 X 13 14 15 11 CSC CSC–16 12 CSC CSC–17 13 CSC CSC–18 14 CSC CSC–19 15 CSC CSC–15 X 16 17 18 CSC–20 19 20 CNT ID–CN NIST_SP_800-53_REV_4_CONTROL_NAME 74 CSC–09 AT–01 Security Awareness and Training Policy and Procedures P1 X 1 75 CSC–09 AT–02 Security Awareness Training P1 X 1 76 CSC–09 AT–03 Role–Based Security Training P1 X 1 77 CSC–09 AT–04 Security Training Records P3 X 1 78 CSC–09 SA–11 Developer Security Testing and Evaluation P1 S X 2 79 CSC–09 SA–16 Developer–Provided Training P2 S X 2 80 CSC–09 PM–13 Information Security Workforce P1 X 81 CSC–09 PM–14 Testing, Training, & Monitoring P1 X 82 CSC–09 PM–16 Threat Awareness Program P1 X 83 CSC–10 AC–04 Information Flow Enforcement P1 84 CSC–10 CA–03 System Interconnections P1 85 CSC–10 CA–07 Continuous Monitoring P3 86 CSC–10 CA–09 
Internal System Connections P2 87 CSC–10 CM–02 Baseline Configuration P1 88 CSC–10 CM–03 Configuration Change Control P1 S X 89 CSC–10 CM–05 Access Restrictions for Change P1 S X 90 CSC–10 CM–06 Configuration Settings P1 S X S 91 CSC–10 CM–08 Information System Component Inventory P1 S X S 92 CSC–10 MA–04 Nonlocal Maintenance P1 S X 93 CSC–10 SC–24 Fail in Known State P1 94 CSC–10 SI–04 Information System Monitoring P1 95 CSC–11 AC–04 Information Flow Enforcement P1 96 CSC–11 CA–07 Continuous Monitoring P3 97 CSC–11 CA–09 Internal System Connections P2 98 CSC–11 CM–02 Baseline Configuration P1 99 CSC–11 CM–06 Configuration Settings P1 100 CSC–11 CM–08 Information System Component Inventory P1 101 CSC–11 SC–20 Secure Name /Address Resolution Service (Authoritative Source) P1 X S CSC–11 SC–21 Secure Name /Address Resolution Service (Recursive or Caching Resolver) P1 X S 103 CSC–11 SC–22 Architecture and Provisioning for Name/Address Resolution Service P1 X S 104 CSC–11 SC–41 Port and I/O Device Access P0 X 105 CSC–11 SI–04 Information System Monitoring P1 106 CSC–12 AC–02 Account Management P1 107 CSC–12 AC–06 Least Privilege P1 108 CSC–12 AC–17 Remote Access P1 X 109 CSC–12 AC–19 Access Control for Mobile Devices P1 102 Bl CSC Inventory of Authorized & Unauthorized Devices CSC–02 CSC–03 CSC–04 CSC–05 CSC–06 CSC–07 CSC–08 CSC–09 CSC–10 12 # Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 CSC–01 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx 1 S 1 X S S S S S S S S S S S X S X S X S S S S S X S S S S S S S S S S S S S S S S S S S S S S S S S S 3 5 2 1 S X S X X S S X S S S S S S S X S S X S S S S S S S S S S S S S S S S 14 S S S 5 14 S 5 6 3 5 2 2 2 S S S S S X Page 9 of 69 X S X S S 5 6 2 S S 4 2 X S 5 14 X S 2 S S X S S S 2 S 14 3 2 2 2
  • 10. Print Date: 3/1/2014, 12:02 PM CNT: 203 7 10 16 6 6 15 10 3 9 Bl CSC Inventory of Authorized & Unauthorized Devices CSC–02 CSC–03 CSC–04 CSC–05 CSC–06 CSC–07 CSC–08 CSC–09 CSC–10 12 # Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 CSC–01 Inventory of Authorized and Unauthorized Software MAP_CSCv4.1_to_800‐53r4_SORTCSC 11 9 11 17 10 11 13 9 9 Continuous Vulnerability Assessment and Remediation Malware Defenses Application Software Security Wireless Device Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Ports, Protocols, and Services Management CSC Controlled Use of Administrative Privileges CSC–01 X CSC–06 X CSC–11 X Boundary Defense CSC CSC CSC Maintenance, Monitoring & Analysis of Audit Logs CSC–02 X CSC–07 X CSC–12 X Controlled Access Based on the Need to Know CSC CSC CSC Account Monitoring and Control CSC–03 X CSC–08 X CSC–13 X Data Loss Prevention CSC CSC CSC Incident Response and Management CSC–04 X CSC–09 X CSC–14 X Secure Network Engineering CSC CSC CSC 9 Secure Configurations for Mobile Devices, Workstations, Servers CSC–11 CSC–12 CSC–13 CSC–14 CSC–15 CSC–16 CSC–17 CSC–18 CSC–19 CSC–20 Penetration Tests and Red Team Exercises CSC–05 X Secure Configurations for Network Infrastructure & Security Devices PRI 01 02 03 04 05 06 07 08 09 10 11 12 01 CSC 02 03 04 05 06 CSC 07 08 09 10 CSC–10 X 13 14 15 11 CSC CSC–16 12 CSC CSC–17 13 CSC CSC–18 14 CSC CSC–19 15 CSC CSC–15 X 16 17 18 CSC–20 19 20 CNT ID–CN NIST_SP_800-53_REV_4_CONTROL_NAME 110 CSC–12 CA–07 Continuous Monitoring P3 111 CSC–12 IA–02 Identification and Authentication (Organizational Users) P1 X 112 CSC–12 IA–04 Identifier Management P1 X 113 CSC–12 IA–05 Authenticator Management P1 X 114 CSC–12 SI–04 Information System Monitoring P1 115 CSC–13 AC–04 Information Flow Enforcement P1 116 CSC–13 AC–17 Remote Access P1 117 CSC–13 AC–20 Use of External Information Systems P1 118 CSC–13 CA–03 System Interconnections P1 
119 CSC–13 CA–07 Continuous Monitoring P3 120 CSC–13 CA–09 Internal System Connections P2 121 CSC–13 CM–02 Baseline Configuration P1 122 CSC–13 SA–09 External Information System Services 123 CSC–13 SC–07 Boundary Protection 124 CSC–13 SC–08 Transmission Confidentiality and Integrity P1 125 CSC–13 SI–04 Information System Monitoring P1 126 CSC–14 AC–23 Data Mining Protection P0 X 127 CSC–14 AU–02 Audit Events P1 X 1 128 CSC–14 AU–03 Content of Audit Records P1 X 1 129 CSC–14 AU–04 Audit Storage Capacity P1 X 1 130 CSC–14 AU–05 Response to Audit Processing Failures P1 X 1 131 CSC–14 AU–06 Audit Review, Analysis, and Reporting P1 X 1 132 CSC–14 AU–07 Audit Reduction and Report Generation P2 X 1 133 CSC–14 AU–08 Time Stamps P1 X 1 134 CSC–14 AU–09 Protection of Audit Information P1 X 1 135 CSC–14 AU–10 Non–repudiation P1 X 1 136 CSC–14 AU–11 Audit Record Retention P3 X 1 137 CSC–14 AU–12 Audit Generation P1 X 1 138 CSC–14 AU–13 Monitoring for Information Disclosure P0 X 1 139 CSC–14 AU–14 Session Audit P0 X 140 CSC–14 CA–07 Continuous Monitoring P3 141 CSC–14 IA–10 Adaptive Identification and Authentication P0 142 CSC–14 SI–04 Information System Monitoring P1 143 CSC–15 AC–01 Access Control Policy and Procedures P1 144 CSC–15 AC–02 Account Management P1 145 CSC–15 AC–03 Access Enforcement P1 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx S S S S S S S S S S S S S S S S S X S X S S S S 14 1 1 S S S S S X S S 2 S S 14 S X X S S S S S S X S S X 6 P1 X 1 P1 X S S S S S S S X S S S S S S X S S S S S S S S S S S S S S S S S S S S S X X S S 14 S S 3 2 1 S S S 14 S 14 S S S 2 X 1 X S X Page 10 of 69 5 S X S 14 S 1 X S S 4 S S S S S S S 1 X S S S S 5 2 S 3 S 3
  • 11. Print Date: 3/1/2014, 12:02 PM CNT: 203 7 10 16 6 6 15 10 3 9 Bl CSC Inventory of Authorized & Unauthorized Devices CSC–02 CSC–03 CSC–04 CSC–05 CSC–06 CSC–07 CSC–08 CSC–09 CSC–10 12 # Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4 CSC–01 Inventory of Authorized and Unauthorized Software MAP_CSCv4.1_to_800‐53r4_SORTCSC 11 9 11 17 10 11 13 9 9 Continuous Vulnerability Assessment and Remediation Malware Defenses Application Software Security Wireless Device Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Ports, Protocols, and Services Management CSC Controlled Use of Administrative Privileges CSC–01 X CSC–06 X CSC–11 X Boundary Defense CSC CSC CSC Maintenance, Monitoring & Analysis of Audit Logs CSC–02 X CSC–07 X CSC–12 X Controlled Access Based on the Need to Know CSC CSC CSC Account Monitoring and Control CSC–03 X CSC–08 X CSC–13 X Data Loss Prevention CSC CSC CSC Incident Response and Management CSC–04 X CSC–09 X CSC–14 X Secure Network Engineering CSC CSC CSC 9 Secure Configurations for Mobile Devices, Workstations, Servers CSC–11 CSC–12 CSC–13 CSC–14 CSC–15 CSC–16 CSC–17 CSC–18 CSC–19 CSC–20 Penetration Tests and Red Team Exercises CSC–05 X 02 04 Secure Configurations for Network Infrastructure & Security Devices PRI 01 03 05 06 07 08 09 10 11 12 01 CSC 02 03 04 05 06 CSC 07 08 09 10 CSC–10 X 13 14 15 11 CSC CSC–16 12 CSC CSC–17 13 CSC CSC–18 14 CSC CSC–19 15 CSC CSC–15 X 16 17 18 CSC–20 19 20 CNT ID–CN NIST_SP_800-53_REV_4_CONTROL_NAME 146 CSC–15 AC–06 Least Privilege P1 147 CSC–15 AC–24 Access Control Decisions P0 148 CSC–15 CA–07 Continuous Monitoring P3 149 CSC–15 MP–03 Media Marking P2 X 1 150 CSC–15 RA–02 Security Categorization P1 X 1 151 CSC–15 SC–16 Transmission of Security Attributes P0 X 152 CSC–15 SI–04 Information System Monitoring P1 153 CSC–16 AC–02 Account Management P1 154 CSC–16 AC–03 Access Enforcement P1 155 CSC–16 AC–07 Unsuccessful Logon Attempts P2 X 1 
156 CSC–16 AC–11 Session Lock P3 X 1 157 CSC–16 AC–12 Session Termination P2 X 158 CSC–16 CA–07 Continuous Monitoring P3 159 CSC–16 IA–05 Authenticator Management P1 160 CSC–16 IA–10 Adaptive Identification and Authentication P0 161 CSC–16 SC–17 Public Key Infrastructure Certificates P1 162 CSC–16 SC–23 Session Authenticity P1 163 CSC–16 SI–04 Information System Monitoring P1 164 CSC–17 AC–03 Access Enforcement P1 165 CSC–17 AC–04 Information Flow Enforcement P1 166 CSC–17 AC–23 Data Mining Protection P0 167 CSC–17 CA–07 Continuous Monitoring P3 168 CSC–17 CA–09 Internal System Connections P2 169 CSC–17 IR–09 Information Spillage Response P0 X 1 170 CSC–17 MP–05 Media Transport P1 X 1 171 CSC–17 SA–18 Tamper Resistance and Detection P0 X 1 172 CSC–17 SC–08 Transmission Confidentiality and Integrity P1 X 3 173 CSC–17 SC–28 Protection of Information at Rest P1 X 1 174 CSC–17 SC–31 Covert Channel Analysis P0 X 1 175 CSC–17 SC–41 Port and I/O Device Access P0 X 2 176 CSC–17 SI–04 Information System Monitoring P1 177 CSC–18 IR–01 Incident Response Policy and Procedures P1 X 1 178 CSC–18 IR–02 Incident Response Training P2 X 1 179 CSC–18 IR–03 Incident Response Testing P2 X 1 180 CSC–18 IR–04 Incident Handling P1 X 1 181 CSC–18 IR–05 Incident Monitoring P1 X 1 Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx S X 2 X S S S S S S S S S S S S S S S S S S S S S S S X X 1 S S S S S S S S S S S S S 14 X X S S X 3 S 3 1 S 14 X 2 X S 2 X S S 14 1 S S S S 3 X S S S S S S S S S S S S S 1 S X S S S X S S S S S S S S S S S S S S S S S S Page 11 of 69 S S S S S S S S S S 5 2 X 14 X S S S X S S 3 X S S 14 S X 5 14
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
Sheet MAP_CSCv4.1_to_800‐53r4_SORTCSC (sorted by CSC), continued

#    CSC     ID–CN  NIST_SP_800-53_REV_4_CONTROL_NAME  PRI
182  CSC–18  IR–06  Incident Reporting  P1
183  CSC–18  IR–07  Incident Response Assistance  P3
184  CSC–18  IR–08  Incident Response Plan  P1
185  CSC–18  IR–10  Integrated Information Security Analysis Team  P0
186  CSC–19  AC–04  Information Flow Enforcement  P1
187  CSC–19  CA–03  System Interconnections  P1
188  CSC–19  CA–09  Internal System Connections  P2
189  CSC–19  SA–08  Security Engineering Principles  P1
190  CSC–19  SC–20  Secure Name/Address Resolution Service (Authoritative Source)  P1
191  CSC–19  SC–21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  P1
192  CSC–19  SC–22  Architecture and Provisioning for Name/Address Resolution Service  P1
193  CSC–19  SC–32  Information System Partitioning  P0
194  CSC–19  SC–37  Out–of–Band Channels  P0
195  CSC–20  PM–16  Threat Awareness Program  P1
196  CSC–20  CA–02  Security Assessments  P2
197  CSC–20  CA–05  Plan of Action and Milestones  P3
198  CSC–20  CA–06  Security Authorization  P3
199  CSC–20  CA–08  Penetration Testing  P1
200  CSC–20  RA–06  Technical Surveillance Countermeasures Survey  P0
201  CSC–20  SI–06  Security Function Verification  P1
202  CSC–20  PM–06  Information Security Measures of Performance  P1
203  CSC–20  PM–14  Testing, Training, & Monitoring  P1

Page 12 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID (sorted by control ID; columns FAMILY, ID–CN, CONTROL NAME, PRI, mapping to CSC–01 through CSC–20, CNT)

Access Control
AC  AC–01  Access Control Policy and Procedures  P1
AC  AC–02  Account Management  P1
AC  AC–03  Access Enforcement  P1
AC  AC–04  Information Flow Enforcement  P1
AC  AC–05  Separation of Duties  P1
AC  AC–06  Least Privilege  P1
AC  AC–07  Unsuccessful Logon Attempts  P2
AC  AC–08  System Use Notification  P1
AC  AC–09  Previous Logon (Access) Notification  P0
AC  AC–10  Concurrent Session Control  P2
AC  AC–11  Session Lock  P3
AC  AC–12  Session Termination  P2
AC  AC–13  Withdrawn  –––
AC  AC–14  Permitted Actions without Identification or Authentication  P1
AC  AC–15  Withdrawn  –––
AC  AC–16  Security Attributes  P0
AC  AC–17  Remote Access  P1
AC  AC–18  Wireless Access  P1
AC  AC–19  Access Control for Mobile Devices  P1
AC  AC–20  Use of External Information Systems  P1
AC  AC–21  Information Sharing  P2
AC  AC–22  Publicly Accessible Content  P2
AC  AC–23  Data Mining Protection  P0
AC  AC–24  Access Control Decisions  P0
AC  AC–25  Reference Monitor  P0

Awareness and Training
AT  AT–01  Security Awareness and Training Policy and Procedures  P1
AT  AT–02  Security Awareness Training  P1
AT  AT–03  Role–Based Security Training  P1
AT  AT–04  Security Training Records  P3
AT  AT–05  Withdrawn  –––

Audit & Accountability
AU  AU–01  Audit and Accountability Policy and Procedures  P1
AU  AU–02  Audit Events  P1
AU  AU–03  Content of Audit Records  P1
AU  AU–04  Audit Storage Capacity  P1
AU  AU–05  Response to Audit Processing Failures  P1
AU  AU–06  Audit Review, Analysis, and Reporting  P1
AU  AU–07  Audit Reduction and Report Generation  P2

Page 13 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

Audit & Accountability (continued)
AU  AU–08  Time Stamps  P1
AU  AU–09  Protection of Audit Information  P1
AU  AU–10  Non–repudiation  P1
AU  AU–11  Audit Record Retention  P3
AU  AU–12  Audit Generation  P1
AU  AU–13  Monitoring for Information Disclosure  P0
AU  AU–14  Session Audit  P0
AU  AU–15  Alternate Audit Capability  P0
AU  AU–16  Cross–Organizational Auditing  P0

Security Assessment and Authorization
CA  CA–01  Security Assessment and Authorization Policies and Procedures  P1
CA  CA–02  Security Assessments  P2
CA  CA–03  System Interconnections  P1
CA  CA–04  Withdrawn  –––
CA  CA–05  Plan of Action and Milestones  P3
CA  CA–06  Security Authorization  P3
CA  CA–07  Continuous Monitoring  P3
CA  CA–08  Penetration Testing  P1
CA  CA–09  Internal System Connections  P2

Configuration Management
CM  CM–01  Configuration Management Policy and Procedures  P1
CM  CM–02  Baseline Configuration  P1
CM  CM–03  Configuration Change Control  P1
CM  CM–04  Security Impact Analysis  P2
CM  CM–05  Access Restrictions for Change  P1
CM  CM–06  Configuration Settings  P1
CM  CM–07  Least Functionality  P1
CM  CM–08  Information System Component Inventory  P1
CM  CM–09  Configuration Management Plan  P1
CM  CM–10  Software Usage Restrictions  P2
CM  CM–11  User–Installed Software  P1

Contingency Planning
CP  CP–01  Contingency Planning Policy and Procedures  P1
CP  CP–02  Contingency Plan  P1
CP  CP–03  Contingency Training  P2
CP  CP–04  Contingency Plan Testing  P2
CP  CP–05  Withdrawn  –––
CP  CP–06  Alternate Storage Site  P1

Page 14 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

Contingency Planning (continued)
CP  CP–07  Alternate Processing Site  P1
CP  CP–08  Telecommunications Services  P1
CP  CP–09  Information System Backup  P1
CP  CP–10  Information System Recovery and Reconstitution  P1
CP  CP–11  Alternate Communications Protocols  P0
CP  CP–12  Safe Mode  P0
CP  CP–13  Alternative Security Mechanisms  P0

Identification and Authentication
IA  IA–01  Identification and Authentication Policy and Procedures  P1
IA  IA–02  Identification and Authentication (Organizational Users)  P1
IA  IA–03  Device Identification and Authentication  P1
IA  IA–04  Identifier Management  P1
IA  IA–05  Authenticator Management  P1
IA  IA–06  Authenticator Feedback  P1
IA  IA–07  Cryptographic Module Authentication  P1
IA  IA–08  Identification and Authentication (Non–Organizational Users)  P1
IA  IA–09  Service Identification and Authentication  P0
IA  IA–10  Adaptive Identification and Authentication  P0
IA  IA–11  Re–authentication  P0

Incident Response
IR  IR–01  Incident Response Policy and Procedures  P1
IR  IR–02  Incident Response Training  P2
IR  IR–03  Incident Response Testing  P2
IR  IR–04  Incident Handling  P1
IR  IR–05  Incident Monitoring  P1
IR  IR–06  Incident Reporting  P1
IR  IR–07  Incident Response Assistance  P3
IR  IR–08  Incident Response Plan  P1
IR  IR–09  Information Spillage Response  P0
IR  IR–10  Integrated Information Security Analysis Team  P0

Maintenance
MA  MA–01  System Maintenance Policy and Procedures  P1
MA  MA–02  Controlled Maintenance  P2
MA  MA–03  Maintenance Tools  P2
MA  MA–04  Nonlocal Maintenance  P1
MA  MA–05  Maintenance Personnel  P1
MA  MA–06  Timely Maintenance  P2

Page 15 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

Media Protection
MP  MP–01  Media Protection Policy and Procedures  P1
MP  MP–02  Media Access  P1
MP  MP–03  Media Marking  P2
MP  MP–04  Media Storage  P1
MP  MP–05  Media Transport  P1
MP  MP–06  Media Sanitization  P1
MP  MP–07  Media Use  P1
MP  MP–08  Media Downgrading  P0

Physical and Environmental Protection
PE  PE–01  Physical and Environmental Protection Policy and Procedures  P1
PE  PE–02  Physical Access Authorizations  P1
PE  PE–03  Physical Access Control  P1
PE  PE–04  Access Control for Transmission Medium  P1
PE  PE–05  Access Control for Output Devices  P2
PE  PE–06  Monitoring Physical Access  P1
PE  PE–07  Withdrawn  –––
PE  PE–08  Visitor Access Records  P3
PE  PE–09  Power Equipment and Cabling  P1
PE  PE–10  Emergency Shutoff  P1
PE  PE–11  Emergency Power  P1
PE  PE–12  Emergency Lighting  P1
PE  PE–13  Fire Protection  P1
PE  PE–14  Temperature and Humidity Controls  P1
PE  PE–15  Water Damage Protection  P1
PE  PE–16  Delivery and Removal  P2
PE  PE–17  Alternate Work Site  P2
PE  PE–18  Location of Information System Components  P3
PE  PE–19  Information Leakage  P0
PE  PE–20  Asset Monitoring and Tracking  P0

Planning
PL  PL–01  Security Planning Policy and Procedures  P1
PL  PL–02  System Security Plan  P1
PL  PL–03  Withdrawn  –––
PL  PL–04  Rules of Behavior  P2
PL  PL–05  Withdrawn  –––
PL  PL–06  Withdrawn  –––
PL  PL–07  Security Concept of Operations  P0
PL  PL–08  Information Security Architecture  P1

Page 16 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

Planning (continued)
PL  PL–09  Central Management  P0

Personnel Security
PS  PS–01  Personnel Security Policy and Procedures  P1
PS  PS–02  Position Risk Designation  P1
PS  PS–03  Personnel Screening  P1
PS  PS–04  Personnel Termination  P1
PS  PS–05  Personnel Transfer  P2
PS  PS–06  Access Agreements  P3
PS  PS–07  Third–Party Personnel Security  P1
PS  PS–08  Personnel Sanctions  P3

Risk Assessment
RA  RA–01  Risk Assessment Policy and Procedures  P1
RA  RA–02  Security Categorization  P1
RA  RA–03  Risk Assessment  P1
RA  RA–04  Withdrawn  –––
RA  RA–05  Vulnerability Scanning  P1
RA  RA–06  Technical Surveillance Countermeasures Survey  P0

System and Services Acquisition
SA  SA–01  System and Services Acquisition Policy and Procedures  P1
SA  SA–02  Allocation of Resources  P1
SA  SA–03  System Development Life Cycle  P1
SA  SA–04  Acquisition Process  P1
SA  SA–05  Information System Documentation  P2
SA  SA–06  Withdrawn  –––
SA  SA–07  Withdrawn  –––
SA  SA–08  Security Engineering Principles  P1
SA  SA–09  External Information System Services  P1
SA  SA–10  Developer Configuration Management  P1
SA  SA–11  Developer Security Testing and Evaluation  P1
SA  SA–12  Supply Chain Protection  P1
SA  SA–13  Trustworthiness  P0
SA  SA–14  Criticality Analysis  P0
SA  SA–15  Development Process, Standards, and Tools  P2
SA  SA–16  Developer–Provided Training  P2
SA  SA–17  Developer Security Architecture and Design  P1
SA  SA–18  Tamper Resistance and Detection  P0
SA  SA–19  Component Authenticity  P0
SA  SA–20  Customized Development of Critical Components  P0

Page 17 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

System and Services Acquisition (continued)
SA  SA–21  Developer Screening  P0
SA  SA–22  Unsupported System Components  P0

System and Communications Protection
SC  SC–01  System and Communications Protection Policy and Procedures  P1
SC  SC–02  Application Partitioning  P1
SC  SC–03  Security Function Isolation  P1
SC  SC–04  Information in Shared Resources  P1
SC  SC–05  Denial of Service Protection  P1
SC  SC–06  Resource Availability  P0
SC  SC–07  Boundary Protection  P1
SC  SC–08  Transmission Confidentiality and Integrity  P1
SC  SC–09  Withdrawn  –––
SC  SC–10  Network Disconnect  P2
SC  SC–11  Trusted Path  P0
SC  SC–12  Cryptographic Key Establishment and Management  P1
SC  SC–13  Cryptographic Protection  P1
SC  SC–14  Withdrawn  –––
SC  SC–15  Collaborative Computing Devices  P1
SC  SC–16  Transmission of Security Attributes  P0
SC  SC–17  Public Key Infrastructure Certificates  P1
SC  SC–18  Mobile Code  P2
SC  SC–19  Voice Over Internet Protocol  P1
SC  SC–20  Secure Name/Address Resolution Service (Authoritative Source)  P1
SC  SC–21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  P1
SC  SC–22  Architecture and Provisioning for Name/Address Resolution Service  P1
SC  SC–23  Session Authenticity  P1
SC  SC–24  Fail in Known State  P1
SC  SC–25  Thin Nodes  P0
SC  SC–26  Honeypots  P0
SC  SC–27  Platform–Independent Applications  P0
SC  SC–28  Protection of Information at Rest  P1
SC  SC–29  Heterogeneity  P0
SC  SC–30  Concealment and Misdirection  P0
SC  SC–31  Covert Channel Analysis  P0
SC  SC–32  Information System Partitioning  P0
SC  SC–33  Withdrawn  –––
SC  SC–34  Non–Modifiable Executable Programs  P0
SC  SC–35  Honeyclients  P0

Page 18 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

System and Communications Protection (continued)
SC  SC–36  Distributed Processing and Storage  P0
SC  SC–37  Out–of–Band Channels  P0
SC  SC–38  Operations Security  P0
SC  SC–39  Process Isolation  P1
SC  SC–40  Wireless Link Protection  P0
SC  SC–41  Port and I/O Device Access  P0
SC  SC–42  Sensor Capability and Data  P0
SC  SC–43  Usage Restrictions  P0
SC  SC–44  Detonation Chambers  P0

System and Information Integrity
SI  SI–01  System and Information Integrity Policy and Procedures  P1
SI  SI–02  Flaw Remediation  P1
SI  SI–03  Malicious Code Protection  P1
SI  SI–04  Information System Monitoring  P1
SI  SI–05  Security Alerts, Advisories, and Directives  P1
SI  SI–06  Security Function Verification  P1
SI  SI–07  Software, Firmware, and Information Integrity  P1
SI  SI–08  Spam Protection  P2
SI  SI–09  Withdrawn  –––
SI  SI–10  Information Input Validation  P1
SI  SI–11  Error Handling  P2
SI  SI–12  Information Handling and Retention  P2
SI  SI–13  Predictable Failure Prevention  P0
SI  SI–14  Non–Persistence  P0
SI  SI–15  Information Output Filtering  P0
SI  SI–16  Memory Protection  P1
SI  SI–17  Fail–Safe Procedures  P0

Program Management
PM  PM–01  Information Security Program Plan  P1
PM  PM–02  Senior Information Security Officer  P1
PM  PM–03  Information Security Resources  P1
PM  PM–04  Plan of Action and Milestones Process  P1
PM  PM–05  Information System Inventory  P1
PM  PM–06  Information Security Measures of Performance  P1
PM  PM–07  Enterprise Architecture  P1
PM  PM–08  Critical Infrastructure Plan  P1
PM  PM–09  Risk Management Strategy  P1
PM  PM–10  Security Authorization Process  P1

Page 19 of 69
Mapping NIST SP 800–53 Revision 4 to Critical Security Controls (CSC) v4.1
Sheet MAP_CSCv4.1_to_800‐53r4_SORT_ID, continued

Program Management (continued)
PM  PM–11  Mission/Business Process Definition  P1
PM  PM–12  Insider Threat Program  P1
PM  PM–13  Information Security Workforce  P1
PM  PM–14  Testing, Training, & Monitoring  P1
PM  PM–15  Contacts with Security Groups and Associations  P1
PM  PM–16  Threat Awareness Program  P1

Page 20 of 69
Map NIST Special Publication (SP) 800–53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications.
Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS (rows: Critical Security Controls with Total, then NIST 800 Series Special Publications; columns: NIST SP 800‐53 Rev. 4 controls by family, beginning with AC–01 through AU–08)

Critical Security Controls  Total
CSC–01  Inventory of Authorized & Unauthorized Devices  7
CSC–02  Inventory of Authorized and Unauthorized Software  10
CSC–03  Secure Configurations for Mobile Devices, Workstations, Servers  16
CSC–04  Continuous Vulnerability Assessment and Remediation  6
CSC–05  Malware Defenses  6
CSC–06  Application Software Security  15
CSC–07  Wireless Device Control  10
CSC–08  Data Recovery Capability  3
CSC–09  Security Skills Assessment and Appropriate Training to Fill Gaps  9
CSC–10  Secure Configurations for Network Infrastructure & Security Devices  12
CSC–11  Ports, Protocols, and Services Management  11
CSC–12  Controlled Use of Administrative Privileges  9
CSC–13  Boundary Defense  11
CSC–14  Maintenance, Monitoring & Analysis of Audit Logs  17
CSC–15  Controlled Access Based on the Need to Know  10
CSC–16  Account Monitoring and Control  11
CSC–17  Data Loss Prevention  13
CSC–18  Incident Response and Management  9
CSC–19  Secure Network Engineering  9
CSC–20  Penetration Tests and Red Team Exercises  9

NIST 800 Series Special Publications
SP 800-12  An Introduction to Computer Security: The NIST Handbook
SP 800-13  Telecommunications Security Guidelines for Telecommunications Manageme

Page 21 of 69
Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS, continued

NIST 800 Series Special Publications (continued)
SP 800-14  Generally Accepted Principles and Practices for Securing Information Techno
SP 800-15 Version 1  MISPC Minimum Interoperability Specification for PKI Components
SP 800-16  Information Technology Security Training Requirements: A Role- and Perform
SP 800-16 Rev. 1  DRAFT Information Security Training Requirements: A Role- and Performanc
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedure
SP 800-18 Rev.1  Guide for Developing Security Plans for Federal Information Systems
SP 800-19  Mobile Agent Security
SP 800-20  Modes of Operation Validation System for the Triple Data Encryption Algorith
SP 800-21 2nd edition  Guideline for Implementing Cryptography in the Federal Government
SP 800-22 Rev. 1a  A Statistical Test Suite for Random and Pseudorandom Number Generators f
SP 800-23  Guidelines to Federal Organizations on Security Assurance and Acquisition/U
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Auth
SP 800-27 Rev. A  Engineering Principles for Information Technology Security (A Baseline for A
SP 800-28 Version 2  Guidelines on Active Content and Mobile Code
SP 800-29  A Comparison of the Security Requirements for Cryptographic Modules in FI
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-30 Rev. 1  Guide for Conducting Risk Assessments
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-34 Rev. 1  Contingency Planning Guide for Federal Information Systems (Errata Page - 1
SP 800-35  Guide to Information Technology Security Services
SP 800-36  Guide to Selecting Information Technology Security Products

Page 22 of 69
Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS, continued

NIST 800 Series Special Publications (continued)
SP 800-37 Rev. 1  Guide for Applying the Risk Management Framework to Federal Information
SP 800-38 A  Recommendation for Block Cipher Modes of Operation - Methods and Techni
SP 800-38 A - Addendum  Recommendation for Block Cipher Modes of Operation: Three Variants of Cip
SP 800-38 B  Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A
SP 800-38 C  Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au
SP 800-38 D  Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
SP 800-38 E  Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f
SP 800-38 F  DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K
SP 800-39  Managing Information Security Risk: Organization, Mission, and Information
SP 800-40 Version 2.0  Creating a Patch and Vulnerability Management Program
SP 800-41 Rev. 1  Guidelines on Firewalls and Firewall Policy
SP 800-43  Systems Administration Guidance for Windows 2000 Professional System
SP 800-44 Version 2  Guidelines on Securing Public Web Servers
SP 800-45 Version 2  Guidelines on Electronic Mail Security
SP 800-46 Rev. 1  Guide to Enterprise Telework and Remote Access Security
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-48 Rev. 1  Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-50  Building an Information Technology Security Awareness and Training Progra
SP 800-51 Rev. 1  Guide to Using Vulnerability Naming Schemes
SP 800-52  Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple
SP 800-53 A Rev. 1  Guide for Assessing the Security Controls in Federal Information Systems an
SP 800-53 Rev. 3  Recommended Security Controls for Federal Information Systems and Organ

Page 23 of 69
  • 24. Page 24 of 69 (columns AC–01 through AU–08, as on page 22)
  - SP 800-53 Rev. 4: DRAFT Security and Privacy Controls for Federal Information Systems and O
  - SP 800-54: Border Gateway Protocol Security
  - SP 800-55 Rev. 1: Performance Measurement Guide for Information Security
  - SP 800-56 A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete L
  - SP 800-56 B: Recommendation for Pair-Wise Key Establishment Schemes Using Integer Fa
  - SP 800-56 C: Recommendation for Key Derivation through Extraction-then-Expansion
  - SP 800-57: Recommendation for Key Management
  - SP 800-57 Part 1: DRAFT Recommendation for Key Management: Part 1: General
  - SP 800-58: Security Considerations for Voice Over IP Systems
  - SP 800-59: Guideline for Identifying an Information System as a National Security Syste
  - SP 800-60 Rev. 1: Guide for Mapping Types of Information and Information Systems to Securit
  - SP 800-61 Rev. 1: Computer Security Incident Handling Guide
  - SP 800-61 Rev. 2: DRAFT Computer Security Incident Handling Guide
  - SP 800-63 Rev. 1: Electronic Authentication Guideline
  - SP 800-63 Version 1.0.2: Electronic Authentication Guideline
  - SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle
  - SP 800-65: Integrating IT Security into the Capital Planning and Investment Control Pro
  - SP 800-65 Rev. 1: DRAFT Recommendations for Integrating Information Security into the Capit
  - SP 800-66 Rev 1: An Introductory Resource Guide for Implementing the Health Insurance Port
  - SP 800-67 Rev. 1: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Ciph
  - SP 800-68 Rev. 1: Guide to Securing Microsoft Windows XP Systems for IT Professionals
  - SP 800-69: Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security
  - SP 800-70 Rev. 2: National Checklist Program for IT Products: Guidelines for Checklist Users an
  • 25. Page 25 of 69 (columns AC–01 through AU–08, as on page 22)
  - SP 800-72: Guidelines on PDA Forensics
  - SP 800-73 -3: Interfaces for Personal Identity Verification (4 Parts)
  - SP 800-76 -1: Biometric Data Specification for Personal Identity Verification
  - SP 800-76 -2: DRAFT Biometric Data Specification for Personal Identity Verification
  - SP 800-77: Guide to IPsec VPNs
  - SP 800-78 -3: Cryptographic Algorithms and Key Sizes for Personal Identification Verificatio
  - SP 800-79 -1: Guidelines for the Accreditation of Personal Identity Verification (PIV) Card I
  - SP 800-81 Rev. 1: Secure Domain Name System (DNS) Deployment Guide
  - SP 800-82: Guide to Industrial Control Systems (ICS) Security
  - SP 800-83: Guide to Malware Incident Prevention and Handling
  - SP 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
  - SP 800-85 A-2: PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3
  - SP 800-85 B: PIV Data Model Test Guidelines
  - SP 800-85 B-1: DRAFT PIV Data Model Conformance Test Guidelines
  - SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
  - SP 800-87 Rev 1: Codes for Identification of Federal and Federally-Assisted Organizations
  - SP 800-88: Guidelines for Media Sanitization
  - SP 800-89: Recommendation for Obtaining Assurances for Digital Signature Applications
  - SP 800-90 A: Recommendation for Random Number Generation Using Deterministic Rando
  - SP 800-92: Guide to Computer Security Log Management
  - SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
  - SP 800-95: Guide to Secure Web Services
  - SP 800-96: PIV Card to Reader Interoperability Guidelines
  • 26. Page 26 of 69 (columns AC–01 through AU–08, as on page 22)
  - SP 800-97: Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
  - SP 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems
  - SP 800-100: Information Security Handbook: A Guide for Managers
  - SP 800-101: Guidelines on Cell Phone Forensics
  - SP 800-102: Recommendation for Digital Signature Timeliness
  - SP 800-103: DRAFT An Ontology of Identity Credentials, Part I: Background and Formula
  - SP 800-104: A Scheme for PIV Visual Card Topography
  - SP 800-106: Randomized Hashing for Digital Signatures
  - SP 800-107: Recommendation for Applications Using Approved Hash Algorithms
  - SP 800-107 Revised: DRAFT Recommendation for Applications Using Approved Hash Algorithms
  - SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions
  - SP 800-111: Guide to Storage Encryption Technologies for End User Devices
  - SP 800-113: Guide to SSL VPNs
  - SP 800-114: User's Guide to Securing External Devices for Telework and Remote Access
  - SP 800-115: Technical Guide to Information Security Testing and Assessment
  - SP 800-116: A Recommendation for the Use of PIV Credentials in Physical Access Control
  - SP 800-117: Guide to Adopting and Using the Security Content Automation Protocol (SCA
  - SP 800-117 Rev. 1: DRAFT Guide to Adopting and Using the Security Content Automation Protoc
  - SP 800-118: DRAFT Guide to Enterprise Password Management
  - SP 800-119: Guidelines for the Secure Deployment of IPv6
  - SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authent
  - SP 800-121 Rev. 1: Guide to Bluetooth Security
  - SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information
  • 27. Page 27 of 69 (columns AC–01 through AU–08, as on page 22)
  - SP 800-123: Guide to General Server Security
  - SP 800-124: Guidelines on Cell Phone and PDA Security
  - SP 800-125: Guide to Security for Full Virtualization Technologies
  - SP 800-126: The Technical Specification for the Security Content Automation Protocol (SC
  - SP 800-126 Rev. 1: The Technical Specification for the Security Content Automation Protocol (SC
  - SP 800-126 Rev. 2: The Technical Specification for the Security Content Automation Protocol (SC
  - SP 800-127: Guide to Securing WiMAX Wireless Communications
  - SP 800-128: Guide for Security-Focused Configuration Management of Information Syste
  - SP 800-130: DRAFT A Framework for Designing Cryptographic Key Management Systems
  - SP 800-131 A: Transitions: Recommendation for Transitioning the Use of Cryptographic Alg
  - SP 800-131 B: DRAFT Transitions: Validation of Transitioning Cryptographic Algorithm and
  - SP 800-131 C: DRAFT Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3
  - SP 800-132: Recommendation for Password-Based Key Derivation Part 1: Storage Applica
  - SP 800-133: DRAFT Recommendation for Cryptographic Key Generation
  - SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions
  - SP 800-137: Information Security Continuous Monitoring for Federal Information Systems
  - SP 800-142: Practical Combinatorial Testing
  - SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
  - SP 800-145: A NIST Definition of Cloud Computing
  - SP 800-146: Cloud Computing Synopsis and Recommendations
  - SP 800-147: Basic Input/Output System (BIOS) Protection Guidelines
  - SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)
  - SP 800-155: DRAFT BIOS Integrity Measurement Guidelines
  • 28. Page 28 of 69. Second column block of the matrix (AU–09 through CP–09); the rows restart with the twenty Critical Security Controls and their Total column, then the NIST 800 Series Special Publications. Only the row labels, the Total values and the column labels survive the extraction; the per-cell X marks do not.

  Column headings on pages 28 to 30:
  Critical Security Controls; CSC; Total; ?
  Audit & Accountability (AU): AU–09 Protection of Audit Information; AU–10 Non–repudiation; AU–11 Audit Record Retention; AU–12 Audit Generation; AU–13 Monitoring for Information Disclosure; AU–14 Session Audit; AU–15 Alternate Audit Capability; AU–16 Cross–Organizational Auditing
  Security Assessment and Authorization (CA): CA–01 Security Assessment and Authorization Policies and Pro; CA–02 Security Assessments; CA–03 System Interconnections; CA–04 Withdrawn; CA–05 Plan of Action and Milestones; CA–06 Security Authorization; CA–07 Continuous Monitoring; CA–08 Penetration Testing; CA–09 Internal System Connections
  Configuration Management (CM): CM–01 Configuration Management Policy and Procedures; CM–02 Baseline Configuration; CM–03 Configuration Change Control; CM–04 Security Impact Analysis; CM–05 Access Restrictions for Change; CM–06 Configuration Settings; CM–07 Least Functionality; CM–08 Information System Component Inventory; CM–09 Configuration Management Plan; CM–10 Software Usage Restrictions; CM–11 User–Installed Software
  Contingency Planning (CP): CP–01 Contingency Planning Policy and Procedures; CP–02 Contingency Plan; CP–03 Contingency Training; CP–04 Contingency Plan Testing; CP–05 Withdrawn; CP–06 Alternate Storage Site; CP–07 Alternate Processing Site; CP–08 Telecommunications Services; CP–09 Information System Backup

  Critical Security Controls (Total = number of SP 800-53 controls mapped to the CSC):
  - CSC–01 Inventory of Authorized & Unauthorized Devices: Total 7
  - CSC–02 Inventory of Authorized and Unauthorized Software: Total 10
  - CSC–03 Secure Configurations for Mobile Devices, Workstations, Servers: Total 16
  - CSC–04 Continuous Vulnerability Assessment and Remediation: Total 6
  - CSC–05 Malware Defenses: Total 6
  - CSC–06 Application Software Security
  - CSC–07 Wireless Device Control: Total 10
  - CSC–08 Data Recovery Capability
  - CSC–09 Security Skills Assessment and Appropriate Training to Fill Gaps: Total 9
  - CSC–10 Secure Configurations for Network Infrastructure & Security Devices: Total 12
  - CSC–11: Total 11
  - CSC–12: Total 9
  - CSC–13: Total 11
  - CSC–14: Total 17
  - CSC–15: Total 10
  - CSC–16: Total 11
  - CSC–17: Total 13
  - CSC–18: Total 9
  - CSC–19: Total 9
  - CSC–20: Total 9

  NIST 800 Series Special Publications:
  - SP 800-12: An Introduction to Computer Security: The NIST Handbook
  - SP 800-13: Telecommunications Security Guidelines for Telecommunications Manageme
  • 29. Page 29 of 69 (columns AU–09 through CP–09, as on page 28)
  - SP 800-14: Generally Accepted Principles and Practices for Securing Information Techno
  - SP 800-15 Version 1: MISPC Minimum Interoperability Specification for PKI Components
  - SP 800-16: Information Technology Security Training Requirements: A Role- and Perform
  - SP 800-16 Rev. 1: DRAFT Information Security Training Requirements: A Role- and Performanc
  - SP 800-17: Modes of Operation Validation System (MOVS): Requirements and Procedure
  - SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
  - SP 800-19: Mobile Agent Security
  - SP 800-20: Modes of Operation Validation System for the Triple Data Encryption Algorith
  - SP 800-21 2nd edition: Guideline for Implementing Cryptography in the Federal Government
  - SP 800-22 Rev. 1a: A Statistical Test Suite for Random and Pseudorandom Number Generators f
  - SP 800-23: Guidelines to Federal Organizations on Security Assurance and Acquisition/U
  - SP 800-24: PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D
  - SP 800-25: Federal Agency Use of Public Key Technology for Digital Signatures and Auth
  - SP 800-27 Rev. A: Engineering Principles for Information Technology Security (A Baseline for A
  - SP 800-28 Version 2: Guidelines on Active Content and Mobile Code
  - SP 800-29: A Comparison of the Security Requirements for Cryptographic Modules in FI
  - SP 800-30: Risk Management Guide for Information Technology Systems
  - SP 800-30 Rev. 1: Guide for Conducting Risk Assessments
  - SP 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure
  - SP 800-33: Underlying Technical Models for Information Technology Security
  - SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems (Errata Page -
  - SP 800-35: Guide to Information Technology Security Services
  - SP 800-36: Guide to Selecting Information Technology Security Products
  • 30. Page 30 of 69 (columns AU–09 through CP–09, as on page 28)
  - SP 800-37 Rev. 1: Guide for Applying the Risk Management Framework to Federal Information
  - SP 800-38 A: Recommendation for Block Cipher Modes of Operation - Methods and Techni
  - SP 800-38 A - Addendum: Recommendation for Block Cipher Modes of Operation: Three Variants of Cip
  - SP 800-38 B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A
  - SP 800-38 C: Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au
  - SP 800-38 D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
  - SP 800-38 E: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f
  - SP 800-38 F: DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K
  - SP 800-39: Managing Information Security Risk: Organization, Mission, and Information
  - SP 800-40 Version 2.0: Creating a Patch and Vulnerability Management Program
  - SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy
  - SP 800-43: Systems Administration Guidance for Windows 2000 Professional System
  - SP 800-44 Version 2: Guidelines on Securing Public Web Servers
  - SP 800-45 Version 2: Guidelines on Electronic Mail Security
  - SP 800-46 Rev. 1: Guide to Enterprise Telework and Remote Access Security
  - SP 800-47: Security Guide for Interconnecting Information Technology Systems
  - SP 800-48 Rev. 1: Guide to Securing Legacy IEEE 802.11 Wireless Networks
  - SP 800-49: Federal S/MIME V3 Client Profile
  - SP 800-50: Building an Information Technology Security Awareness and Training Progra
  - SP 800-51 Rev. 1: Guide to Using Vulnerability Naming Schemes
  - SP 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple
  - SP 800-53 A Rev. 1: Guide for Assessing the Security Controls in Federal Information Systems an
  - SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organ