Map the Critical Security Controls v4.1 to NIST SP 800-53 Rev. 4
http://www.counciloncybersecurity.org
Source workbook: Critical Security Controls v4 1 Mapped to NIST 800-53 rev4-Final_R6.xlsx (Page 1 of 69)

Each Critical Security Control (CSC) is listed with the NIST SP 800-53 Rev. 4 controls mapped to it (control ID, control name).

CSC-01  Inventory of Authorized & Unauthorized Devices
  CA-07  Continuous Monitoring
  CM-08  Information System Component Inventory
  IA-03  Device Identification and Authentication
  SA-04  Acquisition Process
  SC-17  Public Key Infrastructure Certificates
  SI-04  Information System Monitoring
  PM-05  Information System Inventory

CSC-02  Inventory of Authorized and Unauthorized Software
  CA-07  Continuous Monitoring
  CM-02  Baseline Configuration
  CM-08  Information System Component Inventory
  CM-10  Software Usage Restrictions
  CM-11  User-Installed Software
  SA-04  Acquisition Process
  SC-18  Mobile Code
  SC-34  Non-Modifiable Executable Programs
  SI-04  Information System Monitoring
  PM-05  Information System Inventory

CSC-03  Secure Configurations for Mobile Devices, Workstations, Servers
  CA-07  Continuous Monitoring
  CM-02  Baseline Configuration
  CM-03  Configuration Change Control
  CM-05  Access Restrictions for Change
  CM-06  Configuration Settings
  CM-07  Least Functionality
  CM-08  Information System Component Inventory
  CM-09  Configuration Management Plan
  CM-11  User-Installed Software
  MA-04  Nonlocal Maintenance
  RA-05  Vulnerability Scanning
  SA-04  Acquisition Process
  SC-15  Collaborative Computing Devices
  SC-34  Non-Modifiable Executable Programs
  SI-02  Flaw Remediation
  SI-04  Information System Monitoring

CSC-04  Continuous Vulnerability Assessment and Remediation
  CA-02  Security Assessments
  CA-07  Continuous Monitoring
  RA-05  Vulnerability Scanning
  SC-34  Non-Modifiable Executable Programs
  SI-04  Information System Monitoring
  SI-07  Software, Firmware, and Information Integrity

CSC-05  Malware Defenses
  CA-07  Continuous Monitoring
  SC-39  Process Isolation
  SC-44  Detonation Chambers
  SI-03  Malicious Code Protection
  SI-04  Information System Monitoring
  SI-08  Spam Protection

CSC-06  Application Software Security
  RA-05  Vulnerability Scanning
  SA-03  System Development Life Cycle
  SA-10  Developer Configuration Management
  SA-11  Developer Security Testing and Evaluation
  SA-13  Trustworthiness
  SA-15  Development Process, Standards, and Tools
  SA-16  Developer-Provided Training
  SA-17  Developer Security Architecture and Design
  SA-20  Customized Development of Critical Components
  SA-21  Developer Screening
  SC-39  Process Isolation
  SI-10  Information Input Validation
  SI-11  Error Handling
  SI-15  Information Output Filtering
  SI-16  Memory Protection

CSC-07  Wireless Device Control
  AC-18  Wireless Access
  AC-19  Access Control for Mobile Devices
  CA-03  System Interconnections
  CA-07  Continuous Monitoring
  CM-02  Baseline Configuration
  IA-03  Device Identification and Authentication
  SC-08  Transmission Confidentiality and Integrity
  SC-17  Public Key Infrastructure Certificates
  SC-40  Wireless Link Protection
  SI-04  Information System Monitoring

CSC-08  Data Recovery Capability
  CP-09  Information System Backup
  CP-10  Information System Recovery and Reconstitution
  MP-04  Media Storage

CSC-09  Security Skills Assessment and Appropriate Training to Fill Gaps
  AT-01  Security Awareness and Training Policy and Procedures
  AT-02  Security Awareness Training
  AT-03  Role-Based Security Training
  AT-04  Security Training Records
  SA-11  Developer Security Testing and Evaluation
  SA-16  Developer-Provided Training
  PM-13  Information Security Workforce
  PM-14  Testing, Training, & Monitoring
  PM-16  Threat Awareness Program

CSC-10  Secure Configurations for Network Infrastructure & Security Devices
  AC-04  Information Flow Enforcement
  CA-03  System Interconnections
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  CM-02  Baseline Configuration
  CM-03  Configuration Change Control
  CM-05  Access Restrictions for Change
  CM-06  Configuration Settings
  CM-08  Information System Component Inventory
  MA-04  Nonlocal Maintenance
  SC-24  Fail in Known State
  SI-04  Information System Monitoring

CSC-11  Ports, Protocols, and Services Management
  AC-04  Information Flow Enforcement
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  CM-02  Baseline Configuration
  CM-06  Configuration Settings
  CM-08  Information System Component Inventory
  SC-20  Secure Name/Address Resolution Service (Authoritative Source)
  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  SC-22  Architecture and Provisioning for Name/Address Resolution Service
  SC-41  Port and I/O Device Access
  SI-04  Information System Monitoring

CSC-12  Controlled Use of Administrative Privileges
  AC-02  Account Management
  AC-06  Least Privilege
  AC-17  Remote Access
  AC-19  Access Control for Mobile Devices
  CA-07  Continuous Monitoring
  IA-02  Identification and Authentication (Organizational Users)
  IA-04  Identifier Management
  IA-05  Authenticator Management
  SI-04  Information System Monitoring

CSC-13  Boundary Defense
  AC-04  Information Flow Enforcement
  AC-17  Remote Access
  AC-20  Use of External Information Systems
  CA-03  System Interconnections
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  CM-02  Baseline Configuration
  SA-09  External Information System Services
  SC-07  Boundary Protection
  SC-08  Transmission Confidentiality and Integrity
  SI-04  Information System Monitoring

CSC-14  Maintenance, Monitoring and Analysis of Audit Logs
  AC-23  Data Mining Protection
  AU-02  Audit Events
  AU-03  Content of Audit Records
  AU-04  Audit Storage Capacity
  AU-05  Response to Audit Processing Failures
  AU-06  Audit Review, Analysis, and Reporting
  AU-07  Audit Reduction and Report Generation
  AU-08  Time Stamps
  AU-09  Protection of Audit Information
  AU-10  Non-repudiation
  AU-11  Audit Record Retention
  AU-12  Audit Generation
  AU-13  Monitoring for Information Disclosure
  AU-14  Session Audit
  CA-07  Continuous Monitoring
  IA-10  Adaptive Identification and Authentication
  SI-04  Information System Monitoring

CSC-15  Controlled Access Based on the Need to Know
  AC-01  Access Control Policy and Procedures
  AC-02  Account Management
  AC-03  Access Enforcement
  AC-06  Least Privilege
  AC-24  Access Control Decisions
  CA-07  Continuous Monitoring
  MP-03  Media Marking
  RA-02  Security Categorization
  SC-16  Transmission of Security Attributes
  SI-04  Information System Monitoring

CSC-16  Account Monitoring and Control
  AC-02  Account Management
  AC-03  Access Enforcement
  AC-07  Unsuccessful Logon Attempts
  AC-11  Session Lock
  AC-12  Session Termination
  CA-07  Continuous Monitoring
  IA-05  Authenticator Management
  IA-10  Adaptive Identification and Authentication
  SC-17  Public Key Infrastructure Certificates
  SC-23  Session Authenticity
  SI-04  Information System Monitoring

CSC-17  Data Loss Prevention
  AC-03  Access Enforcement
  AC-04  Information Flow Enforcement
  AC-23  Data Mining Protection
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  IR-09  Information Spillage Response
  MP-05  Media Transport
  SA-18  Tamper Resistance and Detection
  SC-08  Transmission Confidentiality and Integrity
  SC-28  Protection of Information at Rest
  SC-31  Covert Channel Analysis
  SC-41  Port and I/O Device Access
  SI-04  Information System Monitoring

CSC-18  Incident Response and Management
  IR-01  Incident Response Policy and Procedures
  IR-02  Incident Response Training
  IR-03  Incident Response Testing
  IR-04  Incident Handling
  IR-05  Incident Monitoring
  IR-06  Incident Reporting
  IR-07  Incident Response Assistance
  IR-08  Incident Response Plan
  IR-10  Integrated Information Security Analysis Team

CSC-19  Secure Network Engineering
  AC-04  Information Flow Enforcement
  CA-03  System Interconnections
  CA-09  Internal System Connections
  SA-08  Security Engineering Principles
  SC-20  Secure Name/Address Resolution Service (Authoritative Source)
  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  SC-22  Architecture and Provisioning for Name/Address Resolution Service
  SC-32  Information System Partitioning
  SC-37  Out-of-Band Channels

CSC-20  Penetration Tests and Red Team Exercises
  PM-16  Threat Awareness Program
  CA-02  Security Assessments
  CA-05  Plan of Action and Milestones
  CA-06  Security Authorization
  CA-08  Penetration Testing
  RA-06  Technical Surveillance Countermeasures Survey
  SI-06  Security Function Verification
  PM-06  Information Security Measures of Performance
  PM-14  Testing, Training, & Monitoring
7. Print Date: 3/1/2014, 12:02 PM
CNT:
203
7
10
16
6
6
15
10
3
9
Bl CSC
Inventory of Authorized & Unauthorized Devices
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
12
#
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
Inventory of Authorized and Unauthorized Software
MAP_CSCv4.1_to_800‐53r4_SORTCSC
11
9
11
17
10
11
13
9
9
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Ports, Protocols, and Services Management
CSC
Controlled Use of Administrative Privileges
CSC–01 X
CSC–06 X
CSC–11 X
Boundary Defense
CSC
CSC
CSC
Maintenance, Monitoring & Analysis of Audit Logs
CSC–02 X
CSC–07 X
CSC–12 X
Controlled Access Based on the Need to Know
CSC
CSC
CSC
Account Monitoring and Control
CSC–03 X
CSC–08 X
CSC–13 X
Data Loss Prevention
CSC
CSC
CSC
Incident Response and Management
CSC–04 X
CSC–09 X
CSC–14 X
Secure Network Engineering
CSC
CSC
CSC
9
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Penetration Tests and Red Team Exercises
CSC–05 X
Secure Configurations for Network Infrastructure & Security Devices
PRI
01
02
03
04
05
06
07
08
09
10
11
12
01
CSC
02
03
04
05
06
CSC
07
08
09
10
CSC–10 X
13
14
15
11
CSC
CSC–16
12
CSC
CSC–17
13
CSC
CSC–18
14
CSC
CSC–19
15
CSC
CSC–15 X
16
17
18
19
CSC–20
20
CNT
ID–CN
NIST_SP_800-53_REV_4_CONTROL_NAME
1
CSC–01
CA–07
Continuous Monitoring
P3
X
S
S
2
CSC–01
CM–08
Information System Component Inventory
P1
X
S
S
3
CSC–01
IA–03
Device Identification and Authentication
P1
X
4
CSC–01
SA–04
Acquisition Process
P1
X
5
CSC–01
SC–17
Public Key Infrastructure Certificates
P1
X
6
CSC–01
SI–04
Information System Monitoring
P1
X
7
CSC–01
PM–05
Information System Inventory
P1
X
S
8
CSC–02
CA–07
Continuous Monitoring
P3
S
9
CSC–02
CM–02
Baseline Configuration
P1
10
CSC–02
CM–08
Information System Component Inventory
P1
11
CSC–02
CM–10
Software Usage Restrictions
P2
X
12
CSC–02
CM–11
User–Installed Software
P1
X
S
2
13
CSC–02
SA–04
Acquisition Process
P1
X
S
3
14
CSC–02
SC–18
Mobile Code
P2
X
15
CSC–02
SC–34
Non–Modifiable Executable Programs
P0
X
S
S
16
CSC–02
SI–04
Information System Monitoring
P1
S
X
S
S
S
S
S
S
S
S
S
S
S
S
14
17
CSC–02
PM–05
Information System Inventory
P1
S
X
18
CSC–03
CA–07
Continuous Monitoring
P3
S
S
X
S
S
S
S
S
S
S
S
S
S
S
14
19
CSC–03
CM–02
Baseline Configuration
P1
S
S
20
CSC–03
CM–03
Configuration Change Control
P1
X
S
21
CSC–03
CM–05
Access Restrictions for Change
P1
X
S
22
CSC–03
CM–06
Configuration Settings
P1
X
S
S
3
23
CSC–03
CM–07
Least Functionality
P1
X
24
CSC–03
CM–08
Information System Component Inventory
P1
S
S
5
25
CSC–03
CM–09
Configuration Management Plan
P1
26
CSC–03
CM–11
User–Installed Software
P1
27
CSC–03
MA–04
Nonlocal Maintenance
P1
X
28
CSC–03
RA–05
Vulnerability Scanning
P1
X
29
CSC–03
SA–04
Acquisition Process
P1
30
CSC–03
SC–15
Collaborative Computing Devices
P1
31
CSC–03
SC–34
Non–Modifiable Executable Programs
P0
32
CSC–03
SI–02
Flaw Remediation
P1
33
CSC–03
SI–04
Information System Monitoring
P1
34
CSC–04
CA–02
Security Assessments
P2
35
CSC–04
CA–07
Continuous Monitoring
P3
36
CSC–04
RA–05
Vulnerability Scanning
P1
37
CSC–04
SC–34
Non–Modifiable Executable Programs
P0
Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
S
S
S
S
S
S
S
S
S
S
S
S
S
14
5
S
S
2
S
3
S
3
S
S
S
S
S
S
S
S
S
S
S
S
S
14
X
S
S
S
S
S
S
S
S
S
S
S
S
14
X
S
S
S
S
S
S
S
X
S
S
S
S
S
S
2
S
6
5
1
1
3
2
X
S
S
6
2
2
1
X
X
S
S
S
1
X
2
S
S
2
S
3
X
3
X
S
X
1
S
3
X
1
S
S
X
S
S
S
S
X
S
X
S
X
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
X
S
Page 7 of 69
14
S
S
2
14
3
3
8. Print Date: 3/1/2014, 12:02 PM
CNT:
203
7
10
16
6
6
15
10
3
9
Bl CSC
Inventory of Authorized & Unauthorized Devices
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
12
#
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
Inventory of Authorized and Unauthorized Software
MAP_CSCv4.1_to_800‐53r4_SORTCSC
11
9
11
17
10
11
13
9
9
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Ports, Protocols, and Services Management
CSC
Controlled Use of Administrative Privileges
CSC–01 X
CSC–06 X
CSC–11 X
Boundary Defense
CSC
CSC
CSC
Maintenance, Monitoring & Analysis of Audit Logs
CSC–02 X
CSC–07 X
CSC–12 X
Controlled Access Based on the Need to Know
CSC
CSC
CSC
Account Monitoring and Control
CSC–03 X
CSC–08 X
CSC–13 X
Data Loss Prevention
CSC
CSC
CSC
Incident Response and Management
CSC–04 X
CSC–09 X
CSC–14 X
Secure Network Engineering
CSC
CSC
CSC
9
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Penetration Tests and Red Team Exercises
CSC–05 X
Secure Configurations for Network Infrastructure & Security Devices
PRI
01
02
03
04
05
ID–CN
NIST_SP_800-53_REV_4_CONTROL_NAME
38
CSC–04
SI–04
Information System Monitoring
P1
39
CSC–04
SI–07
Software, Firmware, and Information Integrity
P1
40
CSC–05
CA–07
Continuous Monitoring
P3
41
CSC–05
SC–39
Process Isolation
P1
X
42
CSC–05
SC–44
Detonation Chambers
P0
CSC–05
SI–03
Malicious Code Protection
P1
CSC–05
SI–04
Information System Monitoring
P1
45
CSC–05
SI–08
Spam Protection
P2
46
CSC–06
RA–05
Vulnerability Scanning
P1
47
CSC–06
SA–03
System Development Life Cycle
48
CSC–06
SA–10
Developer Configuration Management
49
CSC–06
SA–11
50
CSC–06
51
CSC–06
52
08
09
10
11
12
02
03
04
05
06
CSC
07
08
09
10
CSC–10 X
13
14
15
11
CSC
CSC–16
12
CSC
CSC–17
13
CSC
CSC–18
14
CSC
CSC–19
15
CSC
CSC–15 X
16
17
18
CSC–20
19
X
44
07
CSC
X
43
06
01
S
S
S
X
S
S
S
S
S
S
S
S
CNT
S
S
S
S
S
S
S
S
S
14
X
S
S
S
S
S
S
S
S
S
14
X
S
20
S
1
S
S
2
1
1
X
S
S
S
S
S
S
S
S
S
14
X
1
X
3
P1
X
1
P1
X
Developer Security Testing and Evaluation
P1
X
SA–13
Trustworthiness
P0
X
SA–15
Development Process, Standards, and Tools
P2
X
CSC–06
SA–16
Developer–Provided Training
P2
X
53
CSC–06
SA–17
Developer Security Architecture and Design
P1
X
1
54
CSC–06
SA–20
Customized Development of Critical Components
P0
X
1
55
CSC–06
SA–21
Developer Screening
P0
X
1
56
CSC–06
SC–39
Process Isolation
P1
X
2
57
CSC–06
SI–10
Information Input Validation
P1
X
1
58
CSC–06
SI–11
Error Handling
P2
X
1
59
CSC–06
SI–15
Information Output Filtering
P0
X
1
60
CSC–06
SI–16
Memory Protection
P1
X
61
CSC–07
AC–18
Wireless Access
P1
X
62
CSC–07
AC–19
Access Control for Mobile Devices
P1
X
63
CSC–07
CA–03
System Interconnections
P1
64
CSC–07
CA–07
Continuous Monitoring
P3
65
CSC–07
CM–02
Baseline Configuration
P1
66
CSC–07
IA–03
Device Identification and Authentication
P1
67
CSC–07
SC–08
Transmission Confidentiality and Integrity
P1
68
CSC–07
SC–17
Public Key Infrastructure Certificates
P1
69
CSC–07
SC–40
Wireless Link Protection
P0
70
CSC–07
SI–04
Information System Monitoring
P1
71
CSC–08
CP–09
Information System Backup
P1
X
1
72
CSC–08
CP–10
Information System Recovery and Reconstitution
P1
X
1
73
CSC–08
MP–04
Media Storage
P1
X
1
Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
S
1
S
2
1
1
S
2
1
1
S
X
S
S
S
S
S
S
S
S
X
S
S
X
S
S
S
2
S
S
S
S
S
S
S
S
S
6
X
2
X
S
S
S
X
S
S
S
Page 8 of 69
S
S
3
3
X
S
4
14
1
X
S
S
S
S
S
S
S
S
14
9. Print Date: 3/1/2014, 12:02 PM
CNT:
203
7
10
16
6
6
15
10
3
9
Inventory of Authorized and Unauthorized Software
MAP_CSCv4.1_to_800‐53r4_SORTCSC
11
9
11
17
10
11
13
9
9
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Ports, Protocols, and Services Management
CSC
Controlled Use of Administrative Privileges
CSC–01 X
CSC–06 X
CSC–11 X
Boundary Defense
CSC
CSC
CSC
Maintenance, Monitoring & Analysis of Audit Logs
CSC–02 X
CSC–07 X
CSC–12 X
Controlled Access Based on the Need to Know
CSC
CSC
CSC
Account Monitoring and Control
CSC–03 X
CSC–08 X
CSC–13 X
Data Loss Prevention
CSC
CSC
CSC
Incident Response and Management
CSC–04 X
CSC–09 X
CSC–14 X
Secure Network Engineering
CSC
CSC
CSC
9
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Penetration Tests and Red Team Exercises
CSC–05 X
02
04
Secure Configurations for Network Infrastructure & Security Devices
PRI
01
03
05
06
07
08
09
10
11
12
01
CSC
02
03
04
05
06
CSC
07
08
09
10
CSC–10 X
13
14
15
11
CSC
CSC–16
12
CSC
CSC–17
13
CSC
CSC–18
14
CSC
CSC–19
15
CSC
CSC–15 X
16
17
18
CSC–20
19
20
CNT
ID–CN
NIST_SP_800-53_REV_4_CONTROL_NAME
74
CSC–09
AT–01
Security Awareness and Training Policy and Procedures
P1
X
1
75
CSC–09
AT–02
Security Awareness Training
P1
X
1
76
CSC–09
AT–03
Role–Based Security Training
P1
X
1
77
CSC–09
AT–04
Security Training Records
P3
X
1
78
CSC–09
SA–11
Developer Security Testing and Evaluation
P1
S
X
2
79
CSC–09
SA–16
Developer–Provided Training
P2
S
X
2
80
CSC–09
PM–13
Information Security Workforce
P1
X
81
CSC–09
PM–14
Testing, Training, & Monitoring
P1
X
82
CSC–09
PM–16
Threat Awareness Program
P1
X
83
CSC–10
AC–04
Information Flow Enforcement
P1
84
CSC–10
CA–03
System Interconnections
P1
85
CSC–10
CA–07
Continuous Monitoring
P3
86
CSC–10
CA–09
Internal System Connections
P2
87
CSC–10
CM–02
Baseline Configuration
P1
88
CSC–10
CM–03
Configuration Change Control
P1
S
X
89
CSC–10
CM–05
Access Restrictions for Change
P1
S
X
90
CSC–10
CM–06
Configuration Settings
P1
S
X
S
91
CSC–10
CM–08
Information System Component Inventory
P1
S
X
S
92
CSC–10
MA–04
Nonlocal Maintenance
P1
S
X
93
CSC–10
SC–24
Fail in Known State
P1
94
CSC–10
SI–04
Information System Monitoring
P1
95
CSC–11
AC–04
Information Flow Enforcement
P1
96
CSC–11
CA–07
Continuous Monitoring
P3
97
CSC–11
CA–09
Internal System Connections
P2
98
CSC–11
CM–02
Baseline Configuration
P1
99
CSC–11
CM–06
Configuration Settings
P1
100
CSC–11
CM–08
Information System Component Inventory
P1
101
CSC–11
SC–20
Secure Name /Address Resolution Service (Authoritative Source)
P1
X
S
CSC–11
SC–21
Secure Name /Address Resolution Service (Recursive or Caching Resolver)
P1
X
S
103
CSC–11
SC–22
Architecture and Provisioning for Name/Address Resolution Service
P1
X
S
104
CSC–11
SC–41
Port and I/O Device Access
P0
X
105
CSC–11
SI–04
Information System Monitoring
P1
106
CSC–12
AC–02
Account Management
P1
107
CSC–12
AC–06
Least Privilege
P1
108
CSC–12
AC–17
Remote Access
P1
X
109
CSC–12
AC–19
Access Control for Mobile Devices
P1
102
Bl CSC
Inventory of Authorized & Unauthorized Devices
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
12
#
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
1
S
1
X
S
S
S
S
S
S
S
S
S
S
S
X
S
X
S
X
S
S
S
S
S
X
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
3
5
2
1
S
X
S
X
X
S
S
X
S
S
S
S
S
S
S
X
S
S
X
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
14
S
S
S
5
14
S
5
6
3
5
2
2
2
S
S
S
S
S
X
Page 9 of 69
X
S
X
S
S
5
6
2
S
S
4
2
X
S
5
14
X
S
2
S
S
X
S
S
S
2
S
14
3
2
2
2
10. Print Date: 3/1/2014, 12:02 PM
CNT:
203
7
10
16
6
6
15
10
3
9
Bl CSC
Inventory of Authorized & Unauthorized Devices
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
12
#
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
Inventory of Authorized and Unauthorized Software
MAP_CSCv4.1_to_800‐53r4_SORTCSC
11
9
11
17
10
11
13
9
9
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Ports, Protocols, and Services Management
CSC
Controlled Use of Administrative Privileges
CSC–01 X
CSC–06 X
CSC–11 X
Boundary Defense
CSC
CSC
CSC
Maintenance, Monitoring & Analysis of Audit Logs
CSC–02 X
CSC–07 X
CSC–12 X
Controlled Access Based on the Need to Know
CSC
CSC
CSC
Account Monitoring and Control
CSC–03 X
CSC–08 X
CSC–13 X
Data Loss Prevention
CSC
CSC
CSC
Incident Response and Management
CSC–04 X
CSC–09 X
CSC–14 X
Secure Network Engineering
CSC
CSC
CSC
9
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Penetration Tests and Red Team Exercises
CSC–05 X
Secure Configurations for Network Infrastructure & Security Devices
PRI
01
02
03
04
05
06
07
08
09
10
11
12
01
CSC
02
03
04
05
06
CSC
07
08
09
10
CSC–10 X
13
14
15
11
CSC
CSC–16
12
CSC
CSC–17
13
CSC
CSC–18
14
CSC
CSC–19
15
CSC
CSC–15 X
16
17
18
CSC–20
19
20
CNT
ID–CN
NIST_SP_800-53_REV_4_CONTROL_NAME
110
CSC–12
CA–07
Continuous Monitoring
P3
111
CSC–12
IA–02
Identification and Authentication (Organizational Users)
P1
X
112
CSC–12
IA–04
Identifier Management
P1
X
113
CSC–12
IA–05
Authenticator Management
P1
X
114
CSC–12
SI–04
Information System Monitoring
P1
115
CSC–13
AC–04
Information Flow Enforcement
P1
116
CSC–13
AC–17
Remote Access
P1
117
CSC–13
AC–20
Use of External Information Systems
P1
118
CSC–13
CA–03
System Interconnections
P1
119
CSC–13
CA–07
Continuous Monitoring
P3
120
CSC–13
CA–09
Internal System Connections
P2
121
CSC–13
CM–02
Baseline Configuration
P1
122
CSC–13
SA–09
External Information System Services
123
CSC–13
SC–07
Boundary Protection
124
CSC–13
SC–08
Transmission Confidentiality and Integrity
P1
125
CSC–13
SI–04
Information System Monitoring
P1
126
CSC–14
AC–23
Data Mining Protection
P0
X
127
CSC–14
AU–02
Audit Events
P1
X
1
128
CSC–14
AU–03
Content of Audit Records
P1
X
1
129
CSC–14
AU–04
Audit Storage Capacity
P1
X
1
130
CSC–14
AU–05
Response to Audit Processing Failures
P1
X
1
131
CSC–14
AU–06
Audit Review, Analysis, and Reporting
P1
X
1
132
CSC–14
AU–07
Audit Reduction and Report Generation
P2
X
1
133
CSC–14
AU–08
Time Stamps
P1
X
1
134
CSC–14
AU–09
Protection of Audit Information
P1
X
1
135
CSC–14
AU–10
Non–repudiation
P1
X
1
136
CSC–14
AU–11
Audit Record Retention
P3
X
1
137
CSC–14
AU–12
Audit Generation
P1
X
1
138
CSC–14
AU–13
Monitoring for Information Disclosure
P0
X
1
139
CSC–14
AU–14
Session Audit
P0
X
140
CSC–14
CA–07
Continuous Monitoring
P3
141
CSC–14
IA–10
Adaptive Identification and Authentication
P0
142
CSC–14
SI–04
Information System Monitoring
P1
143
CSC–15
AC–01
Access Control Policy and Procedures
P1
144
CSC–15
AC–02
Account Management
P1
145
CSC–15
AC–03
Access Enforcement
P1
Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
X
S
X
S
S
S
S
14
1
1
S
S
S
S
S
X
S
S
2
S
S
14
S
X
X
S
S
S
S
S
S
X
S
S
X
6
P1
X
1
P1
X
S
S
S
S
S
S
S
X
S
S
S
S
S
S
X
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
X
X
S
S
14
S
S
3
2
1
S
S
S
14
S
14
S
S
S
2
X
1
X
S
X
Page 10 of 69
5
S
X
S
14
S
1
X
S
S
4
S
S
S
S
S
S
S
1
X
S
S
S
S
5
2
S
3
S
3
11. Print Date: 3/1/2014, 12:02 PM
CNT:
203
7
10
16
6
6
15
10
3
9
Bl CSC
Inventory of Authorized & Unauthorized Devices
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
12
#
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
Inventory of Authorized and Unauthorized Software
MAP_CSCv4.1_to_800‐53r4_SORTCSC
11
9
11
17
10
11
13
9
9
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Ports, Protocols, and Services Management
CSC
Controlled Use of Administrative Privileges
CSC–01 X
CSC–06 X
CSC–11 X
Boundary Defense
CSC
CSC
CSC
Maintenance, Monitoring & Analysis of Audit Logs
CSC–02 X
CSC–07 X
CSC–12 X
Controlled Access Based on the Need to Know
CSC
CSC
CSC
Account Monitoring and Control
CSC–03 X
CSC–08 X
CSC–13 X
Data Loss Prevention
CSC
CSC
CSC
Incident Response and Management
CSC–04 X
CSC–09 X
CSC–14 X
Secure Network Engineering
CSC
CSC
CSC
9
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Penetration Tests and Red Team Exercises
CSC–05 X
02
04
Secure Configurations for Network Infrastructure & Security Devices
PRI
01
03
05
06
07
08
09
10
11
12
01
CSC
02
03
04
05
06
CSC
07
08
09
10
CSC–10 X
13
14
15
11
CSC
CSC–16
12
CSC
CSC–17
13
CSC
CSC–18
14
CSC
CSC–19
15
CSC
CSC–15 X
16
17
18
CSC–20
19
20
CNT
ID–CN
NIST_SP_800-53_REV_4_CONTROL_NAME
146
CSC–15
AC–06
Least Privilege
P1
147
CSC–15
AC–24
Access Control Decisions
P0
148
CSC–15
CA–07
Continuous Monitoring
P3
149
CSC–15
MP–03
Media Marking
P2
X
1
150
CSC–15
RA–02
Security Categorization
P1
X
1
151
CSC–15
SC–16
Transmission of Security Attributes
P0
X
152
CSC–15
SI–04
Information System Monitoring
P1
153
CSC–16
AC–02
Account Management
P1
154
CSC–16
AC–03
Access Enforcement
P1
155
CSC–16
AC–07
Unsuccessful Logon Attempts
P2
X
1
156
CSC–16
AC–11
Session Lock
P3
X
1
157
CSC–16
AC–12
Session Termination
P2
X
158
CSC–16
CA–07
Continuous Monitoring
P3
159
CSC–16
IA–05
Authenticator Management
P1
160
CSC–16
IA–10
Adaptive Identification and Authentication
P0
161
CSC–16
SC–17
Public Key Infrastructure Certificates
P1
162
CSC–16
SC–23
Session Authenticity
P1
163
CSC–16
SI–04
Information System Monitoring
P1
164
CSC–17
AC–03
Access Enforcement
P1
165
CSC–17
AC–04
Information Flow Enforcement
P1
166
CSC–17
AC–23
Data Mining Protection
P0
167
CSC–17
CA–07
Continuous Monitoring
P3
168
CSC–17
CA–09
Internal System Connections
P2
169
CSC–17
IR–09
Information Spillage Response
P0
X
1
170
CSC–17
MP–05
Media Transport
P1
X
1
171
CSC–17
SA–18
Tamper Resistance and Detection
P0
X
1
172
CSC–17
SC–08
Transmission Confidentiality and Integrity
P1
X
3
173
CSC–17
SC–28
Protection of Information at Rest
P1
X
1
174
CSC–17
SC–31
Covert Channel Analysis
P0
X
1
175
CSC–17
SC–41
Port and I/O Device Access
P0
X
2
176
CSC–17
SI–04
Information System Monitoring
P1
177
CSC–18
IR–01
Incident Response Policy and Procedures
P1
X
1
178
CSC–18
IR–02
Incident Response Training
P2
X
1
179
CSC–18
IR–03
Incident Response Testing
P2
X
1
180
CSC–18
IR–04
Incident Handling
P1
X
1
181
CSC–18
IR–05
Incident Monitoring
P1
X
1
Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
S
X
2
X
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
X
X
1
S
S
S
S
S
S
S
S
S
S
S
S
S
14
X
X
S
S
X
3
S
3
1
S
14
X
2
X
S
2
X
S
S
14
1
S
S
S
S
3
X
S
S
S
S
S
S
S
S
S
S
S
S
S
1
S
X
S
S
S
X
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
Page 11 of 69
S
S
S
S
S
S
S
S
S
S
5
2
X
14
X
S
S
S
X
S
S
3
X
S
S
14
S
X
5
14
12. Print Date: 3/1/2014, 12:02 PM
CNT:
203
7
10
16
6
6
15
10
3
9
Bl CSC
Inventory of Authorized & Unauthorized Devices
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
12
#
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
Inventory of Authorized and Unauthorized Software
MAP_CSCv4.1_to_800‐53r4_SORTCSC
11
9
11
17
10
11
13
9
9
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Ports, Protocols, and Services Management
CSC
Controlled Use of Administrative Privileges
CSC–01 X
CSC–06 X
CSC–11 X
Boundary Defense
CSC
CSC
CSC
Maintenance, Monitoring & Analysis of Audit Logs
CSC–02 X
CSC–07 X
CSC–12 X
Controlled Access Based on the Need to Know
CSC
CSC
CSC
Account Monitoring and Control
CSC–03 X
CSC–08 X
CSC–13 X
Data Loss Prevention
CSC
CSC
CSC
Incident Response and Management
CSC–04 X
CSC–09 X
CSC–14 X
Secure Network Engineering
CSC
CSC
CSC
9
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Penetration Tests and Red Team Exercises
CSC–05 X
02
04
Secure Configurations for Network Infrastructure & Security Devices
PRI
01
03
05
06
07
08
09
10
11
12
01
CSC
02
03
04
05
06
CSC
07
08
09
10
CSC–10 X
13
14
15
16
11
CSC
CSC–16
12
CSC
CSC–17
13
CSC
CSC–18
14
CSC
CSC–19
15
CSC
CSC–15 X
17
18
CSC–20
19
20
CNT
ID–CN
NIST_SP_800-53_REV_4_CONTROL_NAME
182
CSC–18
IR–06
Incident Reporting
P1
X
1
183
CSC–18
IR–07
Incident Response Assistance
P3
X
1
184
CSC–18
IR–08
Incident Response Plan
P1
X
1
185
CSC–18
IR–10
Integrated Information Security Analysis Team
P0
X
186
CSC–19
AC–04
Information Flow Enforcement
P1
187
CSC–19
CA–03
System Interconnections
P1
188
CSC–19
CA–09
Internal System Connections
P2
189
CSC–19
SA–08
Security Engineering Principles
P1
190
CSC–19
SC–20
Secure Name /Address Resolution Service (Authoritative Source)
P1
CSC–19
SC–21
Secure Name /Address Resolution Service (Recursive or Caching Resolver)
192
CSC–19
SC–22
193
CSC–19
194
S
S
S
S
S
S
S
S
S
5
X
S
S
1
X
4
X
5
X
1
S
X
2
P1
S
X
Architecture and Provisioning for Name/Address Resolution Service
P1
S
X
2
SC–32
Information System Partitioning
P0
X
1
CSC–19
SC–37
Out–of–Band Channels
P0
X
195
CSC–20
PM–16
Threat Awareness Program
P1
196
CSC–20
CA–02
Security Assessments
P2
197
CSC–20
CA–05
Plan of Action and Milestones
P3
198
CSC–20
CA–06
Security Authorization
199
CSC–20
CA–08
200
CSC–20
201
191
1
x
2
X
2
X
1
P3
X
1
Penetration Testing
P1
X
1
RA–06
Technical Surveillance Countermeasures Survey
P0
X
1
CSC–20
SI–06
Security Function Verification
P1
X
1
202
CSC–20
PM–06
Information Security Measures of Performance
P1
X
1
203
CSC–20
PM–14
Testing, Training, & Monitoring
P1
X
2
Critical Security Controls v4 1 Mapped to NIST 800‐53 rev4‐Final_R6.xlsx
S
2
S
S
Print Date: 3/1/2014, 12:02 PM
Mapping NIST SP 800–53 Revision 4 to
Critical Security Controls (CSC) v4.1
FAMILY
ID–CN
CONTROL NAME
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
CSC–01
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
CSC–08
CSC–09
CSC–10
PRI
Occurrences
MAP_CSCv4.1_to_800‐53r4_SORT_ID
Inventory of Authorized & Unauthorized Devices
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
Inventory of Authorized and Unauthorized Software
Secure Configurations for Mobile Devices, Workstations, Servers
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Secure Configurations for Network Infrastructure & Security Devices
01
02
7
03
10
16
04
05
6
Access Control
06
6
15
07
08
10
09
3
10
9
11
12
13
Ports, Protocols, and Services Management
Controlled Use of Administrative Privileges
Boundary Defense
Maintenance, Monitoring and Analysis of Audit Logs
Controlled Access Based on the Need to Know
Account Monitoring and Control
Data Loss Prevention
Incident Response and Management
Secure Network Engineering
Penetration Tests and Red Team Exercises
14
15
16
17
18
11
9
11
17
10
11
13
1
2
12
1
4
3
1
5
5
3
19
9
20
9
CNT
9
203
1
26
X
1
3
3
5
AC  AC–01  Access Control Policy and Procedures  P1  X
AC  AC–02  Account Management  P1
AC  AC–03  Access Enforcement  P1
AC  AC–04  Information Flow Enforcement  P1
AC  AC–05  Separation of Duties  P1
AC  AC–06  Least Privilege  P1
AC  AC–07  Unsuccessful Logon Attempts  P2
AC  AC–08  System Use Notification  P1
AC  AC–09  Previous Logon (Access) Notification  P0
AC  AC–10  Concurrent Session Control  P2
AC  AC–11  Session Lock  P3  X  1
AC  AC–12  Session Termination  P2  X  1
AC  AC–13  Withdrawn
AC  AC–14  Permitted Actions without Identification or Authentication
AC  AC–15  Withdrawn
AC  AC–16  Security Attributes  P0
AC  AC–17  Remote Access  P1
AC  AC–18  Wireless Access  P1  X
AC  AC–19  Access Control for Mobile Devices  P1  X
AC  AC–20  Use of External Information Systems  P1
AC  AC–21  Information Sharing  P2
AC  AC–22  Publicly Accessible Content  P2
AC  AC–23  Data Mining Protection  P0
AC  AC–24  Access Control Decisions  P0
AC  AC–25  Reference Monitor  P0
X
X
X
X
X
X
X
X
X
X
X
2
1
X
X
–––
P1
–––
X
X
2
1
X
2
X
1
X
X
X
Awareness and Training
2
1
4
4
AT  AT–01  Security Awareness and Training Policy and Procedures  P1  X  1
AT  AT–02  Security Awareness Training  P1  X  1
AT  AT–03  Role–Based Security Training  P1  X  1
AT  AT–04  Security Training Records  P3  X  1
AT  AT–05  Withdrawn  –––
Audit & Accountability
13
13
P1
X
1
P1
X
1
Audit Storage Capacity  P1  X  1
AU–05  Response to Audit Processing Failures  P1  X  1
AU  AU–06  Audit Review, Analysis, and Reporting  P1  X  1
AU  AU–07  Audit Reduction and Report Generation  P2  X  1
AU  AU–01  Audit and Accountability Policy and Procedures  P1
AU  AU–02  Audit Events
AU  AU–03  Content of Audit Records
AU  AU–04
AU
X
1
AU  AU–09  Protection of Audit Information  P1  X  1
AU  AU–10  Non–repudiation  P1  X  1
AU  AU–11  Audit Record Retention  P3  X  1
AU  AU–12  Audit Generation  P1  X  1
AU  AU–13  Monitoring for Information Disclosure  P0  X  1
AU  AU–14  Session Audit  P0  X  1
AU  AU–15  Alternate Audit Capability  P0
AU  AU–16  Cross–Organizational Auditing  P0
3
X
2
13
Secure Network Engineering
P1
2
12
Incident Response and Management
CONTROL NAME
1
07
Data Loss Prevention
Time Stamps
2
06
Account Monitoring and Control
ID–CN
1
05
Controlled Access Based on the Need to Know
AU–08
1
04
Boundary Defense
Maintenance, Monitoring and Analysis of Audit Logs
FAMILY
1
03
Controlled Use of Administrative Privileges
AU
Security Assessment and Authorization
01
Ports, Protocols, and Services Management
1
X
14
3
15
1
16
1
17
1
18
2
19
20
2
CNT
4
CA  CA–01  Security Assessment and Authorization Policies and Procedures
CA  CA–02  Security Assessments  P2
CA  CA–03  System Interconnections  P1
CA  CA–04  Withdrawn
CA  CA–05  Plan of Action and Milestones  P3  X
CA  CA–06  Security Authorization  P3  X
CA  CA–07  Continuous Monitoring  P3
CA  CA–08  Penetration Testing  P1
CA  CA–09  Internal System Connections  P2
28
P1
X
X
X
X
2
4
–––
Configuration Management
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
1
1
14
X
X
1
X
1
5
4
8
1
5
3
1
23
X
X
X
X
X
X
6
CM  CM–01  Configuration Management Policy and Procedures  P1
CM  CM–02  Baseline Configuration  P1
CM  CM–03  Configuration Change Control  P1
CM  CM–04  Security Impact Analysis  P2
CM  CM–05  Access Restrictions for Change
CM  CM–06  Configuration Settings
CM  CM–07  Least Functionality  P1  X
CM  CM–08  Information System Component Inventory  P1
CM  CM–09  Configuration Management Plan  P1
CM  CM–10  Software Usage Restrictions  P2  X
CM  CM–11  User–Installed Software  P1
X
X
X
P1
X
X
P1
X
X
X
3
X
X
5
X
X
X
1
X
2
1
2
CP–01  Contingency Planning Policy and Procedures  P1
CP  CP–02  Contingency Plan  P1
CP  CP–03  Contingency Training  P2
CP  CP–04  Contingency Plan Testing
CP  CP–05  Withdrawn
CP  CP–06  Alternate Storage Site
2
1
X
Contingency Planning
CP
2
P2
–––
P1
2
CP  CP–08  Telecommunications Services  P1
CP  CP–09  Information System Backup  P1  X  1
CP  CP–10  Information System Recovery and Reconstitution  P1  X  1
CP  CP–11  Alternate Communications Protocols  P0
CP  CP–12  Safe Mode  P0
CP  CP–13  Alternative Security Mechanisms  P0
1
12
Secure Network Engineering
P1
X
10
Incident Response and Management
CONTROL NAME
1
09
Data Loss Prevention
Alternate Processing Site
IA
05
Account Monitoring and Control
ID–CN
IA
04
Controlled Access Based on the Need to Know
CP–07
IA–01
03
Boundary Defense
Maintenance, Monitoring and Analysis of Audit Logs
FAMILY
IA
02
Controlled Use of Administrative Privileges
CP
Identification and Authentication
01
Ports, Protocols, and Services Management
3
14
15
16
18
19
X
Identification and Authentication Policy and Procedures
Identification and Authentication (Organizational Users)  P1
IA–03  Device Identification and Authentication  P1
IA  IA–04  Identifier Management  P1
IA–05  Authenticator Management  P1  X
IA  IA–06  Authenticator Feedback  P1
IA  IA–07  Cryptographic Module Authentication  P1
IA  IA–08  Identification and Authentication (Non–Organizational Users)  P1
IA  IA–09  Service Identification and Authentication  P0
IA  IA–10  Adaptive Identification and Authentication  P0
IA  IA–11  Re–authentication
CNT
8
X
IA
2
20
P1
IA–02
1
17
P0
X
1
2
1
X
X
X
Incident Response
2
2
9
10
IR  IR–01  Incident Response Policy and Procedures  P1  1  X  1
IR  IR–02  Incident Response Training  P2  X  1
IR  IR–03  Incident Response Testing  P2  X  1
IR  IR–04  Incident Handling  P1  X  1
IR  IR–05  Incident Monitoring  P1  X  1
IR  IR–06  Incident Reporting  P1  X  1
IR  IR–07  Incident Response Assistance  P3  X  1
IR  IR–08  Incident Response Plan  P1  X  1
IR  IR–09  Information Spillage Response  P0
IR  IR–10  Integrated Information Security Analysis Team  P0
Maintenance
X
1
X
1
1
MA  MA–01  System Maintenance Policy and Procedures
MA–02  Controlled Maintenance
MA–03  Maintenance Tools
MA–04  Nonlocal Maintenance  P1
MA  MA–05  Maintenance Personnel
MA–06  Timely Maintenance
2
P1
MA
X
P2
MA
X
P2
MA
2
P1
MA
1
P2
Media Protection
1
1
1
3
MP  MP–01  Media Protection Policy and Procedures
PRI
MP–02  Media Access
MP–03  Media Marking
MP–04  Media Storage
MP–05  Media Transport
MP–06  Media Sanitization
MP–07  Media Use
MP–08  Media Downgrading
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Secure Configurations for Network Infrastructure & Security Devices
P1
MP
Application Software Security
P1
MP
Malware Defenses
P1
MP
Continuous Vulnerability Assessment and Remediation
P1
MP
Secure Configurations for Mobile Devices, Workstations, Servers
P2
MP
Inventory of Authorized and Unauthorized Software
01
02
03
04
P0
PE–01  Physical and Environmental Protection Policy and Procedures
PE  PE–02  Physical Access Authorizations
PE–03  Physical Access Control
PE–04  Access Control for Transmission Medium  P1
PE  PE–05  Access Control for Output Devices  P2
PE  PE–06  Monitoring Physical Access  P1
PE  PE–07  Withdrawn
PE  PE–08  Visitor Access Records
PE  PE–09  Power Equipment and Cabling  P1
PE  PE–10  Emergency Shutoff  P1
PE  PE–11  Emergency Power  P1
PE  PE–12  Emergency Lighting  P1
PE  PE–13  Fire Protection  P1
PE  PE–14  Temperature and Humidity Controls  P1
PE  PE–15  Water Damage Protection  P1
PE  PE–16  Delivery and Removal  P2
PE  PE–17  Alternate Work Site  P2
PE  PE–18  Location of Information System Components  P3
PE  PE–19  Information Leakage  P0
PE  PE–20  Asset Monitoring and Tracking  P0
PL  PL–01  Security Planning Policy and Procedures  P1
PL  PL–02  System Security Plan  P1
PL  PL–03  Withdrawn
PL  PL–04  Rules of Behavior
PL  PL–05  Withdrawn  –––
PL  PL–06  Withdrawn  –––
PL  PL–07  Security Concept of Operations  P0
PL  PL–08  Information Security Architecture  P1
P1
–––
P3
Planning
08
09
10
11
12
13
Controlled Access Based on the Need to Know
Account Monitoring and Control
Data Loss Prevention
Incident Response and Management
Secure Network Engineering
Penetration Tests and Red Team Exercises
14
15
16
17
–––
P2
18
19
20
CNT
1
1
X
P1
PE
07
Boundary Defense
Maintenance, Monitoring and Analysis of Audit Logs
X
P1
PE
06
Controlled Use of Administrative Privileges
X
Physical and Environmental Protection
PE
05
Ports, Protocols, and Services Management
P1
MP
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
P1
MP
MAP_CSCv4.1_to_800‐53r4_SORT_ID
Inventory of Authorized & Unauthorized Devices
1
PL  PL–09  Central Management
P0
Personnel Security
PS  PS–01  Personnel Security Policy and Procedures  P1
PS  PS–02  Position Risk Designation  P1
PS  PS–03  Personnel Screening  P1
PS  PS–04  Personnel Termination  P1
PS  PS–05  Personnel Transfer  P2
PS  PS–06  Access Agreements  P3
PS  PS–07  Third–Party Personnel Security  P1
PS  PS–08  Personnel Sanctions  P3
P1
Risk Assessment
1
RA  RA–01  Risk Assessment Policy and Procedures
RA  RA–02  Security Categorization
RA–03  Risk Assessment
RA–04  Withdrawn
RA  RA–05  Vulnerability Scanning  P1
RA  RA–06  Technical Surveillance Countermeasures Survey
1
1
P0
5
P1
RA
1
P1
RA
1
X
1
–––
System and Services Acquisition
X
X
X
3
X
1
1
1
X
X
9
X
SA  SA–01  System and Services Acquisition Policy and Procedures
SA–02  Allocation of Resources
SA–03  System Development Life Cycle  P1
SA  SA–04  Acquisition Process  P1
SA  SA–05  Information System Documentation
SA  SA–06  Withdrawn
SA–07  Withdrawn
SA–08  Security Engineering Principles  P1
SA  SA–09  External Information System Services  P1
SA  SA–10  Developer Configuration Management  P1  X
SA  SA–11  Developer Security Testing and Evaluation  P1  X
SA  SA–12  Supply Chain Protection  P1
SA  SA–13  Trustworthiness  P0
SA  SA–14  Criticality Analysis  P0
SA  SA–15  Development Process, Standards, and Tools  P2  X
SA  SA–16  Developer–Provided Training  P2  X
SA  SA–17  Developer Security Architecture and Design  P1  X
SA  SA–18  Tamper Resistance and Detection  P0
SA  SA–19  Component Authenticity  P0
SA  SA–20  Customized Development of Critical Components  P0
1
17
–––
SA
1
–––
SA
1
P1
SA
1
P1
SA
2
X
1
3
P2
X
X
1
1
X
2
X
1
1
X
2
1
X
X
1
1
1
SA  SA–21  Developer Screening
PRI
SA–22  Unsupported System Components
P0
SA
P0
System and Communications Protection
X
1
2
2
1
2
1
CNT
1
3
1
4
2
1
2
4
5
SC  SC–01  System and Communications Protection Policy and Procedures
SC  SC–02  Application Partitioning  P1
SC  SC–03  Security Function Isolation  P1
SC  SC–04  Information in Shared Resources  P1
SC  SC–05  Denial of Service Protection  P1
SC  SC–06  Resource Availability  P0
SC  SC–07  Boundary Protection  P1
SC  SC–08  Transmission Confidentiality and Integrity  P1
SC  SC–09  Withdrawn
SC  SC–10  Network Disconnect  P2
SC  SC–11  Trusted Path  P0
SC  SC–12  Cryptographic Key Establishment and Management  P1
SC  SC–13  Cryptographic Protection
SC  SC–14  Withdrawn
SC  SC–15  Collaborative Computing Devices  P1
SC  SC–16  Transmission of Security Attributes  P0
SC  SC–17  Public Key Infrastructure Certificates  P1
SC  SC–18  Mobile Code  P2
SC  SC–19  Voice Over Internet Protocol  P1
SC  SC–20  Secure Name/Address Resolution Service (Authoritative Source)  P1  X  X
SC  SC–21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  P1  X  X
SC  SC–22  Architecture and Provisioning for Name/Address Resolution Service  P1  X  X
SC  SC–23  Session Authenticity  P1
SC  SC–24  Fail in Known State  P1
SC  SC–25  Thin Nodes  P0
SC  SC–26  Honeypots  P0
SC  SC–27  Platform–Independent Applications  P0
SC  SC–28  Protection of Information at Rest  P1
SC  SC–29  Heterogeneity  P0
SC  SC–30  Concealment and Misdirection  P0
SC  SC–31  Covert Channel Analysis  P0
SC  SC–32  Information System Partitioning  P0
SC  SC–33  Withdrawn
SC  SC–34  Non–Modifiable Executable Programs  P0
SC  SC–35  Honeyclients  P0
31
P1
X
X
1
X
X
3
–––
P1
–––
X
1
X
X
X
1
X
3
X
1
X
2
2
2
1
X
1
X
1
X
1
X
1
–––
X
X
X
3
SC  SC–36  Distributed Processing and Storage
PRI
SC–37  Out–of–Band Channels
SC–38  Operations Security
SC–39  Process Isolation
SC–40  Wireless Link Protection
SC–41  Port and I/O Device Access
SC–42  Sensor Capability and Data
SC–43  Usage Restrictions
SC–44  Detonation Chambers
P0
System and Information Integrity
P0
SC
Wireless Device Control
Controlled Use of Administrative Privileges
P0
SC
Application Software Security
P0
SC
Malware Defenses
P0
SC
Continuous Vulnerability Assessment and Remediation
P1
SC
Secure Configurations for Mobile Devices, Workstations, Servers
P0
SC
Inventory of Authorized and Unauthorized Software
Ports, Protocols, and Services Management
P0
SC
P0
SC
X
X
1
X
2
X
1
X
X
2
X
1
1
2
2
3
1
4
1
1
1
1
1
1
1
1
1
1
23
SI  SI–01  System and Information Integrity Policy and Procedures  P1
SI  SI–02  Flaw Remediation  P1
SI  SI–03  Malicious Code Protection  P1
SI  SI–04  Information System Monitoring  P1
SI  SI–05  Security Alerts, Advisories, and Directives  P1
SI  SI–06  Security Function Verification  P1
SI  SI–07  Software, Firmware, and Information Integrity  P1
SI  SI–08  Spam Protection  P2
SI  SI–09  Withdrawn
SI  SI–10  Information Input Validation  P1  X  1
SI  SI–11  Error Handling  P2  X  1
SI  SI–12  Information Handling and Retention  P2
SI  SI–13  Predictable Failure Prevention  P0
SI  SI–14  Non–Persistence  P0
SI  SI–15  Information Output Filtering  P0  X  1
SI  SI–16  Memory Protection  P1  X  1
SI  SI–17  Fail–Safe Procedures  P0  X  1
X
X
X
X
X
1
X
X
X
X
X
X
X
X
X
X
14
X
X
1
1
X
1
–––
Program Management
1
PM  PM–01  Information Security Program Plan
PM  PM–02  Senior Information Security Officer
PM–03  Information Security Resources
PM–04  Plan of Action and Milestones Process
PM–05  Information System Inventory  P1
PM  PM–06  Information Security Measures of Performance
PM  PM–07  Enterprise Architecture
PM–08  Critical Infrastructure Plan  P1
PM  PM–09  Risk Management Strategy  P1
PM  PM–10  Security Authorization Process
X
P1
PM
X
P1
P1
8
P1
PM
3
P1
PM
3
P1
PM
1
P1
2
X
1
PM–11  Mission/Business Process Definition  P1
PM  PM–12  Insider Threat Program  P1
PM  PM–13  Information Security Workforce  P1  X
PM  PM–14  Testing, Training, & Monitoring  P1  X  X  2
PM  PM–15  Contacts with Security Groups and Associations  P1
PM  PM–16  Threat Awareness Program  P1  X  X  2
PM
1
CSC–01
CSC–02
CSC–03
CSC–04
CSC–05
CSC–06
CSC–07
10
AU–08 Time Stamps
AU–07 Audit Reduction and Report Generation
AU–06 Audit Review, Analysis, and Reporting
AU–05 Response to Audit Processing Failures
AU–04 Audit Storage Capacity
AU–03 Content of Audit Records
AU–02 Audit Events
Audit & Accountability
AU–01 Audit and Accountability Policy and Procedures
AT–05 Withdrawn
AT–04 Security Training Records
AT–03 Role–Based Security Training
AT–02 Security Awareness Training
AT–01 Security Awareness and Training Policy and Procedures
Awareness and Training
AC–25 Reference Monitor
AC–24 Access Control Decisions
AC–23 Data Mining Protection
AC–22 Publicly Accessible Content
AC–21 Information Sharing
AC–20 Use of External Information Systems
AC–19 Access Control for Mobile Devices
AC–18 Wireless Access
AC–17 Remote Access
AC–16 Security Attributes
AC–15 Withdrawn
AC–14 Permitted Actions without Identification or Authenticatio
AC–13 Withdrawn
AC–12 Session Termination
AC–11 Session Lock
AC–10 Concurrent Session Control
15
Wireless Device Control
AC–09 Previous Logon (Access) Notification
6
Application Software Security
AC–08 System Use Notification
6
Malware Defenses
AU
16
Continuous Vulnerability Assessment and Remediation
AT
10
Secure Configurations for Mobile Devices, Workstations, Servers
HMAP_53r4_to_CSCv4.1_&_NIST_PUBS
7
Inventory of Authorized and Unauthorized Software
AC–07 Unsuccessful Logon Attempts
CSC
Inventory of Authorized & Unauthorized Devices
AC–06 Least Privilege
Total
AC
AC–05 Separation of Duties
Critical Security Controls
?
AC–04 Information Flow Enforcement
Access Control
AC–01 Access Control Policy and Procedures
Map NIST Special Publication (SP)
800–53 Revision 4 to Critical
Security Controls (CSC) Version 4.1
and NIST 800 Series Special
Publications.
AC–03 Access Enforcement
Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800‐53 Revision 4
AC–02 Account Management
X X
2
Data Recovery Capability
CSC–08
3
Security Skills Assessment and Appropriate Training to Fill Gaps
CSC–09
9
Secure Configurations for Network Infrastructure & Security Devices
CSC–10
12
1
X
Inventory of Authorized & Unauthorized Devices
CSC–11
11
1
X
Inventory of Authorized and Unauthorized Software
CSC–12
9
4
Secure Configurations for Mobile Devices, Workstations, Servers
CSC–13
11
3
Continuous Vulnerability Assessment and Remediation
CSC–14
17
1
Malware Defenses
CSC–15
10
5 X X X
Application Software Security
CSC–16
11
5
Wireless Device Control
CSC–17
13
3
X X
Data Recovery Capability
CSC–18
9
Security Skills Assessment and Appropriate Training to Fill Gaps
CSC–19
9
1
X
Secure Configurations for Network Infrastructure & Security Devices
CSC–20
9
NIST 800 Series Special Publications
4 X X X X
X
X
X
13
X
X
SP 800-13
X
X
X X
SP 800-12
Telecommunications Security Guidelines for Telecommunications Manageme
X
X
1
An Introduction to Computer Security: The NIST Handbook
X
X
X X
X
X X X X X X X
SP 800-15 Version 1  MISPC Minimum Interoperability Specification for PKI Components
SP 800-14
SP 800-16  Information Technology Security Training Requirements: A Role- and Perform
SP 800-16 Rev. 1  DRAFT Information Security Training Requirements: A Role- and Performanc
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedure
SP 800-18 Rev.1  Guide for Developing Security Plans for Federal Information Systems
SP 800-19  Mobile Agent Security
SP 800-20  Modes of Operation Validation System for the Triple Data Encryption Algorith
800-21 2nd edition  Guideline for Implementing Cryptography in the Federal Government
SP 800-22 Rev. 1a  A Statistical Test Suite for Random and Pseudorandom Number Generators f
SP 800-23  Guidelines to Federal Organizations on Security Assurance and Acquisition/U
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Auth
SP 800-27 Rev. A  Engineering Principles for Information Technology Security (A Baseline for A
SP 800-28 Version 2  Guidelines on Active Content and Mobile Code
SP 800-29  A Comparison of the Security Requirements for Cryptographic Modules in FI
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-30 Rev. 1  Guide for Conducting Risk Assessments
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-34 Rev. 1  Contingency Planning Guide for Federal Information Systems (Errata Page -
1
SP 800-35  Guide to Information Technology Security Services
SP 800-36  Guide to Selecting Information Technology Security Products
Generally Accepted Principles and Practices for Securing Information Techno
SP 800-37 Rev. 1
SP 800-38 A  Recommendation for Block Cipher Modes of Operation - Methods and Techni
8
00-38 A - Addendum  Recommendation for Block Cipher Modes of Operation: Three Variants of Cip
SP 800-38 B  Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A
SP 800-38 C  Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au
SP 800-38 D  Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
SP 800-38 E  Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f
SP 800-38 F  DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K
SP 800-39  Managing Information Security Risk: Organization, Mission, and Information
800-40 Version 2.0  Creating a Patch and Vulnerability Management Program
SP 800-41 Rev. 1  Guidelines on Firewalls and Firewall Policy
SP 800-43  Systems Administration Guidance for Windows 2000 Professional System
SP 800-44 Version 2  Guidelines on Securing Public Web Servers
SP 800-45 Version 2  Guidelines on Electronic Mail Security
SP 800-46 Rev. 1  Guide to Enterprise Telework and Remote Access Security
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-48 Rev. 1  Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-50  Building an Information Technology Security Awareness and Training Progra
SP 800-51 Rev. 1  Guide to Using Vulnerability Naming Schemes
SP 800-52  Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple
SP 800-53 A Rev. 1  Guide for Assessing the Security Controls in Federal Information Systems an
SP 800-53 Rev. 3  Recommended Security Controls for Federal Information Systems and Organ
Guide for Applying the Risk Management Framework to Federal Information
SP 800-53 Rev. 4: DRAFT Security and Privacy Controls for Federal Information Systems and O
SP 800-54: Border Gateway Protocol Security
SP 800-55 Rev. 1: Performance Measurement Guide for Information Security
SP 800-56 A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete L
SP 800-56 B: Recommendation for Pair-Wise Key Establishment Schemes Using Integer Fa
SP 800-56 C: Recommendation for Key Derivation through Extraction-then-Expansion
SP 800-57: Recommendation for Key Management
SP 800-57 Part 1: DRAFT Recommendation for Key Management: Part 1: General
SP 800-58: Security Considerations for Voice Over IP Systems
SP 800-59: Guideline for Identifying an Information System as a National Security Syste
SP 800-60 Rev. 1: Guide for Mapping Types of Information and Information Systems to Securit
SP 800-61 Rev. 1: Computer Security Incident Handling Guide
SP 800-61 Rev. 2: DRAFT Computer Security Incident Handling Guide
SP 800-63 Rev. 1: Electronic Authentication Guideline
00-63 Version 1.0.2: Electronic Authentication Guideline
SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle
SP 800-65: Integrating IT Security into the Capital Planning and Investment Control Pro
SP 800-65 Rev. 1: DRAFT Recommendations for Integrating Information Security into the Capit
SP 800-66 Rev 1: An Introductory Resource Guide for Implementing the Health Insurance Port
SP 800-67 Rev. 1: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Ciph
SP 800-68 Rev. 1: Guide to Securing Microsoft Windows XP Systems for IT Professionals
SP 800-69: Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security
SP 800-70 Rev. 2: National Checklist Program for IT Products: Guidelines for Checklist Users an
Page 24 of 69
SP 800-72: Guidelines on PDA Forensics
SP 800-73 -3: Interfaces for Personal Identity Verification (4 Parts)
SP 800-76 -1: Biometric Data Specification for Personal Identity Verification
SP 800-76 -2: DRAFT Biometric Data Specification for Personal Identity Verification
SP 800-77: Guide to IPsec VPNs
SP 800-78 -3: Cryptographic Algorithms and Key Sizes for Personal Identification Verificatio
SP 800-79 -1: Guidelines for the Accreditation of Personal Identity Verification (PIV) Card I
SP 800-81 Rev. 1: Secure Domain Name System (DNS) Deployment Guide
SP 800-82: Guide to Industrial Control Systems (ICS) Security
SP 800-83: Guide to Malware Incident Prevention and Handling
SP 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-85 A-2: PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3
SP 800-85 B: PIV Data Model Test Guidelines
SP 800-85 B-1: DRAFT PIV Data Model Conformance Test Guidelines
SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
SP 800-87 Rev 1: Codes for Identification of Federal and Federally-Assisted Organizations
SP 800-88: Guidelines for Media Sanitization
SP 800-89: Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-90 A: Recommendation for Random Number Generation Using Deterministic Rando
SP 800-92: Guide to Computer Security Log Management
SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
SP 800-95: Guide to Secure Web Services
SP 800-96: PIV Card to Reader Interoperability Guidelines
Page 25 of 69
SP 800-97: Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems
SP 800-100: Information Security Handbook: A Guide for Managers
SP 800-101: Guidelines on Cell Phone Forensics
SP 800-102: Recommendation for Digital Signature Timeliness
SP 800-103: DRAFT An Ontology of Identity Credentials, Part I: Background and Formula
SP 800-104: A Scheme for PIV Visual Card Topography
SP 800-106: Randomized Hashing for Digital Signatures
SP 800-107: Recommendation for Applications Using Approved Hash Algorithms
SP 800-107 Revised: DRAFT Recommendation for Applications Using Approved Hash Algorithms
SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions
SP 800-111: Guide to Storage Encryption Technologies for End User Devices
SP 800-113: Guide to SSL VPNs
SP 800-114: User's Guide to Securing External Devices for Telework and Remote Access
SP 800-115: Technical Guide to Information Security Testing and Assessment
SP 800-116: A Recommendation for the Use of PIV Credentials in Physical Access Control
SP 800-117: Guide to Adopting and Using the Security Content Automation Protocol (SCA
SP 800-117 Rev. 1: DRAFT Guide to Adopting and Using the Security Content Automation Protoc
SP 800-118: DRAFT Guide to Enterprise Password Management
SP 800-119: Guidelines for the Secure Deployment of IPv6
SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authent
SP 800-121 Rev. 1: Guide to Bluetooth Security
SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information
Page 26 of 69
SP 800-123: Guide to General Server Security
SP 800-124: Guidelines on Cell Phone and PDA Security
SP 800-125: Guide to Security for Full Virtualization Technologies
SP 800-126: The Technical Specification for the Security Content Automation Protocol (SC
SP 800-126 Rev. 1: The Technical Specification for the Security Content Automation Protocol (SC
SP 800-126 Rev. 2: The Technical Specification for the Security Content Automation Protocol (SC
SP 800-127: Guide to Securing WiMAX Wireless Communications
SP 800-128: Guide for Security-Focused Configuration Management of Information Syste
SP 800-130: DRAFT A Framework for Designing Cryptographic Key Management Systems
SP 800-131 A: Transitions: Recommendation for Transitioning the Use of Cryptographic Alg
SP 800-131 B: DRAFT Transitions: Validation of Transitioning Cryptographic Algorithm and
SP 800-131 C: DRAFT Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3
SP 800-132: Recommendation for Password-Based Key Derivation Part 1: Storage Applica
SP 800-133: DRAFT Recommendation for Cryptographic Key Generation
SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions
SP 800-137: Information Security Continuous Monitoring for Federal Information Systems
SP 800-142: Practical Combinatorial Testing
SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
SP 800-145: A NIST Definition of Cloud Computing
SP 800-146: Cloud Computing Synopsis and Recommendations
SP 800-147: Basic Input/Output System (BIOS) Protection Guidelines
SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)
SP 800-155: DRAFT BIOS Integrity Measurement Guidelines
Page 27 of 69
Columns on this sheet: CSC (Critical Security Controls), ?, Total, and the following NIST SP 800–53 Rev. 4 controls:
Audit & Accountability (AU), continued
AU–09 Protection of Audit Information
AU–10 Non–repudiation
AU–11 Audit Record Retention
AU–12 Audit Generation
AU–13 Monitoring for Information Disclosure
AU–14 Session Audit
AU–15 Alternate Audit Capability
AU–16 Cross–Organizational Auditing
Security Assessment and Authorization (CA)
CA–01 Security Assessment and Authorization Policies and Pro
CA–02 Security Assessments
CA–03 System Interconnections
CA–04 Withdrawn
CA–05 Plan of Action and Milestones
CA–06 Security Authorization
CA–07 Continuous Monitoring
CA–08 Penetration Testing
CA–09 Internal System Connections
Configuration Management (CM)
CM–01 Configuration Management Policy and Procedures
CM–02 Baseline Configuration
CM–03 Configuration Change Control
CM–04 Security Impact Analysis
CM–05 Access Restrictions for Change
CM–06 Configuration Settings
CM–07 Least Functionality
CM–08 Information System Component Inventory
CM–09 Configuration Management Plan
CM–10 Software Usage Restrictions
CM–11 User–Installed Software
Contingency Planning (CP)
CP–01 Contingency Planning Policy and Procedures
CP–02 Contingency Plan
CP–03 Contingency Training
CP–04 Contingency Plan Testing
CP–05 Withdrawn
CP–06 Alternate Storage Site
CP–07 Alternate Processing Site
CP–08 Telecommunications Services
CP–09 Information System Backup
Critical Security Controls
CSC–01 Inventory of Authorized & Unauthorized Devices
CSC–02 Inventory of Authorized and Unauthorized Software
CSC–03 Secure Configurations for Mobile Devices, Workstations, Servers
CSC–04 Continuous Vulnerability Assessment and Remediation
CSC–05 Malware Defenses
CSC–06 Application Software Security
CSC–07 Wireless Device Control
CSC–08 Data Recovery Capability
CSC–09 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC–10 Secure Configurations for Network Infrastructure & Security Devices
CSC–11
CSC–12
CSC–13
CSC–14
CSC–15
CSC–16
CSC–17
CSC–18
CSC–19
CSC–20
[Mapping-matrix cells (X marks and row totals) are not legible in this extraction]
NIST 800 Series Special Publications
SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-13: Telecommunications Security Guidelines for Telecommunications Manageme
Page 28 of 69
SP 800-14: Generally Accepted Principles and Practices for Securing Information Techno
SP 800-15 Version 1: MISPC Minimum Interoperability Specification for PKI Components
SP 800-16: Information Technology Security Training Requirements: A Role- and Perform
SP 800-16 Rev. 1: DRAFT Information Security Training Requirements: A Role- and Performanc
SP 800-17: Modes of Operation Validation System (MOVS): Requirements and Procedure
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
SP 800-19: Mobile Agent Security
SP 800-20: Modes of Operation Validation System for the Triple Data Encryption Algorith
800-21 2nd edition: Guideline for Implementing Cryptography in the Federal Government
SP 800-22 Rev. 1a: A Statistical Test Suite for Random and Pseudorandom Number Generators f
SP 800-23: Guidelines to Federal Organizations on Security Assurance and Acquisition/U
SP 800-24: PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else D
SP 800-25: Federal Agency Use of Public Key Technology for Digital Signatures and Auth
SP 800-27 Rev. A: Engineering Principles for Information Technology Security (A Baseline for A
SP 800-28 Version 2: Guidelines on Active Content and Mobile Code
SP 800-29: A Comparison of the Security Requirements for Cryptographic Modules in FI
SP 800-30: Risk Management Guide for Information Technology Systems
SP 800-30 Rev. 1: Guide for Conducting Risk Assessments
SP 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33: Underlying Technical Models for Information Technology Security
SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems (Errata Page -
SP 800-35: Guide to Information Technology Security Services
SP 800-36: Guide to Selecting Information Technology Security Products
Page 29 of 69
SP 800-37 Rev. 1: Guide for Applying the Risk Management Framework to Federal Information
SP 800-38 A: Recommendation for Block Cipher Modes of Operation - Methods and Techni
00-38 A - Addendum: Recommendation for Block Cipher Modes of Operation: Three Variants of Cip
SP 800-38 B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for A
SP 800-38 C: Recommendation for Block Cipher Modes of Operation: the CCM Mode for Au
SP 800-38 D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode
SP 800-38 E: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode f
SP 800-38 F: DRAFT Recommendation for Block Cipher Modes of Operation: Methods for K
SP 800-39: Managing Information Security Risk: Organization, Mission, and Information
800-40 Version 2.0: Creating a Patch and Vulnerability Management Program
SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy
SP 800-43: Systems Administration Guidance for Windows 2000 Professional System
SP 800-44 Version 2: Guidelines on Securing Public Web Servers
SP 800-45 Version 2: Guidelines on Electronic Mail Security
SP 800-46 Rev. 1: Guide to Enterprise Telework and Remote Access Security
SP 800-47: Security Guide for Interconnecting Information Technology Systems
SP 800-48 Rev. 1: Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP 800-49: Federal S/MIME V3 Client Profile
SP 800-50: Building an Information Technology Security Awareness and Training Progra
SP 800-51 Rev. 1: Guide to Using Vulnerability Naming Schemes
SP 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Imple
SP 800-53 A Rev. 1: Guide for Assessing the Security Controls in Federal Information Systems an
SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organ
Page 30 of 69