NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

High Impact Controls

Showing 170 controls (a dash marks a control that is not selected in that baseline):

No. | Control | Priority | Low | Moderate | High
AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | P1 | AC-1 | AC-1 | AC-1
AC-2 | ACCOUNT MANAGEMENT | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (11) (12) (13)
AC-3 | ACCESS ENFORCEMENT | P1 | AC-3 | AC-3 | AC-3
AC-4 | INFORMATION FLOW ENFORCEMENT | P1 | - | AC-4 | AC-4
AC-5 | SEPARATION OF DUTIES | P1 | - | AC-5 | AC-5
AC-6 | LEAST PRIVILEGE | P1 | - | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (9) (10)
AC-7 | UNSUCCESSFUL LOGON ATTEMPTS | P2 | AC-7 | AC-7 | AC-7
AC-8 | SYSTEM USE NOTIFICATION | P1 | AC-8 | AC-8 | AC-8
AC-10 | CONCURRENT SESSION CONTROL | P3 | - | - | AC-10
AC-11 | SESSION LOCK | P3 | - | AC-11 (1) | AC-11 (1)
AC-12 | SESSION TERMINATION | P2 | - | AC-12 | AC-12
AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | P3 | AC-14 | AC-14 | AC-14
AC-17 | REMOTE ACCESS | P1 | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4)
AC-18 | WIRELESS ACCESS | P1 | AC-18 | AC-18 (1) | AC-18 (1) (4) (5)
AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | P1 | AC-19 | AC-19 (5) | AC-19 (5)
AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS | P1 | AC-20 | AC-20 (1) (2) | AC-20 (1) (2)
AC-21 | INFORMATION SHARING | P2 | - | AC-21 | AC-21
AC-22 | PUBLICLY ACCESSIBLE CONTENT | P3 | AC-22 | AC-22 | AC-22
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | P1 | AT-1 | AT-1 | AT-1
AT-2 | SECURITY AWARENESS TRAINING | P1 | AT-2 | AT-2 (2) | AT-2 (2)
AT-3 | ROLE-BASED SECURITY TRAINING | P1 | AT-3 | AT-3 | AT-3
AT-4 | SECURITY TRAINING RECORDS | P3 | AT-4 | AT-4 | AT-4
AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | P1 | AU-1 | AU-1 | AU-1
AU-2 | AUDIT EVENTS | P1 | AU-2 | AU-2 (3) | AU-2 (3)
AU-3 | CONTENT OF AUDIT RECORDS | P1 | AU-3 | AU-3 (1) | AU-3 (1) (2)
AU-4 | AUDIT STORAGE CAPACITY | P1 | AU-4 | AU-4 | AU-4
AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | P1 | AU-5 | AU-5 | AU-5 (1) (2)
AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | P1 | AU-6 | AU-6 (1) (3) | AU-6 (1) (3) (5) (6)
AU-7 | AUDIT REDUCTION AND REPORT GENERATION | P2 | - | AU-7 (1) | AU-7 (1)
AU-8 | TIME STAMPS | P1 | AU-8 | AU-8 (1) | AU-8 (1)
AU-9 | PROTECTION OF AUDIT INFORMATION | P1 | AU-9 | AU-9 (4) | AU-9 (2) (3) (4)
AU-10 | NON-REPUDIATION | P2 | - | - | AU-10
AU-11 | AUDIT RECORD RETENTION | P3 | AU-11 | AU-11 | AU-11
AU-12 | AUDIT GENERATION | P1 | AU-12 | AU-12 | AU-12 (1) (3)
CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES | P1 | CA-1 | CA-1 | CA-1
CA-2 | SECURITY ASSESSMENTS | P2 | CA-2 | CA-2 (1) | CA-2 (1) (2)
CA-3 | SYSTEM INTERCONNECTIONS | P1 | CA-3 | CA-3 (5) | CA-3 (5)
CA-5 | PLAN OF ACTION AND MILESTONES | P3 | CA-5 | CA-5 | CA-5
CA-6 | SECURITY AUTHORIZATION | P2 | CA-6 | CA-6 | CA-6
CA-7 | CONTINUOUS MONITORING | P2 | CA-7 | CA-7 (1) | CA-7 (1)
CA-8 | PENETRATION TESTING | P2 | - | - | CA-8
CA-9 | INTERNAL SYSTEM CONNECTIONS | P2 | CA-9 | CA-9 | CA-9
CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | P1 | CM-1 | CM-1 | CM-1
CM-2 | BASELINE CONFIGURATION | P1 | CM-2 | CM-2 (1) (3) (7) | CM-2 (1) (2) (3) (7)
CM-3 | CONFIGURATION CHANGE CONTROL | P1 | - | CM-3 (2) | CM-3 (1) (2)
CM-4 | SECURITY IMPACT ANALYSIS | P2 | CM-4 | CM-4 | CM-4 (1)
CM-5 | ACCESS RESTRICTIONS FOR CHANGE | P1 | - | CM-5 | CM-5 (1) (2) (3)
CM-6 | CONFIGURATION SETTINGS | P1 | CM-6 | CM-6 | CM-6 (1) (2)
CM-7 | LEAST FUNCTIONALITY | P1 | CM-7 | CM-7 (1) (2) (4) | CM-7 (1) (2) (5)
CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY | P1 | CM-8 | CM-8 (1) (3) (5) | CM-8 (1) (2) (3) (4) (5)
CM-9 | CONFIGURATION MANAGEMENT PLAN | P1 | - | CM-9 | CM-9
CM-10 | SOFTWARE USAGE RESTRICTIONS | P2 | CM-10 | CM-10 | CM-10
CM-11 | USER-INSTALLED SOFTWARE | P1 | CM-11 | CM-11 | CM-11
CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES | P1 | CP-1 | CP-1 | CP-1
CP-2 | CONTINGENCY PLAN | P1 | CP-2 | CP-2 (1) (3) (8) | CP-2 (1) (2) (3) (4) (5) (8)
CP-3 | CONTINGENCY TRAINING | P2 | CP-3 | CP-3 | CP-3 (1)
CP-4 | CONTINGENCY PLAN TESTING | P2 | CP-4 | CP-4 (1) | CP-4 (1) (2)
CP-6 | ALTERNATE STORAGE SITE | P1 | - | CP-6 (1) (3) | CP-6 (1) (2) (3)
CP-7 | ALTERNATE PROCESSING SITE | P1 | - | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4)
CP-8 | TELECOMMUNICATIONS SERVICES | P1 | - | CP-8 (1) (2) | CP-8 (1) (2) (3) (4)
CP-9 | INFORMATION SYSTEM BACKUP | P1 | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) (5)
CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | P1 | CP-10 | CP-10 (2) | CP-10 (2) (4)
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES | P1 | IA-1 | IA-1 | IA-1
IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | P1 | IA-2 (1) (12) | IA-2 (1) (2) (3) (8) (11) (12) | IA-2 (1) (2) (3) (4) (8) (9) (11) (12)
IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION | P1 | - | IA-3 | IA-3
IA-4 | IDENTIFIER MANAGEMENT | P1 | IA-4 | IA-4 | IA-4
IA-5 | AUTHENTICATOR MANAGEMENT | P1 | IA-5 (1) (11) | IA-5 (1) (2) (3) (11) | IA-5 (1) (2) (3) (11)
IA-6 | AUTHENTICATOR FEEDBACK | P2 | IA-6 | IA-6 | IA-6
IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION | P1 | IA-7 | IA-7 | IA-7
IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | P1 | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4)
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES | P1 | IR-1 | IR-1 | IR-1
IR-2 | INCIDENT RESPONSE TRAINING | P2 | IR-2 | IR-2 | IR-2 (1) (2)
IR-3 | INCIDENT RESPONSE TESTING | P2 | - | IR-3 (2) | IR-3 (2)
IR-4 | INCIDENT HANDLING | P1 | IR-4 | IR-4 (1) | IR-4 (1) (4)
IR-5 | INCIDENT MONITORING | P1 | IR-5 | IR-5 | IR-5 (1)
IR-6 | INCIDENT REPORTING | P1 | IR-6 | IR-6 (1) | IR-6 (1)
IR-7 | INCIDENT RESPONSE ASSISTANCE | P2 | IR-7 | IR-7 (1) | IR-7 (1)
IR-8 | INCIDENT RESPONSE PLAN | P1 | IR-8 | IR-8 | IR-8
MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | P1 | MA-1 | MA-1 | MA-1
MA-2 | CONTROLLED MAINTENANCE | P2 | MA-2 | MA-2 | MA-2 (2)
MA-3 | MAINTENANCE TOOLS | P3 | - | MA-3 (1) (2) | MA-3 (1) (2) (3)
MA-4 | NONLOCAL MAINTENANCE | P2 | MA-4 | MA-4 (2) | MA-4 (2) (3)
MA-5 | MAINTENANCE PERSONNEL | P2 | MA-5 | MA-5 | MA-5 (1)
MA-6 | TIMELY MAINTENANCE | P2 | - | MA-6 | MA-6
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES | P1 | MP-1 | MP-1 | MP-1
MP-2 | MEDIA ACCESS | P1 | MP-2 | MP-2 | MP-2
MP-3 | MEDIA MARKING | P2 | - | MP-3 | MP-3
MP-4 | MEDIA STORAGE | P1 | - | MP-4 | MP-4
MP-5 | MEDIA TRANSPORT | P1 | - | MP-5 (4) | MP-5 (4)
MP-6 | MEDIA SANITIZATION | P1 | MP-6 | MP-6 | MP-6 (1) (2) (3)
MP-7 | MEDIA USE | P1 | MP-7 | MP-7 (1) | MP-7 (1)
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | P1 | PE-1 | PE-1 | PE-1
PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | P1 | PE-2 | PE-2 | PE-2
PE-3 | PHYSICAL ACCESS CONTROL | P1 | PE-3 | PE-3 | PE-3 (1)
PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM | P1 | - | PE-4 | PE-4
PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES | P2 | - | PE-5 | PE-5
PE-6 | MONITORING PHYSICAL ACCESS | P1 | PE-6 | PE-6 (1) | PE-6 (1) (4)
PE-8 | VISITOR ACCESS RECORDS | P3 | PE-8 | PE-8 | PE-8 (1)
PE-9 | POWER EQUIPMENT AND CABLING | P1 | - | PE-9 | PE-9
PE-10 | EMERGENCY SHUTOFF | P1 | - | PE-10 | PE-10
PE-11 | EMERGENCY POWER | P1 | - | PE-11 | PE-11 (1)
PE-12 | EMERGENCY LIGHTING | P1 | PE-12 | PE-12 | PE-12
PE-13 | FIRE PROTECTION | P1 | PE-13 | PE-13 (3) | PE-13 (1) (2) (3)
PE-14 | TEMPERATURE AND HUMIDITY CONTROLS | P1 | PE-14 | PE-14 | PE-14
PE-15 | WATER DAMAGE PROTECTION | P1 | PE-15 | PE-15 | PE-15 (1)
PE-16 | DELIVERY AND REMOVAL | P2 | PE-16 | PE-16 | PE-16
PE-17 | ALTERNATE WORK SITE | P2 | - | PE-17 | PE-17
PE-18 | LOCATION OF INFORMATION SYSTEM COMPONENTS | P3 | - | - | PE-18
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES | P1 | PL-1 | PL-1 | PL-1
PL-2 | SYSTEM SECURITY PLAN | P1 | PL-2 | PL-2 (3) | PL-2 (3)
PL-4 | RULES OF BEHAVIOR | P2 | PL-4 | PL-4 (1) | PL-4 (1)
PL-8 | INFORMATION SECURITY ARCHITECTURE | P1 | - | PL-8 | PL-8
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES | P1 | PS-1 | PS-1 | PS-1
PS-2 | POSITION RISK DESIGNATION | P1 | PS-2 | PS-2 | PS-2
PS-3 | PERSONNEL SCREENING | P1 | PS-3 | PS-3 | PS-3
PS-4 | PERSONNEL TERMINATION | P1 | PS-4 | PS-4 | PS-4 (2)
PS-5 | PERSONNEL TRANSFER | P2 | PS-5 | PS-5 | PS-5
PS-6 | ACCESS AGREEMENTS | P3 | PS-6 | PS-6 | PS-6
PS-7 | THIRD-PARTY PERSONNEL SECURITY | P1 | PS-7 | PS-7 | PS-7
PS-8 | PERSONNEL SANCTIONS | P3 | PS-8 | PS-8 | PS-8
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES | P1 | RA-1 | RA-1 | RA-1
RA-2 | SECURITY CATEGORIZATION | P1 | RA-2 | RA-2 | RA-2
RA-3 | RISK ASSESSMENT | P1 | RA-3 | RA-3 | RA-3
RA-5 | VULNERABILITY SCANNING | P1 | RA-5 | RA-5 (1) (2) (5) | RA-5 (1) (2) (4) (5)
SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | P1 | SA-1 | SA-1 | SA-1
SA-2 | ALLOCATION OF RESOURCES | P1 | SA-2 | SA-2 | SA-2
SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | P1 | SA-3 | SA-3 | SA-3
SA-4 | ACQUISITION PROCESS | P1 | SA-4 (10) | SA-4 (1) (2) (9) (10) | SA-4 (1) (2) (9) (10)
SA-5 | INFORMATION SYSTEM DOCUMENTATION | P2 | SA-5 | SA-5 | SA-5
SA-8 | SECURITY ENGINEERING PRINCIPLES | P1 | - | SA-8 | SA-8
SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES | P1 | SA-9 | SA-9 (2) | SA-9 (2)
SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | P1 | - | SA-10 | SA-10
SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION | P1 | - | SA-11 | SA-11
SA-12 | SUPPLY CHAIN PROTECTION | P1 | - | - | SA-12
SA-15 | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | P2 | - | - | SA-15
SA-16 | DEVELOPER-PROVIDED TRAINING | P2 | - | - | SA-16
SA-17 | DEVELOPER SECURITY ARCHITECTURE AND DESIGN | P1 | - | - | SA-17
SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | P1 | SC-1 | SC-1 | SC-1
SC-2 | APPLICATION PARTITIONING | P1 | - | SC-2 | SC-2
SC-3 | SECURITY FUNCTION ISOLATION | P1 | - | - | SC-3
SC-4 | INFORMATION IN SHARED RESOURCES | P1 | - | SC-4 | SC-4
SC-5 | DENIAL OF SERVICE PROTECTION | P1 | SC-5 | SC-5 | SC-5
SC-7 | BOUNDARY PROTECTION | P1 | SC-7 | SC-7 (3) (4) (5) (7) | SC-7 (3) (4) (5) (7) (8) (18) (21)
SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | P1 | - | SC-8 (1) | SC-8 (1)
SC-10 | NETWORK DISCONNECT | P2 | - | SC-10 | SC-10
SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | P1 | SC-12 | SC-12 | SC-12 (1)
SC-13 | CRYPTOGRAPHIC PROTECTION | P1 | SC-13 | SC-13 | SC-13
SC-15 | COLLABORATIVE COMPUTING DEVICES | P1 | SC-15 | SC-15 | SC-15
SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | P1 | - | SC-17 | SC-17
SC-18 | MOBILE CODE | P2 | - | SC-18 | SC-18
SC-19 | VOICE OVER INTERNET PROTOCOL | P1 | - | SC-19 | SC-19
SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | P1 | SC-20 | SC-20 | SC-20
SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | P1 | SC-21 | SC-21 | SC-21
SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | P1 | SC-22 | SC-22 | SC-22
SC-23 | SESSION AUTHENTICITY | P1 | - | SC-23 | SC-23
SC-24 | FAIL IN KNOWN STATE | P1 | - | - | SC-24
SC-28 | PROTECTION OF INFORMATION AT REST | P1 | - | SC-28 | SC-28
SC-39 | PROCESS ISOLATION | P1 | SC-39 | SC-39 | SC-39
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES | P1 | SI-1 | SI-1 | SI-1
SI-2 | FLAW REMEDIATION | P1 | SI-2 | SI-2 (2) | SI-2 (1) (2)
SI-3 | MALICIOUS CODE PROTECTION | P1 | SI-3 | SI-3 (1) (2) | SI-3 (1) (2)
SI-4 | INFORMATION SYSTEM MONITORING | P1 | SI-4 | SI-4 (2) (4) (5) | SI-4 (2) (4) (5)
SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | P1 | SI-5 | SI-5 | SI-5 (1)
SI-6 | SECURITY FUNCTION VERIFICATION | P1 | - | - | SI-6
SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | P1 | - | SI-7 (1) (7) | SI-7 (1) (2) (5) (7) (14)
SI-8 | SPAM PROTECTION | P2 | - | SI-8 (1) (2) | SI-8 (1) (2)
SI-10 | INFORMATION INPUT VALIDATION | P1 | - | SI-10 | SI-10
SI-11 | ERROR HANDLING | P2 | - | SI-11 | SI-11
SI-12 | INFORMATION HANDLING AND RETENTION | P2 | SI-12 | SI-12 | SI-12
SI-16 | MEMORY PROTECTION | P1 | - | SI-16 | SI-16