NIST 800-53 Rev 5 Control Catalogue

315 security and privacy controls organized by family. Each control includes mappings to ISO 27001:2022, ISO 27002:2022, COBIT 2019, CIS Controls v8, NIST CSF 2.0, SOC 2 TSC, PCI DSS v4.0.1, CSA CCM v4, CSA AICM v1, FINOS CCC, ISO 42001:2023, IEC 62443, NIS2 Directive, PRA Operational Resilience, MAS TRM, APRA CPS 234, ASD Essential Eight, BSI IT-Grundschutz, ANSSI, FINMA Circular 2023/1, OSFI B-13, EU GDPR, EU DORA, BIO2, RBI CSF, FISC Security Guidelines, LGPD + BCB 4893, HKMA TM-E-1, MLPS 2.0, DNB Good Practice, EU CRA, SWIFT CSCF, SAMA CSF, NCA ECC, UAE IA, CBB TM, Qatar NIA, CBUAE, CBE CSF, SA JS2, CBN CSF, BoG CISD, POPIA, BoM CTRM, IOSCO Cyber Resilience, BCBS 239, CPMI-IOSCO PFMI, FFIEC IS, NYDFS 500, HIPAA Security Rule, ECB CROE, EBA ICT Guidelines, SEBI CSCRF, BOT Cyber Resilience, CMMC 2.0, NERC CIP, 10 CFR 73.54, TSA Pipeline SD, IEEE 1686-2022, FERC CIP Orders, DOE C2M2 v2.1, API 1164, AWIA, IAEA NSS 17-T, PCI PTS v6, FIPS 140-3, CBEST, TIBER-EU, PCI HSM, Common Criteria, ISAE 3402, Solvency II, Lloyd's Minimum Standards, NAIC Insurance Data Security, PRA SS1/23, FCA SYSC 13, HITRUST CSF v11, FDA 21 CFR Part 11, FDA Cybersecurity Guidance, ISO 27799, NHS DSPT, OWASP MASVS v2.1, CCSS v9.0, MiCA, Basel SCO60, BSSC Standards, and SEC Custody (Digital Assets).

ATT&CK v18.1 Coverage Matrix — See how these controls map to MITRE ATT&CK Enterprise techniques across 14 tactics. Filter by threat group or search by technique. →

AC (25) AT (6) AU (16) CA (9) CM (14) CP (13) IA (12) IR (9) MA (7) MP (8) PE (23) PL (11) PM (32) PS (9) PT (8) RA (10) SA (18) SC (50) SI (23) SR (12)

AC Access Control

25 controls

ID	Name	Low	Mod	High
AC-01	Access Control Policies and Procedures	✓	✓	✓
AC-02	Account Management	✓	✓	✓
AC-03	Access Enforcement	✓	✓	✓
AC-04	Information Flow Enforcement	✓	✓	✓
AC-05	Separation Of Duties	✓	✓	✓
AC-06	Least Privilege	✓	✓	✓
AC-07	Unsuccessful Login Attempts	✓	✓	✓
AC-08	System Use Notification	✓	✓	✓
AC-09	Previous Logon Notification	✓	✓	✓
AC-10	Concurrent Session Control	✓	✓	✓
AC-11	Session Lock	✓	✓	✓
AC-12	Session Termination	✓	✓	✓
AC-13	Supervision And Review -- Access Control	✓	✓	✓
AC-14	Permitted Actions Without Identification Or Authentication	✓	✓	✓
AC-15	Automated Marking	✓	✓	✓
AC-16	Automated Labeling	✓	✓	✓
AC-17	Remote Access	✓	✓	✓
AC-18	Wireless Access Restrictions	✓	✓	✓
AC-19	Access Control For Portable And Mobile Devices	✓	✓	✓
AC-20	Use Of External Information Systems	✓	✓	✓
AC-21	Information Sharing	-	✓	✓
AC-22	Publicly Accessible Content	✓	✓	✓
AC-23	Data Mining Protection	-	-	-
AC-24	Access Control Decisions	-	-	-
AC-25	Reference Monitor	-	-	-

AT Awareness and Training

6 controls

ID	Name	Low	Mod	High
AT-01	Security Awareness And Training Policy And Procedures	✓	✓	✓
AT-02	Security Awareness	✓	✓	✓
AT-03	Security Training	✓	✓	✓
AT-04	Security Training Records	✓	✓	✓
AT-05	Contacts With Security Groups And Associations	✓	✓	✓
AT-06	Training Feedback	-	-	-

AU Audit and Accountability

16 controls

ID	Name	Low	Mod	High
AU-01	Audit And Accountability Policy And Procedures	✓	✓	✓
AU-02	Auditable Events	✓	✓	✓
AU-03	Content Of Audit Records	✓	✓	✓
AU-04	Audit Storage Capacity	✓	✓	✓
AU-05	Response To Audit Processing Failures	✓	✓	✓
AU-06	Audit Monitoring, Analysis, And Reporting	✓	✓	✓
AU-07	Audit Reduction And Report Generation	✓	✓	✓
AU-08	Time Stamps	✓	✓	✓
AU-09	Protection Of Audit Information	✓	✓	✓
AU-10	Non-Repudiation	✓	✓	✓
AU-11	Audit Record Retention	✓	✓	✓
AU-12	Audit Record Generation	✓	✓	✓
AU-13	Monitoring for Information Disclosure	-	-	-
AU-14	Session Audit	-	-	-
AU-15	Alternate Audit Logging Capability	-	-	-
AU-16	Cross-Organizational Audit Logging	-	-	-

CA Security Assessment and Authorization

9 controls

ID	Name	Low	Mod	High
CA-01	Certification, Accreditation, And Security Assessment Policies And Procedures	✓	✓	✓
CA-02	Security Assessments	✓	✓	✓
CA-03	Information System Connections	✓	✓	✓
CA-04	Security Certification	✓	✓	✓
CA-05	Plan Of Action And Milestones	✓	✓	✓
CA-06	Security Accreditation	✓	✓	✓
CA-07	Continuous Monitoring	✓	✓	✓
CA-08	Penetration Testing	-	-	✓
CA-09	Internal System Connections	✓	✓	✓

CM Configuration Management

14 controls

ID	Name	Low	Mod	High
CM-01	Configuration Management Policy And Procedures	✓	✓	✓
CM-02	Baseline Configuration	✓	✓	✓
CM-03	Configuration Change Control	✓	✓	✓
CM-04	Monitoring Configuration Changes	✓	✓	✓
CM-05	Access Restrictions For Change	✓	✓	✓
CM-06	Configuration Settings	✓	✓	✓
CM-07	Least Functionality	✓	✓	✓
CM-08	Information System Component Inventory	✓	✓	✓
CM-09	Configuration Management Plan	-	✓	✓
CM-10	Software Usage Restrictions	✓	✓	✓
CM-11	User-Installed Software	✓	✓	✓
CM-12	Information Location	-	✓	✓
CM-13	Data Action Mapping	-	-	-
CM-14	Signed Components	-	-	-

CP Contingency Planning

13 controls

ID	Name	Low	Mod	High
CP-01	Contingency Planning Policy And Procedures	✓	✓	✓
CP-02	Contingency Plan	✓	✓	✓
CP-03	Contingency Training	✓	✓	✓
CP-04	Contingency Plan Testing And Exercises	✓	✓	✓
CP-05	Contingency Plan Update	✓	✓	✓
CP-06	Alternate Storage Site	✓	✓	✓
CP-07	Alternate Processing Site	✓	✓	✓
CP-08	Telecommunications Services	✓	✓	✓
CP-09	Information System Backup	✓	✓	✓
CP-10	Information System Recovery And Reconstitution	✓	✓	✓
CP-11	Alternate Communications Protocols	-	-	-
CP-12	Safe Mode	-	-	-
CP-13	Alternative Security Mechanisms	-	-	-

IA Identification and Authentication

12 controls

ID	Name	Low	Mod	High
IA-01	Identification And Authentication Policy And Procedures	✓	✓	✓
IA-02	User Identification And Authentication	✓	✓	✓
IA-03	Device Identification And Authentication	✓	✓	✓
IA-04	Identifier Management	✓	✓	✓
IA-05	Authenticator Management	✓	✓	✓
IA-06	Authenticator Feedback	✓	✓	✓
IA-07	Cryptographic Module Authentication	✓	✓	✓
IA-08	Identification and Authentication (Non-Organizational Users)	✓	✓	✓
IA-09	Service Identification and Authentication	-	-	-
IA-10	Adaptive Authentication	-	-	-
IA-11	Re-authentication	-	-	-
IA-12	Identity Proofing	✓	✓	✓

IR Incident Response

9 controls

ID	Name	Low	Mod	High
IR-01	Incident Response Policy And Procedures	✓	✓	✓
IR-02	Incident Response Training	✓	✓	✓
IR-03	Incident Response Testing And Exercises	✓	✓	✓
IR-04	Incident Handling	✓	✓	✓
IR-05	Incident Monitoring	✓	✓	✓
IR-06	Incident Reporting	✓	✓	✓
IR-07	Incident Response Assistance	✓	✓	✓
IR-08	Incident Response Plan	✓	✓	✓
IR-09	Information Spillage Response	-	-	-

MA Maintenance

7 controls

ID	Name	Low	Mod	High
MA-01	System Maintenance Policy And Procedures	✓	✓	✓
MA-02	Controlled Maintenance	✓	✓	✓
MA-03	Maintenance Tools	✓	✓	✓
MA-04	Remote Maintenance	✓	✓	✓
MA-05	Maintenance Personnel	✓	✓	✓
MA-06	Timely Maintenance	✓	✓	✓
MA-07	Field Maintenance	-	-	-

MP Media Protection

8 controls

ID	Name	Low	Mod	High
MP-01	Media Protection Policy And Procedures	✓	✓	✓
MP-02	Media Access	✓	✓	✓
MP-03	Media Labeling	✓	✓	✓
MP-04	Media Storage	✓	✓	✓
MP-05	Media Transport	✓	✓	✓
MP-06	Media Sanitization And Disposal	✓	✓	✓
MP-07	Media Use	✓	✓	✓
MP-08	Media Downgrading	-	-	-

PE Physical and Environmental Protection

23 controls

ID	Name	Low	Mod	High
PE-01	Physical And Environmental Protection Policy And Procedures	✓	✓	✓
PE-02	Physical Access Authorizations	✓	✓	✓
PE-03	Physical Access Control	✓	✓	✓
PE-04	Access Control For Transmission Medium	✓	✓	✓
PE-05	Access Control For Display Medium	✓	✓	✓
PE-06	Monitoring Physical Access	✓	✓	✓
PE-07	Visitor Control	✓	✓	✓
PE-08	Access Records	✓	✓	✓
PE-09	Power Equipment And Power Cabling	✓	✓	✓
PE-10	Emergency Shutoff	✓	✓	✓
PE-11	Emergency Power	✓	✓	✓
PE-12	Emergency Lighting	✓	✓	✓
PE-13	Fire Protection	✓	✓	✓
PE-14	Temperature And Humidity Controls	✓	✓	✓
PE-15	Water Damage Protection	✓	✓	✓
PE-16	Delivery And Removal	✓	✓	✓
PE-17	Alternate Work Site	✓	✓	✓
PE-18	Location Of Information System Components	✓	✓	✓
PE-19	Information Leakage	✓	✓	✓
PE-20	Asset Monitoring and Tracking	-	-	-
PE-21	Electromagnetic Pulse Protection	-	-	-
PE-22	Component Marking	-	-	-
PE-23	Facility Location	-	-	-

PL Planning

11 controls

ID	Name	Low	Mod	High
PL-01	Security Planning Policy And Procedures	✓	✓	✓
PL-02	System Security Plan	✓	✓	✓
PL-03	System Security Plan Update	✓	✓	✓
PL-04	Rules Of Behavior	✓	✓	✓
PL-05	Privacy Impact Assessment	✓	✓	✓
PL-06	Security-Related Activity Planning	✓	✓	✓
PL-07	Concept of Operations	-	-	-
PL-08	Security and Privacy Architectures	-	✓	✓
PL-09	Central Management	-	-	-
PL-10	Baseline Selection	✓	✓	✓
PL-11	Baseline Tailoring	✓	✓	✓

PM Program Management

32 controls

ID	Name	Low	Mod	High
PM-01	Information Security Program Plan	-	-	-
PM-02	Information Security Program Leadership Role	-	-	-
PM-03	Information Security and Privacy Resources	-	-	-
PM-04	Plan of Action and Milestones Process	-	-	-
PM-05	System Inventory	-	-	-
PM-06	Measures of Performance	-	-	-
PM-07	Enterprise Architecture	-	-	-
PM-08	Critical Infrastructure Plan	-	-	-
PM-09	Risk Management Strategy	-	-	-
PM-10	Authorization Process	-	-	-
PM-11	Mission and Business Process Definition	-	-	-
PM-12	Insider Threat Program	-	-	-
PM-13	Security and Privacy Workforce	-	-	-
PM-14	Testing, Training, and Monitoring	-	-	-
PM-15	Security and Privacy Groups and Associations	-	-	-
PM-16	Threat Awareness Program	-	-	-
PM-17	Protecting Controlled Unclassified Information on External Systems	-	-	-
PM-18	Privacy Program Plan	-	-	-
PM-19	Privacy Program Leadership Role	-	-	-
PM-20	Dissemination of Privacy Program Information	-	-	-
PM-21	Accounting of Disclosures	-	-	-
PM-22	Personally Identifiable Information Quality Management	-	-	-
PM-23	Data Governance Body	-	-	-
PM-24	Data Integrity Board	-	-	-
PM-25	Minimization of Personally Identifiable Information Used in Testing, Training, and Research	-	-	-
PM-26	Complaint Management	-	-	-
PM-27	Privacy Reporting	-	-	-
PM-28	Risk Framing	-	-	-
PM-29	Risk Management Program Leadership Roles	-	-	-
PM-30	Supply Chain Risk Management Strategy	-	-	-
PM-31	Continuous Monitoring Strategy	-	-	-
PM-32	Purposing	-	-	-

PS Personnel Security

9 controls

ID	Name	Low	Mod	High
PS-01	Personnel Security Policy And Procedures	✓	✓	✓
PS-02	Position Categorization	✓	✓	✓
PS-03	Personnel Screening	✓	✓	✓
PS-04	Personnel Termination	✓	✓	✓
PS-05	Personnel Transfer	✓	✓	✓
PS-06	Access Agreements	✓	✓	✓
PS-07	Third-Party Personnel Security	✓	✓	✓
PS-08	Personnel Sanctions	✓	✓	✓
PS-09	Position Descriptions	✓	✓	✓

PT Personally Identifiable Information Processing and Transparency

8 controls

ID	Name	Low	Mod	High
PT-01	Policy and Procedures	-	-	-
PT-02	Authority to Process Personally Identifiable Information	-	-	-
PT-03	Personally Identifiable Information Processing Purposes	-	-	-
PT-04	Consent	-	-	-
PT-05	Privacy Notice	-	-	-
PT-06	System of Records Notice	-	-	-
PT-07	Specific Categories of Personally Identifiable Information	-	-	-
PT-08	Computer Matching Requirements	-	-	-

RA Risk Assessment

10 controls

ID	Name	Low	Mod	High
RA-01	Risk Assessment Policy And Procedures	✓	✓	✓
RA-02	Security Categorization	✓	✓	✓
RA-03	Risk Assessment	✓	✓	✓
RA-04	Risk Assessment Update	✓	✓	✓
RA-05	Vulnerability Scanning	✓	✓	✓
RA-06	Technical Surveillance Countermeasures Survey	-	-	-
RA-07	Risk Response	✓	✓	✓
RA-08	Privacy Impact Assessments	-	-	-
RA-09	Criticality Analysis	-	✓	✓
RA-10	Threat Hunting	-	-	-

SA System and Services Acquisition

18 controls

ID	Name	Low	Mod	High
SA-01	System And Services Acquisition Policy And Procedures	✓	✓	✓
SA-02	Allocation Of Resources	✓	✓	✓
SA-03	Life Cycle Support	✓	✓	✓
SA-04	Acquisitions	✓	✓	✓
SA-05	Information System Documentation	✓	✓	✓
SA-06	Software Usage Restrictions	✓	✓	✓
SA-07	User Installed Software	✓	✓	✓
SA-08	Security Engineering Principles	✓	✓	✓
SA-09	External Information System Services	✓	✓	✓
SA-10	Developer Configuration Management	✓	✓	✓
SA-11	Developer Security Testing	-	-	-
SA-15	Development Process, Standards, and Tools	-	-	✓
SA-16	Developer-Provided Training	-	-	-
SA-17	Developer Security and Privacy Architecture and Design	-	-	✓
SA-20	Customized Development of Critical Components	-	-	-
SA-21	Developer Screening	-	-	✓
SA-22	Unsupported System Components	-	-	-
SA-23	Specialization	-	-	-

SC System and Communications Protection

50 controls

ID	Name	Low	Mod	High
SC-01	System And Communications Protection Policy And Procedures	✓	✓	✓
SC-02	Application Partitioning	✓	✓	✓
SC-03	Security Function Isolation	✓	✓	✓
SC-04	Information Remnance	✓	✓	✓
SC-05	Denial Of Service Protection	✓	✓	✓
SC-06	Resource Priority	✓	✓	✓
SC-07	Boundary Protection	✓	✓	✓
SC-08	Transmission Integrity	✓	✓	✓
SC-09	Transmission Confidentiality	✓	✓	✓
SC-10	Network Disconnect	✓	✓	✓
SC-11	Trusted Path	✓	✓	✓
SC-12	Cryptographic Key Establishment And Management	✓	✓	✓
SC-13	Use Of Cryptography	✓	✓	✓
SC-14	Public Access Protections	✓	✓	✓
SC-15	Collaborative Computing	✓	✓	✓
SC-16	Transmission Of Security Parameters	✓	✓	✓
SC-17	Public Key Infrastructure Certificates	✓	✓	✓
SC-18	Mobile Code	✓	✓	✓
SC-19	Voice Over Internet Protocol	✓	✓	✓
SC-20	Secure Name / Address Resolution Service (Authoritative Source)	✓	✓	✓
SC-21	Secure Name / Address Resolution Service (Recursive Or Caching Resolver)	✓	✓	✓
SC-22	Architecture And Provisioning For Name / Address Resolution Service	✓	✓	✓
SC-23	Session Authenticity	✓	✓	✓
SC-24	Fail in Known State	-	-	✓
SC-25	Thin Nodes	-	-	-
SC-26	Decoys	-	-	-
SC-27	Platform-independent Applications	-	-	-
SC-28	Protection of Information at Rest	-	✓	✓
SC-29	Heterogeneity	-	-	-
SC-30	Concealment and Misdirection	-	-	-
SC-31	Covert Channel Analysis	-	-	-
SC-32	System Partitioning	-	-	-
SC-34	Non-modifiable Executable Programs	-	-	-
SC-35	External Malicious Code Identification	-	-	-
SC-36	Distributed Processing and Storage	-	-	-
SC-37	Out-of-band Channels	-	-	-
SC-38	Operations Security	-	-	-
SC-39	Process Isolation	✓	✓	✓
SC-40	Wireless Link Protection	-	-	-
SC-41	Port and I/O Device Access	-	-	-
SC-42	Sensor Capability and Data	-	-	-
SC-43	Usage Restrictions	-	-	-
SC-44	Detonation Chambers	-	-	-
SC-45	System Time Synchronization	-	-	-
SC-46	Cross Domain Policy Enforcement	-	-	-
SC-47	Alternate Communications Paths	-	-	-
SC-48	Sensor Relocation	-	-	-
SC-49	Hardware-enforced Separation and Policy Enforcement	-	-	-
SC-50	Software-enforced Separation and Policy Enforcement	-	-	-
SC-51	Hardware-based Protection	-	-	-

SI System and Information Integrity

23 controls

ID	Name	Low	Mod	High
SI-01	System And Information Integrity Policy And Procedures	✓	✓	✓
SI-02	Flaw Remediation	✓	✓	✓
SI-03	Malicious Code Protection	✓	✓	✓
SI-04	Information System Monitoring Tools And Techniques	✓	✓	✓
SI-05	Security Alerts And Advisories	✓	✓	✓
SI-06	Security Functionality Verification	✓	✓	✓
SI-07	Software And Information Integrity	✓	✓	✓
SI-08	Spam Protection	✓	✓	✓
SI-09	Information Input Restrictions	✓	✓	✓
SI-10	Information Accuracy, Completeness, Validity, And Authenticity	✓	✓	✓
SI-11	Error Handling	✓	✓	✓
SI-12	Information Output Handling And Retention	✓	✓	✓
SI-13	Predictable Failure Prevention	-	-	-
SI-14	Non-persistence	-	-	-
SI-15	Information Output Filtering	-	-	-
SI-16	Memory Protection	-	✓	✓
SI-17	Fail-safe Procedures	-	-	-
SI-18	Personally Identifiable Information Quality Operations	-	-	-
SI-19	De-identification	-	-	-
SI-20	Tainting	-	-	-
SI-21	Information Refresh	-	-	-
SI-22	Information Diversity	-	-	-
SI-23	Information Fragmentation	-	-	-

SR Supply Chain Risk Management

12 controls

ID	Name	Low	Mod	High
SR-01	Policy and Procedures	✓	✓	✓
SR-02	Supply Chain Risk Management Plan	✓	✓	✓
SR-03	Supply Chain Controls and Processes	✓	✓	✓
SR-04	Provenance	-	-	-
SR-05	Acquisition Strategies, Tools, and Methods	✓	✓	✓
SR-06	Supplier Assessments and Reviews	-	✓	✓
SR-07	Supply Chain Operations Security	-	-	-
SR-08	Notification Agreements	✓	✓	✓
SR-09	Tamper Resistance and Detection	-	-	✓
SR-10	Inspection of Systems or Components	✓	✓	✓
SR-11	Component Authenticity	✓	✓	✓
SR-12	Component Disposal	✓	✓	✓