NIST 800-53 Rev 5 Control Catalogue
191 security and privacy controls organized by family. Each control includes mappings to ISO 27001:2022, ISO 27002:2022, COBIT 2019, CIS Controls v8, NIST CSF 2.0, and SOC 2 TSC. In each family table, the Low, Mod and High columns show whether the control is included in the corresponding security control baseline (✓) or not (-).
AC Access Control
20 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| AC-01 | Access Control Policies and Procedures | ✓ | ✓ | ✓ |
| AC-02 | Account Management | ✓ | ✓ | ✓ |
| AC-03 | Access Enforcement | ✓ | ✓ | ✓ |
| AC-04 | Information Flow Enforcement | ✓ | ✓ | ✓ |
| AC-05 | Separation of Duties | ✓ | ✓ | ✓ |
| AC-06 | Least Privilege | ✓ | ✓ | ✓ |
| AC-07 | Unsuccessful Login Attempts | ✓ | ✓ | ✓ |
| AC-08 | System Use Notification | ✓ | ✓ | ✓ |
| AC-09 | Previous Logon Notification | ✓ | ✓ | ✓ |
| AC-10 | Concurrent Session Control | ✓ | ✓ | ✓ |
| AC-11 | Session Lock | ✓ | ✓ | ✓ |
| AC-12 | Session Termination | ✓ | ✓ | ✓ |
| AC-13 | Supervision and Review - Access Control | ✓ | ✓ | ✓ |
| AC-14 | Permitted Actions without Identification or Authentication | ✓ | ✓ | ✓ |
| AC-15 | Automated Marking | ✓ | ✓ | ✓ |
| AC-16 | Automated Labeling | ✓ | ✓ | ✓ |
| AC-17 | Remote Access | ✓ | ✓ | ✓ |
| AC-18 | Wireless Access Restrictions | ✓ | ✓ | ✓ |
| AC-19 | Access Control for Portable and Mobile Devices | ✓ | ✓ | ✓ |
| AC-20 | Use of External Information Systems | ✓ | ✓ | ✓ |
AT Awareness and Training
5 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| AT-01 | Security Awareness and Training Policy and Procedures | ✓ | ✓ | ✓ |
| AT-02 | Security Awareness | ✓ | ✓ | ✓ |
| AT-03 | Security Training | ✓ | ✓ | ✓ |
| AT-04 | Security Training Records | ✓ | ✓ | ✓ |
| AT-05 | Contacts with Security Groups and Associations | ✓ | ✓ | ✓ |
AU Audit and Accountability
11 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| AU-01 | Audit and Accountability Policy and Procedures | ✓ | ✓ | ✓ |
| AU-02 | Auditable Events | ✓ | ✓ | ✓ |
| AU-03 | Content of Audit Records | ✓ | ✓ | ✓ |
| AU-04 | Audit Storage Capacity | ✓ | ✓ | ✓ |
| AU-05 | Response to Audit Processing Failures | ✓ | ✓ | ✓ |
| AU-06 | Audit Monitoring, Analysis, and Reporting | ✓ | ✓ | ✓ |
| AU-07 | Audit Reduction and Report Generation | ✓ | ✓ | ✓ |
| AU-08 | Time Stamps | ✓ | ✓ | ✓ |
| AU-09 | Protection Of Audit Information | ✓ | ✓ | ✓ |
| AU-10 | Non-Repudiation | ✓ | ✓ | ✓ |
| AU-11 | Audit Record Retention | ✓ | ✓ | ✓ |
CA Security Assessment and Authorization
7 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| CA-01 | Certification, Accreditation, and Security Assessment Policies and Procedures | ✓ | ✓ | ✓ |
| CA-02 | Security Assessments | ✓ | ✓ | ✓ |
| CA-03 | Information System Connections | ✓ | ✓ | ✓ |
| CA-04 | Security Certification | ✓ | ✓ | ✓ |
| CA-05 | Plan of Action and Milestones | ✓ | ✓ | ✓ |
| CA-06 | Security Accreditation | ✓ | ✓ | ✓ |
| CA-07 | Continuous Monitoring | ✓ | ✓ | ✓ |
CM Configuration Management
8 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| CM-01 | Configuration Management Policy and Procedures | ✓ | ✓ | ✓ |
| CM-02 | Baseline Configuration | ✓ | ✓ | ✓ |
| CM-03 | Configuration Change Control | ✓ | ✓ | ✓ |
| CM-04 | Monitoring Configuration Changes | ✓ | ✓ | ✓ |
| CM-05 | Access Restrictions for Change | ✓ | ✓ | ✓ |
| CM-06 | Configuration Settings | ✓ | ✓ | ✓ |
| CM-07 | Least Functionality | ✓ | ✓ | ✓ |
| CM-08 | Information System Component Inventory | ✓ | ✓ | ✓ |
CP Contingency Planning
10 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| CP-01 | Contingency Planning Policy and Procedures | ✓ | ✓ | ✓ |
| CP-02 | Contingency Plan | ✓ | ✓ | ✓ |
| CP-03 | Contingency Training | ✓ | ✓ | ✓ |
| CP-04 | Contingency Plan Testing and Exercises | ✓ | ✓ | ✓ |
| CP-05 | Contingency Plan Update | ✓ | ✓ | ✓ |
| CP-06 | Alternate Storage Site | ✓ | ✓ | ✓ |
| CP-07 | Alternate Processing Site | ✓ | ✓ | ✓ |
| CP-08 | Telecommunications Services | ✓ | ✓ | ✓ |
| CP-09 | Information System Backup | ✓ | ✓ | ✓ |
| CP-10 | Information System Recovery and Reconstitution | ✓ | ✓ | ✓ |
IA Identification and Authentication
7 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| IA-01 | Identification and Authentication Policy and Procedures | ✓ | ✓ | ✓ |
| IA-02 | User Identification and Authentication | ✓ | ✓ | ✓ |
| IA-03 | Device Identification and Authentication | ✓ | ✓ | ✓ |
| IA-04 | Identifier Management | ✓ | ✓ | ✓ |
| IA-05 | Authenticator Management | ✓ | ✓ | ✓ |
| IA-06 | Authenticator Feedback | ✓ | ✓ | ✓ |
| IA-07 | Cryptographic Module Authentication | ✓ | ✓ | ✓ |
IR Incident Response
7 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| IR-01 | Incident Response Policy and Procedures | ✓ | ✓ | ✓ |
| IR-02 | Incident Response Training | ✓ | ✓ | ✓ |
| IR-03 | Incident Response Testing and Exercises | ✓ | ✓ | ✓ |
| IR-04 | Incident Handling | ✓ | ✓ | ✓ |
| IR-05 | Incident Monitoring | ✓ | ✓ | ✓ |
| IR-06 | Incident Reporting | ✓ | ✓ | ✓ |
| IR-07 | Incident Response Assistance | ✓ | ✓ | ✓ |
MA Maintenance
6 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| MA-01 | System Maintenance Policy and Procedures | ✓ | ✓ | ✓ |
| MA-02 | Controlled Maintenance | ✓ | ✓ | ✓ |
| MA-03 | Maintenance Tools | ✓ | ✓ | ✓ |
| MA-04 | Remote Maintenance | ✓ | ✓ | ✓ |
| MA-05 | Maintenance Personnel | ✓ | ✓ | ✓ |
| MA-06 | Timely Maintenance | ✓ | ✓ | ✓ |
MP Media Protection
6 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| MP-01 | Media Protection Policy and Procedures | ✓ | ✓ | ✓ |
| MP-02 | Media Access | ✓ | ✓ | ✓ |
| MP-03 | Media Labeling | ✓ | ✓ | ✓ |
| MP-04 | Media Storage | ✓ | ✓ | ✓ |
| MP-05 | Media Transport | ✓ | ✓ | ✓ |
| MP-06 | Media Sanitization and Disposal | ✓ | ✓ | ✓ |
PE Physical and Environmental Protection
19 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| PE-01 | Physical and Environmental Protection Policy and Procedures | ✓ | ✓ | ✓ |
| PE-02 | Physical Access Authorizations | ✓ | ✓ | ✓ |
| PE-03 | Physical Access Control | ✓ | ✓ | ✓ |
| PE-04 | Access Control for Transmission Medium | ✓ | ✓ | ✓ |
| PE-05 | Access Control for Display Medium | ✓ | ✓ | ✓ |
| PE-06 | Monitoring Physical Access | ✓ | ✓ | ✓ |
| PE-07 | Visitor Control | ✓ | ✓ | ✓ |
| PE-08 | Access Records | ✓ | ✓ | ✓ |
| PE-09 | Power Equipment and Power Cabling | ✓ | ✓ | ✓ |
| PE-10 | Emergency Shutoff | ✓ | ✓ | ✓ |
| PE-11 | Emergency Power | ✓ | ✓ | ✓ |
| PE-12 | Emergency Lighting | ✓ | ✓ | ✓ |
| PE-13 | Fire Protection | ✓ | ✓ | ✓ |
| PE-14 | Temperature and Humidity Controls | ✓ | ✓ | ✓ |
| PE-15 | Water Damage Protection | ✓ | ✓ | ✓ |
| PE-16 | Delivery and Removal | ✓ | ✓ | ✓ |
| PE-17 | Alternate Work Site | ✓ | ✓ | ✓ |
| PE-18 | Location of Information System Components | ✓ | ✓ | ✓ |
| PE-19 | Information Leakage | ✓ | ✓ | ✓ |
PL Planning
6 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| PL-01 | Security Planning Policy and Procedures | ✓ | ✓ | ✓ |
| PL-02 | System Security Plan | ✓ | ✓ | ✓ |
| PL-03 | System Security Plan Update | ✓ | ✓ | ✓ |
| PL-04 | Rules of Behavior | ✓ | ✓ | ✓ |
| PL-05 | Privacy Impact Assessment | ✓ | ✓ | ✓ |
| PL-06 | Security-Related Activity Planning | ✓ | ✓ | ✓ |
PS Personnel Security
8 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| PS-01 | Personnel Security Policy and Procedures | ✓ | ✓ | ✓ |
| PS-02 | Position Categorization | ✓ | ✓ | ✓ |
| PS-03 | Personnel Screening | ✓ | ✓ | ✓ |
| PS-04 | Personnel Termination | ✓ | ✓ | ✓ |
| PS-05 | Personnel Transfer | ✓ | ✓ | ✓ |
| PS-06 | Access Agreements | ✓ | ✓ | ✓ |
| PS-07 | Third-Party Personnel Security | ✓ | ✓ | ✓ |
| PS-08 | Personnel Sanctions | ✓ | ✓ | ✓ |
PT Personally Identifiable Information Processing and Transparency
8 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| PT-01 | Policy and Procedures | - | - | - |
| PT-02 | Authority to Process Personally Identifiable Information | - | - | - |
| PT-03 | Personally Identifiable Information Processing Purposes | - | - | - |
| PT-04 | Consent | - | - | - |
| PT-05 | Privacy Notice | - | - | - |
| PT-06 | System of Records Notice | - | - | - |
| PT-07 | Specific Categories of Personally Identifiable Information | - | - | - |
| PT-08 | Computer Matching Requirements | - | - | - |
RA Risk Assessment
5 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| RA-01 | Risk Assessment Policy and Procedures | ✓ | ✓ | ✓ |
| RA-02 | Security Categorization | ✓ | ✓ | ✓ |
| RA-03 | Risk Assessment | ✓ | ✓ | ✓ |
| RA-04 | Risk Assessment Update | ✓ | ✓ | ✓ |
| RA-05 | Vulnerability Scanning | ✓ | ✓ | ✓ |
SA System and Services Acquisition
11 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| SA-01 | System and Services Acquisition Policy and Procedures | ✓ | ✓ | ✓ |
| SA-02 | Allocation of Resources | ✓ | ✓ | ✓ |
| SA-03 | Life Cycle Support | ✓ | ✓ | ✓ |
| SA-04 | Acquisitions | ✓ | ✓ | ✓ |
| SA-05 | Information System Documentation | ✓ | ✓ | ✓ |
| SA-06 | Software Usage Restrictions | ✓ | ✓ | ✓ |
| SA-07 | User Installed Software | ✓ | ✓ | ✓ |
| SA-08 | Security Engineering Principles | ✓ | ✓ | ✓ |
| SA-09 | External Information System Services | ✓ | ✓ | ✓ |
| SA-10 | Developer Configuration Management | ✓ | ✓ | ✓ |
| SA-11 | Developer Security Testing | - | - | - |
SC System and Communications Protection
23 controls
SI System and Information Integrity
12 controls
SR Supply Chain Risk Management
12 controls
| ID | Name | Low | Mod | High |
|---|---|---|---|---|
| SR-01 | Policy and Procedures | ✓ | ✓ | ✓ |
| SR-02 | Supply Chain Risk Management Plan | ✓ | ✓ | ✓ |
| SR-03 | Supply Chain Controls and Processes | ✓ | ✓ | ✓ |
| SR-04 | Provenance | - | - | - |
| SR-05 | Acquisition Strategies, Tools, and Methods | ✓ | ✓ | ✓ |
| SR-06 | Supplier Assessments and Reviews | - | ✓ | ✓ |
| SR-07 | Supply Chain Operations Security | - | - | - |
| SR-08 | Notification Agreements | ✓ | ✓ | ✓ |
| SR-09 | Tamper Resistance and Detection | - | - | ✓ |
| SR-10 | Inspection of Systems or Components | ✓ | ✓ | ✓ |
| SR-11 | Component Authenticity | ✓ | ✓ | ✓ |
| SR-12 | Component Disposal | ✓ | ✓ | ✓ |