← Frameworks / Security Framework

ANSSI Hygiene Guide, RGS & SecNumCloud

French national cybersecurity guidelines from the Agence nationale de la securite des systemes d'information. Includes the 42-measure Hygiene Guide (cyber hygiene essentials), Referentiel General de Securite (government IS security framework), and SecNumCloud 3.2 (cloud security qualification for trusted cloud providers).

Clauses: 96

Avg Coverage: 87.1%

Publisher: ANSSI (Agence nationale de la securite des systemes d'information) Version: 2022

ANSSI → SP 800-53 SP 800-53 → ANSSI Coverage Analysis

Clause	Title	SP 800-53 Controls
Hygiene.1	Sensitise and train	AT-01 AT-02 AT-05 AT-06 PL-04
Hygiene.2	Define and apply a security policy	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PL-02 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
Hygiene.3	Carry out regular audits	CA-02 CA-07 CA-09 AT-02 AT-04 PL-04
Hygiene.4	Identify the person responsible for information systems security	AT-03 AT-04 AT-05 CP-03 IR-02 PM-02 PS-09
Hygiene.5	Establish an inventory of IT assets	CM-01 CM-02 CM-08 CM-12 IA-03 PL-02 SA-05
Hygiene.6	Establish access control procedures	AC-02 AC-13 IA-04
Hygiene.7	Manage arrivals, departures and movements of staff	AC-02 IA-04 MA-05 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
Hygiene.8	Classify information to know how to protect it	AC-15 AC-16 CM-08 MP-03 PT-03 PT-07 RA-02 SI-12 CM-13
Hygiene.9	Control access to external services	AC-20 CA-03 CA-09 SA-09 SR-03
Hygiene.10	Implement strong authentication	AC-01 AC-07 IA-01 IA-02 IA-05 IA-06
Hygiene.11	Distinguish user, admin, and service accounts	AC-02 AC-14 IA-01 IA-02 IA-04 PS-09
Hygiene.12	Protect passwords and secret keys	AC-07 AC-10 AC-12 IA-02 IA-05 IA-07 SC-10 SC-12 SC-13 SC-17 SC-23 SC-38
Hygiene.13	Regularly review authorisations	AC-02
Hygiene.14	Implement least privilege	AC-01 AC-03 AC-06 MP-02 PS-05 SI-09
Hygiene.15	Implement separation of duties	AC-03 AC-05 AC-06 CM-05 MA-05 PS-02
Hygiene.16	Control access to administration functions	AC-06 CM-05 MA-04
Hygiene.17	Segment networks to limit admin access	AC-03 AC-05 AC-06 CM-05 SC-46
Hygiene.18	Keep software up to date	CM-02 CM-06 CM-07 CM-14 SI-02
Hygiene.19	Protect data stored on workstations	AC-19 MP-01 MP-02 MP-04 MP-05 MP-06 MP-08 SC-04 SC-13 SC-28 SI-12 SR-12
Hygiene.20	Restrict software installation	CM-06 CM-07 CM-14 MA-03 SA-06 SA-07 SC-18 SI-07
Hygiene.21	Protect against malware	SI-03 SI-08 SI-16 SC-44
Hygiene.22	Secure email usage	AC-20 SC-05 SC-07 SC-14 SC-15 SC-18 SI-08
Hygiene.23	Segment and filter network flows	AC-04 SA-08 SC-01 SC-02 SC-03 SC-06 SC-07 SC-20 SC-21 SC-22 SC-46
Hygiene.24	Implement secure remote access	AC-17 MA-04 SC-08 SC-11 SC-16 SC-23 SC-47
Hygiene.25	Secure wireless networks	AC-18 SC-40
Hygiene.26	Secure interconnections with partners	AC-18 CA-03 CA-09 IA-03 PE-04 SA-09
Hygiene.27	Use firewalls to protect internal networks	AC-04 SC-05 SC-07
Hygiene.28	Protect administration of network equipment	AC-17 MA-04 MA-07 SC-11
Hygiene.29	Implement centralised log management	AC-09 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 CA-07 IR-05 SI-04 SI-11
Hygiene.30	Implement regular data backups	CP-01 CP-02 CP-06 CP-07 CP-08 CP-09 CP-10
Hygiene.31	Perform vulnerability management	AC-13 CA-02 CA-04 CA-07 RA-05 RA-07 SA-11 SI-06 SR-06 SR-10
Hygiene.32	Manage user account lifecycle	AC-02 IA-04 PS-04 PS-05
Hygiene.33	Apply security patches promptly	RA-05 SA-11 SI-01 SI-02 SI-05 SI-10 CM-14
Hygiene.34	Manage changes carefully	CM-03 CM-04 CM-05 CM-14 MA-01 MA-02 MA-03 MA-04 MA-06 SA-03 SA-10 SI-01 SI-02 SI-07
Hygiene.35	Define and test an incident response plan	CP-02 CP-03 CP-04 CP-05 CP-10 IR-01 IR-02 IR-03 IR-04 IR-09
Hygiene.36	Establish a governance and risk framework	CA-01 CA-05 CA-06 CM-03 CP-05 PL-01 PL-02 PL-03 PL-06 PL-09 PL-10 PL-11 RA-04 RA-07 RA-09 SA-01 SA-02 SA-03 SA-08 SA-10 SR-01 SR-02
Hygiene.37	Secure premises and physical access	MP-04 PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-16 PE-17 PE-18 PE-19 PE-21 PE-22 PE-23 SR-09
Hygiene.38	Protect environmental infrastructure	PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-18 PE-21
Hygiene.39	Implement monitoring and detection	AU-06 CA-07 IR-04 IR-05 PE-06 SI-04 SI-05 SC-48
Hygiene.40	Report and handle incidents	IR-01 IR-04 IR-06 IR-07 IR-09 SR-08
Hygiene.41	Conduct risk assessments	CA-02 CA-06 PL-05 RA-01 RA-02 RA-03 RA-04 RA-07 RA-09
Hygiene.42	Manage third-party and supply chain security	IR-07 SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-09 SR-10 SR-11
RGS.1.2	Security awareness and competence	AT-01 AT-06
RGS.1.3	Security policy framework	AC-01 AU-01 CA-01 PL-01 PL-09 RA-01 SC-01
RGS.2.1	Non-repudiation and electronic signatures	AU-10
RGS.2.2	Authentication mechanisms	IA-01 IA-02 IA-05 SC-16
RGS.2.3	Cryptographic requirements	IA-07 SC-08 SC-12 SC-13 SC-17 SC-38
RGS.3.1	Risk assessment methodology	RA-03 RA-07 RA-09
RGS.4.1	Security qualification and compliance assessment	CA-02 CA-04 CA-06
SecNumCloud.6.1	Information security policies for cloud services	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
SecNumCloud.6.2	Review and update of information security policies	PL-02 PL-03 PL-06
SecNumCloud.7.2	Risk assessment specific to cloud services	RA-03 RA-04 RA-07 RA-09
SecNumCloud.8.1	Human resources screening and roles	MA-05 PS-01 PS-02 PS-03 PS-07 PS-09
SecNumCloud.8.2	Terms and conditions of employment	PL-04 PS-06
SecNumCloud.8.3	Information security awareness, education and training	AT-02 AT-03 AT-04 AT-06
SecNumCloud.8.4	Disciplinary process and termination	PS-04 PS-05 PS-08
SecNumCloud.9.1	Asset inventory for cloud infrastructure	CM-08 CM-12 RA-02
SecNumCloud.9.2	Media handling and disposal	MP-01 MP-02 MP-03 MP-04 MP-05 MP-08 SI-12
SecNumCloud.9.3	Information disposal and data remanence	MP-06 MP-08 SC-04 SR-12
SecNumCloud.10.1	Access control policy for cloud services	AC-01 AC-08 AC-14 IA-01
SecNumCloud.10.2	User registration and identity management	AC-02 AC-13 IA-04
SecNumCloud.10.3	Access rights management	AC-03 AC-06 SI-09
SecNumCloud.10.4	Privileged access management	AC-05 AC-06
SecNumCloud.10.5	User authentication for cloud services	AC-07 AC-10 IA-02 IA-03 IA-05 IA-06 SC-23
SecNumCloud.10.6	Session management and timeout	AC-11 AC-12 AC-19 SC-10
SecNumCloud.10.7	Remote access to cloud administration	AC-17 SC-47
SecNumCloud.11.1	Cryptographic controls and key management	IA-07 SC-08 SC-12 SC-13 SC-17 SC-38
SecNumCloud.12.1	Physical security of cloud data centres	MP-04 PE-01 PE-17 PE-18 PE-23
SecNumCloud.12.2	Physical access controls for cloud facilities	PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-16 PE-19 PE-22 SR-09
SecNumCloud.12.3	Environmental protection for cloud infrastructure	PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-21
SecNumCloud.13.1	Operational procedures and hardening	CM-01 CM-02 CM-06 CM-07 CM-14 SA-06 SA-07 SC-18 SI-03 SI-08
SecNumCloud.13.2	Change management for cloud services	CM-03 CM-04 CM-05 CM-14
SecNumCloud.13.3	Capacity management	SC-06 SI-13
SecNumCloud.13.4	Maintenance and support	MA-01 MA-02 MA-03 MA-04 MA-06 MA-07
SecNumCloud.13.5	Backup and restoration for cloud services	CP-09
SecNumCloud.13.6	Vulnerability and patch management	RA-05 RA-07 SI-01 SI-02 SI-05 SI-06 SI-07
SecNumCloud.13.7	Logging and monitoring for cloud services	AC-09 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 CA-07 SI-04
SecNumCloud.14.1	Network security for cloud infrastructure	AC-04 CA-03 SC-01 SC-02 SC-03 SC-07 SC-15 SC-20 SC-21 SC-22 SC-46
SecNumCloud.14.2	Secure communications and data in transit	AC-17 SC-08 SC-11 SC-16 SC-38
SecNumCloud.14.3	Wireless network security	AC-18 SC-40
SecNumCloud.14.4	Protection against denial of service	SC-05 SC-07 SC-14 SC-47
SecNumCloud.15.1	Security in development and acquisition	SA-01 SA-02 SA-03 SA-04 SA-20 SA-21
SecNumCloud.15.2	System documentation and change control	SA-05
SecNumCloud.15.3	Technical security requirements	SA-08 SA-23 SI-10 SI-11
SecNumCloud.15.4	Configuration management for cloud platforms	SA-10 CM-14
SecNumCloud.15.5	Security testing for cloud services	SA-11 SA-20
SecNumCloud.16.1	Supplier and subcontractor management	AC-20 PS-07 SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-04 SR-05 SR-07 SR-08 SR-09 SR-11
SecNumCloud.16.2	Supplier assessment and monitoring	SA-09 SR-03 SR-06 SR-10
SecNumCloud.17.1	Incident management for cloud services	AU-06 IR-01 IR-02 IR-04 IR-05 IR-06 IR-07 IR-09
SecNumCloud.17.2	Incident response testing and exercises	IR-03 IR-04
SecNumCloud.18.1	Business continuity planning for cloud services	CP-01 CP-02 CP-05 SI-13
SecNumCloud.18.2	Business continuity testing	CP-03 CP-04
SecNumCloud.18.3	Redundancy and disaster recovery	CP-06 CP-07 CP-08 CP-10 SC-47
SecNumCloud.19.1	Compliance with legal and contractual requirements	CA-01 CA-05
SecNumCloud.19.2	Independent security audits and ANSSI qualification	CA-02 CA-04 CA-06 CA-07
SecNumCloud.19.3	Data protection and privacy compliance	PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 SI-18 SI-19