← Frameworks / ANSSI / Coverage Analysis

ANSSI Hygiene Guide, RGS & SecNumCloud — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each ANSSI requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 96
Avg Coverage: 87.1%
Publisher: ANSSI (Agence nationale de la securite des systemes d'information)
Coverage Distribution
Full (85-100%): 76 Substantial (65-84%): 20 Partial (40-64%): 0 Weak (1-39%): 0
ANSSI → SP 800-53 SP 800-53 → ANSSI Coverage Analysis

Clause-by-Clause Analysis

Sorted by clause
Hygiene.1 Sensitise and train
AT-01 AT-02 AT-05 AT-06 +1
92%

Rationale

AT-01 awareness policy; AT-02 security awareness; AT-05 contacts with security groups; AT-06 (new in Rev 5) training feedback measures training effectiveness and captures lessons learned, directly supporting ANSSI requirements for awareness programme evaluation; PL-04 rules of behaviour.

Gaps

Minimal gap. AT-06 improves training effectiveness measurement.

Mapped Controls

AT-01 AT-02 AT-05 AT-06 PL-04
Hygiene.2 Define and apply a security policy
AC-01 AT-01 AU-01 CA-01 +16
90%

Rationale

Comprehensive policy controls across all families. No new Rev 5 controls materially change policy definition coverage — the -01 family policy controls were already comprehensive.

Gaps

Minimal gap. SP 800-53 requires comprehensive security policies across all control families.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PL-02 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
Hygiene.3 Carry out regular audits
CA-02 CA-07 CA-09 AT-02 +2
88%

Rationale

CA-02 security assessments; CA-07 continuous monitoring; CA-09 (new in Rev 5) internal system connections supports audit scope by providing visibility into internal interconnections that require assessment; AT-02 security awareness; AT-04 training records; PL-04 rules of behaviour.

Gaps

Minor: CA-09 improves audit scope coverage. ANSSI emphasizes regular independent audits; SP 800-53 CA-02 covers assessment but the practical audit cadence focus is less explicit.

Mapped Controls

CA-02 CA-07 CA-09 AT-02 AT-04 PL-04
Hygiene.4 Identify the person responsible for information systems security
AT-03 AT-04 AT-05 CP-03 +3
92%

Rationale

AT-03 security training; AT-04 training records; AT-05 contacts; CP-03 contingency training; IR-02 incident response training; PM-02 senior information security officer; PS-09 (new in Rev 5) position descriptions defines security responsibilities in role descriptions, directly supporting the requirement to formally designate RSSI/CISO.

Gaps

Minimal gap. PS-09 strengthens security role designation.

Mapped Controls

AT-03 AT-04 AT-05 CP-03 IR-02 PM-02 PS-09
Hygiene.5 Establish an inventory of IT assets
CM-01 CM-02 CM-08 CM-12 +3
92%

Rationale

CM-01 configuration management policy; CM-02 baseline configuration; CM-08 system component inventory; CM-12 (new in Rev 5) information location identifies where sensitive data resides across infrastructure, directly supporting ANSSI asset inventory requirements by linking data to infrastructure components; IA-03 device identification; PL-02 system security plan; SA-05 documentation.

Gaps

Minimal gap. CM-12 strengthens data-to-asset mapping.

Mapped Controls

CM-01 CM-02 CM-08 CM-12 IA-03 PL-02 SA-05
Hygiene.6 Establish access control procedures
AC-02 AC-13 IA-04
90%

Rationale

AC-02 account management; AC-13 supervision and review; IA-04 identifier management. No new Rev 5 controls materially improve access control procedure coverage.

Gaps

Minimal gap.

Mapped Controls

AC-02 AC-13 IA-04
Hygiene.7 Manage arrivals, departures and movements of staff
AC-02 IA-04 MA-05 PS-01 +8
92%

Rationale

AC-02 account management; IA-04 identifier management; MA-05 maintenance personnel; PS family personnel security; PS-09 (new in Rev 5) position descriptions ensures security responsibilities are defined in role descriptions, supporting onboarding and role transition processes.

Gaps

Minimal gap. PS-09 strengthens personnel lifecycle management.

Mapped Controls

AC-02 IA-04 MA-05 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
Hygiene.8 Classify information to know how to protect it
AC-15 AC-16 CM-08 MP-03 +5
88%

Rationale

AC-15 automated marking; AC-16 automated labelling; CM-08 component inventory; MP-03 media labelling; PT-07 specific categories of PII; RA-02 security categorization; SI-12 information management; CM-13 (new in Rev 5) data action mapping documents data processing flows across systems, supporting classification by identifying where classified data is processed and stored.

Gaps

Minor: CM-13 improves classification mapping. ANSSI emphasizes a practical classification scheme; SP 800-53 RA-02 uses FIPS 199 categorization which is US-specific. French classification levels (e.g., Diffusion Restreinte) not addressed.

Mapped Controls

AC-15 AC-16 CM-08 MP-03 PT-03 PT-07 RA-02 SI-12 CM-13
Hygiene.9 Control access to external services
AC-20 CA-03 CA-09 SA-09 +1
88%

Rationale

AC-20 use of external systems; CA-03 system connections; SA-09 external information system services; SR-03 supply chain controls; CA-09 (new in Rev 5) internal system connections extends governance to internal interconnections with external-facing services, providing better visibility into the full access chain.

Gaps

Minor: CA-09 improves interconnection governance. ANSSI specifically targets cloud and SaaS service access governance. SP 800-53 covers external systems but is less prescriptive on modern cloud service access patterns.

Mapped Controls

AC-20 CA-03 CA-09 SA-09 SR-03
Hygiene.10 Implement strong authentication
AC-01 AC-07 IA-01 IA-02 +2
90%

Rationale

AC-01 access control policy; AC-07 unsuccessful login attempts; IA-01 identification and authentication policy; IA-02 user identification and authentication; IA-05 authenticator management; IA-06 authenticator feedback. IA family provides comprehensive authentication controls.

Gaps

Minimal gap. SP 800-53 IA family directly addresses strong authentication requirements.

Mapped Controls

AC-01 AC-07 IA-01 IA-02 IA-05 IA-06
Hygiene.11 Distinguish user, admin, and service accounts
AC-02 AC-14 IA-01 IA-02 +2
92%

Rationale

AC-02 account management; AC-14 permitted actions without identification; IA-01 identification and authentication policy; IA-02 user identification; IA-04 identifier management; PS-09 (new in Rev 5) position descriptions formally links account types to role definitions, supporting account type differentiation.

Gaps

Minimal gap. PS-09 strengthens account-to-role alignment.

Mapped Controls

AC-02 AC-14 IA-01 IA-02 IA-04 PS-09
Hygiene.12 Protect passwords and secret keys
AC-07 AC-10 AC-12 IA-02 +8
92%

Rationale

AC-07 unsuccessful login attempts; AC-10 concurrent session control; AC-12 session termination; IA-02 user identification; IA-05 authenticator management; IA-07 cryptographic module authentication; SC-10 network disconnect; SC-12 cryptographic key management; SC-13 use of cryptography; SC-17 PKI certificates; SC-23 session authenticity; SC-38 (new in Rev 5) operations security protects cryptographic key operations from side-channel attacks.

Gaps

Minimal gap. SC-38 strengthens key protection during operations.

Mapped Controls

AC-07 AC-10 AC-12 IA-02 IA-05 IA-07 SC-10 SC-12 SC-13 SC-17 SC-23 SC-38
Hygiene.13 Regularly review authorisations
AC-02
85%

Rationale

AC-02 account management includes periodic review of accounts. No new Rev 5 controls materially add to authorisation review.

Gaps

Minor: ANSSI measure focuses on regular, systematic review of all authorisations. AC-02 covers account review but the broader entitlement review scope is less prescriptive.

Mapped Controls

AC-02
Hygiene.14 Implement least privilege
AC-01 AC-03 AC-06 MP-02 +2
90%

Rationale

AC-01 access control policy; AC-03 access enforcement; AC-06 least privilege; MP-02 media access; PS-05 personnel transfer; SI-09 information input restrictions. AC-06 directly maps to least privilege. No new Rev 5 controls materially improve coverage.

Gaps

Minimal gap.

Mapped Controls

AC-01 AC-03 AC-06 MP-02 PS-05 SI-09
Hygiene.15 Implement separation of duties
AC-03 AC-05 AC-06 CM-05 +2
90%

Rationale

AC-03 access enforcement; AC-05 separation of duties; AC-06 least privilege; CM-05 access restrictions for change; MA-05 maintenance personnel; PS-02 position categorization. AC-05 directly addresses separation of duties.

Gaps

Minimal gap.

Mapped Controls

AC-03 AC-05 AC-06 CM-05 MA-05 PS-02
Hygiene.16 Control access to administration functions
AC-06 CM-05 MA-04
90%

Rationale

AC-06 least privilege; CM-05 access restrictions for change; MA-04 remote maintenance. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

AC-06 CM-05 MA-04
Hygiene.17 Segment networks to limit admin access
AC-03 AC-05 AC-06 CM-05 +1
88%

Rationale

AC-03 access enforcement; AC-05 separation of duties; AC-06 least privilege; CM-05 access restrictions for change; SC-46 (new in Rev 5) cross-domain policy enforcement provides policy enforcement between network security domains, directly supporting dedicated administration network segmentation.

Gaps

Minor: SC-46 strengthens network domain separation. ANSSI emphasizes dedicated administration networks; SC-46 improves this but the specific requirement for physically or logically separate admin networks is still less prescriptive.

Mapped Controls

AC-03 AC-05 AC-06 CM-05 SC-46
Hygiene.18 Keep software up to date
CM-02 CM-06 CM-07 CM-14 +1
92%

Rationale

CM-02 baseline configuration; CM-06 configuration settings; CM-07 least functionality; CM-14 (new in Rev 5) signed components verifies update/patch integrity through cryptographic signatures; SI-02 flaw remediation directly addresses software updates.

Gaps

Minimal gap. CM-14 adds patch integrity verification.

Mapped Controls

CM-02 CM-06 CM-07 CM-14 SI-02
Hygiene.19 Protect data stored on workstations
AC-19 MP-01 MP-02 MP-04 +8
92%

Rationale

AC-19 mobile devices; MP-01 media protection policy; MP-02 media access; MP-04 media storage; MP-05 media transport; MP-06 media sanitization; MP-08 (new in Rev 5) media downgrading provides procedures for downgrading workstation media classification after sanitisation; SC-04 information remnance; SC-13 use of cryptography; SC-28 data at rest; SI-12 information management; SR-12 component disposal.

Gaps

Minimal gap. MP-08 adds media downgrading for workstation data.

Mapped Controls

AC-19 MP-01 MP-02 MP-04 MP-05 MP-06 MP-08 SC-04 SC-13 SC-28 SI-12 SR-12
Hygiene.20 Restrict software installation
CM-06 CM-07 CM-14 MA-03 +4
92%

Rationale

CM-06 configuration settings; CM-07 least functionality; CM-14 (new in Rev 5) signed components verifies software authenticity before installation through cryptographic signatures; MA-03 maintenance tools; SA-06 software usage restrictions; SA-07 user installed software; SC-18 mobile code; SI-07 software and information integrity.

Gaps

Minimal gap. CM-14 strengthens software installation integrity.

Mapped Controls

CM-06 CM-07 CM-14 MA-03 SA-06 SA-07 SC-18 SI-07
Hygiene.21 Protect against malware
SI-03 SI-08 SI-16 SC-44
92%

Rationale

SI-03 malicious code protection; SI-08 spam protection; SI-16 (new in Rev 5) memory protection (DEP/ASLR) hardens against exploit-based malware; SC-44 (new in Rev 5) detonation chambers provides sandboxing for suspicious file analysis.

Gaps

Minimal gap. SI-16 and SC-44 add defence-in-depth.

Mapped Controls

SI-03 SI-08 SI-16 SC-44
Hygiene.22 Secure email usage
AC-20 SC-05 SC-07 SC-14 +3
85%

Rationale

AC-20 use of external systems; SC-05 denial of service protection; SC-07 boundary protection; SC-14 public access protections; SC-15 collaborative computing; SC-18 mobile code; SI-08 spam protection. No new Rev 5 controls directly address email-specific security.

Gaps

Minor: ANSSI provides specific email security guidance. SP 800-53 covers email through general controls but email-specific measures (e.g., SPF, DKIM, DMARC requirements) less explicit.

Mapped Controls

AC-20 SC-05 SC-07 SC-14 SC-15 SC-18 SI-08
Hygiene.23 Segment and filter network flows
AC-04 SA-08 SC-01 SC-02 +7
92%

Rationale

AC-04 information flow enforcement; SC-07 boundary protection; SC-02 application partitioning; SC-03 security function isolation; SC-06 resource priority; SC-20/SC-21/SC-22 secure name resolution; SA-08 security engineering principles; SC-46 (new in Rev 5) cross-domain policy enforcement strengthens segmentation between security domains with explicit policy enforcement at domain boundaries.

Gaps

Minimal gap. SC-46 adds cross-domain enforcement.

Mapped Controls

AC-04 SA-08 SC-01 SC-02 SC-03 SC-06 SC-07 SC-20 SC-21 SC-22 SC-46
Hygiene.24 Implement secure remote access
AC-17 MA-04 SC-08 SC-11 +3
92%

Rationale

AC-17 remote access; MA-04 remote maintenance; SC-08 transmission integrity; SC-11 trusted path; SC-16 transmission of security parameters; SC-23 session authenticity; SC-47 (new in Rev 5) alternate communications paths provides resilient remote access by defining backup communication channels.

Gaps

Minimal gap. SC-47 adds remote access resilience.

Mapped Controls

AC-17 MA-04 SC-08 SC-11 SC-16 SC-23 SC-47
Hygiene.25 Secure wireless networks
AC-18 SC-40
88%

Rationale

AC-18 wireless access restrictions; SC-40 (new in Rev 5) wireless link protection provides specific protections for wireless communication links against eavesdropping and manipulation.

Gaps

Minor: SC-40 adds wireless link protection. ANSSI provides detailed wireless security guidance including specific protocol requirements. SP 800-53 covers wireless access but French-specific wireless standards less detailed.

Mapped Controls

AC-18 SC-40
Hygiene.26 Secure interconnections with partners
AC-18 CA-03 CA-09 IA-03 +2
88%

Rationale

AC-18 wireless access restrictions; CA-03 system connections; IA-03 device identification; PE-04 access control for transmission medium; SA-09 external services; CA-09 (new in Rev 5) internal system connections authorizes and monitors internal connections that support partner interconnection governance.

Gaps

Minor: CA-09 improves interconnection governance. ANSSI emphasizes specific interconnection security requirements with partner organisations.

Mapped Controls

AC-18 CA-03 CA-09 IA-03 PE-04 SA-09
Hygiene.27 Use firewalls to protect internal networks
AC-04 SC-05 SC-07
90%

Rationale

AC-04 information flow enforcement; SC-05 denial of service protection; SC-07 boundary protection. SC-07 directly addresses firewall and boundary protection. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

AC-04 SC-05 SC-07
Hygiene.28 Protect administration of network equipment
AC-17 MA-04 MA-07 SC-11
88%

Rationale

AC-17 remote access; MA-04 remote maintenance; SC-11 trusted path; MA-07 (new in Rev 5) field maintenance addresses maintenance of network equipment at remote/field locations with appropriate security controls.

Gaps

Minor: MA-07 extends to field maintenance of network equipment. ANSSI emphasizes dedicated out-of-band management networks; SP 800-53 covers through AC-17 and MA-04 but dedicated management network requirements are less explicit.

Mapped Controls

AC-17 MA-04 MA-07 SC-11
Hygiene.29 Implement centralised log management
AC-09 AU-01 AU-02 AU-03 +13
92%

Rationale

AC-09 previous logon notification; AU family comprehensive for logging; AU-12 (added) audit record generation; CA-07 continuous monitoring; IR-05 incident monitoring; SI-04 system monitoring; SI-11 error handling. No new Rev 5 controls materially improve centralised logging — the AU family was already comprehensive.

Gaps

Minimal gap.

Mapped Controls

AC-09 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 CA-07 IR-05 SI-04 SI-11
Hygiene.30 Implement regular data backups
CP-01 CP-02 CP-06 CP-07 +3
90%

Rationale

CP-01 contingency planning policy; CP-02 contingency plan; CP-06 alternate storage site; CP-07 alternate processing site; CP-08 telecommunications services; CP-09 system backup; CP-10 system recovery. No new Rev 5 controls materially add to backup coverage.

Gaps

Minimal gap.

Mapped Controls

CP-01 CP-02 CP-06 CP-07 CP-08 CP-09 CP-10
Hygiene.31 Perform vulnerability management
AC-13 CA-02 CA-04 CA-07 +6
92%

Rationale

AC-13 supervision and review; CA-02 security assessments; CA-04 security certification; CA-07 continuous monitoring; RA-05 vulnerability scanning; RA-07 (new in Rev 5) risk response adds explicit risk treatment actions for identified vulnerabilities; SA-11 developer security testing; SI-06 security functionality verification; SR-06 supplier assessments; SR-10 inspection.

Gaps

Minimal gap. RA-07 adds formal risk response for vulnerabilities.

Mapped Controls

AC-13 CA-02 CA-04 CA-07 RA-05 RA-07 SA-11 SI-06 SR-06 SR-10
Hygiene.32 Manage user account lifecycle
AC-02 IA-04 PS-04 PS-05
90%

Rationale

AC-02 account management; IA-04 identifier management; PS-04 personnel termination; PS-05 personnel transfer. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

AC-02 IA-04 PS-04 PS-05
Hygiene.33 Apply security patches promptly
RA-05 SA-11 SI-01 SI-02 +3
92%

Rationale

RA-05 vulnerability scanning; SA-11 developer testing; SI-01 system integrity policy; SI-02 flaw remediation; SI-05 security alerts; SI-10 information accuracy; CM-14 (new in Rev 5) signed components verifies patch integrity through cryptographic signatures.

Gaps

Minimal gap. CM-14 adds patch integrity verification.

Mapped Controls

RA-05 SA-11 SI-01 SI-02 SI-05 SI-10 CM-14
Hygiene.34 Manage changes carefully
CM-03 CM-04 CM-05 CM-14 +10
92%

Rationale

CM-03 configuration change control; CM-04 monitoring configuration changes; CM-05 access restrictions for change; CM-14 (new in Rev 5) signed components verifies integrity of software changes through cryptographic signatures; MA family maintenance; SA-03 lifecycle support; SA-10 developer configuration management; SI-01 system integrity policy; SI-02 flaw remediation; SI-07 software integrity.

Gaps

Minimal gap. CM-14 adds change integrity verification.

Mapped Controls

CM-03 CM-04 CM-05 CM-14 MA-01 MA-02 MA-03 MA-04 MA-06 SA-03 SA-10 SI-01 SI-02 SI-07
Hygiene.35 Define and test an incident response plan
CP-02 CP-03 CP-04 CP-05 +6
92%

Rationale

CP-02 contingency plan; CP-03 contingency training; CP-04 contingency plan testing; CP-05 contingency plan update; CP-10 system recovery; IR-01 incident response policy; IR-02 incident response training; IR-03 incident response testing; IR-04 incident handling; IR-09 (new in Rev 5) information spillage response adds specific handling for data breach/spillage incidents.

Gaps

Minimal gap. IR-09 adds spillage-specific response procedures.

Mapped Controls

CP-02 CP-03 CP-04 CP-05 CP-10 IR-01 IR-02 IR-03 IR-04 IR-09
Hygiene.36 Establish a governance and risk framework
CA-01 CA-05 CA-06 CM-03 +18
88%

Rationale

CA-01 assessment policy; CA-05 plan of action; CA-06 security accreditation; PL-01/PL-02/PL-03 security planning; PL-06 security-related activity planning; PL-09 (new in Rev 5) central management enables unified governance; PL-10 (new in Rev 5) baseline selection provides structured control selection; PL-11 (new in Rev 5) baseline tailoring adapts to context; RA-04 risk assessment update; RA-07 (new in Rev 5) risk response provides explicit treatment; RA-09 (new in Rev 5) criticality analysis identifies critical components; SA/SR families.

Gaps

Minor: PL-09/10/11 and RA-07/RA-09 significantly strengthen governance and risk management coverage. ANSSI governance framework expectations include French regulatory integration (CNIL, ANSSI regulations) which SP 800-53 does not address.

Mapped Controls

CA-01 CA-05 CA-06 CM-03 CP-05 PL-01 PL-02 PL-03 PL-06 PL-09 PL-10 PL-11 RA-04 RA-07 RA-09 SA-01 SA-02 SA-03 SA-08 SA-10 SR-01 SR-02
Hygiene.37 Secure premises and physical access
MP-04 PE-01 PE-02 PE-03 +13
92%

Rationale

MP-04 media storage; PE family physical protection; PE-21 (new in Rev 5) electromagnetic pulse protection; PE-22 (new in Rev 5) component marking aids physical asset identification; PE-23 (new in Rev 5) facility location provides guidance on secure facility siting; SR-09 tamper resistance.

Gaps

Minimal gap. PE-21/22/23 add EMP protection, asset marking, and facility siting.

Mapped Controls

MP-04 PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-16 PE-17 PE-18 PE-19 PE-21 PE-22 PE-23 SR-09
Hygiene.38 Protect environmental infrastructure
PE-09 PE-10 PE-11 PE-12 +5
92%

Rationale

PE-09 power equipment; PE-10 emergency shutoff; PE-11 emergency power; PE-12 emergency lighting; PE-13 fire protection; PE-14 temperature and humidity controls; PE-15 water damage protection; PE-18 location of components; PE-21 (new in Rev 5) electromagnetic pulse protection addresses infrastructure resilience against EMP events.

Gaps

Minimal gap. PE-21 adds EMP protection.

Mapped Controls

PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-18 PE-21
Hygiene.39 Implement monitoring and detection
AU-06 CA-07 IR-04 IR-05 +4
92%

Rationale

AU-06 audit review and reporting; CA-07 continuous monitoring; IR-04 incident handling; IR-05 incident monitoring; PE-06 monitoring physical access; SI-04 system monitoring; SI-05 security alerts; SC-48 (new in Rev 5) sensor relocation provides dynamic sensor repositioning to improve detection coverage against adaptive threats.

Gaps

Minimal gap. SC-48 adds dynamic detection positioning.

Mapped Controls

AU-06 CA-07 IR-04 IR-05 PE-06 SI-04 SI-05 SC-48
Hygiene.40 Report and handle incidents
IR-01 IR-04 IR-06 IR-07 +2
92%

Rationale

IR-01 incident response policy; IR-04 incident handling; IR-06 incident reporting; IR-07 incident response assistance; IR-09 (new in Rev 5) information spillage response adds specific handling for data breach/spillage incidents including notification procedures; SR-08 notification agreements.

Gaps

Minimal gap. IR-09 adds spillage-specific incident handling.

Mapped Controls

IR-01 IR-04 IR-06 IR-07 IR-09 SR-08
Hygiene.41 Conduct risk assessments
CA-02 CA-06 PL-05 RA-01 +5
92%

Rationale

CA-02 security assessments; CA-06 security accreditation; PL-05 privacy impact assessment; RA-01 risk assessment policy; RA-02 security categorization; RA-03 risk assessment; RA-04 risk assessment update; RA-07 (new in Rev 5) risk response provides explicit treatment actions; RA-09 (new in Rev 5) criticality analysis identifies critical components for risk prioritization.

Gaps

Minimal gap. RA-07 and RA-09 strengthen risk assessment coverage.

Mapped Controls

CA-02 CA-06 PL-05 RA-01 RA-02 RA-03 RA-04 RA-07 RA-09
Hygiene.42 Manage third-party and supply chain security
IR-07 SA-04 SA-09 SA-21 +11
88%

Rationale

SA-04 acquisitions; SA-09 external services; SA-21 (new in Rev 5) developer screening adds personnel vetting for third-party development teams; IR-07 incident response assistance; SR family comprehensive supply chain risk management.

Gaps

Minor: SA-21 adds developer screening. ANSSI emphasizes French/EU supply chain sovereignty requirements. SP 800-53 SR family provides strong supply chain risk management but sovereignty and data localisation requirements not covered.

Mapped Controls

IR-07 SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-09 SR-10 SR-11
RGS.1.2 Security awareness and competence
AT-01 AT-06
88%

Rationale

AT-01 awareness training policy; AT-06 (new in Rev 5) training feedback measures training effectiveness, supporting RGS requirements for awareness programme evaluation.

Gaps

Minor: AT-06 adds training effectiveness measurement. RGS requires awareness programmes aligned with French government security classification framework.

Mapped Controls

AT-01 AT-06
RGS.1.3 Security policy framework
AC-01 AU-01 CA-01 PL-01 +3
82%

Rationale

AC-01 access control policy; AU-01 audit policy; CA-01 assessment policy; PL-01 security planning policy; PL-09 (new in Rev 5) central management enables unified policy governance across the security programme; RA-01 risk assessment policy; SC-01 system and communications protection policy.

Gaps

PL-09 improves policy governance. RGS requires security policies aligned with French General Security Framework (RGS v2.0) and ANSSI requirements. SP 800-53 provides comprehensive policies but French-specific RGS alignment not addressed.

Mapped Controls

AC-01 AU-01 CA-01 PL-01 PL-09 RA-01 SC-01
RGS.2.1 Non-repudiation and electronic signatures
AU-10
75%

Rationale

AU-10 non-repudiation. No new Rev 5 controls address EU eIDAS electronic signature requirements.

Gaps

RGS mandates compliance with eIDAS regulation and French electronic signature standards. SP 800-53 AU-10 covers non-repudiation but EU eIDAS-qualified electronic signatures and French trust services not addressed.

Mapped Controls

AU-10
RGS.2.2 Authentication mechanisms
IA-01 IA-02 IA-05 SC-16
80%

Rationale

IA-01 identification and authentication policy; IA-02 user identification; IA-05 authenticator management; SC-16 transmission of security parameters. No new Rev 5 controls address French trust level requirements.

Gaps

RGS mandates specific authentication levels (one-factor, two-factor, qualified) aligned with French government trust framework. SP 800-53 IA family covers authentication but RGS-specific trust levels and French qualification requirements not addressed.

Mapped Controls

IA-01 IA-02 IA-05 SC-16
RGS.2.3 Cryptographic requirements
IA-07 SC-08 SC-12 SC-13 +2
78%

Rationale

IA-07 cryptographic module authentication; SC-08 transmission integrity; SC-12 cryptographic key management; SC-13 use of cryptography; SC-17 PKI certificates; SC-38 (new in Rev 5) operations security protects cryptographic operations from side-channel attacks.

Gaps

SC-38 strengthens cryptographic operation security. RGS mandates ANSSI-approved cryptographic algorithms and key sizes (Annexe B of RGS). SP 800-53 references FIPS 140-2/3 (US standards). French/ANSSI cryptographic requirements differ from US NIST standards.

Mapped Controls

IA-07 SC-08 SC-12 SC-13 SC-17 SC-38
RGS.3.1 Risk assessment methodology
RA-03 RA-07 RA-09
82%

Rationale

RA-03 risk assessment; RA-07 (new in Rev 5) risk response adds explicit risk treatment; RA-09 (new in Rev 5) criticality analysis identifies critical components for risk prioritization.

Gaps

RA-07 and RA-09 improve risk methodology coverage. RGS recommends EBIOS RM methodology (French risk assessment framework developed by ANSSI). SP 800-53 RA-03 covers risk assessment but EBIOS RM methodology not addressed.

Mapped Controls

RA-03 RA-07 RA-09
RGS.4.1 Security qualification and compliance assessment
CA-02 CA-04 CA-06
65%

Rationale

CA-02 security assessments; CA-04 security certification; CA-06 security accreditation. No new Rev 5 controls address ANSSI-specific qualification.

Gaps

Significant: RGS qualification requires assessment by ANSSI-accredited bodies following French government audit methodology. SP 800-53 CA family covers assessment but RGS-specific qualification (visa de securite) has no equivalent.

Mapped Controls

CA-02 CA-04 CA-06
SecNumCloud.6.1 Information security policies for cloud services
AC-01 AT-01 AU-01 CA-01 +15
80%

Rationale

Comprehensive policy controls across all families. No new Rev 5 controls materially change cloud security policy coverage.

Gaps

SecNumCloud requires cloud-specific security policies aligned with ANSSI certification requirements and French regulatory framework. SP 800-53 policies are comprehensive but not aligned to ANSSI qualification process.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
SecNumCloud.6.2 Review and update of information security policies
PL-02 PL-03 PL-06
85%

Rationale

PL-02 system security plan; PL-03 security plan update; PL-06 security-related activity planning. No new Rev 5 controls materially add here.

Gaps

Minor: SecNumCloud requires policy review aligned with ANSSI certification renewal cycles.

Mapped Controls

PL-02 PL-03 PL-06
SecNumCloud.7.2 Risk assessment specific to cloud services
RA-03 RA-04 RA-07 RA-09
82%

Rationale

RA-03 risk assessment; RA-04 risk assessment update; RA-07 (new in Rev 5) risk response adds explicit risk treatment actions for cloud-specific risks; RA-09 (new in Rev 5) criticality analysis identifies critical cloud components for risk prioritization.

Gaps

RA-07 and RA-09 improve risk management coverage. SecNumCloud requires cloud-specific risk assessment methodology addressing multi-tenancy, data sovereignty, and jurisdictional risks. SP 800-53 risk assessment is general-purpose.

Mapped Controls

RA-03 RA-04 RA-07 RA-09
SecNumCloud.8.1 Human resources screening and roles
MA-05 PS-01 PS-02 PS-03 +2
88%

Rationale

MA-05 maintenance personnel; PS-01 personnel security policy; PS-02 position categorization; PS-03 personnel screening; PS-07 third-party personnel; PS-09 (new in Rev 5) position descriptions defines security responsibilities in cloud operations role descriptions.

Gaps

Minor: PS-09 strengthens role definition. SecNumCloud requires nationality-based screening for certain roles handling sensitive data. SP 800-53 PS-03 covers screening but French/EU nationality requirements not addressed.

Mapped Controls

MA-05 PS-01 PS-02 PS-03 PS-07 PS-09
SecNumCloud.8.2 Terms and conditions of employment
PL-04 PS-06
85%

Rationale

PL-04 rules of behaviour; PS-06 access agreements. No new Rev 5 controls materially add here.

Gaps

Minor: SecNumCloud requires specific contractual clauses for cloud service personnel aligned with French labour law.

Mapped Controls

PL-04 PS-06
SecNumCloud.8.3 Information security awareness, education and training
AT-02 AT-03 AT-04 AT-06
92%

Rationale

AT-02 security awareness; AT-03 security training; AT-04 training records; AT-06 (new in Rev 5) training feedback measures training effectiveness for cloud operations staff.

Gaps

Minimal gap. AT-06 improves training effectiveness measurement.

Mapped Controls

AT-02 AT-03 AT-04 AT-06
SecNumCloud.8.4 Disciplinary process and termination
PS-04 PS-05 PS-08
85%

Rationale

PS-04 personnel termination; PS-05 personnel transfer; PS-08 personnel sanctions. No new Rev 5 controls materially add here.

Gaps

Minor: SecNumCloud requires specific French labour law compliance for disciplinary actions.

Mapped Controls

PS-04 PS-05 PS-08
SecNumCloud.9.1 Asset inventory for cloud infrastructure
CM-08 CM-12 RA-02
88%

Rationale

CM-08 system component inventory; CM-12 (new in Rev 5) information location identifies where data resides across cloud infrastructure components, directly supporting cloud asset-to-data mapping; RA-02 security categorization.

Gaps

Minor: CM-12 adds data location mapping. SecNumCloud requires cloud-specific asset inventory including virtual resources, tenant isolation boundaries, and data localisation tracking.

Mapped Controls

CM-08 CM-12 RA-02
SecNumCloud.9.2 Media handling and disposal
MP-01 MP-02 MP-03 MP-04 +3
88%

Rationale

MP-01 media protection policy; MP-02 media access; MP-03 media labelling; MP-04 media storage; MP-05 media transport; MP-08 (new in Rev 5) media downgrading provides procedures for downgrading cloud media classification after sanitisation; SI-12 information management.

Gaps

Minor: MP-08 adds media downgrading. SecNumCloud requires specific media handling procedures for multi-tenant environments and certified destruction processes.

Mapped Controls

MP-01 MP-02 MP-03 MP-04 MP-05 MP-08 SI-12
SecNumCloud.9.3 Information disposal and data remanence
MP-06 MP-08 SC-04 SR-12
88%

Rationale

MP-06 media sanitization; MP-08 (new in Rev 5) media downgrading provides formal downgrading procedures after data erasure, supporting cloud-specific proof-of-deletion requirements; SC-04 information remnance; SR-12 component disposal.

Gaps

Minor: MP-08 improves data disposal governance. SecNumCloud has strict requirements on data erasure in multi-tenant cloud environments, including proof of deletion.

Mapped Controls

MP-06 MP-08 SC-04 SR-12
SecNumCloud.10.1 Access control policy for cloud services
AC-01 AC-08 AC-14 IA-01
85%

Rationale

AC-01 access control policy; AC-08 system use notification; AC-14 permitted actions without identification; IA-01 identification and authentication policy. No new Rev 5 controls materially add here.

Gaps

Minor: SecNumCloud requires specific access control policies for cloud provider administrative access and tenant isolation.

Mapped Controls

AC-01 AC-08 AC-14 IA-01
SecNumCloud.10.2 User registration and identity management
AC-02 AC-13 IA-04
90%

Rationale

AC-02 account management; AC-13 supervision and review; IA-04 identifier management. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

AC-02 AC-13 IA-04
SecNumCloud.10.3 Access rights management
AC-03 AC-06 SI-09
90%

Rationale

AC-03 access enforcement; AC-06 least privilege; SI-09 information input restrictions. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

AC-03 AC-06 SI-09
SecNumCloud.10.4 Privileged access management
AC-05 AC-06
85%

Rationale

AC-05 separation of duties; AC-06 least privilege. No new Rev 5 controls materially add here.

Gaps

Minor: SecNumCloud requires specific privileged access management for cloud infrastructure administrators with French nationality requirements for certain operations.

Mapped Controls

AC-05 AC-06
SecNumCloud.10.5 User authentication for cloud services
AC-07 AC-10 IA-02 IA-03 +3
90%

Rationale

AC-07 unsuccessful login attempts; AC-10 concurrent session control; IA-02 user identification; IA-03 device identification; IA-05 authenticator management; IA-06 authenticator feedback; SC-23 session authenticity.

Gaps

Minimal gap.

Mapped Controls

AC-07 AC-10 IA-02 IA-03 IA-05 IA-06 SC-23
SecNumCloud.10.6 Session management and timeout
AC-11 AC-12 AC-19 SC-10
90%

Rationale

AC-11 session lock; AC-12 session termination; AC-19 mobile devices; SC-10 network disconnect. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

AC-11 AC-12 AC-19 SC-10
SecNumCloud.10.7 Remote access to cloud administration
AC-17 SC-47
82%

Rationale

AC-17 remote access; SC-47 (new in Rev 5) alternate communications paths provides backup administration channels, supporting resilient remote administration for cloud infrastructure.

Gaps

SC-47 adds administrative access resilience. SecNumCloud requires administration access from within EU/France only. SP 800-53 covers remote access security but geographic restrictions on administrative access not addressed.

Mapped Controls

AC-17 SC-47
SecNumCloud.11.1 Cryptographic controls and key management
IA-07 SC-08 SC-12 SC-13 +2
82%

Rationale

IA-07 cryptographic module authentication; SC-08 transmission integrity; SC-12 cryptographic key management; SC-13 use of cryptography; SC-17 PKI certificates; SC-38 (new in Rev 5) operations security protects cryptographic key operations from side-channel attacks.

Gaps

SC-38 strengthens key operation security. SecNumCloud mandates ANSSI-approved cryptographic algorithms and French/EU-qualified key management. SP 800-53 references FIPS standards (US) rather than ANSSI/EU cryptographic qualifications.

Mapped Controls

IA-07 SC-08 SC-12 SC-13 SC-17 SC-38
SecNumCloud.12.1 Physical security of cloud data centres
MP-04 PE-01 PE-17 PE-18 +1
88%

Rationale

MP-04 media storage; PE-01 physical protection policy; PE-17 alternate work site; PE-18 location of components; PE-23 (new in Rev 5) facility location provides guidance on data centre siting decisions including environmental and security factors.

Gaps

Minor: PE-23 adds facility siting guidance. SecNumCloud requires data centres to be located within EU territory with specific physical security certifications. Data localisation requirements not addressed.

Mapped Controls

MP-04 PE-01 PE-17 PE-18 PE-23
SecNumCloud.12.2 Physical access controls for cloud facilities
PE-02 PE-03 PE-04 PE-05 +7
92%

Rationale

PE-02 physical access authorizations; PE-03 physical access control; PE-04 access control for transmission medium; PE-05 access control for display medium; PE-06 monitoring physical access; PE-07 visitor control; PE-08 access records; PE-16 delivery and removal; PE-19 information leakage; PE-22 (new in Rev 5) component marking aids physical equipment identification in cloud facilities; SR-09 tamper resistance.

Gaps

Minimal gap. PE-22 adds physical component identification.

Mapped Controls

PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-16 PE-19 PE-22 SR-09
SecNumCloud.12.3 Environmental protection for cloud infrastructure
PE-09 PE-10 PE-11 PE-12 +4
92%

Rationale

PE-09 power equipment; PE-10 emergency shutoff; PE-11 emergency power; PE-12 emergency lighting; PE-13 fire protection; PE-14 temperature and humidity controls; PE-15 water damage protection; PE-21 (new in Rev 5) electromagnetic pulse protection addresses cloud infrastructure resilience against EMP events.

Gaps

Minimal gap. PE-21 adds EMP protection.

Mapped Controls

PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-21
SecNumCloud.13.1 Operational procedures and hardening
CM-01 CM-02 CM-06 CM-07 +6
88%

Rationale

CM-01 configuration management policy; CM-02 baseline configuration; CM-06 configuration settings; CM-07 least functionality; CM-14 (new in Rev 5) signed components verifies software/firmware integrity for cloud infrastructure hardening; SA-06 software usage restrictions; SA-07 user installed software; SC-18 mobile code; SI-03 malicious code protection; SI-08 spam protection.

Gaps

Minor: CM-14 adds hardening integrity verification. SecNumCloud requires specific cloud infrastructure hardening procedures and documented operational runbooks aligned with ANSSI guidelines.

Mapped Controls

CM-01 CM-02 CM-06 CM-07 CM-14 SA-06 SA-07 SC-18 SI-03 SI-08
SecNumCloud.13.2 Change management for cloud services
CM-03 CM-04 CM-05 CM-14
92%

Rationale

CM-03 configuration change control; CM-04 monitoring configuration changes; CM-05 access restrictions for change; CM-14 (new in Rev 5) signed components verifies integrity of cloud service changes through cryptographic signatures.

Gaps

Minimal gap. CM-14 adds change integrity verification.

Mapped Controls

CM-03 CM-04 CM-05 CM-14
SecNumCloud.13.3 Capacity management
SC-06 SI-13
78%

Rationale

SC-06 resource priority; SI-13 (new in Rev 5) predictive maintenance enables proactive failure prevention through monitoring component reliability, directly supporting capacity planning by predicting resource exhaustion.

Gaps

SI-13 improves capacity prediction. SecNumCloud requires specific capacity management for multi-tenant cloud environments including tenant resource isolation and guaranteed SLAs. SP 800-53 covers resource priority but cloud-specific capacity planning less detailed.

Mapped Controls

SC-06 SI-13
SecNumCloud.13.4 Maintenance and support
MA-01 MA-02 MA-03 MA-04 +2
92%

Rationale

MA-01 maintenance policy; MA-02 controlled maintenance; MA-03 maintenance tools; MA-04 remote maintenance; MA-06 timely maintenance; MA-07 (new in Rev 5) field maintenance addresses maintenance of cloud infrastructure equipment at remote locations.

Gaps

Minimal gap. MA-07 adds field maintenance for distributed cloud infrastructure.

Mapped Controls

MA-01 MA-02 MA-03 MA-04 MA-06 MA-07
SecNumCloud.13.5 Backup and restoration for cloud services
CP-09
85%

Rationale

CP-09 system backup. No new Rev 5 controls materially improve backup coverage.

Gaps

Minor: SecNumCloud requires specific backup procedures for multi-tenant environments including tenant data isolation in backups and guaranteed restoration within defined SLAs.

Mapped Controls

CP-09
SecNumCloud.13.6 Vulnerability and patch management
RA-05 RA-07 SI-01 SI-02 +3
92%

Rationale

RA-05 vulnerability scanning; RA-07 (new in Rev 5) risk response adds explicit treatment actions for identified vulnerabilities in cloud infrastructure; SI-01 system integrity policy; SI-02 flaw remediation; SI-05 security alerts; SI-06 security functionality verification; SI-07 software integrity.

Gaps

Minimal gap. RA-07 adds formal vulnerability response.

Mapped Controls

RA-05 RA-07 SI-01 SI-02 SI-05 SI-06 SI-07
SecNumCloud.13.7 Logging and monitoring for cloud services
AC-09 AU-01 AU-02 AU-03 +11
92%

Rationale

AC-09 previous logon notification; AU family comprehensive for logging; AU-12 audit record generation; CA-07 continuous monitoring; SI-04 system monitoring. No new Rev 5 controls materially add to cloud logging.

Gaps

Minimal gap.

Mapped Controls

AC-09 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 CA-07 SI-04
SecNumCloud.14.1 Network security for cloud infrastructure
AC-04 CA-03 SC-01 SC-02 +7
88%

Rationale

AC-04 information flow enforcement; CA-03 system connections; SC-01 system and communications protection policy; SC-02 application partitioning; SC-03 security function isolation; SC-07 boundary protection; SC-15 collaborative computing; SC-20/SC-21/SC-22 secure name resolution; SC-46 (new in Rev 5) cross-domain policy enforcement strengthens tenant network isolation through explicit policy enforcement at domain boundaries.

Gaps

Minor: SC-46 adds cross-domain enforcement. SecNumCloud requires cloud-specific network segmentation including tenant isolation at network level.

Mapped Controls

AC-04 CA-03 SC-01 SC-02 SC-03 SC-07 SC-15 SC-20 SC-21 SC-22 SC-46
SecNumCloud.14.2 Secure communications and data in transit
AC-17 SC-08 SC-11 SC-16 +1
88%

Rationale

AC-17 remote access; SC-08 transmission integrity; SC-11 trusted path; SC-16 transmission of security parameters; SC-38 (new in Rev 5) operations security protects communication channel cryptographic operations from side-channel attacks.

Gaps

Minor: SC-38 strengthens data-in-transit cryptographic operations. SecNumCloud requires ANSSI-approved protocols and cipher suites for all data in transit within cloud infrastructure.

Mapped Controls

AC-17 SC-08 SC-11 SC-16 SC-38
SecNumCloud.14.3 Wireless network security
AC-18 SC-40
82%

Rationale

AC-18 wireless access restrictions; SC-40 (new in Rev 5) wireless link protection provides specific protections for wireless communication links in cloud facilities.

Gaps

SC-40 adds wireless link protection. SecNumCloud restricts or prohibits wireless networks in sensitive cloud infrastructure zones. SP 800-53 covers wireless access but the stringent restrictions for cloud data centres less explicit.

Mapped Controls

AC-18 SC-40
SecNumCloud.14.4 Protection against denial of service
SC-05 SC-07 SC-14 SC-47
88%

Rationale

SC-05 denial of service protection; SC-07 boundary protection; SC-14 public access protections; SC-47 (new in Rev 5) alternate communications paths provides resilient communications that can maintain service during DoS attacks.

Gaps

Minor: SC-47 adds DoS resilience through alternate paths. SecNumCloud requires specific DDoS mitigation capabilities with EU-based scrubbing centres.

Mapped Controls

SC-05 SC-07 SC-14 SC-47
SecNumCloud.15.1 Security in development and acquisition
SA-01 SA-02 SA-03 SA-04 +2
88%

Rationale

SA-01 acquisition policy; SA-02 allocation of resources; SA-03 lifecycle support; SA-04 acquisitions; SA-20 (new in Rev 5) customized development of critical components addresses bespoke development for cloud infrastructure; SA-21 (new in Rev 5) developer screening adds personnel vetting for cloud development teams.

Gaps

Minor: SA-20/SA-21 add critical component development and developer screening. SecNumCloud requires secure development lifecycle aligned with ANSSI secure coding guidelines.

Mapped Controls

SA-01 SA-02 SA-03 SA-04 SA-20 SA-21
SecNumCloud.15.2 System documentation and change control
SA-05
85%

Rationale

SA-05 system documentation. No new Rev 5 controls materially add to documentation coverage.

Gaps

Minor: SecNumCloud requires cloud-specific technical documentation for ANSSI qualification assessment.

Mapped Controls

SA-05
SecNumCloud.15.3 Technical security requirements
SA-08 SA-23 SI-10 SI-11
82%

Rationale

SA-08 security engineering principles; SI-10 information accuracy; SI-11 error handling; SA-23 (new in Rev 5) specialization addresses domain-specific security engineering including cloud platform technical security patterns (hypervisor security, container isolation, API security).

Gaps

SA-23 adds domain-specific engineering. SecNumCloud defines specific technical security requirements for cloud platforms. SP 800-53 covers general engineering principles but cloud-native technical requirements less detailed.

Mapped Controls

SA-08 SA-23 SI-10 SI-11
SecNumCloud.15.4 Configuration management for cloud platforms
SA-10 CM-14
88%

Rationale

SA-10 developer configuration management; CM-14 (new in Rev 5) signed components verifies integrity of configuration changes for cloud platform components (hypervisors, orchestrators, containers).

Gaps

Minor: CM-14 adds configuration integrity verification. SecNumCloud requires specific configuration management for cloud infrastructure components.

Mapped Controls

SA-10 CM-14
SecNumCloud.15.5 Security testing for cloud services
SA-11 SA-20
88%

Rationale

SA-11 developer security testing; SA-20 (new in Rev 5) customized development of critical components includes testing requirements for high-assurance cloud components.

Gaps

Minor: SA-20 adds testing for critical cloud components. SecNumCloud requires penetration testing aligned with ANSSI PASSI methodology.

Mapped Controls

SA-11 SA-20
SecNumCloud.16.1 Supplier and subcontractor management
AC-20 PS-07 SA-04 SA-09 +10
78%

Rationale

AC-20 use of external systems; PS-07 third-party personnel; SA-04 acquisitions; SA-09 external services; SA-21 (new in Rev 5) developer screening adds vetting for subcontractor development personnel; SR family supply chain risk management.

Gaps

SA-21 adds subcontractor developer screening. SecNumCloud requires that all subcontractors and suppliers comply with EU data sovereignty requirements and that no non-EU entity has access to cloud data or administration. SP 800-53 SR family covers supply chain risk but EU sovereignty and extraterritorial law protection (e.g., against US CLOUD Act) not addressed.

Mapped Controls

AC-20 PS-07 SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-04 SR-05 SR-07 SR-08 SR-09 SR-11
SecNumCloud.16.2 Supplier assessment and monitoring
SA-09 SR-03 SR-06 SR-10
80%

Rationale

SA-09 external services; SR-03 supply chain controls; SR-06 supplier assessments; SR-10 inspection of systems. No new Rev 5 controls materially add to supplier assessment.

Gaps

SecNumCloud requires supplier qualification aligned with ANSSI requirements including EU sovereignty verification. SP 800-53 covers supplier assessment but ANSSI-specific qualification process not addressed.

Mapped Controls

SA-09 SR-03 SR-06 SR-10
SecNumCloud.17.1 Incident management for cloud services
AU-06 IR-01 IR-02 IR-04 +4
88%

Rationale

AU-06 audit review and reporting; IR-01 incident response policy; IR-02 incident response training; IR-04 incident handling; IR-05 incident monitoring; IR-06 incident reporting; IR-07 incident response assistance; IR-09 (new in Rev 5) information spillage response adds specific handling for data breach/spillage incidents.

Gaps

Minor: IR-09 adds spillage-specific response. SecNumCloud requires incident reporting to ANSSI (French CERT-FR) within specific timeframes and notification of tenants according to French regulatory requirements.

Mapped Controls

AU-06 IR-01 IR-02 IR-04 IR-05 IR-06 IR-07 IR-09
SecNumCloud.17.2 Incident response testing and exercises
IR-03 IR-04
90%

Rationale

IR-03 incident response testing; IR-04 incident handling. No new Rev 5 controls materially add here.

Gaps

Minimal gap.

Mapped Controls

IR-03 IR-04
SecNumCloud.18.1 Business continuity planning for cloud services
CP-01 CP-02 CP-05 SI-13
82%

Rationale

CP-01 contingency planning policy; CP-02 contingency plan; CP-05 contingency plan update; SI-13 (new in Rev 5) predictive maintenance enables proactive failure prevention for cloud infrastructure.

Gaps

SI-13 improves continuity through proactive failure prevention. SecNumCloud requires cloud-specific business continuity plans including multi-region EU failover and tenant data portability. SP 800-53 CP family covers continuity but cloud-specific and EU-localised failover requirements less detailed.

Mapped Controls

CP-01 CP-02 CP-05 SI-13
SecNumCloud.18.2 Business continuity testing
CP-03 CP-04
85%

Rationale

CP-03 contingency training; CP-04 contingency plan testing. No new Rev 5 controls materially add here.

Gaps

Minor: SecNumCloud requires testing of cloud-specific failover scenarios including tenant isolation during recovery.

Mapped Controls

CP-03 CP-04
SecNumCloud.18.3 Redundancy and disaster recovery
CP-06 CP-07 CP-08 CP-10 +1
82%

Rationale

CP-06 alternate storage site; CP-07 alternate processing site; CP-08 telecommunications services; CP-10 system recovery; SC-47 (new in Rev 5) alternate communications paths provides resilient communication channels for disaster recovery scenarios.

Gaps

SC-47 improves DR communications resilience. SecNumCloud requires all redundant infrastructure to be located within EU territory. SP 800-53 covers disaster recovery but geographic constraints on alternate sites not addressed.

Mapped Controls

CP-06 CP-07 CP-08 CP-10 SC-47
SecNumCloud.19.1 Compliance with legal and contractual requirements
CA-01 CA-05
65%

Rationale

CA-01 assessment policy; CA-05 plan of action. No new Rev 5 controls materially add to compliance management.

Gaps

Significant: SecNumCloud compliance requires adherence to French and EU law including GDPR, French data protection law (Loi Informatique et Libertes), and protection against extraterritorial non-EU laws. SP 800-53 focuses on US federal compliance framework.

Mapped Controls

CA-01 CA-05
SecNumCloud.19.2 Independent security audits and ANSSI qualification
CA-02 CA-04 CA-06 CA-07
70%

Rationale

CA-02 security assessments; CA-04 security certification; CA-06 security accreditation; CA-07 continuous monitoring. No new Rev 5 controls address ANSSI-specific qualification.

Gaps

Significant: SecNumCloud requires qualification by ANSSI through accredited PASSI audit providers, following specific French certification methodology. SP 800-53 CA family covers assessment but ANSSI-specific qualification process (SecNumCloud label) has no equivalent.

Mapped Controls

CA-02 CA-04 CA-06 CA-07
SecNumCloud.19.3 Data protection and privacy compliance
PT-01 PT-02 PT-03 PT-04 +6
72%

Rationale

PT-01 policy and procedures; PT-02 authority to process PII; PT-03 PII processing purposes; PT-04 consent; PT-05 privacy notice; PT-06 system of records notice; PT-07 specific categories of PII; PT-08 computer matching requirements; SI-18 (new in Rev 5) PII quality and accuracy supports GDPR accuracy requirements; SI-19 (new in Rev 5) de-identification supports GDPR pseudonymisation.

Gaps

SI-18/SI-19 improve GDPR alignment for data quality and pseudonymisation. SecNumCloud data protection requirements are aligned with GDPR and French CNIL requirements, including data residency within EU, Data Protection Impact Assessments (DPIA), and specific cloud data protection obligations. SP 800-53 PT family addresses US privacy requirements but EU/French data protection framework materially different.

Mapped Controls

PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 SI-18 SI-19

Methodology and Disclaimer

This coverage analysis maps from ANSSI clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.