API Standard 1164 Pipeline Control Systems Cybersecurity 3rd Edition

Industry standard for cybersecurity of pipeline SCADA and control systems in the oil and natural gas sector. 12 requirement areas covering risk management, security architecture, access control, system integrity, data protection, monitoring and detection, incident response, business continuity, supply chain security, personnel security, physical security, and compliance assessment. Aligned with NIST CSF and TSA Pipeline Security Directives. Used by pipeline operators for control system cybersecurity programs.

AC Access Control

| Control | Name | API 1164 References |
| --- | --- | --- |
| AC-02 | Account Management | Sec 6 |
| AC-03 | Access Enforcement | Sec 6 |
| AC-04 | Information Flow Enforcement | Sec 5, Sec 8 |
| AC-05 | Separation Of Duties | Sec 6 |
| AC-06 | Least Privilege | Sec 6 |
| AC-07 | Unsuccessful Login Attempts | Sec 6 |
| AC-17 | Remote Access | Sec 6 |

AT Awareness and Training

| Control | Name | API 1164 References |
| --- | --- | --- |
| AT-01 | Security Awareness And Training Policy And Procedures | Sec 13 |
| AT-02 | Security Awareness | Sec 13 |
| AT-03 | Security Training | Sec 13 |

AU Audit and Accountability

| Control | Name | API 1164 References |
| --- | --- | --- |
| AU-02 | Auditable Events | Sec 9 |
| AU-03 | Content Of Audit Records | Sec 9 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | Sec 9 |

CA Security Assessment and Authorization

| Control | Name | API 1164 References |
| --- | --- | --- |
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | Sec 15 |
| CA-02 | Security Assessments | Sec 15 |
| CA-05 | Plan Of Action And Milestones | Sec 15 |
| CA-07 | Continuous Monitoring | Sec 9, Sec 15 |
| CA-08 | Penetration Testing | Sec 15 |

CM Configuration Management

| Control | Name | API 1164 References |
| --- | --- | --- |
| CM-02 | Baseline Configuration | Sec 7 |
| CM-03 | Configuration Change Control | Sec 7 |
| CM-04 | Monitoring Configuration Changes | Sec 7 |
| CM-06 | Configuration Settings | Sec 7 |
| CM-07 | Least Functionality | Sec 7 |
| CM-14 | Signed Components | Sec 7 |

CP Contingency Planning

| Control | Name | API 1164 References |
| --- | --- | --- |
| CP-01 | Contingency Planning Policy And Procedures | Sec 11 |
| CP-02 | Contingency Plan | Sec 11 |
| CP-04 | Contingency Plan Testing And Exercises | Sec 11 |
| CP-06 | Alternate Storage Site | Sec 11 |
| CP-07 | Alternate Processing Site | Sec 11 |
| CP-09 | Information System Backup | Sec 11 |
| CP-10 | Information System Recovery And Reconstitution | Sec 11 |

IA Identification and Authentication

| Control | Name | API 1164 References |
| --- | --- | --- |
| IA-02 | User Identification And Authentication | Sec 6 |
| IA-03 | Device Identification And Authentication | Sec 6 |
| IA-05 | Authenticator Management | Sec 6 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | Sec 6 |

IR Incident Response

| Control | Name | API 1164 References |
| --- | --- | --- |
| IR-01 | Incident Response Policy And Procedures | Sec 10 |
| IR-02 | Incident Response Training | Sec 10 |
| IR-04 | Incident Handling | Sec 10 |
| IR-05 | Incident Monitoring | Sec 10 |
| IR-06 | Incident Reporting | Sec 10 |
| IR-08 | Incident Response Plan | Sec 10 |

MP Media Protection

| Control | Name | API 1164 References |
| --- | --- | --- |
| MP-02 | Media Access | Sec 8 |
| MP-04 | Media Storage | Sec 8 |

PE Physical and Environmental Protection

| Control | Name | API 1164 References |
| --- | --- | --- |
| PE-01 | Physical And Environmental Protection Policy And Procedures | Sec 14 |
| PE-02 | Physical Access Authorizations | Sec 14 |
| PE-03 | Physical Access Control | Sec 14 |
| PE-04 | Access Control For Transmission Medium | Sec 14 |
| PE-06 | Monitoring Physical Access | Sec 14 |
| PE-08 | Access Records | Sec 14 |
| PE-09 | Power Equipment And Power Cabling | Sec 14 |
| PE-11 | Emergency Power | Sec 14 |

PL Planning

| Control | Name | API 1164 References |
| --- | --- | --- |
| PL-08 | Security and Privacy Architectures | Sec 5 |

PM Program Management

| Control | Name | API 1164 References |
| --- | --- | --- |
| PM-06 | Measures of Performance | Sec 15 |
| PM-09 | Risk Management Strategy | Sec 4 |
| PM-14 | Testing, Training, and Monitoring | Sec 15 |

PS Personnel Security

| Control | Name | API 1164 References |
| --- | --- | --- |
| PS-01 | Personnel Security Policy And Procedures | Sec 13 |
| PS-02 | Position Categorization | Sec 13 |
| PS-03 | Personnel Screening | Sec 13 |
| PS-04 | Personnel Termination | Sec 13 |
| PS-06 | Access Agreements | Sec 13 |
| PS-07 | Third-Party Personnel Security | Sec 13 |

RA Risk Assessment

| Control | Name | API 1164 References |
| --- | --- | --- |
| RA-01 | Risk Assessment Policy And Procedures | Sec 4 |
| RA-02 | Security Categorization | Sec 4 |
| RA-03 | Risk Assessment | Sec 4 |
| RA-05 | Vulnerability Scanning | Sec 4 |
| RA-07 | Risk Response | Sec 4 |
| RA-09 | Criticality Analysis | Sec 4 |

SA System and Services Acquisition

| Control | Name | API 1164 References |
| --- | --- | --- |
| SA-04 | Acquisitions | Sec 12 |
| SA-08 | Security Engineering Principles | Sec 5 |
| SA-09 | External Information System Services | Sec 12 |

SC System and Communications Protection

| Control | Name | API 1164 References |
| --- | --- | --- |
| SC-07 | Boundary Protection | Sec 5 |
| SC-08 | Transmission Integrity | Sec 8 |
| SC-12 | Cryptographic Key Establishment And Management | Sec 8 |
| SC-13 | Use Of Cryptography | Sec 8 |
| SC-28 | Protection of Information at Rest | Sec 8 |
| SC-32 | System Partitioning | Sec 5 |
| SC-46 | Cross Domain Policy Enforcement | Sec 5 |
| SC-48 | Sensor Relocation | Sec 9 |

SI System and Information Integrity

| Control | Name | API 1164 References |
| --- | --- | --- |
| SI-02 | Flaw Remediation | Sec 7 |
| SI-03 | Malicious Code Protection | Sec 7 |
| SI-04 | Information System Monitoring Tools And Techniques | Sec 9 |
| SI-07 | Software And Information Integrity | Sec 7 |

SR Supply Chain Risk Management

| Control | Name | API 1164 References |
| --- | --- | --- |
| SR-01 | Policy and Procedures | Sec 12 |
| SR-02 | Supply Chain Risk Management Plan | Sec 12 |
| SR-03 | Supply Chain Controls and Processes | Sec 12 |
| SR-05 | Acquisition Strategies, Tools, and Methods | Sec 12 |
| SR-06 | Supplier Assessments and Reviews | Sec 12 |
| SR-11 | Component Authenticity | Sec 12 |