
CBN Risk-Based Cybersecurity Framework for DMBs and PSBs — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each CBN CSF requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 25
Avg Coverage: 73.6%
Publisher: Central Bank of Nigeria (CBN)

Coverage Distribution
Full (85-100%): 8
Substantial (65-84%): 11
Partial (40-64%): 5
Weak (1-39%): 1

Clause-by-Clause Analysis

Part 1.1 Cybersecurity Governance — Board of Directors Oversight

Rationale

PM-01 information security program plan establishes the organisational security programme that the board is expected to approve. PM-02 assigns a senior information security leadership role, partially mapping to the CISO appointment. PM-03 addresses resource allocation for the cyber programme, supporting the CBN requirement for a dedicated cybersecurity budget approved by the board. PM-09 risk management strategy provides the strategic risk framework that aligns with board-level risk appetite. PM-13 security and privacy workforce addresses staffing governance. PM-28 risk framing establishes the organisational context for risk decisions. PM-29 (new in Rev 5) risk management program leadership roles formalises senior leadership accountability. PL-09 (new in Rev 5) central management enables unified governance across the organisation. PS-09 (new in Rev 5) position descriptions defines security responsibilities including CISO-type roles.

Gaps

CBN mandates very specific board-level governance structures: a Board Risk or IT Committee with direct oversight of the cybersecurity programme, at least two non-executive directors (NEDs) with requisite knowledge in fintech/ICT/cybersecurity (one must be independent), and quarterly cybersecurity status reports to the board covering risk posture, incidents, and compliance. The requirement for board members to participate in cybersecurity awareness training goes beyond SP 800-53 governance controls. SP 800-53 does not prescribe Nigerian banking-specific board committee composition, NED qualification criteria, or CBN-mandated board reporting cadences.

Part 1.2 Cybersecurity Governance — Senior Management and CISO

Rationale

PM-02 assigns a senior information security officer role, partially mapping to the mandatory CISO appointment. PM-29 (new in Rev 5) risk management program leadership roles formalises senior management accountability for the cybersecurity programme. PS-01 personnel security policy and procedures establishes the personnel governance framework. PS-02 position risk designation supports risk-based role categorisation. PS-03 personnel screening addresses background vetting. PS-06 access agreements and PS-07 external personnel extend controls to third-party staff. PS-09 (new in Rev 5) position descriptions defines roles and responsibilities. AT-03 role-based training addresses specialised training for security personnel including CISO competency.

Gaps

CBN mandates the CISO have a minimum of ten years of in-depth experience in cybersecurity, IT, IT risk management, or IT audit, plus specific certifications (CISM or equivalent). The CISO must report directly to the MD/CEO rather than the Head of IT Operations or CRO, ensuring independence — SP 800-53 does not prescribe specific reporting lines or minimum years of experience. CBN requires establishment of an Information Security Steering Committee (ISSC) to govern cybersecurity initiatives and align policies with organisational objectives. Senior management must incorporate cybersecurity into the governance framework and ensure staff training and incident reporting — requirements that are more prescriptive about organisational structure than SP 800-53 provides.

Part 1.3 Cybersecurity Policy Framework

Rationale

PL-01 planning policy and procedures establishes the policy governance framework. PL-02 system security and privacy plans addresses formal security plan documentation. PL-04 rules of behaviour covers acceptable use policies. PL-09 (new in Rev 5) central management enables unified policy management across the SFI. PL-10 (new in Rev 5) baseline selection and PL-11 (new in Rev 5) baseline tailoring enable systematic control selection aligned with risk tolerance. PM-01 information security program plan provides the overarching programme plan. PM-04 plan of action and milestones tracks policy implementation progress. PM-10 authorisation process supports policy approval workflows. AC-01, AT-01, AU-01, IR-01, and SC-01 provide family-level policy and procedures for access control, training, audit, incident response, and system communications respectively — together covering the CBN requirement for comprehensive cybersecurity policy development and enforcement.

Gaps

CBN requires policies to be specifically approved by the board and reviewed periodically. The framework mandates policies covering areas including cybersecurity strategy, acceptable use, data classification, incident management, and third-party management — while SP 800-53 addresses these topically, CBN requires them as a coordinated suite approved through a defined governance hierarchy. CBN-specific policy requirements around BOFIA 2020 compliance and alignment with Nigerian Data Protection Act (NDPA) 2023 are jurisdiction-specific.

Part 2.1 Cybersecurity Risk Assessment and Measurement

Rationale

RA-01 risk assessment policy and procedures establishes the risk assessment framework. RA-02 security categorisation classifies information systems by risk level. RA-03 risk assessment and RA-04 risk assessment update create a comprehensive risk assessment lifecycle with annual reviews and updates upon significant changes, aligning with CBN's annual assessment requirement. RA-07 (new in Rev 5) risk response adds explicit risk treatment options covering risk reduction, acceptance, avoidance, and transfer — directly mapping to CBN's risk treatment selection requirement. RA-09 (new in Rev 5) criticality analysis identifies critical components for risk-based prioritisation of financial systems. PM-09 risk management strategy and PM-28 risk framing establish the enterprise risk context and risk appetite. PL-10 (new in Rev 5) baseline selection and PL-11 (new in Rev 5) baseline tailoring enable risk-based control selection. CA-05 plan of action and milestones tracks remediation.

Gaps

CBN mandates SFIs quantify the financial impact of cybersecurity risks through a formal risk measurement process — SP 800-53 addresses risk assessment qualitatively but does not prescribe financial impact quantification methodologies specific to banking. CBN requires a cybersecurity risk control self-assessment (RCSA) that documents all risk assessment outcomes. The requirement for an independent risk management function responsible for assessing, measuring, monitoring, and reporting IT infrastructure risks goes beyond SP 800-53's general risk assessment framework. CBN-specific risk appetite articulation linked to the board-approved tolerance thresholds needs supplementation.

Part 2.2 Risk Monitoring, Risk Register and Reporting

Rationale

RA-03 risk assessment and RA-04 risk assessment update support ongoing risk evaluation. RA-07 (new in Rev 5) risk response documents treatment decisions. CA-05 plan of action and milestones tracks risk remediation actions analogous to risk register entries. CA-07 continuous monitoring provides the ongoing monitoring programme. PM-04 plan of action and milestones process governs tracking at the programme level. PM-06 measures of performance addresses metrics for risk reporting. PM-09 risk management strategy and PM-28 risk framing establish the risk governance context for reporting. SI-04 system monitoring provides technical risk indicator feeds.

Gaps

CBN requires a formal risk register maintained with specific attributes including risk ownership, scoring, and treatment status, reported regularly to both the board and senior management. The requirement for regular risk reporting to the board at defined cadences (quarterly at minimum) with specific content expectations goes beyond PM-06 measures of performance. CBN mandates integration of cybersecurity risk reporting with the SFI's enterprise risk management framework. The independent risk management function reporting requirement is an organisational structure mandate not addressed by SP 800-53.

Part 2.3 Vulnerability Assessment and Penetration Testing

Rationale

RA-05 vulnerability monitoring and scanning directly addresses the CBN requirement for quarterly vulnerability scans and annual vulnerability assessments. CA-08 penetration testing covers the third-party penetration testing mandate. CA-02 control assessments provides the broader assessment framework. CA-07 continuous monitoring supports ongoing security posture evaluation. CA-09 (new in Rev 5) internal system connections extends testing to internal network pathways. PM-14 testing, training, and monitoring establishes the overarching testing programme. RA-09 (new in Rev 5) criticality analysis enables risk-prioritised testing of critical banking infrastructure. RA-06 technical surveillance countermeasures survey addresses advanced threat detection. SI-02 flaw remediation addresses remediation of discovered vulnerabilities.

Gaps

CBN mandates specific testing cadences: quarterly vulnerability scans and annual vulnerability assessments at minimum. Third-party penetration testing is explicitly required rather than optional. The CBN Cybersecurity Self-Assessment Tool (CSAT) is a CBN-specific assessment instrument with no SP 800-53 equivalent — SFIs must submit CSAT results annually. Remediation tracking with CBN-expected SLAs for critical and high findings and mandatory retesting after remediation are CBN-specific requirements beyond general PM-14 scope.

Part 2.4 Third-Party Risk Management

Rationale

SA-04 acquisition process integrates security requirements into vendor procurement. SA-09 external system services addresses ongoing third-party service management and SLA monitoring. SA-21 (new in Rev 5) developer screening adds vetting for third-party development personnel. SA-22 (new in Rev 5) unsupported system components addresses risk from end-of-life vendor products. SR-01 supply chain risk management policy, SR-02 supply chain risk assessment, and SR-03 supply chain controls and processes establish the third-party risk management programme. SR-05 acquisition strategies and SR-06 supplier assessments cover due diligence. PM-30 supply chain risk management strategy, PM-31 supply chain risk management plan, and PM-32 (new in Rev 5) purposeful attack surface reduction address strategic third-party risk governance. PS-07 external personnel covers third-party personnel controls. AC-20 use of external systems addresses SFI connections to third-party environments.

Gaps

CBN requires SFIs to periodically review records to ensure discontinued third parties' access credentials are revoked and network connections terminated. SFIs must identify and document all connections to third parties including wholesale customers, vendors, and switches providing Value-Added-Services (VAS), with objectives documented and reviewed regularly. Third-party cybersecurity awareness requirements and business continuity planning for third-party dependencies are CBN-specific mandates. CBN requires vendor compliance monitoring and periodic reassessment of third-party risk posture that goes beyond initial due diligence. Concentration risk analysis for critical service providers is a CBN expectation not explicitly addressed by SP 800-53.

Part 3.1 Know Your Environment — Asset Management

Rationale

CM-08 system component inventory directly addresses the CBN requirement to maintain up-to-date inventories of critical assets, software, hardware, and network connections. CM-09 configuration management plan ensures inventory governance and baseline documentation. CM-12 (new in Rev 5) information location tracking identifies where critical data resides across assets. PM-05 system inventory provides organisational-level asset tracking. RA-02 security categorisation classifies assets by criticality and sensitivity, aligning with the CBN requirement to identify critical assets. RA-09 (new in Rev 5) criticality analysis enables risk-based prioritisation of business IT assets. SC-07 boundary protection addresses network architecture documentation and segmentation. PL-02 system security and privacy plans ties asset documentation to security planning.

Gaps

Minor: CBN requires asset ownership assignment with a designated responsible person for each asset — while CM-08 covers inventory, the specific ownership assignment governance structure is CBN-specific. Asset classification specifically aligned to Nigerian banking business criticality tiers and integration with the SFI's business impact analysis require supplementation beyond general NIST categorisation.

Part 3.2 Preventive Controls — Access Control and Identity Management

Rationale

AC-01 access control policy establishes the access control framework. AC-02 account management covers user lifecycle including provisioning, modification, disabling, and removal. AC-03 access enforcement and AC-04 information flow enforcement implement the access control model. AC-05 separation of duties and AC-06 least privilege address the CBN requirement for role-based access restriction. AC-07 unsuccessful logon attempts, AC-10 concurrent session control, AC-11 device lock, and AC-12 session termination enforce session management. AC-17 remote access, AC-19 access control for mobile devices, and AC-20 use of external systems cover extended access scenarios. AC-24 access control decisions addresses dynamic authorisation. IA-01 through IA-06 establish identification and authentication including multi-factor authentication via IA-02. IA-08 covers non-organisational users. IA-11 re-authentication and IA-12 (new in Rev 5) identity proofing strengthen the identity lifecycle.

Gaps

Minor: CBN requires specific periodic access review cadences for privileged and standard accounts that go beyond AC-02 general account management. Privileged access management (PAM) solution deployment with session recording and vault-based credential management are implied CBN expectations. CBN-specific requirements for access controls over payment systems, SWIFT interfaces, and core banking platforms are sector-specific obligations not explicitly addressed by SP 800-53.

Part 3.3 Preventive Controls — Network and Infrastructure Security

Rationale

SC-07 boundary protection provides network segmentation and firewall controls directly mapping to the CBN requirement for firewalls and intrusion detection systems. SC-05 denial-of-service protection, SC-20/SC-21/SC-22 DNS security, and SC-39 process isolation address infrastructure resilience. SC-08 transmission confidentiality and integrity covers encryption in transit. SC-12 cryptographic key management and SC-13 cryptographic protection address encryption requirements. SC-28 protection of information at rest covers data-at-rest encryption. SC-41 (new in Rev 5) port and I/O device access restriction strengthens endpoint hardening. CM-01 through CM-07 provide comprehensive configuration management covering policy, baselines, change control, access restrictions, settings, and least functionality. SI-02 flaw remediation addresses patch management. SI-03 malicious code protection covers endpoint security including antivirus/EDR. SI-04 system monitoring maps to IDS/IPS requirements. SI-07 software integrity and SI-16 (new in Rev 5) memory protection add integrity controls. RA-05 vulnerability scanning provides the vulnerability assessment foundation. MA-01 system maintenance policy, MA-02 controlled maintenance, MA-03 maintenance tools, MA-04 nonlocal maintenance, and MA-05 maintenance personnel address infrastructure maintenance governance including scheduled maintenance windows, controlled use of diagnostic tools, and vetting of maintenance staff — supporting the CBN requirement for secure system lifecycle management of critical banking infrastructure.

Gaps

Minor: CBN mandates specific deployment of firewalls and IDS to monitor traffic and prevent unauthorised access — SP 800-53 addresses the capability requirements but does not prescribe specific technology deployments. Patch management SLAs (timeframes for critical and high patches) may be CBN-specific expectations. CBN requirements around network architecture documentation with defined security zones aligned with data classification are more prescriptive than SP 800-53 boundary protection guidance.

Part 3.4 Preventive Controls — Data Protection and Encryption

Rationale

MP-01 through MP-07 provide comprehensive media protection covering data handling, marking, storage, transport, sanitisation, and use. SC-08 transmission confidentiality and integrity protects data in transit via TLS. SC-13 cryptographic protection establishes encryption standards. SC-28 protection of information at rest covers data-at-rest encryption. AC-04 information flow enforcement and AC-16 security and privacy attributes enable data classification enforcement. AC-23 data mining protection addresses advanced data loss scenarios. PT-01 through PT-03 and PT-05 address privacy authority, consent, purpose specification, and use limitation. SI-12 information management and retention covers data retention and disposal. CM-12 (new in Rev 5) information location identifies where sensitive data resides, supporting data mapping.

Gaps

CBN requires compliance with the Nigerian Data Protection Act (NDPA) 2023 including specific data residency and data protection requirements for Nigerian financial institutions. Data classification schemes specifically aligned with the sensitivity of banking and customer data need CBN-specific supplementation. Data loss prevention (DLP) tool deployment covering email, web, endpoint, and cloud channels is a CBN expectation. Database activity monitoring for critical financial databases and specific privacy requirements under NDPA 2023 are jurisdiction-specific obligations not addressed by SP 800-53.

Part 3.5 Monitoring, Detection and 24/7 Security Operations

Rationale

SI-04 system monitoring provides the core monitoring capability for continuous 24/7 monitoring of IT systems as mandated by CBN. AU-02/AU-03/AU-04/AU-05 establish event logging, content, storage capacity, and response to audit processing failures. AU-06 audit record review, analysis, and reporting addresses security analytics and SIEM-style correlation. AU-07 audit record reduction and report generation enables log aggregation. AU-08 time stamps and AU-09 protection of audit information ensure log integrity. AU-12 audit record generation completes the logging framework. CA-07 continuous monitoring provides the overarching monitoring programme. PM-16 threat awareness program addresses threat intelligence feeds integration into SOC operations. RA-10 (new in Rev 5) threat hunting adds proactive threat detection capabilities. SC-26 (new in Rev 5) honeypots provide deception technology. SC-44 (new in Rev 5) detonation chambers enables sandbox analysis. IR-04 incident handling provides the response linkage from detection.

Gaps

Minor: CBN requires establishment of capacity for monitoring and detecting cyber anomalies with 24/7 operations. Specific SOC staffing requirements and SOC maturity expectations for larger SFIs are CBN-specific. Log retention periods for financial transaction logs may need to exceed SP 800-53 default guidance to meet BOFIA 2020 record-keeping requirements. Integration with NigFinCERT threat feeds and Nigerian financial sector ISACs is a jurisdiction-specific expectation.

Part 3.6 Incident Response and Recovery

Rationale

IR-01 incident response policy establishes the incident management framework. IR-02 incident response training ensures team readiness. IR-03 incident response testing validates response capabilities through exercises. IR-04 incident handling covers detection, analysis, containment, eradication, and recovery. IR-05 incident monitoring and IR-06 incident reporting address tracking and internal reporting. IR-07 incident response assistance provides help desk and escalation. IR-08 incident response plan defines the formal plan structure. IR-09 (new in Rev 5) information spillage response addresses data breach-specific handling, critical for financial data breach scenarios. CP-01 contingency planning policy, CP-02 contingency plan, CP-04 contingency plan testing, CP-09 system backup, and CP-10 system recovery address the CBN mandate for disaster recovery measures to restore normal operations after a breach.

Gaps

CBN mandates reporting of all cybersecurity threats, incidents, and attacks to the CBN within 24 hours of occurrence — a specific regulatory notification obligation with no SP 800-53 equivalent. Supplementary incident details must be submitted as required by CBN. Digital forensics requirements including chain of custody and evidence preservation for potential law enforcement engagement under the Cybercrimes Act 2015 are Nigeria-specific. Post-incident root cause analysis and lessons-learned reporting to the board are CBN governance expectations. The in-house or outsourced incident response capacity requirement at short notice is more prescriptive than IR-07 general assistance.

Part 3.7 Cyber Resilience — Business Continuity and Disaster Recovery

Rationale

CP-01 contingency planning policy establishes the resilience framework. CP-02 contingency plan and CP-03 contingency training provide planning and readiness. CP-04 contingency plan testing validates recovery capabilities, mapping to the CBN requirement to test DR/BCP documents. CP-06 alternate storage site, CP-07 alternate processing site, and CP-08 telecommunications services address infrastructure redundancy. CP-09 system backup and CP-10 system recovery cover backup and recovery. CP-11 alternate communications and CP-12 (new in Rev 5) information system recovery and reconstitution address advanced recovery scenarios. CP-13 (new in Rev 5) alternative security mechanisms provides fallback controls during disruption. SC-24 (new in Rev 5) fail in known state ensures systems preserve security during failures, critical for financial transaction integrity. SI-13 (new in Rev 5) predictive maintenance enables proactive failure prevention. SI-17 (new in Rev 5) fail-safe procedures provide failure handling. PM-08 critical infrastructure plan and PM-11 mission and business process definition link resilience to business impact.

Gaps

CBN requires SFIs to review their Disaster Recovery/Business Continuity documents to ensure they adequately support recovery from breaches, with testing to identify necessary improvements. Business impact analysis (BIA) with specific RTO/RPO targets for critical banking services (core banking, payments, treasury) is a CBN expectation. Prevention of single points of failure in critical systems is explicitly mandated. CBN requires participation in industry-specific cyber exercises and drills. Crisis management coordination with Nigerian national response entities and CBN supervisory expectations for resilience testing results are jurisdiction-specific.

Part 3.8 Cyber Drills and Industry Exercises

Rationale

IR-03 incident response testing validates response capabilities through tabletop exercises, functional exercises, and full-scale tests. CP-04 contingency plan testing covers disaster recovery exercises. PM-14 testing, training, and monitoring establishes the overarching testing programme that can encompass industry-wide exercises. CA-08 penetration testing provides technical assessment that may be incorporated into drill scenarios. AT-02 literacy training and awareness supports the awareness component of cyber drill participation.

Gaps

CBN mandates participation in industry-specific cyber exercises conducted by NigFinCERT or similar bodies — this is a sector-specific mandatory participation requirement with no SP 800-53 equivalent. The exercises must assess preparedness for cyber incidents within the Nigerian financial sector context. War-game style exercises and cross-institutional coordination requirements are CBN-specific mandates. SP 800-53 addresses organisational testing but does not require participation in regulator-led or industry-coordinated drills.

Part 4 Cyber Threat Intelligence

Rationale

PM-15 security and privacy groups and associations supports participation in threat intelligence sharing communities. PM-16 threat awareness program directly addresses the requirement for a structured threat intelligence programme with threat feeds and sharing. RA-03 risk assessment incorporates threat information into risk decisions. RA-10 (new in Rev 5) threat hunting adds proactive threat detection using intelligence-driven hypotheses. SI-04 system monitoring enables detection of indicators of compromise (IoCs). SI-05 security alerts, advisories, and directives addresses consumption of external threat advisories. SC-26 (new in Rev 5) honeypots and SC-44 (new in Rev 5) detonation chambers provide active deception and analysis capabilities for threat intelligence collection. SA-08 security and privacy engineering principles supports threat modelling to inform intelligence requirements.

Gaps

CBN requires SFIs to possess fact-based objective knowledge of all emerging threats, cyberattacks, attack vectors, mechanisms, and indicators of compromise to their information assets for informed decision-making. Establishing a formal cyber threat intelligence programme with specific capabilities including threat feed consumption, analysis, and dissemination is a CBN-specific mandate. Integration with NigFinCERT and Nigerian financial sector threat intelligence sharing arrangements is jurisdiction-specific. SP 800-53 provides threat awareness mechanisms but does not prescribe the comprehensive CTI programme structure that CBN envisions.

Part 5.1 Emerging Technologies — AI, Cloud, and DLT Governance

Rationale

SA-04 acquisition process integrates security requirements into emerging technology procurement. SA-08 security and privacy engineering principles addresses security-by-design for new technology deployments. SA-09 external system services covers cloud service provider management. SA-17 developer security and privacy architecture and design supports threat modelling for AI and DLT implementations. PM-32 (new in Rev 5) purposeful attack surface reduction addresses risk from expanded attack surfaces introduced by emerging technologies. SC-07 boundary protection provides network controls for cloud and IoT connectivity. RA-03 risk assessment and RA-09 (new in Rev 5) criticality analysis enable risk-based evaluation of emerging technology deployments. CA-02 control assessments provides assessment of emerging technology controls. PT-01 authority to collect and PT-02 consent address privacy considerations for AI data processing.

Gaps

CBN requires all SFIs to obtain CBN approval before deploying emerging technologies and products — a regulatory pre-approval requirement with no SP 800-53 equivalent. The prohibition on products from non-approved countries is a geopolitical compliance requirement beyond SP 800-53 scope. Technology-specific security controls for contactless payments, open banking APIs, distributed ledger technology, AI/ML, cloud computing, IoT, and FinTech integrations are CBN-mandated areas that SP 800-53 addresses generically but not with sector-specific depth. Due diligence maintenance for ongoing technology assessment is a CBN expectation. SP 800-53 lacks specific controls for AI governance, algorithmic bias, or DLT-specific security considerations.

Part 5.2 Emerging Technologies — Open Banking and API Security

Rationale

SA-04 acquisition process ensures security requirements are embedded in API platform procurement. SA-08 security and privacy engineering principles supports secure API design. SA-11 developer testing and evaluation addresses API security testing including OWASP API Top 10 coverage. SC-07 boundary protection provides API gateway and perimeter controls. SC-08 transmission confidentiality and integrity covers TLS for API communications. SC-13 cryptographic protection addresses token and payload encryption. SC-23 session authenticity protects API session integrity. AC-03 access enforcement and AC-04 information flow enforcement implement API authorisation controls. IA-02 identification and authentication covers OAuth 2.0/OpenID Connect patterns. IA-08 identification and authentication for non-organisational users addresses third-party API consumer authentication. SI-10 information input validation covers API input validation and schema enforcement.

Gaps

CBN requires specific controls for open banking implementations including API gateway management, rate limiting, schema validation, and standards-based authentication. FinTech integration security requirements including sandbox testing environments for new products are CBN expectations. CBN mandates that financial products delivered through APIs comply with all applicable regulations including KYC/AML requirements — cross-cutting compliance obligations that SP 800-53 does not address. API versioning, deprecation management, and consumer notification requirements are CBN-specific operational mandates.

Part 6.1 Cybersecurity Metrics and Performance Measurement

Rationale

PM-06 measures of performance directly addresses the CBN requirement for cybersecurity metrics including key performance indicators (KPIs), key risk indicators (KRIs), and goal indicators aligned with strategy. PM-14 testing, training, and monitoring provides the testing and measurement programme. CA-07 continuous monitoring supports ongoing measurement of security posture. PM-04 plan of action and milestones tracks remediation performance. PM-01 information security program plan establishes the programme context within which metrics are defined and reported.

Gaps

CBN mandates annual review of cybersecurity metrics to ensure continued relevance and alignment with the SFI's cybersecurity strategy. Specific KPI and KRI requirements with board-level reporting expectations go beyond PM-06 general measures of performance. CBN requires goal indicators that demonstrate progress toward target maturity states as assessed by the CSAT tool — this maturity measurement framework is CBN-specific. The integration of metrics with the Information Security Steering Committee reporting cycle is a governance requirement not addressed by SP 800-53.

Part 6.2 Regulatory Reporting and Self-Assessment

Rationale

CA-01 assessment, authorisation, and monitoring policy establishes the compliance framework. CA-02 control assessments provides the assessment methodology supporting the annual CSAT self-assessment. CA-05 plan of action and milestones tracks remediation of assessment findings. CA-06 authorisation supports formal approval of system security posture. CA-07 continuous monitoring provides ongoing compliance assurance. PM-04 plan of action and milestones process and PM-06 measures of performance support compliance tracking and reporting. PM-10 authorisation process governs approval workflows. PL-01 planning policy and PL-02 system security plans establish the planning foundation.

Gaps

CBN mandates submission of a Cybersecurity Self-Assessment Tool (CSAT) report, signed by the CISO and approved by senior management, to the CBN Director of OFI Supervision no later than 31 March annually — this is a jurisdiction-specific regulatory reporting obligation with no SP 800-53 equivalent. Quarterly cybersecurity status reports to the board covering risk, incidents, and compliance are CBN governance mandates. Incident reporting to CBN within 24 hours is a notification requirement beyond SP 800-53 general incident reporting. CBN supervisory review and evaluation exercises, risk-based examinations, and periodic spot checks are regulator-imposed compliance mechanisms.

Part7.1 Compliance with Statutory and Regulatory Requirements

Rationale

PL-04 rules of behaviour establishes compliance with acceptable use requirements. PM-10 authorisation process supports regulatory compliance workflows. PM-01 information security program plan provides the programme that must align with statutory requirements. SI-12 information management and retention addresses data retention obligations under BOFIA 2020. PT-01 authority to collect, PT-02 consent, PT-03 purpose specification, PT-05 use limitation, and PT-06 quality address privacy requirements that partially map to NDPA 2023 compliance.

Gaps

CBN mandates compliance with multiple Nigerian statutes and regulations: Cybercrimes Act 2015, Nigerian Data Protection Act (NDPA) 2023, National Cybersecurity Policy, Banks and Other Financial Institutions Act (BOFIA) 2020, and all applicable CBN directives. Each of these has jurisdiction-specific requirements with no SP 800-53 equivalent. Annual compliance reviews by the CBN, industry compliance audits, and risk-based examinations are enforcement mechanisms. The requirement to comply with applicable statutes covering anti-money laundering, counter-terrorism financing, and fraud prevention creates cross-cutting obligations that SP 800-53 is not designed to address.

Part7.2 Enforcement and CBN Supervisory Oversight

Rationale

CA-02 control assessments provides the assessment methodology that supports supervisory examinations. CA-07 continuous monitoring demonstrates ongoing compliance readiness. PM-04 plan of action and milestones tracks remediation of supervisory findings. PM-06 measures of performance provides metrics that may be reported to the CBN. PM-14 testing, training, and monitoring establishes the programme that the CBN evaluates during supervisory reviews.

Gaps

CBN enforcement mechanisms are entirely jurisdiction-specific: annual cybersecurity supervisory review and evaluation exercises, risk-based examinations, annual industry compliance audits, and periodic spot checks. Sanctions for non-compliance are provided under BOFIA 2020 and other regulations — SP 800-53 provides no equivalent regulatory enforcement framework. The CBN's powers to mandate remediation timelines, impose sanctions, and conduct unannounced examinations are regulatory powers that do not map to any NIST control family. NigFinCERT-led exercises and industry coordination requirements are Nigeria-specific supervisory instruments.

Part8 Cybersecurity Awareness and Training

Rationale

AT-01 training policy and procedures establishes the training framework. AT-02 literacy training and awareness provides the general awareness programme covering phishing, social engineering, and cyber hygiene — directly mapping to CBN's mandate that all employees from junior staff to senior executives be trained. AT-03 role-based training addresses specialised training for CISO, security personnel, developers, and system administrators. AT-04 training records tracks training completion and compliance. AT-05 (new in Rev 5) contacts with groups and associations supports ongoing professional development and knowledge sharing. AT-06 (new in Rev 5) training feedback enables measurement of training effectiveness. PM-13 security and privacy workforce addresses competency requirements for the cyber workforce. PM-15 security and privacy groups and associations supports participation in industry awareness forums.

Gaps

CBN mandates board-level cybersecurity awareness training — board members must participate in awareness training, not merely receive reports. Third-party cybersecurity awareness requirements extend awareness obligations beyond the SFI's own employees. Training effectiveness metrics with specific KPIs (phishing click rates, reporting rates) and reporting to the board/ISSC are CBN governance expectations. CBN does not specify language requirements, but awareness materials appropriate for the Nigerian banking workforce context need supplementation.

Part9 Personnel Security and Insider Threat

Rationale

PS-01 personnel security policy establishes the framework for personnel security. PS-02 position risk designation categorises roles by risk level. PS-03 personnel screening addresses background vetting before granting access. PS-04 personnel termination and PS-05 personnel transfer cover access revocation upon role changes, supporting the CBN requirement to revoke discontinued credentials. PS-06 access agreements and PS-07 external personnel extend controls to contractors and third parties. PS-08 personnel sanctions addresses disciplinary actions. AC-05 separation of duties and AC-06 least privilege enforce role-based access restrictions to prevent insider abuse. AU-06 audit record review and AU-13 monitoring for information disclosure support insider threat detection. PM-12 insider threat program establishes the formal insider threat programme.

Gaps

CBN requirements for personnel security are embedded across governance and access control sections rather than consolidated. Specific Nigerian employment law considerations for personnel screening, the interplay with NDPA 2023 for employee monitoring, and CBN-specific requirements for vetting of staff with access to critical banking systems need supplementation. PM-12 insider threat program addresses the programme itself, but CBN's integration of insider threat with the broader fraud prevention framework for Nigerian banking is sector-specific.

Part10 Physical and Environmental Security

Rationale

PE-01 physical and environmental protection policy establishes the physical security framework. PE-02 physical access authorisations and PE-03 physical access control implement access restrictions for data centres and critical facilities. PE-04 access control for transmission and PE-05 access control for output devices protect communications infrastructure. PE-06 monitoring physical access provides surveillance and logging of physical access. PE-08 visitor access records tracks visitor activity. PE-09 power equipment and cabling, PE-10 emergency shutoff, PE-11 emergency power, and PE-12 emergency lighting address power resilience. PE-13 fire protection, PE-14 environmental controls (temperature/humidity), and PE-15 water damage protection address environmental hazards. PE-17 alternate work site covers remote/alternate facility security.

Gaps

Minor: CBN's physical security requirements for Nigerian banking environments including ATM security, branch security, and vault protection are sector-specific considerations. Physical security controls for data centres hosting critical banking infrastructure in the Nigerian operating context (including power stability and generator backup requirements specific to the Nigerian grid) may need supplementation. CBN alignment with the NCC and other Nigerian regulatory bodies for telecommunications facility security is jurisdiction-specific.

Methodology and Disclaimer

This coverage analysis maps from CBN CSF clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.