
CBUAE Cyber Risk and Operational Resilience Framework — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each CBUAE requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 14
Avg Coverage: 80.4%
Publisher: Central Bank of the UAE (CBUAE)
Coverage Distribution
Full (85-100%): 6
Substantial (65-84%): 7
Partial (40-64%): 1
Weak (1-39%): 0

Clause-by-Clause Analysis

CR-1 Cyber Risk Governance

Rationale

PM-01 information security program plan establishes the organisational security programme. PM-02 information security program leadership role assigns a senior security leader, partially mapping to CISO appointment. PM-03 information security and privacy resources addresses funding and resourcing of the cyber programme. PM-09 risk management strategy provides the strategic risk framework. PM-13 security and privacy workforce addresses staffing governance. PM-28 (new in Rev 5) risk framing establishes the organisational context for risk decisions and partially addresses risk appetite. PM-29 (new in Rev 5) risk management program leadership roles formalises senior leadership accountability for risk management. PS-09 (new in Rev 5) position descriptions defines security responsibilities, including CISO-type roles. PL-09 central management (carried over from Rev 4) enables unified governance of controls across the organisation.

Gaps

CBUAE mandates specific board-level cyber risk oversight structures, including a dedicated cyber risk committee with defined composition and charter. The requirement for a board-approved cyber risk appetite statement with quantitative and qualitative thresholds goes beyond PM-28 risk framing. CBUAE requires formal CISO appointment with a direct board reporting line and independence from IT operations. A regular board reporting cadence (at minimum quarterly) on cyber risk posture, material incidents, and remediation status is a CBUAE-specific obligation. SP 800-53 provides programme governance but does not prescribe UAE-specific board committee structures or CBUAE-mandated reporting frequency.

CR-2 Cyber Risk Management

Rationale

PM-09 risk management strategy and PM-28 risk framing establish the enterprise risk context. RA-01 risk assessment policy and procedures, RA-02 security categorisation, and RA-03 risk assessment create the risk assessment lifecycle; RA-04 risk assessment update is a withdrawn control, and the requirement to update assessments at an organisation-defined frequency now sits inside RA-03. RA-07 (new in Rev 5) risk response adds explicit risk treatment actions covering risk acceptance, avoidance, mitigation, sharing, and transfer. RA-09 (new in Rev 5) criticality analysis identifies critical components for risk-based prioritisation of financial systems. PL-10 (new in Rev 5) baseline selection and PL-11 (new in Rev 5) baseline tailoring enable systematic risk-based control selection. CA-05 plan of action and milestones tracks risk treatment progress.

Gaps

CBUAE requires a formal cyber risk register maintained with specific attributes including risk ownership, risk scoring aligned with the institution's enterprise risk taxonomy, and escalation thresholds linked to the board-approved risk appetite. CBUAE-mandated cyber risk appetite articulation with explicit quantitative tolerances (e.g., maximum acceptable downtime, data loss thresholds) goes beyond RA-07 risk response. Continuous risk monitoring tied to CBUAE supervisory expectations and integration with the institution's operational risk framework need supplementation.

CR-3 Cyber Security Operations

Rationale

SI-04 system monitoring provides the core monitoring capability for SOC operations. AU-02/AU-03/AU-04/AU-05 establish event logging, audit record content, audit log storage capacity, and response to audit logging process failures. AU-06 audit record review, analysis, and reporting addresses security analytics. AU-07 audit record reduction and report generation enables log aggregation and SIEM-style analysis. AU-08 time stamps and AU-09 protection of audit information ensure log integrity. AU-10 non-repudiation, AU-11 audit record retention (with an organisation-defined retention period), and AU-12 audit record generation complete the logging framework. CA-07 continuous monitoring provides the overarching monitoring programme. PM-16 threat awareness program addresses threat intelligence feeds and sharing. RA-10 (new in Rev 5) threat hunting adds proactive threat detection capabilities within the SOC. SC-26 decoys (the Rev 4 honeypots control, renamed in Rev 5) provides deception technology for advanced threat detection. SC-44 detonation chambers (carried over from Rev 4) enables sandbox analysis of suspicious files. IR-04 incident handling provides the operational response linkage from SOC detection.

Gaps

Minor: CBUAE requires a dedicated 24x7 Security Operations Centre (SOC) with specified staffing levels for regulated financial institutions above a certain size. SOC maturity requirements, including use of threat intelligence platforms, automated correlation, and SOAR integration, are CBUAE expectations beyond general monitoring controls. SP 800-53 sets no default log retention period; AU-11 leaves it organisation-defined, so the CBUAE minimum (5 years for financial transaction logs) must be set explicitly as the AU-11 parameter.

CR-4 Identity and Access Management

Rationale

AC-01 access control policy and IA-01 identification and authentication policy establish the policy framework. AC-02 account management covers user lifecycle management including provisioning, modification, disabling, and removal. AC-03 access enforcement and AC-04 information flow enforcement implement the access control model. AC-05 separation of duties and AC-06 least privilege address privileged access management principles. AC-07 unsuccessful logon attempts, AC-08 system use notification, AC-10 concurrent session control, AC-11 device lock, and AC-12 session termination enforce session management. AC-14 permitted actions without identification, AC-17 remote access, AC-19 access control for mobile devices, and AC-20 use of external systems cover extended access scenarios. AC-24 access control decisions addresses dynamic authorisation. IA-02 identification and authentication covers authentication mechanisms including MFA. IA-03 device identification, IA-04 identifier management, IA-05 authenticator management, IA-06 authentication feedback, IA-08 identification and authentication for non-organisational users, IA-09 service identification and authentication, IA-11 re-authentication, and IA-12 (new in Rev 5) identity proofing strengthen the full identity lifecycle.

Gaps

Minor: CBUAE requires periodic access reviews at defined frequencies (quarterly for privileged accounts, semi-annually for standard accounts). AC-02 requires account reviews and AC-06(7) requires review of user privileges, but both leave the frequency organisation-defined, so the CBUAE cadences must be set as parameters. Specific CBUAE requirements for privileged access management (PAM) solutions, including session recording, just-in-time access, and vault-based credential management, are implied but not explicitly mandated by SP 800-53. Remote access requirements for UAE-based financial institutions include CBUAE-specific conditions for offshore access to critical banking systems.

CR-5 Data Protection

Rationale

MP-01 through MP-07 provide comprehensive media protection covering media access, marking, storage, transport, sanitisation, and use. SC-08 transmission confidentiality and integrity protects data in transit. SC-13 cryptographic protection and SC-28 protection of information at rest address encryption requirements. CM-12 (new in Rev 5) information location identifies where sensitive data resides across infrastructure, supporting data mapping. PT-01 through PT-08 (the PT family is new in Rev 5) address privacy requirements including authority to process PII, processing purposes, consent, privacy notices, and handling of specific PII categories; data minimisation and retention limits sit in SI-12. AC-04 information flow enforcement and AC-16 security and privacy attributes enable data classification enforcement. AC-23 data mining protection addresses bulk extraction scenarios. SI-12 information management and retention covers data retention and disposal.

Gaps

CBUAE requires compliance with UAE Federal Decree-Law No. 45 of 2021 (the UAE Personal Data Protection Law), including data localisation requirements for certain categories of financial data within the UAE. CBUAE mandates specific data classification schemes aligned with the sensitivity of financial and customer data. Data loss prevention (DLP) tool deployment is a CBUAE expectation with specific channel coverage (email, web, endpoint, cloud). Database activity monitoring for critical financial databases and specific privacy requirements for UAE national ID data (Emirates ID) go beyond SP 800-53 general controls.

CR-6 Application Security

Rationale

SA-03 system development life cycle establishes the secure SDLC framework. SA-04 acquisition process integrates security into procurement. SA-08 security and privacy engineering principles provides security-by-design. SA-10 developer configuration management and SA-11 developer testing and evaluation address code security testing and review. SA-15 development process, standards, and tools and SA-16 developer-provided training ensure development rigour. SA-17 developer security and privacy architecture and design covers threat modelling. SA-20 customized development of critical components (carried over from Rev 4) addresses bespoke development for high-assurance financial systems. SA-21 developer screening (carried over from Rev 4) adds vetting for development personnel. CM-14 (new in Rev 5) signed components ensures software integrity through cryptographic verification. SI-10 information input validation, SI-11 error handling, and SI-15 information output filtering address the web application security fundamentals that OWASP guidance also emphasises.

Gaps

CBUAE requires specific application security testing cadences including mandatory penetration testing before production deployment and after significant changes. API security requirements including API gateway controls, rate limiting, schema validation, and OAuth 2.0/OpenID Connect standards are CBUAE expectations for open banking implementations. CBUAE alignment with UAE National Electronic Security Authority (NESA) standards for government-integrated financial applications needs supplementation.

CR-7 Infrastructure Security

Rationale

SC-07 boundary protection provides network architecture and segmentation controls. SC-05 denial-of-service protection, SC-20/SC-21/SC-22 DNS security, and SC-39 process isolation address infrastructure resilience. SC-41 port and I/O device access (carried over from Rev 4) strengthens endpoint hardening. CM-01 through CM-09 provide comprehensive configuration management covering policy, baselines, change control, access restrictions for change, settings, least functionality, inventory, and the configuration management plan. SI-02 flaw remediation addresses patch management directly. SI-03 malicious code protection covers endpoint security. SI-04 system monitoring and SI-07 software, firmware, and information integrity address integrity monitoring. SI-16 memory protection (carried over from Rev 4) adds DEP/ASLR-type protections for server hardening. RA-05 vulnerability monitoring and scanning provides the vulnerability assessment foundation.

Gaps

Minor: CBUAE requires network architecture documentation with defined security zones aligned with data classification. Specific endpoint detection and response (EDR) tool deployment requirements and next-generation firewall capabilities are CBUAE expectations. Patch management SLAs (critical patches within 72 hours, high within 30 days) are CBUAE-specific timelines; SI-02 requires remediation within an organisation-defined period, so these become the SI-02 parameter values rather than a new control.

CR-8 Cryptography

Rationale

SC-12 cryptographic key establishment and management addresses the key management lifecycle including generation, distribution, storage, rotation, and destruction. SC-13 cryptographic protection establishes the overarching cryptographic standards. SC-08 transmission confidentiality and integrity covers encryption in transit (in practice TLS 1.2 or later; SP 800-53 itself does not name a protocol version). SC-17 public key infrastructure certificates addresses certificate management including certificate authority governance, certificate lifecycle, and revocation. SC-28 protection of information at rest covers encryption at rest. SC-40 wireless link protection (carried over from Rev 4) adds cryptographic protection for wireless communications, relevant to branch network security.

Gaps

CBUAE mandates specific cryptographic algorithm standards aligned with international best practice and requires migration plans for post-quantum cryptography readiness. Certificate management requirements include HSM-backed certificate authorities for critical financial systems. CBUAE requires encryption of all customer financial data at rest and in transit with specific algorithm and key length requirements. UAE NESA cryptographic standards compliance for government-integrated systems needs supplementation.

CR-9 Cyber Incident Management

Rationale

IR-01 incident response policy and procedures establishes the incident management framework. IR-02 incident response training ensures team readiness. IR-03 incident response testing validates response capabilities through exercises. IR-04 incident handling covers detection, analysis, containment, eradication, and recovery procedures, and requires lessons learned to be fed back into the process. IR-05 incident monitoring tracks incidents, and IR-06 incident reporting covers both internal reporting and reporting to organisation-defined external authorities within an organisation-defined time period. IR-07 incident response assistance provides help desk and escalation paths. IR-08 incident response plan defines the formal plan structure. IR-09 information spillage response (carried over from Rev 4) addresses data breach-specific handling procedures, critical for financial data breach scenarios.

Gaps

CBUAE requires notification of material cyber incidents to the CBUAE within 24 hours of detection, with detailed follow-up reports within 72 hours; IR-06 provides the reporting hook but leaves the authority and deadline organisation-defined. The CBUAE incident classification taxonomy mandates specific severity tiers (critical, major, minor) with defined escalation criteria linked to customer impact, financial loss, and data compromise. Digital forensics requirements, including chain of custody and evidence preservation for potential law enforcement engagement under the UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021), are CBUAE-specific. Post-incident review requirements with mandatory root cause analysis and lessons-learned reporting to the CBUAE Board go beyond the internal lessons-learned loop in IR-04 and the plan content in IR-08.

CR-10 Cyber Security Testing

Rationale

CA-02 control assessments provides the assessment framework. CA-07 continuous monitoring supports ongoing security posture evaluation. CA-08 penetration testing addresses penetration testing, and its enhancement CA-08(2) red team exercises covers adversary-simulation testing. CA-09 internal system connections (carried over from Rev 4) extends assessment to internal network pathways. RA-05 vulnerability monitoring and scanning covers vulnerability assessment. RA-06 technical surveillance countermeasures survey addresses detection of covert surveillance devices in sensitive facilities, a narrow physical-security adjunct to testing. PM-14 testing, training, and monitoring establishes the overarching testing programme. RA-09 (new in Rev 5) criticality analysis enables risk-prioritised testing of critical financial infrastructure.

Gaps

CBUAE requires red team exercises (threat-led penetration testing, similar to CBEST/TIBER) for systemically important financial institutions on a periodic basis; CA-08(2) provides a red-team hook but not the threat-intelligence-led scoping and regulator involvement of a TLPT regime. CBUAE mandates specific testing frequencies: vulnerability assessments quarterly, penetration tests annually, and red team exercises every two to three years for significant institutions. Remediation tracking with defined SLAs for critical and high findings (30 and 90 days respectively) and mandatory retesting after remediation are CBUAE-specific requirements that go beyond the general PM-14 testing programme scope.

CR-11 Cybersecurity Awareness and Training

Rationale

AT-01 training policy and procedures establishes the training framework. AT-02 literacy training and awareness provides the general awareness programme including phishing simulations and social engineering awareness. AT-03 role-based training addresses specialised training for security personnel, developers, system administrators, and privileged users. AT-04 training records tracks training completion and compliance. AT-06 (new in Rev 5) training feedback enables measurement of training effectiveness through evaluation and assessment. PM-13 security and privacy workforce addresses competency requirements for the cyber workforce. PM-15 security and privacy groups and associations supports external knowledge sharing and professional development.

Gaps

Minor: CBUAE requires board-level cyber awareness briefings at defined frequencies. Phishing simulation requirements with specific metrics (click rates, reporting rates) and progressive difficulty are CBUAE expectations. CBUAE mandates Arabic-language awareness materials for UAE-based staff and culturally appropriate training content. Training effectiveness measurement through AT-06 partially addresses CBUAE requirements but specific KPI thresholds and board reporting of training metrics need supplementation.

CR-12 Third-Party Cyber Risk

Rationale

SA-04 acquisition process integrates security requirements into vendor procurement. SA-09 external system services addresses ongoing third-party service management. SA-12 supply chain protection was withdrawn in Rev 5 and its content moved into the new SR family. SA-21 developer screening (carried over from Rev 4) adds vetting for third-party development personnel. SA-22 unsupported system components (carried over from Rev 4) addresses risk from end-of-life vendor products. SR-01 supply chain risk management policy and procedures, SR-02 supply chain risk management plan, and SR-03 supply chain controls and processes (all new in Rev 5) establish the third-party risk management programme. SR-05 acquisition strategies, tools, and methods and SR-06 supplier assessments and reviews cover due diligence. PM-30 (new in Rev 5) supply chain risk management strategy addresses strategic third-party risk governance, and PM-31 (new in Rev 5) continuous monitoring strategy supports ongoing oversight of supplier risk posture.

Gaps

CBUAE requires specific outsourcing due diligence including CBUAE notification and approval for material outsourcing arrangements. Cloud services risk assessment must address data residency within the UAE or approved jurisdictions per CBUAE circular. SLA requirements must include specific security clauses, right-to-audit provisions, incident notification obligations from third parties, and exit/transition management plans. CBUAE mandates ongoing monitoring of third-party risk posture with periodic reassessment and concentration risk analysis for critical service providers.

CR-13 Operational Resilience

Rationale

CP-01 contingency planning policy and procedures establishes the resilience framework. CP-02 contingency plan and CP-03 contingency training provide planning and readiness. CP-04 contingency plan testing validates recovery capabilities. CP-06 alternate storage site, CP-07 alternate processing site, and CP-08 telecommunications services address infrastructure redundancy. CP-09 system backup and CP-10 system recovery and reconstitution cover backup and recovery operations. CP-11 alternate communications protocols and CP-12 safe mode address degraded-operation scenarios. CP-13 alternative security mechanisms (carried over from Rev 4) provides fallback controls during disruption. SC-24 fail in known state (carried over from Rev 4) ensures systems preserve a secure state during failures, critical for financial transaction integrity. SI-13 predictable failure prevention (carried over from Rev 4) enables proactive handling of components approaching failure. SI-17 fail-safe procedures (carried over from Rev 4) provide additional failure handling. PM-08 critical infrastructure plan and PM-11 mission and business process definition link resilience to business impact.

Gaps

CBUAE requires a business impact analysis (BIA) with specific RTO/RPO targets for critical banking services (core banking, payments, treasury systems). Crisis management requirements include crisis communication plans, senior management crisis teams, and coordination with the UAE national CERT (aeCERT). Resilience testing must include full disaster recovery exercises at least annually, with documented results reported to the board. CBUAE mandates impact tolerance statements for important business services aligned with the broader operational resilience framework. Scenario-based resilience testing covering cyber attacks, technology failures, and third-party disruptions is a CBUAE-specific requirement.

CR-14 Regulatory Compliance and Reporting

Rationale

CA-01 assessment, authorisation, and monitoring policy and procedures establishes the compliance framework. CA-02 control assessments provides the assessment methodology. CA-03 information exchange governs agreements with connected systems, and CA-05 plan of action and milestones tracks remediation of findings. CA-06 authorisation and CA-07 continuous monitoring provide ongoing compliance assurance. PM-04 plan of action and milestones process, PM-06 measures of performance, and PM-10 authorisation process support compliance programme governance. PL-01 planning policy and procedures, PL-02 system security and privacy plans, and PL-04 rules of behaviour establish planning and behavioural compliance.

Gaps

CBUAE notification requirements mandate specific regulatory reporting obligations, including material cyber incident notification within 24 hours, annual cyber risk self-assessment submissions, and periodic compliance attestation reports. CBUAE regulatory examination preparation requires maintaining evidence repositories and designated liaison officers for supervisory inspections. Remediation plans for CBUAE examination findings must include defined timelines and board-level tracking. Compliance with UAE-specific regulations, including the UAE Cybercrime Law, the UAE Personal Data Protection Law, the UAE Electronic Transactions and Trust Services Law, and CBUAE circulars on technology risk, is a jurisdiction-specific obligation with no SP 800-53 equivalent. Integration with CBUAE's supervisory technology (SupTech) reporting platforms is a UAE-specific requirement.

Methodology and Disclaimer

This coverage analysis maps from CBUAE clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.