FFIEC IT Examination Handbook — Information Security — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each FFIEC IS requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution

Full (85-100%): 38
Substantial (65-84%): 12
Partial (40-64%): 1
Weak (1-39%): 0

Clause-by-Clause Analysis

Appendix A Examination Procedures

Rationale

CA-01/CA-02 assessment policies and control assessments provide the methodology framework. CA-05 POA&M tracks examination findings. CA-06 security authorization addresses system acceptance. PM-01 program plan, PM-04 POA&M process, and PM-06 performance measures support examination evidence requirements. These controls support the documentation and assessment infrastructure that examiners use.

Gaps

Significant gap. The Appendix A examination procedures are the examiner's workprogram, defining how bank examiners conduct IT examinations, what evidence to request, and how to rate institutions. This is a supervisory tool, not an implementation requirement. SP 800-53 controls support the evidence base but do not address the examination process itself, URSIT ratings, or interagency examination coordination.

I.A Security Culture

Rationale

AT-01 security awareness policy and AT-02 awareness training establish the foundation for organizational security culture. AT-03 role-based training, AT-04 training records, AT-05 contacts with security groups, and AT-06 (Rev 5) training feedback provide measurable culture-building mechanisms. PM-01 information security program plan and PM-02 senior information security officer establish accountability. PM-13 security workforce and PM-14 testing/exercises reinforce a culture of continuous vigilance. PL-04 rules of behavior sets conduct expectations.

Gaps

FFIEC emphasizes board-level engagement in fostering security culture and tone-from-the-top leadership, which are governance concepts beyond SP 800-53's technical control scope. Examiner assessment of cultural maturity (attitudes, behaviors, awareness beyond training completion) is not directly addressed.

I.B Responsibility and Accountability

Rationale

PM-02 senior information security officer establishes CISO-equivalent accountability. PM-01 program plan defines organizational roles. PM-03 information security resources ties budget to responsibility. PM-10 security authorization process assigns system-level accountability. PM-13 security workforce addresses staffing. PM-29 (Rev 5) risk management program leadership formalizes senior management accountability. PL-02 system security plans assign system owner responsibilities. PS-01/PS-02 personnel security policy and position risk designation assign role-based accountability. PS-07 external personnel extends accountability to contractors. PL-04 rules of behavior codifies individual responsibility.

Gaps

FFIEC specifically requires board of directors oversight and committee structures (e.g., IT steering committee, risk committee) for information security governance. SP 800-53 addresses senior leadership but not board-level fiduciary duty or US banking regulatory reporting lines to examiners.

I.C Resources

Rationale

PM-03 information security resources directly addresses budgeting and resource allocation for the security program. PM-13 security workforce ensures adequate staffing levels and competencies. PM-16 threat awareness program leverages external resources and intelligence sharing (e.g., FS-ISAC). SA-01/SA-02/SA-03 cover acquisition planning, resource allocation in SDLC, and system development lifecycle integration. AT-01/AT-02/AT-03 address training investment as a key resource.

Gaps

FFIEC's resource guidance includes examiner expectations for staffing ratios, budgetary adequacy relative to institution size/complexity, and use of managed security service providers (MSSPs). These institution-specific adequacy assessments are beyond SP 800-53's scope.

II.A Risk Identification

Rationale

RA-02 security categorization and RA-03 risk assessment form the core of risk identification. RA-05 vulnerability monitoring and scanning identifies technical vulnerabilities. RA-07 (Rev 5) risk response identifies risk treatment options. RA-09 (Rev 5) criticality analysis identifies critical assets. RA-10 (Rev 5) threat hunting proactively identifies threats. PM-08 critical infrastructure plan, PM-09 risk management strategy, PM-11 mission/business process definition, PM-12 insider threat program, and PM-15/PM-16 information sharing/threat awareness address organizational risk context. CA-02 control assessments and CA-07 continuous monitoring identify risk through ongoing evaluation.

Gaps

FFIEC's risk identification includes financial-sector-specific threat categories (e.g., ATM/POS fraud, wire transfer manipulation, synthetic identity fraud) and references interagency guidance (OCC, FDIC, Fed). These sector-specific threat taxonomies are not enumerated in SP 800-53.

II.A.1 Threats

Rationale

RA-03 risk assessment includes threat identification. RA-10 (Rev 5) threat hunting provides proactive threat discovery. PM-12 insider threat program addresses internal threat actors. PM-15 information sharing and PM-16 threat awareness program address external threat intelligence (aligning with FFIEC's references to US-CERT and FS-ISAC). SI-05 security alerts/advisories handles threat notifications. SR-07 supply chain threat intelligence covers supply chain threats.

Gaps

FFIEC categorizes threats as hostile cyber/physical attacks, human errors, structural failures, and natural/man-made disasters. SP 800-53 covers these broadly but does not enumerate banking-specific threat scenarios (e.g., SWIFT compromise, jackpotting, card skimming) that examiners expect institutions to assess.

II.A.2 Vulnerabilities

Rationale

RA-05 vulnerability monitoring and scanning is the primary control for vulnerability identification and remediation tracking. RA-07 (Rev 5) risk response links identified vulnerabilities to risk treatment decisions. CA-02 control assessments identify control weaknesses. CA-07 continuous monitoring maintains ongoing vulnerability awareness. CA-08 penetration testing discovers exploitable vulnerabilities. SI-02 flaw remediation addresses patching. CM-04 impact analyses and CM-06 configuration settings prevent configuration-based vulnerabilities.

Gaps

FFIEC expects vulnerability assessment programs to cover all technology layers including legacy systems common in banking. SP 800-53 provides comprehensive vulnerability management but does not address banking-specific legacy system challenges (e.g., end-of-support mainframes running core banking).

II.B Risk Measurement

Rationale

RA-02 security categorization provides impact-based risk measurement. RA-03 risk assessment includes likelihood and impact analysis. RA-07 (Rev 5) risk response documents risk acceptance decisions. RA-09 (Rev 5) criticality analysis measures asset criticality. PM-09 risk management strategy establishes risk tolerance and measurement methodology. PM-28 (Rev 5) risk framing provides organizational context for risk measurement. CA-02 control assessments measure residual risk after controls.

Gaps

FFIEC's risk measurement guidance references specific methodologies including inherent risk profiling and maturity assessment (as in the FFIEC Cybersecurity Assessment Tool). These structured measurement frameworks and their specific rating scales are regulatory tools without SP 800-53 equivalents.

II.C.1 Policies, Standards, and Procedures

Rationale

SP 800-53 has a comprehensive policy control (-01) in every family, directly mapping to FFIEC's requirement for documented policies across all security domains. PL-01 planning policy, PL-02 system security plans, PL-03 plan updates, PL-07 concept of operations, and PL-08 security architecture provide the planning framework. PM-01 program plan, PM-04 POA&M process, PM-05 information system inventory, and PM-06 performance measures address program-level documentation. Each family's -01 control (AC-01 through SR-01) establishes domain-specific policies, standards, and procedures.

Gaps

FFIEC expects policies to reference specific regulatory requirements (GLBA, Reg P, BSA/AML, interagency guidance) and to be approved by the board of directors. SP 800-53 policy controls are comprehensive but do not reference banking regulatory requirements or board-level approval mandates.

II.C.2 Technology Design

Rationale

PL-08 security architecture and PL-09 (Rev 5) central management establish architectural design principles. SA-03 system development lifecycle, SA-04 acquisition process, SA-08 security engineering principles, and SA-17 developer security architecture/design address secure design methodology. SC-02 application partitioning, SC-03 security function isolation, SC-07 boundary protection, SC-32 system partitioning, and SC-39 process isolation implement defense-in-depth design. CM-02 baseline configuration establishes design standards.

Gaps

FFIEC's technology design guidance references layered security (defense-in-depth) specific to banking architectures including core banking interfaces, payment system integration, and ATM/POS network segmentation. SP 800-53 provides excellent design controls but without banking-specific architectural patterns.

II.C.3 Control Types

Rationale

FFIEC's control types section categorizes controls as preventive, detective, and corrective, aligning directly with SP 800-53's control classification. PL-02 system security plans document control selection. PL-08 security architecture designs layered controls. CA-02 control assessments evaluate control effectiveness across all types. CA-05 POA&M and PM-04 POA&M process manage control deficiencies. SA-08 security engineering principles guide control selection and layering.

Gaps

FFIEC's control types discussion is primarily educational/examination guidance explaining how examiners evaluate control adequacy. The prescriptive-vs-descriptive nature of examination guidance is not directly mappable to SP 800-53 implementation controls.

II.C.4 Control Implementation

Rationale

CA-02 control assessments verify implementation effectiveness. CA-05 POA&M tracks implementation gaps. CA-06 security authorization ensures controls are implemented before system operation. CA-07 continuous monitoring validates ongoing implementation. PM-04 POA&M process manages remediation. PM-06 performance measures evaluate implementation quality. PM-14 testing/exercises validate operational effectiveness. PL-02 system security plans document implemented controls.

Gaps

FFIEC expects institutions to demonstrate control implementation proportional to risk profile and institution complexity. Examiner assessment of implementation adequacy relative to institution size is a regulatory judgment not addressed by SP 800-53.

II.C.5 Inventory and Classification of Assets

Rationale

CM-08 system component inventory is the primary asset inventory control. CM-09 configuration management plan governs inventory processes. CM-12 (Rev 5) information location identifies where sensitive information resides, directly supporting FFIEC's data classification requirements. CM-13 (Rev 5) data action mapping documents data flows. PM-05 system inventory provides enterprise-level asset tracking. RA-02 security categorization classifies systems by impact level. RA-09 (Rev 5) criticality analysis identifies critical assets. MP-04 media storage addresses physical asset classification. SC-16 transmission of security attributes supports classification labels.

Gaps

FFIEC asset classification expects institutions to identify and classify customer financial data (deposits, loans, account records) per GLBA requirements. SP 800-53 provides excellent general classification controls but does not address banking-specific data categories or GLBA classification requirements.

II.C.6 Mitigating Interconnectivity Risk

Rationale

SC-07 boundary protection is the primary network segmentation control. SC-08 transmission confidentiality and integrity protects interconnections. SC-10 network disconnect manages session security. SC-20/SC-21/SC-22 provide secure name/address resolution. SC-23 session authenticity protects communication sessions. CA-03 information exchange and CA-09 (Rev 5) internal system connections manage interconnection agreements. AC-04 information flow enforcement and AC-20 use of external systems control data flows across boundaries. SA-09 external system services manages third-party interconnections.

Gaps

FFIEC specifically addresses payment network interconnections (FedLine, SWIFT, ACH, card networks) and correspondent banking connections. These financial-sector-specific interconnection types and their regulatory requirements are not enumerated in SP 800-53.

II.C.7 User Security Controls

Rationale

PS-01 through PS-09 comprehensively address personnel security including screening (PS-03), termination (PS-04), transfer (PS-05), access agreements (PS-06), external personnel (PS-07), sanctions (PS-08), and PS-09 (Rev 5) position descriptions. AC-02 account management, AC-05 separation of duties, and AC-06 least privilege implement user access controls. PL-04 rules of behavior establishes acceptable use. AT-02/AT-03 provide security awareness and role-based training.

Gaps

FFIEC's user security controls include GLBA-mandated employee screening requirements specific to financial institution staff handling customer information. SP 800-53 covers personnel security broadly but not GLBA-specific vetting requirements.

II.C.7(a) Security Screening in Hiring Practices

Rationale

PS-03 personnel screening is the direct mapping, covering background investigations before granting access. PS-02 position risk designation classifies positions by sensitivity, informing screening depth. PS-06 access agreements formalizes pre-employment security obligations. PS-07 external personnel extends screening to contractors. PS-09 (Rev 5) position descriptions ensures security responsibilities are documented in job descriptions.

Gaps

FFIEC references Section 19 of the Federal Deposit Insurance Act (FDIA) prohibiting individuals with criminal histories from banking employment. This statutory prohibition and FDIC waiver process are US banking-specific requirements not addressed by SP 800-53.

II.C.7(b) User Access Program

Rationale

AC-02 account management addresses the full user access lifecycle (provisioning, review, de-provisioning). AC-03 access enforcement implements authorization. AC-05 separation of duties prevents conflicts. AC-06 least privilege limits access. AC-24 (Rev 5) access control decisions supports fine-grained authorization. IA-01 through IA-05 cover identification, authentication, identifier management, and authenticator management. IA-12 (Rev 5) identity proofing strengthens enrollment processes.

Gaps

FFIEC user access programs expect periodic access recertification by business line managers specific to financial application access (e.g., wire transfer, general ledger, trading systems). SP 800-53 covers access review but not the banking-specific recertification cadence expectations.

II.C.7(c) Segregation of Duties

Rationale

AC-05 separation of duties directly addresses segregation of incompatible functions, a cornerstone of banking internal controls. CM-05 access restrictions for change limits change authority to prevent unauthorized modifications. PS-02 position risk designation informs duty segregation decisions based on role sensitivity.

Gaps

FFIEC's segregation of duties expectations reference banking-specific duty conflicts (e.g., separating wire initiation from approval, loan origination from disbursement, trading from settlement). These financial process-specific segregation requirements are beyond SP 800-53's general control scope.

II.C.7(d) Confidentiality Agreements

Rationale

PS-06 access agreements directly addresses confidentiality and non-disclosure agreements before information access. PS-07 external personnel extends confidentiality requirements to third parties. PL-04 rules of behavior establishes acceptable use and confidentiality expectations for all users.

Gaps

FFIEC expects confidentiality agreements to specifically reference GLBA Section 501(b) customer information protection requirements. SP 800-53 provides the agreement framework but does not prescribe banking-specific statutory references.

II.C.7(e) Training

Rationale

AT-01 security awareness policy establishes training requirements. AT-02 awareness training covers all users. AT-03 role-based training addresses specialized training needs. AT-04 training records maintains evidence. AT-06 (Rev 5) training feedback enables measurement of training effectiveness, directly supporting FFIEC's expectation for measurable security awareness. PM-13 security workforce ensures training adequacy. PM-14 testing/exercises validates training through practical scenarios.

Gaps

FFIEC expects training to cover banking-specific topics including social engineering targeting financial institution employees, fraudulent transaction recognition, and regulatory compliance awareness (BSA/AML red flags, GLBA customer data handling). SP 800-53 training controls are comprehensive but content-neutral.

II.C.8 Physical Security

Rationale

The PE family provides comprehensive physical security coverage. PE-02/PE-03 cover physical access authorizations and physical access control, PE-04/PE-05 cover access control for transmission/display, PE-06 covers monitoring of physical access, PE-07 visitor control, and PE-08 access records. PE-09 through PE-15 cover power, emergency shutoff, environmental controls, fire protection, temperature/humidity, and water damage. PE-16 delivery/removal, PE-17 alternate work site, PE-18 location of components, PE-19 information leakage, and PE-20 asset monitoring provide additional coverage.

Gaps

FFIEC physical security references banking-specific facilities including vault areas, ATM locations, check processing centers, and branch offices. SP 800-53 PE controls are facility-agnostic and do not address bank branch physical security or vault access requirements.

II.C.9 Network Controls

Rationale

SC-07 boundary protection provides firewall and segmentation controls. SC-08 transmission confidentiality/integrity secures network communications. SC-10 network disconnect handles idle sessions. SC-11 trusted path establishes secure communication channels. SC-23 session authenticity validates sessions. SC-44 detonation chambers support advanced network threat analysis. AC-04 information flow enforcement, AC-17 remote access, and AC-18 wireless access control network data flows. SI-04 system monitoring detects network anomalies. CA-03 system interconnections manages network boundaries.

Gaps

FFIEC network controls guidance addresses banking-specific network architectures including payment processing networks, core banking system segmentation, and real-time transaction monitoring networks. These financial network topology requirements are not specified in SP 800-53.

II.C.10 Change Management Within the IT Environment

Rationale

CM-03 configuration change control is the primary change management control, requiring documented change requests, impact analysis, approval, and verification. CM-01 policy establishes change management governance. CM-02 baseline configuration defines the controlled state. CM-04 impact analyses evaluates change effects. CM-05 access restrictions for change limits change authority. CM-06 configuration settings maintains secure configurations. CM-07 least functionality reduces attack surface. CM-09 configuration management plan documents the overall process. SA-10 developer configuration management extends change control to development.

Gaps

FFIEC change management expectations include regulatory notification requirements for significant technology changes and examiner assessment of change management maturity. These examination-specific expectations are beyond SP 800-53's scope.

II.C.11 End-of-Life Management

Rationale

SA-22 unsupported system components directly addresses end-of-life management, requiring identification and replacement/mitigation of unsupported components. CM-07 least functionality supports decommissioning unnecessary components. CM-08 system component inventory tracks lifecycle status. CM-11 user-installed software prevents unauthorized software. SI-02 flaw remediation manages patching through end-of-life. RA-05 vulnerability monitoring identifies end-of-life exposure.

Gaps

FFIEC's end-of-life guidance specifically addresses legacy banking systems (mainframes, middleware, core platforms) where replacement cycles span years and require regulatory engagement. SP 800-53 SA-22 covers unsupported components generically but does not address the multi-year migration planning and examiner oversight typical in banking.

II.C.12 Malware Mitigation

Rationale

SI-03 malicious code protection is the primary anti-malware control. SI-04 system monitoring detects malware activity. SI-07 software/firmware/information integrity validates system integrity. SI-08 spam protection blocks a common malware delivery vector. SI-16 memory protection prevents exploitation. SC-07 boundary protection blocks malware at the network perimeter. SC-18 mobile code controls risky code execution. SC-44 detonation chambers provide advanced malware analysis (sandboxing). AT-02 security awareness training educates users on malware threats.

Gaps

FFIEC malware guidance references banking-specific malware threats (e.g., banking trojans, POS malware, ATM jackpotting malware). SP 800-53 provides comprehensive malware controls without enumerating financial-sector-specific malware types.

II.C.13 Control of Information

Rationale

MP-01 through MP-07 provide comprehensive media protection covering policy, access, marking, storage, transport, sanitization, and use. SC-08 transmission confidentiality/integrity protects information in transit. SC-28 protection of information at rest secures stored data. AC-04 information flow enforcement controls data movement. AC-21 information sharing restricts data exchange. AC-22 publicly accessible content controls public information. SI-12 information management and retention addresses lifecycle management.

Gaps

FFIEC's information control expectations reference GLBA customer information disposal requirements (FTC Disposal Rule) and banking-specific records retention schedules. SP 800-53 covers information handling broadly but without banking-specific statutory requirements.

II.C.13(a) Storage

Rationale

SC-28 protection of information at rest is the primary storage protection control, covering encryption of stored data. MP-02 media access restricts who can access storage media. MP-04 media storage secures physical media storage locations. AC-03/AC-06 access enforcement and least privilege control logical access to stored information. PE-03 physical access control protects physical storage locations.

Gaps

FFIEC storage guidance addresses banking-specific data retention for regulatory examinations, litigation holds, and BSA/AML record-keeping requirements. These statutory storage obligations are beyond SP 800-53's technical storage controls.

II.C.13(b) Electronic Transmission of Information

Rationale

SC-08 transmission confidentiality and integrity directly secures electronic transmission. SC-12 cryptographic key management and SC-13 cryptographic protection provide the encryption framework for secure transmission. SC-23 session authenticity validates communication endpoints. AC-04 information flow enforcement controls permitted transmission paths. AC-17 remote access secures remote data transmission.

Gaps

FFIEC transmission guidance references specific financial messaging protocols (SWIFT, FedLine, ACH file transmission) and their mandated security requirements. SP 800-53 provides transmission security generically without addressing banking payment protocol requirements.

II.C.13(c) Disposal of Information

Rationale

MP-06 media sanitization directly addresses information disposal through clearing, purging, and destruction methods. SI-12 information management and retention governs retention and disposal policies. MP-05 media transport ensures secure handling during transport to disposal.

Gaps

FFIEC disposal references the FTC Disposal Rule under FACTA requiring proper disposal of consumer report information. SP 800-53 covers sanitization methods but not the statutory consumer data disposal obligations specific to financial institutions.

II.C.13(d) Transit of Physical Media

Rationale

MP-05 media transport directly addresses physical media transit controls including custodial tracking, encryption, and authorized courier use. MP-07 media use restricts media usage to authorized devices. PE-16 delivery and removal controls physical entry/exit of media from facilities.

Gaps

FFIEC physical media transit references banking-specific transport scenarios (check transport, backup tape courier, ATM cassette delivery). SP 800-53 covers general media transport without financial-specific chain-of-custody requirements.

II.C.13(e) Rogue or Shadow IT

Rationale

CM-07 least functionality removes unauthorized software/services. CM-08 system component inventory identifies sanctioned components. CM-10 software usage restrictions and CM-11 user-installed software prevent unauthorized application deployment. AC-20 use of external systems controls shadow cloud service usage. PM-05 system inventory maintains authorized system records. AT-02 security awareness training educates users on shadow IT risks and reporting procedures.

Gaps

FFIEC's shadow IT guidance specifically addresses cloud service sprawl, unauthorized SaaS adoption by business lines, and employee use of personal devices for banking operations. SP 800-53 controls address the concept but not the banking-specific shadow IT governance challenges.

II.C.14 Supply Chain

Rationale

The SR family (Rev 5) provides comprehensive supply chain risk management. SR-01 policy, SR-02 supply chain risk management plan, SR-03 supply chain controls and processes, SR-04 provenance, SR-05 acquisition strategies, SR-06 supplier assessments, SR-07 supply chain operations security, SR-08 notification agreements, SR-09 tamper resistance, SR-10 inspection of systems, SR-11 component authenticity, and SR-12 component disposal cover the full supply chain lifecycle. SA-04 acquisition process, SA-09 external system services, and SA-22 unsupported components address procurement and lifecycle management.

Gaps

FFIEC supply chain guidance references banking-specific vendor concentration risk (e.g., core banking processors, card networks) and regulatory expectations for critical service provider oversight per FFIEC Outsourcing Technology booklet. SP 800-53's SR family addresses supply chain broadly but not financial-sector concentration risk.

II.C.15 Logical Security

Rationale

AC-01 through AC-11 provide comprehensive logical access controls including policy, account management, enforcement, information flow, separation of duties, least privilege, unsuccessful logon attempts, system use notification, previous logon notification, concurrent session control, and session lock. IA-01 through IA-12 cover identification and authentication across all user types including IA-08 identification of non-organizational users and IA-12 (Rev 5) identity proofing. AU-02/AU-03/AU-06/AU-12 provide audit logging and analysis for logical access events.

Gaps

FFIEC logical security references FFIEC Authentication Guidance for multi-factor authentication in internet banking and layered security for online transactions. These banking-specific authentication requirements exceed SP 800-53's general MFA guidance.

II.C.15(a) Operating System Access

Rationale

AC-03 access enforcement and AC-06 least privilege control OS-level access. IA-02 identification and authentication verifies OS user identity. IA-05 authenticator management secures OS credentials. CM-06 configuration settings hardens OS security settings. CM-07 least functionality reduces OS attack surface. SC-39 process isolation and SC-03 security function isolation protect OS kernel integrity.

Gaps

FFIEC OS access guidance addresses hardening requirements for banking-specific operating environments including mainframe access controls (RACF, ACF2, Top Secret) common in core banking. SP 800-53 covers OS security generically without legacy mainframe-specific guidance.

II.C.15(b) Application Access

Rationale

AC-03 access enforcement and AC-06 least privilege control application-level access. AC-24 (Rev 5) access control decisions provides fine-grained application authorization. IA-02 user identification/authentication and IA-08 non-organizational user identification secure application login. SC-02 application partitioning isolates security functions within applications. SA-11 developer testing validates application security controls.

Gaps

FFIEC application access references banking-specific applications (wire transfer, ACH origination, loan origination systems) with dual-control and dual-authorization requirements. SP 800-53 covers application access generically without financial transaction-specific controls.

II.C.15(c) Remote Access

Rationale

AC-17 remote access is the primary control, covering VPN, remote desktop, and telework access. AC-18 wireless access controls wireless connectivity. AC-19 access control for mobile devices secures mobile platforms. AC-20 use of external systems restricts external access. IA-02/IA-08 authenticate remote users. SC-08 transmission confidentiality, SC-10 network disconnect, SC-12 cryptographic key management, and SC-13 cryptographic protection secure remote communication channels.

Gaps

FFIEC remote access guidance specifically addresses customer-facing remote banking services (online banking, mobile banking) in addition to employee remote access. SP 800-53 covers employee remote access comprehensively but does not address customer-facing channel security.

II.C.16 Customer Remote Access to Financial Services

Rationale

AC-17 remote access and AC-20 external systems provide baseline access control. IA-02/IA-08 identification and authentication address customer authentication. SC-07 boundary protection, SC-08 transmission security, SC-12/SC-13 cryptographic controls, and SC-23 session authenticity protect customer-facing channels. SI-04 system monitoring enables transaction monitoring. PT-01/PT-02/PT-03 (Rev 5) privacy controls address customer data protection, notice, and consent.

Gaps

Significant gap. FFIEC's customer remote access section specifically addresses online/mobile banking security, layered security controls, customer authentication guidance (2005/2011 FFIEC Authentication Guidance), anomalous transaction detection, customer notification, and Reg E/UCC Article 4A liability allocation. These are banking-specific customer-facing requirements well beyond SP 800-53's enterprise security scope.

II.C.17 Application Security

Rationale

SA-03 system development lifecycle, SA-04 acquisition process, SA-08 security engineering principles, SA-10 developer configuration management, SA-11 developer testing and evaluation, SA-15 development process standards, and SA-17 developer security architecture provide comprehensive application security lifecycle coverage. SI-10 information input validation and SI-11 error handling address runtime application security. CM-04 impact analyses and CM-14 (Rev 5) signed components ensure application integrity through change management.

Gaps

FFIEC application security references banking-specific application testing requirements including transaction integrity validation, financial calculation accuracy, and regulatory reporting application assurance. SP 800-53 covers application security generically without financial application-specific testing requirements.

II.C.18 Database Security

Rationale

AC-03 access enforcement and AC-06 least privilege control database access. SC-28 protection of information at rest secures database storage, including encryption. AU-02 event logging, AU-03 content of audit records, AU-06 audit record review and analysis, and AU-12 audit record generation together provide database activity monitoring. CM-06 configuration settings hardens database security settings. SC-04 information in shared system resources prevents unauthorized data access between database users.

Gaps

FFIEC database security expects specific controls for financial databases including database activity monitoring (DAM), privileged user access controls for DBAs with access to customer financial records, and data masking for non-production environments containing real customer data. These database-specific operational controls exceed SP 800-53's general access and audit scope.

II.C.19 Encryption

Rationale

SC-08 transmission confidentiality and integrity mandates encryption in transit. SC-12 cryptographic key establishment and management addresses the full key lifecycle. SC-13 cryptographic protection specifies approved algorithms (FIPS-validated). SC-17 PKI certificates governs certificate management. SC-28 protection of information at rest mandates encryption at rest. IA-07 cryptographic module authentication validates cryptographic implementations.

Gaps

FFIEC encryption guidance references banking-specific requirements including FFIEC Authentication Guidance encryption expectations, PCI DSS cardholder data encryption alignment, and FIPS 140-2/140-3 validation requirements for modules handling financial data. SP 800-53 covers cryptographic controls comprehensively but FFIEC adds financial-sector-specific encryption mandates.

II.C.20 Oversight of Third-Party Service Providers

Rationale

SA-04 acquisition process and SA-09 external system services manage vendor selection and service agreements. SR-01/SR-02/SR-03/SR-06 provide supply chain risk management including assessments. PS-07 external personnel addresses third-party staffing. CA-03/CA-09 (Rev 5) manage system interconnections with service providers. PM-30 (Rev 5) supply chain risk management strategy and PM-31 (Rev 5) acquisition policy for supply chain provide enterprise-level third-party oversight.

Gaps

Significant gap. FFIEC's third-party oversight references the FFIEC Outsourcing Technology booklet and interagency guidance on third-party risk management (OCC 2013-29/2023-17), requiring due diligence, contract management, ongoing monitoring, and business continuity planning specific to critical banking service providers (core processors, payment networks, cloud service providers). These examiner expectations for vendor management maturity exceed SP 800-53's general supply chain controls.

II.D Risk Monitoring and Reporting

Rationale

CA-07 continuous monitoring is the primary ongoing risk monitoring control. CA-02 control assessments provide periodic risk evaluation. PM-06 performance measures and PM-14 testing/exercises track security program effectiveness. AU-06 audit record review and AU-13 monitoring for information disclosure support risk monitoring. RA-03 risk assessment and RA-07 (Rev 5) risk response document risk status. SI-04 system monitoring provides real-time risk indicators.

Gaps

FFIEC risk reporting expects board-level risk reporting with metrics tailored to director comprehension, regulatory reporting to examiners, and alignment with the institution's risk appetite statement. These governance reporting requirements and examiner communication expectations are beyond SP 800-53's technical monitoring scope.

III.A Threat Identification and Assessment

Rationale

RA-03 risk assessment includes threat assessment. RA-05 vulnerability scanning identifies exploitable weaknesses. RA-10 (Rev 5) threat hunting provides proactive threat discovery. PM-12 insider threat program addresses internal threats. PM-15 contacts with security groups and PM-16 threat awareness program leverage external threat intelligence sources (US-CERT, FS-ISAC). SI-04 system monitoring and SI-05 security alerts/advisories detect and notify on threats. CA-07 continuous monitoring maintains ongoing threat awareness.

Gaps

FFIEC threat assessment expects institutions to assess threats from government sources (US-CERT), sector sources (FS-ISAC), and institution-specific intelligence. While PM-15/PM-16 address this, FFIEC's specific expectation for participation in financial sector information sharing exceeds SP 800-53's general guidance.

III.B Threat Monitoring

Rationale

SI-04 system monitoring is the primary threat monitoring control. SI-05 security alerts/advisories and SI-07 integrity verification support monitoring activities. The AU family provides comprehensive audit capabilities: AU-02 event logging, AU-03 content of audit records, AU-04 audit log storage, AU-05 response to processing failures, AU-06 review/analysis, AU-07 audit record reduction and report generation, AU-08 time stamps, AU-09 protection of audit information, AU-11 retention, AU-12 generation, AU-13 monitoring for information disclosure, and AU-14 session audit. CA-07 continuous monitoring maintains ongoing vigilance. IR-04 incident handling provides response when threats are detected.

Gaps

FFIEC threat monitoring guidance addresses financial transaction monitoring, suspicious activity identification (for BSA/AML and fraud detection), and network monitoring specific to payment processing environments. SP 800-53 provides comprehensive monitoring controls but not financial transaction-specific monitoring requirements.

III.C Incident Identification and Assessment

Rationale

IR-01 incident response policy establishes classification and identification procedures. IR-04 incident handling includes detection and analysis phases. IR-05 incident monitoring tracks incidents. IR-06 incident reporting addresses internal and external notification. IR-09 (Rev 5) information spillage response handles data breach incidents. SI-04 system monitoring and SI-05 security alerts support incident detection. AU-06 audit review/analysis identifies potential incidents from log data.

Gaps

FFIEC incident classification expects severity levels tied to banking-specific impact criteria (customer account compromise, payment system disruption, regulatory notification thresholds). SAR filing requirements for cyber incidents per FinCEN guidance and interagency notification requirements are US banking-specific obligations not addressed by SP 800-53.

III.D Incident Response

Rationale

IR-01 through IR-08 provide comprehensive incident response: policy (IR-01), training (IR-02), testing (IR-03), handling (IR-04), monitoring (IR-05), reporting (IR-06), assistance (IR-07), and response plan (IR-08). CP-02 contingency planning and CP-10 system recovery support business continuity during incidents. PM-14 testing/exercises validates response readiness. SI-05 security alerts supports coordination.

Gaps

FFIEC incident response references banking-specific obligations: SAR filing (FinCEN), primary regulator notification (OCC/FDIC/Fed/NCUA), law enforcement coordination (FBI/Secret Service), customer notification (state breach notification laws), and coordination with payment networks for card compromise. SP 800-53 covers incident response broadly but not these multi-stakeholder banking regulatory notification chains.

IV.A Assurance and Testing

Rationale

CA-02 control assessments evaluates control effectiveness. CA-05 POA&M tracks remediation. CA-07 continuous monitoring provides ongoing assurance. CA-08 penetration testing validates security posture. PM-06 performance measures quantifies program effectiveness. PM-14 testing/exercises validates operational readiness. SA-11 developer testing evaluates development security. RA-05 vulnerability scanning identifies exploitable weaknesses.

Gaps

FFIEC assurance expectations include examiner-driven testing requirements and regulatory examination procedures (the Appendix A exam procedures). SP 800-53 covers security testing comprehensively but the regulatory examination process itself is a supervisory function beyond technical controls.

IV.A.1 Key Testing Factors

Rationale

CA-02 control assessments addresses scope and methodology of testing. CA-08 penetration testing covers testing depth and technique. PM-06 performance measures ensures meaningful test metrics. PM-14 testing/exercises establishes testing cadence and coverage. AT-03 role-based training ensures tester competency, aligning with FFIEC's emphasis on tester qualifications.

Gaps

FFIEC's key testing factors include tester notification management (who knows about tests), test scope validation by management, and regulatory expectations for testing frequency proportional to risk profile. These examination-specific factors exceed SP 800-53's general testing guidance.

IV.A.2 Types of Tests and Evaluations

Rationale

CA-02 control assessments covers self-assessments and audit evaluations. CA-08 penetration testing directly maps to FFIEC's penetration test requirements. RA-05 vulnerability scanning maps to vulnerability assessments. SA-11 developer testing addresses application testing. PM-14 testing/exercises covers tabletop and operational exercises. Together these address FFIEC's four test types: self-assessments, penetration tests, vulnerability assessments, and audits.

Gaps

FFIEC expects social engineering testing as part of the penetration testing program and specific testing of business continuity for critical banking functions. SP 800-53 CA-08 covers penetration testing but does not prescribe social engineering testing scope for financial institutions.

IV.A.3 Independence of Tests and Audits

Rationale

CA-02 control assessments includes requirements for assessor independence. CA-08 penetration testing by independent parties addresses external testing independence. CA-07 continuous monitoring provides independent validation. PM-14 testing/exercises can require independent exercise teams. SP 800-53 addresses independence in control assessment contexts.

Gaps

FFIEC independence requirements reference banking regulatory examination standards including independence of internal audit from IT management, external audit independence per FDICIA requirements for institutions over $500M, and regulatory expectations for rotating test providers. These regulatory audit independence standards exceed SP 800-53's general independence guidance.

IV.A.4 Assurance Reporting

Rationale

CA-02 control assessments generates assessment reports. CA-05 POA&M provides remediation status reporting. PM-06 performance measures produces program effectiveness metrics. AU-06 audit review/analysis and AU-07 audit reduction/report generation support security reporting. PL-02 system security plans documents the security posture baseline for reporting.

Gaps

FFIEC assurance reporting expects reports to be formatted for board consumption, filed with primary regulators, and aligned with examination report formats. SOC 2 reports for service providers and FFIEC Cybersecurity Assessment Tool results are expected reporting artifacts not addressed by SP 800-53's general reporting controls.

Methodology and Disclaimer

This coverage analysis maps from FFIEC IS clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.