FINMA Circular 2023/1 Operational Risk and Resilience — Banks — SP 800-53 Coverage
How well do NIST SP 800-53 Rev 5 controls address each FINMA Circular 2023/1 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.
Clause-by-Clause Analysis
IV.A(23) ICT governance framework and policies
Rationale
Comprehensive coverage via policy controls across all families (AC-01, AT-01, AU-01, CA-01, CM-01, CP-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PL-02, PL-06, PS-01, RA-01, SA-01, SA-02, SC-01, SI-01, SR-01) plus CA-06 authorization and PL-03 plan update. PL-09 (new in Rev 5) central management strengthens governance by enabling unified control administration; PL-10 baseline selection and PL-11 baseline tailoring support governance-level control standard decisions.
Gaps
FINMA requires Swiss-specific governance with board-level accountability for ICT strategy. SP 800-53 covers a comprehensive policy framework but not Swiss regulatory board oversight requirements or FINMA-specific governance reporting. PL-09/10/11 improve central governance but do not address Swiss board accountability structures.
IV.A(24) ICT strategy alignment with business strategy
Rationale
AC-01 and CA-01 policy; CA-06 authorization; PL-01/PL-02/PL-06 planning; SA-02 resource allocation. PL-09 (new in Rev 5) central management provides a mechanism for strategy-to-control alignment by establishing central oversight.
Gaps
FINMA requires ICT strategy to be approved by senior management and aligned with business strategy. SP 800-53 covers security planning and resource allocation but not Swiss-specific ICT strategy alignment with business objectives. PL-09 improves central coordination but does not close the strategic alignment gap.
IV.A(25) ICT strategy documentation and updates
Rationale
PL-02 system security plan; PL-03 plan update; SA-02 resource allocation. PL-10 (new in Rev 5) baseline selection and PL-11 baseline tailoring add documented processes for selecting and customizing control baselines, which support strategy documentation cycles.
Gaps
FINMA requires regular ICT strategy review and update cycles with documented approval. SP 800-53 covers plan documentation and updates. PL-10/PL-11 add baseline documentation, but the FINMA-specific strategy review cadence remains a gap.
IV.A(28) ICT infrastructure management and operations
Rationale
Extensive coverage via AU-04/AU-08 audit infrastructure; CM-01/CM-02/CM-06/CM-07/CM-08 configuration management; CP-08 telecommunications; MA family maintenance; PE family physical protection; SA-03/SA-05/SA-06/SA-08 system acquisition; SC-06/SC-20/SC-21/SC-22 network services. MA-07 (new in Rev 5) field maintenance adds off-site equipment servicing; PE-21 electromagnetic pulse protection, PE-22 component marking, PE-23 facility location expand physical infrastructure protection; CM-12 information location tracks where sensitive data resides across infrastructure; SI-13 predictive maintenance enables proactive failure prevention.
Gaps
Minor: FINMA-specific requirements for Swiss financial institution ICT infrastructure standards. SP 800-53 provides comprehensive technical infrastructure controls now strengthened by Rev 5 additions for field maintenance and physical resilience.
IV.A(29) ICT capacity and performance management
Rationale
AU-04 audit storage capacity; CM-02/CM-06/CM-08 configuration management; MA-02/MA-03/MA-06 maintenance; SA-08 security engineering; SC-06 resource priority. SI-13 (new in Rev 5) predictive maintenance enables proactive capacity monitoring and failure prediction, directly supporting performance management.
Gaps
FINMA requires specific capacity planning and performance monitoring for financial services. SP 800-53 covers capacity and performance through multiple controls. SI-13 improves proactive monitoring, but financial sector-specific SLA requirements remain a gap.
IV.A(30) ICT asset inventory
Rationale
CM-02 baseline configuration; CM-08 component inventory. CM-12 (new in Rev 5) information location identifies where sensitive data resides, enriching the asset inventory with data-to-asset mapping; CM-13 data action mapping documents data processing flows across inventoried components.
Gaps
Minor: FINMA requires comprehensive ICT asset inventory. SP 800-53 CM-08 provides thorough component inventory, now enhanced by CM-12/CM-13 for data location and flow mapping.
IV.A(31) ICT architecture documentation
Rationale
CM-02 baseline configuration. CM-12 (new in Rev 5) information location and CM-13 data action mapping document where data resides and how it flows, supporting architecture documentation. PL-09 central management provides architectural visibility across controls.
Gaps
FINMA requires documented ICT architecture including network diagrams and system interconnections. CM-12/CM-13 improve data architecture documentation but comprehensive network and application architecture diagrams remain outside SP 800-53 scope.
IV.A(36) ICT change management framework
Rationale
CM-01 configuration management policy; CM-03/CM-04/CM-05 change control; MA-01/MA-02 maintenance policy; SA-01/SA-03/SA-05/SA-06/SA-07/SA-10/SA-11 acquisition and development lifecycle; SI-02 flaw remediation. CM-14 (new in Rev 5) signed components verifies integrity of changed software/firmware through cryptographic signatures, strengthening change management assurance.
Gaps
Minor: SP 800-53 provides comprehensive change management through CM and SA families, now with CM-14 for change integrity verification.
IV.A(37) Change control process and testing
Rationale
CM-03/CM-04/CM-05 change control and monitoring; SA-03 lifecycle support; SA-10 developer configuration management; SA-11 developer security testing. CM-14 (new in Rev 5) signed components ensures that changes are cryptographically verified before deployment.
Gaps
Minor: FINMA requires formal testing and approval processes for changes. SP 800-53 CM and SA families cover this comprehensively, strengthened by CM-14 integrity verification.
IV.A(38) Change impact analysis
Rationale
CM-03 configuration change control; CM-04 monitoring configuration changes; SA-10 developer configuration management. RA-07 (new in Rev 5) risk response adds explicit risk treatment actions that support structured impact analysis for proposed changes.
Gaps
Minor: FINMA requires documented change impact analysis. SP 800-53 CM-03, CM-04, and RA-07 cover change analysis, monitoring, and risk response.
IV.A(39) Change approval and documentation
Rationale
CM-03 configuration change control; SA-10 developer configuration management. CM-14 (new in Rev 5) signed components provides cryptographic evidence of authorized changes, supporting documented approval chains.
Gaps
Minor: FINMA requires formal change approval with documentation. SP 800-53 CM-03 provides change control with approval mechanisms, now supplemented by CM-14 for verifiable approval evidence.
IV.A(40) Emergency change procedures
Rationale
CM-03 configuration change control including emergency changes. RA-07 (new in Rev 5) risk response provides a framework for risk-based decisions during emergency change scenarios.
Gaps
FINMA requires specific emergency change procedures with retrospective approval. SP 800-53 CM-03 covers emergency changes and RA-07 adds risk treatment. FINMA-specific financial sector urgency protocols and retrospective approval timelines remain a gap.
IV.A(41) Incident management framework
Rationale
AU-05 audit processing failures; IR-01 through IR-05/IR-07 incident response family; SI-11 error handling. IR-09 (new in Rev 5) information spillage response adds specific handling for data breach/spillage incidents, which is directly relevant to FINMA's data protection incident requirements.
Gaps
FINMA requires Swiss financial sector incident management aligned with FINMA reporting requirements. SP 800-53 IR family provides strong incident management with IR-09 for spillage. FINMA-specific escalation and reporting timelines remain a gap.
IV.A(42) Incident classification and prioritisation
Rationale
IR-02 incident response training; IR-04 incident handling with classification. RA-07 (new in Rev 5) risk response supports risk-based incident prioritization; RA-09 criticality analysis identifies critical components to inform incident severity classification.
Gaps
FINMA requires specific incident classification for financial services including severity levels aligned with regulatory thresholds. RA-07/RA-09 improve prioritization but FINMA-specific classification criteria and regulatory thresholds remain a gap.
IV.A(43) Incident response and escalation
Rationale
IR-04 incident handling including containment, eradication, and recovery. IR-09 (new in Rev 5) information spillage response adds specific escalation procedures for data breach scenarios.
Gaps
FINMA requires specific escalation paths to senior management and board. SP 800-53 IR-04 covers incident handling and IR-09 adds spillage escalation, but FINMA-specific escalation to Swiss governance structures needs supplementation.
IV.A(44) Incident monitoring and tracking
IV.A(45) Incident reporting to FINMA
Rationale
IR-06 incident reporting. IR-09 (new in Rev 5) information spillage response provides specific data breach reporting procedures that partially align with FINMA notification requirements.
Gaps
FINMA requires specific incident reporting to FINMA within defined timeframes for material ICT incidents. SP 800-53 IR-06 and IR-09 cover incident reporting but FINMA-specific reporting timelines, formats, and materiality thresholds are Swiss regulatory requirements not addressed by SP 800-53.
IV.A(46) Incident notification to affected parties
Rationale
IR-06 incident reporting. IR-09 (new in Rev 5) information spillage response includes notification procedures for data spillage events affecting third parties.
Gaps
FINMA requires notification of affected clients and counterparties. IR-09 adds spillage notification but Swiss financial sector client notification requirements, including specific timelines and content requirements, are not fully addressed.
IV.B.a(47) Incident lessons learned
Rationale
IR-06 incident reporting. AT-06 (new in Rev 5) training feedback captures lessons from training exercises that can include incident response exercises, supporting the lessons learned cycle.
Gaps
FINMA requires a formal lessons learned process and documented improvements. SP 800-53 IR-06 covers reporting and AT-06 adds feedback mechanisms. A structured post-incident improvement process with documented corrective actions remains a gap.
IV.B.a(48) ICT personnel and security awareness framework
Rationale
AT-01 through AT-05 awareness and training family; PL-01/PL-02/PL-04/PL-06 planning; PS-01/PS-02/PS-03/PS-06/PS-08 personnel security; RA-01 risk assessment policy. AT-06 (new in Rev 5) training feedback measures training effectiveness and captures lessons learned; PS-09 position descriptions explicitly requires incorporating security responsibilities into job roles.
Gaps
Minor: FINMA requires Swiss financial sector-specific personnel security. SP 800-53 provides comprehensive personnel and training controls, now strengthened by AT-06 feedback and PS-09 role definitions.
IV.B.a(49) ICT security training programme
Rationale
AT-01 training policy; AT-02 security awareness; AT-03 security training; AT-04 training records; PL-04 rules of behaviour. AT-06 (new in Rev 5) training feedback provides mechanisms to measure training programme effectiveness and improve content based on participant feedback.
Gaps
Minor: FINMA requires role-based training specific to financial services. SP 800-53 AT family covers training comprehensively with AT-06 adding effectiveness measurement.
IV.B.b(50) Security awareness for all staff
Rationale
AT-02 security awareness; AT-03 security training. AT-06 (new in Rev 5) training feedback enables continuous improvement of awareness programmes based on staff feedback and assessment results.
Gaps
Minor: SP 800-53 AT-02, AT-03, and AT-06 provide comprehensive security awareness with feedback mechanisms.
IV.B.b(51) Ongoing security awareness updates
Rationale
AT-02 security awareness with ongoing updates. AT-06 (new in Rev 5) training feedback supports iterative improvements to awareness content based on measured effectiveness.
Gaps
Minor: SP 800-53 AT-02 covers ongoing awareness. AT-06 adds feedback-driven updates. FINMA expects regular refresh aligned with evolving threats to the financial sector.
IV.B.b(52) Threat intelligence and information sharing
Rationale
AT-05 contacts with security groups and associations; SI-05 security alerts and advisories. RA-07 (new in Rev 5) risk response provides a framework for acting on threat intelligence through structured risk treatment decisions.
Gaps
FINMA encourages participation in financial sector threat intelligence sharing (e.g., Swiss Financial CERT). SP 800-53 AT-05 and SI-05 cover external contacts and alerts. RA-07 improves the threat-to-action pipeline, but Swiss-specific financial sector ISAC participation is not addressed.
IV.B.c(53) External threat intelligence sources
Rationale
AT-05 contacts with security groups; SI-05 security alerts and advisories. RA-07 (new in Rev 5) risk response supports integration of external threat intelligence into risk treatment decisions.
Gaps
FINMA expects use of financial sector-specific threat intelligence feeds. SP 800-53 covers external threat sources, with RA-07 adding an action framework, but Swiss financial sector-specific intelligence feeds remain a gap.
IV.B.c(54) ICT risk assessment framework
Rationale
CA-05 POA&M; CM-08 component inventory; PS-02 position categorisation; RA-01 through RA-05 risk assessment family. RA-06 (new in Rev 5) technical surveillance countermeasures; RA-07 risk response adds explicit risk treatment actions; RA-08 privacy impact assessment extends risk to privacy domain; RA-09 criticality analysis identifies critical components for risk-based prioritization. Together these substantially strengthen the risk assessment framework.
Gaps
FINMA requires ICT risk assessment aligned with Swiss financial regulatory expectations. SP 800-53 RA family now provides comprehensive risk assessment with treatment, privacy, and criticality dimensions. A gap in FINMA-specific risk categories and financial materiality thresholds remains.
IV.B.c(55) ICT risk identification and analysis
Rationale
CA-05 POA&M; CM-08 inventory; RA-02 categorisation; RA-03 risk assessment; RA-04 risk assessment update. RA-07 (new in Rev 5) risk response provides structured treatment; RA-09 criticality analysis enables risk-informed identification of critical components.
Gaps
Minor: SP 800-53 RA family covers risk identification and analysis with RA-07/RA-09 strengthening treatment and prioritization. FINMA-specific financial risk categories may still require supplementation.
IV.B.c(56) Vulnerability management
Rationale
RA-03 risk assessment; RA-05 vulnerability scanning; SI-02 flaw remediation; SI-05 security alerts. RA-06 (new in Rev 5) technical surveillance countermeasures adds detection of unauthorized monitoring; RA-07 risk response supports vulnerability-to-treatment workflow.
Gaps
Minor: SP 800-53 provides comprehensive vulnerability management through RA-05, SI-02, and new Rev 5 additions.
IV.B.c(57) Vulnerability scanning and assessment
Rationale
RA-03 risk assessment; RA-05 vulnerability scanning. RA-06 (new in Rev 5) technical surveillance countermeasures extends scanning scope to detect unauthorized surveillance devices and techniques.
Gaps
Minor: SP 800-53 RA-05 provides strong vulnerability scanning capability, enhanced by RA-06 for surveillance detection.
IV.B.d(58) Risk assessment documentation and review
Rationale
RA-03 risk assessment with documentation requirements. RA-07 (new in Rev 5) risk response documents treatment decisions; RA-09 criticality analysis provides documented assessment of component criticality to support review cycles.
Gaps
Minor: SP 800-53 RA-03 covers risk assessment documentation, strengthened by RA-07/RA-09. FINMA expects regular review cycles aligned with the regulatory calendar.
IV.B.d(59) Access control and security controls framework
Rationale
Extensive coverage via AC family (AC-01 through AC-20); AU-09 audit protection; CM-05 change access restrictions; IA family (IA-01 through IA-07) identification and authentication; MA-04 remote maintenance; MP-02 media access; PE-02/PE-03 physical access; PS-04/PS-05/PS-06 personnel termination/transfer/agreements; SA-08 security engineering; SC family communications protection; SI family system integrity. CA-09 (new in Rev 5) internal system connections authorizes and monitors internal connections; SC-24 fail in known state ensures security during failures; SC-46 cross-domain policy enforcement supports inter-domain access control; SC-48 sensor relocation adds dynamic sensor repositioning for monitoring.
Gaps
Minor: SP 800-53 provides comprehensive access control and security now enhanced by Rev 5 internal connection authorization, fail-safe, and cross-domain controls.
IV.B.d(60) Identity and access management
Rationale
AC-01/AC-02/AC-03/AC-05/AC-06/AC-13 access control; IA-01/IA-02/IA-04/IA-05 identification and authentication; PS-04/PS-05 personnel termination and transfer. PS-09 (new in Rev 5) position descriptions ties identity to role-based access by defining security responsibilities in job descriptions; CA-09 internal system connections strengthens internal identity controls.
Gaps
Minor: SP 800-53 provides comprehensive identity and access management controls, now with PS-09 for role-to-identity binding and CA-09 for internal connection identity.
IV.C(61) Authentication and session management
Rationale
AC-02/AC-03/AC-06/AC-07/AC-10/AC-11/AC-12 access control; IA-02/IA-05 authentication; SC-10 network disconnect. SC-24 (new in Rev 5) fail in known state ensures authentication systems fail securely, maintaining session integrity during component failures.
Gaps
Minor: SP 800-53 provides strong authentication and session management, enhanced by SC-24 for fail-safe authentication.
IV.C(62) Network security and segmentation
Rationale
AC-04/AC-17/AC-18 information flow and remote/wireless access; CA-03 system connections; IA-03 device authentication; MA-04 remote maintenance; PE-04 transmission medium; SC-02/SC-03/SC-05/SC-07/SC-14/SC-15/SC-19/SC-20/SC-21/SC-22 network protection. CA-09 (new in Rev 5) internal system connections manages internal network authorization; SC-46 cross-domain policy enforcement supports network segmentation between security domains; SC-47 alternate communications channels provides resilient network paths; SC-48 sensor relocation enables dynamic monitoring across network segments.
Gaps
Minor: SP 800-53 provides comprehensive network security controls now enhanced by Rev 5 internal connection, cross-domain, and sensor relocation controls.
IV.C(63) Cryptography and data protection in transit
Rationale
AC-04/AC-17 information flow; IA-07 cryptographic module authentication; MP-05 media transport; PE-19 information leakage; SC-02/SC-03/SC-07/SC-08/SC-09/SC-11/SC-12/SC-13/SC-16/SC-17/SC-19/SC-23 comprehensive cryptographic and communications protection. SC-37 (new in Rev 5) out-of-band channels provides alternative secure communication paths for key exchange and sensitive operations; SC-40 wireless link protection adds protections against wireless eavesdropping and tampering.
Gaps
Minor: SP 800-53 provides comprehensive cryptographic controls now enhanced by SC-37 out-of-band channels and SC-40 wireless protection. Very strong alignment with FINMA cryptography requirements.
IV.C(64) Endpoint and software security
Rationale
AC-19 mobile device access; CM-06/CM-07 configuration and least functionality; SA-07 user-installed software; SC-12/SC-13/SC-17/SC-18 cryptographic and mobile code; SI-02/SI-03/SI-07/SI-08 flaw remediation, malware protection, software integrity. CM-14 (new in Rev 5) signed components verifies software integrity; SC-34 non-modifiable executable programs protects critical endpoint software from modification; SC-44 detonation chambers (sandboxing) enables safe analysis of suspicious endpoint content; SI-16 memory protection (DEP/ASLR) hardens the endpoint runtime environment.
Gaps
Minor: SP 800-53 provides comprehensive endpoint protection now enhanced by Rev 5 code signing, non-modifiable executables, sandboxing, and memory protection.
IV.C(65) Malware protection
Rationale
CM-07 least functionality; SC-05 denial of service protection; SI-03 malicious code protection. SC-44 (new in Rev 5) detonation chambers provides sandboxed malware analysis; SI-16 memory protection adds DEP/ASLR to harden against memory-based attacks.
Gaps
Minor: SP 800-53 SI-03 provides comprehensive malware protection now enhanced by SC-44 sandboxing and SI-16 memory hardening.
IV.C(66) Logging and monitoring framework
Rationale
AU-01 through AU-11 audit family; CA-07 continuous monitoring; CM-04 monitoring; IR-05 incident monitoring; PE-06/PE-08 physical monitoring; SI-01/SI-04/SI-11 system monitoring and error handling. SC-48 (new in Rev 5) sensor relocation enables dynamic repositioning of monitoring sensors to improve detection coverage.
Gaps
Minor: SP 800-53 AU and SI families provide comprehensive logging and monitoring, now enhanced by SC-48 for adaptive sensor placement.
IV.C(67) Security event logging
Rationale
AU-01/AU-02/AU-03/AU-05/AU-06/AU-07/AU-09/AU-10 audit family; CA-07 continuous monitoring; IR-05 incident monitoring; SI-04 system monitoring. SC-48 (new in Rev 5) sensor relocation enables dynamic log collection across network segments.
Gaps
Minor: SP 800-53 AU family provides comprehensive security event logging, enhanced by SC-48.
IV.C(68) Log analysis and correlation
Rationale
AU-02 auditable events; AU-06 audit review and analysis; CA-07 continuous monitoring; SI-04 system monitoring. SC-48 (new in Rev 5) sensor relocation enables broader data collection for correlation by dynamically repositioning monitoring sensors.
Gaps
Minor: SP 800-53 AU-06 and SI-04 cover log analysis and correlation. FINMA expects financial sector-specific SIEM requirements; SC-48 adds sensor flexibility, but SIEM-specific requirements remain a gap.
IV.C(69) Automated monitoring and alerting
Rationale
AU-06 audit monitoring, analysis, and reporting; SI-04 system monitoring tools and techniques. SC-48 (new in Rev 5) sensor relocation supports adaptive monitoring by dynamically repositioning detection sensors.
Gaps
Minor: SP 800-53 AU-06 and SI-04 provide automated monitoring and alerting capabilities, enhanced by SC-48 for adaptive sensor deployment.
IV.C(70) Cyber incident response framework
Rationale
CP-10 system recovery; IR-01/IR-02 incident response policy and training; IR-04 incident handling; IR-07 incident response assistance. IR-09 (new in Rev 5) information spillage response adds data breach handling; SC-24 fail in known state ensures systems fail securely during cyber incidents.
Gaps
FINMA requires Swiss financial sector cyber incident response aligned with FINMA reporting obligations. SP 800-53 IR family provides strong incident response with Rev 5 additions. FINMA-specific cyber response requirements including reporting timelines remain a gap.
IV.D(71) Cyber incident containment and recovery
Rationale
CP-10 system recovery; IR-02 training; IR-04 incident handling; IR-07 assistance. IR-09 (new in Rev 5) information spillage response provides containment for data breach events; SC-24 fail in known state ensures secure containment; SI-14 (new in Rev 5) non-persistence supports containment by reverting to known-good states.
Gaps
FINMA requires specific containment and recovery procedures for financial system cyber incidents. SP 800-53 now provides stronger containment with IR-09, SC-24, and SI-14. FINMA-specific financial service continuity requirements during containment remain a gap.
IV.D(72) Cyber incident eradication
Rationale
CP-10 system recovery; IR-04 incident handling including eradication. SI-14 (new in Rev 5) non-persistence enables eradication through state reset to known-good baseline; SC-34 non-modifiable executable programs ensures critical software cannot be tampered with, supporting eradication verification.
Gaps
FINMA requires thorough eradication verification before system restoration. SP 800-53 covers eradication with SI-14 and SC-34 strengthening verification. FINMA-specific verification requirements for financial systems remain a gap.
IV.D(73) Cyber incident reporting to FINMA
Rationale
IR-06 incident reporting. IR-09 (new in Rev 5) information spillage response provides specific reporting procedures for data breach events.
Gaps
FINMA requires specific cyber incident reporting to FINMA within defined timeframes. SP 800-53 IR-06 and IR-09 cover reporting but FINMA-specific timelines, formats, and materiality thresholds are Swiss regulatory requirements not addressed. Coverage increase is marginal as the core gap is regulatory specificity.
IV.D(74) Cyber incident notification to clients
Rationale
IR-06 incident reporting. IR-09 (new in Rev 5) information spillage response includes third-party notification for data spillage events.
Gaps
FINMA requires client notification for material cyber incidents affecting financial services. IR-09 adds spillage notification but Swiss financial sector client notification requirements including timelines and content remain outside SP 800-53 scope.
IV.D(75) Security testing framework
Rationale
CA-01 assessment policy; CA-02 security assessments; CA-04 security certification; CA-05 POA&M; CA-06 authorization; CA-07 continuous monitoring; IR-03 incident response testing; RA-05 vulnerability scanning; SA-11 developer security testing; SI-06 security functionality verification. CA-09 (new in Rev 5) internal system connections adds testing of internal connection authorization; RA-06 technical surveillance countermeasures extends testing scope to detection of surveillance devices.
Gaps
Minor: SP 800-53 provides comprehensive security testing through CA, RA, and SA families, now enhanced by CA-09 and RA-06.
IV.D(76) Penetration testing and vulnerability assessment
Rationale
CA-02 security assessments; CA-04 certification; CA-07 continuous monitoring; IR-03 incident response testing; RA-05 vulnerability scanning; SA-11 developer testing; SI-06 security verification. CA-09 (new in Rev 5) tests internal connection integrity; RA-06 technical surveillance countermeasures extends penetration testing scope.
Gaps
Minor: FINMA requires regular penetration testing. SP 800-53 RA-05 and CA-02 provide strong vulnerability assessment. FINMA-specific TLPT (threat-led penetration testing) requirements may need supplementation.
IV.D(77) Independent security testing
Rationale
CA-02 security assessments; IR-03 incident response testing. CA-09 (new in Rev 5) internal system connections adds scope for independent assessment of internal connection controls.
Gaps
FINMA requires periodic independent security testing by qualified third parties. SP 800-53 CA-02 supports independent assessment with CA-09 adding internal scope. FINMA-specific independent testing cadence and qualifications require supplementation.
IV.D(78) Data classification and protection framework
Rationale
AC-15/AC-16 automated marking and labelling; MP-01 through MP-06 media protection; PE-19 information leakage; PL-05 privacy impact; PT-01 through PT-07 PII processing; RA-02 security categorisation; SC-01/SC-04/SC-08/SC-09 communications protection; SI-07/SI-09/SI-10/SI-12 system integrity. CM-12 (new in Rev 5) information location tracks where classified data resides; CM-13 data action mapping documents data processing flows; MP-08 media downgrading adds controls for reclassification; RA-08 privacy impact assessment extends classification to privacy domain; SC-42 sensor capability and data addresses privacy-sensitive data collection.
Gaps
Minor: SP 800-53 provides comprehensive data classification and protection now enhanced by Rev 5 data location, flow mapping, and privacy controls. FINMA Swiss banking secrecy and client data protection requirements may need supplementation.
IV.D(79) Data classification scheme
Rationale
AC-15/AC-16 automated marking/labelling; MP-01/MP-03 media protection and labelling; PL-05 privacy impact; PT-01/PT-02/PT-03/PT-07 PII processing. CM-12 (new in Rev 5) information location supports classification by identifying where data resides; CM-13 data action mapping documents classification across processing flows; MP-08 media downgrading supports reclassification procedures.
Gaps
FINMA requires data classification aligned with Swiss banking secrecy requirements. SP 800-53 covers security classification with improved data location and flow mapping. Swiss-specific banking data classification still needs supplementation.
IV.D(80) Data handling and processing controls
Rationale
AC-16 automated labelling; MP-02/MP-03 media access and labelling; PT-03/PT-07 PII processing purposes and categories; SI-09/SI-10 input restrictions and accuracy. CM-13 (new in Rev 5) data action mapping documents processing flows across systems; SI-20 (new in Rev 5) de-identification adds controls for privacy-preserving data handling.
Gaps
FINMA requires specific data handling procedures for Swiss financial data. SP 800-53 covers data handling with CM-13 and SI-20 improving processing documentation and privacy. Swiss banking secrecy and data locality requirements remain a gap.
IV.D(81) Data protection in storage and transit
Rationale
MP-04/MP-05 media storage and transport; PE-18 component location; SC-08/SC-09 transmission integrity and confidentiality. SC-25 (new in Rev 5) thin nodes reduces data exposure at endpoints by minimizing stored data; SC-38 operations security addresses operational security practices for data protection.
Gaps
Minor: SP 800-53 provides strong data protection in storage and transit, now enhanced by SC-25 and SC-38.
IV.D(82) Data retention and archiving
Rationale
AU-11 audit record retention; CP-09 backup; MP-04 media storage; PT-06 system of records; SI-12 information output handling and retention. MP-08 (new in Rev 5) media downgrading supports reclassification of aging data, relevant to retention lifecycle management.
Gaps
FINMA requires data retention aligned with Swiss financial regulatory requirements (typically 10 years). SP 800-53 covers retention with MP-08 adding lifecycle management. Swiss-specific financial regulatory retention periods remain a gap.
IV.E(83) Secure data disposal
Rationale
AU-11 audit retention; MP-06 media sanitisation; SC-04 information remnance; SI-12 information output handling; SR-12 component disposal. MP-08 (new in Rev 5) media downgrading supports secure reclassification before disposal.
Gaps
Minor: SP 800-53 provides comprehensive data disposal through MP-06, SC-04, SR-12, and now MP-08.
IV.E(84) Data quality and accuracy
Rationale
MP-06 media sanitisation; SI-10 information accuracy, completeness, validity. SI-18 (new in Rev 5) PII quality operations addresses personal data quality; SI-21 (new in Rev 5) information refresh maintains data currency and accuracy through regular refresh operations.
Gaps
FINMA requires data quality controls for financial data accuracy. SI-18 and SI-21 improve data quality coverage for PII and general data. FINMA-specific financial data quality requirements for transaction and reporting data still need supplementation.
IV.E(87) ICT business continuity management framework
Rationale
CP-01 contingency planning policy; CP-02 contingency plan; CP-05 contingency plan update. SC-24 (new in Rev 5) fail in known state supports business continuity by ensuring systems fail securely and predictably.
Gaps
FINMA requires comprehensive ICT BCM aligned with Swiss financial sector operational resilience requirements. SP 800-53 CP family covers contingency planning with SC-24 adding fail-safe. FINMA-specific BCM framework and Swiss financial sector resilience requirements remain a gap.
IV.E(88) Business impact analysis for ICT
Rationale
CP-01 contingency planning policy; CP-02 contingency plan with business impact analysis. RA-09 (new in Rev 5) criticality analysis identifies critical system components, directly supporting business impact analysis by informing which components have the highest business impact.
Gaps
FINMA requires BIA specific to financial services with recovery time and recovery point objectives. SP 800-53 CP-02 includes BIA and RA-09 adds criticality analysis. FINMA-specific financial sector impact criteria and Swiss regulatory RTO/RPO thresholds remain a gap.
IV.E(89) ICT recovery capabilities
Rationale
CP-02 contingency plan; CP-06 alternate storage; CP-07 alternate processing; CP-08 telecommunications; CP-09 backup; CP-10 recovery; MA-06 timely maintenance; PE-09 through PE-15 physical environmental protection; PE-17 alternate work site. PE-21 (new in Rev 5) electromagnetic pulse protection adds resilience against EMP events; PE-23 facility location supports recovery site selection; SC-24 fail in known state ensures secure recovery; SI-13 predictive maintenance enables proactive failure prevention.
Gaps
Minor: SP 800-53 provides comprehensive recovery capabilities through CP and PE families, now enhanced by Rev 5 physical resilience and predictive maintenance controls.
IV.E(90) ICT disaster recovery planning
Rationale
CP-02 contingency plan; CP-06/CP-07/CP-08/CP-09/CP-10 recovery infrastructure; PE-17 alternate work site. SC-24 (new in Rev 5) fail in known state ensures DR systems fail securely; SC-47 alternate communications channels provides resilient communication paths during disaster recovery.
Gaps
Minor: SP 800-53 covers disaster recovery planning with SC-24 and SC-47 adding resilience. FINMA-specific Swiss financial sector DR requirements are largely addressed.
IV.E(91) Recovery site and backup requirements
Rationale
CP-02 contingency plan; CP-06 alternate storage; CP-07 alternate processing; CP-09 backup. PE-23 (new in Rev 5) facility location adds requirements for physical siting of recovery facilities, relevant to Swiss data residency considerations.
Gaps
Minor: SP 800-53 covers alternate sites and backup with PE-23 adding facility location requirements. FINMA may have Swiss data residency requirements for recovery sites that remain outside SP 800-53 scope.
IV.E(92) Business continuity training
IV.E(93) Business continuity awareness
IV.E(94) Business continuity testing framework
Rationale
CP-04 contingency plan testing and exercises. RA-09 (new in Rev 5) criticality analysis informs testing prioritization by identifying which components are most critical to test.
Gaps
Minor: SP 800-53 CP-04 provides comprehensive BC testing with RA-09 adding criticality-based test prioritization. FINMA may require specific financial sector scenario testing.
IV.E(95) Disaster recovery testing
IV.E(96) Business continuity testing scenarios
Rationale
CP-04 contingency plan testing including realistic scenarios. RA-09 (new in Rev 5) criticality analysis supports scenario design by identifying critical failure points.
Gaps
FINMA requires severe but plausible scenario testing for financial services. SP 800-53 CP-04 covers testing and RA-09 informs scenario design. FINMA-specific financial sector scenario requirements (e.g., payment system failure, market infrastructure disruption) need supplementation.
IV.F(97) Business continuity test results and improvements
Rationale
CP-04 contingency plan testing with lessons learned. AT-06 (new in Rev 5) training feedback captures exercise outcomes and enables documented improvement cycles.
Gaps
FINMA requires documented test results and improvement actions. SP 800-53 CP-04 covers testing results and AT-06 adds feedback mechanisms. FINMA-specific improvement documentation requirements need supplementation.
IV.F(98) Business continuity plan maintenance 80%
Rationale
CP-05 contingency plan update.
Gaps
Minor: SP 800-53 CP-05 covers contingency plan maintenance and updates.
IV.F(99) Business continuity plan distribution 75%
Rationale
CP-05 contingency plan update including distribution.
Gaps
FINMA requires plan distribution to key personnel. SP 800-53 CP-05 covers plan updates but specific distribution requirements are less detailed.
IV.F(100) Outsourcing governance framework
Rationale
AC-20 external systems; CA-03 system connections; MA-05 maintenance personnel; PS-03/PS-07 personnel screening and third-party security; SA-01/SA-04 acquisition policy and requirements; SA-09 external services; SR-01/SR-02/SR-05 supply chain management. SA-21 (new in Rev 5) developer screening adds personnel vetting for third-party developers; SA-23 specialization addresses domain-specific security expertise requirements for outsourcing partners.
Gaps
FINMA requires comprehensive outsourcing governance, including Swiss-specific regulatory approval for material outsourcing. SP 800-53 covers vendor management with SA-21/SA-23 improving developer vetting and specialization. FINMA-specific outsourcing governance and FINMA notification requirements are not addressed.
V(101) Outsourcing risk assessment
Rationale
AC-20 external systems; CA-03 system connections; MA-05 maintenance personnel; PS-07 third-party personnel; SA-04 acquisitions; SA-09 external services; SR-01/SR-02/SR-05 supply chain. RA-07 (new in Rev 5) risk response supports outsourcing risk treatment decisions; RA-09 criticality analysis identifies critical outsourced components; SA-21 developer screening assesses third-party personnel risk.
Gaps
FINMA requires specific risk assessment for outsourcing arrangements including concentration risk. SP 800-53 covers third-party risk with RA-07/RA-09/SA-21 improving treatment, criticality, and personnel vetting. FINMA-specific outsourcing risk criteria and concentration risk remain gaps.
V(102) Outsourcing contractual requirements
Rationale
PS-07 third-party personnel security; SA-04 acquisitions; SA-09 external services; SR-02 supply chain risk management plan. SA-23 (new in Rev 5) specialization supports contractual requirements for domain-specific security expertise.
Gaps
FINMA requires specific contractual clauses including FINMA audit rights, sub-outsourcing restrictions, and data location requirements. SP 800-53 covers vendor contracts with SA-23 adding specialization. FINMA-specific contractual requirements remain a gap.
V(103) Outsourcing due diligence
Rationale
SA-04 acquisitions; SA-09 external services; SR-02 supply chain plan. SA-21 (new in Rev 5) developer screening adds vetting of outsourcing partner personnel; SA-23 specialization supports due diligence on domain-specific expertise.
Gaps
FINMA requires specific due diligence for outsourcing partners including financial stability and Swiss regulatory compliance. SP 800-53 covers vendor assessment with SA-21/SA-23 improving personnel and expertise vetting. FINMA-specific due diligence requirements remain a gap.
V(104) Outsourcing ongoing monitoring
Rationale
SA-09 external services; SR-03 supply chain controls. CA-09 (new in Rev 5) internal system connections adds monitoring of connections to outsourced services.
Gaps
FINMA requires ongoing monitoring of outsourcing providers including SLA monitoring and Swiss regulatory compliance tracking. SP 800-53 covers external service monitoring with CA-09 adding connection monitoring. FINMA-specific ongoing monitoring requirements remain a gap.
V(105) Sub-outsourcing controls 55%
Rationale
SR-03 supply chain controls and processes.
Gaps
FINMA requires specific controls for sub-outsourcing, including approval requirements and chain monitoring. SP 800-53 SR-03 covers supply chain processes, but FINMA-specific sub-outsourcing governance is not addressed.
V(106) Sub-outsourcing notification and approval 50%
Rationale
SR-03 supply chain controls.
Gaps
FINMA requires notification and approval for material sub-outsourcing arrangements. SP 800-53 covers supply chain processes but not FINMA-specific sub-outsourcing approval requirements.
V(107) Sub-outsourcing risk management
Rationale
SR-03 supply chain controls. RA-07 (new in Rev 5) risk response supports risk treatment for multi-tier outsourcing chains.
Gaps
FINMA requires risk management for the entire outsourcing chain. SP 800-53 SR-03 covers supply chain controls and RA-07 adds risk treatment. FINMA-specific multi-tier outsourcing risk management still needs supplementation.
V(108) Sub-outsourcing audit rights 45%
Rationale
SR-03 supply chain controls.
Gaps
FINMA requires audit rights over sub-outsourcing arrangements. SP 800-53 covers supply chain verification, but FINMA-specific audit rights for outsourcing chains are not explicitly addressed.
V(109) Supply chain provenance
Rationale
SR-04 provenance. CM-14 (new in Rev 5) signed components adds cryptographic verification of component provenance through digital signatures.
Gaps
FINMA requires understanding of ICT supply chain provenance. SR-04 and CM-14 cover provenance and component integrity. FINMA-specific financial sector supply chain traceability may need supplementation.
V(110) Supply chain provenance verification
Rationale
SR-04 provenance. CM-14 (new in Rev 5) signed components provides cryptographic verification of component authenticity, strengthening provenance verification.
Gaps
FINMA requires verification of supply chain components. SR-04 and CM-14 provide provenance verification with component signing.
V(111) Acquisition strategy for ICT services
Rationale
SR-05 acquisition strategies, tools, and methods. SA-20 (new in Rev 5) customized development of critical components provides acquisition strategy for high-assurance bespoke components.
Gaps
FINMA requires structured acquisition approach for ICT services. SP 800-53 SR-05 covers acquisition strategies with SA-20 adding critical component acquisition.
VI(112) Acquisition methods and tools
Rationale
SR-05 acquisition strategies, tools, and methods. SA-20 (new in Rev 5) customized development addresses custom component acquisition methods.
Gaps
FINMA requires specific acquisition methods for financial sector ICT. SP 800-53 SR-05 covers acquisition methods with SA-20 for critical components.
VII.A(113) Supplier assessment and review
Rationale
SR-06 supplier assessments and reviews; SR-10 inspection. SA-21 (new in Rev 5) developer screening adds personnel vetting to supplier assessment.
Gaps
FINMA requires regular supplier assessment aligned with Swiss financial regulatory expectations. SR-06 covers supplier assessment with SA-21 adding personnel screening. FINMA-specific assessment criteria may need supplementation.
Methodology and Disclaimer
This coverage analysis maps from FINMA Circular 2023/1 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.
Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.
This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.