NAIC Insurance Data Security Model Law (#668)

Model law adopted by 24+ US states that requires insurers, producers, and other entities licensed by a state insurance department to develop, implement and maintain a written information security program. This crosswalk breaks the law into 24 reference keys (sections and subsections) covering information security program requirements, risk assessment, board oversight, designation of the person or function responsible for the program, access controls, system and data safeguards, secure development practices, incident response, investigation and notification of cybersecurity events, third-party service provider oversight, and annual compliance certification to the commissioner, and maps each SP 800-53 control to the keys it supports.

SP 800-53 controls → NAIC Insurance Data Security Model Law sections

Reference keys used in the tables below. They are this crosswalk's own labels, not the model law's section headings; the topic each key covers is inferred here from the law's structure and from the controls mapped to it, and state enactments renumber and re-letter subsections, so confirm every citation against the enacted text of the state in question before relying on it.

3        Definitions
4        Information Security Program (the program as a whole)
4A–4F    elements of the Section 4 program as the crosswalk breaks them out: 4A risk assessment; 4B risk management and the safeguards the program must provide; 4C oversight (board and the executive or function responsible for the program); 4D third-party service provider oversight; 4E program adjustments; 4F incident response plan (4F-a response, 4F-b recovery and continuity)
4-access, 4-asset, 4-audit, 4-config, 4-encryption, 4-monitoring, 4-personnel, 4-training
         specific security measures within Section 4 (access control; identification of data, devices and systems; audit trails; configuration management and secure development; encryption; testing and monitoring; personnel; training)
5        Investigation of a Cybersecurity Event
6-a, 6-b Notification of a Cybersecurity Event (6-a to the commissioner, 6-b to consumers and other affected parties)
7        Power of Commissioner
8        Confidentiality
9        Exceptions
10       Penalties

Control names are as given on the original crosswalk and mix wording from several SP 800-53 revisions; check the identifier, not the name, against the revision you assess to. PL-03 in particular was withdrawn in Rev 4 and folded into PL-02.

AC  Access Control

Control  Name  |  NAIC references
AC-01  Access Control Policies and Procedures  |  4-access, 4B
AC-02  Account Management  |  4-access, 4B
AC-03  Access Enforcement  |  4-access, 4B
AC-04  Information Flow Enforcement  |  4B, 8
AC-05  Separation of Duties  |  4-access, 4B
AC-06  Least Privilege  |  4-access, 4-audit, 4B
AC-07  Unsuccessful Login Attempts  |  4-access
AC-11  Session Lock  |  4-access
AC-17  Remote Access  |  4-access, 4-audit
AC-19  Access Control for Portable and Mobile Devices  |  4-access
AC-20  Use of External Information Systems  |  4-access, 4D
AC-21  Information Sharing  |  8

AT  Awareness and Training

Control  Name  |  NAIC references
AT-01  Security Awareness and Training Policy and Procedures  |  4-training, 4B
AT-02  Security Awareness  |  4-training, 4B
AT-03  Security Training  |  4-training, 4B
AT-04  Security Training Records  |  4-training
AT-06  Training Feedback  |  4-training

AU  Audit and Accountability

Control  Name  |  NAIC references
AU-01  Audit and Accountability Policy and Procedures  |  7
AU-02  Auditable Events  |  4-audit, 4B
AU-03  Content of Audit Records  |  4-audit, 4B
AU-04  Audit Storage Capacity  |  4-audit
AU-05  Response to Audit Processing Failures  |  4-audit
AU-06  Audit Monitoring, Analysis, and Reporting  |  4-audit, 4B, 5, 6-a
AU-07  Audit Reduction and Report Generation  |  4-audit, 5
AU-08  Time Stamps  |  4-audit
AU-09  Protection of Audit Information  |  4-audit, 7
AU-11  Audit Record Retention  |  4-audit
AU-12  Audit Record Generation  |  4-audit, 4B

CA  Security Assessment and Authorization

Control  Name  |  NAIC references
CA-02  Security Assessments  |  4, 4A, 4E, 4-monitoring, 7
CA-03  Information System Connections  |  4D
CA-05  Plan of Action and Milestones  |  4, 4A, 4E
CA-07  Continuous Monitoring  |  4, 4A, 4E, 4-monitoring, 5, 7
CA-08  Penetration Testing  |  4-monitoring

CM  Configuration Management

Control  Name  |  NAIC references
CM-01  Configuration Management Policy and Procedures  |  4-config
CM-02  Baseline Configuration  |  4-config, 4B
CM-03  Configuration Change Control  |  4-config, 4E
CM-04  Monitoring Configuration Changes  |  4-config, 4E
CM-05  Access Restrictions for Change  |  4-config
CM-06  Configuration Settings  |  4-config, 4B
CM-07  Least Functionality  |  4-config, 4B
CM-08  Information System Component Inventory  |  3, 4-asset
CM-09  Configuration Management Plan  |  4-config
CM-12  Information Location  |  3, 4-asset
CM-13  Data Action Mapping  |  4-asset

CP  Contingency Planning

Control  Name  |  NAIC references
CP-01  Contingency Planning Policy and Procedures  |  4F-b
CP-02  Contingency Plan  |  4, 4F-b
CP-03  Contingency Training  |  4F-b
CP-04  Contingency Plan Testing and Exercises  |  4F-b
CP-06  Alternate Storage Site  |  4F-b
CP-07  Alternate Processing Site  |  4F-b
CP-09  Information System Backup  |  4F-b
CP-10  Information System Recovery and Reconstitution  |  4F-b

IA  Identification and Authentication

Control  Name  |  NAIC references
IA-01  Identification and Authentication Policy and Procedures  |  4-access, 4B
IA-02  User Identification and Authentication  |  4-access, 4B
IA-04  Identifier Management  |  4-access, 4B
IA-05  Authenticator Management  |  4-access, 4B
IA-08  Identification and Authentication (Non-Organizational Users)  |  4-access

IR  Incident Response

Control  Name  |  NAIC references
IR-01  Incident Response Policy and Procedures  |  4F-a
IR-02  Incident Response Training  |  4F-a
IR-03  Incident Response Testing and Exercises  |  4F-a
IR-04  Incident Handling  |  4, 4F-a, 4F-b, 5
IR-05  Incident Monitoring  |  4F-a, 5
IR-06  Incident Reporting  |  4F-a, 5, 6-a, 6-b
IR-07  Incident Response Assistance  |  4F-a
IR-08  Incident Response Plan  |  4F-a

MP  Media Protection

Control  Name  |  NAIC references
MP-02  Media Access  |  4B
MP-04  Media Storage  |  4B, 4-encryption
MP-05  Media Transport  |  4-encryption
MP-06  Media Sanitization and Disposal  |  4B, 4-asset

PE  Physical and Environmental Protection

Control  Name  |  NAIC references
PE-02  Physical Access Authorizations  |  4B
PE-03  Physical Access Control  |  4B
PE-06  Monitoring Physical Access  |  4B

PL  Planning

Control  Name  |  NAIC references
PL-01  Security Planning Policy and Procedures  |  4, 4C
PL-02  System Security Plan  |  4, 4B, 4E, 9
PL-03  System Security Plan Update (withdrawn in SP 800-53 Rev 4; incorporated into PL-02)  |  4E
PL-04  Rules of Behavior  |  4-training, 10
PL-07  Concept of Operations  |  4
PL-08  Security and Privacy Architectures  |  4, 4B
PL-09  Central Management  |  4B
PL-10  Baseline Selection  |  9

PM  Program Management

Control  Name  |  NAIC references
PM-01  Information Security Program Plan  |  4, 4C, 4E, 7, 9, 10
PM-02  Information Security Program Leadership Role  |  4, 4C, 4-personnel
PM-03  Information Security and Privacy Resources  |  4, 4C
PM-04  Plan of Action and Milestones Process  |  4, 4E
PM-05  System Inventory  |  3, 4-asset
PM-06  Measures of Performance  |  4, 4E
PM-08  Critical Infrastructure Plan  |  4A
PM-09  Risk Management Strategy  |  4, 4A
PM-11  Mission and Business Process Definition  |  3, 4, 9
PM-13  Security and Privacy Workforce  |  4C, 4-personnel, 4-training
PM-14  Testing, Training, and Monitoring  |  4, 4E, 4F-a, 4-monitoring, 4-training, 5
PM-16  Threat Awareness Program  |  4A
PM-20  Dissemination of Privacy Program Information  |  6-b
PM-22  Personally Identifiable Information Quality Management  |  6-b
PM-26  Complaint Management  |  6-a
PM-29  Risk Management Program Leadership Roles  |  4C
PM-30  Supply Chain Risk Management Strategy  |  4D
PM-31  Continuous Monitoring Strategy  |  4D

PS  Personnel Security

Control  Name  |  NAIC references
PS-01  Personnel Security Policy and Procedures  |  4-personnel
PS-02  Position Categorization  |  4-personnel
PS-03  Personnel Screening  |  4B, 4-personnel
PS-04  Personnel Termination  |  4B, 4-access, 4-personnel
PS-05  Personnel Transfer  |  4-access, 4-personnel
PS-06  Access Agreements  |  4B, 4-personnel
PS-07  Third-Party Personnel Security  |  4D, 4-personnel
PS-08  Personnel Sanctions  |  10

PT  Personally Identifiable Information Processing and Transparency

Control  Name  |  NAIC references
PT-01  Policy and Procedures  |  8
PT-03  Personally Identifiable Information Processing Purposes  |  3, 4-asset, 8
PT-04  Consent  |  3, 6-b, 8
PT-05  Privacy Notice  |  6-b

RA  Risk Assessment

Control  Name  |  NAIC references
RA-01  Risk Assessment Policy and Procedures  |  4, 4A, 4C
RA-02  Security Categorization  |  3, 4A
RA-03  Risk Assessment  |  4, 4A, 4E
RA-05  Vulnerability Scanning  |  4A, 4-monitoring
RA-07  Risk Response  |  4A, 4E, 4-monitoring
RA-09  Criticality Analysis  |  4A

SA  System and Services Acquisition

Control  Name  |  NAIC references
SA-03  Life Cycle Support  |  4-config
SA-04  Acquisitions  |  4D
SA-08  Security Engineering Principles  |  4-config
SA-09  External Information System Services  |  4D, 4-personnel
SA-11  Developer Security Testing  |  4-config
SA-15  Development Process, Standards, and Tools  |  4-config
SA-22  Unsupported System Components  |  4-asset

SC  System and Communications Protection

Control  Name  |  NAIC references
SC-07  Boundary Protection  |  4, 4B, 4-monitoring
SC-08  Transmission Integrity  |  4B, 4-encryption
SC-12  Cryptographic Key Establishment and Management  |  4B, 4-encryption
SC-13  Use of Cryptography  |  4B, 4-encryption
SC-28  Protection of Information at Rest  |  4B, 4-encryption
SC-44  Detonation Chambers  |  4-monitoring

SI  System and Information Integrity

Control  Name  |  NAIC references
SI-02  Flaw Remediation  |  4B
SI-03  Malicious Code Protection  |  4B, 4-monitoring
SI-04  Information System Monitoring Tools and Techniques  |  4, 4B, 4-audit, 4-monitoring, 5
SI-05  Security Alerts and Advisories  |  4-monitoring
SI-07  Software and Information Integrity  |  4B, 5
SI-12  Information Output Handling and Retention  |  4-asset, 8

SR  Supply Chain Risk Management

Control  Name  |  NAIC references
SR-01  Policy and Procedures  |  4D
SR-02  Supply Chain Risk Management Plan  |  4D
SR-03  Supply Chain Controls and Processes  |  4D
SR-05  Acquisition Strategies, Tools, and Methods  |  4D
SR-06  Supplier Assessments and Reviews  |  4D