← Frameworks / Regulatory

NCA Essential Cybersecurity Controls (ECC-1:2018)

Saudi National Cybersecurity Authority mandatory controls for all government entities, government-affiliated organizations, and critical infrastructure operators. 5 domains: cybersecurity governance, defence, resilience, third-party and cloud computing, and ICS/OT cybersecurity. Designed referencing NIST CSF, NIST 800-53, and ISO 27001.

Clauses: 30

Avg Coverage: 84.9%

Publisher: National Cybersecurity Authority (NCA) Version: 2018 (updated 2022)

NCA ECC → SP 800-53 SP 800-53 → NCA ECC Coverage Analysis

Clause	Title	SP 800-53 Controls
1-1	Cybersecurity Strategy	PM-01 PM-07 PM-08 PM-09 PM-11 PL-01 PL-09 PM-29
1-2	Cybersecurity Management	PM-01 PM-02 PM-03 PM-06 PM-09 PM-10 PM-13 PL-09 PM-29
1-3	Cybersecurity Policies and Procedures	PL-01 PM-01 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 PT-01 SR-01
1-4	Cybersecurity Roles and Responsibilities	PM-02 PM-10 PM-13 PS-01 PS-09 PL-01 PM-29
1-5	Cybersecurity Risk Management	RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 PM-09 PM-28 CA-05 PM-04
1-6	Cybersecurity in Information Technology Projects	SA-01 SA-02 SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 PM-07
1-7	Compliance with Cybersecurity Standards, Laws, and Regulations	CA-02 CA-07 PM-01 PM-06 PL-04 SA-04
1-8	Periodical Cybersecurity Review and Audit	CA-01 CA-02 CA-05 CA-07 CA-08 PM-06 PM-14 AU-06
1-9	Cybersecurity in Human Resources	PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
1-10	Cybersecurity Awareness and Training Program	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-16
1-11	Cybersecurity in Physical Security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 PE-23
2-1	Asset Management	CM-08 CM-09 CM-12 CM-13 PM-05 RA-02 RA-09
2-2	Identity and Access Management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-08 AC-10 AC-11 AC-12 AC-14 AC-17 AC-24 IA-01 IA-02 IA-04 IA-05 IA-06 IA-08 IA-11 IA-12
2-3	Information System and Information Processing Facilities Protection	CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-14 SA-08 SA-10 SA-11 SA-22 SC-02 SC-03 SC-07 SC-18 SC-28 SC-32 SI-02 SI-03 SI-07 SI-16
2-4	Email Protection	SC-07 SC-08 SI-03 SI-04 SI-08 SC-13
2-5	Networks Security Management	SC-01 SC-05 SC-07 SC-08 SC-10 SC-20 SC-21 SC-22 SC-23 SC-32 SC-46 AC-04 CA-03 CA-09 SI-04
2-6	Mobile Devices Security	AC-19 AC-20 CM-07 CM-08 SC-28 MP-04 MP-05 PE-17
2-7	Data and Information Protection	AC-03 AC-04 AC-16 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 RA-02 SC-28 SI-12 SI-19 PT-02 PT-03
2-8	Cryptography	SC-12 SC-13 SC-17 SC-28 SC-08
2-9	Backup and Recovery Management	CP-06 CP-09 CP-10 MP-04 MP-05
2-10	Vulnerability Management	RA-05 SI-02 SI-05 SA-11 SA-22 CM-06 RA-07
2-11	Penetration Testing	CA-08 RA-05 SA-11
2-12	Cybersecurity Event Logs and Monitoring Management	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-13 AU-14 SI-04 CA-07 SC-45
2-13	Cybersecurity Incident and Threat Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 PM-16 RA-03 RA-10 SI-05
2-14	Web Application Security	SA-04 SA-08 SA-11 SA-15 SC-07 SI-10 SI-11 SI-16 CM-07 AC-04
3-1	Business Continuity Management Aspects of Cybersecurity	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 PM-08 PM-11 SC-24 SI-17
3-2	Disaster Recovery Aspects of Cybersecurity	CP-02 CP-04 CP-06 CP-07 CP-09 CP-10 IR-04 SC-24
4-1	Third-Party Cybersecurity	CA-03 PS-07 SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 SR-08 SR-11
4-2	Cloud Computing and Hosting Cybersecurity	SA-09 AC-20 SC-07 CA-03 CA-09 SR-01 SR-03 SC-28
5-1	ICS/OT Cybersecurity	CA-07 CM-02 CM-06 CM-07 CP-02 IA-02 IA-03 IA-09 IR-04 PE-03 RA-03 RA-05 SA-08 SC-07 SC-24 SC-32 SC-46 SI-04 SI-07