NCA Essential Cybersecurity Controls (ECC-1:2018)
Saudi National Cybersecurity Authority mandatory controls for all government entities, government-affiliated organizations, and critical infrastructure operators. Five domains: cybersecurity governance, defence, resilience, third-party and cloud computing, and ICS/OT cybersecurity. Designed with reference to NIST CSF, NIST SP 800-53, and ISO 27001.
Controls: 198
Total Mappings: 325
Publisher: National Cybersecurity Authority (NCA)
Version: 2018 (updated 2022)
Mapped controls per family: AC (17), AT (5), AU (14), CA (7), CM (12), CP (11), IA (10), IR (9), MA (1), MP (6), PE (17), PL (3), PM (16), PS (9), PT (3), RA (7), SA (11), SC (20), SI (13), SR (7)
AC Access Control
| Control | Name | NCA ECC References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 1-3, 2-2 |
| AC-02 | Account Management | 2-2 |
| AC-03 | Access Enforcement | 2-2, 2-7 |
| AC-04 | Information Flow Enforcement | 2-14, 2-5, 2-7 |
| AC-05 | Separation Of Duties | 2-2 |
| AC-06 | Least Privilege | 2-2 |
| AC-07 | Unsuccessful Login Attempts | 2-2 |
| AC-08 | System Use Notification | 2-2 |
| AC-10 | Concurrent Session Control | 2-2 |
| AC-11 | Session Lock | 2-2 |
| AC-12 | Session Termination | 2-2 |
| AC-14 | Permitted Actions Without Identification Or Authentication | 2-2 |
| AC-16 | Automated Labeling | 2-7 |
| AC-17 | Remote Access | 2-2 |
| AC-19 | Access Control For Portable And Mobile Devices | 2-6 |
| AC-20 | Use Of External Information Systems | 2-6, 4-2 |
| AC-24 | Access Control Decisions | 2-2 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | NCA ECC References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 1-3, 2-12 |
| AU-02 | Auditable Events | 2-12 |
| AU-03 | Content Of Audit Records | 2-12 |
| AU-04 | Audit Storage Capacity | 2-12 |
| AU-05 | Response To Audit Processing Failures | 2-12 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 1-8, 2-12 |
| AU-07 | Audit Reduction And Report Generation | 2-12 |
| AU-08 | Time Stamps | 2-12 |
| AU-09 | Protection Of Audit Information | 2-12 |
| AU-10 | Non-Repudiation | 2-12 |
| AU-11 | Audit Record Retention | 2-12 |
| AU-12 | Audit Record Generation | 2-12 |
| AU-13 | Monitoring for Information Disclosure | 2-12 |
| AU-14 | Session Audit | 2-12 |
CA Security Assessment and Authorization
| Control | Name | NCA ECC References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 1-3, 1-8 |
| CA-02 | Security Assessments | 1-7, 1-8 |
| CA-03 | Information System Connections | 2-5, 4-1, 4-2 |
| CA-05 | Plan Of Action And Milestones | 1-5, 1-8 |
| CA-07 | Continuous Monitoring | 1-7, 1-8, 2-12, 5-1 |
| CA-08 | Penetration Testing | 1-8, 2-11 |
| CA-09 | Internal System Connections | 2-5, 4-2 |
CM Configuration Management
| Control | Name | NCA ECC References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 1-3 |
| CM-02 | Baseline Configuration | 2-3, 5-1 |
| CM-03 | Configuration Change Control | 2-3 |
| CM-04 | Monitoring Configuration Changes | 2-3 |
| CM-05 | Access Restrictions For Change | 2-3 |
| CM-06 | Configuration Settings | 2-10, 2-3, 5-1 |
| CM-07 | Least Functionality | 2-14, 2-3, 2-6, 5-1 |
| CM-08 | Information System Component Inventory | 2-1, 2-6 |
| CM-09 | Configuration Management Plan | 2-1 |
| CM-12 | Information Location | 2-1 |
| CM-13 | Data Action Mapping | 2-1 |
| CM-14 | Signed Components | 2-3 |
CP Contingency Planning
| Control | Name | NCA ECC References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 1-3, 3-1 |
| CP-02 | Contingency Plan | 3-1, 3-2, 5-1 |
| CP-03 | Contingency Training | 3-1 |
| CP-04 | Contingency Plan Testing And Exercises | 3-1, 3-2 |
| CP-06 | Alternate Storage Site | 2-9, 3-1, 3-2 |
| CP-07 | Alternate Processing Site | 3-1, 3-2 |
| CP-08 | Telecommunications Services | 3-1 |
| CP-09 | Information System Backup | 2-9, 3-1, 3-2 |
| CP-10 | Information System Recovery And Reconstitution | 2-9, 3-1, 3-2 |
| CP-12 | Safe Mode | 3-1 |
| CP-13 | Alternative Security Mechanisms | 3-1 |
IA Identification and Authentication
| Control | Name | NCA ECC References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 1-3, 2-2 |
| IA-02 | User Identification And Authentication | 2-2, 5-1 |
| IA-03 | Device Identification And Authentication | 5-1 |
| IA-04 | Identifier Management | 2-2 |
| IA-05 | Authenticator Management | 2-2 |
| IA-06 | Authenticator Feedback | 2-2 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 2-2 |
| IA-09 | Service Identification and Authentication | 5-1 |
| IA-11 | Re-authentication | 2-2 |
| IA-12 | Identity Proofing | 2-2 |
IR Incident Response
| Control | Name | NCA ECC References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 1-3, 2-13 |
| IR-02 | Incident Response Training | 2-13 |
| IR-03 | Incident Response Testing And Exercises | 2-13 |
| IR-04 | Incident Handling | 2-13, 3-2, 5-1 |
| IR-05 | Incident Monitoring | 2-13 |
| IR-06 | Incident Reporting | 2-13 |
| IR-07 | Incident Response Assistance | 2-13 |
| IR-08 | Incident Response Plan | 2-13 |
| IR-09 | Information Spillage Response | 2-13 |
MA Maintenance
| Control | Name | NCA ECC References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | 1-3 |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | NCA ECC References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 1-11, 1-3 |
| PE-02 | Physical Access Authorizations | 1-11 |
| PE-03 | Physical Access Control | 1-11, 5-1 |
| PE-04 | Access Control For Transmission Medium | 1-11 |
| PE-05 | Access Control For Display Medium | 1-11 |
| PE-06 | Monitoring Physical Access | 1-11 |
| PE-08 | Access Records | 1-11 |
| PE-09 | Power Equipment And Power Cabling | 1-11 |
| PE-10 | Emergency Shutoff | 1-11 |
| PE-11 | Emergency Power | 1-11 |
| PE-12 | Emergency Lighting | 1-11 |
| PE-13 | Fire Protection | 1-11 |
| PE-14 | Temperature And Humidity Controls | 1-11 |
| PE-15 | Water Damage Protection | 1-11 |
| PE-17 | Alternate Work Site | 1-11, 2-6 |
| PE-18 | Location Of Information System Components | 1-11 |
| PE-23 | Facility Location | 1-11 |
PL Planning
PM Program Management
| Control | Name | NCA ECC References |
|---|---|---|
| PM-01 | Information Security Program Plan | 1-1, 1-2, 1-3, 1-7 |
| PM-02 | Information Security Program Leadership Role | 1-2, 1-4 |
| PM-03 | Information Security and Privacy Resources | 1-2 |
| PM-04 | Plan of Action and Milestones Process | 1-5 |
| PM-05 | System Inventory | 2-1 |
| PM-06 | Measures of Performance | 1-2, 1-7, 1-8 |
| PM-07 | Enterprise Architecture | 1-1, 1-6 |
| PM-08 | Critical Infrastructure Plan | 1-1, 3-1 |
| PM-09 | Risk Management Strategy | 1-1, 1-2, 1-5 |
| PM-10 | Authorization Process | 1-2, 1-4 |
| PM-11 | Mission and Business Process Definition | 1-1, 3-1 |
| PM-13 | Security and Privacy Workforce | 1-10, 1-2, 1-4 |
| PM-14 | Testing, Training, and Monitoring | 1-8 |
| PM-16 | Threat Awareness Program | 1-10, 2-13 |
| PM-28 | Risk Framing | 1-5 |
| PM-29 | Risk Management Program Leadership Roles | 1-1, 1-2, 1-4 |
PS Personnel Security
| Control | Name | NCA ECC References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 1-3, 1-4, 1-9 |
| PS-02 | Position Categorization | 1-9 |
| PS-03 | Personnel Screening | 1-9 |
| PS-04 | Personnel Termination | 1-9 |
| PS-05 | Personnel Transfer | 1-9 |
| PS-06 | Access Agreements | 1-9 |
| PS-07 | Third-Party Personnel Security | 1-9, 4-1 |
| PS-08 | Personnel Sanctions | 1-9 |
| PS-09 | Position Descriptions | 1-4, 1-9 |
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | NCA ECC References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 1-3, 1-6 |
| SA-02 | Allocation Of Resources | 1-6 |
| SA-03 | Life Cycle Support | 1-6 |
| SA-04 | Acquisitions | 1-6, 1-7, 2-14, 4-1 |
| SA-08 | Security Engineering Principles | 1-6, 2-14, 2-3, 5-1 |
| SA-09 | External Information System Services | 4-1, 4-2 |
| SA-10 | Developer Configuration Management | 1-6, 2-3 |
| SA-11 | Developer Security Testing | 1-6, 2-10, 2-11, 2-14, 2-3 |
| SA-15 | Development Process, Standards, and Tools | 1-6, 2-14 |
| SA-17 | Developer Security and Privacy Architecture and Design | 1-6 |
| SA-22 | Unsupported System Components | 2-10, 2-3 |
SC System and Communications Protection
| Control | Name | NCA ECC References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 1-3, 2-5 |
| SC-02 | Application Partitioning | 2-3 |
| SC-03 | Security Function Isolation | 2-3 |
| SC-05 | Denial Of Service Protection | 2-5 |
| SC-07 | Boundary Protection | 2-14, 2-3, 2-4, 2-5, 4-2, 5-1 |
| SC-08 | Transmission Integrity | 2-4, 2-5, 2-8 |
| SC-10 | Network Disconnect | 2-5 |
| SC-12 | Cryptographic Key Establishment And Management | 2-8 |
| SC-13 | Use Of Cryptography | 2-4, 2-8 |
| SC-17 | Public Key Infrastructure Certificates | 2-8 |
| SC-18 | Mobile Code | 2-3 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | 2-5 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | 2-5 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | 2-5 |
| SC-23 | Session Authenticity | 2-5 |
| SC-24 | Fail in Known State | 3-1, 3-2, 5-1 |
| SC-28 | Protection of Information at Rest | 2-3, 2-6, 2-7, 2-8, 4-2 |
| SC-32 | System Partitioning | 2-3, 2-5, 5-1 |
| SC-45 | System Time Synchronization | 2-12 |
| SC-46 | Cross Domain Policy Enforcement | 2-5, 5-1 |
SI System and Information Integrity
| Control | Name | NCA ECC References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 1-3 |
| SI-02 | Flaw Remediation | 2-10, 2-3 |
| SI-03 | Malicious Code Protection | 2-3, 2-4 |
| SI-04 | Information System Monitoring Tools And Techniques | 2-12, 2-4, 2-5, 5-1 |
| SI-05 | Security Alerts And Advisories | 2-10, 2-13 |
| SI-07 | Software And Information Integrity | 2-3, 5-1 |
| SI-08 | Spam Protection | 2-4 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | 2-14 |
| SI-11 | Error Handling | 2-14 |
| SI-12 | Information Output Handling And Retention | 2-7 |
| SI-16 | Memory Protection | 2-14, 2-3 |
| SI-17 | Fail-safe Procedures | 3-1 |
| SI-19 | De-identification | 2-7 |
SR Supply Chain Risk Management
| Control | Name | NCA ECC References |
|---|---|---|
| SR-01 | Policy and Procedures | 1-3, 4-1, 4-2 |
| SR-02 | Supply Chain Risk Management Plan | 4-1 |
| SR-03 | Supply Chain Controls and Processes | 4-1, 4-2 |
| SR-05 | Acquisition Strategies, Tools, and Methods | 4-1 |
| SR-06 | Supplier Assessments and Reviews | 4-1 |
| SR-08 | Notification Agreements | 4-1 |
| SR-11 | Component Authenticity | 4-1 |