
NCA Essential Cybersecurity Controls (ECC-1:2018) — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each NCA ECC requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 21
Substantial (65-84%): 8
Partial (40-64%): 1
Weak (1-39%): 0

Clause-by-Clause Analysis

1-1 Cybersecurity Strategy

Rationale

PM-01 information security program plan; PM-07 enterprise architecture; PM-08 critical infrastructure plan; PM-09 risk management strategy; PM-11 mission/business process definition. PL-01 security planning policy; PL-09 (Rev 5) central management supports unified security strategy governance. PM-29 (Rev 5) risk management program leadership addresses senior leadership roles in strategy execution.

Gaps

NCA ECC requires a board-approved national-context cybersecurity strategy aligned with the Kingdom's Vision 2030 and NCA strategic objectives. SP 800-53 covers information security program planning but does not address national cybersecurity strategy alignment, NCA-specific strategic reporting, or alignment with Saudi national digital transformation goals.

1-2 Cybersecurity Management

Rationale

PM-01 security program plan; PM-02 senior information security officer; PM-03 information security resources; PM-06 measures of performance; PM-09 risk management strategy; PM-10 authorization process; PM-13 security workforce. PL-09 (Rev 5) central management enables unified cybersecurity management. PM-29 (Rev 5) risk management program leadership supports management accountability.

Gaps

NCA ECC requires a dedicated cybersecurity management committee with direct reporting to the organization head, cybersecurity function independence from IT operations, and NCA regulatory compliance management. SP 800-53 addresses security management roles but does not mandate organizational structure specifics or NCA-specific governance reporting lines.

1-3 Cybersecurity Policies and Procedures

Rationale

SP 800-53 has extensive policy controls (-01 controls) for every family. PL-01 overarching planning policy; PM-01 program plan. PT-01 (Rev 5) privacy and SR-01 (Rev 5) supply chain policies broaden the policy framework. Each family's -01 control requires documented policies and procedures with management approval, periodic review, and dissemination.

Gaps

NCA ECC requires policies specifically addressing Saudi regulatory context and NCA compliance obligations. SP 800-53 family-level policies are comprehensive but do not address NCA-specific policy requirements such as Arabic language documentation mandates or NCA template alignment.

1-4 Cybersecurity Roles and Responsibilities

Rationale

PM-02 senior information security officer role; PM-10 authorization process with designated officials; PM-13 security workforce management; PS-01 personnel security policy; PS-09 (Rev 5) position descriptions with security roles; PL-01 planning roles. PM-29 (Rev 5) risk management program leadership establishes senior leadership accountability for cybersecurity.

Gaps

NCA ECC requires a dedicated Chief Information Security Officer (or equivalent) reporting directly to the organization head, not under IT. Also requires specific cybersecurity roles for Saudi government entities and critical infrastructure operators that SP 800-53 does not prescribe, including NCA liaison roles and sector-specific cybersecurity coordinators.

1-5 Cybersecurity Risk Management

Rationale

RA-01 risk assessment policy; RA-02 security categorization; RA-03 risk assessment; RA-05 vulnerability scanning; PM-09 risk management strategy; CA-05 plan of action and milestones. RA-07 (Rev 5) risk response provides structured treatment actions; RA-09 (Rev 5) criticality analysis identifies critical assets; PM-28 (Rev 5) risk framing strengthens organizational risk context.

Gaps

NCA ECC requires risk management aligned with NCA risk management guidelines and may mandate specific risk assessment methodologies approved by NCA. Saudi national threat landscape considerations and critical national infrastructure risk classification are not addressed by SP 800-53.

1-6 Cybersecurity in Information Technology Projects

Rationale

SA-01 system and services acquisition policy; SA-02 resource allocation; SA-03 system development life cycle; SA-04 acquisition process security requirements; SA-08 security engineering principles; SA-10 developer configuration management; SA-11 developer security testing; SA-15 development process standards; SA-17 developer security architecture. PM-07 enterprise architecture integration ensures projects align with security architecture.

Gaps

NCA ECC requires cybersecurity involvement from project inception through delivery for all IT projects, including cybersecurity sign-off at project gates. SP 800-53 SA family addresses security in acquisition and development but does not mandate specific project governance gate processes or NCA project notification requirements.

1-7 Compliance with Cybersecurity Standards, Laws, and Regulations

Rationale

CA-02 security assessments; CA-07 continuous monitoring; PM-01 program plan addressing compliance; PM-06 measures of performance; PL-04 rules of behavior (compliance obligations); SA-04 contractual requirements for compliance.

Gaps

NCA ECC mandates compliance with Saudi cybersecurity laws (Anti-Cyber Crime Law, Personal Data Protection Law), NCA regulations, and sector-specific requirements. SP 800-53 is FISMA-oriented and does not address Saudi legal/regulatory compliance, NCA registration and reporting obligations, or National Data Governance policies. Significant gap for jurisdiction-specific legal compliance.

1-8 Periodical Cybersecurity Review and Audit

Rationale

CA-01 assessment policy; CA-02 security assessments; CA-05 plan of action and milestones; CA-07 continuous monitoring; CA-08 penetration testing; PM-06 measures of performance; PM-14 testing, training, and monitoring program; AU-06 audit review, analysis, and reporting.

Gaps

NCA ECC requires periodic cybersecurity reviews with results reported to the organization head and potentially to NCA. SP 800-53 covers assessments and continuous monitoring comprehensively but does not address NCA-specific review/audit reporting requirements or mandated review frequencies aligned with NCA compliance cycles.

1-9 Cybersecurity in Human Resources

Rationale

PS-01 personnel security policy; PS-02 position risk designation; PS-03 personnel screening; PS-04 personnel termination; PS-05 personnel transfer; PS-06 access agreements; PS-07 external personnel security; PS-08 personnel sanctions. PS-09 (Rev 5) position descriptions explicitly requires incorporating security responsibilities into position descriptions, directly supporting cybersecurity in HR.

Gaps

NCA ECC requires cybersecurity background checks aligned with Saudi national security vetting standards, potentially including security clearance for critical infrastructure roles. SP 800-53 covers screening comprehensively but does not address Saudi-specific vetting requirements or NCA personnel security guidelines.

1-10 Cybersecurity Awareness and Training Program

Rationale

AT-01 awareness and training policy; AT-02 security awareness training; AT-03 role-based training; AT-04 training records; PM-13 security workforce program; PM-16 threat awareness sharing. AT-06 (Rev 5) training feedback provides feedback on training results to senior personnel, enabling continuous improvement of training programs aligned with NCA awareness requirements.

Gaps

NCA ECC requires cybersecurity awareness programs aligned with NCA awareness guidelines and may mandate specific awareness content for Saudi government context (e.g., Arabic-language materials, national threat awareness). SP 800-53 covers training and awareness comprehensively; minor gap for NCA-specific content requirements.

1-11 Cybersecurity in Physical Security

Rationale

PE family comprehensively covers physical security: PE-01 policy; PE-02 physical access authorizations; PE-03 physical access control; PE-04 transmission medium access; PE-05 output device access; PE-06 monitoring; PE-08 visitor records; PE-09 through PE-15 environmental protections (power, fire, temperature, water); PE-17 alternate work site; PE-18 component location. PE-23 (Rev 5) facility location addresses planning facility location considering physical and environmental hazards.

Gaps

NCA ECC integrates physical security with cybersecurity controls for data centres and critical facilities. SP 800-53 PE family is comprehensive; minor gap for NCA-specific physical security standards for Saudi government facilities and critical national infrastructure physical protection requirements.

2-1 Asset Management

Rationale

CM-08 system component inventory; CM-09 configuration management plan; PM-05 system inventory; RA-02 security categorization of assets. CM-12 (Rev 5) information location identifies and documents where information types reside; CM-13 (Rev 5) data action mapping maps data lifecycle actions; RA-09 (Rev 5) criticality analysis identifies critical assets for prioritised protection.

Gaps

NCA ECC requires comprehensive IT asset management including classification aligned with Saudi data classification standards. SP 800-53 covers asset inventory thoroughly; minor gap for NCA-specific asset classification tiers and Saudi data sovereignty tagging requirements.

2-2 Identity and Access Management

Rationale

AC family provides comprehensive access control: AC-01 policy; AC-02 account management; AC-03 access enforcement; AC-05 separation of duties; AC-06 least privilege; AC-07 unsuccessful logon attempts; AC-08 system use notification; AC-10 concurrent session control; AC-11 session lock; AC-12 session termination; AC-14 permitted actions without identification; AC-17 remote access. AC-24 (Rev 5) access control decisions adds real-time authorization. IA family covers identification and authentication: IA-02 user I&A; IA-04 identifier management; IA-05 authenticator management; IA-08 non-organizational users; IA-11 re-authentication. IA-12 (Rev 5) identity proofing covers identity verification before credential issuance.

Gaps

Minimal gap. SP 800-53 AC and IA families are among the most comprehensive control areas. NCA ECC IAM requirements closely mirror NIST recommendations. Minor gap for Saudi National Single Sign-On integration requirements if mandated.

2-3 Information System and Information Processing Facilities Protection

Rationale

CM family for configuration management and hardening: CM-02 baselines; CM-03 change control; CM-06 configuration settings; CM-07 least functionality. SA family for secure development: SA-08 security engineering; SA-10 developer config management; SA-11 developer testing. SC family for system protection: SC-02 application partitioning; SC-03 security function isolation; SC-07 boundary protection; SC-18 mobile code; SC-28 protection at rest; SC-32 system partitioning. SI family: SI-02 flaw remediation; SI-03 malware protection; SI-07 integrity verification. CM-14 (Rev 5) signed components; SA-22 (Rev 5) unsupported system components; SI-16 (Rev 5) memory protection.

Gaps

Minimal gap. SP 800-53 provides deep technical protection controls. NCA ECC system protection requirements are well aligned with NIST. Minor gap for NCA-approved baseline configurations if mandated for Saudi government systems.

2-4 Email Protection

Rationale

SC-07 boundary protection including email gateway; SC-08 transmission confidentiality/integrity for email in transit; SI-03 malicious code protection for email attachments; SI-04 system monitoring including email monitoring; SI-08 spam protection directly addresses unsolicited email; SC-13 cryptographic protection for email encryption.

Gaps

NCA ECC has specific email protection requirements including email authentication (SPF, DKIM, DMARC), anti-phishing measures, and email archiving for Saudi regulatory compliance. SP 800-53 addresses email security through general controls but lacks a dedicated email security control. Email-specific standards like DMARC enforcement and Arabic-language phishing awareness are not explicitly covered.
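The gap above turns on what "DMARC enforcement" means in practice: a published DMARC policy of p=reject applied to 100% of failing mail, backed by an SPF record that hard-fails unlisted senders. As an added example (not part of this analysis, nor NCA or NIST material), the Python below parses SPF and DMARC TXT records and reports the weaknesses an assessor would flag. The domain names and records are constructed sample data embedded in the script; they are not live DNS lookups and do not describe any real domain.

```python
"""Assess published SPF and DMARC records for enforcement (added example)."""

# Constructed sample TXT records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "_dmarc.example-gov.sa": "v=DMARC1; p=none; rua=mailto:dmarc@example-gov.sa",
    "example-gov.sa": "v=spf1 include:_spf.example-mail.sa ~all",
    "_dmarc.example-agency.sa": "v=DMARC1; p=reject; sp=reject; pct=100; "
                                "rua=mailto:reports@example-agency.sa",
    "example-agency.sa": "v=spf1 ip4:203.0.113.0/24 -all",
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate_dmarc(record):
    """Return the effective policy and a list of enforcement weaknesses."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    enforced = policy == "reject" and pct == 100
    return {"policy": policy, "pct": pct, "enforced": enforced, "findings": findings}


def evaluate_spf(record):
    """Check the terminal 'all' mechanism and the DNS-lookup budget of an SPF record."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = record.split()[1:]
    all_mech = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    findings = []
    if all_mech is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_mech.startswith("~"):
        findings.append("~all: softfail, receivers may still deliver spoofed mail")
    elif all_mech.startswith("+") or all_mech == "all":
        findings.append("+all: every sender passes SPF")
    # Count lookup-costing terms; more than 10 makes the record permanently fail.
    lookups = sum(
        1 for t in terms
        if t.split(":")[0].split("=")[0].lstrip("+-~?").lower() in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"all": all_mech, "hardfail": all_mech == "-all", "findings": findings}


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC results into one enforcement verdict for a domain."""
    dmarc = evaluate_dmarc(records[f"_dmarc.{domain}"])
    spf = evaluate_spf(records[domain])
    return {
        "domain": domain,
        "dmarc": dmarc,
        "spf": spf,
        "enforced": dmarc["enforced"] and spf["hardfail"],
    }


if __name__ == "__main__":
    for name in ("example-gov.sa", "example-agency.sa"):
        result = assess_domain(name)
        print(name, "enforced" if result["enforced"] else "NOT enforced")
        for finding in result["dmarc"]["findings"] + result["spf"]["findings"]:
            print("  -", finding)
```

To run this against real domains, replace the SAMPLE_RECORDS lookup with a TXT query (for example via the dnspython resolver) and feed the returned strings to the same evaluate functions; the verdict logic does not change.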

2-5 Networks Security Management

Rationale

SC family comprehensively covers network security: SC-01 policy; SC-05 denial-of-service protection; SC-07 boundary protection with firewalls, DMZ, ingress/egress filtering; SC-08 transmission confidentiality/integrity; SC-10 network disconnect; SC-20/SC-21/SC-22 DNS security (secure name resolution, DNSSEC); SC-23 session authenticity; SC-32 system partitioning/network segmentation. AC-04 information flow enforcement; CA-03 information exchange; SI-04 network monitoring. SC-46 (Rev 5) cross-domain policy enforcement; CA-09 (Rev 5) internal system connections authorization.

Gaps

Minimal gap. SP 800-53 network security controls are highly comprehensive. NCA ECC network security requirements closely align with NIST. Minor gap for NCA-specific network architecture standards for Saudi government networks and interconnection with Saudi national networks.

2-6 Mobile Devices Security

Rationale

AC-19 access control for mobile devices (MDM, encryption, remote wipe); AC-20 use of external systems (BYOD); CM-07 least functionality for device hardening; CM-08 component inventory including mobile devices; SC-28 protection of information at rest (device encryption); MP-04 media storage; MP-05 media transport; PE-17 alternate work site.

Gaps

NCA ECC has specific requirements for mobile device management, BYOD policies, and mobile application security in Saudi government context. SP 800-53 addresses mobile security through multiple controls but lacks a unified MDM control. NCA may mandate specific mobile device management solutions or configurations not covered by SP 800-53.

2-7 Data and Information Protection

Rationale

AC-03 access enforcement; AC-04 information flow; AC-16 security/privacy attributes for data labelling; MP family for media protection (MP-01 through MP-06); RA-02 security categorization; SC-28 protection at rest; SI-12 information management and retention. SI-19 (Rev 5) de-identification; PT-02 (Rev 5) authority to process; PT-03 (Rev 5) data minimization.

Gaps

NCA ECC requires data classification aligned with Saudi National Data Governance standards and Personal Data Protection Law (PDPL). Data sovereignty requirements mandate certain data categories remain within Saudi Arabia. SP 800-53 covers data protection technically but does not address Saudi data localization, PDPL compliance, or NCA data classification tiers.

2-8 Cryptography

Rationale

SC-12 cryptographic key establishment and management; SC-13 cryptographic protection (FIPS-validated modules); SC-17 public key infrastructure certificates; SC-28 protection of information at rest (encryption); SC-08 transmission confidentiality and integrity.

Gaps

NCA ECC may mandate use of NCA-approved or nationally recognized cryptographic standards and key management practices. SP 800-53 references FIPS 140-validated cryptography which is widely accepted, but NCA-specific requirements for Saudi national PKI, government certificate authorities, or approved algorithm lists represent a minor gap.

2-9 Backup and Recovery Management

Rationale

CP-09 information system backup (scope, frequency, integrity testing); CP-06 alternate storage site; CP-10 system recovery and reconstitution; MP-04 media storage for backup media; MP-05 media transport for offsite backup movement.

Gaps

NCA ECC may require backup storage within Saudi Arabia for classified or sovereign data, and specific recovery time objectives aligned with NCA guidelines. SP 800-53 covers backup comprehensively but does not address Saudi data residency requirements for backup storage locations.

2-10 Vulnerability Management

Rationale

RA-05 vulnerability monitoring and scanning (automated tools, scan frequency, remediation timelines); SI-02 flaw remediation (patch management); SI-05 security alerts, advisories, and directives; SA-11 developer security testing; CM-06 configuration settings (CIS benchmarks). SA-22 (Rev 5) unsupported system components addresses end-of-life vulnerabilities; RA-07 (Rev 5) risk response ensures vulnerability findings drive structured remediation actions.

Gaps

Minimal gap. SP 800-53 vulnerability management controls are highly comprehensive. NCA ECC vulnerability management requirements closely align with NIST. Minor gap for NCA-specific vulnerability disclosure requirements or mandated scanning frequencies for Saudi government systems.

2-11 Penetration Testing

Rationale

CA-08 penetration testing directly addresses this requirement with scope, methodology, and reporting; RA-05 vulnerability scanning complements penetration testing; SA-11 developer security testing includes code review and security testing during development.

Gaps

NCA ECC may require penetration testing by NCA-licensed providers using NCA-approved methodologies, with results shared with NCA for critical infrastructure operators. SP 800-53 covers penetration testing but does not address NCA-specific testing provider licensing or mandatory result reporting to the national authority.


2-12 Cybersecurity Event Logs and Monitoring Management

Rationale

AU family comprehensively covers event logging and monitoring: AU-01 policy; AU-02 audit events; AU-03 content of audit records; AU-04 audit storage capacity; AU-05 response to audit processing failures; AU-06 audit review, analysis, and reporting; AU-07 audit reduction and report generation; AU-08 time stamps; AU-09 protection of audit information; AU-10 non-repudiation; AU-11 audit record retention; AU-12 audit record generation; AU-13 monitoring for information disclosure; AU-14 session audit. SI-04 system monitoring; CA-07 continuous monitoring. SC-45 (Rev 5) system time synchronization ensures accurate timestamps for log correlation.

Gaps

Minimal gap. SP 800-53 AU family is one of the most comprehensive control areas. NCA ECC logging requirements closely mirror NIST. Minor gap for NCA-mandated log retention periods or requirements to forward security events to a national SOC or CERT.
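The rationale above ties SC-45 time synchronization to the log correlation that AU-06 review depends on. As an added example (not part of this analysis, nor NCA or NIST material), the Python below normalizes timestamps from three constructed log sources that use different zone conventions to UTC, orders them, and correlates events sharing an indicator within a 60-second window. The constructed nas-legacy line carries a clock that has drifted by several minutes, so its event drops out of the window even though it belongs to the same activity burst, which is exactly the failure that unsynchronized clocks produce in review.

```python
"""Normalize mixed-zone log timestamps to UTC and correlate events (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from hypothetical hosts; formats differ per source.
SAMPLE_LOGS = [
    ("fw-edge-1",  "2024-03-05T10:15:02+03:00 deny tcp 198.51.100.7 -> 10.0.0.5:445"),
    ("dc-auth-1",  "2024-03-05T07:15:03Z logon failure user=svc_backup src=10.0.0.5"),
    ("app-web-1",  "2024-03-05 10:14:55 +0300 GET /admin 403 src=198.51.100.7"),
    # nas-legacy is not time-synchronized; its clock reads about seven minutes fast.
    ("nas-legacy", "2024-03-05T10:22:10+03:00 share access svc_backup from 10.0.0.5"),
]

# Date, clock, optional zone (Z, +03:00 or +0300), then the message body.
TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})\s?(Z|[+-]\d{2}:?\d{2})?\s+(.*)$"
)


def parse_offset(zone):
    """Turn a zone suffix into a tzinfo; None when the line carries no zone."""
    if zone is None:
        return None
    if zone == "Z":
        return timezone.utc
    sign = 1 if zone[0] == "+" else -1
    digits = zone[1:].replace(":", "")
    return timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:])))


def parse_event(source, line, default_tz=timezone.utc):
    """Parse one line into a dict with its timestamp converted to UTC.

    Lines without a zone are interpreted in default_tz; a real deployment would
    set this per source from its documented configuration.
    """
    match = TS_RE.match(line)
    if not match:
        raise ValueError(f"unrecognized timestamp in line from {source}: {line!r}")
    date, clock, zone, message = match.groups()
    tz = parse_offset(zone) or default_tz
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return {"source": source, "utc": local.astimezone(timezone.utc), "message": message}


def normalize(logs, default_tz=timezone.utc):
    """Parse all lines and return them ordered by UTC time."""
    return sorted((parse_event(s, l, default_tz) for s, l in logs), key=lambda e: e["utc"])


def correlate(events, indicator, window_seconds=60):
    """Return events mentioning `indicator` that fall within the window after the first hit."""
    hits = [e for e in events if indicator in e["message"]]
    if not hits:
        return []
    start = hits[0]["utc"]
    return [e for e in hits if e["utc"] - start <= timedelta(seconds=window_seconds)]


if __name__ == "__main__":
    events = normalize(SAMPLE_LOGS)
    for e in events:
        print(e["utc"].isoformat(), e["source"], e["message"])
    related = correlate(events, "10.0.0.5")
    print("correlated on 10.0.0.5:", [e["source"] for e in related])
```

The nas-legacy event is the one a reviewer would most want alongside the failed logon, and it is lost only because its host's clock is wrong; widening the window to hide that is the wrong fix, because it also pulls in unrelated events, and correcting the time source (SC-45) is the right one.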

2-13 Cybersecurity Incident and Threat Management

Rationale

IR family comprehensively covers incident management: IR-01 policy; IR-02 training; IR-03 testing and exercises; IR-04 incident handling; IR-05 incident monitoring; IR-06 incident reporting; IR-07 incident response assistance; IR-08 incident response plan. IR-09 (Rev 5) information spillage response adds data exposure handling. PM-16 threat awareness program; SI-05 security alerts and advisories. RA-10 (Rev 5) threat hunting adds proactive threat detection capability.

Gaps

NCA ECC requires incident reporting to Saudi CERT (the national CERT) within specified timeframes and coordination with NCA during significant incidents. SP 800-53 covers incident management comprehensively but does not address Saudi CERT notification obligations, NCA incident classification levels, or mandatory information sharing with the national authority.

2-14 Web Application Security

Rationale

SA-04 acquisition requirements (secure web application requirements); SA-08 security engineering principles (secure by design for web applications); SA-11 developer security testing (including web application testing, OWASP coverage); SA-15 development process standards; SC-07 boundary protection (WAF, reverse proxy); SI-10 information input validation; SI-11 error handling; CM-07 least functionality (disable unnecessary web services). SI-16 (Rev 5) memory protection addresses code injection attacks; AC-04 information flow enforcement for web traffic.

Gaps

NCA ECC has specific web application security requirements including OWASP Top 10 remediation, web application firewall deployment, and secure coding standards. SP 800-53 addresses these through general development and protection controls but lacks a dedicated web application security control. NCA may mandate specific web application testing standards or WAF requirements.

3-1 Business Continuity Management Aspects of Cybersecurity

Rationale

CP family comprehensively covers business continuity: CP-01 policy; CP-02 contingency plan; CP-03 contingency training; CP-04 contingency plan testing; CP-06 alternate storage site; CP-07 alternate processing site; CP-08 telecommunications services; CP-09 system backup; CP-10 system recovery and reconstitution; PM-08 critical infrastructure plan; PM-11 mission/business process definition. CP-12 (Rev 5) safe mode; CP-13 (Rev 5) alternative security mechanisms. SC-24 (Rev 5) fail in known state; SI-17 (Rev 5) fail-safe procedures provide additional resilience for failure modes.

Gaps

NCA ECC requires business continuity planning integrated with cybersecurity that addresses Saudi-specific critical infrastructure protection requirements. SP 800-53 CP family is comprehensive for IT contingency but NCA may require alignment with Saudi Civil Defence requirements, national emergency coordination, or sector-specific continuity standards.

3-2 Disaster Recovery Aspects of Cybersecurity

Rationale

CP-02 contingency plan including disaster recovery procedures; CP-04 contingency plan testing (DR exercises); CP-06 alternate storage site; CP-07 alternate processing site; CP-09 system backup for DR data; CP-10 system recovery and reconstitution; IR-04 incident handling (DR activation triggers). SC-24 (Rev 5) fail in known state ensures systems recover to a secure state during disaster recovery.

Gaps

NCA ECC may require disaster recovery sites within Saudi Arabia for sovereign data and critical infrastructure systems. SP 800-53 covers DR comprehensively but does not address Saudi geographic requirements for DR sites, NCA-mandated recovery time objectives for critical national infrastructure, or coordination with national disaster management authorities.

4-1 Third-Party Cybersecurity

Rationale

SA-04 acquisition security requirements; SA-09 external system services; SA-12 supply chain protection. SR family for supply chain risk management: SR-01 policy; SR-02 supply chain risk assessment; SR-03 supply chain controls; SR-05 acquisition strategies; SR-06 supplier assessments; SR-08 notification agreements; SR-11 component authenticity. PS-07 external personnel security; CA-03 information exchange agreements.

Gaps

NCA ECC requires third-party cybersecurity assessments with specific Saudi regulatory compliance verification, including data sovereignty agreements and NCA-approved vendor assessment frameworks. SP 800-53 SR family is comprehensive for supply chain security but does not address NCA-specific third-party cybersecurity requirements, Saudi localisation mandates for third-party services, or mandatory cybersecurity clauses in Saudi government contracts.

4-2 Cloud Computing and Hosting Cybersecurity

Rationale

SA-09 external information system services (cloud service provider requirements); AC-20 use of external systems (cloud access); SC-07 boundary protection for cloud connectivity; CA-03 information exchange agreements with cloud providers; SC-28 protection at rest (cloud storage encryption). SR-01 supply chain policy applies to cloud vendors; SR-03 supply chain controls in cloud contracts. CA-09 (Rev 5) internal system connections for hybrid cloud architecture.

Gaps

NCA ECC has specific cloud computing requirements including mandatory use of cloud service providers with Saudi data centres for government data, compliance with NCA Cloud Cybersecurity Controls (CCC), and shared responsibility model documentation. SP 800-53 addresses cloud through general external service controls but does not cover NCA CCC requirements, Saudi cloud data residency mandates, CITC cloud licensing requirements, or NCA-specific cloud security classification. Significant gap for Saudi cloud sovereignty requirements.

5-1 ICS/OT Cybersecurity

Rationale

Relevant IT controls apply to ICS/OT environments: CA-07 continuous monitoring; CM-02 baseline configuration for ICS; CM-06 configuration settings; CM-07 least functionality (disable unnecessary services on SCADA/HMI); CP-02 contingency planning; IA-02 user authentication; IA-03 device identification (PLCs, RTUs); IA-09 service identification; IR-04 incident handling; PE-03 physical access control for ICS facilities; RA-03 risk assessment; RA-05 vulnerability scanning; SA-08 security engineering; SC-07 boundary protection (IT/OT DMZ); SC-32 system partitioning (network segmentation). SC-24 (Rev 5) fail in known state addresses ICS safety considerations; SC-46 (Rev 5) cross-domain policy enforcement supports IT/OT boundary governance; SI-04 monitoring; SI-07 integrity verification for firmware.

Gaps

Significant gap. SP 800-53 is IT-focused and does not adequately cover ICS/OT-specific requirements: SCADA protocol security (Modbus, DNP3, OPC UA), safety instrumented systems (SIS), process safety integration, zone/conduit architecture per IEC 62443, real-time determinism constraints, PLC/RTU firmware integrity, historian security, engineering workstation protection, and industrial safety (SIL) requirements. NCA ECC ICS controls reference IEC 62443 and NIST SP 800-82 which provide significantly deeper ICS/OT coverage. Saudi critical infrastructure (oil & gas, utilities, water) requires specialized OT security controls beyond SP 800-53 scope.

Methodology and Disclaimer

This coverage analysis maps from NCA ECC clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.