← Frameworks / OSFI B-13 / Coverage Analysis

OSFI Guideline B-13 Technology and Cyber Risk Management — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each OSFI B-13 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 17
Avg Coverage: 78.1%
Publisher: Office of the Superintendent of Financial Institutions (OSFI)
Coverage Distribution
Full (85-100%): 5 Substantial (65-84%): 10 Partial (40-64%): 2 Weak (1-39%): 0
OSFI B-13 → SP 800-53 SP 800-53 → OSFI B-13 Coverage Analysis

Clause-by-Clause Analysis

Sorted by clause
B-13.1.1 Technology and cyber risk governance, accountability, and culture
AC-05 AT-01 AT-02 AT-03 +13
73%

Rationale

AC-05 separation of duties; AT-01 through AT-05 awareness and training; PL-04 rules of behaviour; PS-01 through PS-08 personnel security. PS-09 (new in Rev 5) position descriptions formalizes security in role definitions. AT-06 (new in Rev 5) training feedback measures training effectiveness, supporting risk culture development.

Gaps

PS-09/AT-06 strengthen governance by formalizing security in roles and measuring training effectiveness. OSFI B-13 board/senior management accountability for technology and cyber risk, risk appetite statement, and technology risk culture requirements remain gaps.

Mapped Controls

AC-05 AT-01 AT-02 AT-03 AT-04 AT-05 PL-04 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09 AT-06
B-13.1.2 Technology and cyber risk strategy
PL-01 PL-02 PL-03 PL-06 +4
70%

Rationale

PL-01 security planning policy; PL-02 system security plan; PL-03 plan update; PL-06 security-related activity planning; SA-02 resource allocation. PL-09 (new in Rev 5) central management; PL-10 (new in Rev 5) baseline selection; PL-11 (new in Rev 5) baseline tailoring together provide a governance-select-tailor cycle supporting strategic security planning.

Gaps

PL-09/PL-10/PL-11 improve strategic control management. OSFI B-13 requires technology and cyber risk strategy aligned with business objectives and risk appetite; Canadian-specific regulatory expectations and OSFI risk appetite framework are not addressed.

Mapped Controls

PL-01 PL-02 PL-03 PL-06 SA-02 PL-09 PL-10 PL-11
B-13.1.3 Technology and cyber risk management framework
AC-01 AU-01 CA-01 CA-02 +22
80%

Rationale

Extensive policy controls; CA-02/CA-04/CA-05/CA-06/CA-07 security assessment and authorization; PL-05/PT-02/PT-03 privacy; RA-02/RA-03/RA-04 risk assessment. RA-07 (new in Rev 5) risk response adds explicit risk treatment. RA-08 (new in Rev 5) privacy impact assessments extend to privacy risk. RA-09 (new in Rev 5) criticality analysis strengthens risk prioritization. PL-09 (new in Rev 5) central management enables unified framework governance.

Gaps

RA-07/RA-08/RA-09/PL-09 significantly strengthen the risk management framework. OSFI-specific reporting requirements and Canadian regulatory risk appetite integration still need supplementation.

Mapped Controls

AC-01 AU-01 CA-01 CA-02 CA-04 CA-05 CA-06 CA-07 IA-01 PL-01 PL-02 PL-03 PL-05 PT-01 PT-02 PT-03 RA-01 RA-02 RA-03 RA-04 SC-01 SI-01 RA-07 RA-08 RA-09 PL-09
B-13.1.4 Technology and cyber risk reporting
CA-05 IR-06 RA-04 RA-07
57%

Rationale

CA-05 POA&M; IR-06 incident reporting; RA-04 risk assessment update. RA-07 (new in Rev 5) risk response documents risk treatment decisions that feed into reporting.

Gaps

RA-07 improves risk treatment documentation for reporting. OSFI B-13 requires regular board reporting on technology and cyber risk posture, OSFI self-assessment reporting, and risk posture dashboards which are regulatory requirements not addressed.

Mapped Controls

CA-05 IR-06 RA-04 RA-07
B-13.2.1 Technology asset management
CM-08 PE-16 SA-03 CM-12 +1
75%

Rationale

CM-08 component inventory; PE-16 delivery and removal; SA-03 lifecycle support. CM-12 (new in Rev 5) information location identifies where information assets reside. CM-13 (new in Rev 5) data action mapping documents data processing flows across technology assets.

Gaps

CM-12/CM-13 improve asset-to-data relationship tracking. OSFI B-13 comprehensive technology asset lifecycle management and end-of-life planning requirements now partially addressed; end-of-life risk management still needs supplementation.

Mapped Controls

CM-08 PE-16 SA-03 CM-12 CM-13
B-13.2.2 Technology architecture and standards
CA-03 CM-01 CM-02 CM-06 +12
78%

Rationale

CA-03 system connections; CM family configuration management; SA family system acquisition and architecture; SC-02/SC-03/SC-22 system protection. CM-14 (new in Rev 5) signed components ensures architectural integrity through cryptographic verification. SA-23 (new in Rev 5) specialization enables purpose-built security components in architecture.

Gaps

CM-14/SA-23 add architectural integrity verification and specialized security components. OSFI B-13 documented technology architecture aligned with risk appetite and Canadian financial sector technology standards need supplementation.

Mapped Controls

CA-03 CM-01 CM-02 CM-06 CM-07 SA-01 SA-03 SA-05 SA-06 SA-07 SA-08 SC-02 SC-03 SC-22 CM-14 SA-23
B-13.2.3 Technology change management
CM-01 CM-03 CM-04 CM-05 +10
87%

Rationale

CM-01/CM-03/CM-04/CM-05 configuration management and change control; MA-01 through MA-06 system maintenance; SA-01/SA-04/SA-10 acquisition and developer configuration management. CM-14 (new in Rev 5) signed components verifies integrity of changed software/firmware through cryptographic signatures.

Gaps

Minor: CM-14 adds change integrity verification. SP 800-53 provides comprehensive change management through CM and MA families. OSFI B-13 change management requirements well addressed.

Mapped Controls

CM-01 CM-03 CM-04 CM-05 MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 SA-01 SA-04 SA-10 CM-14
B-13.2.4 Technology vulnerability and patch management
MA-06 RA-05 SI-01 SI-02 +2
87%

Rationale

MA-06 timely maintenance; RA-05 vulnerability scanning; SI-01 system integrity policy; SI-02 flaw remediation; SI-05 security alerts and advisories. RA-07 (new in Rev 5) risk response provides structured approach to vulnerability treatment decisions.

Gaps

Minor: RA-07 improves vulnerability risk treatment decisions. SP 800-53 provides comprehensive vulnerability and patch management.

Mapped Controls

MA-06 RA-05 SI-01 SI-02 SI-05 RA-07
B-13.2.5 Technology incident management
IR-01 IR-02 IR-03 IR-04 +4
82%

Rationale

IR-01 through IR-07 incident response family. IR-09 (new in Rev 5) information spillage response adds specific procedures for data exposure incidents relevant to financial data breaches.

Gaps

IR-09 strengthens incident management for data spillage scenarios. OSFI B-13 OSFI notification for significant technology incidents and Canadian regulatory reporting requirements need supplementation.

Mapped Controls

IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-09
B-13.2.6 Technology resilience and disaster recovery
CP-01 CP-02 CP-03 CP-04 +19
87%

Rationale

CP-01 through CP-10 contingency planning family; PE-09 through PE-18 physical environmental protection; SC-05 denial of service; SC-06 resource priority. SC-24 (new in Rev 5) fail in known state ensures systems preserve security during failures. SI-17 (new in Rev 5) fail-safe procedures provide additional resilience for critical financial systems.

Gaps

Minor: SC-24/SI-17 strengthen resilience through failure mode management. SP 800-53 provides comprehensive resilience and disaster recovery at the technical level.

Mapped Controls

CP-01 CP-02 CP-03 CP-04 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 SC-05 SC-06 SC-24 SI-17
B-13.3.1 Cyber risk identification and assessment
CM-08 RA-02 RA-03 RA-05 +2
83%

Rationale

CM-08 component inventory; RA-02 security categorisation; RA-03 risk assessment; RA-05 vulnerability scanning. RA-09 (new in Rev 5) criticality analysis identifies critical financial system components. RA-07 (new in Rev 5) risk response provides structured risk treatment.

Gaps

RA-09/RA-07 improve criticality-based risk assessment and structured response. OSFI-specific cyber risk assessment methodology and Canadian threat landscape considerations may still need supplementation.

Mapped Controls

CM-08 RA-02 RA-03 RA-05 RA-09 RA-07
B-13.3.2 Cyber security controls
AC-01 AC-02 AC-03 AC-04 +85
92%

Rationale

Extensive coverage via AC, IA, MA, MP, PE, PS, PT, SA, SC, and SI families. SC-41 (new in Rev 5) port and I/O device access restriction strengthens endpoint control. SI-16 (new in Rev 5) memory protection adds DEP/ASLR-type protections. SC-44 (new in Rev 5) detonation chambers provides advanced malware analysis.

Gaps

Minor: SC-41/SI-16/SC-44 add endpoint hardening, memory protection, and malware sandboxing. Very strong alignment with OSFI B-13 cyber security control requirements across all technical domains.

Mapped Controls

AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AU-09 CA-03 CM-05 CM-06 CM-07 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 MA-04 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-17 PE-19 PS-04 PS-05 PT-01 PT-07 SA-07 SA-08 SA-10 SA-11 SC-01 SC-02 SC-03 SC-04 SC-05 SC-07 SC-08 SC-09 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-20 SC-21 SC-22 SC-23 SI-03 SI-07 SI-08 SI-09 SI-10 SI-11 SI-12 SC-41 SI-16 SC-44
B-13.3.3 Cyber security monitoring and detection
AC-13 AT-05 AU-01 AU-02 +22
87%

Rationale

AC-13 supervision/review; AT-05 contacts; AU-01 through AU-11 audit family; CA-07 continuous monitoring; CM-04 change monitoring; SI-03/SI-04/SI-05/SI-06/SI-07/SI-08 system integrity monitoring. SC-45 (new in Rev 5) system time synchronization ensures correlated monitoring timestamps. SC-42 (new in Rev 5) sensor capability/data addresses monitoring sensor management.

Gaps

Minor: SC-45/SC-42 improve monitoring correlation through time sync and sensor management. OSFI B-13 monitoring requirements well addressed.

Mapped Controls

AC-13 AT-05 AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 CA-07 CM-04 IR-05 PE-06 PE-08 SI-03 SI-04 SI-05 SI-06 SI-07 SI-08 SC-45 SC-42
B-13.3.4 Cyber incident response
CP-10 IR-01 IR-02 IR-03 +4
77%

Rationale

CP-10 system recovery; IR-01 through IR-04/IR-06/IR-07 incident response. IR-09 (new in Rev 5) information spillage response adds data breach-specific handling procedures relevant to financial data incidents.

Gaps

IR-09 strengthens data breach incident response. OSFI-specific notification requirements, Canadian CCIRC coordination, and regulatory escalation requirements need supplementation.

Mapped Controls

CP-10 IR-01 IR-02 IR-03 IR-04 IR-06 IR-07 IR-09
B-13.3.5 Cyber security testing
CA-02 CA-04 CP-04 IR-03 +3
82%

Rationale

CA-02 security assessments; CA-04 certification; CP-04 contingency testing; IR-03 incident response testing; SA-11 developer security testing; SI-06 functionality verification. RA-09 (new in Rev 5) criticality analysis enables risk-prioritized testing of critical financial system components.

Gaps

RA-09 improves test prioritization based on criticality. OSFI-specific testing cadence and Canadian financial sector testing requirements may need supplementation.

Mapped Controls

CA-02 CA-04 CP-04 IR-03 SA-11 SI-06 RA-09
B-13.4.1 Third-party technology risk management
AC-20 MA-05 PS-07 SA-04 +14
73%

Rationale

AC-20 external systems; MA-05 maintenance personnel; PS-07 third-party personnel; SA-04 acquisitions; SA-09 external services; SR-01 through SR-12 supply chain family. SA-21 (new in Rev 5) developer screening adds personnel vetting for third-party development teams.

Gaps

SA-21 strengthens third-party personnel assurance. OSFI B-13 concentration risk assessment, Canadian regulatory considerations, and OSFI notification for material outsourcing remain regulatory gaps.

Mapped Controls

AC-20 MA-05 PS-07 SA-04 SA-09 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-09 SR-10 SR-11 SR-12 SA-21
B-13.4.2 Third-party technology risk oversight and monitoring
SA-09 CA-07 CA-09
58%

Rationale

SA-09 external information system services; CA-07 continuous monitoring. CA-09 (new in Rev 5) internal system connections authorizes and monitors connections including those to third-party systems.

Gaps

CA-09 adds connection-level monitoring for third-party integrations. OSFI B-13 ongoing oversight requirements including SLA monitoring, performance metrics, third-party risk reassessment cadence, and Canadian regulatory expectations need supplementation.

Mapped Controls

SA-09 CA-07 CA-09

Methodology and Disclaimer

This coverage analysis maps from OSFI B-13 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.