SAMA Cyber Security Framework — SP 800-53 Coverage
How well do NIST SP 800-53 Rev 5 controls address each SAMA CSF requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.
Clause-by-Clause Analysis
1.1 Cyber Security Governance
Rationale
PM-01 information security program plan establishes the governance foundation. PM-02 senior information security officer designates CISO-equivalent role. PM-03 resources ensures adequate funding and staffing. PM-09 risk management strategy and PM-10 security authorisation process formalise governance decision-making. PM-29 (Rev 5) risk management program leadership adds explicit senior executive risk oversight. PL-01 planning policy; PL-08 security and privacy architectures integrates security into enterprise architecture. PL-09 (Rev 5) central management enables unified governance across the organisation. PS-09 (Rev 5) position descriptions formalises security responsibilities.
Gaps
SAMA CSF requires a dedicated cyber security governance structure approved by the Board of Directors, including a Board-level cyber security committee, designated CISO reporting to the Board or CEO, and a documented cyber security strategy aligned to the institution's business strategy. SAMA-specific governance requirements include periodic Board reporting on cyber posture, alignment with SAMA regulatory expectations for financial institutions, and governance over cyber security budget allocation. SP 800-53 provides programme-level governance but not the prescriptive Board committee structure and regulatory reporting cadence mandated by SAMA.
1.2 Cyber Security Policy
Rationale
SP 800-53 has comprehensive policy controls across every family — each family's '-01' control establishes policy and procedures. PM-01 provides the overarching information security program plan. PM-09 risk management strategy; PM-10 security authorisation process; PM-11 mission/business process definition contextualises policies. PM-24 (Rev 5) data integrity board addresses organisational data governance policies. The breadth of family-level policy controls (AC-01 through SR-01) maps well to SAMA CSF's requirement for a comprehensive cyber security policy framework covering all security domains.
Gaps
SAMA CSF requires a single Board-approved cyber security policy document with mandatory annual review cycle and formal change management process for policy updates. The policy must explicitly address SAMA-specific requirements including alignment with SAMA regulations, Saudi Arabian data protection requirements, and Islamic finance-specific considerations. SP 800-53 distributes policy across individual control families rather than mandating a unified policy document structure.
1.3 Compliance with Legal, Regulatory and Industry Standards
Rationale
PM-01 program plan includes legal/regulatory compliance context. PM-09 risk strategy addresses regulatory risk. CA-02 security assessments and CA-05 plan of action track compliance status and remediation. CA-07 continuous monitoring and PM-31 (Rev 5) continuous monitoring strategy enable ongoing compliance verification. PM-06 measures of performance tracks compliance metrics. PM-14 testing supports compliance validation. PL-09 (Rev 5) central management provides organisational compliance oversight.
Gaps
SAMA CSF requires explicit compliance tracking against Saudi Arabian legal and regulatory requirements including SAMA Circular on Cyber Security Framework, Saudi Personal Data Protection Law (PDPL), Saudi Anti-Cyber Crime Law, Saudi National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC), and industry standards such as PCI DSS and SWIFT CSP. SP 800-53 provides assessment and monitoring mechanisms but does not address jurisdiction-specific regulatory compliance tracking, SAMA examination readiness, or the requirement to maintain a regulatory compliance register with evidence of conformity against each applicable Saudi regulation.
1.4 Cyber Security in Project Management
Rationale
SA-03 system development life cycle integrates security into project methodology. SA-04 acquisition process addresses security in procurement projects. SA-08 security and privacy engineering principles ensures security-by-design. SA-15 development process, standards, and tools governs development projects. SA-17 developer security architecture provides security design documentation. PM-07 enterprise architecture connects project-level security to enterprise strategy. SA-20 (Rev 5) customised development of critical components addresses bespoke development for high-assurance financial systems.
Gaps
SAMA CSF requires security considerations integrated into the full project management lifecycle — from initiation through closure — including security requirements in business cases, security sign-off at project gates, and security testing before go-live. Project risk assessment must include cyber risk dimensions. SP 800-53 SA family addresses security within development and acquisition but not the broader project governance discipline including project funding approval with security budget line items, SAMA notification for material technology projects, and post-implementation security review.
1.5 Cyber Security Roles and Responsibilities
Rationale
PM-02 senior information security officer designates the CISO role with authority and accountability. PS-01 personnel security policy and PS-02 position risk designation establish role-based security responsibilities. PS-07 external personnel security extends responsibilities to third-party staff. PS-09 (Rev 5) position descriptions directly addresses formalising security responsibilities in organisational role definitions, significantly strengthening this mapping. PL-01 planning policy establishes planning responsibilities. AC-05 separation of duties ensures distinct security roles do not conflict.
Gaps
SAMA CSF prescribes specific cyber security roles including CISO with direct Board/CEO reporting line, cyber security team structure, and defined responsibilities for the three lines of defence model (1st line business units, 2nd line risk/compliance, 3rd line internal audit). PS-09 improves role definition but SAMA-specific requirements for CISO qualifications, minimum team size relative to institution size, and the formal three-lines-of-defence cyber security accountability model are not addressed. SAMA also requires designation of a cyber security liaison officer for regulatory communications.
1.6 Cyber Security Awareness and Training
Rationale
AT-01 training policy establishes the awareness programme foundation. AT-02 literacy training and awareness provides organisation-wide security awareness. AT-03 role-based training delivers specialised training for security-critical roles. AT-04 training records maintains training completion evidence. AT-05 (Rev 5) contacts and groups facilitates security community building and information sharing. AT-06 (Rev 5) training feedback enables phishing simulation response mechanisms and training effectiveness measurement. PM-13 security workforce ensures adequate skilled security personnel. PM-15 security groups enables knowledge sharing communities.
Gaps
Minor: SAMA CSF requires cyber security awareness programmes tailored to all organisational levels including Board members, senior management, IT staff, and general users. AT-06 improves effectiveness measurement. SAMA-specific requirements include Arabic-language training materials, awareness about Saudi-specific cyber threats (regional APT groups, sectarian hacktivism), and mandatory awareness for new joiners within 30 days. Annual awareness programme review and Board-level briefings on awareness programme effectiveness are SAMA expectations not fully addressed.
1.7 Cyber Security in Human Resources
Rationale
PS family comprehensively addresses human resources security. PS-01 personnel security policy; PS-02 position risk designation categorises roles by sensitivity. PS-03 personnel screening covers background checks before employment. PS-04 personnel termination and PS-05 personnel transfer ensure access revocation and role transition controls. PS-06 access agreements formalise security obligations. PS-07 external personnel security extends controls to contractors. PS-08 personnel sanctions provides enforcement mechanism. PS-09 (Rev 5) position descriptions formalises security responsibilities in every role, directly strengthening pre-employment security integration.
Gaps
Minor: SP 800-53 PS family aligns well with SAMA CSF HR security requirements. SAMA-specific gaps include background check requirements aligned to Saudi labour law, security clearance verification through Saudi government channels for sensitive financial roles, and mandatory non-disclosure agreements meeting Saudi legal enforceability requirements. SAMA also expects integration with Saudi Mofawtar (employee registration) systems and compliance with SAMA workforce localisation (Saudisation) requirements for cyber security roles.
1.8 Cyber Security Risk Management
Rationale
PM-09 risk management strategy and PM-28 (Rev 5) risk framing establish the risk management foundation. PM-29 (Rev 5) risk management program leadership adds executive oversight. PM-30 (Rev 5) supply chain risk management strategy extends risk to third parties. PM-32 (Rev 5) purposing provides system classification for risk-based treatment. RA-01 risk assessment policy; RA-02 security categorisation; RA-03 risk assessment. RA-05 vulnerability monitoring; RA-07 (Rev 5) risk response adds explicit risk treatment actions. RA-09 (Rev 5) criticality analysis identifies critical components. PL-09 (Rev 5) central management enables unified risk governance. CA-05 plan of action tracks risk remediation.
Gaps
SAMA CSF requires a formal cyber risk management framework integrated into the institution's enterprise risk management (ERM) programme. Risk appetite must be defined and approved by the Board specifically for cyber risk. SAMA expects cyber risk quantification methodologies, regular cyber risk reporting to the Board risk committee, and alignment with SAMA's supervisory risk assessment framework. Integration of cyber risk with other banking risks (credit, market, operational) and Saudi NCA threat intelligence into risk assessments are SAMA-specific requirements.
1.9 Cyber Security Review and Audit
Rationale
CA-02 security assessments with independent assessors addresses security review requirements. CA-05 plan of action tracks remediation. CA-06 (Rev 5) authorisation formalises approval processes for audit activities. CA-07 continuous monitoring and PM-31 (Rev 5) continuous monitoring strategy provide ongoing security review mechanisms. CA-08 penetration testing covers technical security assessments. PM-06 measures of performance; PM-14 testing, training, and monitoring. AU-06 audit review and analysis. RA-05 vulnerability scanning; RA-10 (Rev 5) threat hunting adds proactive security review capability.
Gaps
SAMA CSF requires periodic independent cyber security reviews by qualified third parties, internal audit coverage of cyber security controls, and regular vulnerability assessments and penetration testing. SAMA expects audit findings to be reported to the Board Audit Committee and tracked to closure within defined timelines. SAMA-specific requirements include regulatory examination readiness, engagement of SAMA-approved auditors for certain assessments, and submission of audit findings to SAMA upon request. The three-lines-of-defence audit model with specific cyber security audit scope is a SAMA expectation beyond SP 800-53.
2.1 Asset Management
Rationale
CM-08 system component inventory directly addresses IT asset identification and tracking. CM-09 configuration management plan governs asset inventory processes. CM-12 (Rev 5) information location identifies where sensitive data resides across the asset landscape, critical for data classification. CM-13 (Rev 5) data action mapping documents data processing flows across assets. PM-05 system inventory provides organisational-level asset catalogue. RA-02 security categorisation classifies assets by criticality and sensitivity. RA-09 (Rev 5) criticality analysis enables risk-based prioritisation of assets. SC-07 boundary protection defines network asset boundaries.
Gaps
Minor: CM-12/CM-13 significantly improve data-centric asset management. SAMA CSF requires a comprehensive asset register including hardware, software, data, network, and personnel assets with assigned ownership and classification. Asset lifecycle management from procurement to disposal must align with SAMA expectations. Saudi data sovereignty classification for assets processing or storing data related to Saudi financial operations is a jurisdiction-specific requirement.
2.2 Regulatory Compliance and Reporting
Rationale
PM-01 programme plan includes regulatory context. PM-06 measures of performance tracks compliance metrics. PM-09 risk strategy addresses regulatory risk. CA-02 security assessments; CA-05 plan of action and milestones. CA-07 and PM-31 (Rev 5) continuous monitoring provide ongoing compliance status. PM-14 testing supports compliance validation. IR-06 incident reporting addresses regulatory notification after incidents.
Gaps
Significant: SAMA CSF requires extensive regulatory reporting including periodic compliance status submissions to SAMA, cyber incident notification within prescribed timeframes, annual cyber security posture reports, and self-assessment against SAMA CSF maturity levels. Specific regulatory obligations include reporting to SAMA on material cyber events, maintaining regulatory examination readiness, submitting remediation plans for identified deficiencies, and compliance with Saudi NCA reporting requirements. SP 800-53 provides internal assessment and monitoring but not the external regulatory reporting discipline, SAMA examination protocols, or Saudi Central Bank-specific submission formats.
3.1 Identity and Access Management
Rationale
AC and IA families provide comprehensive identity and access management coverage. AC-01 through AC-12 address access policy, account management, enforcement, information flow, separation of duties, least privilege, login controls, notifications, concurrent sessions, session locks, and session termination. AC-14 permitted actions without identification; AC-16 security/privacy attributes; AC-17 remote access; AC-18 wireless access; AC-19 mobile device access; AC-24 access control decisions. IA-01 through IA-12 cover identification/authentication policy, organisational/device/service authentication, identifier management, authenticator management, cryptographic module authentication, external identity management, cross-organisation trust, session re-authentication, and identity proofing. IA-12 (Rev 5) identity proofing strengthens user onboarding verification for financial institution personnel.
Gaps
Minimal: SP 800-53 AC/IA families are exceptionally strong for IAM. SAMA CSF requires privileged access management (PAM) with session recording and just-in-time access for critical banking systems, multi-factor authentication for all remote and administrative access, and periodic access recertification reviews. Customer-facing authentication requirements for online banking and SAMA-specific identity verification using Saudi National ID and Absher integration are jurisdiction-specific gaps.
3.2 Application Security
Rationale
SA family provides comprehensive application security lifecycle coverage. SA-03 system development lifecycle; SA-04 acquisition process; SA-08 security engineering principles; SA-10 developer configuration management; SA-11 developer testing and evaluation including code review and static/dynamic analysis. SA-15 development process, standards, and tools; SA-16 developer-provided training; SA-17 developer security architecture. SA-20 (Rev 5) customised development for critical financial components. SA-21 (Rev 5) developer screening vets development personnel. SA-22 (Rev 5) unsupported system components addresses legacy application risk. CM-04 impact analysis; CM-14 (Rev 5) signed components ensures application integrity. SI-10 information input validation; SI-11 error handling.
Gaps
Minor: SA-20/SA-21/CM-14 strengthen application security assurance significantly. SAMA CSF requires secure coding standards aligned to OWASP, mandatory code review before production deployment, application security testing (SAST/DAST/IAST) as part of CI/CD pipelines, and web application firewall deployment for internet-facing banking applications. API security requirements for open banking initiatives under SAMA's open banking framework are emerging requirements not directly addressed.
3.3 Infrastructure Security (Networks, Systems, Endpoints)
Rationale
SC-07 boundary protection provides core network security with DMZ, segmentation, and perimeter controls. SC-08 transmission confidentiality/integrity; SC-05 denial of service protection; SC-20/SC-21/SC-22 DNS security. SC-32 system partitioning for network segmentation; SC-40 (Rev 5) wireless link protection; SC-41 (Rev 5) port and I/O device access restriction strengthens endpoint hardening. CM-02 baseline configuration; CM-03 configuration change control; CM-06 configuration settings; CM-07 least functionality. SI-03 malware protection; SI-04 system monitoring; SI-07 software integrity verification; SI-16 (Rev 5) memory protection adds DEP/ASLR-type endpoint protection. AC-04 information flow; AC-17 remote access; AC-18 wireless; AC-19 mobile devices.
Gaps
Minor: SC-40/SC-41/SI-16 add wireless, port control, and memory protection for endpoints. SAMA CSF requires network segmentation specifically isolating SWIFT infrastructure, payment processing systems, and internet-facing services. Endpoint detection and response (EDR) deployment across all endpoints, network access control (NAC) implementation, and DDoS protection for internet-facing banking services are expected. SAMA-specific requirements for protecting critical national infrastructure classifications assigned by Saudi NCA are not addressed.
3.4 Cryptography
Rationale
SC-12 cryptographic key establishment and management provides comprehensive key lifecycle management. SC-13 cryptographic protection mandates approved cryptographic algorithms. SC-08 transmission confidentiality and integrity covers encryption in transit. SC-17 public key infrastructure certificates addresses PKI governance. SC-28 protection of information at rest covers encryption at rest. SC-40 (Rev 5) wireless link protection adds cryptographic requirements for wireless communications. IA-07 cryptographic module authentication ensures FIPS-validated modules.
Gaps
Minor: SC-40 extends cryptographic coverage to wireless links. SAMA CSF requires cryptographic standards aligned to international best practices with specific key management procedures including key generation, distribution, storage, rotation, and destruction. SAMA expects HSM usage for key storage in payment processing systems. Saudi-specific considerations include potential alignment with Saudi NCA cryptographic requirements and any future Saudi national cryptographic standards. Quantum-readiness and crypto-agility planning are emerging SAMA expectations not directly addressed.
3.5 Secure Configuration and Patch Management
Rationale
CM-02 baseline configuration establishes secure configuration baselines. CM-03 configuration change control; CM-04 impact analysis; CM-05 access restrictions for change; CM-06 configuration settings enforces hardened configurations. CM-07 least functionality removes unnecessary services and ports. CM-09 configuration management plan provides governance. CM-14 (Rev 5) signed components ensures configuration integrity. SI-02 flaw remediation directly addresses patch management. RA-05 vulnerability monitoring and scanning identifies systems requiring patching. RA-07 (Rev 5) risk response adds explicit risk treatment for unpatched vulnerabilities. SA-22 (Rev 5) unsupported system components addresses legacy system risk where patches are unavailable.
Gaps
Minor: CM-14/RA-07/SA-22 strengthen configuration and patch assurance. SAMA CSF requires patch deployment within defined timeframes — critical patches within 72 hours, high-severity within 30 days — and a formal exception process for deferred patching with compensating controls. Configuration baselines aligned to CIS benchmarks or equivalent hardening standards are expected. SAMA-specific requirements for patch management of ATM networks, SWIFT infrastructure, and core banking systems, where maintenance windows are constrained, are not addressed.
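The timeframes and exception process above are easiest to see as a backlog check. The following is an added example, not code from SAMA, NIST or any product: it evaluates each outstanding patch against the 72-hour and 30-day windows quoted in the clause, treats a deferral as valid only while it is in force and names at least one compensating control, and counts results per status. The record layout, the medium/low windows and the exception rules are assumptions; asset names and advisory identifiers in the sample backlog are constructed placeholders.

```python
"""Patch SLA tracker for the timeframes quoted in clause 3.5: critical patches
within 72 hours, high-severity within 30 days, and a formal exception process
for deferred patching backed by compensating controls.

Added illustration, not code from SAMA, NIST or any product. The record
layout, the medium/low windows and the exception-validity rules are
assumptions; advisory identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation windows keyed by severity. Critical and high are the values
# quoted in the clause; medium and low are assumed institution-set values.
SLA_WINDOWS = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),   # assumption
    "low": timedelta(days=180),     # assumption
}


@dataclass
class PatchException:
    """A documented deferral: who approved it, until when, and which
    compensating controls are in place while the patch is outstanding."""
    approved_by: str
    expires: datetime
    compensating_controls: tuple


@dataclass
class PatchItem:
    asset: str
    advisory: str              # vendor advisory / CVE reference (placeholder here)
    severity: str
    published: datetime        # when the fix became available; the SLA clock starts here
    patched: Optional[datetime] = None
    exception: Optional[PatchException] = None


def deadline(item: PatchItem) -> datetime:
    """Latest acceptable patch time for this item under SLA_WINDOWS."""
    return item.published + SLA_WINDOWS[item.severity]


def evaluate(item: PatchItem, now: datetime) -> str:
    """Classify one backlog entry as one of: patched, patched_late, excepted,
    invalid_exception, within_sla, overdue."""
    due = deadline(item)
    if item.patched is not None:
        return "patched" if item.patched <= due else "patched_late"
    if item.exception is not None:
        exc = item.exception
        # A deferral only counts while it is in force and names at least one
        # compensating control; otherwise the item is treated as unpatched.
        if exc.expires > now and exc.compensating_controls:
            return "excepted"
        return "invalid_exception"
    return "within_sla" if now <= due else "overdue"


def report(items, now: datetime) -> dict:
    """Count backlog entries per status, e.g. for a management dashboard."""
    counts: dict = {}
    for item in items:
        status = evaluate(item, now)
        counts[status] = counts.get(status, 0) + 1
    return counts


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample backlog; asset names and advisory IDs are placeholders.
NOW = utc(2024, 6, 10, 12, 0)
SAMPLE_ITEMS = [
    PatchItem("core-banking-db", "ADV-PLACEHOLDER-1", "critical", utc(2024, 6, 8)),
    PatchItem("swift-gateway", "ADV-PLACEHOLDER-2", "critical", utc(2024, 6, 5)),
    PatchItem("atm-controller", "ADV-PLACEHOLDER-3", "high", utc(2024, 5, 1),
              exception=PatchException("CISO", utc(2024, 7, 1),
                                       ("network isolation", "enhanced monitoring"))),
    PatchItem("branch-workstation", "ADV-PLACEHOLDER-4", "high", utc(2024, 4, 1),
              patched=utc(2024, 4, 20)),
    PatchItem("dr-hypervisor", "ADV-PLACEHOLDER-5", "medium", utc(2024, 1, 1),
              patched=utc(2024, 4, 5)),
    PatchItem("legacy-app-server", "ADV-PLACEHOLDER-6", "critical", utc(2024, 5, 20),
              exception=PatchException("CISO", utc(2024, 6, 1), ("WAF rule",))),
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(f"{item.asset:20} {item.severity:9} due {deadline(item):%Y-%m-%d %H:%M}  "
              f"{evaluate(item, NOW)}")
    print(report(SAMPLE_ITEMS, NOW))
```

Two design points matter for audit use: the clock starts when the fix is published, not when the scanner first reports the finding, so a late scan does not extend the window; and an expired or control-less exception drops the item back into the unpatched population rather than silently keeping it "excepted".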
3.6 Cyber Security Event and Incident Management
Rationale
IR family provides comprehensive incident management: IR-01 policy; IR-02 training; IR-03 testing; IR-04 incident handling; IR-05 monitoring; IR-06 reporting; IR-07 assistance; IR-08 incident response plan. IR-09 (Rev 5) information spillage response addresses data breach incidents. SI-04 system monitoring and AU-06 audit review provide event detection. SI-05 security alerts/advisories. PM-16 threat awareness programme. RA-10 (Rev 5) threat hunting enables proactive incident discovery. SC-26 (Rev 5) honeypots provide deception-based detection. SC-44 (Rev 5) detonation chambers enable sandbox analysis of suspicious artefacts.
Gaps
SAMA CSF requires a formal cyber incident response plan tested at least annually through simulation exercises. Incident classification and escalation procedures must include mandatory notification to SAMA within prescribed timeframes for material incidents. SAMA expects a Security Operations Centre (SOC) — internal or managed — operating 24/7 with defined SLAs for event triage and incident response. Integration with Saudi CERT (operating under NCA) for threat intelligence sharing and coordinated incident response is a jurisdiction-specific requirement. A cyber crisis management plan with Board notification procedures and a public communications strategy are SAMA expectations beyond SP 800-53 scope.
3.7 Physical Security
Rationale
PE family comprehensively addresses physical security. PE-01 policy; PE-02/PE-03 physical access authorisation and enforcement; PE-04 access control for transmission; PE-05 access control for output devices; PE-06 monitoring physical access; PE-08 visitor access records; PE-09 power equipment and cabling; PE-10 emergency shutoff; PE-11 emergency power; PE-12 emergency lighting; PE-13 fire protection; PE-14 environmental controls (temperature/humidity); PE-15 water damage protection; PE-17 alternate work site; PE-18 location of system components; PE-19 information leakage (TEMPEST); PE-20 asset monitoring and tracking; PE-21 electromagnetic pulse protection; PE-23 facility location.
Gaps
Minor: PE family coverage is strong for physical security. SAMA CSF requires physical security for data centres, server rooms, and critical infrastructure areas including biometric access control, CCTV with retention requirements, and visitor management procedures. SAMA-specific considerations include physical security requirements for ATM infrastructure, branch security for technology equipment, and data centre tier classification (Tier III minimum for primary, Tier II for DR). Saudi building code compliance and NCA critical national infrastructure physical protection requirements need supplementation.
3.8 Bring Your Own Device (BYOD)
Rationale
AC-19 access control for mobile devices directly addresses BYOD device management including enrolment, configuration, and access policies. AC-20 use of external systems governs access from non-organisational devices. AC-17 remote access controls BYOD connectivity to corporate resources. CM-02 baseline configuration and CM-06 configuration settings apply security baselines to BYOD devices. SC-08 transmission confidentiality protects data in transit from personal devices. SC-10 network disconnect; SC-23 session authenticity for remote sessions. SC-43 usage restrictions provides additional control over system component usage.
Gaps
SAMA CSF requires a formal BYOD policy that addresses device enrolment, mobile device management (MDM/MAM) deployment, containerisation to separate personal and corporate data, remote wipe capability, and acceptable use requirements. SAMA expects data classification enforcement on BYOD devices preventing sensitive financial data from being stored on personal devices. Specific requirements include device compliance checking before network access, application whitelisting on BYOD devices accessing banking systems, and BYOD risk acceptance by business owners with documented risk assessments.
3.9 Secure Disposal of Information Assets
Rationale
MP-06 media sanitisation directly addresses secure disposal with NIST SP 800-88 methods (clear, purge, destroy). MP-01 media protection policy; MP-02 media access; MP-03 media marking; MP-04 media storage; MP-05 media transport; MP-07 media use restrictions; MP-08 media downgrading. PE-16 delivery and removal tracking controls physical asset movement. SR-12 component disposal addresses supply chain disposal security including component sanitisation and destruction verification.
Gaps
Minor: MP-06 with NIST SP 800-88 guidance and SR-12 component disposal provide strong coverage. SAMA CSF requires documented disposal procedures with certificates of destruction, verified sanitisation before asset disposal or repurposing, and a disposal register maintained as audit evidence. SAMA-specific requirements include compliance with Saudi data protection regulations during disposal, ensuring no Saudi customer financial data persists on disposed assets, and engagement of approved disposal vendors with chain-of-custody documentation.
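The disposal register described above is audit evidence only if each entry can be checked against the procedure. The following is an added example, not SAMA, NIST or vendor code: it validates register entries for a recorded SP 800-88 method (clear, purge, destroy), verification that does not predate the sanitisation it attests to, a certificate of destruction where media was destroyed, and an approved vendor with chain-of-custody evidence where the asset left the institution. The register schema, the approved-vendor list, and the rule that clearing alone is not accepted for customer financial data leaving the institution's control are assumptions; the sample entries are constructed.

```python
"""Disposal-register checks for clause 3.9.

Added illustration, not SAMA, NIST or vendor code. The register schema, the
approved-vendor list and the 'clear is insufficient for customer financial
data leaving control' rule are assumptions; sample entries are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, List

SANITISATION_METHODS = {"clear", "purge", "destroy"}   # NIST SP 800-88 categories
APPROVED_VENDORS = {"ACME-DISPOSAL-PLACEHOLDER"}        # assumed approved-vendor list


@dataclass
class DisposalEntry:
    asset_id: str
    media_type: str
    classification: str            # e.g. "internal", "customer_financial"
    disposition: str               # "repurpose" (stays in-house) or "external" (leaves control)
    method: str
    sanitised_on: date
    verified_by: Optional[str] = None
    verified_on: Optional[date] = None
    certificate_ref: Optional[str] = None
    vendor: Optional[str] = None
    chain_of_custody_ref: Optional[str] = None


def findings(e: DisposalEntry) -> List[str]:
    """Return audit findings for one register entry (empty list = compliant)."""
    out: List[str] = []
    if e.method not in SANITISATION_METHODS:
        out.append(f"{e.asset_id}: unknown sanitisation method '{e.method}'")
    # Verification must exist and cannot predate the sanitisation it attests to.
    if not e.verified_by or e.verified_on is None:
        out.append(f"{e.asset_id}: sanitisation not verified")
    elif e.verified_on < e.sanitised_on:
        out.append(f"{e.asset_id}: verification dated before sanitisation")
    if e.method == "destroy" and not e.certificate_ref:
        out.append(f"{e.asset_id}: destruction without certificate of destruction")
    if e.disposition == "external":
        if e.vendor not in APPROVED_VENDORS:
            out.append(f"{e.asset_id}: vendor '{e.vendor}' not on approved list")
        if not e.chain_of_custody_ref:
            out.append(f"{e.asset_id}: no chain-of-custody record for asset leaving control")
        # Assumed policy: clearing alone is not accepted for customer financial
        # data on media that leaves the institution; purge or destroy instead.
        if e.classification == "customer_financial" and e.method == "clear":
            out.append(f"{e.asset_id}: 'clear' insufficient for customer financial data leaving control")
    return out


def audit(register) -> dict:
    """Map asset_id -> findings for every non-compliant entry in the register."""
    return {e.asset_id: f for e in register if (f := findings(e))}


# Constructed sample register; asset IDs, vendor and reference numbers are placeholders.
SAMPLE_REGISTER = [
    DisposalEntry("SRV-001", "ssd", "customer_financial", "external", "destroy",
                  date(2024, 5, 2), "j.doe", date(2024, 5, 2), "COD-PLACEHOLDER-1",
                  "ACME-DISPOSAL-PLACEHOLDER", "COC-PLACEHOLDER-1"),
    DisposalEntry("LAP-042", "hdd", "customer_financial", "external", "clear",
                  date(2024, 5, 3), "j.doe", date(2024, 5, 3), None,
                  "UNLISTED-VENDOR", None),
    DisposalEntry("WS-117", "hdd", "internal", "repurpose", "purge",
                  date(2024, 5, 4)),
    DisposalEntry("TAPE-09", "tape", "customer_financial", "external", "destroy",
                  date(2024, 5, 5), "a.smith", date(2024, 5, 1), None,
                  "ACME-DISPOSAL-PLACEHOLDER", "COC-PLACEHOLDER-2"),
]

if __name__ == "__main__":
    for asset_id, issues in audit(SAMPLE_REGISTER).items():
        for issue in issues:
            print(issue)
```

Run against the sample register, the SSD entry passes, the laptop fails on vendor, chain of custody and method, the workstation lacks verification, and the tape has a verification date earlier than its sanitisation date and no certificate; those are the findings an auditor would expect to raise from the register alone.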
4.1 Third Party Risk Management
Rationale
SA-04 acquisition process includes security requirements in vendor contracts. SA-09 external system services governs third-party service security. SA-12 supply chain protection. SR-01 supply chain risk management policy; SR-02 supply chain risk assessment; SR-03 supply chain controls and processes; SR-05 acquisition strategies; SR-06 supplier assessments and reviews. PM-30 (Rev 5) supply chain risk management strategy provides enterprise-level third-party risk governance. SA-21 (Rev 5) developer screening adds personnel vetting for third-party development teams. PS-07 external personnel security addresses contractor and consultant controls.
Gaps
SAMA CSF requires a formal third-party risk management framework with risk-based due diligence before engagement, ongoing monitoring of third-party security posture, and periodic reassessment. Specific requirements include right-to-audit clauses in all third-party contracts, SAMA notification for material outsourcing arrangements, concentration risk assessment across critical third parties, and exit strategy planning. SAMA expects third-party compliance with SAMA CSF requirements proportionate to the services provided, and data localisation requirements where Saudi customer data must remain within approved jurisdictions.
4.2 Outsourcing Cyber Security Requirements
Rationale
SA-04 acquisition and SA-09 external services establish security requirements for outsourced functions. SR-01/SR-02/SR-03 supply chain risk management covers outsourcing risk assessment and controls. SR-06 supplier assessments provides ongoing monitoring of outsourced service providers. SA-21 (Rev 5) developer screening addresses personnel vetting for outsourced development. PS-07 external personnel security for outsourced staff. CA-02 security assessments and PM-14 testing enable assessment of outsourced service security.
Gaps
SAMA CSF requires prior SAMA approval for outsourcing critical cyber security functions. Outsourcing agreements must include specific cyber security requirements, SLAs for security services (e.g., SOC response times, vulnerability remediation timelines), right-to-audit, regulatory access to outsourced service provider premises, and data protection obligations. SAMA expects a register of all outsourced cyber security functions with risk ratings. Restrictions on outsourcing to jurisdictions that may impede SAMA supervisory access, business continuity requirements for outsourced services, and mandatory fallback capabilities are SAMA-specific regulatory requirements beyond SP 800-53 scope.
4.3 Cloud Computing Security
Rationale
SA-09 external system services is the primary control for cloud service security including SLAs and security requirements. AC-20 use of external systems governs access from and to cloud environments. SC-07 boundary protection addresses cloud network security; SC-08 transmission security for cloud connectivity. SC-12/SC-13 cryptographic key management and protection for cloud-hosted data. SC-28 encryption at rest for cloud storage. CM-02/CM-06 configuration management for cloud workloads. CA-09 (Rev 5) internal system connections addresses hybrid cloud connectivity. SR-01 supply chain risk management policy and SR-06 supplier assessments provide cloud vendor governance.
Gaps
SAMA CSF requires a cloud computing risk assessment before adoption, alignment with SAMA cloud computing regulatory framework, and specific security controls for IaaS/PaaS/SaaS deployment models. SAMA mandates data classification-based cloud eligibility — certain data categories may not be hosted in public cloud or must remain within Saudi Arabia or approved jurisdictions. Shared responsibility model documentation, cloud-specific incident response procedures, cloud exit strategy with data portability guarantees, and SAMA notification for material cloud adoption decisions are regulatory requirements. Saudi data residency requirements and NCA cloud security certifications for cloud providers are jurisdiction-specific gaps.
Methodology and Disclaimer
This coverage analysis maps from SAMA CSF clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.
Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.
This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.