
SEBI Cybersecurity and Cyber Resilience Framework for Regulated Entities — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each SEBI CSCRF requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 9
Substantial (65-84%): 24
Partial (40-64%): 7
Weak (1-39%): 1

Clause-by-Clause Analysis

AUDIT Periodic Audit and Compliance Reporting

Rationale

CA-02 security assessments; CA-05 plan of action and milestones; CA-06 (Rev 5) authorisation. CA-07 continuous monitoring; AU-06 audit review and analysis. PM-06 measures of performance; PM-14 testing, training, and monitoring.

Gaps

Significant: SEBI CSCRF mandates periodic audits by CERT-In empanelled IS auditing organisations. Standardised compliance reporting formats are prescribed in Part III (compliance report, incident report, VAPT report, etc.). Audit findings must be reported to the Board and submitted to SEBI within prescribed timelines. Annual CSCRF compliance certification by the Board is required. ISO 27001 certification is mandatory for major REs (MIIs and Qualified REs). These prescriptive audit and compliance requirements are entirely SEBI-specific.

BCP-DR Business Continuity and Disaster Recovery

Rationale

CP family comprehensively addresses BCP/DR: CP-01 policy; CP-02 contingency plan; CP-03 training; CP-04 testing; CP-05 plan update; CP-06 alternate storage; CP-07 alternate processing; CP-08 telecommunications; CP-09 backup; CP-10 recovery/reconstitution; CP-11 alternate communications. PM-08 critical infrastructure plan and PM-11 mission/business process definition support BIA.

Gaps

SEBI CSCRF mandates BCP and DR planning with specific focus on market continuity. RTOs and RPOs must be defined for all critical market infrastructure systems. DR site with geographic separation and synchronous replication for core trading/settlement systems is prescribed. Annual DR drills with switchover/switchback testing are mandatory. Near-zero RPO for MII core systems and coordinated DR testing with connected market entities are SEBI-specific requirements.

CAPACITY Capacity Building and Cyber Awareness

Rationale

AT-01 policy; AT-02 literacy training and awareness; AT-03 role-based training; AT-04 training records. AT-05 (Rev 5) contacts and groups facilitates cyber community building. AT-06 (Rev 5) training feedback enables simulation exercises. PM-13 security workforce ensures qualified staff. PM-15 security groups for knowledge sharing. PM-27 (Rev 5) privacy reporting for stakeholder transparency.

Gaps

SEBI CSCRF mandates capacity building programs at all levels including Board, senior management, IT staff, and market participants. Cyber awareness training must cover securities market-specific threats and SEBI compliance obligations. Training for market participants (brokers, sub-brokers, depository participants) on cyber hygiene extends beyond organisational workforce training. CERT-In coordinated awareness campaigns and SEBI investor education initiatives are India-specific.

CCI Cyber Capability Index Assessment

Rationale

CA-02 security assessments provide the assessment framework. CA-07 continuous monitoring and PM-31 (Rev 5) continuous monitoring strategy define ongoing measurement. PM-06 measures of performance establishes cybersecurity metrics. PM-14 testing, training, and monitoring ensures assessment coverage.

Gaps

Significant: The Cyber Capability Index (CCI) is a SEBI-specific construct for rating cybersecurity and resilience controls of REs. MIIs and Qualified REs must undergo third-party CCI assessment half-yearly; other Qualified REs self-assess yearly. CCI scoring methodology, CCI submission to SEBI, and CCI-based compliance benchmarking are entirely SEBI-specific with no NIST equivalent. The CCI integrates elements across all CSCRF functions into a single maturity index.

CCMP Cyber Crisis Management Plan

Rationale

CP-02 contingency plan and IR-08 incident response plan provide the crisis management planning framework. CP-03/IR-03 training and testing for crisis preparedness. CP-04 contingency plan testing validates crisis response. IR-01 incident response policy establishes crisis escalation procedures. PM-08 critical infrastructure plan addresses sector-critical operations. PM-09 risk management strategy provides risk context.

Gaps

SEBI CSCRF's cyber resilience goals (Anticipate, Withstand, Contain, Recover, Evolve) are derived from CERT-In's Cyber Crisis Management Plan (CCMP). Mandatory participation in CERT-In coordinated cyber drills, crisis escalation to SEBI and NCIIPC (National Critical Information Infrastructure Protection Centre), and coordination with other financial regulators (RBI, IRDAI, PFRDA) during sector-wide cyber crises are India-specific. Market-wide cyber crisis protocols for coordinated trading halt decisions and settlement continuity are unique to SEBI-regulated markets.

CERTIF ISO 27001 Certification and Standards Compliance

Rationale

CA-02 security assessments provide the assessment framework. CA-06 (Rev 5) authorisation formalises approval. CA-09 internal system connections. PM-01 program plan; PM-10 security authorisation process. These controls support a security assessment and authorisation framework but do not mandate any specific certification.

Gaps

Significant: SEBI CSCRF mandates ISO 27001 certification for MIIs and Qualified REs. This is a prescriptive certification requirement that goes beyond NIST's assessment-based approach. ISO 27001 certification by accredited bodies, periodic recertification, and compliance evidence submission to SEBI are regulatory mandates. NIST SP 800-53 provides a controls framework but does not mandate specific external certification.

CLASSIFY Entity Classification and Compliance Matrix

Rationale

PM-01 information security program plan provides planning context. PM-10 security authorisation; PM-11 mission/business process definition addresses business context. PM-32 (Rev 5) purposing provides system categorisation. RA-02 security categorisation classifies systems. PL-02 system security plans documents security posture.

Gaps

Significant: SEBI CSCRF classifies REs into five categories — Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-certified REs — based on operational thresholds (client count, trade volume, AUM). Each category has different compliance obligations, timelines, and audit requirements. This tiered regulatory compliance model with entity classification-specific obligations is entirely SEBI-specific with no NIST equivalent.

CYBER-INS Cyber Insurance

Rationale

PM-09 risk management strategy encompasses risk transfer mechanisms including insurance. PM-11 mission/business process definition provides context for insurance coverage assessment. However, NIST SP 800-53 does not directly address cyber insurance procurement.

Gaps

Significant: SEBI CSCRF recommends cyber insurance as a risk transfer mechanism for regulated entities. Cyber insurance coverage should address market disruption, data breach, third-party liability, and regulatory penalty costs. NIST SP 800-53 addresses risk management comprehensively but does not address insurance as a control — this is a risk transfer strategy outside technical control frameworks.


DATALOC Data Localisation and Cross-Border Data Transfer

Rationale

SC-28 protection of information at rest addresses data storage security but not location. SC-12/SC-13 cryptographic key management and protection. PT-02/PT-04/PT-05 privacy controls for data handling. AC-04 information flow enforcement can constrain data flows. SI-12 information management and retention covers data lifecycle.

Gaps

Significant: SEBI CSCRF mandates data localisation requirements — encryption keys and key management operations must be handled within India's boundaries. Cross-border data transfer of securities market data is restricted. Alignment with India's Digital Personal Data Protection (DPDP) Act 2023, RBI data localisation norms (for entities also regulated by RBI), and IT Act 2000 provisions for data stored in India are India-specific jurisdictional requirements with no NIST equivalent. NIST controls address data protection technically but not geographically.

DE.AU Detect — Audit Logging and Monitoring

Rationale

AU family comprehensively addresses audit logging: AU-01 policy; AU-02 event logging; AU-03 content of audit records; AU-04 storage capacity; AU-05 response to failures; AU-06 review, analysis, and reporting; AU-07 reduction and report generation; AU-08 timestamps; AU-09 protection of audit information; AU-10 non-repudiation; AU-11 retention; AU-12 audit record generation; AU-14 session audit for detailed activity tracking on critical market infrastructure.

Gaps

Minimal: SEBI CSCRF audit logging requirements are well addressed by the AU family. SEBI mandates an effective log collection and retention policy with specific retention periods for securities market transaction records. Tamper-evident log storage for forensic admissibility under the Indian IT Act 2000 (Section 65B) and audit trail requirements for trading system activities need minor supplementation.

DE.CM Detect — Security Continuous Monitoring and SOC

Rationale

SI-04 system monitoring is the core continuous monitoring control. AU-06 audit review, analysis, and reporting; AU-13 monitoring for information disclosure. CA-07 continuous monitoring and PM-31 (Rev 5) continuous monitoring strategy. PM-14 testing, training, and monitoring. SC-26 (Rev 5) honeypots and SC-35 (Rev 5) external malicious code identification provide advanced detection. RA-10 (Rev 5) threat hunting enables proactive threat identification.

Gaps

SEBI CSCRF mandates all REs establish appropriate security monitoring through a Security Operations Centre (SOC) — own/group SOC, market SOC, or third-party managed SOC. MIIs and Qualified REs must measure SOC functional efficacy half-yearly; other REs yearly. SOC effectiveness metrics, SOC staffing requirements, and SOC-specific SEBI reporting obligations are India-specific operational requirements not captured in NIST monitoring controls.

DE.DP Detect — Detection Processes and Threat Intelligence

Rationale

SI-03 malware protection; SI-04 system monitoring; SI-05 security alerts and advisories. PM-16 threat awareness program provides threat intelligence context. RA-05 vulnerability monitoring/scanning; RA-10 (Rev 5) threat hunting for proactive detection. SC-44 (Rev 5) detonation chambers for advanced malware analysis. AU-12 audit record generation ensures detection event logging.

Gaps

SEBI CSCRF requires integration with CERT-In threat intelligence feeds and sectoral CERT coordination. Real-time threat intelligence sharing with SEBI and fellow market participants is mandated. Detection processes must cover securities market-specific threats (market manipulation via cyber means, algorithmic trading anomalies, settlement system attacks). These domain-specific detection requirements need supplementation.

DE.VA Detect — Vulnerability Assessment and Penetration Testing

Rationale

CA-02 security assessments; CA-08 penetration testing; RA-05 vulnerability monitoring and scanning are the core VAPT controls. RA-06 technical surveillance countermeasures; RA-07 (Rev 5) risk response adds explicit vulnerability remediation actions. RA-09 (Rev 5) criticality analysis for risk-based test prioritisation. RA-10 (Rev 5) threat hunting complements VAPT with proactive threat identification. PM-14 testing, training, and monitoring ensures regular assessment cycles.

Gaps

SEBI CSCRF mandates VAPT by CERT-In empanelled auditors to detect vulnerabilities across all critical systems, infrastructure components, and other IT systems. Red teaming exercises are required for MIIs and Qualified REs to simulate adversarial attacks. Scenario-based cyber resilience testing (SBCRT) is prescribed in Part IV annexures. VAPT scope, frequency, and reporting to SEBI are prescriptive regulatory requirements beyond NIST technical controls.

EMAIL-SEC Secure Communication and Email Security

Rationale

SC-07 boundary protection provides email gateway security. SC-08 transmission confidentiality and integrity protects communications in transit. SC-13 cryptographic protection enables encrypted communications (S/MIME, TLS). SI-08 spam protection addresses email-based threat filtering. AC-04 information flow enforcement enables DLP for email content.

Gaps

Minor: SEBI CSCRF communication security requirements are well addressed. Secure communication channels for market-sensitive information (order data, settlement instructions) and regulatory correspondence with SEBI require domain-specific encryption and non-repudiation controls beyond standard email security.

GV.OC Governance — Organisational Context

Rationale

PM-01 information security program plan establishes organisational security context. PM-07 enterprise architecture and PL-08 security and privacy architectures define structural context. PM-08 critical infrastructure plan and PM-11 mission/business process definition address business context for securities market entities. PM-09 risk management strategy; PM-28 (Rev 5) risk framing provides organisational risk context. PM-32 (Rev 5) purposing classifies systems by mission criticality. RA-09 (Rev 5) criticality analysis prioritises assets based on business impact.

Gaps

SEBI CSCRF requires organisational context specific to Indian securities market operations — classification of REs into five categories (MIIs, Qualified REs, Mid-size REs, Small-size REs, Self-certified REs) based on operational thresholds. Entity categorisation determines compliance obligations and timelines, which has no NIST equivalent. Market infrastructure-specific context (exchange operations, depository services, clearing functions) needs supplementation.

GV.OV Governance — Oversight and Compliance

Rationale

CA-02 security assessments and CA-07 continuous monitoring provide oversight mechanisms. CA-05 plan of action and milestones tracks remediation. CA-06 (Rev 5) authorisation formalises approval processes. PM-06 measures of performance establishes cybersecurity metrics. PM-14 testing, training, and monitoring ensures ongoing oversight. PM-31 (Rev 5) continuous monitoring strategy defines oversight methodology.

Gaps

SEBI CSCRF mandates periodic audits by CERT-In empanelled IS auditing organisations. Compliance must be demonstrated through standardised formats prescribed in Part III of CSCRF. MIIs and Qualified REs must prepare a Cyber Capability Index (CCI) for third-party assessment on a half-yearly basis. SEBI circular compliance reporting, audit report submission timelines to SEBI, and annual Board-level cyber resilience review are India-specific regulatory oversight requirements outside NIST scope.

GV.PO Governance — Cybersecurity and Cyber Resilience Policy

Rationale

PM-01 information security program plan and PL-01 planning policy establish the governance framework. PL-02 system security and privacy plans; PL-04 rules of behaviour. PM-09 risk management strategy; PM-10 security authorisation process; PM-11 mission/business process definition. PM-24 (Rev 5) data integrity board addresses organisational data governance relevant to securities market integrity.

Gaps

SEBI CSCRF requires a Board-approved comprehensive cybersecurity and cyber resilience policy reviewed annually, covering all six functions (Governance, Identify, Protect, Detect, Respond, Recover). Policy must address SEBI-specific compliance obligations, CERT-In reporting requirements, and alignment with SEBI circulars. The framework mandates separate documentation of cyber risk management framework for MIIs, Qualified REs, and Mid-size REs. India-specific regulatory policy elements are not captured by NIST.

GV.RM Governance — Cyber Risk Management Framework

Rationale

PM-09 risk management strategy and PM-28 (Rev 5) risk framing establish the risk management framework. PM-29 (Rev 5) risk management program leadership ensures senior management engagement. PM-30 (Rev 5) supply chain risk management strategy addresses third-party risks. RA-01 risk assessment policy; RA-03 risk assessment; RA-07 (Rev 5) risk response adds explicit risk treatment. RA-09 (Rev 5) criticality analysis enables risk-based prioritisation. PL-09 (Rev 5) central management provides unified governance.

Gaps

SEBI CSCRF requires MIIs, Qualified REs, and Mid-size REs to prepare a cyber risk management framework for identification, analysis, evaluation, prioritisation, response, and monitoring of cyber risks on a continuous basis. Integration with enterprise risk management specific to securities market operations (trading risk, settlement risk, custody risk) needs supplementation. SEBI's prescribed risk assessment methodology and risk appetite framework for capital market entities are India-specific requirements.

GV.RR Governance — Roles, Responsibilities and Authorities

Rationale

PM-02 senior information security officer addresses CISO designation. PM-13 security workforce ensures qualified security personnel. PS-01 personnel security policy; PS-02 position risk designation; PS-03 personnel screening; PS-06 access agreements. PS-07 external personnel security covers third-party staff roles. PS-09 (Rev 5) position descriptions formalises cybersecurity responsibilities in organisational roles.

Gaps

SEBI CSCRF mandates a designated CISO responsible for implementing and maintaining the cybersecurity framework, with specific reporting lines to the Board. Board-level cybersecurity oversight is prescribed with defined composition requirements. The Board must approve the cybersecurity policy and review it annually. SEBI-specific role requirements for SOC staffing, CERT-In empanelled auditors, and compliance officers for SEBI reporting obligations are not addressed by NIST controls.

GV.SC Governance — Supply Chain Risk Management

Rationale

SR-01/SR-02/SR-03 supply chain risk management policy, controls, and provenance. SR-05 acquisition strategies; SR-06 supplier assessments. SA-04 acquisition process; SA-09 external system services; SA-21 (Rev 5) developer screening for vendor personnel vetting. SA-22 (Rev 5) unsupported system components manages end-of-life vendor technology. PM-30 (Rev 5) supply chain risk management strategy provides strategic oversight. PS-07 external personnel security covers third-party staff.

Gaps

SEBI CSCRF requires risk assessment of third-party vendors and service providers with specific focus on cloud service providers hosting critical market infrastructure. SBOM (Software Bill of Materials) requirements for all software used in critical operations are mandated. India-specific requirements include data localisation for encryption keys and key management operations within India's boundaries, right-to-audit clauses, and regulatory access to third-party premises. Concentration risk assessment for shared market infrastructure service providers is SEBI-specific.

ID.AM Identify — Asset Management

Rationale

CM-08 system component inventory directly addresses IT asset identification and inventory requirements. CM-09 configuration management plan ensures inventory governance. CM-12 (Rev 5) information location tracking identifies where critical data resides. CM-13 (Rev 5) data action mapping tracks data flows across systems. PM-05 system inventory provides organisational-level asset tracking. RA-02 security categorisation classifies assets by criticality. RA-09 (Rev 5) criticality analysis enables risk-based prioritisation of market infrastructure assets.

Gaps

Minor: SEBI CSCRF asset management requirements are well addressed by NIST controls. SEBI mandates classification of IT assets based on criticality to market operations (trading systems, clearing engines, depository systems). India-specific data localisation tracking for personal data stored in Indian jurisdiction needs supplementation.

ID.RA Identify — Risk Assessment

Rationale

RA-01 risk assessment policy, RA-02 security categorisation, and RA-03 risk assessment together provide comprehensive risk identification and evaluation. RA-05 vulnerability monitoring/scanning; RA-07 (Rev 5) risk response adds explicit risk treatment actions. RA-08 (Rev 5) privacy impact assessments addresses data protection risks. RA-09 (Rev 5) criticality analysis enables risk-based prioritisation. RA-10 (Rev 5) threat hunting provides proactive risk identification. PM-16 threat awareness program provides threat intelligence context.

Gaps

Minor: SEBI CSCRF risk assessment aligns well with NIST RA family. SEBI requires risk assessment to include securities market-specific threat scenarios (market manipulation via cyber means, trading system disruption, settlement failure). Threat intelligence sharing with CERT-In and sectoral CERTs is an India-specific coordination requirement.

PR.AA Protect — Identity Management, Authentication and Access Control

Rationale

AC family comprehensively addresses access control: AC-01 policy; AC-02 account management; AC-03 access enforcement; AC-04 information flow enforcement; AC-05 separation of duties; AC-06 least privilege; AC-07 unsuccessful login attempts; AC-10 concurrent session control; AC-11/AC-12 session controls; AC-17 remote access; AC-24 access control decisions. IA family provides authentication: IA-01/IA-02 authentication policy and MFA; IA-04/IA-05 identifier and authenticator management; IA-06 authentication feedback; IA-08 non-organisational user authentication. IA-12 (Rev 5) identity proofing strengthens user verification.

Gaps

Minor: SEBI CSCRF mandates MFA for critical systems, especially when accessed from untrusted networks. Privileged access management for market infrastructure systems (trading engines, clearing systems) requires additional domain-specific controls. India-specific identity verification through Aadhaar-based eKYC for customer-facing systems needs supplementation.

PR.AS Protect — Application Security and SBOM

Rationale

SA-03 system development life cycle; SA-04 acquisition process; SA-08 security engineering principles; SA-10 developer configuration management; SA-11 developer testing and evaluation. SA-15 development standards; SA-17 developer security architecture. SA-20 (Rev 5) customized development for critical components; SA-21 (Rev 5) developer screening. SI-10 information input validation. SR-04 provenance supports software component tracking relevant to SBOM requirements.

Gaps

SEBI CSCRF mandates SBOM generation for all software used in critical/core operations — new software at time of purchase, existing software within six months. SBOM must include licence information, supplier name, component inventory (all dependencies), encryption details, and cryptographic hashes. This prescriptive SBOM requirement goes significantly beyond NIST SA/SR controls. API security with specific rate limiting, throttling, and authentication requirements needs supplementation.
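The SBOM element list above (licence, supplier, component inventory with dependencies, encryption details, cryptographic hashes) is concrete enough to check mechanically. The following is an added example, not code from SEBI or the NIST mapping: it audits a constructed CycloneDX-style JSON SBOM against those five elements. The `cscrf:encryption` property name and the accepted hash algorithm list are assumptions, since the framework names the elements but prescribes no field layout; the same check covers the SBOM requirement restated under PR.IP.

```python
"""Audit an SBOM for the elements SEBI CSCRF requires for critical/core software:
licence information, supplier name, component inventory (dependencies),
encryption details and cryptographic hashes.

Example code added to this coverage analysis. The input is a constructed,
CycloneDX-like JSON document; the 'cscrf:encryption' property and the hash
algorithm policy are assumptions, not fields defined by SEBI or NIST.
"""
import json
import re

# Assumed policy: only these digests count as a usable cryptographic hash.
HEX_LEN = {"SHA-256": 64, "SHA-384": 96, "SHA-512": 128}


def check_component(comp, dependency_refs):
    """Return the CSCRF elements missing or malformed for one component."""
    gaps = []
    if not comp.get("supplier", {}).get("name"):
        gaps.append("supplier name")
    if not comp.get("licenses"):
        gaps.append("licence information")
    # Encryption details: assumed to be recorded as a custom property.
    props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
    if not props.get("cscrf:encryption"):
        gaps.append("encryption details")
    # At least one hash with an accepted algorithm and a well-formed digest.
    ok_hash = any(
        h.get("alg") in HEX_LEN
        and re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[h["alg"]], h.get("content", ""))
        for h in comp.get("hashes", [])
    )
    if not ok_hash:
        gaps.append("cryptographic hash")
    # Component inventory: every component must appear in the dependency graph.
    if comp.get("bom-ref") not in dependency_refs:
        gaps.append("dependency inventory entry")
    return gaps


def audit_sbom(sbom):
    """Map each component's bom-ref to its gap list; an empty list is compliant."""
    dependency_refs = {d.get("ref") for d in sbom.get("dependencies", [])}
    return {
        c.get("bom-ref", c.get("name")): check_component(c, dependency_refs)
        for c in sbom.get("components", [])
    }


def is_cscrf_complete(sbom):
    """True only when the SBOM has components and none of them has a gap."""
    report = audit_sbom(sbom)
    return bool(report) and all(not gaps for gaps in report.values())


# Constructed sample: one fully described component and one legacy dependency
# lacking licence, encryption details and a strong hash. Hash values are the
# well-known digests of the empty input, used here purely as placeholders.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "bom-ref": "pkg:maven/org.example/order-router@2.4.1",
      "name": "order-router", "version": "2.4.1",
      "supplier": {"name": "Example Vendor Pvt Ltd"},
      "licenses": [{"license": {"id": "Apache-2.0"}}],
      "hashes": [{"alg": "SHA-256",
        "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
      "properties": [{"name": "cscrf:encryption",
        "value": "TLS 1.3 in transit; AES-256-GCM at rest"}]
    },
    {
      "bom-ref": "pkg:pypi/legacy-feed-parser@0.9",
      "name": "legacy-feed-parser", "version": "0.9",
      "supplier": {"name": "Unknown"},
      "hashes": [{"alg": "MD5", "content": "d41d8cd98f00b204e9800998ecf8427e"}]
    }
  ],
  "dependencies": [
    {"ref": "pkg:maven/org.example/order-router@2.4.1",
     "dependsOn": ["pkg:pypi/legacy-feed-parser@0.9"]},
    {"ref": "pkg:pypi/legacy-feed-parser@0.9", "dependsOn": []}
  ]
}
""")

if __name__ == "__main__":
    for ref, gaps in audit_sbom(SAMPLE_SBOM).items():
        status = "OK" if not gaps else "GAPS: " + ", ".join(gaps)
        print(f"{ref}: {status}")
    print("CSCRF complete:", is_cscrf_complete(SAMPLE_SBOM))
```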

PR.AT Protect — Awareness and Training

Rationale

AT-01 security awareness policy; AT-02 literacy training and awareness; AT-03 role-based training; AT-04 training records. AT-05 (Rev 5) contacts and groups facilitates security community building. AT-06 (Rev 5) training feedback enables phishing simulation and user reporting mechanisms. PM-13 security workforce ensures qualified security personnel. PM-15 security groups enables knowledge sharing across the organisation.

Gaps

SEBI CSCRF mandates cybersecurity awareness programs for all levels including Board members and senior management. Capacity building programs must include securities market-specific cyber threat scenarios. Training must cover SEBI-specific incident reporting procedures and CERT-In compliance obligations. Customer education for market participants (investors, traders) on cyber hygiene is outside NIST workforce-focused training scope.

PR.CS Protect — Cloud Security

Rationale

SA-09 external system services is the primary control for cloud service governance. AC-20 use of external systems; SC-07 boundary protection for cloud boundaries; SC-08 transmission confidentiality for cloud connectivity; SC-28 protection of information at rest in cloud environments. SR-01/SR-06 supply chain risk management for cloud providers. CA-03 information exchange addresses cloud interconnections.

Gaps

SEBI CSCRF allows cloud hosting for critical applications but mandates in-depth risk evaluations, comparative analysis, and regulatory assessment before adoption. Data localisation requirements — encryption keys and key management must remain within India. Cloud provider assessment must cover SEBI-specific compliance obligations. Market infrastructure institutions have additional restrictions on cloud deployment for core trading and settlement systems.

PR.DS Protect — Data Security and Classification

Rationale

SC-08 transmission confidentiality/integrity; SC-12 cryptographic key management; SC-13 cryptographic protection; SC-28 protection of information at rest collectively address encryption requirements. MP family covers media protection. AC-04 information flow enforcement; AC-23 (Rev 5) data mining protection restricts unauthorised data extraction. SI-12 information management and retention; SI-19 (Rev 5) de-identification; SI-20 (Rev 5) tainting for data provenance. PT-02/PT-03 privacy controls for data minimisation and use limitation.

Gaps

SEBI CSCRF mandates comprehensive data classification and data localisation requirements. Encryption keys and key management operations must be handled within India's boundaries. Full-disk encryption (FDE) layered with file-based encryption (FE) is required. India-specific data protection requirements under the DPDP Act 2023 and data localisation norms for financial data must be addressed. Cross-border data transfer restrictions for securities market data are SEBI-specific.

PR.ES Protect — Endpoint and Platform Security

Rationale

CM-06 configuration settings for endpoint hardening; CM-07 least functionality restricts unnecessary software/services; CM-10/CM-11 software usage restrictions. CM-14 (Rev 5) signed components ensures cryptographic verification. SC-18 mobile code restrictions; SC-41 (Rev 5) port and I/O device access restriction strengthens endpoint controls. SI-03 malware protection; SI-07 software integrity verification; SI-16 (Rev 5) memory protection (DEP/ASLR). AC-19 access control for mobile devices addresses mobile endpoint security.

Gaps

Minor: SEBI CSCRF endpoint security requirements are well addressed. API security solutions with rate limiting, throttling, and proper authentication/authorisation are specifically mandated and need supplementation beyond standard endpoint controls. Mobile device management for market participants accessing trading platforms needs additional domain-specific guidance.

PR.IP Protect — Information Protection Processes and Procedures

Rationale

CM family comprehensively addresses configuration and change management: CM-01 policy; CM-02 baseline configuration; CM-03 change control; CM-04 impact analysis; CM-05 access restrictions for change; CM-06 configuration settings; CM-07 least functionality; CM-10/CM-11 software restrictions; CM-14 (Rev 5) signed components. SI-02 flaw remediation addresses patching. SI-07 integrity verification. SA-03 system development life cycle; SA-08 security engineering; SA-10 developer configuration management; SA-11 developer testing; SA-15 development standards address secure development.

Gaps

Minor: SEBI CSCRF secure development and change management requirements are well addressed. SBOM (Software Bill of Materials) generation for all software used in critical/core operations — required at time of purchase for new software and within six months for existing software — goes beyond standard NIST configuration management. API security requirements with rate limiting, throttling, and proper authentication mechanisms need specific supplementation.

PR.MA Protect — Maintenance

Rationale

MA-01 maintenance policy; MA-02 controlled maintenance; MA-03 maintenance tools; MA-04 nonlocal maintenance; MA-05 maintenance personnel; MA-06 timely maintenance. SI-13 (Rev 5) predictive maintenance enables proactive maintenance scheduling for critical market infrastructure systems, supporting uptime requirements for trading and settlement systems.

Gaps

Minor: SEBI CSCRF maintenance requirements are well addressed by the MA family. Market infrastructure-specific maintenance windows (post-trading hours, weekends) and coordination with exchange/depository operations schedules are operational requirements not captured in NIST controls.

PR.NS Protect — Network Security and Segmentation

Rationale

SC-07 boundary protection is the core network segmentation control. SC-05 denial of service protection; SC-08 transmission confidentiality and integrity; SC-20/SC-21/SC-22 DNS security. SC-32 (Rev 5) system partitioning isolates network segments. SC-39 process isolation; SC-44 (Rev 5) detonation chambers (sandboxing). SC-47 (Rev 5) alternate communication paths provides network resilience. AC-04 information flow enforcement controls data flows between network zones. SI-04 system monitoring provides network-level monitoring.

Gaps

SEBI CSCRF mandates network segmentation techniques to restrict access to sensitive information, hosts, and services. Securities market-specific network architecture requirements for trading connectivity (co-location, DMA, algo trading infrastructure) need domain-specific controls. Network security for market data feeds and order routing requires supplementation.

PR.PE Protect — Physical and Environmental Security

Rationale

PE family comprehensively addresses physical and environmental controls. PE-01 policy; PE-02/PE-03/PE-04/PE-05/PE-06/PE-08 physical access controls and visitor management; PE-09/PE-10/PE-11 power and emergency systems; PE-12/PE-13 emergency lighting and fire protection; PE-14/PE-15 environmental controls and water damage protection; PE-17 alternate work site; PE-18 facility location; PE-20 asset monitoring and tracking.

Gaps

Minor: SEBI CSCRF physical security requirements are well addressed. Data centre certification requirements (for MIIs hosting critical market infrastructure) and co-location facility security for trading infrastructure need domain-specific supplementation. Disaster recovery site requirements with geographic separation for market continuity are SEBI-specific.

RC.CO Recover — Recovery Communication

Rationale

IR-06 incident reporting addresses communication during recovery. CP-02 contingency plan includes communication procedures. PM-26 (Rev 5) complaint management addresses stakeholder concerns during recovery. PM-27 (Rev 5) privacy reporting keeps stakeholders informed of data-related recovery status.

Gaps

Significant: SEBI CSCRF mandates stakeholder communication during recovery including market participants, clearing members, and depositories. Recovery status must be communicated to SEBI in real-time for market infrastructure incidents. Coordination with stock exchanges for trading halt/resumption decisions, communication to investors through exchange mechanisms, and media communication protocols during market-impacting incidents are India-specific regulatory requirements outside NIST scope.

RC.IM Recover — Recovery Improvements

Rationale

CP-02 contingency plan maintenance; CP-04 contingency plan testing drives improvement through exercise findings. CA-02 security assessments evaluate recovery effectiveness. CA-05/PM-04 plan of action and milestones tracks recovery improvement actions. PM-14 testing, training, and monitoring ensures ongoing recovery capability improvement.

Gaps

SEBI CSCRF requires post-recovery review incorporating lessons learned, with improvement recommendations reported to the Board. Recovery capability must be enhanced through periodic cyber drills coordinated by CERT-In and SEBI. MIIs and Qualified REs must conduct scenario-based cyber resilience testing (SBCRT) to validate recovery improvements.

RC.RP Recover — Incident Recovery Plan Execution

Rationale

CP family comprehensively addresses recovery: CP-01 contingency planning policy; CP-02 contingency plan; CP-04 testing; CP-06 alternate storage site; CP-07 alternate processing site; CP-08 telecommunications services; CP-09 system backup; CP-10 recovery and reconstitution; CP-11 alternate communications protocols; CP-12 safe mode; CP-13 alternative security mechanisms. SC-24 fail in known state and SI-17 fail-safe procedures address controlled failure and degraded operation during recovery.

Gaps

SEBI CSCRF requires a comprehensive response and recovery plan that can be triggered to ensure prompt restoration of systems affected by cybersecurity incidents. Recovery time objectives (RTOs) for market infrastructure must ensure minimal disruption to market operations. A disaster recovery site with geographic separation and synchronous replication for critical trading/settlement systems is prescribed. SEBI-mandated DR drill frequency and switchover/switchback testing requirements need supplementation.

RS.AN Respond — Incident Analysis and Forensics

Rationale

AU-06 audit record review, analysis, and reporting supports forensic investigation. AU-09 protection of audit information ensures evidence integrity. AU-10 non-repudiation supports attributing recorded actions to individuals. AU-11 audit record retention preserves evidence. IR-04 incident handling includes forensic analysis during response. IR-05 incident monitoring; IR-09 information spillage response. SI-04 system monitoring provides investigation data.

Gaps

SEBI CSCRF mandates forensic analysis where root cause analysis is inconclusive. Digital forensic capabilities must align with the Indian IT Act 2000 and the requirements for admissibility of electronic records under Section 65B of the Indian Evidence Act, 1872. Engagement of CERT-In empanelled forensic auditors, evidence preservation per Indian legal standards, and forensic report submission to SEBI and law enforcement are India-specific requirements.

RS.CO Respond — Incident Reporting and Communication

Rationale

IR-06 incident reporting is the primary reporting control. PM-15 security and privacy groups and associations and PM-16 threat awareness program support information sharing. PM-26 (Rev 5) complaint management addresses stakeholder communication. SI-05 security alerts, advisories, and directives provides a framework for disseminating incident information.

Gaps

Significant: SEBI CSCRF mandates reporting all cybersecurity incidents to CERT-In within 6 hours (per the CERT-In directions of 28 April 2022) and to SEBI through the incident reporting portal within prescribed timelines. Incident classification and reporting formats are standardised in Part III. Communication to market participants (exchanges, clearing corporations, depositories) during market-impacting incidents, coordination with other regulators (RBI, IRDAI), and public disclosure requirements for material cyber incidents are India-specific regulatory obligations with no NIST equivalent.

RS.IM Respond — Incident Response Improvements

Rationale

IR-04 incident handling incorporates lessons learned into incident response procedures. IR-05 incident monitoring enables trend analysis. IR-08 incident response plan review incorporates improvements. CA-02 security assessments and CA-05 plan of action and milestones track remediation. CA-07 continuous monitoring verifies improvement effectiveness. PM-04 plan of action and milestones process provides organisation-level tracking.

Gaps

SEBI CSCRF requires post-incident review with specific focus on market impact assessment and control improvement recommendations. Improvement actions must be reported to the Board and tracked to closure. Lessons learned must be shared with SEBI and relevant market participants for sector-wide improvement. Cyber drill participation (CERT-In coordinated) informs improvement processes.

RS.MA Respond — Incident Management

Rationale

IR family comprehensively addresses incident management: IR-01 incident response policy; IR-02 incident response training; IR-03 incident response testing; IR-04 incident handling; IR-05 incident monitoring; IR-07 incident response assistance; IR-08 incident response plan; IR-09 information spillage response. These controls address the full incident management lifecycle from preparation through lessons learned.

Gaps

SEBI CSCRF mandates root cause analysis (RCA) for all cybersecurity incidents, and forensic analysis where RCA is inconclusive. A comprehensive response and recovery plan must be documented and testable. The CISO is designated as the incident commander. Market infrastructure-specific incident handling for trading disruptions, settlement failures, and data breaches affecting market participants requires domain-specific procedures beyond NIST incident handling.

SOC Security Operations Centre Requirements

Rationale

SI-04 system monitoring is the foundational SOC control. AU-06 audit record review, analysis, and reporting; CA-07 continuous monitoring. IR-04 incident handling and IR-05 incident monitoring address SOC response functions. PM-14 testing, training, and monitoring; PM-16 threat awareness program. SC-26 honeypots and RA-10 (Rev 5) threat hunting support advanced SOC capabilities.

Gaps

SEBI CSCRF mandates SOC establishment for all REs through own/group SOC, market SOC, or third-party managed SOC. SOC functional efficacy must be measured half-yearly for MIIs/Qualified REs and yearly for others. SOC staffing, technology, and process requirements are prescribed. SOC efficacy metrics and reporting to SEBI are regulatory requirements. Market-specific SOC monitoring for trading anomalies and settlement system threats needs domain supplementation.

VAPT VAPT and Red Team Exercises

Rationale

CA-02 security assessments and CA-08 penetration testing are the core VAPT controls. RA-05 vulnerability monitoring and scanning. RA-06 technical surveillance countermeasures survey is only tangentially related, as it concerns detection of covert listening devices rather than system vulnerabilities. RA-07 (Rev 5) risk response adds vulnerability remediation actions. RA-09 (Rev 5) criticality analysis supports risk-based scoping of testing. RA-10 (Rev 5) threat hunting provides proactive identification of adversary activity that testing alone would not surface. PM-14 testing, training, and monitoring manages the testing cycle.

Gaps

SEBI CSCRF mandates VAPT by CERT-In empanelled auditors with defined scope covering all critical systems, infrastructure components, and IT systems. Red teaming exercises (simulated adversarial attacks) are required for MIIs and Qualified REs. Scenario-based cyber resilience testing (SBCRT) is prescribed in Part IV. VAPT frequency, scope definition, and result reporting to SEBI/Board are prescriptive regulatory requirements. The CERT-In empanelment requirement is India-specific.

Methodology and Disclaimer

This coverage analysis maps from SEBI CSCRF clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.