SEC Custody Rule Modernization — Digital Asset Securities

SEC framework for custody of digital asset securities by broker-dealers and investment advisers. Covers qualified custodian requirements, exclusive control of private keys, multi-signature and threshold signature mandates, segregation of client assets, key management lifecycle, distributed ledger risk assessment, third-party custodian oversight, incident response, business continuity, transfer capability verification, independent examination, and safeguarding against theft, loss, and misuse.


AC Access Control

Control Name SEC Custody (Digital Assets) References
AC-01 Access Control Policies and Procedures
SEC-CD-02, SEC-CD-05, SEC-CD-17, SEC-CD-20
AC-02 Account Management
SEC-CD-02, SEC-CD-05, SEC-CD-16
AC-03 Access Enforcement
SEC-CD-02, SEC-CD-05
AC-04 Information Flow Enforcement
SEC-CD-04
AC-05 Separation Of Duties
SEC-CD-02, SEC-CD-03, SEC-CD-04, SEC-CD-05, SEC-CD-16, SEC-CD-19
AC-06 Least Privilege
SEC-CD-02, SEC-CD-03, SEC-CD-04, SEC-CD-05, SEC-CD-16
AC-17 Remote Access
SEC-CD-05
AC-20 Use Of External Information Systems
SEC-CD-10

AT Awareness and Training

Control Name SEC Custody (Digital Assets) References
AT-03 Security Training
SEC-CD-19

AU Audit and Accountability

Control Name SEC Custody (Digital Assets) References
AU-01 Audit And Accountability Policy And Procedures
SEC-CD-14, SEC-CD-15, SEC-CD-17
AU-02 Auditable Events
SEC-CD-04, SEC-CD-05, SEC-CD-07, SEC-CD-13, SEC-CD-15, SEC-CD-18, SEC-CD-20
AU-03 Content Of Audit Records
SEC-CD-04, SEC-CD-15, SEC-CD-18, SEC-CD-20
AU-04 Audit Storage Capacity
SEC-CD-15
AU-05 Response To Audit Processing Failures
SEC-CD-15
AU-06 Audit Monitoring, Analysis, And Reporting
SEC-CD-11, SEC-CD-14, SEC-CD-15, SEC-CD-16, SEC-CD-18, SEC-CD-20
AU-07 Audit Reduction And Report Generation
SEC-CD-15
AU-08 Time Stamps
SEC-CD-15
AU-09 Protection Of Audit Information
SEC-CD-05, SEC-CD-15, SEC-CD-16
AU-10 Non-Repudiation
SEC-CD-05, SEC-CD-15, SEC-CD-16
AU-11 Audit Record Retention
SEC-CD-14, SEC-CD-15, SEC-CD-18, SEC-CD-20
AU-12 Audit Record Generation
SEC-CD-15

CA Security Assessment and Authorization

Control Name SEC Custody (Digital Assets) References
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
SEC-CD-01, SEC-CD-14, SEC-CD-17, SEC-CD-19
CA-02 Security Assessments
SEC-CD-01, SEC-CD-10, SEC-CD-13, SEC-CD-14, SEC-CD-17
CA-07 Continuous Monitoring
SEC-CD-10, SEC-CD-13, SEC-CD-14

CM Configuration Management

Control Name SEC Custody (Digital Assets) References
CM-02 Baseline Configuration
SEC-CD-08
CM-03 Configuration Change Control
SEC-CD-07
CM-05 Access Restrictions For Change
SEC-CD-05
CM-06 Configuration Settings
SEC-CD-03, SEC-CD-06, SEC-CD-07, SEC-CD-08
CM-08 Information System Component Inventory
SEC-CD-04, SEC-CD-09, SEC-CD-18

CP Contingency Planning

Control Name SEC Custody (Digital Assets) References
CP-01 Contingency Planning Policy And Procedures
SEC-CD-12
CP-02 Contingency Plan
SEC-CD-12
CP-03 Contingency Training
SEC-CD-12
CP-04 Contingency Plan Testing And Exercises
SEC-CD-12, SEC-CD-13
CP-06 Alternate Storage Site
SEC-CD-06, SEC-CD-08, SEC-CD-12
CP-07 Alternate Processing Site
SEC-CD-12
CP-08 Telecommunications Services
SEC-CD-12
CP-09 Information System Backup
SEC-CD-06, SEC-CD-12
CP-10 Information System Recovery And Reconstitution
SEC-CD-12

IA Identification and Authentication

Control Name SEC Custody (Digital Assets) References
IA-02 User Identification And Authentication
SEC-CD-03, SEC-CD-05, SEC-CD-16
IA-03 Device Identification And Authentication
SEC-CD-02
IA-05 Authenticator Management
SEC-CD-02, SEC-CD-03, SEC-CD-05, SEC-CD-06, SEC-CD-07, SEC-CD-16

IR Incident Response

Control Name SEC Custody (Digital Assets) References
IR-01 Incident Response Policy And Procedures
SEC-CD-11
IR-02 Incident Response Training
SEC-CD-11
IR-03 Incident Response Testing And Exercises
SEC-CD-11
IR-04 Incident Handling
SEC-CD-11
IR-05 Incident Monitoring
SEC-CD-11
IR-06 Incident Reporting
SEC-CD-11
IR-07 Incident Response Assistance
SEC-CD-11
IR-08 Incident Response Plan
SEC-CD-11
IR-09 Information Spillage Response
SEC-CD-11

MA Maintenance

Control Name SEC Custody (Digital Assets) References
MA-02 Controlled Maintenance
SEC-CD-07

MP Media Protection

Control Name SEC Custody (Digital Assets) References
MP-04 Media Storage
SEC-CD-04, SEC-CD-06, SEC-CD-16
MP-05 Media Transport
SEC-CD-06

PE Physical and Environmental Protection

Control Name SEC Custody (Digital Assets) References
PE-02 Physical Access Authorizations
SEC-CD-02, SEC-CD-06, SEC-CD-08, SEC-CD-16
PE-03 Physical Access Control
SEC-CD-02, SEC-CD-06, SEC-CD-08, SEC-CD-16
PE-06 Monitoring Physical Access
SEC-CD-08, SEC-CD-16

PL Planning

Control Name SEC Custody (Digital Assets) References
PL-01 Security Planning Policy And Procedures
SEC-CD-01, SEC-CD-19

PM Program Management

Control Name SEC Custody (Digital Assets) References
PM-01 Information Security Program Plan
SEC-CD-01, SEC-CD-14, SEC-CD-17, SEC-CD-18, SEC-CD-19, SEC-CD-20
PM-02 Information Security Program Leadership Role
SEC-CD-01, SEC-CD-17, SEC-CD-19
PM-07 Enterprise Architecture
SEC-CD-14
PM-09 Risk Management Strategy
SEC-CD-09, SEC-CD-10, SEC-CD-18

PS Personnel Security

Control Name SEC Custody (Digital Assets) References
PS-01 Personnel Security Policy And Procedures
SEC-CD-01, SEC-CD-19
PS-03 Personnel Screening
SEC-CD-16
PS-04 Personnel Termination
SEC-CD-16
PS-06 Access Agreements
SEC-CD-19
PS-07 Third-Party Personnel Security
SEC-CD-16
PS-08 Personnel Sanctions
SEC-CD-16

PT Personally Identifiable Information Processing and Transparency

Control Name SEC Custody (Digital Assets) References
PT-01 Policy and Procedures
SEC-CD-20
PT-05 Privacy Notice
SEC-CD-20
PT-06 System of Records Notice
SEC-CD-20

RA Risk Assessment

Control Name SEC Custody (Digital Assets) References
RA-01 Risk Assessment Policy And Procedures
SEC-CD-01, SEC-CD-09, SEC-CD-17, SEC-CD-18, SEC-CD-19
RA-02 Security Categorization
SEC-CD-09
RA-03 Risk Assessment
SEC-CD-08, SEC-CD-09, SEC-CD-12, SEC-CD-18
RA-05 Vulnerability Scanning
SEC-CD-09

SA System and Services Acquisition

Control Name SEC Custody (Digital Assets) References
SA-01 System And Services Acquisition Policy And Procedures
SEC-CD-01, SEC-CD-14, SEC-CD-17
SA-04 Acquisitions
SEC-CD-10
SA-08 Security Engineering Principles
SEC-CD-03, SEC-CD-06, SEC-CD-08
SA-09 External Information System Services
SEC-CD-01, SEC-CD-09, SEC-CD-10, SEC-CD-17

SC System and Communications Protection

Control Name SEC Custody (Digital Assets) References
SC-02 Application Partitioning
SEC-CD-04
SC-03 Security Function Isolation
SEC-CD-04
SC-04 Information Remnance
SEC-CD-04
SC-07 Boundary Protection
SEC-CD-09
SC-12 Cryptographic Key Establishment And Management
SEC-CD-02, SEC-CD-03, SEC-CD-06, SEC-CD-07, SEC-CD-08, SEC-CD-12, SEC-CD-13, SEC-CD-16
SC-13 Use Of Cryptography
SEC-CD-02, SEC-CD-03, SEC-CD-06, SEC-CD-07, SEC-CD-08
SC-17 Public Key Infrastructure Certificates
SEC-CD-02, SEC-CD-06
SC-23 Session Authenticity
SEC-CD-03
SC-28 Protection of Information at Rest
SEC-CD-08

SI System and Information Integrity

Control Name SEC Custody (Digital Assets) References
SI-02 Flaw Remediation
SEC-CD-07
SI-04 Information System Monitoring Tools And Techniques
SEC-CD-11, SEC-CD-16
SI-06 Security Functionality Verification
SEC-CD-13
SI-07 Software And Information Integrity
SEC-CD-09, SEC-CD-13

SR Supply Chain Risk Management

Control Name SEC Custody (Digital Assets) References
SR-01 Policy and Procedures
SEC-CD-10
SR-02 Supply Chain Risk Management Plan
SEC-CD-09, SEC-CD-10
SR-03 Supply Chain Controls and Processes
SEC-CD-10
SR-06 Supplier Assessments and Reviews
SEC-CD-10