NIST 800 53 Controls List

NIST Controls List

Uploaded by silverfox.ofs
The control numbers, titles, priorities and baseline assignments below match NIST SP 800-53 Revision 4, the revision that used implementation priorities P0 to P3. Revision 5 dropped the priority codes and renamed many controls, so check which revision a target system is authorized against before mapping to this list.

Columns:
Impact: the lowest impact baseline (LOW, MODERATE or HIGH) in which the control is selected. Rev 4 baselines are cumulative, so a LOW control is also required at MODERATE and HIGH. "none" marks a control that is not selected in any baseline.
Priority: Rev 4 implementation priority, P1 (implement first) to P3. P0 is assigned to controls not selected in any baseline; the source sheet places P0 in the Impact column for some of these rows, and it is shown under Priority here.
withdrawn: the control was withdrawn in Rev 4 and its requirements were folded into other controls; it has no baseline or priority.
PM controls are deployed organization-wide and carry no baseline or priority.

Num. | Title | Impact | Priority | Subject Area
AC-1 | Access Control Policy And Procedures | LOW | P1 | Access Control
AC-2 | Account Management | LOW | P1 | Access Control
AC-3 | Access Enforcement | LOW | P1 | Access Control
AC-4 | Information Flow Enforcement | MODERATE | P1 | Access Control
AC-5 | Separation Of Duties | MODERATE | P1 | Access Control
AC-6 | Least Privilege | MODERATE | P1 | Access Control
AC-7 | Unsuccessful Logon Attempts | LOW | P2 | Access Control
AC-8 | System Use Notification | LOW | P1 | Access Control
AC-9 | Previous Logon (Access) Notification | none | P0 | Access Control
AC-10 | Concurrent Session Control | HIGH | P3 | Access Control
AC-11 | Session Lock | MODERATE | P3 | Access Control
AC-12 | Session Termination | MODERATE | P2 | Access Control
AC-13 | Supervision And Review - Access Control | withdrawn | - | Access Control
AC-14 | Permitted Actions Without Identification Or Authentication | LOW | P3 | Access Control
AC-15 | Automated Marking | withdrawn | - | Access Control
AC-16 | Security Attributes | none | P0 | Access Control
AC-17 | Remote Access | LOW | P1 | Access Control
AC-18 | Wireless Access | LOW | P1 | Access Control
AC-19 | Access Control For Mobile Devices | LOW | P1 | Access Control
AC-20 | Use Of External Information Systems | LOW | P1 | Access Control
AC-21 | Information Sharing | MODERATE | P2 | Access Control
AC-22 | Publicly Accessible Content | LOW | P3 | Access Control
AC-23 | Data Mining Protection | none | P0 | Access Control
AC-24 | Access Control Decisions | none | P0 | Access Control
AC-25 | Reference Monitor | none | P0 | Access Control
AT-1 | Security Awareness And Training Policy And Procedures | LOW | P1 | Awareness And Training
AT-2 | Security Awareness Training | LOW | P1 | Awareness And Training
AT-3 | Role-Based Security Training | LOW | P1 | Awareness And Training
AT-4 | Security Training Records | LOW | P3 | Awareness And Training
AT-5 | Contacts With Security Groups And Associations | withdrawn | - | Awareness And Training
AU-1 | Audit And Accountability Policy And Procedures | LOW | P1 | Audit And Accountability
AU-2 | Audit Events | LOW | P1 | Audit And Accountability
AU-3 | Content Of Audit Records | LOW | P1 | Audit And Accountability
AU-4 | Audit Storage Capacity | LOW | P1 | Audit And Accountability
AU-5 | Response To Audit Processing Failures | LOW | P1 | Audit And Accountability
AU-6 | Audit Review, Analysis, And Reporting | LOW | P1 | Audit And Accountability
AU-7 | Audit Reduction And Report Generation | MODERATE | P2 | Audit And Accountability
AU-8 | Time Stamps | LOW | P1 | Audit And Accountability
AU-9 | Protection Of Audit Information | LOW | P1 | Audit And Accountability
AU-10 | Non-Repudiation | HIGH | P2 | Audit And Accountability
AU-11 | Audit Record Retention | LOW | P3 | Audit And Accountability
AU-12 | Audit Generation | LOW | P1 | Audit And Accountability
AU-13 | Monitoring For Information Disclosure | none | P0 | Audit And Accountability
AU-14 | Session Audit | none | P0 | Audit And Accountability
AU-15 | Alternate Audit Capability | none | P0 | Audit And Accountability
AU-16 | Cross-Organizational Auditing | none | P0 | Audit And Accountability
CA-1 | Security Assessment And Authorization Policy And Procedures | LOW | P1 | Security Assessment And Authorization
CA-2 | Security Assessments | LOW | P2 | Security Assessment And Authorization
CA-3 | System Interconnections | LOW | P1 | Security Assessment And Authorization
CA-4 | Security Certification | withdrawn | - | Security Assessment And Authorization
CA-5 | Plan Of Action And Milestones | LOW | P3 | Security Assessment And Authorization
CA-6 | Security Authorization | LOW | P2 | Security Assessment And Authorization
CA-7 | Continuous Monitoring | LOW | P2 | Security Assessment And Authorization
CA-8 | Penetration Testing | HIGH | P2 | Security Assessment And Authorization
CA-9 | Internal System Connections | LOW | P2 | Security Assessment And Authorization
CM-1 | Configuration Management Policy And Procedures | LOW | P1 | Configuration Management
CM-2 | Baseline Configuration | LOW | P1 | Configuration Management
CM-3 | Configuration Change Control | MODERATE | P1 | Configuration Management
CM-4 | Security Impact Analysis | LOW | P2 | Configuration Management
CM-5 | Access Restrictions For Change | MODERATE | P1 | Configuration Management
CM-6 | Configuration Settings | LOW | P1 | Configuration Management
CM-7 | Least Functionality | LOW | P1 | Configuration Management
CM-8 | Information System Component Inventory | LOW | P1 | Configuration Management
CM-9 | Configuration Management Plan | MODERATE | P1 | Configuration Management
CM-10 | Software Usage Restrictions | LOW | P2 | Configuration Management
CM-11 | User-Installed Software | LOW | P1 | Configuration Management
CP-1 | Contingency Planning Policy And Procedures | LOW | P1 | Contingency Planning
CP-2 | Contingency Plan | LOW | P1 | Contingency Planning
CP-3 | Contingency Training | LOW | P2 | Contingency Planning
CP-4 | Contingency Plan Testing | LOW | P2 | Contingency Planning
CP-5 | Contingency Plan Update | withdrawn | - | Contingency Planning
CP-6 | Alternate Storage Site | MODERATE | P1 | Contingency Planning
CP-7 | Alternate Processing Site | MODERATE | P1 | Contingency Planning
CP-8 | Telecommunications Services | MODERATE | P1 | Contingency Planning
CP-9 | Information System Backup | LOW | P1 | Contingency Planning
CP-10 | Information System Recovery And Reconstitution | LOW | P1 | Contingency Planning
CP-11 | Alternate Communications Protocols | none | P0 | Contingency Planning
CP-12 | Safe Mode | none | P0 | Contingency Planning
CP-13 | Alternative Security Mechanisms | none | P0 | Contingency Planning
IA-1 | Identification And Authentication Policy And Procedures | LOW | P1 | Identification And Authentication
IA-2 | Identification And Authentication (Organizational Users) | LOW | P1 | Identification And Authentication
IA-3 | Device Identification And Authentication | MODERATE | P1 | Identification And Authentication
IA-4 | Identifier Management | LOW | P1 | Identification And Authentication
IA-5 | Authenticator Management | LOW | P1 | Identification And Authentication
IA-6 | Authenticator Feedback | LOW | P2 | Identification And Authentication
IA-7 | Cryptographic Module Authentication | LOW | P1 | Identification And Authentication
IA-8 | Identification And Authentication (Non-Organizational Users) | LOW | P1 | Identification And Authentication
IA-9 | Service Identification And Authentication | none | P0 | Identification And Authentication
IA-10 | Adaptive Identification And Authentication | none | P0 | Identification And Authentication
IA-11 | Re-Authentication | none | P0 | Identification And Authentication
IR-1 | Incident Response Policy And Procedures | LOW | P1 | Incident Response
IR-2 | Incident Response Training | LOW | P2 | Incident Response
IR-3 | Incident Response Testing | MODERATE | P2 | Incident Response
IR-4 | Incident Handling | LOW | P1 | Incident Response
IR-5 | Incident Monitoring | LOW | P1 | Incident Response
IR-6 | Incident Reporting | LOW | P1 | Incident Response
IR-7 | Incident Response Assistance | LOW | P2 | Incident Response
IR-8 | Incident Response Plan | LOW | P1 | Incident Response
IR-9 | Information Spillage Response | none | P0 | Incident Response
IR-10 | Integrated Information Security Analysis Team | none | P0 | Incident Response
MA-1 | System Maintenance Policy And Procedures | LOW | P1 | Maintenance
MA-2 | Controlled Maintenance | LOW | P2 | Maintenance
MA-3 | Maintenance Tools | MODERATE | P3 | Maintenance
MA-4 | Nonlocal Maintenance | LOW | P2 | Maintenance
MA-5 | Maintenance Personnel | LOW | P2 | Maintenance
MA-6 | Timely Maintenance | MODERATE | P2 | Maintenance
MP-1 | Media Protection Policy And Procedures | LOW | P1 | Media Protection
MP-2 | Media Access | LOW | P1 | Media Protection
MP-3 | Media Marking | MODERATE | P2 | Media Protection
MP-4 | Media Storage | MODERATE | P1 | Media Protection
MP-5 | Media Transport | MODERATE | P1 | Media Protection
MP-6 | Media Sanitization | LOW | P1 | Media Protection
MP-7 | Media Use | LOW | P1 | Media Protection
MP-8 | Media Downgrading | none | P0 | Media Protection
PE-1 | Physical And Environmental Protection Policy And Procedures | LOW | P1 | Physical And Environmental Protection
PE-2 | Physical Access Authorizations | LOW | P1 | Physical And Environmental Protection
PE-3 | Physical Access Control | LOW | P1 | Physical And Environmental Protection
PE-4 | Access Control For Transmission Medium | MODERATE | P1 | Physical And Environmental Protection
PE-5 | Access Control For Output Devices | MODERATE | P2 | Physical And Environmental Protection
PE-6 | Monitoring Physical Access | LOW | P1 | Physical And Environmental Protection
PE-7 | Visitor Control | withdrawn | - | Physical And Environmental Protection
PE-8 | Visitor Access Records | LOW | P3 | Physical And Environmental Protection
PE-9 | Power Equipment And Cabling | MODERATE | P1 | Physical And Environmental Protection
PE-10 | Emergency Shutoff | MODERATE | P1 | Physical And Environmental Protection
PE-11 | Emergency Power | MODERATE | P1 | Physical And Environmental Protection
PE-12 | Emergency Lighting | LOW | P1 | Physical And Environmental Protection
PE-13 | Fire Protection | LOW | P1 | Physical And Environmental Protection
PE-14 | Temperature And Humidity Controls | LOW | P1 | Physical And Environmental Protection
PE-15 | Water Damage Protection | LOW | P1 | Physical And Environmental Protection
PE-16 | Delivery And Removal | LOW | P2 | Physical And Environmental Protection
PE-17 | Alternate Work Site | MODERATE | P2 | Physical And Environmental Protection
PE-18 | Location Of Information System Components | HIGH | P3 | Physical And Environmental Protection
PE-19 | Information Leakage | none | P0 | Physical And Environmental Protection
PE-20 | Asset Monitoring And Tracking | none | P0 | Physical And Environmental Protection
PL-1 | Security Planning Policy And Procedures | LOW | P1 | Planning
PL-2 | System Security Plan | LOW | P1 | Planning
PL-3 | System Security Plan Update | withdrawn | - | Planning
PL-4 | Rules Of Behavior | LOW | P2 | Planning
PL-5 | Privacy Impact Assessment | withdrawn | - | Planning
PL-6 | Security-Related Activity Planning | withdrawn | - | Planning
PL-7 | Security Concept Of Operations | none | P0 | Planning
PL-8 | Information Security Architecture | MODERATE | P1 | Planning
PL-9 | Central Management | none | P0 | Planning
PS-1 | Personnel Security Policy And Procedures | LOW | P1 | Personnel Security
PS-2 | Position Risk Designation | LOW | P1 | Personnel Security
PS-3 | Personnel Screening | LOW | P1 | Personnel Security
PS-4 | Personnel Termination | LOW | P1 | Personnel Security
PS-5 | Personnel Transfer | LOW | P2 | Personnel Security
PS-6 | Access Agreements | LOW | P3 | Personnel Security
PS-7 | Third-Party Personnel Security | LOW | P1 | Personnel Security
PS-8 | Personnel Sanctions | LOW | P3 | Personnel Security
RA-1 | Risk Assessment Policy And Procedures | LOW | P1 | Risk Assessment
RA-2 | Security Categorization | LOW | P1 | Risk Assessment
RA-3 | Risk Assessment | LOW | P1 | Risk Assessment
RA-4 | Risk Assessment Update | withdrawn | - | Risk Assessment
RA-5 | Vulnerability Scanning | LOW | P1 | Risk Assessment
RA-6 | Technical Surveillance Countermeasures Survey | none | P0 | Risk Assessment
SA-1 | System And Services Acquisition Policy And Procedures | LOW | P1 | System And Services Acquisition
SA-2 | Allocation Of Resources | LOW | P1 | System And Services Acquisition
SA-3 | System Development Life Cycle | LOW | P1 | System And Services Acquisition
SA-4 | Acquisition Process | LOW | P1 | System And Services Acquisition
SA-5 | Information System Documentation | LOW | P2 | System And Services Acquisition
SA-6 | Software Usage Restrictions | withdrawn | - | System And Services Acquisition
SA-7 | User-Installed Software | withdrawn | - | System And Services Acquisition
SA-8 | Security Engineering Principles | MODERATE | P1 | System And Services Acquisition
SA-9 | External Information System Services | LOW | P1 | System And Services Acquisition
SA-10 | Developer Configuration Management | MODERATE | P1 | System And Services Acquisition
SA-11 | Developer Security Testing And Evaluation | MODERATE | P1 | System And Services Acquisition
SA-12 | Supply Chain Protection | HIGH | P1 | System And Services Acquisition
SA-13 | Trustworthiness | none | P0 | System And Services Acquisition
SA-14 | Criticality Analysis | none | P0 | System And Services Acquisition
SA-15 | Development Process, Standards, And Tools | HIGH | P2 | System And Services Acquisition
SA-16 | Developer-Provided Training | HIGH | P2 | System And Services Acquisition
SA-17 | Developer Security Architecture And Design | HIGH | P1 | System And Services Acquisition
SA-18 | Tamper Resistance And Detection | none | P0 | System And Services Acquisition
SA-19 | Component Authenticity | none | P0 | System And Services Acquisition
SA-20 | Customized Development Of Critical Components | none | P0 | System And Services Acquisition
SA-21 | Developer Screening | none | P0 | System And Services Acquisition
SA-22 | Unsupported System Components | none | P0 | System And Services Acquisition
SC-1 | System And Communications Protection Policy And Procedures | LOW | P1 | System And Communications Protection
SC-2 | Application Partitioning | MODERATE | P1 | System And Communications Protection
SC-3 | Security Function Isolation | HIGH | P1 | System And Communications Protection
SC-4 | Information In Shared Resources | MODERATE | P1 | System And Communications Protection
SC-5 | Denial Of Service Protection | LOW | P1 | System And Communications Protection
SC-6 | Resource Availability | none | P0 | System And Communications Protection
SC-7 | Boundary Protection | LOW | P1 | System And Communications Protection
SC-8 | Transmission Confidentiality And Integrity | MODERATE | P1 | System And Communications Protection
SC-9 | Transmission Confidentiality | withdrawn | - | System And Communications Protection
SC-10 | Network Disconnect | MODERATE | P2 | System And Communications Protection
SC-11 | Trusted Path | none | P0 | System And Communications Protection
SC-12 | Cryptographic Key Establishment And Management | LOW | P1 | System And Communications Protection
SC-13 | Cryptographic Protection | LOW | P1 | System And Communications Protection
SC-14 | Public Access Protections | withdrawn | - | System And Communications Protection
SC-15 | Collaborative Computing Devices | LOW | P1 | System And Communications Protection
SC-16 | Transmission Of Security Attributes | none | P0 | System And Communications Protection
SC-17 | Public Key Infrastructure Certificates | MODERATE | P1 | System And Communications Protection
SC-18 | Mobile Code | MODERATE | P2 | System And Communications Protection
SC-19 | Voice Over Internet Protocol | MODERATE | P1 | System And Communications Protection
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | LOW | P1 | System And Communications Protection
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | LOW | P1 | System And Communications Protection
SC-22 | Architecture And Provisioning For Name / Address Resolution Service | LOW | P1 | System And Communications Protection
SC-23 | Session Authenticity | MODERATE | P1 | System And Communications Protection
SC-24 | Fail In Known State | HIGH | P1 | System And Communications Protection
SC-25 | Thin Nodes | none | P0 | System And Communications Protection
SC-26 | Honeypots | none | P0 | System And Communications Protection
SC-27 | Platform-Independent Applications | none | P0 | System And Communications Protection
SC-28 | Protection Of Information At Rest | MODERATE | P1 | System And Communications Protection
SC-29 | Heterogeneity | none | P0 | System And Communications Protection
SC-30 | Concealment And Misdirection | none | P0 | System And Communications Protection
SC-31 | Covert Channel Analysis | none | P0 | System And Communications Protection
SC-32 | Information System Partitioning | none | P0 | System And Communications Protection
SC-33 | Transmission Preparation Integrity | withdrawn | - | System And Communications Protection
SC-34 | Non-Modifiable Executable Programs | none | P0 | System And Communications Protection
SC-35 | Honeyclients | none | P0 | System And Communications Protection
SC-36 | Distributed Processing And Storage | none | P0 | System And Communications Protection
SC-37 | Out-Of-Band Channels | none | P0 | System And Communications Protection
SC-38 | Operations Security | none | P0 | System And Communications Protection
SC-39 | Process Isolation | LOW | P1 | System And Communications Protection
SC-40 | Wireless Link Protection | none | P0 | System And Communications Protection
SC-41 | Port And I/O Device Access | none | P0 | System And Communications Protection
SC-42 | Sensor Capability And Data | none | P0 | System And Communications Protection
SC-43 | Usage Restrictions | none | P0 | System And Communications Protection
SC-44 | Detonation Chambers | none | P0 | System And Communications Protection
SI-1 | System And Information Integrity Policy And Procedures | LOW | P1 | System And Information Integrity
SI-2 | Flaw Remediation | LOW | P1 | System And Information Integrity
SI-3 | Malicious Code Protection | LOW | P1 | System And Information Integrity
SI-4 | Information System Monitoring | LOW | P1 | System And Information Integrity
SI-5 | Security Alerts, Advisories, And Directives | LOW | P1 | System And Information Integrity
SI-6 | Security Function Verification | HIGH | P1 | System And Information Integrity
SI-7 | Software, Firmware, And Information Integrity | MODERATE | P1 | System And Information Integrity
SI-8 | Spam Protection | MODERATE | P2 | System And Information Integrity
SI-9 | Information Input Restrictions | withdrawn | - | System And Information Integrity
SI-10 | Information Input Validation | MODERATE | P1 | System And Information Integrity
SI-11 | Error Handling | MODERATE | P2 | System And Information Integrity
SI-12 | Information Handling And Retention | LOW | P2 | System And Information Integrity
SI-13 | Predictable Failure Prevention | none | P0 | System And Information Integrity
SI-14 | Non-Persistence | none | P0 | System And Information Integrity
SI-15 | Information Output Filtering | none | P0 | System And Information Integrity
SI-16 | Memory Protection | MODERATE | P1 | System And Information Integrity
SI-17 | Fail-Safe Procedures | none | P0 | System And Information Integrity
PM-1 | Information Security Program Plan | n/a | n/a | Program Management
PM-2 | Senior Information Security Officer | n/a | n/a | Program Management
PM-3 | Information Security Resources | n/a | n/a | Program Management
PM-4 | Plan Of Action And Milestones Process | n/a | n/a | Program Management
PM-5 | Information System Inventory | n/a | n/a | Program Management
PM-6 | Information Security Measures Of Performance | n/a | n/a | Program Management
PM-7 | Enterprise Architecture | n/a | n/a | Program Management
PM-8 | Critical Infrastructure Plan | n/a | n/a | Program Management
PM-9 | Risk Management Strategy | n/a | n/a | Program Management
PM-10 | Security Authorization Process | n/a | n/a | Program Management
PM-11 | Mission/Business Process Definition | n/a | n/a | Program Management
PM-12 | Insider Threat Program | n/a | n/a | Program Management
PM-13 | Information Security Workforce | n/a | n/a | Program Management
PM-14 | Testing, Training, And Monitoring | n/a | n/a | Program Management
PM-15 | Contacts With Security Groups And Associations | n/a | n/a | Program Management

www.sprinto.com