
Informative Reference Submission Form

Informative Reference Name: SP800-82-Rev-2-to-SP800-53-Rev-4

Reference Version: 1.0.0

Web Address: https://csrc.nist.gov/CSRC/media/Projects/olir/documents/submissions/SP800-82-Rev-2-to-SP800-53-Rev-4.xlsx

Focal Document Version: SP 800-53 Rev. 4

Security Control Baseline: Low, Moderate, and High

Summary: The purpose of this document is to provide guidance for securing ICS, including SCADA and DCS systems, PLCs, and other systems performing industrial control functions.

Target Audience (Community): The intended audience is varied and includes the following:
• Control engineers, integrators, and architects who design or implement secure ICS.
• System administrators, engineers, and other information technology (IT) professionals who administer, patch, or secure ICS.
• Security consultants who perform security assessments and penetration testing of ICS.
• Managers who are responsible for ICS.
• Senior management who are trying to understand implications and consequences as they justify and apply an ICS cybersecurity program to help mitigate impacts to business functionality.
• Researchers and analysts who are trying to understand the unique security needs of ICS.
• Vendors that are developing products that will be deployed as part of an ICS.

Comprehensive: Yes

Reference Document Author: National Institute of Standards and Technology

Reference Document: SP 800-82 Rev. 2

Reference Document Date: 05/01/2015

Reference Document URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Reference Developer: National Institute of Standards and Technology

Comments: N/A

Point of Contact: olir@nist.gov

Dependency/ Requirement: N/A

Citations: N/A
SP 800-53 Control
Number
(Focal Document Element)

AC-1

AC-2
AC-2 (1)

AC-2 (2)

AC-2 (3)
AC-2 (4)
AC-2 (5)

AC-2 (6)

AC-2 (7)

AC-2 (8)
AC-2 (9)
AC-2 (10)
AC-2 (11)
AC-2 (12)
AC-2 (13)
AC-3
AC-3 (1)
AC-3 (2)
AC-3 (3)

AC-3 (4)

AC-3 (5)

AC-3 (6)
AC-3 (7)
AC-3 (8)

AC-3 (9)

AC-3 (10)

AC-4
AC-4 (1)

AC-4 (2)
AC-4 (3)
AC-4 (4)
AC-4 (5)

AC-4 (6)

AC-4 (7)

AC-4 (8)

AC-4 (9)

AC-4 (10)

AC-4 (11)

AC-4 (12)

AC-4 (13)

AC-4 (14)

AC-4 (15)
AC-4 (16)

AC-4 (17)

AC-4 (18)

AC-4 (19)

AC-4 (20)
AC-4 (21)
AC-4 (22)

AC-5

AC-6

AC-6 (1)

AC-6 (2)

AC-6 (3)

AC-6 (4)

AC-6 (5)
AC-6 (6)

AC-6 (7)

AC-6 (8)

AC-6 (9)

AC-6 (10)

AC-7

AC-7 (1)

AC-7 (2)
AC-8

AC-9

AC-9 (1)

AC-9 (2)

AC-9 (3)
AC-9 (4)
AC-10
AC-11

AC-11 (1)

AC-12

AC-12 (1)

AC-13

AC-14
AC-14 (1)

AC-15

AC-16

AC-16 (1)

AC-16 (2)

AC-16 (3)

AC-16 (4)

AC-16 (5)

AC-16 (6)

AC-16 (7)

AC-16 (8)

AC-16 (9)

AC-16 (10)
AC-17

AC-17 (1)

AC-17 (2)

AC-17 (3)

AC-17 (4)
AC-17 (5)

AC-17 (6)

AC-17 (7)

AC-17 (8)

AC-17 (9)

AC-18

AC-18 (1)

AC-18 (2)
AC-18 (3)

AC-18 (4)

AC-18 (5)

AC-19
AC-19 (1)

AC-19 (2)

AC-19 (3)

AC-19 (4)

AC-19 (5)
AC-20

AC-20 (1)

AC-20 (2)

AC-20 (3)

AC-20 (4)

AC-21
AC-21 (1)

AC-21 (2)
AC-22

AC-23

AC-24

AC-24 (1)

AC-24 (2)

AC-25
SP 800-53 Control or Control Enhancement Security Control
(Focal Document Element Description) Baseline

The organization:
a. Develops, documents,
Identifies and selects the andfollowing
disseminates
typestoof[Assignment: organization-defined
information system personnel
accounts to support
or roles]:
organizational missions/business functions: [Assignment: organization-defined information
1. An access
system control
account policy that addresses purpose, scope, roles, responsibilities,
types];
management
b. commitment,
Assigns account managerscoordination
for informationamong
system organizational
accounts; entities, and compliance;
and
c. Establishes conditions for group and role membership; Low
2.
d. Procedures to facilitate
Specifies authorized theofimplementation
users the informationofsystem,
the access
groupcontrol policy
and role and associated
membership, and
controls; and (i.e., privileges) and other attributes (as required) for each account;
access authorizations
b. Requires
e. Reviews and updates
approvals bythe current: organization-defined personnel or roles] for requests
[Assignment:
1.
to Access control policy
create information [Assignment:
system accounts; organization-defined frequency]; and
2. Access control procedures [Assignment:
f. Creates, enables, modifies, disables, and removes organization-defined
information frequency].
system accounts in
accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
Low
h.
The Notifies account
organization managers:
employs automated mechanisms to support the management of
1. When accounts are no longer required; Moderate
information system accounts.
2.
The When users are
information terminated
system or transferred;
automatically and removes; disables] temporary and
[Selection:
3. When individual information system usage or
emergency accounts after [Assignment: organization-defined need-to-knowtimechanges;
period for each type of Moderate
i.account].
Authorizes access to the information system based on:
1. A valid access authorization;
The
2. information
Intended systemsystem
usage;automatically
and disables inactive accounts after [Assignment:
The information system automatically audits account creation, modification, enabling, Moderate
organization-defined
3. Other attributes time period].
as required
disabling, and removal actions, byandthe organization
notifies or associated
[Assignment: missions/business
organization-defined personnel or Moderate
functions;
The organization requires that users log out when [Assignment: organization-defined time-
roles].
j.period
Reviews accountsinactivity
for compliance with account management High
of expected or description of when to log out].requirements [Assignment:
organization-defined frequency]; and
The information
k. Establishes systemfor
a process implements the following dynamic
reissuing shared/group privilege management
account credentials (if deployed) when
capabilities: [Assignment: organization-defined
individuals are removed from the group. list of dynamic privilege management Not Selected
capabilities].

The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based
access scheme that organizes allowed information system access and privileges into roles;
Not Selected
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are
no longer appropriate.

The information system creates [Assignment: organization-defined information system


Not Selected
accounts] dynamically.
The organization only permits the use of shared/group accounts that meet [Assignment:
Not Selected
organization-defined conditions for establishing shared/group accounts].
The information system terminates shared/group account credentials when members leave
Not Selected
the group.
The
The organization:
information system enforces [Assignment: organization-defined circumstances and/or
(a) Monitors information system accounts for [Assignment: organization-defined atypical High
usage conditions] for [Assignment: organization-defined information system accounts].
usage]; and High
The organization
(b) Reports disables
atypical usageaccounts of users
of information posing
system a significant
accounts risk within [Assignment:
to [Assignment: organization- High
organization-defined
defined
The personnel
information time period]
or roles].
system of discovery of the risk.
enforces approved authorizations for logical access to information
Low
and system resources in accordance with applicable access control policies.
[Withdrawn: Incorporated into AC-6]. Withdrawn
The information system enforces dual authorization for [Assignment: organization-defined
Not Selected
privileged commands and/or other organization-defined actions].
The information system enforces [Assignment: organization-defined mandatory access
control policy] over all subjects and objects where the policy:
(a) Is uniformly enforced across all subjects and objects within the boundary of the
information system;
(b) Specifies that a subject that has been granted access to information is constrained from
doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
Not Selected
(3) Changing one or more security attributes on subjects, objects, the information system, or
information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created
or modified objects; or
(5) Changing the rules governing access control; and
(c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted
[Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they
are not limited by some or all of the above constraints.

The information system enforces [Assignment: organization-defined discretionary access


control policy] over defined subjects and objects where the policy specifies that a subject
that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects; Not Selected
(c) Change security attributes on subjects, objects, the information system, or the
information system�s components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control.

The information system prevents access to [Assignment: organization-defined security-


Not Selected
relevant information] except during secure, non-operable system states.

[Withdrawn: Incorporated into MP-4 and SC-28]. Withdrawn


The information system enforces a role-based access control policy over defined subjects
and objects and controls
The information access based
system enforces upon [Assignment:
the revocation of access organization-defined roles
authorizations resulting and
from Not Selected
users authorized
changes to assume
to the security such roles].
attributes of subjects and objects based on [Assignment: Not Selected
organization-defined rules governing the timing of revocations of access authorizations].

The information system does not release information outside of the established system
boundary unless:
(a) The receiving [Assignment: organization-defined information system or system
Not Selected
component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the
appropriateness of the information designated for release.

The organization employs an audited override of automated access control mechanisms


Not Selected
under [Assignment: organization-defined conditions].
The information system enforces approved authorizations for controlling the flow of
information within the system and between interconnected systems based on [Assignment: Moderate
organization-defined information flow control policies].
The information system uses [Assignment: organization-defined security attributes]
associated with [Assignment: organization-defined information, source, and destination
Not Selected
objects] to enforce [Assignment: organization-defined information flow control policies] as a
basis for flow control decisions.
The information system uses protected processing domains to enforce [Assignment:
Not Selected
organization-defined
The information dynamic
flow control policies] flow
as a basis forbased
flow control decisions.
The information
information system
system enforces
prevents encryptedinformation
information fromcontrol
bypassing on [Assignment:
content-checking Not Selected
organization-defined policies].
mechanisms by [Selection (one or more): decrypting the information; blocking the flow of
Not Selected
the encrypted information; terminating
The information system enforces communications
[Assignment: sessions attempting
organization-defined to pass
limitations] on
encrypted information; [Assignment: organization-defined procedure or method]]. Not Selected
embedding data types within other data types.
The information system enforces information flow control based on [Assignment:
Not Selected
organization-defined metadata].

The information system enforces [Assignment: organization-defined one-way information


Not Selected
flows] using hardware mechanisms.
The information system enforces information flow control using [Assignment: organization-
defined security policy filters] as a basis for flow control decisions for [Assignment: Not Selected
organization-defined information flows].
The information system enforces the use of human reviews for [Assignment: organization-
defined information flows] under the following conditions: [Assignment: organization- Not Selected
defined conditions].

The information system provides the capability for privileged administrators to


enable/disable [Assignment: organization-defined security policy filters] under the following Not Selected
conditions: [Assignment: organization-defined conditions].

The information system provides the capability for privileged administrators to configure
[Assignment: organization-defined security policy filters] to support different security Not Selected
policies.
The information system, when transferring information between different security domains,
uses [Assignment: organization-defined data type identifiers] to validate data essential for Not Selected
information flow decisions.
The information system, when transferring information between different security domains,
decomposes information into [Assignment: organization-defined policy-relevant Not Selected
subcomponents] for submission to policy enforcement mechanisms.

The information system, when transferring information between different security domains,
implements [Assignment: organization-defined security policy filters] requiring fully Not Selected
enumerated formats
The information thatwhen
system, restrict data structure
transferring and content.
information between different security domains,
examines the information for the presence of [Assignment: organized-defined unsanctioned
Not Selected
information] and prohibits the transfer of such information in accordance with the
[Assignment: organization-defined
[Withdrawn: Incorporated security policy].
into AC-4]. Withdrawn

The information system uniquely identifies and authenticates source and destination points
by [Selection (one or more): organization, system, application, individual] for information Not Selected
transfer.

The information system binds security attributes to information using [Assignment:


Not Selected
organization-defined binding techniques] to facilitate information flow policy enforcement.

The information system, when transferring information between different security domains,
Not Selected
applies the same security policy filtering to metadata as it applies to data payloads.

The organization employs [Assignment: organization-defined solutions in approved


configurations] to control the flow of [Assignment: organization-defined information] across Not Selected
security domains.
The information system separates information flows logically or physically using
[Assignment: organization-defined
The information mechanisms
system provides access and/ordevice
from a single techniques] to accomplish
to computing platforms, Not Selected
[Assignment:
applications, or data residing on multiple different security domains,information].
organization-defined required separations by types of while preventing any Not Selected
information flow between the different security domains.

The organization:
a. Separates [Assignment: organization-defined duties of individuals];
Moderate
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.

The organization employs the principle of least privilege, allowing only authorized accesses
for users (or processes acting on behalf of users) which are necessary to accomplish assigned Moderate
tasks in accordance with organizational missions and business functions.

The organization explicitly authorizes access to [Assignment: organization-defined security


functions (deployed in hardware, software, and firmware) and security-relevant Moderate
information].

The organization requires that users of information system accounts, or roles, with access to
[Assignment: organization-defined security functions or security-relevant information], use Moderate
non-privileged accounts or roles, when accessing nonsecurity functions.

The organization authorizes network access to [Assignment: organization-defined privileged


commands] only for [Assignment: organization-defined compelling operational needs] and High
documents the rationale for such access in the security plan for the information system.

The information system provides separate processing domains to enable finer-grained


Not Selected
allocation of user privileges.

The organization restricts privileged accounts on the information system to [Assignment:


Moderate
organization-defined personnel or roles].
The organization prohibits privileged access to the information system by non-organizational
Not Selected
users.

The organization:
(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to
[Assignment: organization-defined roles or classes of users] to validate the need for such
Not Selected
privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational
mission/business needs.

The information system prevents [Assignment: organization-defined software] from


Not Selected
executing at higher privilege levels than users executing the software.

The information system audits the execution of privileged functions. Moderate

The information system prevents non-privileged users from executing privileged functions to
include disabling, circumventing, or altering implemented security Moderate
safeguards/countermeasures.

The information system:


a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon
attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization- Low
defined time period]; locks the account/node until released by an administrator; delays next
logon prompt according to [Assignment: organization-defined delay algorithm]] when the
maximum number of unsuccessful attempts is exceeded.

[Withdrawn: Incorporated into AC-7]. Withdrawn

The information system purges/wipes information from [Assignment: organization-defined


mobile devices] based on [Assignment: organization-defined purging/wiping
Not Selected
requirements/techniques] after [Assignment: organization-defined number] consecutive,
unsuccessful device logon attempts.
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or
banner] before granting access to the system that provides privacy and security notices
consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil
penalties; and
4. Use of the information system indicates consent to monitoring and recording; Low
b. Retains the notification message or banner on the screen until users acknowledge the
usage conditions and take explicit actions to log on to or further access the information
system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before
granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with
privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system.

The information system notifies the user, upon successful logon (access) to the system, of
Not Selected
the date and time of the last logon (access).

The information system notifies the user, upon successful logon/access, of the number of
Not Selected
unsuccessful logon/access attempts since the last successful logon/access.

The information system notifies the user of the number of [Selection: successful
logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: Not Selected
organization-defined time period].
The information system notifies the user of changes to [Assignment: organization-defined
security-related
The information characteristics/parameters of the
system notifies the user, upon user�slogon
successful account] during
(access), of [Assignment:
the following Not Selected
organization-defined
additional time
information: period]. organization-defined information to be included in
[Assignment: Not Selected
The information system limits the number of concurrent sessions for each [Assignment:
addition to the date and
organization-defined time and/or
account of the last logontype]
account (access)].
to [Assignment: organization-defined High
number].
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment:
organization-defined time period] of inactivity or upon receiving a request from a user; and Moderate
b. Retains the session lock until the user reestablishes access using established identification
and authentication procedures.

The information system conceals, via the session lock, information previously visible on the
Moderate
display with a publicly viewable image.

The information system automatically terminates a user session after [Assignment:


Moderate
organization-defined conditions or trigger events requiring session disconnect].

The information system:


(a) Provides a logout capability for user-initiated communications sessions whenever
authentication is used to gain access to [Assignment: organization-defined information
Not Selected
resources]; and
(b) Displays an explicit logout message to users indicating the reliable termination of
authenticated communications sessions.

The organization:
[Withdrawn: Incorporated into AC-2 and AU-6]. Withdrawn
a. Identifies [Assignment: organization-defined user actions] that can be performed on the
information system without identification or authentication consistent with organizational
Low
missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information
system, user actions not requiring identification or authentication.
[Withdrawn: Incorporated into AC-14]. Withdrawn

[Withdrawn: Incorporated into MP-3]. Withdrawn

The organization:
a. Provides the means to associate [Assignment: organization-defined types of security
attributes] having [Assignment: organization-defined security attribute values] with
information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the
Not Selected
information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for
[Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of
the established security attributes.
The information system dynamically associates security attributes with [Assignment:
organization-defined subjects and objects] in accordance with [Assignment: organization- Not Selected
defined security policies] as information is created and combined.
The information system provides authorized individuals (or processes acting on behalf of
Not Selected
individuals) the capability to define or change the value of associated security attributes.

The information system maintains the association and integrity of [Assignment:


organization-defined security attributes] to [Assignment: organization-defined subjects and Not Selected
objects].

The information system supports the association of [Assignment: organization-defined


security attributes] with [Assignment: organization-defined subjects and objects] by Not Selected
authorized individuals
The information system(ordisplays
processes actingattributes
security on behalfinofhuman-readable
individuals). form on each object
that the system transmits to output devices to identify [Assignment: organization-identified
Not Selected
special dissemination, handling, or distribution instructions] using [Assignment:
organization-identified
The organization allowshuman-readable, standard
personnel to associate, andnaming conventions].
maintain the association of
[Assignment: organization-defined security attributes] with [Assignment: organization-
Not Selected
defined subjects and objects] in accordance with [Assignment: organization-defined security
policies].

The organization provides a consistent interpretation of security attributes transmitted


Not Selected
between distributed information system components.

The information system implements [Assignment: organization-defined techniques or


technologies] with [Assignment: organization-defined level of assurance] in associating Not Selected
security attributes to information.

The organization ensures that security attributes associated with information are reassigned
only via re-grading mechanisms validated using [Assignment: organization-defined Not Selected
techniques or procedures].

The information system provides authorized individuals the capability to define or change
Not Selected
the type and value of security attributes available for association with subjects and objects.
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements,
Low
and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.

The information system monitors and controls remote access methods. Moderate

The information system implements cryptographic mechanisms to protect the


Moderate
confidentiality and integrity of remote access sessions.

The information system routes all remote accesses through [Assignment: organization-
Moderate
defined number] managed network access control points.
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant
Moderate
information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents
[Withdrawn: the rationale
Incorporated forSI-4].
into such access in the security plan for the information system. Withdrawn

The organization ensures that users protect information about remote access mechanisms
Not Selected
from unauthorized use and disclosure.

[Withdrawn: Incorporated into AC-3 (10)]. Withdrawn

[Withdrawn: Incorporated into CM-7]. Withdrawn

The organization provides the capability to expeditiously disconnect or disable remote


Not Selected
access to the information system within [Assignment: organization-defined time period].
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and
Low
implementation guidance for wireless access; and
b.
TheAuthorizes wireless
information systemaccess to the
protects information
wireless access system prior tousing
to the system allowing such connections.
authentication of
Moderate
[Selection (one or more): users; devices] and encryption.

[Withdrawn: Incorporated into SI-4]. Withdrawn


The organization disables, when not intended for use, wireless networking capabilities
internally embedded within information system components prior to issuance and Not Selected
deployment.

The organization identifies and explicitly authorizes users allowed to independently


High
configure wireless networking capabilities.

The organization selects radio antennas and calibrates transmission power levels to reduce
the probability that usable signals can be received outside of organization-controlled High
boundaries.
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and
Low
implementation guidance for organization-controlled mobile devices; and
b. AuthorizesIncorporated
[Withdrawn: the connection ofMP-7].
into mobile devices to organizational information systems. Withdrawn

[Withdrawn: Incorporated into MP-7]. Withdrawn

[Withdrawn: Incorporated into MP-7]. Withdrawn

The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information
systems processing, storing, or transmitting classified information unless specifically
permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to
use unclassified mobile devices in facilities containing information systems processing,
storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires Not Selected
approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile
devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to
random reviews and inspections by [Assignment: organization-defined security officials], and
if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in
accordance with [Assignment: organization-defined security policies].

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Moderate

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.
Low

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
Moderate

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Moderate

The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
Not Selected

The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.
Not Selected

The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Moderate

The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
Not Selected

The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
Not Selected

The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Low

The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
Not Selected

The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
Not Selected

The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.
Not Selected

The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.
Not Selected

Not Selected
Rationale
Relationship
Reference Document Element

AC-1

AC-2
AC-2 (1)

AC-2 (2)

AC-2 (3)
AC-2 (4)
AC-2 (5)

AC-2 (11)
AC-2 (12)
AC-2 (13)
AC-3
AC-4
AC-5

AC-6

AC-6 (1)

AC-6 (2)

AC-6 (3)

AC-6 (5)
AC-6 (9)

AC-6 (10)

AC-7
AC-8

AC-10
AC-11

AC-11 (1)

AC-12

AC-14
AC-17

AC-17 (1)

AC-17 (2)

AC-17 (3)

AC-17 (4)

AC-18

AC-18 (1)
AC-18 (4)

AC-18 (5)

AC-19

AC-19 (5)
AC-20

AC-20 (1)

AC-20 (2)

AC-21
AC-22
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)

The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems. ICS access by vendors and maintenance staff can occur over a very large facility footprint or geographic area and into unobserved spaces such as mechanical/electrical rooms, ceilings, floors, field substations, switch and valve vaults, and pump stations.

Example compensating controls include providing increased physical security, personnel security, intrusion detection, auditing measures.

Example compensating controls include employing nonautomated mechanisms or procedures.

In situations where the ICS (e.g., field devices) cannot support temporary or emergency accounts, this enhancement does not apply. Example compensating controls include employing nonautomated mechanisms or procedures.

Example compensating controls include employing nonautomated mechanisms or procedures.

Example compensating controls include employing nonautomated mechanisms or procedures.

Example compensating controls include employing nonautomated mechanisms or procedures.

The organization ensures that access enforcement mechanisms do not adversely impact the operational performance of the ICS. Example compensating controls include encapsulation. Policy for logical access control to Non-Addressable and Non-Routable system resources and the associated information is made explicit. Access control mechanisms include hardware, firmware, and software that controls or has device access, such as device drivers and communications controllers. Physical access control may serve as a compensating control for logical access control, however, it may not provide sufficient granularity in situations where users require access to different functions. Logical access enforcement may be implemented in encapsulating hardware and software.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.
Physical addresses (e.g., a serial port) may be
implicitly or explicitly associated
with labels or attributes (e.g., hardware I/O
address). Manual methods are typically
static. Label or attribute policy mechanisms
may be implemented in hardware, firmware,
and software that controls or has device
access, such as device drivers and
communications controllers. Information
flow policy may be supported by labeling or
coloring physical connectors as an aid to
manual hookup. Inspection of message
content may enforce information flow policy.
For example, a message containing a
command to an actuator may not be
permitted to flow between the control
network and any other network.
Example compensating controls include
providing increased personnel security and
auditing. The organization carefully considers
the appropriateness of a single individual
performing multiple critical roles.

Example compensating controls include


providing increased personnel security and
auditing. The organization carefully considers
the appropriateness of a single individual
having multiple critical privileges. System
privilege models may be tailored to enforce
integrity and availability (e.g., lower
privileges include read access and higher
privileges include write access).

In situations where the ICS cannot support


access control to security functions, the
organization employs nonautomated
mechanisms or procedures as compensating
controls in accordance with the general
tailoring guidance.
In situations where the ICS cannot support
access control to nonsecurity functions, the
organization employs nonautomated
mechanisms or procedures as compensating
controls in accordance with the general
tailoring guidance.
In situations where the ICS cannot support
network access control to privileged
commands, the organization employs
nonautomated mechanisms or procedures as
compensating controls in accordance with
the general tailoring guidance.

In situations where the ICS cannot support


access control to privileged accounts, the
organization employs nonautomated
mechanisms or procedures as compensating
controls in accordance with the general
tailoring guidance.
In general, audit record processing is not
performed on the ICS, but on a separate
information system. Example compensating
controls include providing an auditing
capability on a separate information system.

Example compensating controls include


enhanced auditing.

Many ICS must remain continuously on and


operators remain logged onto the system at
all times. A “log-over” capability may be
employed. Example compensating controls
include logging or recording all unsuccessful
login attempts and alerting ICS security
personnel through alarms or other means
when the number of organization-defined
consecutive invalid access attempts is
exceeded.
Many ICS must remain continuously on and
system use notification may not be
supported or effective. Example
compensating controls include posting
physical notices in ICS facilities.

The number, account type, and privileges of


concurrent sessions takes into account the
roles and responsibilities of the affected
individuals. Example compensating controls
include providing increased auditing
measures.
This control assumes a staffed environment
where users interact with information
system displays. When this assumption does
not apply the organization tailors the control
appropriately (e.g., the ICS may be physically
protected by placement in a locked
enclosure). The control may also be tailored
for ICS that are not configured with displays,
but which have the capability to support
displays (e.g., ICS to which a maintenance
technician may attach a display). In some
cases, session lock for ICS operator
workstations/nodes is not advised (e.g.,
when immediate operator responses are
required in emergency situations). Example
compensating controls include locating the
display in an area with physical access
controls that limit access to individuals with
permission and need-to-know for the
displayed information.

ICS may employ physical protection to


prevent access to a display or to prevent
attachment of a display. In situations where
the ICS cannot conceal displayed
information, the organization employs
nonautomated mechanisms or procedures as
compensating controls in accordance with
the general tailoring guidance.

Example compensating controls include


providing increased auditing measures or
limiting remote access privileges to key
personnel.

No ICS Supplemental Guidance.


In situations where the ICS cannot
implement any or all of the components of
this control, the organization employs other
mechanisms or procedures as compensating
controls in accordance with the general
tailoring guidance.

Example compensating controls include


employing nonautomated mechanisms or
procedures as compensating controls in
accordance with the general tailoring
guidance.

Example compensating controls include employing nonautomated mechanisms or procedures as compensating controls (e.g., following manual authentication [see IA2], dial-in remote access may be enabled for a specified period of time or a call may be placed from the ICS site to the authenticated remote entity).

ICS security objectives often rank confidentiality below availability and integrity. The organization explores all possible cryptographic mechanism (e.g., encryption, digital signature, hash function). Each mechanism has a different delay impact. Example compensating controls include providing increased auditing for remote sessions or limiting remote access privileges to key personnel.

Example compensating controls include connection specific manual authentication of the remote entity.

No ICS Supplemental Guidance.

In situations where the ICS cannot implement any or all of the components of this control, the organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

See AC-17 Control Enhancement: (1) ICS Supplemental Guidance. Example compensating controls include providing increased auditing for wireless access or limiting wireless access privileges to key personnel.
No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


Organizations refine the definition of
“external” to reflect lines of authority and
responsibility; granularity of organization
entity; and their relationships. An
organization may consider a system to be
external if that system performs different
functions, implements different policies,
comes under different managers, or does not
provide sufficient visibility into the
implementation of security controls to allow
the establishment of a satisfactory trust
relationship. For example, a process control
system and a business data processing
system would typically be considered
external to each other. Access to an ICS for
support by a business partner, such as a
vendor or support contractor, is another
common example. The definition and
trustworthiness of external information
systems is reexamined with respect to ICS
functions, purposes, technology, and
limitations to establish a clear documented
technical or business case for use and an
acceptance of the risk inherent in the use of
an external information system.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

The organization should collaborate and share information about potential incidents on a timely basis. The DHS Nat
Generally, public access to ICS systems is not
permitted. Selected information may be
transferred to a publicly accessible
information system, possibly with added
controls (e.g., introduction of fuzziness or
delay).
Strength of Relationship (optional)
Comments (optional)
AC-21 has been added as a LOW baseline
control

Rationale for adding AC-21 to low baseline:


ICS systems provide essential services and
control functions and are often connected to
other ICS systems or business systems that
can be vectors of attack. It is therefore
necessary to provide a uniform defense
encompassing all baselines.
SP 800-53 Control
Number
(Focal Document
Element)

AT-1

AT-2

AT-2 (1)

AT-2 (2)

AT-3

AT-3 (1)

AT-3 (2)

AT-3 (3)
AT-3 (4)

AT-4
AT-5
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and
associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].

The organization provides basic security awareness training to information system users (including
managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

The organization includes practical exercises in security awareness training that simulate actual
cyber attacks.

The organization includes security awareness training on recognizing and reporting potential
indicators of insider threat.

The organization provides role-based security training to personnel with assigned security roles and
responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

The organization provides [Assignment: organization-defined personnel or roles] with initial and
[Assignment: organization-defined frequency] training in the employment and operation of
environmental controls.

The organization provides [Assignment: organization-defined personnel or roles] with initial and
[Assignment: organization-defined frequency] training in the employment and operation of physical
security controls.

The organization includes practical exercises in security training that reinforce training objectives.
The organization provides training to its personnel on [Assignment: organization-defined indicators
of malicious code] to recognize suspicious communications and anomalous behavior in
organizational information systems.
The organization:
a. Documents and monitors individual information system security training activities including basic
security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Security Control Baseline
Rationale
Relationship
Reference Document Element

Low AT-1

Low AT-2

Not Selected

Moderate AT-2 (2)

Low AT-3

Not Selected

Not Selected

Not Selected
Not Selected

Low AT-4
Withdrawn
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)

The policy specifically addresses the


unique properties and requirements
of ICS and the relationship to non-ICS
systems.

Security awareness training includes


initial and periodic review of ICS-
specific policies, standard operating
procedures, security trends, and
vulnerabilities. The ICS security
awareness program is consistent with
the requirements of the security
awareness and training policy
established by the organization.

No ICS Supplemental Guidance.


Security training includes initial and
periodic review of ICS-specific
policies, standard operating
procedures, security trends, and
vulnerabilities. The ICS security
training program is consistent with
the requirements of the security
awareness and training policy
established by the organization.
No ICS Supplemental Guidance.
Strength of Relationship (optional)
Comments (optional)
SP 800-53 Control
Number
(Focal Document
Element)

AU-1

AU-2
AU-2 (1)
AU-2 (2)
AU-2 (3)
AU-2 (4)
AU-3

AU-3 (1)

AU-3 (2)

AU-4
AU-4 (1)

AU-5

AU-5 (1)
AU-5 (2)
AU-5 (3)
AU-5 (4)
AU-6
AU-6 (1)
AU-6 (2)
AU-6 (3)
AU-6 (4)
AU-6 (5)
AU-6 (6)
AU-6 (7)
AU-6 (8)
AU-6 (9)
AU-6 (10)
AU-7
AU-7 (1)
AU-7 (2)

AU-8

AU-8 (1)
AU-8 (2)
AU-9
AU-9 (1)
AU-9 (2)
AU-9 (3)
AU-9 (4)
AU-9 (5)
AU-9 (6)

AU-10

AU-10 (1)

AU-10 (2)
AU-10 (3)
AU-10 (4)
AU-10 (5)
AU-11
AU-11 (1)
AU-12
AU-12 (1)
AU-12 (2)
AU-12 (3)
AU-13
AU-13 (1)
AU-13 (2)
AU-14
AU-14 (1)
AU-14 (2)
AU-14 (3)
AU-15
AU-16
AU-16 (1)
AU-16 (2)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and
associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].

The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

[Withdrawn: Incorporated into AU-12].

[Withdrawn: Incorporated into AU-12].

The organization reviews and updates the audited events [Assignment: organization-defined frequency].

[Withdrawn: Incorporated into AC-6 (9)].

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
The information system generates audit records containing the following additional information:
[Assignment: organization-defined additional, more detailed information].

The information system provides centralized management and configuration of the content to be
captured in audit records generated by [Assignment: organization-defined information system
components].
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].

The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit
processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken
(e.g., shut down information system, overwrite oldest audit records, stop generating audit
records)].
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
[Withdrawn: Incorporated into SI-4].
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

The information system provides the capability to centrally review and analyze audit records from multiple components within the system.

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.

The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.

The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.

The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.

The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].

The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].

The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

The information system writes audit trails to hardware-enforced, write-once media.

The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].

The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].

The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
The information system protects against an individual (or process acting on behalf of an
individual) falsely denying having performed [Assignment: organization-defined actions to be
covered by non-repudiation].

The information system:


(a) Binds the identity of the information producer with the information to [Assignment:
organization-defined strength of binding]; and
(b) Provides the means for authorized individuals to determine the identity of the producer of the
information.
The information system:
(a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error.

The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.

The information system:
(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
(b) Performs [Assignment: organization-defined actions] in the event of a validation error.

[Withdrawn: Incorporated into SI-7].

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.

The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].

The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.

The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

The information system initiates session audits at system start-up.

The information system provides the capability for authorized users to capture/record and log content related to a user session.

The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.

The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].

The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.

The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
Security Control Baseline
Rationale
Relationship
Reference Document Element

Low AU-1

Low AU-2
Withdrawn
Withdrawn
Moderate AU-2 (3)
Withdrawn
Low AU-3

Moderate AU-3 (1)

High AU-3 (2)

Low AU-4
Not Selected AU-4 (1)

Low AU-5

High AU-5 (1)


High AU-5 (2)
Not Selected
Not Selected
Low AU-6
Moderate AU-6 (1)
Withdrawn
Moderate AU-6 (3)
Not Selected
High AU-6 (5)
High AU-6 (6)
Not Selected
Not Selected
Not Selected
Not Selected
Moderate AU-7
Moderate AU-7 (1)
Not Selected

Low AU-8

Moderate AU-8 (1)


Not Selected
Low AU-9
Not Selected
High AU-9 (2)
High AU-9 (3)
Moderate AU-9 (4)
Not Selected
Not Selected

High AU-10

Not Selected

Not Selected
Not Selected
Not Selected
Withdrawn
Low AU-11
Not Selected
Low AU-12
High AU-12 (1)
Not Selected
High AU-12 (3)
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)

The policy specifically addresses the


unique properties and requirements
of ICS and the relationship to non-ICS
systems.

The organization may designate ICS


events as audit events, requiring that
ICS data and/or telemetry be
recorded as audit data.

No ICS Supplemental Guidance.


Example compensating controls
include providing an auditing
capability on a separate information
system.
No ICS Supplemental Guidance.

Legacy ICS are typically configured with remote storage on a separate information system (e.g., the historian accumulates historical operational ICS data and is backed up for storage at a different site). ICS are currently using online backup services and increasingly moving to Cloud based and Virtualized services. Retention of some data (e.g., SCADA telemetry) may be required by regulatory authorities.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.

Example compensating
No ICS Supplemental controls
Guidance.
include manual mechanisms or
procedures.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

Example compensating controls


include using a separate information
system designated as an authoritative
time source.
ICS employ suitable mechanisms (e.g.,
GPS, IEEE 1588) for time stamps.
No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

Example compensating controls


include providing non-repudiation on
a separate information system.

No ICS Supplemental Guidance.

Example compensating
No ICS Supplemental controls
Guidance.
include providing timecorrelated
audit records on a separate
information
Example system. controls
compensating
include employing nonautomated
mechanisms or procedures.
Strength of Relationship (optional) | Comments (optional)

AU-4 (1) has been added as a LOW baseline control enhancement.

Rationale for adding AU-4 (1) to all baselines: Legacy ICS components typically do not have capacity to store or analyze audit data. The retention periods for some data, particularly compliance data, may require large volumes of storage.
SP 800-53 Control Number (Focal Document Element)

CA-1
CA-2

CA-2 (1)

CA-2 (2)

CA-2 (3)
CA-3

CA-3 (1)
CA-3 (2)
CA-3 (3)
CA-3 (4)
CA-3 (5)
CA-4

CA-5

CA-5 (1)
CA-6
CA-7

CA-7 (1)
CA-7 (2)
CA-7 (3)
CA-8
CA-8 (1)
CA-8 (2)
CA-9
CA-9 (1)
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline

CA-1 (Low)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

CA-2 (Low)
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

CA-2 (1) (Moderate)
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.

CA-2 (2) (High)
The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].

CA-2 (3) (Not Selected)
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].

CA-3 (Low)
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

CA-3 (1) (Not Selected)
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].

CA-3 (2) (Not Selected)
The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].

CA-3 (3) (Not Selected)
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].

CA-3 (4) (Not Selected)
The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.

CA-3 (5) (Moderate)
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

CA-4 (Withdrawn)
[Withdrawn: Incorporated into CA-2].

CA-5 (Low)
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-5 (1) (Not Selected)
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.

CA-6 (Low)
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

CA-7 (Low)
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

CA-7 (1) (Moderate)
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.

CA-7 (2) (Withdrawn)
[Withdrawn: Incorporated into CA-2].

CA-7 (3) (Not Selected)
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

CA-8 (High)
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].

CA-8 (1) (Not Selected)
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

CA-8 (2) (Not Selected)
The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].

CA-9 (Low)
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

CA-9 (1) (Not Selected)
Reference Document Element | Rationale | Relationship

CA-1
CA-2

CA-2 (1)

CA-2 (2)
CA-3

CA-3 (5)

CA-5

CA-6
CA-7

CA-7 (1)

CA-8

CA-9
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)

CA-1: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

CA-2: Assessments are performed and documented by qualified assessors (i.e., experienced in assessing ICS) authorized by the organization. The organization ensures that assessments do not interfere with ICS functions. The individual/group conducting the assessment fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that the assessment does not affect system operation or result in unintentional system modification. If assessment activities must be performed on the production ICS, it may need to be taken off-line before an assessment can be conducted. If an ICS must be taken off-line to conduct an assessment, the assessment is scheduled to occur during planned ICS outages whenever possible.

CA-2 (1): No ICS Supplemental Guidance.

CA-2 (2): The organization conducts risk analysis to support the selection of assessment target (e.g., the live system, an off-line replica, a simulation).

CA-3: Organizations perform risk-benefit analysis to support determination whether an ICS should be connected to other information system(s). The Authorizing Official fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other information system(s); and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.

CA-3 (5): No ICS Supplemental Guidance.

CA-5: No ICS Supplemental Guidance.

CA-6: No ICS Supplemental Guidance.

CA-7: Continuous monitoring programs for ICS are designed, documented, and implemented by qualified personnel (i.e., experienced with ICS) selected by the organization. The organization ensures that continuous monitoring does not interfere with ICS functions. The individual/group designing and conducting the continuous monitoring fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that continuous monitoring does not affect system operation or result in intentional or unintentional system modification. In general, ICS are highly sensitive to timing constraints and have limited resources. Example compensating controls include external monitoring.

CA-7 (1): No ICS Supplemental Guidance.

CA-8: Penetration testing is used with care on ICS networks to ensure that ICS functions are not adversely impacted by the testing process. Example compensating controls include employing a replicated, virtualized, or simulated system to conduct penetration testing. Production ICS may need to be taken off-line before testing can be conducted. If ICS are taken off-line for testing, tests are scheduled to occur during planned ICS outages whenever possible. If penetration testing is performed on non-ICS networks, extra care is taken to ensure that tests do not propagate into the ICS network.

CA-9: Organizations perform risk-benefit analysis to support determination whether an ICS should be connected to other internal information system(s) and (separate) constituent system components. The Authorizing Official fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other information system(s) and (separate) constituent system components, whether by authorizing each individual internal connection or authorizing internal connections for a class of components with common characteristics and/or configurations; and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.
Strength of Relationship (optional) | Comments (optional)
SP 800-53 Control Number (Focal Document Element)
CM-1
CM-2
CM-2 (1)
CM-2 (2)
CM-2 (3)
CM-2 (4)
CM-2 (5)
CM-2 (6)

CM-2 (7)

CM-3

CM-3 (1)
CM-3 (2)
CM-3 (3)
CM-3 (4)
CM-3 (5)
CM-3 (6)
CM-4
CM-4 (1)
CM-4 (2)
CM-5
CM-5 (1)
CM-5 (2)
CM-5 (3)
CM-5 (4)
CM-5 (5)
CM-5 (6)
CM-5 (7)
CM-6
CM-6 (1)
CM-6 (2)
CM-6 (3)
CM-6 (4)
CM-7
CM-7 (1)
CM-7 (2)
CM-7 (3)

CM-7 (4)

CM-7 (5)

CM-8

CM-8 (1)
CM-8 (2)
CM-8 (3)
CM-8 (4)
CM-8 (5)
CM-8 (6)
CM-8 (7)
CM-8 (8)
CM-8 (9)

CM-9

CM-9 (1)

CM-10

CM-10 (1)
CM-11
CM-11 (1)
CM-11 (2)
SP 800-53 Control or Control Enhancement (Focal Document Element Description)

CM-1
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency].

CM-2
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

CM-2 (1)
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.

CM-2 (2)
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

CM-2 (3)
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.

CM-2 (4)
[Withdrawn: Incorporated into CM-7].

CM-2 (5)
[Withdrawn: Incorporated into CM-7].

CM-2 (6)
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.

CM-2 (7)
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.

CM-3
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

CM-3 (1)
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.

CM-3 (2)
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-3 (3)
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

CM-3 (4)
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].

CM-3 (5)
The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.

CM-3 (6)
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.

CM-4
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

CM-4 (1)
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-4 (2)
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.

CM-5
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

CM-5 (1)
The information system enforces access restrictions and supports auditing of the enforcement actions.

CM-5 (2)
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

CM-5 (3)
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

CM-5 (4)
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].

CM-5 (5)
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].

CM-5 (6)
The organization limits privileges to change software resident within software libraries.

CM-5 (7)
[Withdrawn: Incorporated into SI-7].

CM-6
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-6 (1)
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].

CM-6 (2)
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].

CM-6 (3)
[Withdrawn: Incorporated into SI-7].

CM-6 (4)
[Withdrawn: Incorporated into CM-4].

CM-7
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].

CM-7 (1)
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

CM-7 (2)
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7 (3)
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].

CM-7 (4)
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

CM-7 (5)
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].

CM-8
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

CM-8 (1)
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8 (2)
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

CM-8 (3)
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

CM-8 (4)
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.

CM-8 (5)
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

CM-8 (6)
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

CM-8 (7)
The organization provides a centralized repository for the inventory of information system components.

CM-8 (8)
The organization employs automated mechanisms to support tracking of information system components by geographic location.

CM-8 (9)
The organization:
(a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and
(b) Receives an acknowledgement from the information system owner of this assignment.

CM-9
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.

CM-9 (1)
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.

CM-10
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-10 (1)
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].

CM-11
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].

CM-11 (1)
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
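CM-2, CM-3 (5), CM-6 (2) and CM-8 (3) above all call for an automated comparison of what is actually deployed against an authorized baseline, with a defined response when the two differ. The Python script below is an added example of that comparison and is not part of NIST SP 800-82, SP 800-53 or the OLIR mapping: it holds an authorized component inventory together with the SHA-256 of each component's approved configuration, diffs it against constructed scan results, and maps every finding (unknown device, unapproved configuration change, missing device) to a CM-8 (3)(b) response. The inventory, the scan output, the response table and the choice to key components by MAC address are assumptions made for the example; a MAC is trivially spoofed, so a production inventory should corroborate identity with something harder to forge, such as a device certificate or vendor serial number.

```python
"""Baseline and inventory verification in the spirit of CM-2, CM-3 (5),
CM-6 (2) and CM-8 (3). Added illustration, not NIST text or code.
Every inventory entry, scan result and hash below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def config_hash(config: bytes) -> str:
    """SHA-256 of an approved configuration image (constructed inputs)."""
    return hashlib.sha256(config).hexdigest()


@dataclass(frozen=True)
class Component:
    asset_id: str
    mac: str            # assumption: MAC used as the scan key (spoofable)
    role: str
    config_sha256: str  # hash of the approved, baselined configuration


# CM-8 a: authorized inventory inside the authorization boundary (constructed).
BASELINE: Dict[str, Component] = {
    "plc-01": Component("plc-01", "00:1d:9c:aa:00:01", "PLC",
                        config_hash(b"plc-01 ladder logic rev 7")),
    "hmi-01": Component("hmi-01", "00:1d:9c:aa:00:02", "HMI",
                        config_hash(b"hmi-01 runtime settings")),
    "hist-01": Component("hist-01", "00:1d:9c:aa:00:03", "Historian",
                         config_hash(b"hist-01 collector config")),
}

# CM-8 (3)(a): what an automated scan reported, keyed by MAC (constructed).
SCAN: Dict[str, Tuple[str, str]] = {
    "00:1d:9c:aa:00:01": ("plc-01", config_hash(b"plc-01 ladder logic rev 8")),  # changed, no approval
    "00:1d:9c:aa:00:02": ("hmi-01", config_hash(b"hmi-01 runtime settings")),    # matches baseline
    "00:1d:9c:aa:00:09": ("laptop-contractor", config_hash(b"unknown")),         # not in inventory
}

# CM-8 (3)(b) selection: response per finding (constructed policy, an assumption).
RESPONSE = {
    "unauthorized_component": "isolate and notify",
    "unauthorized_change": "notify",   # CM-3 (5) / CM-6 (2) response to baseline drift
    "missing_component": "notify",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    asset: str
    action: str


def verify_inventory(baseline: Dict[str, Component],
                     scan: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Diff scan results against the baseline and attach the policy response."""
    findings: List[Finding] = []
    by_mac = {c.mac: c for c in baseline.values()}
    for mac, (reported_id, observed_hash) in scan.items():
        known = by_mac.get(mac)
        if known is None:
            # Device present on the network but absent from the authorized inventory.
            findings.append(Finding("unauthorized_component", reported_id,
                                    RESPONSE["unauthorized_component"]))
        elif observed_hash != known.config_sha256:
            # Known device whose configuration no longer matches the approved baseline.
            findings.append(Finding("unauthorized_change", known.asset_id,
                                    RESPONSE["unauthorized_change"]))
    for mac, known in by_mac.items():
        if mac not in scan:
            # Inventoried device that the scan did not see at all.
            findings.append(Finding("missing_component", known.asset_id,
                                    RESPONSE["missing_component"]))
    return sorted(findings, key=lambda f: (f.kind, f.asset))


if __name__ == "__main__":
    for f in verify_inventory(BASELINE, SCAN):
        print(f"{f.kind:24} {f.asset:18} -> {f.action}")
```

Run stand-alone it reports the historian as missing, the PLC as changed without approval, and the contractor laptop as an unauthorized component to be isolated. A missing historian is itself worth chasing: the AU guidance earlier on this page relies on that separate system holding the audit trail.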
Security Control Baseline | Reference Document Element | Rationale | Relationship

Low CM-1
Low CM-2
Moderate CM-2 (1)
High CM-2 (2)
Moderate CM-2 (3)
Withdrawn
Withdrawn
Not Selected

Moderate CM-2 (7)

Moderate CM-3

High CM-3 (1)


Moderate CM-3 (2)
Not Selected
Not Selected
Not Selected
Not Selected
Low CM-4
High CM-4 (1)
Not Selected
Moderate CM-5
High CM-5 (1)
High CM-5 (2)
High CM-5 (3)
Not Selected
Not Selected
Not Selected
Withdrawn
Low CM-6
High CM-6 (1)
High CM-6 (2)
Withdrawn
Withdrawn
Low CM-7
Moderate CM-7 (1)
Moderate CM-7 (2)
Not Selected

Moderate CM-7 (4)

High CM-7 (5)

Low CM-8

Moderate CM-8 (1)


High CM-8 (2)
Moderate CM-8 (3)
High CM-8 (4)
Moderate CM-8 (5)
Not Selected
Not Selected
Not Selected
Not Selected

Moderate CM-9

Not Selected

Low CM-10

Not Selected
Low CM-11
Not Selected
Not Selected
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)
CM-1: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
CM-2: No ICS Supplemental Guidance.
CM-2 (1): No ICS Supplemental Guidance.
CM-2 (2): No ICS Supplemental Guidance.
CM-2 (3): No ICS Supplemental Guidance.
CM-2 (7): No ICS Supplemental Guidance.
CM-3: No ICS Supplemental Guidance.
CM-3 (1): No ICS Supplemental Guidance.
CM-3 (2): No ICS Supplemental Guidance.
CM-4: The organization considers ICS safety and security interdependencies.
CM-4 (1): No ICS Supplemental Guidance.
CM-5: No ICS Supplemental Guidance.
CM-5 (1): No ICS Supplemental Guidance.
CM-5 (2): No ICS Supplemental Guidance.
CM-5 (3): No ICS Supplemental Guidance.
CM-6: No ICS Supplemental Guidance.
CM-6 (1): No ICS Supplemental Guidance.
CM-6 (2): No ICS Supplemental Guidance.
CM-7: Ports, as used in NIST SP 800-53 Rev. 4, are part of the address space in network protocols and are often associated with specific protocols or functions. As such, ports are not relevant to nonroutable protocols and devices. When dealing with non-routable and non-addressable protocols and devices, prohibiting or restricting the use of specified functions, protocols, and/or services must be implemented for the (sub)system granularity that is available (e.g., at a low level, interrupts could be disabled; at a high level, set points could be made read-only except for privileged users). Example compensating controls include employing nonautomated mechanisms or procedures.
CM-7 (1): No ICS Supplemental Guidance.
CM-7 (2): No ICS Supplemental Guidance.
CM-7 (4): Whitelisting (CE 5) is more effective than blacklisting (CE 4). The set of applications that run in ICS is essentially sta
CM-7 (5): Whitelisting (CE 5) is more effective than blacklisting (CE 4). The set of applications that run in ICS is essentially sta
CM-8: No ICS Supplemental Guidance.
CM-8 (1): No ICS Supplemental Guidance.
CM-8 (2): No ICS Supplemental Guidance.
CM-8 (3): No ICS Supplemental Guidance.
CM-8 (4): No ICS Supplemental Guidance.
CM-8 (5): No ICS Supplemental Guidance.
CM-9: No ICS Supplemental Guidance.
CM-10: No ICS Supplemental Guidance.
CM-11: No ICS Supplemental Guidance.
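The ICS guidance for CM-7 (4) and CM-7 (5) above states that whitelisting beats blacklisting because the set of applications on an ICS is essentially static. The Python script below is an added illustration of why, and is not part of NIST SP 800-82, SP 800-53 or the OLIR mapping: it decides whether an image may run under a deny-all, permit-by-exception allowlist and under an allow-all, deny-by-exception blocklist (keyed by hash and, for comparison, by file name), using the SHA-256 of the image rather than its name. The binaries, file names and list contents are constructed sample data and model no real product.

```python
"""Deny-all, permit-by-exception (CM-7 (5)) versus allow-all, deny-by-exception
(CM-7 (4)) execution control, decided on the SHA-256 of the image.
Added illustration, not NIST text or code. All binaries are constructed."""
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for executable images on an ICS engineering workstation.
BINARIES: Dict[str, bytes] = {
    "hmi_runtime.exe":   b"constructed HMI runtime image v4.2",
    "historian_svc.exe": b"constructed historian collector image",
    "mimikatz.exe":      b"constructed known-bad credential dumper",
    "svchost.exe":       b"constructed known-bad credential dumper",  # same bytes, renamed
    "updater.exe":       b"constructed never-before-seen tool",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# CM-7 (5)(a): the authorized set, i.e. the small, stable ICS application inventory.
ALLOWLIST = {sha256(BINARIES["hmi_runtime.exe"]),
             sha256(BINARIES["historian_svc.exe"])}

# CM-7 (4)(a): the unauthorized set, which can only name what is already known to be bad.
BLOCKLIST_HASHES = {sha256(BINARIES["mimikatz.exe"])}
BLOCKLIST_NAMES = {"mimikatz.exe"}


def allowlist_decision(data: bytes) -> str:
    """Deny-all, permit-by-exception: run only if the image hash is authorized."""
    return "permit" if sha256(data) in ALLOWLIST else "deny"


def blocklist_decision(name: str, data: bytes, by_hash: bool = True) -> str:
    """Allow-all, deny-by-exception: run unless the image is explicitly listed."""
    listed = sha256(data) in BLOCKLIST_HASHES if by_hash else name in BLOCKLIST_NAMES
    return "deny" if listed else "permit"


def compare_policies(binaries: Dict[str, bytes] = BINARIES) -> Dict[str, Tuple[str, str, str]]:
    """For each image: (allowlist, hash blocklist, name blocklist) decision."""
    return {name: (allowlist_decision(data),
                   blocklist_decision(name, data, by_hash=True),
                   blocklist_decision(name, data, by_hash=False))
            for name, data in binaries.items()}


if __name__ == "__main__":
    for name, (allow, block_hash, block_name) in compare_policies().items():
        print(f"{name:18} allowlist={allow:6} "
              f"blocklist(hash)={block_hash:6} blocklist(name)={block_name}")
```

Under the allowlist both the renamed copy of the known-bad tool and the never-seen updater are denied. The blocklist permits the unknown tool outright, and a name-keyed blocklist also permits the renamed copy. That asymmetry is the practical reason the guidance prefers CE 5: the allowlist only has to describe the stable set of things that should run, while a blocklist has to anticipate everything that should not.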


Strength of Relationship (optional) | Comments (optional)

CM-7 (1) has been added as a LOW baseline control enhancement.

Rationale for adding CM-7 (1) to all baselines: Periodic review and removal of unnecessary and/or nonsecure functions, ports, protocols, and services are added to the LOW baseline because many of the LOW impact ICS components could adversely affect the systems to which they are connected.
SP 800-53 Control Number (Focal Document Element)
CP-1

CP-2

CP-2 (1)
CP-2 (2)
CP-2 (3)
CP-2 (4)
CP-2 (5)
CP-2 (6)
CP-2 (7)

CP-2 (8)

CP-3

CP-3 (1)

CP-3 (2)
CP-4

CP-4 (1)

CP-4 (2)
CP-4 (3)
CP-4 (4)
CP-5

CP-6

CP-6 (1)
CP-6 (2)
CP-6 (3)
CP-7
CP-7 (1)
CP-7 (2)
CP-7 (3)
CP-7 (4)
CP-7 (5)
CP-7 (6)
CP-8

CP-8 (1)

CP-8 (2)
CP-8 (3)
CP-8 (4)
CP-8 (5)
CP-9
CP-9 (1)
CP-9 (2)
CP-9 (3)
CP-9 (4)
CP-9 (5)

CP-9 (6)

CP-9 (7)

CP-10
CP-10 (1)
CP-10 (2)
CP-10 (3)
CP-10 (4)
CP-10 (5)
CP-10 (6)
CP-11
CP-12
CP-13
SP 800-53 Control or Control Enhancement (Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency].

The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.

The organization coordinates contingency plan development with organizational elements responsible for related plans.

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
The organization identifies critical information system assets supporting essential missions and
business functions.

The organization provides contingency training to information system users consistent with
assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or
responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into contingency training to facilitate effective
response by personnel in crisis situations.
The organization employs automated mechanisms to provide a more thorough and realistic
contingency training environment.
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined
frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the
plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

The organization tests the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabilities of the alternate processing site to support contingency operations.

The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
The organization includes a full recovery and reconstitution of the information system to a
known state as part of contingency plan testing.
[Withdrawn: Incorporated into CP-2].
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage
and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to
that of the primary site.
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
[Withdrawn: Incorporated into CP-7].
The organization plans and prepares for circumstances that preclude returning to the primary processing site.

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].

The organization tests alternate telecommunication services [Assignment: organization-defined frequency].

The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
[Withdrawn: Incorporated into CP-9].
The organization transfers information system backup information to the alternate storage site
[Assignment: organization-defined time period and transfer rate consistent with the recovery
time and recovery point objectives].

The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

The organization enforces dual authorization for the deletion or destruction of [Assignment:
organization-defined backup information].
The organization provides for the recovery and reconstitution of the information system to a
known state after a disruption, compromise, or failure.
[Withdrawn: Incorporated into CP-4].
The information system implements transaction recovery for systems that are transaction-
based.
[Withdrawn: Addressed through tailoring procedures].
The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
[Withdrawn: Incorporated into SI-13].
The organization protects backup and restoration hardware, firmware, and software.
The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
Security Control Baseline
Reference Document Element
Rationale
Relationship

Low CP-1

Low CP-2

Moderate CP-2 (1)


High CP-2 (2)
Moderate CP-2 (3)
High CP-2 (4)
High CP-2 (5)
Not Selected
Not Selected

Moderate CP-2 (8)

Low CP-3

High CP-3 (1)

Not Selected
Low CP-4

Moderate CP-4 (1)

High CP-4 (2)


Not Selected
Not Selected
Withdrawn

Moderate CP-6

Moderate CP-6 (1)


High CP-6 (2)
Moderate CP-6 (3)
Moderate CP-7
Moderate CP-7 (1)
Moderate CP-7 (2)
Moderate CP-7 (3)
High CP-7 (4)
Withdrawn
Not Selected
Moderate CP-8

Moderate CP-8 (1)

Moderate CP-8 (2)


High CP-8 (3)
High CP-8 (4)
Not Selected
Low CP-9
Moderate CP-9 (1)
High CP-9 (2)
High CP-9 (3)
Withdrawn
High CP-9 (5)

Not Selected

Not Selected

Low CP-10
Withdrawn
Moderate CP-10 (2)
Withdrawn
High CP-10 (4)
Withdrawn
Not Selected
Not Selected
Not Selected CP-12
Not Selected
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

The organization defines contingency plans for categories of disruptions or failures. In the event of a loss of processing within the ICS or communication with operational facilities, the ICS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing, alert the operator and then safely shut down the industrial process, alert the operator and then maintain the last operational setting prior to failure).

Organizational elements responsible for related plans may include suppliers such as electric power, fuel, fresh water and wastewater.

No ICS Supplemental Guidance.

Plans for the resumption of essential missions and business functions, and for resumption of all missions and business functions take into account the effects of the disruption on the environment of operation. Restoration and resumption plans should include prioritization of efforts. Disruptions may affect the quality and quantity of resources in the environment, such as electric power, fuel, fresh water and wastewater, and the ability of these suppliers to also resume provision of essential mission and business functions. Contingency plans for widespread disruption may involve specialized organizations (e.g., FEMA, emergency services, regulatory authorities). Reference: NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.

Plans for the resumption of essential missions and business functions, and for resumption of all missions and business functions take into account the effects of the disruption on the environment of operation. Restoration and resumption plans should include prioritization of efforts. Disruptions may affect the quality and quantity of resources in the environment, such as electric power, fuel, fresh water and wastewater, and the ability of these suppliers to also resume provision of essential mission and business functions. Contingency plans for widespread disruption may involve specialized organizations (e.g., FEMA, emergency services, regulatory authorities). Reference: NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

Quality of service factors for ICS include latency and throughput.

No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

Reconstitution of the ICS includes consideration whether system state variables should be restored to initial values or values before disruption (e.g., are valves restored to full open, full closed, or settings prior to disruption). Restoring system state variables may be disruptive to ongoing physical processes (e.g., valves initially closed may adversely affect system cooling).

No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
The organization-defined conditions
and corresponding restrictions of safe
mode of operation may vary among
baselines. The same condition(s) may
trigger different response depending
on the impact level. The conditions
may be external to the ICS (e.g.,
electricity supply brown-out). Related
controls: SI-17.
Strength of Relationship (optional)
Comments (optional)

CP-12 has been added as a LOW baseline control.

Rationale for adding CP-12 to all baselines: This control provides a framework for the organization to plan their policy and procedures for dealing with conditions beyond their control in the environment of operations. Creating a written record of the decision process for selecting incidents and appropriate response is part of risk management in light of changing environment of operations.
SP 800-53 Control Number (Focal Document Element)

IA-1

IA-2
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (4)
IA-2 (5)
IA-2 (6)
IA-2 (7)
IA-2 (8)
IA-2 (9)
IA-2 (10)
IA-2 (11)
IA-2 (12)
IA-2 (13)
IA-3
IA-3 (1)
IA-3 (2)
IA-3 (3)
IA-3 (4)
IA-4
IA-4 (1)
IA-4 (2)
IA-4 (3)
IA-4 (4)
IA-4 (5)
IA-4 (6)
IA-4 (7)
IA-5
IA-5 (1)

IA-5 (2)
IA-5 (3)
IA-5 (4)
IA-5 (5)
IA-5 (6)
IA-5 (7)
IA-5 (8)

IA-5 (9)

IA-5 (10)
IA-5 (11)
IA-5 (12)
IA-5 (13)

IA-5 (14)

IA-5 (15)

IA-6

IA-7

IA-8
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)
IA-8 (5)
IA-9
IA-9 (1)
IA-9 (2)
IA-10
IA-11
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. An identification and authentication policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and
compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy
and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined
frequency].

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

The information system implements multifactor authentication for network access to privileged accounts.

The information system implements multifactor authentication for network access to non-privileged accounts.

The information system implements multifactor authentication for local access to privileged accounts.

The information system implements multifactor authentication for local access to non-privileged accounts.

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services].

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].

The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.

[Withdrawn: Incorporated into IA-3 (1)].

The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device.

The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].

The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.

The organization requires that the registration process to receive an individual identifier includes supervisor authorization.

The organization requires multiple forms of certification of individual identification be presented to the registration authority.

The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].

The information system dynamically manages identifiers.

The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.

The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.

The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined
requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case
letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are
created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment:
organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a
permanent password.
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].

The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.

The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
The organization coordinates with [Assignment: organization-defined external organizations]
for cross-organization management of credentials.

The information system dynamically provisions identities.


The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].

The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
The information system prohibits the use of cached authenticators after [Assignment:
organization-defined time period].
The organization, for PKI-based authentication, employs a deliberate organization-wide
methodology for managing the content of PKI trust stores installed across all platforms
including networks, operating systems, browsers, and applications.
The organization uses only FICAM-approved path discovery and validation products and
services.

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
The information system accepts only FICAM-approved third-party credentials.
The organization employs only FICAM-approved information system components in
[Assignment: organization-defined information systems] to accept third-party credentials.
The information system conforms to FICAM-issued profiles.
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.

The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

The organization ensures that service providers receive, validate, and transmit identification and authentication information.

The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.

The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
Security Control Baseline
Rationale
Relationship

Low

Low
Low
Moderate
Moderate
High
Not Selected
Not Selected
Not Selected
Moderate
High
Not Selected
Moderate
Low
Not Selected
Moderate
Not Selected
Withdrawn
Not Selected
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low
Low

Moderate
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected

Not Selected

Not Selected
Low
Not Selected
Not Selected

Not Selected

Not Selected

Low

Low

Low
Low
Low
Low
Low
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)

IA-1 The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

IA-2 Where users function as a single group (e.g., control room operators), user identification and authentication may be role-based, group-based, or device-based. For certain ICS, the capability for immediate operator interaction is critical. Local emergency actions for ICS are not hampered by identification or authentication requirements. Access to these systems may be restricted by appropriate physical security controls. Example compensating controls include providing increased physical security, personnel security, and auditing measures. For example, manual voice authentication of remote personnel and local, manual actions may be required in order to establish a remote access. See AC-17 ICS Supplemental Guidance. Local user access to ICS components is enabled only when necessary, approved, and authenticated.

IA-2 (1) Example compensating controls include implementing physical security measures.

IA-2 (2) Example compensating controls include implementing physical security measures.

IA-2 (3) Example compensating controls include implementing physical security measures.

IA-2 (4) Example compensating controls include implementing physical security measures.

IA-2 (8) Example compensating controls include providing replay-resistance in an external system.

IA-2 (9) Example compensating controls include providing replay-resistance in an external system.

IA-2 (11) No ICS Supplemental Guidance.

IA-2 (12) The organization may permit connection of devices, also known as non-person entities (NPE), belonging to and authorized by another organization for business (e.g., partners) to their ICS. Especially when these devices are non-local, their identification and authentication can be vital. Organizations may perform risk and impact analysis to determine the required strength of authentication mechanisms.

IA-3 Configuration management for NPE identification and authentication customarily involves a human surrogate or representative for the NPE. Devices are provided with their identification and authentication credentials based on assertions by the human surrogate. The human surrogate also responds to events and anomalies (e.g., credential expiration). Credentials for software entities (e.g., autonomous processes not associated with a specific person) based on properties of that software (e.g., digital signatures) may change every time the software is changed or patched. Special purpose hardware (e.g., custom integrated circuits and printed-circuit boards) may exhibit similar dependencies. Organization definition of parameters may be different among the impact levels.

IA-3 (1) Configuration management for NPE identification and authentication customarily involves a human surrogate or representative for the NPE. Devices are provided with their identification and authentication credentials based on assertions by the human surrogate. The human surrogate also responds to events and anomalies (e.g., credential expiration). Credentials for software entities (e.g., autonomous processes not associated with a specific person) based on properties of that software (e.g., digital signatures) may change every time the software is changed or patched. Special purpose hardware (e.g., custom integrated circuits and printed-circuit boards) may exhibit similar dependencies. Organization definition of parameters may be different among the impact levels.

IA-3 (4) Example compensating controls for devices and protocols which do not provide authentication for remote network connections, include implementing physical security measures.

IA-4 No ICS Supplemental Guidance.

IA-5 Example compensating controls include physical access control, encapsulating the ICS to provide authentication external to the ICS.

IA-5 (1) No ICS Supplemental Guidance.

IA-5 (2) No ICS Supplemental Guidance.

IA-5 (3) No ICS Supplemental Guidance.

IA-5 (11) No ICS Supplemental Guidance.

IA-6 This control assumes a visual interface that provides feedback of authentication information during the authentication process. When ICS authentication uses an interface that does not support visual feedback (e.g., protocol-based authentication), this control may be tailored out.

IA-7 No ICS Supplemental Guidance.

IA-8 The ICS Supplemental Guidance for IA-2, Identification and Authentication (Organizational Users), is applicable for Non-Organizational Users.

IA-8 (1) Example compensating controls include implementing support external to the ICS and multi-factor authentication.

IA-8 (2) Example compensating controls include implementing support external to the ICS and multi-factor authentication.

IA-8 (3) Example compensating controls include implementing support external to the ICS and multi-factor authentication.

IA-8 (4) Example compensating controls include implementing support external to the ICS and multi-factor authentication.
Group Identifier (optional)
Strength of Relationship (optional)
Comments (optional)

IA-3 has been added as a LOW baseline control
Rationale for adding IA-3 to all baselines: ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.

IA-3 (1) has been added as a MODERATE baseline control enhancement
Rationale for adding IA-3 (1) to moderate baselines: ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.

IA-3 (4) has been added as a MODERATE baseline control enhancement
Rationale for adding IA-3 (4) to moderate baselines: ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.
SP 800-53 Control
Number
(Focal Document
Element)

IR-1

IR-2

IR-2 (1)
IR-2 (2)

IR-3

IR-3 (1)

IR-3 (2)

IR-4
IR-4 (1)
IR-4 (2)
IR-4 (3)
IR-4 (4)
IR-4 (5)
IR-4 (6)
IR-4 (7)
IR-4 (8)
IR-4 (9)
IR-4 (10)
IR-5
IR-5 (1)
IR-6
IR-6 (1)
IR-6 (2)
IR-6 (3)
IR-7
IR-7 (1)
IR-7 (2)

IR-8

IR-9

IR-9 (1)
IR-9 (2)
IR-9 (3)
IR-9 (4)
IR-10
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident
response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].

The organization provides incident response training to information system users consistent with
assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or
responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into incident response training to facilitate effective
response by personnel in crisis situations.

The organization employs automated mechanisms to provide a more thorough and realistic incident
response training environment.
The organization tests the incident response capability for the information system [Assignment:
organization-defined frequency] using [Assignment: organization-defined tests] to determine the
incident response effectiveness and documents the results.

The organization employs automated mechanisms to more thoroughly and effectively test the
incident response capability.

The organization coordinates incident response testing with organizational elements responsible for
related plans.

The organization:
a. Implements an incident handling capability for security incidents that includes preparation,
detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response
procedures, training, and testing, and implements the resulting changes accordingly.

The organization employs automated mechanisms to support the incident handling process.

The organization includes dynamic reconfiguration of [Assignment: organization-defined information
system components] as part of the incident response capability.

The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment:
organization-defined actions to take in response to classes of incidents] to ensure continuation of
organizational missions and business functions.

The organization correlates incident information and individual incident responses to achieve an
organization-wide perspective on incident awareness and response.

The organization implements a configurable capability to automatically disable the information
system if [Assignment: organization-defined security violations] are detected.

The organization implements incident handling capability for insider threats.

The organization coordinates incident handling capability for insider threats across [Assignment:
organization-defined components or elements of the organization].

The organization coordinates with [Assignment: organization-defined external organizations] to
correlate and share [Assignment: organization-defined incident information] to achieve a cross-
organization perspective on incident awareness and more effective incident responses.

The organization employs [Assignment: organization-defined dynamic response capabilities] to
effectively respond to security incidents.

The organization coordinates incident handling activities involving supply chain events with other
organizations involved in the supply chain.

The organization tracks and documents information system security incidents.

The organization employs automated mechanisms to assist in the tracking of security incidents and in
the collection and analysis of incident information.

The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response
capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].

The organization employs automated mechanisms to assist in the reporting of security incidents.

The organization reports information system vulnerabilities associated with reported security
incidents to [Assignment: organization-defined personnel or roles].

The organization provides security incident information to other organizations involved in the supply
chain for information systems or information system components related to the incident.

The organization provides an incident response support resource, integral to the organizational
incident response capability that offers advice and assistance to users of the information system for
the handling and reporting of security incidents.

The organization employs automated mechanisms to increase the availability of incident response-
related information and support.

The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and
external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers.

The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall
organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and
functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an
incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems
encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.

The organization responds to information spills by:


a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a
method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently
contaminated; and
f. Performing other [Assignment: organization-defined actions].

The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for
responding to information spills.

The organization provides information spillage response training [Assignment: organization-defined
frequency].

The organization implements [Assignment: organization-defined procedures] to ensure that
organizational personnel impacted by information spills can continue to carry out assigned tasks
while contaminated systems are undergoing corrective actions.

The organization employs [Assignment: organization-defined security safeguards] for personnel
exposed to information not within assigned access authorizations.
Security Control Baseline
Rationale
Relationship

Low

Low

High
High

Moderate

Not Selected

Moderate

Low
Moderate
Not Selected
Not Selected
High
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low
High
Low
Moderate
Not Selected
Not Selected
Low
Moderate
Not Selected

Low

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)

IR-1 The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

IR-2 No ICS Supplemental Guidance.

IR-2 (1) No ICS Supplemental Guidance.


IR-2 (2) No ICS Supplemental Guidance.

IR-3 No ICS Supplemental Guidance.

IR-3 (2) No ICS Supplemental Guidance.

IR-4 No ICS Supplemental Guidance.


IR-4 (1) No ICS Supplemental Guidance.

IR-4 (4) No ICS Supplemental Guidance.

IR-5 No ICS Supplemental Guidance.


IR-5 (1) No ICS Supplemental Guidance.
IR-6 The organization should report incidents on a timely basis. The DHS National Cybersecu
IR-6 (1) The automated mechanisms used to support the incident reporting process are not necessarily part of, or connected to, the ICS.

IR-7 No ICS Supplemental Guidance.


IR-7 (1) No ICS Supplemental Guidance.

IR-8 No ICS Supplemental Guidance.


Group Identifier (optional)
Strength of Relationship (optional)
Comments (optional)
SP 800-53 Control
Number
(Focal Document
Element)

MA-1

MA-2

MA-2 (1)

MA-2 (2)

MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
MA-3 (4)
MA-4

MA-4 (1)

MA-4 (2)

MA-4 (3)

MA-4 (4)

MA-4 (5)
MA-4 (6)
MA-4 (7)
MA-5

MA-5 (1)

MA-5 (2)

MA-5 (3)

MA-5 (4)

MA-5 (5)

MA-6

MA-6 (1)
MA-6 (2)
MA-6 (3)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated
system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency].

The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information
system components in accordance with manufacturer or vendor specifications and/or organizational
requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and
whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal
of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from
organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning
properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational
maintenance records.

[Withdrawn: Incorporated into MA-2].

The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs;
and
(b) Produces up-to date, accurate, and complete records of all maintenance and repair actions
requested, scheduled, in process, and completed.

The organization approves, controls, and monitors information system maintenance tools.

The organization inspects the maintenance tools carried into a facility by maintenance personnel for
improper or unauthorized modifications.

The organization checks media containing diagnostic and test programs for malicious code before the
media are used in the information system.

The organization prevents the unauthorized removal of maintenance equipment containing
organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly
authorizing removal of the equipment from the facility.

The information system restricts the use of maintenance tools to authorized personnel only.
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational
policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic
sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.

The organization:
(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit
events]; and
(b) Reviews the records of the maintenance and diagnostic sessions.

The organization documents in the security plan for the information system, the policies and
procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

The organization:
(a) Requires that nonlocal maintenance and diagnostic services be performed from an information
system that implements a security capability comparable to the capability implemented on the
system being serviced; or
(b) Removes the component to be serviced from the information system prior to nonlocal
maintenance or diagnostic services, sanitizes the component (with regard to organizational
information) before removal from organizational facilities, and after the service is performed,
inspects and sanitizes the component (with regard to potentially malicious software) before
reconnecting the component to the information system.

The organization protects nonlocal maintenance sessions by:
(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the information system by
either:
(1) Physically separated communications paths; or
(2) Logically separated communications paths based upon encryption.

The organization:
(a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-
defined personnel or roles]; and
(b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned
nonlocal maintenance.

The information system implements cryptographic mechanisms to protect the integrity and
confidentiality of nonlocal maintenance and diagnostic communications.

The information system implements remote disconnect verification at the termination of nonlocal
maintenance and diagnostic sessions.
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized
maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have
required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence
to supervise the maintenance activities of personnel who do not possess the required access
authorizations.

The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security
clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal
access approvals are escorted and supervised during the performance of maintenance and diagnostic
activities on the information system by approved organizational personnel who are fully cleared,
have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed
access authorizations, clearances or formal access approvals, all volatile information storage
components within the information system are sanitized and all nonvolatile storage media are
removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system
component cannot be sanitized, removed, or disconnected from the system.

The organization ensures that personnel performing maintenance and diagnostic activities on an
information system processing, storing, or transmitting classified information possess security
clearances and formal access approvals for at least the highest classification level and for all
compartments of information on the system.

The organization ensures that personnel performing maintenance and diagnostic activities on an
information system processing, storing, or transmitting classified information are U.S. citizens.

The organization ensures that:
(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to
conduct maintenance and diagnostic activities on classified information systems only when the
systems are jointly owned and operated by the United States and foreign allied governments, or
owned and operated solely by foreign allied governments; and
(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to
conduct maintenance and diagnostic activities on classified information systems are fully
documented within Memoranda of Agreements.

The organization ensures that non-escorted personnel performing maintenance activities not directly
associated with the information system but in the physical proximity of the system, have required
access authorizations.

The organization obtains maintenance support and/or spare parts for [Assignment: organization-
defined information system components] within [Assignment: organization-defined time period] of
failure.
The organization performs preventive maintenance on [Assignment: organization-defined
information system components] at [Assignment: organization-defined time intervals].

The organization performs predictive maintenance on [Assignment: organization-defined information
system components] at [Assignment: organization-defined time intervals].
Security Control Baseline
Rationale
Relationship

Low

Low

Withdrawn

High

Moderate
Moderate
Moderate
High
Not Selected
Low

Not Selected

Moderate

High

Not Selected

Not Selected
Not Selected
Not Selected
Low

High

Not Selected

Not Selected

Not Selected

Not Selected

Moderate

Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)

MA-1 The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

MA-2 No ICS Supplemental Guidance.

MA-2 (2) No ICS Supplemental Guidance.

MA-3 No ICS Supplemental Guidance.


MA-3 (1) No ICS Supplemental Guidance.
MA-3 (2) No ICS Supplemental Guidance.
MA-3 (3) No ICS Supplemental Guidance.
MA-4 No ICS Supplemental Guidance.

MA-4 (2) No ICS Supplemental Guidance.

MA-4 (3) In crisis or emergency situations, the organization may need immediate access to non-local maintenance and diagnostic services in order to restore essential ICS operations or services. Example compensating controls include limiting the extent of the maintenance and diagnostic services to the minimum essential activities, carefully monitoring and auditing the non-local maintenance and diagnostic activities.
MA-5 No ICS Supplemental Guidance.

MA-5 (1) No ICS Supplemental Guidance.

MA-6 No ICS Supplemental Guidance.


Group Identifier (optional)
Strength of Relationship (optional)
Comments (optional)
SP 800-53 Control
Number
(Focal Document Element)

MP-1

MP-2
MP-2 (1)
MP-2 (2)
MP-3
MP-4
MP-4 (1)
MP-4 (2)

MP-5

MP-5 (1)
MP-5 (2)
MP-5 (3)
MP-5 (4)

MP-6

MP-6 (1)
MP-6 (2)
MP-6 (3)
MP-6 (4)
MP-6 (5)
MP-6 (6)
MP-6 (7)
MP-6 (8)
MP-7
MP-7 (1)
MP-7 (2)

MP-8

MP-8 (1)
MP-8 (2)

MP-8 (3)

MP-8 (4)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated
media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency].

The organization restricts access to [Assignment: organization-defined types of digital and/or
non-digital media] to [Assignment: organization-defined personnel or roles].

[Withdrawn: Incorporated into MP-4 (2)].

[Withdrawn: Incorporated into SC-28 (1)].

The organization:
a. Marks information system media indicating the distribution limitations, handling caveats,
and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from
marking as long as the media remain within [Assignment: organization-defined controlled
areas].

The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital
and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using
approved equipment, techniques, and procedures.

[Withdrawn: Incorporated into SC-28 (1)].

The organization employs automated mechanisms to restrict access to media storage areas
and to audit access attempts and access granted.
The organization:
a. Protects and controls [Assignment: organization-defined types of information system
media] during transport outside of controlled areas using [Assignment: organization-defined
security safeguards];
b. Maintains accountability for information system media during transport outside of
controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to
authorized personnel.
[Withdrawn: Incorporated into MP-5].

[Withdrawn: Incorporated into MP-5].

The organization employs an identified custodian during transport of information system
media outside of controlled areas.

The information system implements cryptographic mechanisms to protect the confidentiality
and integrity of information stored on digital media during transport outside of controlled
areas.

The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal,
release out of organizational control, or release for reuse using [Assignment: organization-
defined sanitization techniques and procedures] in accordance with applicable federal and
organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the
security category or classification of the information.

The organization reviews, approves, tracks, documents, and verifies media sanitization and
disposal actions.

The organization tests sanitization equipment and procedures [Assignment: organization-
defined frequency] to verify that the intended sanitization is being achieved.

The organization applies nondestructive sanitization techniques to portable storage devices
prior to connecting such devices to the information system under the following
circumstances: [Assignment: organization-defined circumstances requiring sanitization of
portable storage devices].

[Withdrawn: Incorporated into MP-6].

[Withdrawn: Incorporated into MP-6].

[Withdrawn: Incorporated into MP-6].

The organization enforces dual authorization for the sanitization of [Assignment:
organization-defined information system media].

The organization provides the capability to purge/wipe information from [Assignment:
organization-defined information systems, system components, or devices] either remotely
or under the following conditions: [Assignment: organization-defined conditions].

The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined
types of information system media] on [Assignment: organization-defined information
systems or system components] using [Assignment: organization-defined security
safeguards].

The organization prohibits the use of portable storage devices in organizational information
systems when such devices have no identifiable owner.

The organization prohibits the use of sanitization-resistant media in organizational
information systems.

The organization:
a. Establishes [Assignment: organization-defined information system media downgrading
process] that includes employing downgrading mechanisms with [Assignment: organization-
defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with
the security category and/or classification level of the information to be removed and the
access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media requiring
downgrading]; and
d. Downgrades the identified information system media using the established process.
The organization documents information system media downgrading actions.
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency].

The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies.
Security Control Baseline
Rationale
Relationship

Low

Low
Withdrawn
Withdrawn
Moderate
Moderate
Withdrawn
Not Selected

Moderate

Withdrawn
Withdrawn
Not Selected
Moderate

Low

High
High
High
Withdrawn
Withdrawn
Withdrawn
Not Selected
Not Selected
Low
Moderate
Not Selected

Not Selected

Not Selected
Not Selected

Not Selected

Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)

MP-1 The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

MP-2 No ICS Supplemental Guidance.

MP-3 No ICS Supplemental Guidance.


MP-4 No ICS Supplemental Guidance.

MP-5 No ICS Supplemental Guidance.

MP-6 No ICS Supplemental Guidance.

MP-6 (1) No ICS Supplemental Guidance.


MP-6 (2) No ICS Supplemental Guidance.
MP-6 (3) No ICS Supplemental Guidance.
MP-7 No ICS Supplemental Guidance.
MP-7 (1) No ICS Supplemental Guidance.
Strength of Relationship (optional)
Comments (optional)
SP 800-53 Control
Number
(Focal Document
Element)
PE-1

PE-2

PE-2 (1)
PE-2 (2)
PE-2 (3)

PE-3

PE-3 (1)

PE-3 (2)

PE-3 (3)
PE-3 (4)

PE-3 (5)

PE-3 (6)
PE-4

PE-5

PE-5 (1)
PE-5 (2)
PE-5 (3)
PE-6
PE-6 (1)
PE-6 (2)
PE-6 (3)

PE-6 (4)

PE-7

PE-8
PE-8 (1)
PE-8 (2)
PE-9
PE-9 (1)
PE-9 (2)
PE-10
PE-10 (1)
PE-11
PE-11 (1)
PE-11 (2)
PE-12
PE-12 (1)
PE-13
PE-13 (1)

PE-13 (2)

PE-13 (3)

PE-13 (4)

PE-14
PE-14 (1)
PE-14 (2)
PE-15
PE-15 (1)
PE-16

PE-17

PE-18

PE-18 (1)

PE-19

PE-19 (1)

PE-20
SP 800-53 Control or Control Enhancement (Focal Document Element Description)
Security Control Baseline

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
Low

The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.
Low

The organization authorizes physical access to the facility where the information system resides based on position or role.
Not Selected
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
Not Selected
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
Not Selected
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Low

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
High

The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
Not Selected
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
Not Selected
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
Not Selected
The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.
Not Selected
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
Not Selected
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
Moderate

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Moderate
The organization:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Ensures that only authorized individuals receive output from the device.
Not Selected
The information system:
(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
(b) Links individual identity to receipt of the output from the device.
Not Selected
The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.
Not Selected
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability.
Low
The organization monitors physical intrusion alarms and surveillance equipment.
Moderate
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
Not Selected
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].
Not Selected

The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].
High

[Withdrawn: Incorporated into PE-2 and PE-3]. Withdrawn


The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Low
The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
High
[Withdrawn: Incorporated into PE-2]. Withdrawn
The organization protects power equipment and power cabling for the information system from damage and destruction.
Moderate
The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
Not Selected
The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].
Not Selected
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Moderate
[Withdrawn: Incorporated into PE-10].
Withdrawn
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
Moderate
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
High
The organization provides a long-term alternate power supply for the information system that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
Not Selected
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Low
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
Not Selected
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Low
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
High
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
High
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
Moderate
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period].
Not Selected
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Low
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
Not Selected
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
Not Selected
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Low
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].
High
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
Low
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Moderate

The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
High

The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
Not Selected

The organization protects the information system from information leakage due to electromagnetic signals emanations.
Not Selected
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
Not Selected

Not Selected
Reference Document Element
Rationale
Relationship

PE-1

PE-2

PE-3

PE-3 (1)
PE-4

PE-5

PE-6
PE-6 (1)

PE-6 (4)

PE-8
PE-8 (1)

PE-9
PE-9 (1)

PE-10

PE-11
PE-11 (1)
PE-11 (2)
PE-12
PE-13
PE-13 (1)

PE-13 (2)

PE-13 (3)

PE-14

PE-15
PE-15 (1)
PE-16

PE-17

PE-18
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)

The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems. The ICS components can be distributed over a large facility footprint or geographic area and can be an entry point into the entire organizational network ICS. Regulatory controls may also apply.
No ICS Supplemental Guidance.

The organization considers ICS safety and security interdependencies. The organization considers access requirements in emergency situations. During an emergency-related event, the organization may restrict access to ICS facilities and assets to authorized individuals only. ICS are often constructed of devices that either do not have or cannot use comprehensive access control capabilities due to time-restrictive safety constraints. Physical access controls and defense-in-depth measures are used by the organization when necessary and possible to supplement ICS security when electronic mechanisms are unable to fulfill the security requirements of the organization's security plan. Primary nodes, distribution closets, and mechanical/electrical rooms should be locked and require key or electronic access control and incorporate intrusion detection sensors.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.

No ICS Supplemental Guidance.
Physical access controls and defense-in-depth measures are used as compensating controls by the organization when necessary and possible to supplement ICS security when electronic mechanisms are unable to monitor, detect and alarm when an ICS has been accessed. These compensating controls are in addition to the PE-6 controls (e.g., employing PE-3(4) Lockable Casings and/or PE-3(5) Tamper Protection).
No ICS Supplemental Guidance.

The locations of ICS components (e.g., field devices, remote terminal units) can include various remote locations (e.g., substations, pumping stations).

Emergency power production, transmission and distribution systems are a type of ICS that are required to meet extremely high performance specifications. The systems are governed by international, national, state and local building codes, must be tested on a continual basis, and must be repaired and placed back into operations within a short period of time. Traditionally, emergency power has been provided by generators for short to mid-term power (typically for fire and life safety systems, some IT load, and evacuation transport) and UPS battery packs in distribution closets and within work areas to allow some level of business continuity and for the orderly shutdown of non-essential IT and facility systems. Traditional emergency power systems typically are offline until a loss of power occurs and are typically on a separate network and control system specific to the facility they support. New methods of energy generation and storage (e.g., solar voltaic, geothermal, flywheel, microgrid, distributed energy) that have a real-time demand and storage connection to local utilities or cross connected to multiple
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
It may not be possible or advisable to shutoff power to some ICS. Example compensating controls include fail in known state and emergency procedures.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
Fire suppression mechanisms should take the ICS environment into account (e.g., water sprinkler systems could be hazardous in specific environments).
No ICS Supplemental Guidance.

No ICS Supplemental Guidance.


No ICS Supplemental Guidance.
Temperature and humidity controls are typically components of other ICS systems such as the HVAC, lighting systems, or can be a standalone and unique ICS system. ICS can operate in extreme environments and both interior and exterior locations. For specific ICS, the temperature and humidity design and operational parameters dictate the performance specifications. As ICS and IS become interconnected and the network provides connectivity across the hybrid domain, power circuits, distribution closets, routers and switches that support fire protection and life safety systems must be maintained at the proper temperature and humidity.
Water damage protection and use of shutoff and isolation valves is both a process, procedural action, and also a specific type of ICS. ICS that are used in the manufacturing, hydropower, transportation/navigation, water and wastewater industries rely on the movement of water and are specifically designed to manage the quantity/flow and pressure of water. As ICS and IS become interconnected and the network provides connectivity across the hybrid domain, power circuits, distribution closets, routers and switches that support fire protection and life safety systems should ensure that water will not disable the system (e.g. a fire that activates the sprinkler system does not spray onto the fire control servers, router, switches and short out the alarms, egress systems, emergency lighting, and suppression systems).
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
Strength of Relationship (optional)
Comments (optional)
PE-6 (4) has been added as a MODERATE baseline control enhancement

Rationale for adding PE-6 (4) to moderate baseline: Many of the ICS components are in remote geographical and dispersed locations with little capability to monitor all ICS components. Other components may be in ceilings, floors, or distribution closets with minimal physical barriers to detect, delay or deny access to the devices and no electronic surveillance or guard forces response capability.

PE-9 (1) has been added as a MODERATE baseline control enhancement

Rationale for adding PE-9 (1) to moderate baseline: Continuity of ICS control and operation requires redundant power cabling.

PE-11 has been added as a LOW baseline control

Rationale for adding PE-11 to all baselines: ICS may support critical activities which will be needed for safety and reliability even in the absence of reliable power from the public grid.

PE-11 (1) has been added as a LOW baseline control enhancement

Rationale for adding PE-11 (1) to all baselines: ICS may support critical activities which will be needed for safety and reliability even in the absence of reliable power from the public grid.

PE-11 (2) has been added as a HIGH baseline control enhancement

Rationale for adding PE-11 (2) to high baseline: ICS may support critical activities which will be needed for safety and reliability even in the absence of reliable power from the public grid.
SP 800-53 Control
Number
(Focal Document
Element)

PL-1

PL-2

PL-2 (1)
PL-2 (2)
PL-2 (3)
PL-3

PL-4
PL-4 (1)
PL-5
PL-6

PL-7

PL-8

PL-8 (1)

PL-8 (2)

PL-9
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated
security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].

The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business
processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or
connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a
rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan
implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to
[Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined
frequency];
d. Updates the plan to address changes to the information system/environment of operation or
problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.

[Withdrawn: Incorporated into PL-7].


[Withdrawn: Incorporated into PL-8].
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
[Withdrawn: Incorporated into PL-2].
The organization:
a. Establishes and makes readily available to individuals requiring access to the information
system, the rules that describe their responsibilities and expected behavior with regard to
information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read,
understand, and agree to abide by the rules of behavior, before authorizing access to information
and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-
sign when the rules of behavior are revised/updated.
The organization includes in the rules of behavior, explicit restrictions on the use of social
media/networking sites and posting organizational information on public websites.
[Withdrawn: Incorporated into Appendix J, AR-2].
[Withdrawn: Incorporated into PL-2].

The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a
minimum, how the organization intends to operate the system from the perspective of
information security; and
b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].

The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to
protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the
enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined
frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security
plan, the security Concept of Operations (CONOPS), and organizational
procurements/acquisitions.

The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-
defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually
reinforcing manner.

The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
Security Control Baseline
Rationale
Relationship

Low

Low

Withdrawn
Withdrawn
Moderate
Withdrawn

Low
Moderate
Withdrawn
Withdrawn

Not Selected

Moderate

Not Selected

Not Selected

Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)

PL-1 The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

PL-2 No ICS Supplemental Guidance.

PL-2 (3) No ICS Supplemental Guidance.

PL-4 No ICS Supplemental Guidance.


PL-4 (1) No ICS Supplemental Guidance.

PL-7 No ICS Supplemental Guidance.

PL-8 No ICS Supplemental Guidance.


Group Identifier (optional)
Strength of Relationship (optional)
Comments (optional)

PL-2 (3) has been added as a LOW baseline control enhancement

Rationale for adding PL-2 (3) to low baseline: When systems are highly inter-connected, coordinated planning is essential. A low impact system could adversely affect a higher impact system.

PL-7 has been added as a MODERATE baseline control

Rationale for adding PL-7 to moderate baseline: ICS are complex systems. Organizations typically employ a CONOPS to help define a system and share that understanding with personnel involved with that system and other systems with which it interacts. A CONOPS often helps identify information protection requirements.
SP 800-53 Control
Number
(Focal Document
Element)

PS-1

PS-2
PS-3
PS-3 (1)
PS-3 (2)
PS-3 (3)

PS-4

PS-4 (1)
PS-4 (2)

PS-5

PS-6
PS-6 (1)
PS-6 (2)

PS-6 (3)

PS-7

PS-8
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated
personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency].

The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].

The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria].
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined
information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by
terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-
defined time period].
The organization:
(a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.

The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into PS-3].
The organization ensures that access to classified information requiring special protection is granted
only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have
The read, understood, and signed a nondisclosure agreement.
organization:
(a) Notifies individuals of applicable, legally binding post-employment requirements for protection of
organizational information; and
(b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of
granting initial access to covered information.
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-
party providers;
b. Requires third-party providers to comply with personnel security policies and procedures
established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of
any personnel transfers or terminations of third-party personnel who possess organizational
credentials and/or badges, or who have information system privileges within [Assignment:
organization-defined time period]; and
e. Monitors provider compliance.
Focal Document Element | Security Control Baseline | Reference Document Element | Reference Document Element Description
(The Rationale, Relationship, Fulfilled By (Y/N), Group Identifier (optional), Strength of Relationship (optional) and Comments (optional) columns are empty for every row in this block.)
PS-1 | Low | PS-1 | The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
PS-2 | Low | PS-2 | No ICS Supplemental Guidance.
PS-3 | Low | PS-3 | No ICS Supplemental Guidance.
PS-3 (1) | Not Selected | |
PS-3 (2) | Not Selected | |
PS-3 (3) | Not Selected | |
PS-4 | Low | PS-4 | No ICS Supplemental Guidance.
PS-4 (1) | Not Selected | |
PS-4 (2) | High | PS-4 (2) | No ICS Supplemental Guidance.
PS-5 | Low | PS-5 | No ICS Supplemental Guidance.
PS-6 | Low | PS-6 | No ICS Supplemental Guidance.
PS-6 (1) | Withdrawn | |
PS-6 (2) | Not Selected | |
PS-6 (3) | Not Selected | |
PS-7 | Low | PS-7 | No ICS Supplemental Guidance.
PS-8 | Low | PS-8 | No ICS Supplemental Guidance.
SP 800-53 Control Number (Focal Document Element) / SP 800-53 Control or Control Enhancement (Focal Document Element Description)

RA-1
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].

RA-2
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

RA-3
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-4
[Withdrawn: Incorporated into RA-3].

RA-5
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 (1)
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

RA-5 (2)
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

RA-5 (3)
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

RA-5 (4)
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].

RA-5 (5)
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].

RA-5 (6)
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

RA-5 (7)
[Withdrawn: Incorporated into CM-8].

RA-5 (8)
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

RA-5 (9)
[Withdrawn: Incorporated into CA-8].

RA-5 (10)
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

RA-6

Focal Document Element | Security Control Baseline | Reference Document Element | Reference Document Element Description
(The Rationale, Relationship, Fulfilled By (Y/N), Group Identifier (optional), Strength of Relationship (optional) and Comments (optional) columns are empty for every row in this block.)
RA-1 | Low | RA-1 | The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
RA-2 | Low | RA-2 | No ICS Supplemental Guidance.
RA-3 | Low | RA-3 | No ICS Supplemental Guidance.
RA-4 | Withdrawn | |
RA-5 | Low | RA-5 | Active vulnerability scanning, which introduces network traffic, is used with care on ICS systems to ensure that ICS functions are not adversely impacted by the scanning process. The organization makes a risk-based determination whether to employ active scanning. Passive monitoring/sniffing may be used as part of a compensating control. Example compensating controls include providing a replicated, virtualized, or simulated system to conduct scanning. Production ICS may need to be taken off-line before scanning can be conducted. If ICS are taken off-line for scanning, scans are scheduled to occur during planned ICS outages whenever possible. If vulnerability scanning tools are used on non-ICS networks, extra care is taken to ensure that they do not scan the ICS network. Network scanning is not applicable to non-addressable communications. Vulnerability examination may be performed using other mechanisms than scanning to identify the objects being examined. Host-based vulnerability examination is an example compensating control.
RA-5 (1) | Moderate | RA-5 (1) | No ICS Supplemental Guidance.
RA-5 (2) | Moderate | RA-5 (2) | No ICS Supplemental Guidance.
RA-5 (3) | Not Selected | |
RA-5 (4) | High | RA-5 (4) | No ICS Supplemental Guidance.
RA-5 (5) | Moderate | RA-5 (5) | No ICS Supplemental Guidance.
RA-5 (6) | Not Selected | |
RA-5 (7) | Withdrawn | |
RA-5 (8) | Not Selected | |
RA-5 (9) | Withdrawn | |
RA-5 (10) | Not Selected | |
RA-6 | Not Selected | |
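The RA-5 ICS guidance makes two operational demands on a scanner: a scanner pointed at non-ICS networks must not reach the ICS network, and active scanning of production ICS happens only inside a planned outage. The following pre-flight check is an added example and is not code from SP 800-82 or SP 800-53; the ICS address ranges, the target list and the outage window are constructed placeholders, and in practice the ranges would come from the authoritative ICS asset inventory rather than the scanner's own configuration.

```python
"""Pre-flight guard for a vulnerability scan job (added example, not from
SP 800-82 / SP 800-53). Holds back any target that touches the ICS
address space unless the scan starts inside a planned outage window, and
treats unparseable targets as deny rather than allow.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed ICS address space (hypothetical placeholder values).
ICS_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),      # plant control network
    ipaddress.ip_network("192.168.100.0/24"),  # safety-system segment
]


def plan_scan(targets, scan_start, outage_windows=(), ics_ranges=ICS_RANGES):
    """Partition scanner targets (hosts or CIDRs) before the scan launches.

    Returns a dict with three lists of the original target strings:
      scan         - non-ICS targets, plus ICS targets when scan_start lies
                     inside one of the planned outage windows
      ics_deferred - ICS targets outside any outage window (not scanned)
      rejected     - targets that do not parse; refused, not silently allowed
    A target counts as ICS if ANY address in it falls inside an ICS range,
    so a broad CIDR that merely overlaps an ICS segment is held back too.
    """
    in_outage = any(start <= scan_start < end for start, end in outage_windows)
    report = {"scan": [], "ics_deferred": [], "rejected": []}
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            report["rejected"].append(target)
            continue
        touches_ics = any(net.overlaps(r) for r in ics_ranges)
        if touches_ics and not in_outage:
            report["ics_deferred"].append(target)
        else:
            report["scan"].append(target)
    return report


# Constructed inputs: a corporate /24, one explicit PLC address, a /8 that
# swallows the whole plant network, and a typo that must not be scanned.
SAMPLE_TARGETS = ["10.50.1.0/24", "10.20.3.7", "10.0.0.0/8", "10.20.3.999"]
OUTAGE = (datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc),
          datetime(2024, 6, 2, 4, 0, tzinfo=timezone.utc))
BUSINESS_HOURS = datetime(2024, 6, 1, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(plan_scan(SAMPLE_TARGETS, BUSINESS_HOURS, [OUTAGE]))
    print(plan_scan(SAMPLE_TARGETS, OUTAGE[0], [OUTAGE]))
```

Feeding the scanner only the `scan` list (and refusing to launch at all if `rejected` is non-empty) is what turns the "extra care" in the guidance into something enforceable; the `ics_deferred` list is the input to the outage-window scheduling the guidance asks for.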
SP 800-53 Control Number (Focal Document Element) / SP 800-53 Control or Control Enhancement (Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined
personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational
entities, and compliance; and
SA-1 2. Procedures to facilitate the implementation of the system and services
acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined
frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined
frequency].
The organization:
a. Determines information security requirements for the information system or
information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the
SA-2
information system or information system service as part of its capital planning and
investment control process; and
c. Establishes a discrete line item for information security in organizational
programming and budgeting documentation.

The organization:
a. Manages the information system using [Assignment: organization-defined system
development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities
SA-3
throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into
system development life cycle activities.

The organization includes the following requirements, descriptions, and criteria,
explicitly or by reference, in the acquisition contract for the information system,
system component, or information system service in accordance with applicable
federal laws, Executive Orders, directives, policies, regulations, standards,
guidelines, and organizational mission/business needs:
a. Security functional requirements;
SA-4 b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and
environment in which the system is intended to operate; and
g. Acceptance criteria.
The organization requires the developer of the information system, system
SA-4 (1) component, or information system service to provide a description of the functional
properties of the security controls to be employed.
SA-4 (2)
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
SA-4 (3)
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].
SA-4 (4)
[Withdrawn: Incorporated into CM-8 (9)].

The organization requires the developer of the information system, system
component, or information system service to:
(a) Deliver the system, component, or service with [Assignment: organization-
SA-4 (5)
defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or
service reinstallation or upgrade.

SA-4 (6)
The organization:
(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-4 (7)
The organization:
(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
SA-4 (8)
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
SA-4 (9)
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
SA-4 (10)
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
SA-5
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-5 (1) [Withdrawn: Incorporated into SA-4 (1)].
SA-5 (2) [Withdrawn: Incorporated into SA-4 (2)].
SA-5 (3) [Withdrawn: Incorporated into SA-4 (2)].
SA-5 (4) [Withdrawn: Incorporated into SA-4 (2)].
SA-5 (5) [Withdrawn: Incorporated into SA-4 (2)].
SA-6
[Withdrawn: Incorporated into CM-10 and SI-7].
SA-7
[Withdrawn: Incorporated into CM-11 and SI-7].
SA-8
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-9
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
SA-9 (1)
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9 (2)
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
SA-9 (3)
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9 (4)
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
SA-9 (5)
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
The organization requires the developer of the information system, system
component, or information system service to:
a. Perform configuration management during system, component, or service
[Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment:
organization-defined configuration items under configuration management];
SA-10
c. Implement only organization-approved changes to the system, component, or
service;
d. Document approved changes to the system, component, or service and the
potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service
and report findings to [Assignment: organization-defined personnel].
SA-10 (1)
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
SA-10 (2)
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10 (3)
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
SA-10 (4)
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
SA-10 (5)
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10 (6)
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
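SA-10 (1) and SA-10 (6) together ask for a receiving-side procedure that confirms a delivered software/firmware update is exactly what the master copies specify. The check below is an added example and not code from SP 800-53 or SP 800-82: the file names, file contents and manifest are constructed, and a real manifest would be produced by the developer from the master build data (SA-10 (5)) and delivered over a channel independent of the update itself, so a tampered update cannot ship its own matching manifest.

```python
"""Verify a distributed update set against a master manifest (added
example, not from SP 800-53 / SP 800-82). Accepts the delivery only if
every listed file is present with the expected digest and nothing that is
not in the manifest was delivered.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed master copies (hypothetical) and the manifest derived from them.
MASTER_FILES = {
    "plc_firmware_v2.bin": b"\x7fFW\x00 constructed firmware image v2",
    "hmi_update_v2.pkg": b"constructed HMI update package v2",
}
MASTER_MANIFEST = {name: sha256_hex(data) for name, data in MASTER_FILES.items()}


def verify_update(received: dict, manifest: dict) -> dict:
    """Compare received files (name -> bytes) with manifest (name -> hex digest).

    Reports three kinds of deviation from the master copies:
      modified   - listed file present but digest differs
      missing    - listed file not delivered
      unexpected - delivered file the manifest never mentions
    An extra file is a deviation just as a changed one is, so 'accepted'
    is True only when all three lists are empty. hmac.compare_digest keeps
    the digest comparison constant-time.
    """
    modified = sorted(
        name for name, data in received.items()
        if name in manifest
        and not hmac.compare_digest(sha256_hex(data), manifest[name])
    )
    missing = sorted(name for name in manifest if name not in received)
    unexpected = sorted(name for name in received if name not in manifest)
    return {
        "accepted": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


# Constructed delivery: one tampered image plus an extra, unlisted file.
TAMPERED_DELIVERY = {
    "plc_firmware_v2.bin": b"\x7fFW\x00 constructed firmware image v2 + implant",
    "hmi_update_v2.pkg": MASTER_FILES["hmi_update_v2.pkg"],
    "README.txt": b"not in the manifest",
}

if __name__ == "__main__":
    print(verify_update(dict(MASTER_FILES), MASTER_MANIFEST))
    print(verify_update(TAMPERED_DELIVERY, MASTER_MANIFEST))
```

Hash comparison only proves equality with whatever manifest you trust; if the manifest travels inside the same archive as the update, SA-10 (6) is not met, because whoever altered the update could regenerate the manifest. Signing the manifest with a developer key held apart from the distribution path is the usual way to close that gap.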
The organization requires the developer of the information system, system
component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression]
SA-11 testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the
results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
SA-11 (1)
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11 (2)
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
The organization:
(a) Requires an independent agent satisfying [Assignment: organization-defined
independence criteria] to verify the correct implementation of the developer
security assessment plan and the evidence produced during security
SA-11 (3)
testing/evaluation; and
(b) Ensures that the independent agent is either provided with sufficient
information to complete the verification process or granted the authority to obtain
such information.
SA-11 (4)
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
SA-11 (5)
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints].
SA-11 (6)
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11 (7)
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
SA-11 (8)
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-12
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SA-12 (1)
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (2)
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12 (3)
[Withdrawn: Incorporated into SA-12 (1)].
SA-12 (4)
[Withdrawn: Incorporated into SA-12 (13)].
SA-12 (5)
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
SA-12 (6)
[Withdrawn: Incorporated into SA-12 (1)].
SA-12 (7)
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12 (8)
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
SA-12 (9)
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12 (10)
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
SA-12 (11)
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.
SA-12 (12)
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12 (13)
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
The organization establishes and retains unique identification of [Assignment:
SA-12 (14) organization-defined supply chain elements, processes, and actors] for the
information system, system component, or information system service.
The organization establishes a process to address weaknesses or deficiencies in
SA-12 (15) supply chain elements identified during independent or organizational assessments
of such elements.
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined
information system, information system component, or information system service]
SA-13
supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve
such trustworthiness.
The organization identifies critical information system components and functions by
performing a criticality analysis for [Assignment: organization-defined information
SA-14 systems, information system components, or information system services] at
[Assignment: organization-defined decision points in the system development life
cycle].
SA-14 (1) [Withdrawn: Incorporated into SA-20].

The organization:
a. Requires the developer of the information system, system component, or
information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the
SA-15 development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or
tools used in development; and
b. Reviews the development process, standards, tools, and tool
options/configurations [Assignment: organization-defined frequency] to determine
if the process, standards, tools, and tool options/configurations selected and
employed can satisfy [Assignment: organization-defined security requirements].

SA-15 (1)
The organization requires the developer of the information system, system component, or information system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
SA-15 (2)
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
SA-15 (3)
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
SA-15 (4)
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known threats, and acceptable risk levels];
(b) Employs [Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria].
SA-15 (5)
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15 (6)
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
The organization requires the developer of the information system, system
component, or information system service to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-
defined tools];
SA-15 (7)
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment:
organization-defined
The organization requirespersonnel or roles].of the information system, system
the developer
component, or information system service to use threat modeling and vulnerability
SA-15 (8) The organization approves, documents, and controls thetouse of live data in
analyses from similar systems, components, or services inform the current
SA-15 (9) development
development and test environments for the information system, system
process.
The organization
component, requires the
or information developer
system of the information system, system
service.
SA-15 (10)
component, or information system service to provide an incident response plan.
The organization requires the developer of the information system or system
SA-15 (11) component to archive the system or component to be released or delivered
together with therequires
The organization corresponding evidence
the developer ofsupporting the final
the information security
system, review.
system
component, or information system service to provide [Assignment: organization-
SA-16
defined training] on the correct use and operation of the implemented security
The organization
functions, requires
controls, and/orthe developer of the information system, system
mechanisms.
component, or information system service to produce a design specification and
security architecture that:
a. Is consistent with and supportive of the organization's security architecture which
is established within and is an integrated part of the organization's enterprise
SA-17 architecture;
b. Accurately and completely describes the required security functionality, and the
allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work
together to provide required security capabilities and a unified approach to
protection.
The organization requires the developer of the information system, system
component, or information system service to:
(a) Produce, as an integral part of the development process, a formal policy model
describing the [Assignment: organization-defined elements of organizational
SA-17 (1)
security policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to
enforce the defined elements of the organizational security policy when
implemented.
The organization requires the developer of the information system, system
component, or information system service to:
SA-17 (2) (a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software,
and firmware is complete.
The organization requires the developer of the information system, system
component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level
specification that specifies the interfaces to security-relevant hardware, software,
and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as
necessary, that the formal top-level specification is consistent with the formal
policy model;
SA-17 (3)
(c) Show via informal demonstration, that the formal top-level specification
completely covers the interfaces to security-relevant hardware, software, and
firmware;
(d) Show that the formal top-level specification is an accurate description of the
implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms
not addressed in the formal top-level specification but strictly internal to the
security-relevant hardware, software, and firmware.
The organization requires the developer of the information system, system
component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive
top-level specification that specifies the interfaces to security-relevant hardware,
software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration, convincing argument with formal
methods as feasible] that the descriptive top-level specification is consistent with
the formal policy model;
SA-17 (4)
(c) Show via informal demonstration, that the descriptive top-level specification
completely covers the interfaces to security-relevant hardware, software, and
firmware;
(d) Show that the descriptive top-level specification is an accurate description of the
interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms
not addressed in the descriptive top-level specification but strictly internal to the
security-relevant hardware, software, and firmware.
The organization requires the developer of the information system, system
component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to
SA-17 (5) use a complete, conceptually simple protection mechanism with precisely defined
semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with
specific regard for this mechanism.
The organization requires the developer of the information system, system
SA-17 (6) component, or information system service to structure security-relevant hardware,
software, and firmware to facilitate testing.
The organization requires the developer of the information system, system
SA-17 (7) component, or information system service to structure security-relevant hardware,
software, and firmware to facilitate controlling access with least privilege.
SA-18
The organization implements a tamper protection program for the information system, system component, or information system service.

SA-18 (1)
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.

SA-18 (2)
The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering.

SA-19
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

SA-19 (1)
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).

SA-19 (2)
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.

SA-19 (3)
The organization disposes of information system components using [Assignment: organization-defined techniques and methods].

SA-19 (4)
The organization scans for counterfeit information system components [Assignment: organization-defined frequency].
SA-20
The organization re-implements or custom develops [Assignment: organization-defined critical information system components].

SA-21
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria].

SA-21 (1)
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.

SA-22
The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

SA-22 (1)
Security Control Baseline | Rationale | Relationship

SA-1 | Low
SA-2 | Low
SA-3 | Low
SA-4 | Low
SA-4 (1) | Moderate
SA-4 (2) | Moderate
SA-4 (3) | Not Selected
SA-4 (4) | Withdrawn
SA-4 (5) | Not Selected
SA-4 (6) | Not Selected
SA-4 (7) | Not Selected
SA-4 (8) | Not Selected
SA-4 (9) | Moderate
SA-4 (10) | Low
SA-5 | Low
SA-5 (1) through SA-5 (5) | Withdrawn
SA-6 | Withdrawn
SA-7 | Withdrawn
SA-8 | Moderate
SA-9 | Low
SA-9 (1) | Not Selected
SA-9 (2) | Moderate
SA-9 (3) through SA-9 (5) | Not Selected
SA-10 | Moderate
SA-10 (1) through SA-10 (6) | Not Selected
SA-11 | Moderate
SA-11 (1) through SA-11 (8) | Not Selected
SA-12 | High
SA-12 (1) | Not Selected
SA-12 (2) | Not Selected
SA-12 (3) | Withdrawn
SA-12 (4) | Withdrawn
SA-12 (5) | Not Selected
SA-12 (6) | Withdrawn
SA-12 (7) through SA-12 (15) | Not Selected
SA-13 | Not Selected
SA-14 | Not Selected
SA-14 (1) | Withdrawn
SA-15 | High
SA-15 (1) through SA-15 (11) | Not Selected
SA-16 | High
SA-17 | High
SA-17 (1) through SA-17 (7) | Not Selected
SA-18, SA-18 (1), SA-18 (2) | Not Selected
SA-19, SA-19 (1) through SA-19 (4) | Not Selected
SA-20 | Not Selected
SA-21 | Not Selected
SA-21 (1) | Not Selected
SA-22 | Not Selected
SA-22 (1) | Not Selected
Reference Document Element | Reference Document Element Description | Fulfilled By (Y/N)

SA-1: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
SA-2: No ICS Supplemental Guidance.
SA-3: No ICS Supplemental Guidance.
SA-4: Since ICS security has historically focused on physical protection and isolation, vendors an
SA-4 (1): Developers may not have access to required information.
SA-4 (2): Developers may not have access to required information.
SA-4 (9): Developers may not have access to required information.
SA-4 (10): Example compensating controls include employing external products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability in conjunction with ICS products.
SA-5: No ICS Supplemental Guidance.
SA-8: No ICS Supplemental Guidance.
SA-9: No ICS Supplemental Guidance.
SA-9 (2): No ICS Supplemental Guidance.
SA-10: No ICS Supplemental Guidance.
SA-11: No ICS Supplemental Guidance.
SA-12: No ICS Supplemental Guidance.
SA-15: No ICS Supplemental Guidance.
SA-16: No ICS Supplemental Guidance.
SA-17: No ICS Supplemental Guidance.
Group Identifier (optional) | Strength of Relationship (optional) | Comments (optional)
SP 800-53 Control Number (Focal Document Element)

SC-1
SC-2, SC-2 (1)
SC-3, SC-3 (1), SC-3 (2), SC-3 (3), SC-3 (4), SC-3 (5)
SC-4, SC-4 (1), SC-4 (2)
SC-5, SC-5 (1), SC-5 (2), SC-5 (3)
SC-6
SC-7, SC-7 (1) through SC-7 (23)
SC-8, SC-8 (1), SC-8 (2), SC-8 (3), SC-8 (4)
SC-9
SC-10
SC-11, SC-11 (1)
SC-12, SC-12 (1), SC-12 (2), SC-12 (3), SC-12 (4), SC-12 (5)
SC-13, SC-13 (1), SC-13 (2), SC-13 (3), SC-13 (4)
SC-14
SC-15, SC-15 (1), SC-15 (2), SC-15 (3), SC-15 (4)
SC-16, SC-16 (1)
SC-17
SC-18, SC-18 (1), SC-18 (2), SC-18 (3), SC-18 (4), SC-18 (5)
SC-19
SC-20, SC-20 (1), SC-20 (2)
SC-21, SC-21 (1)
SC-22
SC-23, SC-23 (1), SC-23 (2), SC-23 (3), SC-23 (4), SC-23 (5)
SC-24
SC-25
SC-26, SC-26 (1)
SC-27
SC-28, SC-28 (1), SC-28 (2)
SC-29, SC-29 (1)
SC-30, SC-30 (1), SC-30 (2), SC-30 (3), SC-30 (4), SC-30 (5)
SC-31, SC-31 (1), SC-31 (2), SC-31 (3)
SC-32
SC-33
SC-34, SC-34 (1), SC-34 (2), SC-34 (3)
SC-35
SC-36, SC-36 (1)
SC-37, SC-37 (1)
SC-38
SC-39, SC-39 (1), SC-39 (2)
SC-40, SC-40 (1), SC-40 (2), SC-40 (3), SC-40 (4)
SC-41
SC-42, SC-42 (1), SC-42 (2), SC-42 (3)
SC-43
SC-44
SP 800-53 Control or Control Enhancement (Focal Document Element Description)

SC-1
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].

SC-2
The information system separates user functionality (including user interface services) from information system management functionality.

SC-2 (1)
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.

SC-3
The information system isolates security functions from nonsecurity functions.

SC-3 (1)
The information system utilizes underlying hardware separation mechanisms to implement security function isolation.

SC-3 (2)
The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

SC-3 (3)
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.

SC-3 (4)
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.

SC-3 (5)
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

SC-4
The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-4 (1)
[Withdrawn: Incorporated into SC-4].

SC-4 (2)
The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.

SC-5
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].

SC-5 (1)
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.

SC-5 (2)
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.

SC-5 (3)
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.

SC-6
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].

SC-7
The organization:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7 (1)
[Withdrawn: Incorporated into SC-7].

SC-7 (2)
[Withdrawn: Incorporated into SC-7].

SC-7 (3)
The organization limits the number of external network connections to the information system.

SC-7 (4)
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.

SC-7 (5)
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
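The following is an added example, not text or code from SP 800-82 or SP 800-53, of how the deny-all, permit-by-exception posture of SC-7 (5) and the documented, time-bounded exceptions of SC-7 (4)(d) fit together at a managed interface. Every permit rule carries the mission need and the date its approval ends, so the periodic review in SC-7 (4)(e) is a query over the same data. The addresses, rules, flows and the `decide` function are constructed for illustration and are not a NIST-specified format.

```python
"""Deny-all, permit-by-exception check for a managed interface (SC-7 (5)).

Added example; not taken from SP 800-82 or SP 800-53. Every exception records the
mission/business need and the duration of that need (SC-7 (4)(d)) so the review in
SC-7 (4)(e) can drop exceptions that are no longer supported. All addresses, rules
and flows below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the default-deny traffic flow policy."""
    src_net: str
    dst_net: str
    proto: str
    dport: int
    need: str      # supporting mission/business need, SC-7 (4)(d)
    expires: date  # end of the period for which that need was approved

    def matches(self, flow: Flow, today: date) -> bool:
        return (
            today <= self.expires
            and self.proto == flow.proto
            and self.dport == flow.dport
            and ip_address(flow.src) in ip_network(self.src_net)
            and ip_address(flow.dst) in ip_network(self.dst_net)
        )


def decide(flow: Flow, exceptions, today: date):
    """("permit", need) for the first unexpired matching exception, else ("deny", None).

    There is no permit-by-default path: a lapsed exception is treated exactly like
    a missing one, so a flow that was once approved is denied until re-approved.
    """
    for rule in exceptions:
        if rule.matches(flow, today):
            return "permit", rule.need
    return "deny", None


def lapsed_needs(exceptions=None, today=date(2024, 6, 1)):
    """Needs whose approved period has ended; SC-7 (4)(e) says remove those exceptions."""
    rules = EXCEPTIONS if exceptions is None else exceptions
    return [rule.need for rule in rules if rule.expires < today]


# Constructed sample policy for a control-network boundary (hypothetical addresses).
EXCEPTIONS = (
    FlowException("10.10.1.0/24", "10.20.0.0/16", "tcp", 443,
                  "historian replication to the enterprise reporting server", date(2024, 12, 31)),
    FlowException("10.10.2.0/24", "10.10.3.0/24", "tcp", 502,
                  "engineering workstations programming PLCs over Modbus/TCP", date(2024, 12, 31)),
    FlowException("198.51.100.0/24", "10.10.3.0/24", "tcp", 502,
                  "vendor commissioning access", date(2024, 3, 31)),  # approval has lapsed
)

# Constructed sample flows seen at the managed interface.
SAMPLE_FLOWS = (
    Flow("10.10.1.7", "10.20.5.10", "tcp", 443),     # historian -> enterprise: permitted
    Flow("10.10.2.15", "10.10.3.21", "tcp", 502),    # engineering -> PLC: permitted
    Flow("203.0.113.9", "10.10.3.21", "tcp", 502),   # unknown source -> PLC: no exception
    Flow("198.51.100.4", "10.10.3.21", "tcp", 502),  # vendor -> PLC: exception has lapsed
)


def evaluate(flows=SAMPLE_FLOWS, exceptions=EXCEPTIONS, today=date(2024, 6, 1)):
    """Verdict for each flow, in order."""
    return [decide(flow, exceptions, today)[0] for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {verdict}")
    for need in lapsed_needs():
        print("review: remove lapsed exception for", need)
```

The lapsed vendor rule is the case worth noticing: a permit-by-default firewall would keep carrying that traffic until someone remembered to delete the rule, whereas here the end of the documented need is itself the thing that closes the path.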
SC-7 (6)
[Withdrawn: Incorporated into SC-7 (18)].

SC-7 (7)
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

SC-7 (8)
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

SC-7 (9)
The information system:
(a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
(b) Audits the identity of internal users associated with denied communications.

SC-7 (10)
The organization prevents the unauthorized exfiltration of information across managed interfaces.

SC-7 (11)
The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].

SC-7 (12)
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].

SC-7 (13)
The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

SC-7 (14)
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].

SC-7 (15)
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

SC-7 (16)
The information system prevents discovery of specific system components composing a managed interface.

SC-7 (17)
The information system enforces adherence to protocol formats.

SC-7 (18)
The information system fails securely in the event of an operational failure of a boundary protection device.

SC-7 (19)
The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.

SC-7 (20)
The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.

SC-7 (21)
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].

SC-7 (22)
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.

SC-7 (23)
The information system disables feedback to senders on protocol format validation failure.
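An added example, not from SP 800-82 or SP 800-53, of SC-7 (17) and SC-7 (23) applied to the protocol most ICS boundaries actually carry. The validator checks the public Modbus/TCP framing (7-byte MBAP header, then a PDU whose first byte is the function code) and the read-request PDU layout, and the boundary handler drops anything that fails silently, logging the reason locally rather than returning a Modbus exception response. The sample frames and the choice to forward only the four read functions are assumptions made for this example.

```python
"""Protocol format enforcement for Modbus/TCP at a managed interface (SC-7 (17)),
dropping malformed or disallowed requests with no feedback to the sender (SC-7 (23)).

Added example; not taken from SP 800-82 or SP 800-53. Framing follows the public
Modbus/TCP layout (MBAP header: transaction id, protocol id, length, unit id; then the
PDU starting with the function code). The frames and the set of permitted function
codes are constructed for this example.
"""
import struct

MBAP_LEN = 7
ALLOWED_FUNCTIONS = {1, 2, 3, 4}                    # read-only functions (assumption)
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}   # per-function read limits


def validate_request(frame: bytes):
    """Return (fields, None) for a well-formed permitted request, else (None, reason)."""
    if len(frame) < MBAP_LEN + 1:
        return None, "short frame"
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return None, "protocol id not 0"
    if length != len(frame) - 6:           # length counts unit id + PDU
        return None, "length field disagrees with frame size"
    fc = frame[MBAP_LEN]
    if fc not in ALLOWED_FUNCTIONS:
        return None, f"function {fc} not permitted"
    pdu = frame[MBAP_LEN:]
    if len(pdu) != 5:                      # fc + start address + quantity
        return None, "read request PDU must be 5 bytes"
    start, quantity = struct.unpack("!HH", pdu[1:5])
    if not 1 <= quantity <= MAX_QUANTITY[fc]:
        return None, "quantity out of range"
    if start + quantity > 0x10000:
        return None, "address range wraps"
    return {"tid": tid, "unit": unit, "fc": fc, "start": start, "quantity": quantity}, None


def handle(frame: bytes, audit: list):
    """Forward a valid request; otherwise record the reason locally and return nothing.

    No exception response or reset goes back to the sender, so a probe learns
    nothing about how the boundary parses traffic (SC-7 (23)).
    """
    fields, reason = validate_request(frame)
    if fields is None:
        audit.append(reason)
        return None
    return fields


# Constructed sample frames (hex, spaces for readability).
GOOD = bytes.fromhex("0001 0000 0006 01 03 0000 000A")        # read 10 holding registers
BAD_LENGTH = bytes.fromhex("0002 0000 00FF 01 03 0000 000A")  # length field lies
WRITE = bytes.fromhex("0003 0000 0006 01 06 0010 1234")       # write single register
OVERSIZED = bytes.fromhex("0004 0000 0006 01 03 0000 07D1")   # 2001 registers requested
TRUNCATED = bytes.fromhex("0005 0000 0002 01 03")             # PDU cut after function code


def run_samples():
    """Forward/drop verdict for each sample frame, plus the local audit trail."""
    audit = []
    forwarded = [handle(f, audit) is not None
                 for f in (GOOD, BAD_LENGTH, WRITE, OVERSIZED, TRUNCATED)]
    return forwarded, audit


if __name__ == "__main__":
    for verdict, reason in zip(run_samples()[0], ["ok"] + run_samples()[1]):
        print("forward" if verdict else "drop", reason)
```

The length-field check matters in practice: a frame whose MBAP length disagrees with the bytes actually present is the classic shape of a fragmentation or parser-confusion probe, and forwarding it lets the PLC, not the boundary, decide how to interpret the mismatch.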

SC-8
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

SC-8 (1)
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

SC-8 (2)
The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.

SC-8 (3)
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

SC-8 (4)
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

SC-9
[Withdrawn: Incorporated into SC-8].

SC-10
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

SC-11
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].

SC-11 (1)
The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.

SC-12
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

SC-12 (1)
The organization maintains availability of information in the event of the loss of cryptographic keys by users.

SC-12 (2)
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.

SC-12 (3)
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].

SC-12 (4)
[Withdrawn: Incorporated into SC-12].

SC-12 (5)
[Withdrawn: Incorporated into SC-12].

SC-13
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13 (1)
[Withdrawn: Incorporated into SC-13].

SC-13 (2)
[Withdrawn: Incorporated into SC-13].

SC-13 (3)
[Withdrawn: Incorporated into SC-13].

SC-13 (4)
[Withdrawn: Incorporated into SC-13].

SC-14
[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].

SC-15
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

SC-15 (1)
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

SC-15 (2)
[Withdrawn: Incorporated into SC-7].

SC-15 (3)
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].

SC-15 (4)
The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].

SC-16
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.

SC-16 (1)
The information system validates the integrity of transmitted security attributes.

SC-17
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

SC-18
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.

SC-18 (1)
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].

SC-18 (2)
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].

SC-18 (3)
The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code].

SC-18 (4)
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.

SC-18 (5)
The organization allows execution of permitted mobile code only in confined virtual machine environments.

SC-19
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-20 (1)
[Withdrawn: Incorporated into SC-20].

SC-20 (2)
The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.

SC-21
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-21 (1)
[Withdrawn: Incorporated into SC-21].

SC-22
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

SC-23
The information system protects the authenticity of communications sessions.

SC-23 (1)
The information system invalidates session identifiers upon user logout or other session termination.

SC-23 (2)
[Withdrawn: Incorporated into AC-12 (1)].

SC-23 (3)
The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
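An added example, not from SP 800-82 or SP 800-53, of what SC-23 (3) and SC-23 (1) look like in a session layer. Each identifier is 256 bits from the operating system's CSPRNG, and an HMAC tag under a server-side key is appended so that a value the client supplied itself (session fixation) or guessed is refused before any session lookup; logout removes the identifier so it is never honoured again. The `SessionStore` class, its key and the user names are constructed for this example.

```python
"""Session identifiers that are unique, unpredictable and recognised only when
system-generated (SC-23 (3)), and invalidated on logout (SC-23 (1)).

Added example; not taken from SP 800-82 or SP 800-53. The identifier is 256 random
bits from the operating system CSPRNG plus an HMAC-SHA256 tag under a server-side key,
so a client-chosen or guessed value is rejected before any session lookup. The key
and users below are constructed sample data.
"""
import base64
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 output


class SessionStore:
    def __init__(self, server_key: bytes, id_bytes: int = 32):
        if len(server_key) < 32:
            raise ValueError("server key must be at least 256 bits")
        self._key = server_key
        self._id_bytes = id_bytes
        self._active = {}  # token -> user; only live, system-minted tokens are here

    def _tag(self, raw_id: bytes) -> bytes:
        return hmac.new(self._key, raw_id, hashlib.sha256).digest()

    def create(self, user: str) -> str:
        """New session: fresh random identifier, tagged, and recorded as active."""
        raw_id = secrets.token_bytes(self._id_bytes)
        token = base64.urlsafe_b64encode(raw_id + self._tag(raw_id)).decode("ascii").rstrip("=")
        self._active[token] = user
        return token

    def resolve(self, token: str):
        """User bound to token, or None unless it is a live, system-generated identifier."""
        try:
            data = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            return None  # not even well-formed base64
        if len(data) != self._id_bytes + TAG_LEN:
            return None
        raw_id, tag = data[:self._id_bytes], data[self._id_bytes:]
        # Constant-time compare: the tag proves this server minted the identifier.
        if not hmac.compare_digest(tag, self._tag(raw_id)):
            return None
        # SC-23 (1): an identifier removed at logout must not be accepted again.
        return self._active.get(token)

    def logout(self, token: str) -> None:
        self._active.pop(token, None)


def walkthrough() -> dict:
    """Exercise the store once and report what each step observed."""
    store = SessionStore(server_key=secrets.token_bytes(32))
    first = store.create("operator1")
    second = store.create("operator1")
    # Flip one character in the middle of the token so the decoded bytes differ.
    altered = first[:10] + ("A" if first[10] != "A" else "B") + first[11:]
    observed = {
        "resolves": store.resolve(first),
        "distinct": first != second,
        "client_chosen_rejected": store.resolve("PHPSESSID-12345") is None,
        "altered_rejected": store.resolve(altered) is None,
    }
    store.logout(first)
    observed["after_logout"] = store.resolve(first)
    return observed


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

The tag is what makes "recognizes only session identifiers that are system-generated" enforceable without a database round-trip for every forged cookie; the active-session dictionary is what makes logout final.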
[Withdrawn: Incorporated into SC-23 (3)].
The information system only allows the use of [Assignment: organization-defined certificate
authorities] for verification of the establishment of protected sessions.
The information system fails to a [Assignment: organization-defined known-state] for
[Assignment: organization-defined types of failures] preserving [Assignment: organization-
defined system state information] in failure.

The organization employs [Assignment: organization-defined information system components]


with minimal functionality
The information and information
system includes storage.
components specifically designed to be the target of malicious
attacks for the purpose of detecting, deflecting, and analyzing such attacks.
[Withdrawn: Incorporated into SC-35].
The information system includes: [Assignment: organization-defined platform-independent
applications].
The information system protects the [Selection (one or more): confidentiality; integrity] of
[Assignment: organization-defined information at rest].
The information system implements cryptographic mechanisms to prevent unauthorized
disclosure and modification of [Assignment: organization-defined information] on [Assignment:
organization-defined information system components].
The organization removes from online storage and stores off-line in a secure location
The organization
[Assignment: employs a diverseinformation].
organization-defined set of information technologies for [Assignment:
organization-defined information system components]
The organization employs virtualization techniques in the implementation
to support the deploymentofofthe information
a diversity of
system.
operating systems and applications that are changed [Assignment: organization-defined
The organization employs [Assignment: organization-defined concealment and misdirection
frequency].
techniques] for [Assignment: organization-defined information systems] at [Assignment:
organization-defined time periods] to confuse and mislead adversaries.
[Withdrawn: Incorporated into SC-29 (1)].
The organization employs [Assignment: organization-defined techniques] to introduce
The organization
randomness changes the location
into organizational of [Assignment:
operations and assets. organization-defined processing and/or
storage] [Selection: [Assignment: organization-defined time frequency]; at random time
The organization employs realistic, but misleading information in [Assignment: organization-
intervals]].
The
The organization:
defined information
organization system[Assignment:
employs components]organization-defined
with regard to its security state ortoposture.
techniques] hide or conceal
a. Performs a covert channel analysis to identify those aspects
[Assignment: organization-defined information system components]. of communications within the
information system that are potential avenues for covert [Selection (one or more): storage;
timing]
The channels; tests
organization and a subset of the identified covert channels to determine which channels
b. Estimates
are exploitable.the maximum bandwidth of those channels.
The organization reduces the maximum bandwidth for identified covert [Selection (one or more);
storage;
The timing] channels
organization measuresto the
[Assignment:
bandwidthorganization-defined values].
of [Assignment: organization-defined subset of
identified covert channels] in the operational environment of the information system.
The organization partitions the information system into [Assignment: organization-defined
information system components] residing in separate physical domains or environments based
on [Assignment: organization-defined circumstances for physical separation of components].
[Withdrawn: Incorporated into SC-8].
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media;
and
b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced,
read-only media.
The organization employs [Assignment: organization-defined information system components]
with organization
The no writeable storage
protects that is persistent
the integrity across component
of information restart on
prior to storage or power on/off.
read-only media and
controls the media after such information has been recorded onto the media.
The organization:
(a) Employs hardware-based, write-protect for [Assignment: organization-defined information
system firmware components]; and
(b) Implements specific procedures for [Assignment: organization-defined authorized individuals]
to manually disable hardware write-protect for firmware modifications and re-enable the write-
protect prior to returning to operational mode.

The information system includes components that proactively seek to identify malicious websites
and/or web-based malicious code.

The organization distributes [Assignment: organization-defined processing and storage] across


multiple physical locations.
The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components].

The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].

The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices].

The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.

The information system maintains a separate execution domain for each executing process.

The information system implements underlying hardware separation mechanisms to facilitate process separation.
The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].

The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].

The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.

The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].
The information system implements cryptographic mechanisms to identify and reject wireless
transmissions that are deliberate attempts to achieve imitative or manipulative communications
deception based on signal parameters.
The information system implements cryptographic mechanisms to prevent the identification of
[Assignment: organization-defined wireless transmitters] by using the transmitter signal
parameters.
The organization physically disables or removes [Assignment: organization-defined connection
ports or input/output devices] on [Assignment: organization-defined information systems or
information system components].

The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].

The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.

The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.

The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-
defined information system components] based on the potential to cause damage to the
information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system.
Security Control Baseline
Rationale
Relationship

Low

Moderate

Not Selected

High

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected

Moderate

Withdrawn
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Low
Withdrawn
Withdrawn
Moderate
Moderate

Moderate
Withdrawn

Moderate

High

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
High

Not Selected

Not Selected

High

Not Selected
Not Selected

Moderate

Moderate
Not Selected
Not Selected
Not Selected
Withdrawn
Moderate
Not Selected
Not Selected

Low

High
Not Selected

Not Selected

Withdrawn
Withdrawn

Low

Withdrawn
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Low

Not Selected

Withdrawn

Not Selected

Not Selected

Not Selected

Not Selected

Moderate

Moderate

Not Selected
Not Selected
Not Selected

Not Selected

Not Selected
Moderate
Low

Withdrawn

Not Selected

Low
Withdrawn
Low
Moderate

Not Selected

Withdrawn
Not Selected
Withdrawn
Not Selected
High

Not Selected
Not Selected
Withdrawn

Not Selected
Moderate

Not Selected

Not Selected
Not Selected
Not Selected

Not Selected

Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Withdrawn

Not Selected

Not Selected
Not Selected

Not Selected

Not Selected

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected

Low

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected

Not Selected

Not Selected
Not Selected

Not Selected
Not Selected
Not Selected

Not Selected

Not Selected

Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)

SC-1 The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

SC-2 Systems used to manage the ICS should be separate from the operational ICS components. Example compensating controls include providing increased auditing measures.

SC-3 Example compensating controls include providing increased auditing measures, limiting network connectivity, architectural allocation.

SC-4 Example compensating controls include architecting the use of the ICS to prevent sharing system resources.

SC-5 Example compensating controls include ensuring a loss of communication results in the ICS operating in nominal or safe mode. Risk-based analysis informs the establishment of policy and procedure.

SC-7 No ICS Supplemental Guidance.

SC-7 (3) No ICS Supplemental Guidance.


SC-7 (4) No ICS Supplemental Guidance.

SC-7 (5) No ICS Supplemental Guidance.

SC-7 (7) No ICS Supplemental Guidance.

SC-7 (8) No ICS Supplemental Guidance.

SC-7 (18) The organization selects an appropriate failure mode (e.g., permit or block all communications).

SC-7 (21) No ICS Supplemental Guidance.

SC-8 No ICS Supplemental Guidance.

SC-8 (1) The organization explores all possible cryptographic integrity mechanisms (e.g., digital signature, hash function). Each mechanism has a different delay impact.

SC-10 Example compensating controls include providing increased auditing measures or limiting remote access privileges to key personnel.

SC-12 The use of cryptographic key management in ICS is intended to support internal nonpublic use.
SC-12 (1) No ICS Supplemental Guidance.

SC-13 No ICS Supplemental Guidance.

SC-15 No ICS Supplemental Guidance.

SC-17 No ICS Supplemental Guidance.

SC-18 No ICS Supplemental Guidance.
SC-19 The use of VoIP technologies is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.

SC-20 The use of secure name/address resolution services is determined after careful consideration and after verification that it does not adversely impact the operation of the ICS.

SC-21 The use of secure name/address resolution services is determined after careful consideration and after verification that it does not adversely impact the operation of the ICS.

SC-22 The use of secure name/address resolution services is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.

SC-23 Example compensating controls include auditing measures.
SC-24 The organization selects an appropriate failure state. Preserving ICS state information includes consistency among ICS state variables and the physical state which the ICS represents (e.g., whether valves are open or closed, communication permitted or blocked, continue operations).

SC-28 The use of cryptographic mechanisms is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.

SC-39 Example compensating controls include partition processes to separate platforms.
SC-41 No ICS Supplemental Guidance.
Strength of Relationship (optional)
Comments (optional)
SC-7 (18) has been added as a MODERATE baseline control enhancement.

Rationale for adding SC-7 (18) to Moderate Baseline: As part of the architecture and design of the ICS, the organization selects an appropriate failure mode in accordance with the function performed by the ICS and the operational environment. The ability to choose the failure mode for the physical part of the ICS differentiates the ICS from other IT systems. This choice may be a significant influence in mitigating the impact of a failure.

SC-24 has been added as a MODERATE baseline control.

Rationale for adding SC-24 to moderate baseline: As part of the architecture and design of the ICS, the organization selects an appropriate failure state of an ICS in accordance with the function performed by the ICS and the operational environment. The ability to choose the failure mode for the physical part of the ICS differentiates the ICS from other IT systems. This choice may be a significant influence in mitigating the impact of a failure, since it may be disruptive to ongoing physical processes (e.g., valves failing in closed position may adversely affect system cooling).

SC-41 has been added as a LOW baseline control.

Rationale for adding SC-24 to all baselines: The function of ICS can be readily determined in advance, making it easier to identify ports and I/O devices that are unnecessary. Disabling or removing ports reinforces air-gap policy.
SP 800-53 Control Number (Focal Document Element)
SI-1
SI-2
SI-2 (1)

SI-2 (2)

SI-2 (3)
SI-2 (4)
SI-2 (5)
SI-2 (6)
SI-3
SI-3 (1)
SI-3 (2)
SI-3 (3)
SI-3 (4)
SI-3 (5)
SI-3 (6)
SI-3 (7)

SI-3 (8)

SI-3 (9)
SI-3 (10)
SI-4

SI-4 (1)
SI-4 (2)
SI-4 (3)
SI-4 (4)
SI-4 (5)
SI-4 (6)

SI-4 (7)

SI-4 (8)
SI-4 (9)
SI-4 (10)

SI-4 (11)

SI-4 (12)
SI-4 (13)
SI-4 (14)
SI-4 (15)

SI-4 (16)

SI-4 (17)
SI-4 (18)
SI-4 (19)
SI-4 (20)
SI-4 (21)

SI-4 (22)
SI-4 (23)

SI-4 (24)

SI-5
SI-5 (1)
SI-6
SI-6 (1)

SI-6 (2)

SI-6 (3)
SI-7
SI-7 (1)
SI-7 (2)
SI-7 (3)

SI-7 (4)

SI-7 (5)

SI-7 (6)
SI-7 (7)
SI-7 (8)

SI-7 (9)

SI-7 (10)
SI-7 (11)
SI-7 (12)
SI-7 (13)
SI-7 (14)
SI-7 (15)
SI-7 (16)
SI-8
SI-8 (1)

SI-8 (2)
SI-8 (3)

SI-9

SI-10

SI-10 (1)

SI-10 (2)
SI-10 (3)
SI-10 (4)
SI-10 (5)
SI-11
SI-12
SI-13

SI-13 (1)

SI-13 (2)

SI-13 (3)

SI-13 (4)
SI-13 (5)
SI-14
SI-14 (1)
SI-15
SI-16
SI-17
SP 800-53 Control or Control Enhancement (Focal Document Element Description)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency].

The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.

The organization centrally manages the flaw remediation process.

The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

[Withdrawn: Incorporated into SI-2].

The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].

The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.

The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

The organization centrally manages malicious code protection mechanisms.

The information system automatically updates malicious code protection mechanisms.

[Withdrawn: Incorporated into AC-6 (10)].

The information system updates malicious code protection mechanisms only when directed by a privileged user.

[Withdrawn: Incorporated into MP-7].

The organization:
(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur.

The information system implements nonsignature-based malicious code detection mechanisms.

The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].

The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands].

The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-
defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-
defined techniques and methods];
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential
information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to
the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access,
modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an
indication of increased risk to organizational operations and assets, individuals, other
organizations, or the Nation based on law enforcement information, intelligence information,
or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance
with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to
[Assignment: organization-defined personnel or roles] [Selection (one or more): as needed;
[Assignment: organization-defined frequency]].
The organization connects and configures individual intrusion detection tools into an
information system-wide intrusion detection system.
The organization employs automated tools to support near real-time analysis of events.

The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

[Withdrawn: Incorporated into AC-6 (10)].
The information system notifies [Assignment: organization-defined incident response
personnel (identified by name and/or by role)] of detected suspicious events and takes
[Assignment: organization-defined least-disruptive actions to terminate suspicious events].
[Withdrawn: Incorporated into SI-4].
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].

The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].
The organization analyzes outbound communications traffic at the external boundary of the
information system and selected [Assignment: organization-defined interior points within the
system (e.g., subnetworks, subsystems)] to discover anomalies.
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].

The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
The organization correlates information from monitoring tools employed throughout the
information system.
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.

The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.

The organization implements [Assignment: organization-defined additional monitoring] of privileged users.

The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].

The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].

The information system discovers, collects, distributes, and uses indicators of compromise.

The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

[Withdrawn: Incorporated into SI-6].

The information system implements automated mechanisms to support the management of distributed security testing.

The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].

The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.

The organization employs centrally managed integrity verification tools.

[Withdrawn: Incorporated into SA-12].

The information system automatically [Selection (one or more): shuts the information system
down; restarts the information system; implements [Assignment: organization-defined
security safeguards]] when integrity violations are discovered.

The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].

The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].

The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].

The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges.

The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.

The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].

The organization:
(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.

The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].

The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

The organization centrally manages spam protection mechanisms.

The information system automatically updates spam protection mechanisms.

The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].

The information system checks the validity of [Assignment: organization-defined information inputs].
The information system:
(a) Provides a manual override capability for input validation of [Assignment: organization-
defined inputs];
(b) Restricts the use of the manual override capability to only [Assignment: organization-
defined authorized individuals]; and
(c) Audits the use of the manual override capability.
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period].

The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.

The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].

The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles].

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].

The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
[Withdrawn: Incorporated into SI-7 (16)].

The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].

The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].

The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.

The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].

The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].

The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
Security Control Baseline
Rationale
Relationship
Reference Document Element

Low SI-1
Low SI-2
High SI-2 (1)

Moderate SI-2 (2)

Not Selected
Withdrawn
Not Selected
Not Selected
Low SI-3
Moderate SI-3 (1)
Moderate SI-3 (2)
Withdrawn
Not Selected
Withdrawn
Not Selected
Not Selected

Not Selected

Not Selected
Not Selected
Low SI-4

Not Selected
Moderate SI-4 (2)
Not Selected
Moderate SI-4 (4)
Moderate SI-4 (5)
Withdrawn

Not Selected

Withdrawn
Not Selected
Not Selected

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected
Not Selected

Not Selected
Not Selected

Not Selected

Low SI-5
High SI-5 (1)
High SI-6
Withdrawn

Not Selected

Not Selected
Moderate SI-7
Moderate SI-7 (1)
High SI-7 (2)
Not Selected

Withdrawn

High SI-7 (5)

Not Selected
Moderate SI-7 (7)
Not Selected

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected
High SI-7 (14)
Not Selected
Not Selected
Moderate SI-8
Moderate SI-8 (1)

Moderate SI-8 (2)


Not Selected

Withdrawn

Moderate SI-10

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected
Moderate SI-11
Low SI-12
Not Selected SI-13

Not Selected

Withdrawn

Not Selected

Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Moderate SI-16
Not Selected SI-17
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)

SI-1: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

SI-2: [...] and other software that is not current, is no longer being maintained by the vendors, and is not resistant to current threats. ICS operators are often dependent on product vendors to validate the operability of a patch and also sometimes to perform the installation. Often flaws cannot be remediated based on circumstances outside of the ICS operator's control (e.g., lack of a vendor patch). Sometimes the organization has no choice but to accept additional risk. In these situations, compensating controls should be implemented (e.g., limit the exposure of the vulnerable system). Other compensating controls that do not decrease the residual risk but increase the ability to respond may be desirable (e.g., provide a timely response in case of an incident; devise a plan to ensure the ICS can identify the exploitation of the flaw). Testing flaw remediation in an ICS may require more resources than the organization can commit.

SI-2 (1): No ICS Supplemental Guidance.

SI-2 (2): In situations where the ICS cannot support the use of automated mechanisms to conduct and report on the status of flaw remediation, the organization employs nonautomated mechanisms or procedures that incorporate methods to apply, track, and verify mitigation efforts as compensating controls in accordance with the general tailoring guidance.

SI-3: The use and deployment of malicious code protection is determined after careful consideration and after verification that it does not adversely impact the operation of the ICS. Malicious code protection tools should be configured to minimize their potential impact on the operation of the ICS (e.g., employ notification rather than quarantine). Example compensating controls include increased auditing.

SI-3 (1): The organization implements central management of malicious code protection with consideration of the impact on operation of the ICS. Example compensating controls include increased traffic monitoring and auditing.

SI-3 (2): The organization implements automatic updates of malicious code protection with consideration of the impact on operation of the ICS. In situations where the ICS cannot support the use of automatic update of malicious code protection, the organization employs nonautomated procedures as compensating controls in accordance with the general tailoring guidance.
SI-4: The organization ensures that the use of monitoring tools and techniques does not adversely impact the operational performance of the ICS. Example compensating controls include deploying sufficient network monitoring.

SI-4 (2): In situations where the ICS cannot support the use of automated tools to support near-real-time analysis of events, the organization employs compensating controls (e.g., providing an auditing capability on a separate system, nonautomated mechanisms or procedures) in accordance with the general tailoring guidance.

SI-4 (4): In situations where the ICS cannot monitor inbound and outbound communications traffic, the organization employs compensating controls. Example compensating controls include providing a monitoring capability on a separate information system.

SI-4 (5): Example compensating controls include manual methods of generating alerts.
SI-5: The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) generates security alerts and a [...]

SI-5 (1): No ICS Supplemental Guidance.

SI-6: The shutting down and restarting of the ICS may not always be feasible upon the identification of an anomaly; these actions should be scheduled according to ICS operational requirements.

SI-7: The organization determines whether the use of integrity verification applications would adversely impact the operation of the ICS and employs compensating controls (e.g., manual integrity verifications that do not affect performance).

SI-7 (1): The organization ensures that the use of integrity verification applications does not adversely impact the operational performance of the ICS. Example compensating controls include performing scheduled manual inspections for integrity violations.

SI-7 (2): In situations where the organization cannot employ automated tools that provide notification of integrity discrepancies, the organization employs nonautomated mechanisms or procedures.

SI-7 (5): The shutting down and restarting of the ICS may not always be feasible upon the identification of an anomaly; these actions should be scheduled according to ICS operational requirements.

SI-7 (7): In situations where the ICS cannot detect unauthorized security-relevant changes, the organization employs compensating controls (e.g., manual procedures) in accordance with the general tailoring guidance.

SI-7 (14): No ICS Supplemental Guidance.

SI-8: ICS spam protection may be implemented by removing spam transport mechanisms, functions and services (e.g., electronic mail, Internet access) from the ICS. If any spam transport mechanisms, functions and services are present in the ICS, spam protection in ICS takes into account operational characteristics of ICS that differ from general purpose information systems (e.g., unusual traffic flow that may be misinterpreted and detected as spam). Example compensating controls include whitelist mail transfer agents (MTA), digitally signed messages, acceptable sources, and acceptable message types.

SI-8 (1): Example compensating controls include employing local mechanisms or procedures.

SI-8 (2): No ICS Supplemental Guidance.
SI-10: No ICS Supplemental Guidance.

SI-11: No ICS Supplemental Guidance.

SI-12: No ICS Supplemental Guidance.

SI-13: [...] deterministic. Stochastic failures can be analyzed using probability theory, while analysis of deterministic failures is based on non-random properties of the system. Known ICS failure modes and causes are considered. The calculation and use of statistical descriptors, such as Mean Time To Failure (MTTF), should incorporate additional analysis to determine how those failures manifest within the cyber and physical domains. Knowledge of these possible manifestations may be necessary to detect whether a failure has occurred within the ICS, as failures of the information systems may not be easily identifiable. Emergent properties, which may arise both within the information systems and physical processes and can potentially cause system failures, should be incorporated into the analysis. For example, cumulative effects of resource exhaustion (e.g., memory leakage) or errors (e.g., rounding and truncation) can occur when ICS processes execute for unexpectedly long periods. Deterministic failures (e.g., integer counter overflow), once identified, are preventable.

SI-13 (1): Often substitute components may not be available or may not be sufficient to protect against faults occurring before predicted failure. Non-automated mechanisms or physical safeguards should be in place in order to protect against these failures.
The selected failure conditions and corresponding procedures may vary among baselines. The same failure event may trigger different responses depending on the impact level.

In addition to information concerning newly discovered vulnerabilities (i.e., latent flaws) potentially affecting the system/applications that are discovered by forensic studies, new vulnerabilities may be identified by organizations with responsibility for disseminating vulnerability information (e.g., ICS-CERT) based upon an analysis of a similar pattern of incidents reported to them or vulnerabilities reported by other researchers. Related controls: IR-5, IR-6, RA-5, SI-2, SI-5, SI-11.

SI-16: No ICS Supplemental Guidance.

SI-17: Mechanical and analog system mechanisms can be used to provide organizations with fail-safe procedures. Fail-safe states should incorporate potential impacts to human safety, physical systems, and the environment. Related controls: CP-6.
Strength of Relationship (optional) | Comments (optional)
SI-13 has been added as a HIGH baseline control.

Rationale for adding SI-13 to the High baseline: ICS are designed and built with certain boundary conditions, design parameters, and assumptions about their environment and mode of operation. ICS may run much longer than conventional systems, allowing latent flaws to become effective that are not manifest in other environments. For example, integer overflow might never occur in systems that are re-initialized more frequently than the occurrence of the overflow. Experience and forensic studies of anomalies and incidents in ICS can lead to identification of emergent properties that were previously unknown, unexpected, or unanticipated. Preventative and restorative actions (e.g., re-starting the system or application) are prudent but may not be acceptable for operational reasons in ICS.
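The latent failures named in the SI-13 guidance (integer counter overflow, cumulative rounding error over long runs) and in this rationale (an overflow that a frequently re-initialized system never reaches), as a worked example. This code is added here; it is not from the OLIR spreadsheet, SP 800-82, or SP 800-53. It assumes a hypothetical controller firmware with a 32-bit millisecond tick counter and a 100 ms control loop; every function and constant name is made up for the illustration, and the tick values and tick counts in main are constructed.

```c
/* Added example, not from NIST SP 800-82 or SP 800-53: two deterministic,
 * latent failures that only appear once an ICS host has run far longer than a
 * conventionally rebooted system. All names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <math.h>

/* A 32-bit millisecond tick counter (typical of PLC/RTU firmware) wraps to
 * zero after 2^32 ms, about 49.7 days. A host rebooted nightly never sees the
 * wrap; a controller running for months does. */
#define TICK_WRAP_DAYS (4294967296.0 / 86400000.0)

/* Naive timeout check: compares the current tick against a precomputed
 * deadline. Wrong across the wrap in both directions: if the deadline wrapped
 * but `now` has not, it fires immediately; if `now` wrapped but the deadline
 * has not, it does not fire until the next wrap, 49.7 days later. */
bool deadline_passed_naive(uint32_t now_ms, uint32_t start_ms, uint32_t timeout_ms)
{
    uint32_t deadline_ms = (uint32_t)(start_ms + timeout_ms);
    return now_ms >= deadline_ms;
}

/* Corrected check: unsigned subtraction is defined modulo 2^32 in C, so
 * (now - start) is the true elapsed time for any timeout below 2^32 ms,
 * whether or not the counter wrapped in between. */
bool deadline_passed_safe(uint32_t now_ms, uint32_t start_ms, uint32_t timeout_ms)
{
    return (uint32_t)(now_ms - start_ms) >= timeout_ms;
}

/* Rounding error that accumulates only over long runs: a control loop that
 * tracks elapsed seconds by repeatedly adding 0.1f to a float. Each add is
 * rounded to the accumulator's current ulp, and once the accumulator reaches
 * tens of thousands of seconds that ulp is coarser than the 0.1 s step.
 * `volatile` forces single-precision rounding on every add, as on a 32-bit
 * MCU. Returns accumulated minus true elapsed seconds. */
double float_clock_drift_seconds(uint32_t ticks)
{
    volatile float elapsed_s = 0.0f;
    for (uint32_t i = 0; i < ticks; i++) {
        elapsed_s += 0.1f;
    }
    return (double)elapsed_s - (double)ticks / 10.0;
}

/* Corrected version: count ticks as an integer and convert once when a
 * seconds value is actually needed; the accumulator itself never rounds. */
double int_clock_drift_seconds(uint32_t ticks)
{
    uint64_t elapsed_ms = 0;
    for (uint32_t i = 0; i < ticks; i++) {
        elapsed_ms += 100;
    }
    return (double)elapsed_ms / 1000.0 - (double)ticks / 10.0;
}

int main(void)
{
    /* Constructed tick values straddling the 32-bit wrap. */
    uint32_t start = 0xFFFFFE00u;   /* 512 ms before the wrap */
    uint32_t now   = 0x00000010u;   /* 528 ms later, after the wrap */
    printf("tick counter wraps after %.1f days\n", TICK_WRAP_DAYS);
    printf("256 ms timeout checked 528 ms after start: naive=%d safe=%d\n",
           deadline_passed_naive(now, start, 256u),
           deadline_passed_safe(now, start, 256u));

    uint32_t one_day = 864000u;     /* 100 ms ticks in 24 hours (constructed) */
    printf("float clock drift after one day:   %+.1f s\n",
           float_clock_drift_seconds(one_day));
    printf("integer clock drift after one day: %+.1f s\n",
           int_clock_drift_seconds(one_day));
    return 0;
}
```

Compile with any C99 compiler and run. The naive deadline check gives the wrong answer on both sides of the wrap while the subtraction form stays correct, and the float accumulator is more than a minute off after a single day of 100 ms ticks. Both defects are invisible on a host that is re-initialized before the counter wraps or the accumulator grows large, which is exactly the class of flaw the rationale describes.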
SI-17 has been added as a LOW baseline control.

Rationale for adding SI-17 to all baselines: This control provides a structure for the organization to identify their policy and procedures for dealing with failures and other incidents. Creating a written record of the decision process for selecting incidents and appropriate response is part of risk management in light of the changing environment of operations.
SP 800-53 Control Number (Focal Document Element)

PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
PM-12
PM-13
PM-14
PM-15
PM-16
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline

PM-1 (Security Control Baseline: Not Associated)
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification.

PM-2 (Security Control Baseline: Not Associated)
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

PM-3 (Security Control Baseline: Not Associated)
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.

PM-4 (Security Control Baseline: Not Associated)
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-5 (Security Control Baseline: Not Associated)
The organization develops and maintains an inventory of its information systems.

PM-6 (Security Control Baseline: Not Associated)
The organization develops, monitors, and reports on the results of information security measures of performance.

PM-7 (Security Control Baseline: Not Associated)
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

PM-8 (Security Control Baseline: Not Associated)
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-9 (Security Control Baseline: Not Associated)
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

PM-10 (Security Control Baseline: Not Associated)
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.

PM-11 (Security Control Baseline: Not Associated)
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.

PM-12 (Security Control Baseline: Not Associated)
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

PM-13 (Security Control Baseline: Not Associated)
The organization establishes an information security workforce development and improvement program.

PM-14 (Security Control Baseline: Not Associated)
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-15 (Security Control Baseline: Not Associated)
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
a. To facilitate ongoing security education and training for organizational personnel;
b. To maintain currency with recommended security practices, techniques, and technologies; and
c. To share current security-related information including threats, vulnerabilities, and incidents.

PM-16 (Security Control Baseline: Not Associated)
Reference Document Element | Rationale | Relationship

PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
PM-12
PM-13
PM-14
PM-15
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)

PM-1: The policy specifically addresses the unique properties and requirements of ICS, the relationship to non-ICS systems, and the relationship to other programs concerned with operational characteristics of ICS (e.g., safety, efficiency, reliability, resilience).

PM-2: No ICS Supplemental Guidance.

PM-3: Capital planning and investment decisions address all of the relevant technologies and all phases of the life cycle and need to be informed by ICS experts as well as other subject matter experts (e.g., information security). Marshaling interdisciplinary working teams to advise capital planning and investment decisions can help trade off and balance among conflicting equities, objectives, and responsibilities such as capability, adaptability, resilience, safety, security, usability, and efficiency.

PM-4: The plan of action and milestones includes both computational and physical ICS components. Records of observed shortcomings and appropriate remedial action may be maintained in a single document or in multiple coordinated documents (e.g., future engineering plans).

PM-5: No ICS Supplemental Guidance.

PM-6: No ICS Supplemental Guidance.

PM-7: No ICS Supplemental Guidance.

PM-8: No ICS Supplemental Guidance. References: Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013.

PM-9: Risk management of ICS is considered along with other organizational risks affecting mission/business success from an organization-wide perspective. The organization-wide risk management strategy includes sector-specific guidance as appropriate.

PM-10: The authorization to operate processes for ICS involve multiple disciplines that have existing approval and risk management processes (e.g., physical security, safety). Organization-wide risk management requires harmonization among these disciplines.

PM-11: Mission/business process refinement requires protection of physical assets from damage originating in the cyber domain. These needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy.

PM-12: No ICS Supplemental Guidance.

PM-13: All aspects of information security workforce development and improvement programs include knowledge and skill levels in both computational and physical ICS components.

PM-14: No ICS Supplemental Guidance.

PM-15: The organization should collaborate and share information about potential incidents on a timely basis. The DHS Nat [...]

PM-16: No ICS Supplemental Guidance.
Strength of Relationship (optional) | Comments (optional)
SP 800-53 Control Number (Focal Document Element)

AP-1
AP-2
AR-1
AR-2
AR-3
AR-4
AR-5
AR-6
AR-7
AR-8
DI-1
DI-1 (1)
DI-1 (2)
DI-2
DI-2 (1)
DM-1
DM-1 (1)
DM-2
DM-2 (1)
DM-3
DM-3 (1)
IP-1
IP-1 (1)
IP-2
IP-3
IP-4
IP-4 (1)
SE-1
SE-2
TR-1
TR-1 (1)
TR-2
TR-2 (1)
TR-3
UL-1
UL-2
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline

AP-1 (Security Control Baseline: Not Associated)
The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.

AP-2 (Security Control Baseline: Not Associated)
The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.

AR-1 (Security Control Baseline: Not Associated)
The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].

AR-2 (Security Control Baseline: Not Associated)
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.

AR-3 (Security Control Baseline: Not Associated)
The organization:
a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
b. Includes privacy requirements in contracts and other acquisition-related documents.

AR-4 (Security Control Baseline: Not Associated)
The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation.

AR-5 (Security Control Baseline: Not Associated)
The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].

AR-6 (Security Control Baseline: Not Associated)
The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

AR-7 (Security Control Baseline: Not Associated)
The organization designs information systems to support privacy by automating privacy controls.

AR-8 (Security Control Baseline: Not Associated)
The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request.

DI-1 (Security Control Baseline: Not Associated)
The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

DI-1 (1) (Security Control Baseline: Not Associated)
The organization requests that the individual or individual's authorized representative validate PII during the collection process.

DI-1 (2) (Security Control Baseline: Not Associated)
The organization requests that the individual or individual's authorized representative revalidate that PII collected is still accurate [Assignment: organization-defined frequency].

DI-2 (Security Control Baseline: Not Associated)
The organization:
a. Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and
b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.

DI-2 (1) (Security Control Baseline: Not Associated)
The organization publishes Computer Matching Agreements on its public website.

DM-1 (Security Control Baseline: Not Associated)
The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

DM-1 (1) (Security Control Baseline: Not Associated)
The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.

DM-2 (Security Control Baseline: Not Associated)
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).

DM-2 (1) (Security Control Baseline: Not Associated)
The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.

DM-3 (Security Control Baseline: Not Associated)
The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research.

DM-3 (1) (Security Control Baseline: Not Associated)
The organization, where feasible, uses techniques to minimize the risk to privacy of using PII for research, testing, or training.

IP-1 (Security Control Baseline: Not Associated)
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.

IP-1 (1) (Security Control Baseline: Not Associated)
The organization implements mechanisms to support itemized or tiered consent for specific uses of data.

IP-2 (Security Control Baseline: Not Associated)
The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.

IP-3 (Security Control Baseline: Not Associated)
The organization:
a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and
b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

IP-4 (Security Control Baseline: Not Associated)
The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

IP-4 (1) (Security Control Baseline: Not Associated)
The organization responds to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period].

SE-1 (Security Control Baseline: Not Associated)
The organization:
a. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and
b. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

SE-2 (Security Control Baseline: Not Associated)
The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

TR-1 (Security Control Baseline: Not Associated)
The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.

TR-1 (1) (Security Control Baseline: Not Associated)
The organization provides real-time and/or layered notice when it collects PII.

TR-2 (Security Control Baseline: Not Associated)
The organization:
a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
b. Keeps SORNs current; and
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.

TR-2 (1) (Security Control Baseline: Not Associated)
The organization publishes SORNs on its public website.

TR-3 (Security Control Baseline: Not Associated)
The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
b. Ensures that its privacy practices are publicly available through organizational websites or otherwise.

UL-1 (Security Control Baseline: Not Associated)
The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

UL-2 (Security Control Baseline: Not Associated)
The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
Reference Document Element | Rationale | Relationship

Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)

Strength of Relationship (optional) | Comments (optional)
