APPENDIX C CONTROL SUMMARIES - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

APPENDIX C

CONTROL SUMMARIES

IMPLEMENTATION, WITHDRAWAL, AND ASSURANCE DESIGNATIONS

Tables C-1 through C-20 provide a summary of the security and privacy controls and control enhancements in Chapter Three. Each table focuses on a different control family.

  • A control or control enhancement that has been withdrawn from the control catalog is indicated by a "W" and an explanation of the control or control enhancement disposition in light gray text.
  • A control or control enhancement that is typically implemented by an information system through technical means is indicated by an "S" in the implemented by column.
  • A control or control enhancement that is typically implemented by an organization (i.e., by an individual through nontechnical means) is indicated by an "O" in the implemented by column.36
  • A control or control enhancement that can be implemented by an organization, a system, or a combination of the two is indicated by an "O/S."
  • A control or control enhancement marked with a "√" in the assurance column indicates that the control or control enhancement contributes to the grounds for confidence that a security or privacy claim has been or will be achieved.37

Each control and control enhancement in Tables C-1 through C-20 is hyperlinked to the text for that control and control enhancement in Chapter Three.

Families of controls contain base controls and control enhancements, which are directly related to their base controls. Control enhancements either add functionality or specificity to a base control or increase the strength of a base control. In both cases, control enhancements are used in systems and environments of operation that require greater protection than provided by the base control. This increased protection is required due to the potential adverse organizational or individual impacts or when organizations require additions to the base control functionality or assurance based on organizational assessments of risk. The use of control enhancements always requires the use of the base control.

The families are arranged in alphabetical order, while the controls and control enhancements within each family are arranged in numerical order. The alphabetical or numerical order of the families, controls, and control enhancements does not imply any type of prioritization, level of importance, or order in which the controls or control enhancements are to be implemented.


36 The indication that a certain control or control enhancement is implemented by a system or by an organization in Tables C-1 through C-20 is notional. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements. In certain situations, a control or control enhancement may be implemented by the system, the organization, or a combination of the two entities.

37 Assurance is a critical aspect in determining the trustworthiness of systems. Assurance is the measure of confidence that the security and privacy functions, features, practices, policies, procedures, mechanisms, and architecture of organizational systems accurately mediate and enforce established security and privacy policies.
