Draft 150 267 - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

_________________________________________________________________________________________________

This publication is available free of charge from:

https://doi.org/10.6028/NIST.SP.

  • 53r

3.7 IDENTIFICATION AND AUTHENTICATION

Quick link to Identification and Authentication Summary Table

IA-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ]
     identification and authentication policy that:
     (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination
         among organizational entities, and compliance; and
     (b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
         standards, and guidelines; and
  2. Procedures to facilitate the implementation of the identification and authentication policy
     and the associated identification and authentication controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development,
documentation, and dissemination of the identification and authentication policy and
procedures; and
c. Review and update the current identification and authentication:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment:
     organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment:
     organization-defined events ].
Discussion: Identification and authentication policy and procedures address the controls in the IA
family that are implemented within systems and organizations. The risk management strategy is an
important factor in establishing such policies and procedures. Policies and procedures contribute
to security and privacy assurance. Therefore, it is important that security and privacy programs
collaborate on the development of identification and authentication policy and procedures.
Security and privacy program policies and procedures at the organization level are preferable, in
general, and may obviate the need for mission- or system-specific policies and procedures. The
policy can be included as part of the general security and privacy policy or be represented by
multiple policies that reflect the complex nature of organizations. Procedures can be established
for security and privacy programs, for mission or business processes, and for systems, if needed.
Procedures describe how the policies or controls are implemented and can be directed at the
individual or role that is the object of the procedure. Procedures can be documented in system
security and privacy plans or in one or more separate documents. Events that may precipitate an
update to identification and authentication policy and procedures include assessment or audit
findings, security or privacy incidents, or changes in applicable laws, executive orders,
directives, regulations, policies, standards, and guidelines. Simply restating controls does not
constitute an organizational policy or procedure.
Related Controls: AC-1, PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [OMB A-130], [FIPS 201-2], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-63-3],
[SP 800-73-4], [SP 800-76-2], [SP 800-78-4], [SP 800-100], [IR 7874].

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Control: Uniquely identify and authenticate organizational users and associate that unique
identification with processes acting on behalf of those users.
Discussion: Organizations can satisfy the identification and authentication requirements by
complying with the requirements in [HSPD 12]. Organizational users include employees or
individuals who organizations consider to have an equivalent status to employees (e.g.,
contractors and guest researchers). Unique identification and authentication of users applies to
all accesses other than those that are explicitly identified in AC-14 and that occur through the
authorized use of group authenticators without individual authentication. Since processes
execute on behalf of groups and roles, organizations may require unique identification of
individuals in group accounts or for detailed accountability of individual activity.
Organizations employ passwords, physical authenticators, or biometrics to authenticate user
identities or, in the case of multi-factor authentication, some combination thereof. Access to
organizational systems is defined as either local access or network access. Local access is any
access to organizational systems by users or processes acting on behalf of users, where access is
obtained through direct connections without the use of networks. Network access is access to
organizational systems by users (or processes acting on behalf of users) where access is obtained
through network connections (i.e., nonlocal accesses). Remote access is a type of network access
that involves communication through external networks. Internal networks include local area
networks and wide area networks.
The use of encrypted virtual private networks for network connections between organization-
controlled endpoints and non-organization-controlled endpoints may be treated as internal
networks with respect to protecting the confidentiality and integrity of information traversing
the network. Identification and authentication requirements for non-organizational users are
described in IA-8.
Related Controls: AC-2, AC-3, AC-4, AC-14, AC-17, AC-18, AU-1, AU-6, IA-4, IA-5, IA-8, MA-4, MA-5,
PE-2, PL-4, SA-4, SA-8.
Control Enhancements:

(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | MULTI-FACTOR AUTHENTICATION TO PRIVILEGED ACCOUNTS

Implement multi-factor authentication for access to privileged accounts.
Discussion: Multi-factor authentication requires the use of two or more different factors to
achieve authentication. The authentication factors are defined as follows: something you
know (e.g., a personal identification number [PIN]), something you have (e.g., a physical
authenticator such as a cryptographic private key), or something you are (e.g., a biometric).
Multi-factor authentication solutions that feature physical authenticators include hardware
authenticators that provide time-based or challenge-response outputs and smart cards such
as the U.S. Government Personal Identity Verification (PIV) card or the Department of
Defense (DoD) Common Access Card. In addition to authenticating users at the system level
(i.e., at logon), organizations may employ authentication mechanisms at the application
level, at their discretion, to provide increased security. Regardless of the type of access (i.e.,
local, network, remote), privileged accounts are authenticated using multi-factor options
appropriate for the level of risk. Organizations can add additional security measures, such as
additional or more rigorous authentication mechanisms, for specific types of access.
Related Controls: AC-5, AC-6.

(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | MULTI-FACTOR AUTHENTICATION TO NON-PRIVILEGED ACCOUNTS

Implement multi-factor authentication for access to non-privileged accounts.
Discussion: Multi-factor authentication requires the use of two or more different factors to
achieve authentication. The authentication factors are defined as follows: something you
know (e.g., a personal identification number [PIN]), something you have (e.g., a physical
authenticator such as a cryptographic private key), or something you are (e.g., a biometric).
Multi-factor authentication solutions that feature physical authenticators include hardware
authenticators that provide time-based or challenge-response outputs and smart cards such
as the U.S. Government Personal Identity Verification card or the DoD Common Access Card.
In addition to authenticating users at the system level, organizations may also employ
authentication mechanisms at the application level, at their discretion, to provide increased
information security. Regardless of the type of access (i.e., local, network, remote), non-
privileged accounts are authenticated using multi-factor options appropriate for the level of
risk. Organizations can provide additional security measures, such as additional or more
rigorous authentication mechanisms, for specific types of access.
Related Controls: AC-5.

(3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS

[Withdrawn: Incorporated into IA-2(1).]

(4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS

[Withdrawn: Incorporated into IA-2(2).]

(5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | INDIVIDUAL AUTHENTICATION WITH GROUP AUTHENTICATION

When shared accounts or authenticators are employed, require users to be individually
authenticated before granting access to the shared accounts or resources.
Discussion: Individual authentication prior to shared group authentication mitigates the risk
of using group accounts or authenticators.
Related Controls: None.

(6) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO ACCOUNTS — SEPARATE DEVICE

Implement multi-factor authentication for [ Selection (one or more): local; network;
remote ] access to [ Selection (one or more): privileged accounts; non-privileged accounts ]
such that:
(a) One of the factors is provided by a device separate from the system gaining access;
and
(b) The device meets [ Assignment: organization-defined strength of mechanism
requirements ].
Discussion: The purpose of requiring a device that is separate from the system to which the
user is attempting to gain access for one of the factors during multi-factor authentication is
to reduce the likelihood of compromising authenticators or credentials stored on the
system. Adversaries may be able to compromise such authenticators or credentials and
subsequently impersonate authorized users. Implementing one of the factors on a separate
device (e.g., a hardware token) provides a greater strength of mechanism and an increased
level of assurance in the authentication process.
Related Controls: AC-6.

(7) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO NON-PRIVILEGED ACCOUNTS — SEPARATE DEVICE

[Withdrawn: Incorporated into IA-2(6).]

(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO ACCOUNTS — REPLAY RESISTANT

Implement replay-resistant authentication mechanisms for access to [ Selection (one or
more): privileged accounts; non-privileged accounts ].
Discussion: Authentication processes resist replay attacks if it is impractical to achieve
successful authentications by replaying previous authentication messages. Replay-resistant
techniques include protocols that use nonces or challenges such as time synchronous or
cryptographic authenticators.
Related Controls: None.

(9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS — REPLAY RESISTANT

[Withdrawn: Incorporated into IA-2(8).]

(10) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | SINGLE SIGN-ON

Provide a single sign-on capability for [ Assignment: organization-defined system accounts
and services ].
Discussion: Single sign-on enables users to log in once and gain access to multiple system
resources. Organizations consider the operational efficiencies provided by single sign-on
capabilities with the risk introduced by allowing access to multiple systems via a single
authentication event. Single sign-on can present opportunities to improve system security,
for example by providing the ability to add multi-factor authentication for applications and
systems (existing and new) that may not be able to natively support multi-factor
authentication.
Related Controls: None.

(11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS — SEPARATE DEVICE

[Withdrawn: Incorporated into IA-2(6).]

(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS

Accept and electronically verify Personal Identity Verification-compliant credentials.

Discussion: Acceptance of Personal Identity Verification (PIV)-compliant credentials applies
to organizations implementing logical access control and physical access control systems.
PIV-compliant credentials are those credentials issued by federal agencies that conform to
FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV
card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials
includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DoD
Common Access Card (CAC) is an example of a PIV credential.
Related Controls: None.

(13) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | OUT-OF-BAND AUTHENTICATION

Implement the following out-of-band authentication mechanisms under [ Assignment:
organization-defined conditions ]: [ Assignment: organization-defined out-of-band
authentication ].
Discussion: Out-of-band authentication refers to the use of two separate communication
paths to identify and authenticate users or devices to an information system. The first path
(i.e., the in-band path) is used to identify and authenticate users or devices and is generally
the path through which information flows. The second path (i.e., the out-of-band path) is
used to independently verify the authentication and/or requested action. For example, a
user authenticates via a notebook computer to a remote server to which the user desires
access and requests some action of the server via that communication path. Subsequently,
the server contacts the user via the user’s cell phone to verify that the requested action
originated from the user. The user may confirm the intended action to an individual on the
telephone or provide an authentication code via the telephone. Out-of-band authentication
can be used to mitigate actual or suspected “man-in-the-middle” attacks. The conditions or
criteria for activation include suspicious activities, new threat indicators, elevated threat
levels, or the impact or classification level of information in requested transactions.
Related Controls: IA-10, IA-11, SC-37.
References: [FIPS 140-3], [FIPS 201-2], [FIPS 202], [SP 800-63-3], [SP 800-73-4], [SP 800-76-2],
[SP 800-78-4], [SP 800-79-2], [SP 800-156], [SP 800-166], [IR 7539], [IR 7676], [IR 7817],
[IR 7849], [IR 7870], [IR 7874], [IR 7966].

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

Control: Uniquely identify and authenticate [ Assignment: organization-defined devices and/or
types of devices ] before establishing a [ Selection (one or more): local; remote; network ]
connection.
Discussion: Devices that require unique device-to-device identification and authentication are
defined by type, device, or a combination of type and device. Organization-defined device types
include devices that are not owned by the organization. Systems use shared known information
(e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP]
addresses) for device identification or organizational authentication solutions (e.g., Institute of
Electrical and Electronics Engineers (IEEE) 802.1X and Extensible Authentication Protocol [EAP],
RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and
authenticate devices on local and wide area networks. Organizations determine the required
strength of authentication mechanisms based on the security categories of systems and mission
or business requirements. Because of the challenges of implementing device authentication on a
large scale, organizations can restrict the application of the control to a limited number/type of
devices based on mission or business needs.
Related Controls: AC-17, AC-18, AC-19, AU-6, CA-3, CA-9, IA-4, IA-5, IA-9, IA-11, SI-4.
Control Enhancements:

(1) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION

Authenticate [ Assignment: organization-defined devices and/or types of devices ] before
establishing [ Selection (one or more): local; remote; network ] connection using
bidirectional authentication that is cryptographically based.
Discussion: A local connection is a connection with a device that communicates without the
use of a network. A network connection is a connection with a device that communicates
through a network. A remote connection is a connection with a device that communicates
through an external network. Bidirectional authentication provides stronger protection to
validate the identity of other devices for connections that are of greater risk.
Related Controls: SC-8, SC-12, SC-13.
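IA-2(8) requires that replaying a previous authentication message must not succeed, and IA-3(1) requires that both sides of a device connection prove their identity cryptographically. One mechanism covers both: each party issues a fresh nonce, and each proof is a keyed MAC over the prover's role and both nonces, with the verifier consuming its own nonce on first use. The example below is added here and is not code from SP 800-53 or from NIST. It assumes a pre-shared symmetric key (a constructed value) purely to keep the example self-contained; the solutions the control names, such as EAP-TLS, achieve the same property with per-device certificates and signatures.

```python
import hashlib
import hmac
import secrets

# Constructed demo pre-shared key. A deployment would use per-device certificates
# (EAP-TLS) or keys provisioned through the organization's authenticator management.
SHARED_KEY = bytes.fromhex("5f2b5c3e7a8d9e0f1a2b3c4d5e6f70819293a4b5c6d7e8f90a1b2c3d4e5f6071")


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC over length-prefixed fields so (role, nonce, nonce) cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big"))
        h.update(f)
    return h.digest()


class Peer:
    """An endpoint (device or user agent) that both proves and verifies key possession."""

    def __init__(self, role: str, key: bytes):
        self.role = role.encode()
        self.key = key
        self.pending: dict[bytes, bytes] = {}  # nonce I issued -> role expected to answer it

    def challenge(self, expected_role: str) -> bytes:
        nonce = secrets.token_bytes(16)       # unpredictable, never reused
        self.pending[nonce] = expected_role.encode()
        return nonce                          # (a real verifier would also expire old entries)

    def prove(self, their_nonce: bytes, my_nonce: bytes) -> bytes:
        """Bind my role, the challenge I received and the challenge I issued."""
        return tag(self.key, self.role, their_nonce, my_nonce)

    def verify(self, claimed_role: str, my_nonce: bytes, their_nonce: bytes, proof: bytes) -> bool:
        # The nonce is consumed on first use: a captured proof can never be replayed
        # because this verifier will not accept that nonce again.
        if self.pending.pop(my_nonce, None) != claimed_role.encode():
            return False
        expected = tag(self.key, claimed_role.encode(), my_nonce, their_nonce)
        return hmac.compare_digest(expected, proof)


def run_session(initiator: Peer, responder: Peer) -> tuple[bool, bool, dict]:
    """Three-message mutual authentication; returns each side's verdict and the transcript."""
    n_i = initiator.challenge(responder.role.decode())      # 1. I -> R : n_i
    n_r = responder.challenge(initiator.role.decode())      # 2. R -> I : n_r, proof_r
    proof_r = responder.prove(n_i, n_r)
    initiator_ok = initiator.verify(responder.role.decode(), n_i, n_r, proof_r)
    proof_i = initiator.prove(n_r, n_i)                     # 3. I -> R : proof_i
    responder_ok = responder.verify(initiator.role.decode(), n_r, n_i, proof_i)
    transcript = {"n_i": n_i, "n_r": n_r, "proof_r": proof_r, "proof_i": proof_i}
    return initiator_ok, responder_ok, transcript


def replay_against(responder: Peer, initiator_role: str, captured: dict) -> bool:
    """An adversary replays the initiator's messages from an earlier, captured session."""
    n_r2 = responder.challenge(initiator_role)              # responder issues a fresh nonce
    return responder.verify(initiator_role, n_r2, captured["n_i"], captured["proof_i"])


if __name__ == "__main__":
    device = Peer("device-A", SHARED_KEY)
    switch = Peer("switch-B", SHARED_KEY)
    ok_i, ok_r, transcript = run_session(device, switch)
    print("mutual authentication:", ok_i and ok_r)                      # True
    print("replayed proof accepted:", replay_against(switch, "device-A", transcript))  # False
```

Both failure modes the controls are concerned with are visible: a replayed proof fails because the fresh nonce is not the one the proof was computed over, and an endpoint without the key fails in both directions, so neither side will talk to an impostor.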

(2) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION

[Withdrawn: Incorporated into IA-3(1).]

(3) DEVICE IDENTIFICATION AND AUTHENTICATION | DYNAMIC ADDRESS ALLOCATION

(a) Where addresses are allocated dynamically, standardize dynamic address allocation
lease information and the lease duration assigned to devices in accordance with
[ Assignment: organization-defined lease information and lease duration ]; and
(b) Audit lease information when assigned to a device.
Discussion: The Dynamic Host Configuration Protocol (DHCP) is an example of a means by
which clients can dynamically receive network address assignments.
Related Controls: AU-2.

(4) DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION

Handle device identification and authentication based on attestation by [ Assignment:
organization-defined configuration management process ].
Discussion: Device attestation refers to the identification and authentication of a device
based on its configuration and known operating state. Device attestation can be determined
via a cryptographic hash of the device. If device attestation is the means of identification and
authentication, then it is important that patches and updates to the device are handled via a
configuration management process such that the patches and updates are done securely
and do not disrupt identification and authentication to other devices.
Related Controls: CM-2, CM-3, CM-6.
References: None.
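The IA-3(4) discussion makes a point that is easy to miss in operation: if a device is identified by a hash of its configuration and known state, any patch changes that hash, so the configuration management process has to publish the new approved measurement before the patch reaches the device, or the device stops authenticating. The example below is added here and is not code or procedure from SP 800-53 or NIST. It stands in for a TPM-style quote with a SHA-256 over canonical JSON and a device-held HMAC key (both assumptions), and shows the admission decision before a patch, after a patch applied outside the CM process, and after CM approves it.

```python
import hashlib
import hmac
import json
import secrets


def measure(state: dict) -> str:
    """Hash of the canonicalised configuration and known operating state.

    Stands in for a TPM PCR quote; canonical JSON keeps the hash independent of key order.
    """
    canon = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class Device:
    def __init__(self, device_id: str, attestation_key: bytes, state: dict):
        self.device_id = device_id
        self.key = attestation_key
        self.state = dict(state)

    def quote(self, nonce: bytes) -> tuple[str, bytes]:
        """Measurement plus a keyed tag over (nonce, measurement): fresh and bound to this device."""
        m = measure(self.state)
        return m, hmac.new(self.key, nonce + m.encode(), "sha256").digest()

    def apply_patch(self, **changes) -> None:
        self.state.update(changes)


class AttestationVerifier:
    """Admits a device only if its quote matches a measurement the CM process has approved."""

    def __init__(self):
        self.approved: dict[str, set[str]] = {}   # device type -> approved measurements
        self.device_keys: dict[str, bytes] = {}   # device id -> attestation key
        self.outstanding: set[bytes] = set()      # nonces issued and not yet answered

    def enroll(self, device_id: str, attestation_key: bytes) -> None:
        self.device_keys[device_id] = attestation_key

    def approve_baseline(self, device_type: str, state: dict) -> str:
        """CM step: record the measurement of an approved build before it is rolled out."""
        m = measure(state)
        self.approved.setdefault(device_type, set()).add(m)
        return m

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def admit(self, device_id: str, device_type: str, nonce: bytes, measurement: str, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                              # stale or replayed quote
        self.outstanding.discard(nonce)
        key = self.device_keys.get(device_id)
        if key is None:
            return False                              # unknown device
        expected = hmac.new(key, nonce + measurement.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False                              # quote not produced with this device's key
        return measurement in self.approved.get(device_type, set())


def scenario() -> tuple[bool, bool, bool]:
    """Admission before a patch, after an unmanaged patch, and after CM approves the patch."""
    key = secrets.token_bytes(32)
    baseline = {                                      # constructed device state
        "firmware": "2.4.1",
        "bootloader_sha256": hashlib.sha256(b"constructed bootloader image").hexdigest(),
        "secure_boot": True,
    }
    verifier = AttestationVerifier()
    verifier.enroll("sensor-17", key)
    verifier.approve_baseline("sensor", baseline)
    device = Device("sensor-17", key, baseline)

    def attempt() -> bool:
        nonce = verifier.challenge()
        measurement, tag = device.quote(nonce)
        return verifier.admit("sensor-17", "sensor", nonce, measurement, tag)

    before = attempt()                                # True
    device.apply_patch(firmware="2.4.2")              # patch applied outside the CM process
    unmanaged = attempt()                             # False: measurement is not approved
    verifier.approve_baseline("sensor", {**baseline, "firmware": "2.4.2"})
    managed = attempt()                               # True once CM has published it
    return before, unmanaged, managed
```

The ordering matters: `approve_baseline` for the patched state has to run before the fleet is patched, otherwise every patched device is locked out until CM catches up, which is the disruption the discussion warns about.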

IA-4 IDENTIFIER MANAGEMENT

Control: Manage system identifiers by:
a. Receiving authorization from [ Assignment: organization-defined personnel or roles ] to assign
an individual, group, role, service, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, service, or device;
c. Assigning the identifier to the intended individual, group, role, service, or device; and
d. Preventing reuse of identifiers for [ Assignment: organization-defined time period ].
Discussion: Common device identifiers include Media Access Control (MAC) addresses, Internet
Protocol (IP) addresses, or device-unique token identifiers. The management of individual
identifiers is not applicable to shared system accounts. Typically, individual identifiers are the
usernames of the system accounts assigned to those individuals. In such instances, the account
management activities of AC-2 use account names provided by IA-4. Identifier management also
addresses individual identifiers not necessarily associated with system accounts. Preventing the
reuse of identifiers implies preventing the assignment of previously used individual, group, role,
service, or device identifiers to different individuals, groups, roles, services, or devices.
Related Controls: AC-5, IA-2, IA-3, IA-5, IA-8, IA-9, IA-12, MA-4, PE-2, PE-3, PE-4, PL-4, PM-12,
PS-3, PS-4, PS-5, SC-37.
Control Enhancements:

(1) IDENTIFIER MANAGEMENT | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS

Prohibit the use of system account identifiers that are the same as public identifiers for
individual accounts.
Discussion: Prohibiting account identifiers as public identifiers applies to any publicly
disclosed account identifier used for communication such as, electronic mail and instant
messaging. Prohibiting the use of systems account identifiers that are the same as some
public identifier, such as the individual identifier section of an electronic mail address, makes
it more difficult for adversaries to guess user identifiers. Prohibiting account identifiers as
public identifiers without the implementation of other supporting controls only complicates
guessing of identifiers. Additional protections are required for authenticators and credentials
to protect the account.
Related Controls: AT-2, PT-7.

(2) IDENTIFIER MANAGEMENT | SUPERVISOR AUTHORIZATION

[Withdrawn: Incorporated into IA-12(1).]

(3) IDENTIFIER MANAGEMENT | MULTIPLE FORMS OF CERTIFICATION

[Withdrawn: Incorporated into IA-12(2).]

(4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS

Manage individual identifiers by uniquely identifying each individual as [ Assignment:
organization-defined characteristic identifying individual status ].
Discussion: Characteristics that identify the status of individuals include contractors, foreign
nationals, and non-organizational users. Identifying the status of individuals by these
characteristics provides additional information about the people with whom organizational
personnel are communicating. For example, it might be useful for a government employee
to know that one of the individuals on an email message is a contractor.
Related Controls: None.

(5) IDENTIFIER MANAGEMENT | DYNAMIC MANAGEMENT

Manage individual identifiers dynamically in accordance with [ Assignment: organization-
defined dynamic identifier policy ].
Discussion: In contrast to conventional approaches to identification that presume static
accounts for preregistered users, many distributed systems establish identifiers at runtime
for entities that were previously unknown. When identifiers are established at runtime for
previously unknown entities, organizations can anticipate and provision for the dynamic
establishment of identifiers. Pre-established trust relationships and mechanisms with
appropriate authorities to validate credentials and related identifiers are essential.
Related Controls: AC-16.

(6) IDENTIFIER MANAGEMENT | CROSS-ORGANIZATION MANAGEMENT

Coordinate with the following external organizations for cross-organization management
of identifiers: [ Assignment: organization-defined external organizations ].
Discussion: Cross-organization identifier management provides the capability to identify
individuals, groups, roles, or devices when conducting cross-organization activities involving
the processing, storage, or transmission of information.
Related Controls: AU-16, IA-2, IA-5.

(7) IDENTIFIER MANAGEMENT | IN-PERSON REGISTRATION

[Withdrawn: Incorporated into IA-12(4).]

(8) IDENTIFIER MANAGEMENT | PAIRWISE PSEUDONYMOUS IDENTIFIERS

Generate pairwise pseudonymous identifiers.
Discussion: A pairwise pseudonymous identifier is an opaque unguessable subscriber
identifier generated by an identity provider for use at a specific individual relying party.
Generating distinct pairwise pseudonymous identifiers with no identifying information about
a subscriber discourages subscriber activity tracking and profiling beyond the operational
requirements established by an organization. The pairwise pseudonymous identifiers are
unique to each relying party except in situations where relying parties can show a
demonstrable relationship justifying an operational need for correlation, or all parties
consent to being correlated in such a manner.
Related Controls: IA-5.
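The properties IA-4(8) asks for (opaque, unguessable, distinct per relying party, yet stable for a given subject at a given relying party, and correlatable only where relying parties share a demonstrated relationship) follow directly from deriving the identifier as a keyed MAC over the subject identifier and the relying-party (or shared sector) identifier, with the key held only by the identity provider. The example below is added here and is not code from SP 800-53, NIST or any identity provider; the key, subject and relying-party names are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional


class IdentityProvider:
    """Issues pairwise pseudonymous identifiers (PPIDs) and holds the only mapping back to the subject."""

    def __init__(self, ppid_key: bytes):
        self.ppid_key = ppid_key            # secret; without it a PPID cannot be guessed or reversed
        self.sectors: dict[str, str] = {}   # relying party -> sector identifier shared by related RPs
        self.index: dict[str, str] = {}     # ppid -> subject id, kept inside the IdP only

    def register_sector(self, relying_party: str, sector: str) -> None:
        """Record that this relying party has a justified, shared sector (IA-4(8)'s correlation case).

        Must be registered before any PPID is issued to that relying party, because it changes
        the audience the PPID is derived from.
        """
        self.sectors[relying_party] = sector

    def ppid(self, subject_id: str, relying_party: str) -> str:
        audience = self.sectors.get(relying_party, relying_party)
        # NUL separator prevents subject/audience boundary ambiguity.
        message = subject_id.encode() + b"\x00" + audience.encode()
        digest = hmac.new(self.ppid_key, message, hashlib.sha256).digest()
        value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        self.index[value] = subject_id
        return value

    def resolve(self, ppid: str) -> Optional[str]:
        """Operational lookup available only to the IdP (e.g., for incident handling)."""
        return self.index.get(ppid)


if __name__ == "__main__":
    idp = IdentityProvider(b"\x11" * 32)     # constructed key; generate and protect a real one
    subject = "alice@agency.example"
    print(idp.ppid(subject, "https://rp1.example"))
    print(idp.ppid(subject, "https://rp2.example"))   # different value for the same subject
```

Because the derivation is deterministic, the identity provider does not have to persist a PPID per relying party to keep it stable; the `index` is kept only so that the provider itself can resolve a pseudonym when it has an operational need to, something no relying party can do.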

(9) IDENTIFIER MANAGEMENT | ATTRIBUTE MAINTENANCE AND PROTECTION

Maintain the attributes for each uniquely identified individual, device, or service in
[ Assignment: organization-defined protected central storage ].
Discussion: For each of the entities covered in IA-2, IA-3, IA-8, and IA-9, it is important to
maintain the attributes for each authenticated entity on an ongoing basis in a central
(protected) store.
Related Controls: None.
References: [FIPS 201-2], [SP 800-63-3], [SP 800-73-4], [SP 800-76-2], [SP 800-78-4].

IA-5 AUTHENTICATOR MANAGEMENT

Control: Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual,
group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator
distribution, for lost or compromised or damaged authenticators, and for revoking
authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [ Assignment: organization-defined time period by
authenticator type ] or when [ Assignment: organization-defined events ] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect
authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts
changes.
Discussion: Authenticators include passwords, cryptographic devices, biometrics, certificates,
one-time password devices, and ID badges. Device authenticators include certificates and
passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial
password). In contrast, the requirements for authenticator content contain specific criteria or
characteristics (e.g., minimum password length). Developers may deliver system components
with factory default authentication credentials (i.e., passwords) to allow for initial installation
and configuration. Default authentication credentials are often well known, easily discoverable,
and present a significant risk. The requirement to protect individual authenticators may be
implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by
controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including
passwords stored in hashed or encrypted formats or files containing encrypted or hashed
passwords accessible with administrator privileges.
Systems support authenticator management by organization-defined settings and restrictions for
various authenticator characteristics (e.g., minimum password length, validation time window for
time synchronous one-time tokens, and number of allowed rejections during the verification
stage of biometric authentication). Actions can be taken to safeguard individual authenticators,
including maintaining possession of authenticators, not sharing authenticators with others, and
immediately reporting lost, stolen, or compromised authenticators. Authenticator management
includes issuing and revoking authenticators for temporary access when no longer needed.
Related Controls: AC-3, AC-6, CM-6, IA-2, IA-4, IA-7, IA-8, IA-9, MA-4, PE-2, PL-4, SC-12, SC-13.
Control Enhancements:

(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION

For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update
the list [ Assignment: organization-defined frequency ] and when organizational
passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on
the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a
keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all
printable characters;
(g) Employ automated tools to assist the user in selecting strong password
authenticators; and
(h) Enforce the following composition and complexity rules: [ Assignment: organization-
defined composition and complexity rules ].
Discussion: Password-based authentication applies to passwords regardless of whether they
are used in single-factor or multi-factor authentication. Long passwords or passphrases are
preferable over shorter passwords. Enforced composition rules provide marginal security
benefits while decreasing usability. However, organizations may choose to establish certain
rules for password generation (e.g., minimum character length for long passwords) under
certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can
occur, for example, in situations when a password is forgotten. Cryptographically protected
passwords include salted one-way cryptographic hashes of passwords. The list of commonly
used, compromised, or expected passwords includes passwords obtained from previous
breach corpuses, dictionary words, and repetitive or sequential characters. The list includes
context-specific words, such as the name of the service, username, and derivatives thereof.
Related Controls: IA-6.
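Items (a), (b), (d), (f) and (h) of IA-5(1) and the discussion above describe a concrete verifier-side procedure: screen a new password against a blocklist of breached, common and context-specific values (including derivatives of the username and service name, and repetitive or sequential strings), allow long passphrases with spaces, and store the result with a salted key derivation function, preferably wrapped in a keyed hash. The example below is added here and is not code from SP 800-53 or NIST. The blocklist is a constructed stand-in for a real breach corpus; PBKDF2-HMAC-SHA256 is used because it is in the Python standard library (memory-hard functions such as scrypt or Argon2 are stronger choices where available); the iteration count and the pepper are assumed policy values; the pepper is the key of the keyed hash and must be stored separately from the password database.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed stand-in for the organization's list of commonly used, expected or
# compromised passwords (IA-5(1)(a)). A real list is built from breach corpora.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

PBKDF2_ITERATIONS = 600_000  # assumed policy value


def _variants(password: str) -> set[str]:
    """Normalisations an attacker also tries: case-folded, and with trailing digits/symbols removed."""
    lower = password.lower()
    return {lower, re.sub(r"[\d\W_]+$", "", lower)}


def _context_words(service: str, username: str) -> set[str]:
    """Service name, username, and username fragments of at least three characters."""
    words = {service.lower()}
    local = username.lower().split("@")[0]
    words.add(local)
    compact = re.sub(r"[^a-z0-9]", "", local)
    if len(compact) >= 3:
        words.add(compact)
    for part in re.split(r"[.@_\-\s]+", username.lower()):
        if len(part) >= 3:
            words.add(part)
    return words


def _repetitive_or_sequential(password: str) -> bool:
    """Heuristic: one repeated character, a strictly +1/-1 run, or a short pattern repeated."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    if steps in ({1}, {-1}):
        return True
    n = len(password)
    return any(password == password[:k] * (n // k) for k in range(1, n // 2 + 1) if n % k == 0)


def check_password(password: str, service: str, username: str,
                   min_len: int = 8, max_len: int = 128) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it is rejected.

    Spaces and all printable characters are allowed (IA-5(1)(f)); the only composition
    rule enforced is length (IA-5(1)(h)).
    """
    if not (min_len <= len(password) <= max_len):
        return f"length must be between {min_len} and {max_len} characters"
    if not password.isprintable():
        return "contains non-printable characters"
    if _variants(password) & BLOCKLIST:
        return "appears on the compromised/common password list"
    lower = password.lower()
    if any(word in lower for word in _context_words(service, username)):
        return "contains the service name or username"
    if _repetitive_or_sequential(password):
        return "repetitive or sequential characters"
    return None


def hash_password(password: str, pepper: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, then a keyed hash (HMAC under a pepper kept outside the database)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    keyed = hmac.new(pepper, dk, hashlib.sha256).hexdigest()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${keyed}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    algorithm, iterations, salt_hex, keyed = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(hmac.new(pepper, dk, hashlib.sha256).hexdigest(), keyed)


if __name__ == "__main__":
    for candidate in ("Password1!", "doe-summer-2024", "abcdefgh", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, "payroll", "j.doe@example.gov"))
```

The keyed hash is what (d) means by "preferably using a keyed hash": a database dump alone yields PBKDF2 outputs that cannot be checked against guesses without the pepper, so an attacker needs both the stored records and the separately held key before offline guessing is possible.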

(2) AUTHENTICATOR MANAGEMENT | PUBLIC KEY-BASED AUTHENTICATION

(a) For public key-based authentication:
(1) Enforce authorized access to the corresponding private key; and
(2) Map the authenticated identity to the account of the individual or group; and
(b) When public key infrastructure (PKI) is used:
(1) Validate certificates by constructing and verifying a certification path to an
accepted trust anchor, including checking certificate status information; and
(2) Implement a local cache of revocation data to support path discovery and
validation.
Discussion: Public key cryptography is a valid authentication mechanism for individuals,
machines, and devices. For PKI solutions, status information for certification paths includes
certificate revocation lists or certificate status protocol responses. For PIV cards, certificate
validation involves the construction and verification of a certification path to the Common
Policy Root trust anchor, which includes certificate policy processing. Implementing a local
cache of revocation data to support path discovery and validation also supports system
availability in situations where organizations are unable to access revocation information via
the network.
Related Controls: IA-3, SC-17.
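Path construction to a trust anchor, status checking, and a local cache of revocation data as the discussion above describes them, as an added Go example (standard library only; Go 1.19 or later for x509.ParseRevocationList and CheckSignatureFrom) that is not part of SP 800-53. It builds its own constructed root, issuing CA and user certificate; CRLs as the status source, the fail-closed handling of missing or stale cache entries, and Ed25519 keys are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationCache holds CRLs keyed by DER issuer name; Add admits a CRL only after its
// signature has been verified against the issuer certificate.
type RevocationCache map[string]*x509.RevocationList

func (c RevocationCache) Add(crlDER []byte, issuer *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL rejected, not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	c[string(issuer.RawSubject)] = rl
	return nil
}

// Status fails closed: no CRL for the issuer, a CRL past NextUpdate, or a listed serial all reject.
func (c RevocationCache) Status(cert *x509.Certificate, now time.Time) error {
	rl, ok := c[string(cert.RawIssuer)]
	if !ok {
		return fmt.Errorf("no cached revocation data for issuer %q", cert.Issuer.CommonName)
	}
	if now.After(rl.NextUpdate) {
		return fmt.Errorf("cached CRL from %q expired at %s", cert.Issuer.CommonName, rl.NextUpdate.UTC())
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q (serial %d) is revoked", cert.Subject.CommonName, cert.SerialNumber)
		}
	}
	return nil
}

// Validate constructs and verifies a certification path from leaf to a trust anchor
// in roots, then checks every certificate below the anchor against the local cache.
func Validate(leaf *x509.Certificate, inters, roots *x509.CertPool, cache RevocationCache, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	for _, cert := range chains[0][:len(chains[0])-1] { // leaf first, trust anchor last
		if err := cache.Status(cert, now); err != nil {
			return err
		}
	}
	return nil
}

// mustIssue creates an Ed25519 certificate for the constructed hierarchy (parent == nil
// means a self-signed trust anchor); failures here are fixture bugs, so it panics.
func mustIssue(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// BuildDemoPKI returns a constructed root -> issuing CA -> user hierarchy plus the CA keys.
func BuildDemoPKI(now time.Time) (root, inter, leaf *x509.Certificate, rootKey, interKey ed25519.PrivateKey) {
	root, rootKey = mustIssue(1, "Example Root CA", true, nil, nil, now)
	inter, interKey = mustIssue(2, "Example Issuing CA", true, root, rootKey, now)
	leaf, _ = mustIssue(3, "jdoe", false, inter, interKey, now)
	return root, inter, leaf, rootKey, interKey
}

// IssueCRL signs a CRL from ca listing the revoked serials, valid from thisUpdate to nextUpdate.
func IssueCRL(ca *x509.Certificate, key ed25519.PrivateKey, revoked []int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(thisUpdate.UnixNano()), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}
```

With no network access the cache is the only status source, so an expired NextUpdate rejects the path rather than silently skipping the check.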

(3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED EXTERNAL PARTY REGISTRATION

[Withdrawn: Incorporated into IA-12(4).]

(4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION

[Withdrawn: Incorporated into IA-5(1).]

(5) AUTHENTICATOR MANAGEMENT | CHANGE AUTHENTICATORS PRIOR TO DELIVERY

Require developers and installers of system components to provide unique authenticators
or change default authenticators prior to delivery and installation.
Discussion: Changing authenticators prior to the delivery and installation of system
components extends the requirement for organizations to change default authenticators
upon system installation by requiring developers and/or installers to provide unique
authenticators or change default authenticators for system components prior to delivery
and/or installation. However, it typically does not apply to developers of commercial off-the-
shelf information technology products. Requirements for unique authenticators can be
included in acquisition documents prepared by organizations when procuring systems or
system components.
Related Controls: None.

(6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS

Protect authenticators commensurate with the security category of the information to
which use of the authenticator permits access.
Discussion: For systems that contain multiple security categories of information without
reliable physical or logical separation between categories, authenticators used to grant
access to the systems are protected commensurate with the highest security category of
information on the systems. Security categories of information are determined as part of the
security categorization process.
Related Controls: RA-2.

(7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS

Ensure that unencrypted static authenticators are not embedded in applications or
other forms of static storage.
Discussion: In addition to applications, other forms of static storage include access scripts
and function keys. Organizations exercise caution when determining whether embedded or
stored authenticators are in encrypted or unencrypted form. If authenticators are used in
the manner stored, then those representations are considered unencrypted authenticators.
Related Controls: None.

(8) AUTHENTICATOR MANAGEMENT | MULTIPLE SYSTEM ACCOUNTS

Implement [ Assignment: organization-defined security controls ] to manage the risk of
compromise due to individuals having accounts on multiple systems.
Discussion: When individuals have accounts on multiple systems and use the same
authenticators such as passwords, there is the risk that a compromise of one account may
lead to the compromise of other accounts. Alternative approaches include having different
authenticators (passwords) on all systems, employing a single sign-on or federation
mechanism, or using some form of one-time passwords on all systems. Organizations can
also use rules of behavior (see PL-4) and access agreements (see PS-6) to mitigate the risk of
multiple system accounts.
Related Controls: PS-6.

(9) AUTHENTICATOR MANAGEMENT | FEDERATED CREDENTIAL MANAGEMENT

Use the following external organizations to federate credentials: [ Assignment:
organization-defined external organizations ].
Discussion: Federation provides organizations with the capability to authenticate individuals
and devices when conducting cross-organization activities involving the processing, storage,
or transmission of information. Using a specific list of approved external organizations for
authentication helps to ensure that those organizations are vetted and trusted.
Related Controls: AU-7, AU-16.

(10) AUTHENTICATOR MANAGEMENT | DYNAMIC CREDENTIAL BINDING

Bind identities and authenticators dynamically using the following rules: [ Assignment:
organization-defined binding rules ].
Discussion: Authentication requires some form of binding between an identity and the
authenticator that is used to confirm the identity. In conventional approaches, binding is
established by pre-provisioning both the identity and the authenticator to the system. For
example, the binding between a username (i.e., identity) and a password (i.e., authenticator)
is accomplished by provisioning the identity and authenticator as a pair in the system. New
authentication techniques allow the binding between the identity and the authenticator to
be implemented external to a system. For example, with smartcard credentials, the identity
and authenticator are bound together on the smartcard. Using these credentials, systems
can authenticate identities that have not been pre-provisioned, dynamically provisioning the
identity after authentication. In these situations, organizations can anticipate the dynamic
provisioning of identities. Pre-established trust relationships and mechanisms with
appropriate authorities to validate identities and related credentials are essential.
Related Controls: AU-16, IA-5.

(11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION

[Withdrawn: Incorporated into IA-2(1) and IA-2(2).]

(12) AUTHENTICATOR MANAGEMENT | BIOMETRIC AUTHENTICATION PERFORMANCE

For biometric-based authentication, employ mechanisms that satisfy the following
biometric quality requirements [ Assignment: organization-defined biometric quality
requirements ].
Discussion: Unlike password-based authentication, which provides exact matches of user-
input passwords to stored passwords, biometric authentication does not provide exact
matches. Depending on the type of biometric and the type of collection mechanism, there is
likely to be some divergence from the presented biometric and the stored biometric that
serves as the basis for comparison. Matching performance is the rate at which a biometric
algorithm correctly results in a match for a genuine user and rejects other users. Biometric
performance requirements include the match rate, which reflects the accuracy of the
biometric matching algorithm used by a system.
Related Controls: AC-7.

(13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS

Prohibit the use of cached authenticators after [ Assignment: organization-defined time
period ].
Discussion: Cached authenticators are used to authenticate to the local machine when the
network is not available. If cached authentication information is out of date, the validity of
the authentication information may be questionable.
Related Controls: None.

(14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES

For PKI-based authentication, employ an organization-wide methodology for managing the
content of PKI trust stores installed across all platforms, including networks, operating
systems, browsers, and applications.
Discussion: An organization-wide methodology for managing the content of PKI trust stores
helps improve the accuracy and currency of PKI-based authentication credentials across the
organization.
Related Controls: None.

(15) AUTHENTICATOR MANAGEMENT | GSA-APPROVED PRODUCTS AND SERVICES

Use only General Services Administration-approved products and services for identity,
credential, and access management.
Discussion: General Services Administration (GSA)-approved products and services are
products and services that have been approved through the GSA conformance program,
where applicable, and posted to the GSA Approved Products List. GSA provides guidance for
teams to design and build functional and secure systems that comply with Federal Identity,
Credential, and Access Management (FICAM) policies, technologies, and implementation
patterns.
Related Controls: None.

(16) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED EXTERNAL PARTY AUTHENTICATOR ISSUANCE

Require that the issuance of [ Assignment: organization-defined types of and/or specific
authenticators ] be conducted [ Selection: in person; by a trusted external party ] before
[ Assignment: organization-defined registration authority ] with authorization by
[Assignment: organization-defined personnel or roles ].
Discussion: Issuing authenticators in person or by a trusted external party enhances and
reinforces the trustworthiness of the identity proofing process.
Related Controls: IA-12.

(17) AUTHENTICATOR MANAGEMENT | PRESENTATION ATTACK DETECTION FOR BIOMETRIC AUTHENTICATORS

Employ presentation attack detection mechanisms for biometric-based authentication.
Discussion: Biometric characteristics do not constitute secrets. Such characteristics can be
obtained by online web accesses, taking a picture of someone with a camera phone to
obtain facial images with or without their knowledge, lifting from objects that someone has
touched (e.g., a latent fingerprint), or capturing a high-resolution image (e.g., an iris
pattern). Presentation attack detection technologies, including liveness detection, can
mitigate the risk of these types of attacks by making it difficult to produce artifacts intended
to defeat the biometric sensor.
Related Controls: AC-7.

(18) AUTHENTICATOR MANAGEMENT | PASSWORD MANAGERS

(a) Employ [ Assignment: organization-defined password managers ] to generate and
manage passwords; and
(b) Protect the passwords using [ Assignment: organization-defined controls ].
Discussion: For systems where static passwords are employed, it is often a challenge to
ensure that the passwords are suitably complex and that the same passwords are not
employed on multiple systems. A password manager is a solution to this problem as it
automatically generates and stores strong and different passwords for various accounts. A
potential risk of using password managers is that adversaries can target the collection of
passwords generated by the password manager. Therefore, the collection of passwords
requires protection including encrypting the passwords (see IA-5(1)(d)) and storing the
collection offline in a token.
Related Controls: None.
References: [FIPS 140-3], [FIPS 180-4], [FIPS 201-2], [FIPS 202], [SP 800-63-3], [SP 800-73-4],
[SP 800-76-2], [SP 800-78-4], [IR 7539], [IR 7817], [IR 7849], [IR 7870], [IR 8040].

IA-6 AUTHENTICATION FEEDBACK

Control: Obscure feedback of authentication information during the authentication process to
protect the information from possible exploitation and use by unauthorized individuals.
Discussion: Authentication feedback from systems does not provide information that would
allow unauthorized individuals to compromise authentication mechanisms. For some types of
systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as
shoulder surfing) may be significant. For other types of systems, such as mobile devices with
small displays, the threat may be less significant and is balanced against the increased likelihood
of typographic input errors due to small keyboards. Thus, the means for obscuring authentication
feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks
when users type passwords into input devices or displaying feedback for a very limited time
before obscuring it.
Related Controls: AC-3.
Control Enhancements: None.
References: None.

IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

Control: Implement mechanisms for authentication to a cryptographic module that meet the
requirements of applicable laws, executive orders, directives, policies, regulations, standards,
and guidelines for such authentication.
Discussion: Authentication mechanisms may be required within a cryptographic module to
authenticate an operator accessing the module and to verify that the operator is authorized to
assume the requested role and perform services within that role.
Related Controls: AC-3, IA-5, SA-4, SC-12, SC-13.
Control Enhancements: None.
References: [FIPS 140-3].

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

Control: Uniquely identify and authenticate non-organizational users or processes acting on
behalf of non-organizational users.
Discussion: Non-organizational users include system users other than organizational users
explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for
accesses other than those explicitly identified and documented in AC-14. Identification and
authentication of non-organizational users accessing federal systems may be required to protect
federal, proprietary, or privacy-related information (with exceptions noted for national security
systems). Organizations consider many factors—including security, privacy, scalability, and
practicality—when balancing the need to ensure ease of use for access to federal information
and systems with the need to protect and adequately mitigate risk.
Related Controls: AC-2, AC-6, AC-14, AC-17, AC-18, AU-6, IA-2, IA-4, IA-5, IA-10, IA-11, MA-4,
RA-3, SA-4, SC-8.
Control Enhancements:

(1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

Accept and electronically verify Personal Identity Verification-compliant credentials from
other federal agencies.
Discussion: Acceptance of Personal Identity Verification (PIV) credentials from other federal
agencies applies to both logical and physical access control systems. PIV credentials are
those credentials issued by federal agencies that conform to FIPS Publication 201 and
supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and
authorized using [SP 800-79-2].
Related Controls: PE-3.

(2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF EXTERNAL AUTHENTICATORS

(a) Accept only external authenticators that are NIST-compliant; and
(b) Document and maintain a list of accepted external authenticators.
Discussion: Acceptance of only NIST-compliant external authenticators applies to
organizational systems that are accessible to the public (e.g., public-facing websites).
External authenticators are issued by nonfederal government entities and are compliant
with [SP 800-63B]. Approved external authenticators meet or exceed the minimum Federal
Government-wide technical, security, privacy, and organizational maturity requirements.
Meeting or exceeding Federal requirements allows Federal Government relying parties to
trust external authenticators in connection with an authentication transaction at a specified
authenticator assurance level.
Related Controls: None.

(3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS

[Withdrawn: Incorporated into IA-8(2).]

(4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF DEFINED PROFILES

Conform to the following profiles for identity management [ Assignment: organization-
defined identity management profiles ].
Discussion: Organizations define profiles for identity management based on open identity
management standards. To ensure that open identity management standards are viable,
robust, reliable, sustainable, and interoperable as documented, the Federal Government
assesses and scopes the standards and technology implementations against applicable laws,
executive orders, directives, policies, regulations, standards, and guidelines.
Related Controls: None.

(5) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV-I CREDENTIALS

Accept and verify federated or PKI credentials that meet [ Assignment: organization-
defined policy ].
Discussion: Acceptance of PIV-I credentials can be implemented by PIV, PIV-I, and other
commercial or external identity providers. The acceptance and verification of Personal
Identity Verification (PIV)-I-compliant credentials apply to both logical and physical access
control systems. The acceptance and verification of PIV-I credentials address nonfederal
issuers of identity cards that desire to interoperate with United States Government PIV
systems and that can be trusted by Federal Government-relying parties. The X.509 certificate
policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements.
The PIV-I card is commensurate with the PIV credentials as defined in cited references. PIV-I
credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps
to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA
(directly or through another PKI bridge) with policies that have been mapped and approved
as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy.
Related Controls: None.

(6) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | DISASSOCIABILITY

Implement the following measures to disassociate user attributes or identifier assertion
relationships among individuals, credential service providers, and relying parties:
[ Assignment: organization-defined measures ].
Discussion: Federated identity solutions can create increased privacy risks due to the
tracking and profiling of individuals. Using identifier mapping tables or cryptographic
techniques to blind credential service providers and relying parties from each other or to
make identity attributes less visible to transmitting parties can reduce these privacy risks.
Related Controls: None.
References: [OMB A-130], [FED PKI], [FIPS 201-2], [SP 800-63-3], [SP 800-79-2], [SP 800-116],
[IR 8062].

IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION

Control: Uniquely identify and authenticate [ Assignment: organization-defined system services
and applications ] before establishing communications with devices, users, or other services or
applications.
Discussion: Services that may require identification and authentication include web applications
using digital certificates or services or applications that query a database. Identification and
authentication methods for system services and applications include information or code signing,
provenance graphs, and electronic signatures that indicate the sources of services. Decisions
regarding the validity of identification and authentication claims can be made by services
separate from the services acting on those decisions. This can occur in distributed system
architectures. In such situations, the identification and authentication decisions (instead of actual
identifiers and authentication data) are provided to the services that need to act on those
decisions.
Related Controls: IA-3, IA-4, IA-5, SC-8.
Control Enhancements:

(1) SERVICE IDENTIFICATION AND AUTHENTICATION | INFORMATION EXCHANGE

[Withdrawn: Incorporated into IA-9.]

(2) SERVICE IDENTIFICATION AND AUTHENTICATION | TRANSMISSION OF DECISIONS

[Withdrawn: Incorporated into IA-9.]
References: None.

IA-10 ADAPTIVE AUTHENTICATION

Control: Require individuals accessing the system to employ [ Assignment: organization-defined
supplemental authentication techniques or mechanisms ] under specific [ Assignment:
organization-defined circumstances or situations ].
Discussion: Adversaries may compromise individual authentication mechanisms employed by
organizations and subsequently attempt to impersonate legitimate users. To address this threat,
organizations may employ specific techniques or mechanisms and establish protocols to assess
suspicious behavior. Suspicious behavior may include accessing information that individuals do
not typically access as part of their duties, roles, or responsibilities; accessing greater quantities
of information than individuals would routinely access; or attempting to access information from
suspicious network addresses. When pre-established conditions or triggers occur, organizations
can require individuals to provide additional authentication information. Another potential use
for adaptive authentication is to increase the strength of mechanism based on the number or
types of records being accessed. Adaptive authentication does not replace and is not used to
avoid the use of multi-factor authentication mechanisms but can augment implementations of
multi-factor authentication.
Related Controls: IA-2, IA-8.
Control Enhancements: None.
References: [SP 800-63-3].
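The triggers the discussion lists (access outside a user's routine duties, unusually large volumes, suspicious network addresses) and the supplemental mechanism they call for, as an added Go example that is not part of SP 800-53. The log format, the baseline values, the 10x and 100x thresholds and the mechanism names are constructed for the example; the step-up augments the multi-factor authentication already performed at login and does not replace it.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// AccessEvent is one parsed record of the constructed log format used here.
type AccessEvent struct {
	User, Resource, SourceIP string
	Records                  int
}

// Baseline is what is routine for a user: the resources tied to their duties,
// the record volume they normally retrieve, and the organization's own networks.
type Baseline struct {
	TypicalResources map[string]bool
	RoutineRecords   int
	KnownNetworks    []netip.Prefix
}

// Assumed policy thresholds, as multiples of the user's routine record volume.
const (
	volumeFactor = 10  // above this, the volume counts as suspicious behaviour
	bulkFactor   = 100 // above this, demand the stronger mechanism
)

// ParseEvent parses "user=... resource=... src=... records=N" (constructed format).
func ParseEvent(line string) (AccessEvent, error) {
	kv := map[string]string{}
	for _, field := range strings.Fields(line) {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			return AccessEvent{}, fmt.Errorf("malformed field %q", field)
		}
		kv[k] = v
	}
	n, err := strconv.Atoi(kv["records"])
	if err != nil || n < 0 || kv["user"] == "" || kv["resource"] == "" || kv["src"] == "" {
		return AccessEvent{}, fmt.Errorf("incomplete or malformed event: %q", line)
	}
	return AccessEvent{User: kv["user"], Resource: kv["resource"], SourceIP: kv["src"], Records: n}, nil
}

// Assess applies the IA-10 triggers to one event and returns which fired and the
// supplemental mechanism to demand ("" = none; the login-time MFA is unchanged).
// A user with no baseline gets the zero-value Baseline, so the resource and network checks fail.
func Assess(ev AccessEvent, b Baseline) (triggers []string, mechanism string) {
	if !b.TypicalResources[ev.Resource] {
		triggers = append(triggers, "resource outside routine duties: "+ev.Resource)
	}
	if ev.Records > b.RoutineRecords*volumeFactor {
		triggers = append(triggers, fmt.Sprintf("%d records exceeds routine %d", ev.Records, b.RoutineRecords))
	}
	addr, err := netip.ParseAddr(ev.SourceIP)
	known := false
	for _, p := range b.KnownNetworks {
		known = known || (err == nil && p.Contains(addr))
	}
	if !known {
		triggers = append(triggers, "source address outside known networks: "+ev.SourceIP)
	}
	switch {
	case len(triggers) == 0:
		return nil, ""
	case ev.Records > b.RoutineRecords*bulkFactor:
		return triggers, "hardware-authenticator" // stronger mechanism for bulk record access
	default:
		return triggers, "otp-reprompt"
	}
}

// Constructed sample input: three requests by one user, and that user's baseline.
var SampleLog = []string{
	"user=jdoe resource=/hr/timesheets src=10.20.1.15 records=12",
	"user=jdoe resource=/hr/payroll/export src=10.20.1.15 records=5000",
	"user=jdoe resource=/hr/timesheets src=203.0.113.77 records=10",
}

var SampleBaselines = map[string]Baseline{"jdoe": {
	TypicalResources: map[string]bool{"/hr/timesheets": true, "/hr/benefits": true},
	RoutineRecords:   20,
	KnownNetworks:    []netip.Prefix{netip.MustParsePrefix("10.20.0.0/16")},
}}

func main() {
	for _, line := range SampleLog {
		ev, err := ParseEvent(line)
		if err != nil {
			panic(err)
		}
		triggers, mechanism := Assess(ev, SampleBaselines[ev.User])
		fmt.Printf("%-20s step-up=%q %v\n", ev.Resource, mechanism, triggers)
	}
}
```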

IA-11 RE-AUTHENTICATION

Control: Require users to re-authenticate when [ Assignment: organization-defined
circumstances or situations requiring re-authentication ].
Discussion: In addition to the re-authentication requirements associated with device locks,
organizations may require re-authentication of individuals in certain situations, including when
roles, authenticators or credentials change, when security categories of systems change, when
the execution of privileged functions occurs, after a fixed time period, or periodically.
Related Controls: AC-3, AC-11, IA-2, IA-3, IA-4, IA-8.
Control Enhancements: None.
References: None.

IA-12 IDENTITY PROOFING

Control:
a. Identity proof users that require accounts for logical access to systems based on appropriate
identity assurance level requirements as specified in applicable standards and guidelines;
b. Resolve user identities to a unique individual; and
c. Collect, validate, and verify identity evidence.
Discussion: Identity proofing is the process of collecting, validating, and verifying a user’s
identity information for the purposes of establishing credentials for accessing a system. Identity
proofing is intended to mitigate threats to the registration of users and the establishment of
their accounts. Standards and guidelines specifying identity assurance levels for identity proofing
include [SP 800-63-3] and [SP 800-63A]. Organizations may be subject to laws, executive orders,
directives, regulations, or policies that address the collection of identity evidence. Organizational
personnel consult with the senior agency official for privacy and legal counsel regarding such
requirements.
Related Controls: AC-5, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-8.
Control Enhancements:

(1) IDENTITY PROOFING | SUPERVISOR AUTHORIZATION

Require that the registration process to receive an account for logical access includes
supervisor or sponsor authorization.
Discussion: Including supervisor or sponsor authorization as part of the registration process
provides an additional level of scrutiny to ensure that the user’s management chain is aware
of the account, the account is essential to carry out organizational missions and functions,
and the user’s privileges are appropriate for the anticipated responsibilities and authorities
within the organization.
Related Controls: None.

(2) IDENTITY PROOFING | IDENTITY EVIDENCE

Require evidence of individual identification be presented to the registration authority.
Discussion: Identity evidence, such as documentary evidence or a combination of
documents and biometrics, reduces the likelihood of individuals using fraudulent
identification to establish an identity or at least increases the work factor of potential
adversaries. The forms of acceptable evidence are consistent with the risks to the systems,
roles, and privileges associated with the user’s account.
Related Controls: None.

(3) IDENTITY PROOFING | IDENTITY EVIDENCE VALIDATION AND VERIFICATION

Require that the presented identity evidence be validated and verified through
[ Assignment: organizational defined methods of validation and verification ].
Discussion: Validation and verification of identity evidence increases the assurance that
accounts and identifiers are being established for the correct user and authenticators are
being bound to that user. Validation refers to the process of confirming that the evidence is
genuine and authentic, and the data contained in the evidence is correct, current, and
related to an individual. Verification confirms and establishes a linkage between the claimed
identity and the actual existence of the user presenting the evidence. Acceptable methods
for validating and verifying identity evidence are consistent with the risks to the systems,
roles, and privileges associated with the user's account.
Related Controls: None.

(4) IDENTITY PROOFING | IN-PERSON VALIDATION AND VERIFICATION

Require that the validation and verification of identity evidence be conducted in person
before a designated registration authority.
Discussion: In-person proofing reduces the likelihood of fraudulent credentials being issued
because it requires the physical presence of individuals, the presentation of physical identity
documents, and actual face-to-face interactions with designated registration authorities.
Related Controls: None.

(5) IDENTITY PROOFING | ADDRESS CONFIRMATION

Require that a [ Selection: registration code; notice of proofing ] be delivered through an
out-of-band channel to verify the user's address (physical or digital) of record.
Discussion: To make it more difficult for adversaries to pose as legitimate users during the
identity proofing process, organizations can use out-of-band methods to ensure that the
individual associated with an address of record is the same individual that participated in the
registration. Confirmation can take the form of a temporary enrollment code or a notice of
proofing. The delivery address for these artifacts is obtained from records and not self-
asserted by the user. The address can include a physical or digital address. A home address is
an example of a physical address. Email addresses and telephone numbers are examples of
digital addresses.
Related Controls: IA-12.

(6) IDENTITY PROOFING | ACCEPT EXTERNALLY-PROOFED IDENTITIES

Accept externally-proofed identities at [ Assignment: organization-defined identity
assurance level ].
Discussion: To limit unnecessary re-proofing of identities, particularly of non-PIV users,
organizations accept proofing conducted at a commensurate level of assurance by other
agencies or organizations. Proofing is consistent with organizational security policy and the
identity assurance level appropriate for the system, application, or information accessed.
Accepting externally-proofed identities is a fundamental component of managing federated
identities across agencies and organizations.
Related Controls: IA-3, IA-4, IA-5, IA-8.
References: [FIPS 201-2], [SP 800-63-3], [SP 800-63A], [SP 800-79-2].


3.8 INCIDENT RESPONSE

Quick link to Incident Response Summary Table

IR-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] incident response policy that:
     (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
c. Review and update the current incident response:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security or privacy incidents, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [OMB A-130], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-50], [SP 800-61],
[SP 800-83], [SP 800-100].

IR-2 INCIDENT RESPONSE TRAINING

Control:
a. Provide incident response training to system users consistent with assigned roles and
responsibilities:
  1. Within [ Assignment: organization-defined time period ] of assuming an incident response role or responsibility or acquiring system access;
  2. When required by system changes; and
  3. [ Assignment: organization-defined frequency ] thereafter; and
b. Review and update incident response training content [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Related Controls: AT-2, AT-3, AT-4, CP-3, IR-3, IR-4, IR-8, IR-9.
Control Enhancements:

(1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS

Incorporate simulated events into incident response training to facilitate the required
response by personnel in crisis situations.
Discussion: Organizations establish requirements for responding to incidents in incident
response plans. Incorporating simulated events into incident response training helps to
ensure that personnel understand their individual responsibilities and what specific actions
to take in crisis situations. Incident response training includes tabletop exercises that
simulate a breach. See IR-2(3).
Related Controls: None.

(2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS

Provide an incident response training environment using [ Assignment: organization-
defined automated mechanisms ].
Discussion: Automated mechanisms can provide a more thorough and realistic incident
response training environment. This can be accomplished, for example, by providing more
complete coverage of incident response issues, selecting more realistic training scenarios
and environments, and stressing the response capability.
Related Controls: None.

(3) INCIDENT RESPONSE TRAINING | BREACH

Provide incident response training on how to identify and respond to a breach, including
the organization’s process for reporting a breach.
Discussion: For federal agencies, an incident that involves personally identifiable
information is considered a breach. A breach results in the loss of control, compromise,
unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person
other than an authorized user accesses or potentially accesses personally identifiable
information or an authorized user accesses or potentially accesses such information for
other than authorized purposes. The incident response training emphasizes the obligation of
individuals to report both confirmed and suspected breaches involving information in any
medium or form, including paper, oral, and electronic. Incident response training includes
tabletop exercises that simulate a breach. See IR-2(1).
Related Controls: None.
References: [OMB M-17-12], [SP 800-50].

IR-3 INCIDENT RESPONSE TESTING

Control: Test the effectiveness of the incident response capability for the system [ Assignment:
organization-defined frequency ] using the following tests: [ Assignment: organization-defined
tests ].
Discussion: Organizations test incident response capabilities to determine their effectiveness
and identify potential weaknesses or deficiencies. Incident response testing includes the use of
checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident
response testing can include a determination of the effects on organizational operations and
assets and individuals due to incident response. The use of qualitative and quantitative data aids
in determining the effectiveness of incident response processes.
Related Controls: CP-3, CP-4, IR-2, IR-4, IR-8, PM-14.
Control Enhancements:

(1) INCIDENT RESPONSE TESTING | AUTOMATED TESTING

Test the incident response capability using [ Assignment: organization-defined automated
mechanisms ].
Discussion: Organizations use automated mechanisms to more thoroughly and effectively
test incident response capabilities. This can be accomplished by providing more complete
coverage of incident response issues, selecting realistic test scenarios and environments, and
stressing the response capability.
Related Controls: None.

(2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS

Coordinate incident response testing with organizational elements responsible for related
plans.
Discussion: Organizational plans related to incident response testing include business
continuity plans, disaster recovery plans, continuity of operations plans, contingency plans,
crisis communications plans, critical infrastructure plans, and occupant emergency plans.
Related Controls: None.

(3) INCIDENT RESPONSE TESTING | CONTINUOUS IMPROVEMENT

Use qualitative and quantitative data from testing to:
(a) Determine the effectiveness of incident response processes;
(b) Continuously improve incident response processes; and
(c) Provide incident response measures and metrics that are accurate, consistent, and in a
reproducible format.
Discussion: To help incident response activities function as intended, organizations may use
metrics and evaluation criteria to assess incident response programs as part of an effort to
continually improve response performance. These efforts facilitate improvement in incident
response efficacy and lessen the impact of incidents.
Related Controls: None.
References: [OMB A-130], [SP 800-84], [SP 800-115].

IR-4 INCIDENT HANDLING

Control:
a. Implement an incident handling capability for incidents that is consistent with the incident
response plan and includes preparation, detection and analysis, containment, eradication,
and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response
procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable
and predictable across the organization.
Discussion: Organizations recognize that incident response capabilities are dependent on the
capabilities of organizational systems and the mission and business processes being supported by
those systems. Organizations consider incident response as part of the definition, design, and
development of mission and business processes and systems. Incident-related information can
be obtained from a variety of sources, including audit monitoring, physical access monitoring,
and network monitoring; user or administrator reports; and reported supply chain events. An
effective incident handling capability includes coordination among many organizational entities
(e.g., mission or business owners, system owners, authorizing officials, human resources offices,
physical security offices, personnel security offices, legal departments, risk executive [function],
operations personnel, procurement offices). Suspected security incidents include the receipt of
suspicious email communications that can contain malicious code. Suspected supply chain
incidents include the insertion of counterfeit hardware or malicious code into organizational
systems or system components. For federal agencies, an incident that involves personally
identifiable information is considered a breach. A breach results in unauthorized disclosure, the
loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person
other than an authorized user accesses or potentially accesses personally identifiable
information or an authorized user accesses or potentially accesses such information for other
than authorized purposes.
Related Controls: AC-19, AU-6, AU-7, CM-6, CP-2, CP-3, CP-4, IR-2, IR-3, IR-6, IR-8, PE-6, PL-2,
PM-12, SA-8, SC-5, SC-7, SI-3, SI-4, SI-7.
Control Enhancements:

(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

Support the incident handling process using [ Assignment: organization-defined automated
mechanisms ].
Discussion: Automated mechanisms that support incident handling processes include online
incident management systems and tools that support the collection of live response data,
full network packet capture, and forensic analysis.
Related Controls: None.

(2) INCIDENT HANDLING | DYNAMIC RECONFIGURATION

Include the following types of dynamic reconfiguration for [ Assignment: organization-
defined system components ] as part of the incident response capability: [ Assignment:
organization-defined types of dynamic reconfiguration ].
Discussion: Dynamic reconfiguration includes changes to router rules, access control lists,
intrusion detection or prevention system parameters, and filter rules for guards or firewalls.
Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect
attackers, and isolate components of systems, thus limiting the extent of the damage from
breaches or compromises. Organizations include specific time frames for achieving the
reconfiguration of systems in the definition of the reconfiguration capability, considering the
potential need for rapid response to effectively address cyber threats.
Related Controls: AC-2, AC-4, CM-2.

(3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS

Identify [ Assignment: organization-defined classes of incidents ] and take the following
actions in response to those incidents to ensure continuation of organizational mission and
business functions: [ Assignment: organization-defined actions to take in response to
classes of incidents ].
Discussion: Classes of incidents include malfunctions due to design or implementation
errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident
response actions include orderly system degradation, system shutdown, fall back to manual
mode or activation of alternative technology whereby the system operates differently,
employing deceptive measures, alternate information flows, or operating in a mode that is
reserved for when systems are under attack. Organizations consider whether continuity of
operations requirements during an incident conflict with the capability to automatically
disable the system as specified as part of IR-4(5).
Related Controls: None.

(4) INCIDENT HANDLING | INFORMATION CORRELATION

Correlate incident information and individual incident responses to achieve an
organization-wide perspective on incident awareness and response.
Discussion: Sometimes, a threat event, such as a hostile cyber-attack, can only be observed
by bringing together information from different sources, including various reports and
reporting procedures established by organizations.
Related Controls: None.
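The organization-wide perspective IR-4(4) asks for comes from joining reports that are individually inconclusive. The following is an added example, not text or code from SP 800-53: it takes constructed reports from three channels named in IR-4 (network monitoring, audit monitoring, a user report), groups them by affected host within a time window, and surfaces only the groups confirmed by more than one independent channel. The event field names, the channel names and the one-hour window are assumptions made for the example.

```python
"""Correlate incident information from several reporting channels into one view (IR-4(4)).

Added example, not part of SP 800-53. All events are constructed sample data; the field
names (ts, source, host, user, detail) and channel names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports. Each channel alone is weak evidence: the network alert could be
# a false positive, the new scheduled task could be legitimate, and the user report could be a
# misunderstanding. Seen together on one host inside an hour, they describe one incident.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:02:10", "source": "network_monitoring", "host": "ws-1042",
     "user": None, "detail": "outbound connection to newly seen domain"},
    {"ts": "2024-03-04T09:04:55", "source": "audit_monitoring", "host": "ws-1042",
     "user": "jdoe", "detail": "new scheduled task created"},
    {"ts": "2024-03-04T09:20:00", "source": "user_report", "host": "ws-1042",
     "user": "jdoe", "detail": "opened invoice attachment, unexpected window appeared"},
    {"ts": "2024-03-04T11:45:00", "source": "physical_access", "host": None,
     "user": "msmith", "detail": "badge used at a closed site"},
    {"ts": "2024-03-05T09:03:00", "source": "network_monitoring", "host": "ws-1042",
     "user": None, "detail": "outbound connection to newly seen domain"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window=timedelta(hours=1)):
    """Group events that share a host (or, when no host is known, a user) and fall within
    `window` of the group's first event. Returns a list of clusters; each cluster records
    the key, first/last seen times, the distinct reporting channels and the raw events."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        key = ev["host"] or ev["user"]
        if key is None:                                 # nothing to correlate on
            continue
        by_key[key].append(ev)

    clusters = []
    for key, evs in by_key.items():
        current = None
        for ev in evs:
            t = parse_ts(ev["ts"])
            if current is None or t - current["first_seen"] > window:
                current = {"key": key, "first_seen": t, "last_seen": t,
                           "sources": set(), "events": []}
                clusters.append(current)
            current["last_seen"] = t
            current["sources"].add(ev["source"])
            current["events"].append(ev)
    return clusters


def escalation_candidates(clusters, min_sources=2):
    """Clusters confirmed by at least `min_sources` independent channels. A single channel
    may be noise; agreement across channels is the cross-source picture IR-4(4) is after."""
    return [c for c in clusters if len(c["sources"]) >= min_sources]


if __name__ == "__main__":
    for c in escalation_candidates(correlate(SAMPLE_EVENTS)):
        print(c["key"], sorted(c["sources"]), c["first_seen"], "->", c["last_seen"])
```

The second network alert on ws-1042, a day later, falls outside the window and forms its own single-source cluster, so it is not escalated on its own; in practice a responder would still link it to the earlier incident during analysis, which is the kind of past-intrusion correlation IR-4(11) describes.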

(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM

Implement a configurable capability to automatically disable the system if [ Assignment:
organization-defined security violations ] are detected.
Discussion: Organizations consider whether the capability to automatically disable the
system conflicts with continuity of operations requirements specified as part of CP-2 or
IR-4(3). Security violations include cyber-attacks that have compromised the integrity of the
system or exfiltrated organizational information and serious errors in software programs
that could adversely impact organizational missions or functions or jeopardize the safety of
individuals.
Related Controls: None.

(6) INCIDENT HANDLING | INSIDER THREATS

Implement an incident handling capability for incidents involving insider threats.
Discussion: Explicit focus on handling incidents involving insider threats provides additional
emphasis on this type of threat and the need for specific incident handling capabilities to
provide appropriate and timely responses.
Related Controls: None.

(7) INCIDENT HANDLING | INSIDER THREATS — INTRA-ORGANIZATION COORDINATION

Coordinate an incident handling capability for insider threats that includes the following
organizational entities [ Assignment: organization-defined entities ].
Discussion: Incident handling for insider threat incidents (e.g., preparation, detection and
analysis, containment, eradication, and recovery) requires coordination among many
organizational entities, including mission or business owners, system owners, human
resources offices, procurement offices, personnel offices, physical security offices, senior
agency information security officer, operations personnel, risk executive (function), senior
agency official for privacy, and legal counsel. In addition, organizations may require external
support from federal, state, and local law enforcement agencies.
Related Controls: None.

(8) INCIDENT HANDLING | CORRELATION WITH EXTERNAL ORGANIZATIONS

Coordinate with [ Assignment: organization-defined external organizations ] to correlate
and share [ Assignment: organization-defined incident information ] to achieve a cross-
organization perspective on incident awareness and more effective incident responses.
Discussion: The coordination of incident information with external organizations—including
mission or business partners, military or coalition partners, customers, and developers—can
provide significant benefits. Cross-organizational coordination can serve as an important risk
management capability. This capability allows organizations to leverage information from a
variety of sources to effectively respond to incidents and breaches that could potentially
affect the organization’s operations, assets, and individuals.
Related Controls: AU-16, PM-16.

(9) INCIDENT HANDLING | DYNAMIC RESPONSE CAPABILITY

Employ [ Assignment: organization-defined dynamic response capabilities ] to respond to
incidents.
Discussion: The dynamic response capability addresses the timely deployment of new or
replacement organizational capabilities in response to incidents. This includes capabilities
implemented at the mission and business process level and at the system level.
Related Controls: None.

(10) INCIDENT HANDLING | SUPPLY CHAIN COORDINATION

Coordinate incident handling activities involving supply chain events with other
organizations involved in the supply chain.
Discussion: Organizations involved in supply chain activities include product developers,
system integrators, manufacturers, packagers, assemblers, distributors, vendors, and
resellers. Supply chain incidents can occur anywhere through or to the supply chain and
include compromises or breaches that involve primary or sub-tier providers, information
technology products, system components, development processes or personnel, and
distribution processes or warehousing facilities. Organizations consider including processes
for protecting and sharing incident information in information exchange agreements and
their obligations for reporting incidents to government oversight bodies (e.g., Federal
Acquisition Security Council).
Related Controls: CA-3, MA-2, SA-9, SR-8.

(11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM

Establish and maintain an integrated incident response team that can be deployed to any
location identified by the organization in [ Assignment: organization-defined time period ].
Discussion: An integrated incident response team is a team of experts that assesses,
documents, and responds to incidents so that organizational systems and networks can
recover quickly and implement the necessary controls to avoid future incidents. Incident
response team personnel include forensic and malicious code analysts, tool developers,
systems security and privacy engineers, and real-time operations personnel. The incident
handling capability includes performing rapid forensic preservation of evidence and analysis
of and response to intrusions. For some organizations, the incident response team can be a
cross-organizational entity.
An integrated incident response team facilitates information sharing and allows
organizational personnel (e.g., developers, implementers, and operators) to leverage team
knowledge of the threat and implement defensive measures that enable organizations to
deter intrusions more effectively. Moreover, integrated teams promote the rapid detection
of intrusions, the development of appropriate mitigations, and the deployment of effective
defensive measures. For example, when an intrusion is detected, the integrated team can
rapidly develop an appropriate response for operators to implement, correlate the new
incident with information on past intrusions, and augment ongoing cyber intelligence
development. Integrated incident response teams are better able to identify adversary
tactics, techniques, and procedures that are linked to the operations tempo or specific
mission and business functions and to define responsive actions in a way that does not
disrupt those mission and business functions. Incident response teams can be distributed
within organizations to make the capability resilient.

Related Controls: AT-3.

(12) INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS

Analyze malicious code and/or other residual artifacts remaining in the system after the
incident.
Discussion: When conducted carefully in an isolated environment, analysis of malicious code
and other residual artifacts of a security incident or breach can give the organization insight
into adversary tactics, techniques, and procedures. It can also indicate the identity or some
defining characteristics of the adversary. In addition, malicious code analysis can help the
organization develop responses to future incidents.
Related Controls: None.

(13) INCIDENT HANDLING | BEHAVIOR ANALYSIS

Analyze anomalous or suspected adversarial behavior in or related to [ Assignment:
organization-defined environments or resources ].
Discussion: If the organization maintains a deception environment, an analysis of behaviors
in that environment, including resources targeted by the adversary and timing of the
incident or event, can provide insight into adversarial tactics, techniques, and procedures.
External to a deception environment, the analysis of anomalous adversarial behavior (e.g.,
changes in system performance or usage patterns) or suspected behavior (e.g., changes in
searches for the location of specific resources) can give the organization such insight.
Related Controls: None.

(14) INCIDENT HANDLING | SECURITY OPERATIONS CENTER

Establish and maintain a security operations center.
Discussion: A security operations center (SOC) is the focal point for security operations and
computer network defense for an organization. The purpose of the SOC is to defend and
monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing
basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity
incidents in a timely manner. The organization staffs the SOC with skilled technical and
operational personnel (e.g., security analysts, incident response personnel, systems security
engineers) and implements a combination of technical, management, and operational
controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate,
analyze, and respond to threat and security-relevant event data from multiple sources.
These sources include perimeter defenses, network devices (e.g., routers, switches), and
endpoint agent data feeds. The SOC provides a holistic situational awareness capability to
help organizations determine the security posture of the system and organization. A SOC
capability can be obtained in a variety of ways. Larger organizations may implement a
dedicated SOC while smaller organizations may employ third-party organizations to provide
such a capability.
Related Controls: None.

(15) INCIDENT HANDLING | PUBLIC RELATIONS AND REPUTATION REPAIR

(a) Manage public relations associated with an incident; and
(b) Employ measures to repair the reputation of the organization.
Discussion: It is important for an organization to have a strategy in place for addressing
incidents that have been brought to the attention of the general public, have cast the
organization in a negative light, or have affected the organization’s constituents (e.g.,
partners, customers). Such publicity can be extremely harmful to the organization and affect
its ability to carry out its mission and business functions. Taking proactive steps to repair the
organization’s reputation is an essential aspect of reestablishing the trust and confidence of
its constituents.
Related Controls: None.
References: [FASC18], [41 CFR 201], [OMB M-17-12], [SP 800-61], [SP 800-86], [SP 800-101], [SP 800-150], [SP 800-160-2], [SP 800-184], [IR 7559].

IR-5 INCIDENT MONITORING

Control: Track and document incidents.
Discussion: Documenting incidents includes maintaining records about each incident, the status
of the incident, and other pertinent information necessary for forensics as well as evaluating
incident details, trends, and handling. Incident information can be obtained from a variety of
sources, including network monitoring, incident reports, incident response teams, user
complaints, supply chain partners, audit monitoring, physical access monitoring, and user and
administrator reports. IR-4 provides information on the types of incidents that are appropriate
for monitoring.
Related Controls: AU-6, AU-7, IR-8, PE-6, PM-5, SC-5, SC-7, SI-3, SI-4, SI-7.
Control Enhancements:

(1) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS

Track incidents and collect and analyze incident information using [ Assignment:
organization-defined automated mechanisms ].
Discussion: Automated mechanisms for tracking incidents and collecting and analyzing
incident information include Computer Incident Response Centers or other electronic
databases of incidents and network monitoring devices.
Related Controls: AU-7, IR-4.
References: [SP 800-61].
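IR-5 requires records of each incident and its status, and IR-3(3) requires measures derived from such records that are accurate, consistent and reproducible. The following added example, which is not code from SP 800-53 or from any NIST project, shows one way to satisfy both: an incident record whose status can only move through the IR-4 handling phases in order, and a metrics function whose output is sorted so two runs over the same records are byte-for-byte identical. The status vocabulary, the field names and the three sample incidents are assumptions constructed for the example.

```python
"""Track incidents and derive reproducible incident response metrics (IR-5, IR-3(3)).

Added example, not part of SP 800-53. Incident records are constructed; the status
vocabulary and field names are assumptions chosen to mirror the IR-4 handling phases."""
import json
from datetime import datetime, timezone

# Allowed status transitions follow the IR-4 phases. Anything else is rejected so a record
# cannot silently skip containment; "reported" -> "closed" is reserved for false positives.
TRANSITIONS = {
    "reported": {"triaged", "closed"},
    "triaged": {"contained"},
    "contained": {"eradicated"},
    "eradicated": {"recovered"},
    "recovered": {"closed"},
    "closed": set(),
}


class Incident:
    def __init__(self, incident_id, category, occurred_at, reported_at, source):
        self.id = incident_id
        self.category = category
        self.source = source                      # reporting channel, e.g. "user_report"
        self.occurred_at = occurred_at            # best estimate of when it started
        self.history = [("reported", reported_at)]  # (status, timestamp) audit trail

    @property
    def status(self):
        return self.history[-1][0]

    def advance(self, new_status, at):
        """Record a phase change; refuse out-of-order phases and non-monotonic timestamps."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.id}: {self.status} -> {new_status} not allowed")
        if at < self.history[-1][1]:
            raise ValueError(f"{self.id}: timestamps must be monotonic")
        self.history.append((new_status, at))

    def when(self, status):
        """Timestamp at which the incident first reached `status`, or None."""
        return next((t for s, t in self.history if s == status), None)


def hours(a, b):
    return round((b - a).total_seconds() / 3600, 2)


def metrics(incidents):
    """Per-category counts, open count, mean hours from occurrence to report, and mean hours
    from report to containment (over incidents that reached containment). Keys are sorted
    so the result is reproducible across runs and machines."""
    by_cat = {}
    for i in incidents:
        by_cat[i.category] = by_cat.get(i.category, 0) + 1
    ttr = [hours(i.occurred_at, i.when("reported")) for i in incidents]
    ttc = [hours(i.when("reported"), i.when("contained"))
           for i in incidents if i.when("contained") is not None]
    mean = lambda xs: round(sum(xs) / len(xs), 2) if xs else None
    return {
        "total": len(incidents),
        "open": sum(1 for i in incidents if i.status != "closed"),
        "by_category": dict(sorted(by_cat.items())),
        "mean_hours_to_report": mean(ttr),
        "mean_hours_to_contain": mean(ttc),
    }


def metrics_json(incidents):
    return json.dumps(metrics(incidents), sort_keys=True)


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def sample_incidents():
    """Three constructed records: one still in handling, one fully closed, one false positive."""
    a = Incident("INC-0001", "malware", ts("2024-03-04T08:30:00"), ts("2024-03-04T09:20:00"), "user_report")
    a.advance("triaged", ts("2024-03-04T09:40:00"))
    a.advance("contained", ts("2024-03-04T10:20:00"))
    a.advance("eradicated", ts("2024-03-04T15:00:00"))
    b = Incident("INC-0002", "phishing", ts("2024-03-05T07:00:00"), ts("2024-03-05T07:30:00"), "email_gateway")
    for status, t in [("triaged", "2024-03-05T08:00:00"), ("contained", "2024-03-05T09:30:00"),
                      ("eradicated", "2024-03-05T10:00:00"), ("recovered", "2024-03-05T11:00:00"),
                      ("closed", "2024-03-05T12:00:00")]:
        b.advance(status, ts(t))
    c = Incident("INC-0003", "phishing", ts("2024-03-06T12:00:00"), ts("2024-03-06T12:15:00"), "user_report")
    c.advance("closed", ts("2024-03-06T12:30:00"))   # triage found a false positive
    return [a, b, c]


if __name__ == "__main__":
    print(metrics_json(sample_incidents()))
```

The transition table is the part worth keeping even if the metrics change: it turns the handling phases of IR-4a into an invariant on the record, so a status of "recovered" always implies containment and eradication timestamps exist, which is what makes time-to-contain a trustworthy number rather than a field someone may have skipped.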

IR-6 INCIDENT REPORTING

Control:
a. Require personnel to report suspected incidents to the organizational incident response
capability within [ Assignment: organization-defined time period ]; and
b. Report incident information to [ Assignment: organization-defined authorities ].
Discussion: The types of incidents reported, the content and timeliness of the reports, and the
designated reporting authorities reflect applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines. Incident information can inform risk assessments, control
effectiveness assessments, security requirements for acquisitions, and selection criteria for
technology products.
Related Controls: CM-6, CP-2, IR-4, IR-5, IR-8, IR-9.
Control Enhancements:

(1) INCIDENT REPORTING | AUTOMATED REPORTING

Report incidents using [ Assignment: organization-defined automated mechanisms ].
Discussion: The recipients of incident reports are specified in IR-6b. Automated reporting
mechanisms include email, posting on websites (with automatic updates), and automated
incident response tools and programs.
Related Controls: IR-7.

(2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS

Report system vulnerabilities associated with reported incidents to [ Assignment:
organization-defined personnel or roles ].
Discussion: Reported incidents that uncover system vulnerabilities are analyzed by
organizational personnel including system owners, mission and business owners, senior
agency information security officers, senior agency officials for privacy, authorizing officials,
and the risk executive (function). The analysis can serve to prioritize and initiate mitigation
actions to address the discovered system vulnerability.
Related Controls: None.

(3) INCIDENT REPORTING | SUPPLY CHAIN COORDINATION

Provide incident information to the provider of the product or service and other
organizations involved in the supply chain or supply chain governance for systems or
system components related to the incident.
Discussion: Organizations involved in supply chain activities include product developers,
system integrators, manufacturers, packagers, assemblers, distributors, vendors, and
resellers. Entities that provide supply chain governance include the Federal Acquisition
Security Council (FASC). Supply chain incidents include compromises or breaches that involve
information technology products, system components, development processes or personnel,
distribution processes, or warehousing facilities. Organizations determine the appropriate
information to share and consider the value gained from informing external organizations
about supply chain incidents, including the ability to improve processes or to identify the
root cause of an incident.
Related Controls: SR-8.
References: [FASC18], [41 CFR 201], [USCERT IR], [SP 800-61].

IR-7 INCIDENT RESPONSE ASSISTANCE

Control: Provide an incident response support resource, integral to the organizational incident
response capability, that offers advice and assistance to users of the system for the handling and
reporting of incidents.
Discussion: Incident response support resources provided by organizations include help desks,
assistance groups, automated ticketing systems to open and track incident response tickets, and
access to forensics services or consumer redress services, when required.
Related Controls: AT-2, AT-3, IR-4, IR-6, IR-8, PM-22, PM-26, SA-9, SI-18.
Control Enhancements:

(1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION AND SUPPORT

Increase the availability of incident response information and support using [ Assignment:
organization-defined automated mechanisms ].
Discussion: Automated mechanisms can provide a push or pull capability for users to obtain
incident response assistance. For example, individuals may have access to a website to query
the assistance capability, or the assistance capability can proactively send incident response
information to users (general distribution or targeted) as part of increasing understanding of
current response capabilities and support.
Related Controls: None.

(2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS

(a) Establish a direct, cooperative relationship between its incident response capability
and external providers of system protection capability; and
(b) Identify organizational incident response team members to the external providers.
Discussion: External providers of a system protection capability include the Computer
Network Defense program within the U.S. Department of Defense. External providers help to
protect, monitor, analyze, detect, and respond to unauthorized activity within organizational
information systems and networks. It may be beneficial to have agreements in place with
external providers to clarify the roles and responsibilities of each party before an incident
occurs.
Related Controls: None.
References: [OMB A-130], [IR 7559].

IR-8 INCIDENT RESPONSE PLAN

Control:
a. Develop an incident response plan that:
  1. Provides the organization with a roadmap for implementing its incident response capability;
  2. Describes the structure and organization of the incident response capability;
  3. Provides a high-level approach for how the incident response capability fits into the overall organization;
  4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  5. Defines reportable incidents;
  6. Provides metrics for measuring the incident response capability within the organization;
  7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
  8. Addresses the sharing of incident information;
  9. Is reviewed and approved by [ Assignment: organization-defined personnel or roles ] [ Assignment: organization-defined frequency ]; and
  10. Explicitly designates responsibility for incident response to [ Assignment: organization-defined entities, personnel, or roles ].
b. Distribute copies of the incident response plan to [ Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements ];
c. Update the incident response plan to address system and organizational changes or
problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to [ Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements ]; and
e. Protect the incident response plan from unauthorized disclosure and modification.
Discussion: It is important that organizations develop and implement a coordinated approach to
incident response. Organizational mission and business functions determine the structure of
incident response capabilities. As part of the incident response capabilities, organizations
consider the coordination and sharing of information with external organizations, including
external service providers and other organizations involved in the supply chain. For incidents
involving personally identifiable information (i.e., breaches), include a process to determine
whether notice to oversight organizations or affected individuals is appropriate and provide that
notice accordingly.
Related Controls: AC-2, CP-2, CP-4, IR-4, IR-7, IR-9, PE-6, PL-2, SA-15, SI-12, SR-8.
Control Enhancements:

(1) INCIDENT RESPONSE PLAN | BREACHES

Include the following in the Incident Response Plan for breaches involving personally
identifiable information:
(a) A process to determine if notice to individuals or other organizations, including
oversight organizations, is needed;
(b) An assessment process to determine the extent of the harm, embarrassment,
inconvenience, or unfairness to affected individuals and any mechanisms to mitigate
such harms; and
(c) Identification of applicable privacy requirements.
Discussion: Organizations may be required by law, regulation, or policy to follow specific
procedures relating to breaches, including notice to individuals, affected organizations, and
oversight bodies; standards of harm; and mitigation or other specific requirements.
Related Controls: PT-1, PT-2, PT-3, PT-4, PT-5, PT-7.
References: [OMB A-130], [SP 800-61], [OMB M-17-12].

IR-9 INFORMATION SPILLAGE RESPONSE

Control: Respond to information spills by:
a. Assigning [ Assignment: organization-defined personnel or roles ] with responsibility for
responding to information spills;
b. Identifying the specific information involved in the system contamination;
c. Alerting [ Assignment: organization-defined personnel or roles ] of the information spill using
a method of communication not associated with the spill;
d. Isolating the contaminated system or system component;
e. Eradicating the information from the contaminated system or component;
f. Identifying other systems or system components that may have been subsequently
contaminated; and
g. Performing the following additional actions: [ Assignment: organization-defined actions ].
Discussion: Information spillage refers to instances where information is placed on systems that
are not authorized to process such information. Information spills occur when information that is
thought to be a certain classification or impact level is transmitted to a system and subsequently
is determined to be of a higher classification or impact level. At that point, corrective action is
required. The nature of the response is based on the classification or impact level of the spilled
information, the security capabilities of the system, the specific nature of the contaminated
storage media, and the access authorizations of individuals with authorized access to the
contaminated system. The methods used to communicate information about the spill after the
fact do not involve methods directly associated with the actual spill to minimize the risk of
further spreading the contamination before such contamination is isolated and eradicated.
Related Controls: CP-2, IR-6, PM-26, PM-27, PT-2, PT-3, PT-7, RA-7.
Control Enhancements:

(1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL

[Withdrawn: Incorporated into IR-9.]

(2) INFORMATION SPILLAGE RESPONSE | TRAINING

Provide information spillage response training [ Assignment: organization-defined
frequency ].
Discussion: Organizations establish requirements for responding to information spillage
incidents in incident response plans. Incident response training on a regular basis helps to
ensure that organizational personnel understand their individual responsibilities and what
specific actions to take when spillage incidents occur.
Related Controls: AT-2, AT-3, CP-3, IR-2.

(3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS

Implement the following procedures to ensure that organizational personnel impacted by
information spills can continue to carry out assigned tasks while contaminated systems are
undergoing corrective actions: [ Assignment: organization-defined procedures ].
Discussion: Corrective actions for systems contaminated due to information spillages may
be time-consuming. Personnel may not have access to the contaminated systems while
corrective actions are being taken, which may potentially affect their ability to conduct
organizational business.
Related Controls: None.

(4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL

Employ the following controls for personnel exposed to information not within assigned
access authorizations: [ Assignment: organization-defined controls ].
Discussion: Controls include ensuring that personnel who are exposed to spilled information
are made aware of the laws, executive orders, directives, regulations, policies, standards,
and guidelines regarding the information and the restrictions imposed based on exposure to
such information.
Related Controls: None.
References: None.

IR-10 INCIDENT ANALYSIS

[Withdrawn: Incorporated into IR-4(11).]

3.9 MAINTENANCE

Quick link to Maintenance Summary Table

MA-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] maintenance policy that:
    (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and
c. Review and update the current maintenance:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures include assessment or audit findings, security or privacy incidents, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [OMB A-130], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].

MA-2 CONTROLLED MAINTENANCE

Control:
a. Schedule, document, and review records of maintenance, repair, and replacement on
system components in accordance with manufacturer or vendor specifications and/or
organizational requirements;
b. Approve and monitor all maintenance activities, whether performed on site or remotely and
whether the system or system components are serviced on site or removed to another
location;
c. Require that [ Assignment: organization-defined personnel or roles ] explicitly approve the
removal of the system or system components from organizational facilities for off-site
maintenance, repair, or replacement;
d. Sanitize equipment to remove the following information from associated media prior to
removal from organizational facilities for off-site maintenance, repair, or replacement:
[ Assignment: organization-defined information ];
e. Check all potentially impacted controls to verify that the controls are still functioning
properly following maintenance, repair, or replacement actions; and
f. Include the following information in organizational maintenance records: [ Assignment:
organization-defined information ].
Discussion: Controlling system maintenance addresses the information security aspects of the
system maintenance program and applies to all types of maintenance to system components
conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners,
copiers, and printers. Information necessary for creating effective maintenance records includes
the date and time of maintenance, a description of the maintenance performed, names of the
individuals or group performing the maintenance, name of the escort, and system components
or equipment that are removed or replaced. Organizations consider supply chain-related risks
associated with replacement components for systems.
Related Controls: CM-2, CM-3, CM-4, CM-5, CM-8, MA-4, MP-6, PE-16, SI-2, SR-3, SR-4, SR-11.
Control Enhancements:

(1) CONTROLLED MAINTENANCE | RECORD CONTENT

[Withdrawn: Incorporated into MA-2.]

(2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES

(a) Schedule, conduct, and document maintenance, repair, and replacement actions for
the system using [ Assignment: organization-defined automated mechanisms ]; and
(b) Produce up-to-date, accurate, and complete records of all maintenance, repair, and
replacement actions requested, scheduled, in process, and completed.
Discussion: The use of automated mechanisms to manage and control system maintenance
programs and activities helps to ensure the generation of timely, accurate, complete, and
consistent maintenance records.
Related Controls: MA-3.
References: [OMB A-130], [IR 8023].

MA-3 MAINTENANCE TOOLS

Control:
a. Approve, control, and monitor the use of system maintenance tools; and
b. Review previously approved system maintenance tools [ Assignment: organization-defined
frequency ].
Discussion: Approving, controlling, monitoring, and reviewing maintenance tools address
security-related issues associated with maintenance tools that are not within system
authorization boundaries and are used specifically for diagnostic and repair actions on
organizational systems. Organizations have flexibility in determining roles for the approval of
maintenance tools and how that approval is documented. A periodic review of maintenance
tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-
used tools. Maintenance tools can include hardware, software, and firmware items and may be
pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded
from a website. Such tools can be vehicles for transporting malicious code, either intentionally or
unintentionally, into a facility and subsequently into systems. Maintenance tools can include
hardware and software diagnostic test equipment and packet sniffers. The hardware and
software components that support maintenance and are a part of the system (including the
software implementing utilities such as “ping,” “ls,” “ipconfig,” or the hardware and software
implementing the monitoring port of an Ethernet switch) are not addressed by maintenance
tools.
Related Controls: MA-2, PE-16.
Control Enhancements:

(1) MAINTENANCE TOOLS | INSPECT TOOLS

Inspect the maintenance tools used by maintenance personnel for improper or
unauthorized modifications.
Discussion: Maintenance tools can be directly brought into a facility by maintenance
personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance
tools, organizations determine that the tools have been modified in an improper manner or
the tools contain malicious code, the incident is handled consistent with organizational
policies and procedures for incident handling.
Related Controls: SI-7.

(2) MAINTENANCE TOOLS | INSPECT MEDIA

Check media containing diagnostic and test programs for malicious code before the media
are used in the system.
Discussion: If, upon inspection of media containing maintenance, diagnostic, and test
programs, organizations determine that the media contains malicious code, the incident is
handled consistent with organizational incident handling policies and procedures.
Related Controls: SI-3.

(3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL

Prevent the removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [ Assignment: organization-defined personnel or roles ]
explicitly authorizing removal of the equipment from the facility.
Discussion: Organizational information includes all information owned by organizations and
any information provided to organizations for which the organizations serve as information
stewards.
Related Controls: MP-6.

(4) MAINTENANCE TOOLS | RESTRICTED TOOL USE

Restrict the use of maintenance tools to authorized personnel only.
Discussion: Restricting the use of maintenance tools to only authorized personnel applies to
systems that are used to carry out maintenance functions.
Related Controls: AC-3, AC-5, AC-6.

(5) MAINTENANCE TOOLS | EXECUTION WITH PRIVILEGE

Monitor the use of maintenance tools that execute with increased privilege.
Discussion: Maintenance tools that execute with increased system privilege can result in
unauthorized access to organizational information and assets that would otherwise be
inaccessible.
Related Controls: AC-3, AC-6.

(6) MAINTENANCE TOOLS | SOFTWARE UPDATES AND PATCHES

Inspect maintenance tools to ensure the latest software updates and patches are installed.
Discussion: Maintenance tools using outdated and/or unpatched software can provide a
threat vector for adversaries and result in a significant vulnerability for organizations.
Related Controls: AC-3, AC-6.
References: [SP 800-88].
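An added example, not part of NIST SP 800-53 or any NIST tooling, of how the MA-3 requirements above can be checked mechanically: each maintenance tool presented for use is compared against an approved list, covering MA-3b (approval not older than the review period), MA-3(1) (digest of the tool matches the copy that was inspected) and MA-3(6) (version carries the required patches). Tool names, byte contents, versions and dates are constructed for the example, and the one-year review period stands in for the organization-defined frequency.

```python
"""Check maintenance tools brought into a facility against an approved list.
Added example; all tools, digests, versions and dates are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)  # assumed [organization-defined frequency] for MA-3b


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> tuple:
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class ApprovedTool:
    name: str
    min_version: str       # lowest version carrying the required patches (MA-3(6))
    approved_on: date      # date the approval was last reviewed (MA-3b)
    digests: dict          # version -> SHA-256 of the copy that was inspected (MA-3(1))


@dataclass(frozen=True)
class ObservedTool:
    name: str
    version: str
    content: bytes         # the tool as actually presented for use


# Constructed "binaries"; the approved digests are computed from these bytes.
DIAG_210 = b"diagtool-2.1.0-constructed-binary"
DIAG_200 = b"diagtool-2.0.0-constructed-binary"
FWFLASH_142 = b"fwflash-1.4.2-constructed-binary"

# Constructed approved list (MA-3a), as it would stand after inspection (MA-3(1)).
APPROVED = {
    "diagtool": ApprovedTool("diagtool", "2.1.0", date(2024, 2, 1),
                             {"2.0.0": sha256_hex(DIAG_200), "2.1.0": sha256_hex(DIAG_210)}),
    "fwflash": ApprovedTool("fwflash", "1.4.2", date(2022, 11, 15),
                            {"1.4.2": sha256_hex(FWFLASH_142)}),
}

# Constructed inventory of what maintenance personnel actually brought in.
OBSERVED = [
    ObservedTool("diagtool", "2.1.0", DIAG_210),                     # clean
    ObservedTool("diagtool", "2.0.0", DIAG_200),                     # genuine but unpatched
    ObservedTool("fwflash", "1.4.2", FWFLASH_142 + b"\x90\x90"),     # bytes differ from inspected copy
    ObservedTool("sniffer", "0.9", b"sniffer-constructed-binary"),  # never approved
]


def check_tools(observed, approved=APPROVED, today=date(2024, 6, 1)) -> dict:
    """Return {'name@version': [findings]}; an empty list means the tool passed."""
    findings = {}
    for tool in observed:
        issues = []
        record = approved.get(tool.name)
        if record is None:
            issues.append("not on the approved tool list (MA-3a)")
        else:
            expected = record.digests.get(tool.version)
            if expected is None:
                issues.append(f"version {tool.version} was never inspected/approved (MA-3(1))")
            elif sha256_hex(tool.content) != expected:
                issues.append("digest differs from the inspected copy (MA-3(1))")
            if parse_version(tool.version) < parse_version(record.min_version):
                issues.append(f"version {tool.version} below patched minimum "
                              f"{record.min_version} (MA-3(6))")
            if today - record.approved_on > REVIEW_PERIOD:
                issues.append("approval older than the review period (MA-3b)")
        findings[f"{tool.name}@{tool.version}"] = issues
    return findings


if __name__ == "__main__":
    for key, issues in check_tools(OBSERVED).items():
        print(key, "OK" if not issues else "; ".join(issues))
```

A tool that fails the MA-3(1) digest comparison is handled as an incident under the organization's incident handling procedures, as the enhancement's discussion states; the check only produces the finding.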

MA-4 NONLOCAL MAINTENANCE

Control:
a. Approve and monitor nonlocal maintenance and diagnostic activities;
b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with
organizational policy and documented in the security plan for the system;
c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic
sessions;
d. Maintain records for nonlocal maintenance and diagnostic activities; and
e. Terminate session and network connections when nonlocal maintenance is completed.
Discussion: Nonlocal maintenance and diagnostic activities are conducted by individuals who
communicate through either an external or internal network. Local maintenance and diagnostic
activities are carried out by individuals who are physically present at the system location and not
communicating across a network connection. Authentication techniques used to establish
nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2.
Strong authentication requires authenticators that are resistant to replay attacks and employ
multi-factor authentication. Strong authenticators include PKI where certificates are stored on a
token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is
accomplished, in part, by other controls. [SP 800-63B] provides additional guidance on strong
authentication and authenticators.
Related Controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, PL-2,
SC-7, SC-10.
Control Enhancements:

(1) NONLOCAL MAINTENANCE | LOGGING AND REVIEW

(a) Log [ Assignment: organization-defined audit events ] for nonlocal maintenance and
diagnostic sessions; and
(b) Review the audit records of the maintenance and diagnostic sessions to detect
anomalous behavior.
Discussion: Audit logging for nonlocal maintenance is enforced by AU-2. Audit events are
defined in AU-2a.
Related Controls: AU-6, AU-12.

(2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE

[Withdrawn: Incorporated into MA-1, MA-4.]

(3) NONLOCAL MAINTENANCE | COMPARABLE SECURITY AND SANITIZATION

(a) Require that nonlocal maintenance and diagnostic services be performed from a
system that implements a security capability comparable to the capability
implemented on the system being serviced; or
(b) Remove the component to be serviced from the system prior to nonlocal maintenance
or diagnostic services; sanitize the component (for organizational information); and
after the service is performed, inspect and sanitize the component (for potentially
malicious software) before reconnecting the component to the system.
Discussion: Comparable security capability on systems, diagnostic tools, and equipment
providing maintenance services implies that the implemented controls on those systems,
tools, and equipment are at least as comprehensive as the controls on the system being
serviced.
Related Controls: MP-6, SI-3, SI-7.

(4) NONLOCAL MAINTENANCE | AUTHENTICATION AND SEPARATION OF MAINTENANCE SESSIONS

Protect nonlocal maintenance sessions by:
(a) Employing [ Assignment: organization-defined authenticators that are replay
resistant ]; and
(b) Separating the maintenance sessions from other network sessions with the system by
either:
(1) Physically separated communications paths; or
(2) Logically separated communications paths.
Discussion: Communications paths can be logically separated using encryption.
Related Controls: None.

(5) NONLOCAL MAINTENANCE | APPROVALS AND NOTIFICATIONS

(a) Require the approval of each nonlocal maintenance session by [ Assignment:
organization-defined personnel or roles ]; and
(b) Notify the following personnel or roles of the date and time of planned nonlocal
maintenance: [ Assignment: organization-defined personnel or roles ].
Discussion: Notification may be performed by maintenance personnel. Approval of nonlocal
maintenance is accomplished by personnel with sufficient information security and system
knowledge to determine the appropriateness of the proposed maintenance.
Related Controls: None.

(6) NONLOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION

Implement the following cryptographic mechanisms to protect the integrity and
confidentiality of nonlocal maintenance and diagnostic communications: [ Assignment:
organization-defined cryptographic mechanisms ].
Discussion: Failure to protect nonlocal maintenance and diagnostic communications can
result in unauthorized individuals gaining access to organizational information. Unauthorized
access during remote maintenance sessions can result in a variety of hostile actions,
including malicious code insertion, unauthorized changes to system parameters, and
exfiltration of organizational information. Such actions can result in the loss or degradation
of mission or business capabilities.
Related Controls: SC-8, SC-12, SC-13.

(7) NONLOCAL MAINTENANCE | DISCONNECT VERIFICATION

Verify session and network connection termination after the completion of nonlocal
maintenance and diagnostic sessions.
Discussion: Verifying the termination of a connection once maintenance is completed
ensures that connections established during nonlocal maintenance and diagnostic sessions
have been terminated and are no longer available for use.
Related Controls: AC-12.
References: [FIPS 140-3], [FIPS 197], [FIPS 201-2], [SP 800-63-3], [SP 800-88].
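An added example, not NIST's own code or tooling, of the review pass MA-4(1)(b) calls for: constructed audit records of nonlocal maintenance sessions are checked for the conditions the MA-4 base control and its enhancements set out (approved request and notified window for MA-4(5), strong replay-resistant authenticator for MA-4c and MA-4(4)(a), encrypted and separated channel for MA-4(4)(b) and MA-4(6), recorded termination for MA-4e and MA-4(7)). The log format, field names, approval records and the sets of acceptable authenticators and channels are assumptions made for this example.

```python
"""Review nonlocal maintenance session records for anomalous behavior (MA-4(1)(b)).
Added example; log lines, approvals and acceptable values are constructed."""
from datetime import datetime, timezone

# Assumed organization-defined values for this example.
STRONG_AUTH = {"pki-token", "fido2"}     # replay-resistant, multi-factor (MA-4c, MA-4(4)(a))
SEPARATED_CHANNELS = {"ssh", "tls-vpn"}  # encrypted, logically separated paths (MA-4(4)(b), MA-4(6))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """'<timestamp> key=value key=value ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = {"ts": parse_ts(ts)}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec


# Constructed approvals (MA-4(5)): request id -> notified maintenance window.
APPROVALS = {
    "MR-2024-031": (parse_ts("2024-06-03T09:00:00Z"), parse_ts("2024-06-03T12:00:00Z")),
    "MR-2024-032": (parse_ts("2024-06-03T08:00:00Z"), parse_ts("2024-06-03T10:00:00Z")),
}

# Constructed audit records (MA-4d) for three nonlocal maintenance sessions.
SAMPLE_LOG = [
    "2024-06-03T09:02:11Z event=session_start id=S-101 user=vendor-a auth=pki-token approval=MR-2024-031 channel=ssh",
    "2024-06-03T09:58:40Z event=session_end id=S-101",
    "2024-06-03T14:30:00Z event=session_start id=S-103 user=vendor-c auth=fido2 approval=MR-2024-032 channel=tls-vpn",
    "2024-06-03T15:10:22Z event=session_end id=S-103",
    "2024-06-03T22:14:05Z event=session_start id=S-102 user=vendor-b auth=password approval=- channel=telnet",
]


def review_sessions(lines, approvals=APPROVALS) -> dict:
    """Return {session id: [findings]}; an empty list means nothing anomalous."""
    sessions = {}
    for rec in map(parse_line, lines):
        s = sessions.setdefault(rec["id"], {"start": None, "end": None})
        if rec["event"] == "session_start":
            s["start"] = rec          # keep the start record's fields for the checks below
        elif rec["event"] == "session_end":
            s["end"] = rec["ts"]

    findings = {}
    for sid, s in sessions.items():
        issues = []
        start = s["start"]
        if start is None:
            findings[sid] = ["session end with no recorded start (MA-4d)"]
            continue
        window = approvals.get(start.get("approval", "-"))
        if window is None:
            issues.append("no approved maintenance request (MA-4a, MA-4(5)(a))")
        elif not (window[0] <= start["ts"] <= window[1]):
            issues.append("started outside the notified window (MA-4(5)(b))")
        if start.get("auth") not in STRONG_AUTH:
            issues.append(f"authenticator '{start.get('auth')}' is not strong/replay resistant "
                          "(MA-4c, MA-4(4)(a))")
        if start.get("channel") not in SEPARATED_CHANNELS:
            issues.append(f"channel '{start.get('channel')}' is not encrypted/separated "
                          "(MA-4(4)(b), MA-4(6))")
        if s["end"] is None:
            issues.append("no session termination recorded (MA-4e, MA-4(7))")
        findings[sid] = issues
    return findings


if __name__ == "__main__":
    for sid, issues in review_sessions(SAMPLE_LOG).items():
        print(sid, "OK" if not issues else "; ".join(issues))
```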

MA-5 MAINTENANCE PERSONNEL

Control:
a. Establish a process for maintenance personnel authorization and maintain a list of
authorized maintenance organizations or personnel;
b. Verify that non-escorted personnel performing maintenance on the system possess the
required access authorizations; and
c. Designate organizational personnel with required access authorizations and technical
competence to supervise the maintenance activities of personnel who do not possess the
required access authorizations.
Discussion: Maintenance personnel refers to individuals who perform hardware or software
maintenance on organizational systems, while PE-2 addresses physical access for individuals
whose maintenance duties place them within the physical protection perimeter of the systems.
Technical competence of supervising individuals relates to the maintenance performed on the
systems, while having required access authorizations refers to maintenance on and near the
systems. Individuals not previously identified as authorized maintenance personnel—such as
information technology manufacturers, vendors, systems integrators, and consultants—may
require privileged access to organizational systems, such as when they are required to conduct
maintenance activities with little or no notice. Based on organizational assessments of risk,
organizations may issue temporary credentials to these individuals. Temporary credentials may
be for one-time use or for very limited time periods.
Related Controls: AC-2, AC-3, AC-5, AC-6, IA-2, IA-8, MA-4, MP-2, PE-2, PE-3, PS-7, RA-3.
Control Enhancements:

(1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS

(a) Implement procedures for the use of maintenance personnel that lack appropriate
security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations,
clearances, or formal access approvals are escorted and supervised during the
performance of maintenance and diagnostic activities on the system by approved
organizational personnel who are fully cleared, have appropriate access
authorizations, and are technically qualified; and
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not
have needed access authorizations, clearances or formal access approvals, all
volatile information storage components within the system are sanitized and all
nonvolatile storage media are removed or physically disconnected from the
system and secured; and
(b) Develop and implement [ Assignment: organization-defined alternate controls ] in the
event a system component cannot be sanitized, removed, or disconnected from the
system.
Discussion: Procedures for individuals who lack appropriate security clearances or who are
not U.S. citizens are intended to deny visual and electronic access to classified or controlled
unclassified information contained on organizational systems. Procedures for the use of
maintenance personnel can be documented in security plans for the systems.
Related Controls: MP-6, PL-2.

(2) MAINTENANCE PERSONNEL | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS

Verify that personnel performing maintenance and diagnostic activities on a system
processing, storing, or transmitting classified information possess security clearances and
formal access approvals for at least the highest classification level and for compartments
of information on the system.
Discussion: Personnel who conduct maintenance on organizational systems may be exposed
to classified information during the course of their maintenance activities. To mitigate the
inherent risk of such exposure, organizations use maintenance personnel that are cleared
(i.e., possess security clearances) to the classification level of the information stored on the
system.
Related Controls: PS-3.

(3) MAINTENANCE PERSONNEL | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS

Verify that personnel performing maintenance and diagnostic activities on a system
processing, storing, or transmitting classified information are U.S. citizens.
Discussion: Personnel who conduct maintenance on organizational systems may be exposed
to classified information during the course of their maintenance activities. If access to
classified information on organizational systems is restricted to U.S. citizens, the same
restriction is applied to personnel performing maintenance on those systems.
Related Controls: PS-3.

(4) MAINTENANCE PERSONNEL | FOREIGN NATIONALS

Ensure that:
(a) Foreign nationals with appropriate security clearances are used to conduct
maintenance and diagnostic activities on classified systems only when the systems are
jointly owned and operated by the United States and foreign allied governments, or
owned and operated solely by foreign allied governments; and
(b) Approvals, consents, and detailed operational conditions regarding the use of foreign
nationals to conduct maintenance and diagnostic activities on classified systems are
fully documented within Memoranda of Agreements.
Discussion: Personnel who conduct maintenance and diagnostic activities on organizational
systems may be exposed to classified information. If non-U.S. citizens are permitted to
perform maintenance and diagnostics activities on classified systems, then additional vetting
is required to ensure agreements and restrictions are not being violated.
Related Controls: PS-3.

(5) MAINTENANCE PERSONNEL | NON-SYSTEM MAINTENANCE

Ensure that non-escorted personnel performing maintenance activities not directly
associated with the system but in the physical proximity of the system, have required
access authorizations.
Discussion: Personnel who perform maintenance activities in other capacities not directly
related to the system include physical plant personnel and custodial personnel.
Related Controls: None.
References: None.

MA-6 TIMELY MAINTENANCE

Control: Obtain maintenance support and/or spare parts for [ Assignment: organization-defined
system components ] within [ Assignment: organization-defined time period ] of failure.
Discussion: Organizations specify the system components that result in increased risk to
organizational operations and assets, individuals, other organizations, or the Nation when the
functionality provided by those components is not operational. Organizational actions to obtain
maintenance support include having appropriate contracts in place.
Related Controls: CM-8, CP-2, CP-7, RA-7, SA-15, SI-13, SR-2, SR-3, SR-4.
Control Enhancements:

(1) TIMELY MAINTENANCE | PREVENTIVE MAINTENANCE

Perform preventive maintenance on [ Assignment: organization-defined system
components ] at [ Assignment: organization-defined time intervals ].
Discussion: Preventive maintenance includes proactive care and the servicing of system
components to maintain organizational equipment and facilities in satisfactory operating
condition. Such maintenance provides for the systematic inspection, tests, measurements,
adjustments, parts replacement, detection, and correction of incipient failures either before
they occur or before they develop into major defects. The primary goal of preventive
maintenance is to avoid or mitigate the consequences of equipment failures. Preventive
maintenance is designed to preserve and restore equipment reliability by replacing worn
components before they fail. Methods of determining what preventive (or other) failure
management policies to apply include original equipment manufacturer recommendations;
statistical failure records; expert opinion; maintenance that has already been conducted on
similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or
measured values and performance indications.
Related Controls: None.

(2) TIMELY MAINTENANCE | PREDICTIVE MAINTENANCE

Perform predictive maintenance on [ Assignment: organization-defined system
components ] at [ Assignment: organization-defined time intervals ].
Discussion: Predictive maintenance evaluates the condition of equipment by performing
periodic or continuous (online) equipment condition monitoring. The goal of predictive
maintenance is to perform maintenance at a scheduled time when the maintenance activity
is most cost-effective and before the equipment loses performance within a threshold. The
predictive component of predictive maintenance stems from the objective of predicting the
future trend of the equipment's condition. The predictive maintenance approach employs
principles of statistical process control to determine at what point in the future maintenance
activities will be appropriate. Most predictive maintenance inspections are performed while
equipment is in service, thus minimizing disruption of normal system operations. Predictive
maintenance can result in substantial cost savings and higher system reliability.
Related Controls: None.

(3) TIMELY MAINTENANCE | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE

Transfer predictive maintenance data to a maintenance management system using
[ Assignment: organization-defined automated mechanisms ].
Discussion: A computerized maintenance management system maintains a database of
information about the maintenance operations of organizations and automates the
processing of equipment condition data to trigger maintenance planning, execution, and
reporting.
Related Controls: None.
References: None.

MA-7 FIELD MAINTENANCE

Control: Restrict or prohibit field maintenance on [ Assignment: organization-defined systems or
system components ] to [ Assignment: organization-defined trusted maintenance facilities ].
Discussion: Field maintenance is the type of maintenance conducted on a system or system
component after the system or component has been deployed to a specific site (i.e., operational
environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not
be executed with the same degree of rigor or with the same quality control checks as depot
maintenance. For critical systems designated as such by the organization, it may be necessary to
restrict or prohibit field maintenance at the local site and require that such maintenance be
conducted in trusted facilities with additional controls.
Related Controls: MA-2, MA-4, MA-5.
Control Enhancements: None.
References: None.

3.10 MEDIA PROTECTION

Quick link to Media Protection Summary Table

MP-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] media protection policy that:
    (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the media protection policy and procedures; and
c. Review and update the current media protection:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security or privacy incidents, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [OMB A-130], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].

MP-2 MEDIA ACCESS

Control: Restrict access to [ Assignment: organization-defined types of digital and/or non-digital
media ] to [ Assignment: organization-defined personnel or roles ].
Discussion: System media includes digital and non-digital media. Digital media includes flash
drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state,
magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and
microfilm. Denying access to patient medical records in a community hospital unless the
individuals seeking access to such records are authorized healthcare providers is an example of
restricting access to non-digital media. Limiting access to the design specifications stored on
compact discs in the media library to individuals on the system development team is an example
of restricting access to digital media.
Related Controls: AC-19, AU-9, CP-2, CP-9, CP-10, MA-5, MP-4, MP-6, PE-2, PE-3, SC-12, SC-13,
SC-34, SI-12.
Control Enhancements:

(1) MEDIA ACCESS | AUTOMATED RESTRICTED ACCESS

[Withdrawn: Incorporated into MP-4(2).]

(2) MEDIA ACCESS | CRYPTOGRAPHIC PROTECTION

[Withdrawn: Incorporated into SC-28(1).]
References: [OMB A-130], [FIPS 199], [SP 800-111].

MP-3 MEDIA MARKING

Control:
a. Mark system media indicating the distribution limitations, handling caveats, and applicable
security markings (if any) of the information; and
b. Exempt [ Assignment: organization-defined types of system media ] from marking if the media
remain within [ Assignment: organization-defined controlled areas ].
Discussion: Security marking refers to the application or use of human-readable security
attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk
drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-
digital media includes paper and microfilm. Controlled unclassified information is defined by the
National Archives and Records Administration along with the appropriate safeguarding and
dissemination requirements for such information and is codified in [32 CFR 2002]. Security
markings are generally not required for media that contains information determined by
organizations to be in the public domain or to be publicly releasable. Some organizations may
require markings for public information indicating that the information is publicly releasable.
System media marking reflects applicable laws, executive orders, directives, policies, regulations,
standards, and guidelines.
Related Controls: AC-16, CP-9, MP-5, PE-22, SI-12.
Control Enhancements: None.
References: [32 CFR 2002], [FIPS 199].

MP-4 MEDIA STORAGE

Control:
a. Physically control and securely store [ Assignment: organization-defined types of digital
and/or non-digital media ] within [ Assignment: organization-defined controlled areas ]; and
b. Protect system media types defined in MP-4a until the media are destroyed or sanitized
using approved equipment, techniques, and procedures.
Discussion: System media includes digital and non-digital media. Digital media includes flash
drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state,
magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and
microfilm. Physically controlling stored media includes conducting inventories, ensuring
procedures are in place to allow individuals to check out and return media to the library, and
maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or
cabinet or a controlled media library. The type of media storage is commensurate with the
security category or classification of the information on the media. Controlled areas are spaces
that provide physical and procedural controls to meet the requirements established for
protecting information and systems. Fewer controls may be needed for media that contains
information determined to be in the public domain, publicly releasable, or have limited adverse
impacts on organizations, operations, or individuals if accessed by other than authorized
personnel. In these situations, physical access controls provide adequate protection.
Related Controls: AC-19, CP-2, CP-6, CP-9, CP-10, MP-2, MP-7, PE-3, PL-2, SC-12, SC-13, SC-28,
SC-34, SI-12.
Control Enhancements:

(1) MEDIA STORAGE | CRYPTOGRAPHIC PROTECTION

[Withdrawn: Incorporated into SC-28(1).]

(2) MEDIA STORAGE | AUTOMATED RESTRICTED ACCESS

Restrict access to media storage areas and log access attempts and access granted using
[ Assignment: organization-defined automated mechanisms ].
Discussion: Automated mechanisms include keypads, biometric readers, or card readers on
the external entries to media storage areas.
Related Controls: AC-3, AU-2, AU-6, AU-9, AU-12, PE-3.
References: [FIPS 199], [SP 800-56A], [SP 800-56B], [SP 800-56C], [SP 800-57-1], [SP 800-57-2],
[SP 800-57-3], [SP 800-111].

MP-5 MEDIA TRANSPORT

Control:
a. Protect and control [ Assignment: organization-defined types of system media ] during
transport outside of controlled areas using [ Assignment: organization-defined controls ];
b. Maintain accountability for system media during transport outside of controlled areas;
c. Document activities associated with the transport of system media; and
d. Restrict the activities associated with the transport of system media to authorized
personnel.
Discussion: System media includes digital and non-digital media. Digital media includes flash
drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and
magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and
paper. Controlled areas are spaces for which organizations provide physical or procedural
controls to meet requirements established for protecting information and systems. Controls to
protect media during transport include cryptography and locked containers. Cryptographic
mechanisms can provide confidentiality and integrity protections depending on the mechanisms
implemented. Activities associated with media transport include releasing media for transport,
ensuring that media enters the appropriate transport processes, and the actual transport.

Authorized transport and courier personnel may include individuals external to the organization.
Maintaining accountability of media during transport includes restricting transport activities to
authorized personnel and tracking and/or obtaining records of transport activities as the media
moves through the transportation system to prevent and detect loss, destruction, or tampering.
Organizations establish documentation requirements for activities associated with the transport
of system media in accordance with organizational assessments of risk. Organizations maintain
the flexibility to define record-keeping methods for the different types of media transport as part
of a system of transport-related records.
Related Controls: AC-7, AC-19, CP-2, CP-9, MP-3, MP-4, PE-16, PL-2, SC-12, SC-13, SC-28, SC-34.
Control Enhancements:

(1) MEDIA TRANSPORT | PROTECTION OUTSIDE OF CONTROLLED AREAS

[Withdrawn: Incorporated into MP-5.]

(2) MEDIA TRANSPORT | DOCUMENTATION OF ACTIVITIES

[Withdrawn: Incorporated into MP-5.]

(3) MEDIA TRANSPORT | CUSTODIANS

Employ an identified custodian during transport of system media outside of controlled
areas.
Discussion: Identified custodians provide organizations with specific points of contact during
the media transport process and facilitate individual accountability. Custodial responsibilities
can be transferred from one individual to another if an unambiguous custodian is identified.
Related Controls: None.

(4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION

[Withdrawn: Incorporated into SC-28(1).]
References: [FIPS 199], [SP 800-60-1], [SP 800-60-2].

MP-6 MEDIA SANITIZATION

Control:
a. Sanitize [ Assignment: organization-defined system media ] prior to disposal, release out of
organizational control, or release for reuse using [ Assignment: organization-defined
sanitization techniques and procedures ]; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the
security category or classification of the information.
Discussion: Media sanitization applies to all digital and non-digital system media subject to
disposal or reuse, whether or not the media is considered removable. Examples include digital
media in scanners, copiers, printers, notebook computers, workstations, network components,
mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process
removes information from system media such that the information cannot be retrieved or
reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-
identification of personally identifiable information, and destruction—prevent the disclosure of
information to unauthorized individuals when such media is reused or released for disposal.
Organizations determine the appropriate sanitization methods, recognizing that destruction is
sometimes necessary when other methods cannot be applied to media requiring sanitization.
Organizations use discretion on the employment of approved sanitization techniques and
procedures for media that contains information deemed to be in the public domain or publicly
releasable or information deemed to have no adverse impact on organizations or individuals if
released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a
classified appendix from an otherwise unclassified document, or redacting selected sections or
words from a document by obscuring the redacted sections or words in a manner equivalent in
effectiveness to removing them from the document. NSA standards and policies control the
sanitization process for media that contains classified information. NARA policies control the
sanitization process for controlled unclassified information.
Related Controls: AC-3, AC-7, AU-11, MA-2, MA-3, MA-4, MA-5, PM-22, SI-12, SI-18, SI-19, SR-11.
Control Enhancements:

(1) MEDIA SANITIZATION | REVIEW, APPROVE, TRACK, DOCUMENT, AND VERIFY

Review, approve, track, document, and verify media sanitization and disposal actions.
Discussion: Organizations review and approve media to be sanitized to ensure compliance
with records retention policies. Tracking and documenting actions include listing personnel
who reviewed and approved sanitization and disposal actions, types of media sanitized, files
stored on the media, sanitization methods used, date and time of the sanitization actions,
personnel who performed the sanitization, verification actions taken and personnel who
performed the verification, and the disposal actions taken. Organizations verify that the
sanitization of the media was effective prior to disposal.
Related Controls: None.

(2) MEDIA SANITIZATION | EQUIPMENT TESTING

Test sanitization equipment and procedures [ Assignment: organization-defined frequency ]
to ensure that the intended sanitization is being achieved.
Discussion: Testing of sanitization equipment and procedures may be conducted by
qualified and authorized external entities, including federal agencies or external service
providers.
Related Controls: None.

(3) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES

Apply nondestructive sanitization techniques to portable storage devices prior to
connecting such devices to the system under the following circumstances: [ Assignment:
organization-defined circumstances requiring sanitization of portable storage devices ].
Discussion: Portable storage devices include external or removable hard disk drives (e.g.,
solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash
memory cards, and other external or removable disks. Portable storage devices can be
obtained from untrustworthy sources and contain malicious code that can be inserted into
or transferred to organizational systems through USB ports or other entry portals. While
scanning storage devices is recommended, sanitization provides additional assurance that
such devices are free of malicious code. Organizations consider nondestructive sanitization
of portable storage devices when the devices are purchased from manufacturers or vendors
prior to initial use or when organizations cannot maintain a positive chain of custody for the
devices.
Related Controls: None.

(4) MEDIA SANITIZATION | CONTROLLED UNCLASSIFIED INFORMATION

[Withdrawn: Incorporated into MP-6.]

(5) MEDIA SANITIZATION | CLASSIFIED INFORMATION

[Withdrawn: Incorporated into MP-6.]

(6) MEDIA SANITIZATION | MEDIA DESTRUCTION

[Withdrawn: Incorporated into MP-6.]

(7) MEDIA SANITIZATION | DUAL AUTHORIZATION

Enforce dual authorization for the sanitization of [ Assignment: organization-defined
system media ].
Discussion: Organizations employ dual authorization to help ensure that system media
sanitization cannot occur unless two technically qualified individuals conduct the designated
task. Individuals who sanitize system media possess sufficient skills and expertise to
determine if the proposed sanitization reflects applicable federal and organizational
standards, policies, and procedures. Dual authorization also helps to ensure that sanitization
occurs as intended, protecting against errors and false claims of having performed the
sanitization actions. Dual authorization may also be known as two-person control. To reduce
the risk of collusion, organizations consider rotating dual authorization duties to other
individuals.
Related Controls: AC-3, MP-2.
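An added example, not part of SP 800-53 or any NIST tooling, showing how a sanitization workflow can enforce the two-person rule of MP-6(7) while capturing the tracking elements MP-6(1) lists. The roster of qualified personnel, the media identifiers, the function names and the requirement that the verifier differ from the performer are constructed assumptions for illustration:

```python
"""Added illustration of MP-6(1) and MP-6(7): a sanitization job that cannot
proceed without two distinct, qualified approvers and that records the
tracking fields MP-6(1) calls for. Roster and identifiers are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed roster of individuals with the skills MP-6(7) expects; in practice
# this would come from the organization's personnel and training records.
QUALIFIED_SANITIZERS = {"alice", "bob", "carol"}


class DualAuthorizationError(PermissionError):
    """Raised when the two-person rule or the review/verify sequence is violated."""


@dataclass
class SanitizationRecord:
    """The MP-6(1) tracking record for one piece of media."""
    media_id: str
    media_type: str
    files_stored: List[str]
    method: str                      # e.g. "purge", "cryptographic erase", "destroy"
    approvers: List[str] = field(default_factory=list)
    performed_by: Optional[str] = None
    performed_at: Optional[str] = None
    verified_by: Optional[str] = None
    verified_at: Optional[str] = None
    disposal_action: Optional[str] = None


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def approve(rec: SanitizationRecord, person: str) -> None:
    """Record an approval; approvers must be qualified and distinct individuals."""
    if person not in QUALIFIED_SANITIZERS:
        raise DualAuthorizationError(f"{person} is not a qualified sanitizer")
    if person in rec.approvers:
        raise DualAuthorizationError(f"{person} has already approved {rec.media_id}")
    rec.approvers.append(person)


def perform(rec: SanitizationRecord, person: str) -> None:
    """Carry out the sanitization only once two distinct approvals exist (MP-6(7))."""
    if len(set(rec.approvers)) < 2:
        raise DualAuthorizationError("two distinct approvals are required before sanitizing")
    if person not in QUALIFIED_SANITIZERS:
        raise DualAuthorizationError(f"{person} is not a qualified sanitizer")
    rec.performed_by = person
    rec.performed_at = _now_iso()


def verify(rec: SanitizationRecord, person: str) -> None:
    """Verification step of MP-6(1). Requiring a verifier other than the performer
    is an assumption made in this example, not a statement of the control."""
    if rec.performed_by is None:
        raise DualAuthorizationError("nothing to verify: sanitization has not been performed")
    if person == rec.performed_by:
        raise DualAuthorizationError("verifier must differ from the person who sanitized the media")
    rec.verified_by = person
    rec.verified_at = _now_iso()


def dispose(rec: SanitizationRecord, action: str) -> None:
    """Disposal is only permitted after verification succeeded (MP-6(1))."""
    if rec.verified_by is None:
        raise DualAuthorizationError("media cannot be disposed of before verification")
    rec.disposal_action = action


def record_is_complete(rec: SanitizationRecord) -> bool:
    """True when every MP-6(1) tracking element has been captured."""
    return (len(set(rec.approvers)) >= 2 and rec.performed_by is not None
            and rec.verified_by is not None and rec.disposal_action is not None)


if __name__ == "__main__":
    rec = SanitizationRecord("TAPE-0042", "LTO tape", ["backup-2023q1.img"], "degauss")
    approve(rec, "alice")
    approve(rec, "bob")
    perform(rec, "alice")
    verify(rec, "carol")
    dispose(rec, "shredded on site")
    print(record_is_complete(rec))
```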

(8) MEDIA SANITIZATION | REMOTE PURGING OR WIPING OF INFORMATION

Provide the capability to purge or wipe information from [ Assignment: organization-
defined systems or system components ] [ Selection: remotely; under the following
conditions: [ Assignment: organization-defined conditions ]].
Discussion: Remote purging or wiping of information protects information on organizational
systems and system components if systems or components are obtained by unauthorized
individuals. Remote purge or wipe commands require strong authentication to help mitigate
the risk of unauthorized individuals purging or wiping the system, component, or device. The
purge or wipe function can be implemented in a variety of ways, including by overwriting
data or information multiple times or by destroying the key necessary to decrypt encrypted
data.
Related Controls: None.
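An added example, not part of SP 800-53, of the two points the MP-6(8) discussion makes: the purge command must be strongly authenticated, and the purge itself can be implemented by destroying the data encryption key. The device model, the HMAC-based keystream standing in for a real AES mode, the command key and the freshness window are constructed assumptions, not a production design:

```python
"""Added illustration of MP-6(8): a remote purge command that must be strongly
authenticated and that wipes by destroying the data encryption key
(cryptographic erase). The keystream construction, command key and device
model are constructed stand-ins, not a production design."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _keystream(dek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the AES mode a real
    self-encrypting drive or file system would use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(dek, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedStore:
    """Models a component whose data at rest is always encrypted under a
    single data encryption key (DEK). Nothing is ever stored in the clear."""

    def __init__(self) -> None:
        self._dek: Optional[bytes] = secrets.token_bytes(32)
        self._blobs: Dict[str, Tuple[bytes, bytes]] = {}

    def write(self, name: str, plaintext: bytes) -> None:
        if self._dek is None:
            raise PermissionError("store has been cryptographically erased")
        nonce = secrets.token_bytes(12)
        ks = _keystream(self._dek, nonce, len(plaintext))
        self._blobs[name] = (nonce, bytes(a ^ b for a, b in zip(plaintext, ks)))

    def read(self, name: str) -> bytes:
        if self._dek is None:
            raise PermissionError("data encryption key destroyed; contents unrecoverable")
        nonce, ct = self._blobs[name]
        ks = _keystream(self._dek, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

    def crypto_erase(self) -> None:
        """The purge: ciphertext stays on the medium, the key does not."""
        self._dek = None

    def ciphertext_still_present(self, name: str) -> bool:
        return name in self._blobs


def _wipe_message(nonce: bytes, issued_at: int) -> bytes:
    return b"WIPE|" + nonce + issued_at.to_bytes(8, "big")


def sign_wipe_command(command_key: bytes, nonce: bytes, issued_at: int) -> bytes:
    """What the organization's device-management service would produce."""
    return hmac.new(command_key, _wipe_message(nonce, issued_at), hashlib.sha256).digest()


class RemoteWipeAgent:
    """On-device agent: honours a wipe only when the command is authenticated,
    fresh and not a replay, so an unauthorized party cannot trigger it."""
    WINDOW_SECONDS = 300   # constructed freshness window

    def __init__(self, store: EncryptedStore, command_key: bytes) -> None:
        self._store = store
        self._command_key = command_key   # provisioned out of band at enrolment
        self._seen_nonces: set = set()

    def handle_wipe(self, nonce: bytes, issued_at: int, tag: bytes, now: int) -> bool:
        """Return True if the wipe was accepted and executed, False if rejected."""
        if nonce in self._seen_nonces or abs(now - issued_at) > self.WINDOW_SECONDS:
            return False                                  # replayed or stale
        expected = sign_wipe_command(self._command_key, nonce, issued_at)
        if not hmac.compare_digest(expected, tag):
            return False                                  # not from our management service
        self._seen_nonces.add(nonce)
        self._store.crypto_erase()
        return True
```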
References: [32 CFR 2002], [OMB A-130], [NARA CUI], [FIPS 199], [SP 800-60-1], [SP 800-60-2],
[SP 800-88], [SP 800-124], [IR 8023], [NSA MEDIA].

MP-7 MEDIA USE

Control:
a. [ Selection: Restrict; Prohibit ] the use of [ Assignment: organization-defined types of system
media ] on [ Assignment: organization-defined systems or system components ] using
[ Assignment: organization-defined controls ]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices
have no identifiable owner.
Discussion: System media includes both digital and non-digital media. Digital media includes
diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard
disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to
mobile devices with information storage capabilities. In contrast to MP-2, which restricts user
access to media, MP-7 restricts the use of certain types of media on systems, for example,
restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use
technical and nontechnical controls to restrict the use of system media. Organizations may
restrict the use of portable storage devices, for example, by using physical cages on workstations
to prohibit access to certain external ports or disabling or removing the ability to insert, read, or
write to such devices. Organizations may also limit the use of portable storage devices to only
approved devices, including devices provided by the organization, devices provided by other
approved organizations, and devices that are not personally owned. Finally, organizations may
restrict the use of portable storage devices based on the type of device, such as by prohibiting
the use of writeable, portable storage devices and implementing this restriction by disabling or
removing the capability to write to such devices. Requiring identifiable owners for storage
devices reduces the risk of using such devices by allowing organizations to assign responsibility
for addressing known vulnerabilities in the devices.
Related Controls: AC-19, AC-20, PL-4, PM-12, SC-34, SC-41.
Control Enhancements:

(1) MEDIA USE | PROHIBIT USE WITHOUT OWNER

[Withdrawn: Incorporated into MP-7.]

(2) MEDIA USE | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA

Prohibit the use of sanitization-resistant media in organizational systems.
Discussion: Sanitization resistance refers to how resistant media are to non-destructive
sanitization techniques with respect to the capability to purge information from media.
Certain types of media do not support sanitization commands, or if supported, the interfaces
are not supported in a standardized way across these devices. Sanitization-resistant media
includes compact flash, embedded flash on boards and devices, solid state drives, and USB
removable media.
Related Controls: MP-6.
References: [FIPS 199], [SP 800-111].

MP-8 MEDIA DOWNGRADING

Control:
a. Establish [ Assignment: organization-defined system media downgrading process ] that
includes employing downgrading mechanisms with strength and integrity commensurate
with the security category or classification of the information;
b. Verify that the system media downgrading process is commensurate with the security
category and/or classification level of the information to be removed and the access
authorizations of the potential recipients of the downgraded information;
c. Identify [ Assignment: organization-defined system media requiring downgrading ]; and
d. Downgrade the identified system media using the established process.
Discussion: Media downgrading applies to digital and non-digital media subject to release
outside of the organization, whether the media is considered removable or not. When applied to
system media, the downgrading process removes information from the media, typically by
security category or classification level, such that the information cannot be retrieved or
reconstructed. Downgrading of media includes redacting information to enable wider release
and distribution. Downgrading ensures that empty space on the media is devoid of information.
Related Controls: None.
Control Enhancements:

(1) MEDIA DOWNGRADING | DOCUMENTATION OF PROCESS

Document system media downgrading actions.
Discussion: Organizations can document the media downgrading process by providing
information, such as the downgrading technique employed, the identification number of the
downgraded media, and the identity of the individual that authorized and/or performed the
downgrading action.
Related Controls: None.

(2) MEDIA DOWNGRADING | EQUIPMENT TESTING

Test downgrading equipment and procedures [ Assignment: organization-defined
frequency ] to ensure that downgrading actions are being achieved.
Discussion: None.
Related Controls: None.

(3) MEDIA DOWNGRADING | CONTROLLED UNCLASSIFIED INFORMATION

Downgrade system media containing controlled unclassified information prior to public
release.
Discussion: The downgrading of controlled unclassified information uses approved
sanitization tools, techniques, and procedures.
Related Controls: None.

(4) MEDIA DOWNGRADING | CLASSIFIED INFORMATION

Downgrade system media containing classified information prior to release to individuals
without required access authorizations.
Discussion: Downgrading of classified information uses approved sanitization tools,
techniques, and procedures to transfer information confirmed to be unclassified from
classified systems to unclassified media.
Related Controls: None.

References: [32 CFR 2002], [NSA MEDIA].


3.11 PHYSICAL AND ENVIRONMENTAL PROTECTION

Quick link to Physical and Environmental Protection Summary Table

PE-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] physical and environmental protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
c. Review and update the current physical and environmental protection:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security or privacy incidents, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: AT-3, PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].

PE-2 PHYSICAL ACCESS AUTHORIZATIONS

Control:
a. Develop, approve, and maintain a list of individuals with authorized access to the facility
where the system resides;
b. Issue authorization credentials for facility access;
c. Review the access list detailing authorized facility access by individuals [ Assignment:
organization-defined frequency ]; and
d. Remove individuals from the facility access list when access is no longer required.
Discussion: Physical access authorizations apply to employees and visitors. Individuals with
permanent physical access authorization credentials are not considered visitors. Authorization
credentials include ID badges, identification cards, and smart cards. Organizations determine the
strength of authorization credentials needed consistent with applicable laws, executive orders,
directives, regulations, policies, standards, and guidelines. Physical access authorizations may not
be necessary to access certain areas within facilities that are designated as publicly accessible.
Related Controls: AT-3, AU-9, IA-4, MA-5, MP-2, PE-3, PE-4, PE-5, PE-8, PM-12, PS-3, PS-4, PS-5,
PS-6.
Control Enhancements:

(1) PHYSICAL ACCESS AUTHORIZATIONS | ACCESS BY POSITION OR ROLE

Authorize physical access to the facility where the system resides based on position or
role.
Discussion: Role-based facility access includes access by authorized permanent and
regular/routine maintenance personnel, duty officers, and emergency medical staff.
Related Controls: AC-2, AC-3, AC-6.

(2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION

Require two forms of identification from the following forms of identification for visitor
access to the facility where the system resides: [ Assignment: organization-defined list of
acceptable forms of identification ].
Discussion: Acceptable forms of identification include passports, REAL ID-compliant drivers’
licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using
automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.
Related Controls: IA-2, IA-4, IA-5.

(3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS

Restrict unescorted access to the facility where the system resides to personnel with
[ Selection (one or more): security clearances for all information contained within the
system; formal access authorizations for all information contained within the system; need
for access to all information contained within the system; [ Assignment: organization-
defined physical access authorizations ]].
Discussion: Individuals without required security clearances, access approvals, or need to
know are escorted by individuals with appropriate physical access authorizations to ensure
that information is not exposed or otherwise compromised.
Related Controls: PS-2, PS-6.
References: [FIPS 201-2], [SP 800-73-4], [SP 800-76-2], [SP 800-78-4].

PE-3 PHYSICAL ACCESS CONTROL

Control:
a. Enforce physical access authorizations at [ Assignment: organization-defined entry and exit
points to the facility where the system resides ] by:
  1. Verifying individual access authorizations before granting access to the facility; and
  2. Controlling ingress and egress to the facility using [ Selection (one or more): [ Assignment: organization-defined physical access control systems or devices ]; guards ];
b. Maintain physical access audit logs for [ Assignment: organization-defined entry or exit points ];
c. Control access to areas within the facility designated as publicly accessible by implementing
the following controls: [ Assignment: organization-defined physical access controls ];
d. Escort visitors and control visitor activity [ Assignment: organization-defined circumstances
requiring visitor escorts and control of visitor activity ];
e. Secure keys, combinations, and other physical access devices;
f. Inventory [ Assignment: organization-defined physical access devices ] every [ Assignment:
organization-defined frequency ]; and
g. Change combinations and keys [ Assignment: organization-defined frequency ] and/or when
keys are lost, combinations are compromised, or when individuals possessing the keys or
combinations are transferred or terminated.
Discussion: Physical access control applies to employees and visitors. Individuals with permanent
physical access authorizations are not considered visitors. Physical access controls for publicly
accessible areas may include physical access control logs/records, guards, or physical access
devices and barriers to prevent movement from publicly accessible areas to non-public areas.
Organizations determine the types of guards needed, including professional security staff, system
users, or administrative staff. Physical access devices include keys, locks, combinations, biometric
readers, and card readers. Physical access control systems comply with applicable laws, executive
orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in
the types of audit logs employed. Audit logs can be procedural, automated, or some combination
thereof. Physical access points can include facility access points, interior access points to systems
that require supplemental access controls, or both. Components of systems may be in areas
designated as publicly accessible with organizations controlling access to the components.
Related Controls: AT-3, AU-2, AU-6, AU-9, AU-13, CP-10, IA-3, IA-8, MA-5, MP-2, MP-4, PE-2,
PE-4, PE-5, PE-8, PS-2, PS-3, PS-6, PS-7, RA-3, SC-28, SI-4, SR-3.
Control Enhancements:

(1) PHYSICAL ACCESS CONTROL | SYSTEM ACCESS

Enforce physical access authorizations to the system in addition to the physical access
controls for the facility at [ Assignment: organization-defined physical spaces containing
one or more components of the system ].
Discussion: Control of physical access to the system provides additional physical security for
those areas within facilities where there is a concentration of system components.
Related Controls: None.

(2) PHYSICAL ACCESS CONTROL | FACILITY AND SYSTEMS

Perform security checks [ Assignment: organization-defined frequency ] at the physical
perimeter of the facility or system for exfiltration of information or removal of system
components.
Discussion: Organizations determine the extent, frequency, and/or randomness of security
checks to adequately mitigate risk associated with exfiltration.
Related Controls: AC-4, SC-7.

(3) PHYSICAL ACCESS CONTROL | CONTINUOUS GUARDS

Employ guards to control [ Assignment: organization-defined physical access points ] to the
facility where the system resides 24 hours per day, 7 days per week.
Discussion: Employing guards at selected physical access points to the facility provides a
more rapid response capability for organizations. Guards also provide the opportunity for
human surveillance in areas of the facility not covered by video surveillance.
Related Controls: CP-6, CP-7, PE-6.

(4) PHYSICAL ACCESS CONTROL | LOCKABLE CASINGS

Use lockable physical casings to protect [ Assignment: organization-defined system
components ] from unauthorized physical access.
Discussion: The greatest risk from the use of portable devices—such as smart phones,
tablets, and notebook computers—is theft. Organizations can employ lockable, physical
casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of
sizes, from units that protect a single notebook computer to full cabinets that can protect
multiple servers, computers, and peripherals. Lockable physical casings can be used in
conjunction with cable locks or lockdown plates to prevent the theft of the locked casing
containing the computer equipment.
Related Controls: None.

(5) PHYSICAL ACCESS CONTROL | TAMPER PROTECTION

Employ [ Assignment: organization-defined anti-tamper technologies ] to [ Selection (one or
more): detect; prevent ] physical tampering or alteration of [ Assignment: organization-
defined hardware components ] within the system.
Discussion: Organizations can implement tamper detection and prevention at selected
hardware components or implement tamper detection at some components and tamper
prevention at other components. Detection and prevention activities can employ many
types of anti-tamper technologies, including tamper-detection seals and anti-tamper
coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting
and other supply chain-related risks.
Related Controls: SA-16, SR-9, SR-11.

(6) PHYSICAL ACCESS CONTROL | FACILITY PENETRATION TESTING

[Withdrawn: Incorporated into CA-8.]

(7) PHYSICAL ACCESS CONTROL | PHYSICAL BARRIERS

Limit access using physical barriers.
Discussion: Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic
active vehicle barriers.
Related Controls: None.

(8) PHYSICAL ACCESS CONTROL | ACCESS CONTROL VESTIBULES

Employ access control vestibules at [ Assignment: organization-defined locations within the
facility ].
Discussion: An access control vestibule, or mantrap, is part of a physical access control
system that typically provides a space between two sets of interlocking doors. Mantraps are
designed to prevent unauthorized individuals from following authorized individuals into
facilities with controlled access. This activity, also known as piggybacking or tailgating,
results in unauthorized access to the facility. Interlocking door controllers can be used to
limit the number of individuals who enter controlled access points and to provide
containment areas while authorization for physical access is verified. Interlocking door
controllers can be fully automated (i.e., controlling the opening and closing of the doors) or
partially automated (i.e., using security guards to control the number of individuals entering
the containment area).
Related Controls: None.
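The interlocking-door behaviour described in the discussion, modelled as an added example (not part of NIST SP 800-53): at most one door is ever open, the occupancy limit blocks a follower, and the inner door opens only after every occupant in the containment area has been verified. Badge identifiers and the occupancy limit of one are constructed assumptions.

```python
"""Access control vestibule (mantrap) interlock model; added example, not NIST text."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Door(Enum):
    OUTER = "outer"
    INNER = "inner"


class InterlockViolation(Exception):
    """A request that would break a vestibule invariant; the door stays shut."""


@dataclass
class Vestibule:
    max_occupancy: int = 1                        # assumed organization-defined limit
    open_door: Optional[Door] = None              # invariant: at most one door open
    occupants: set = field(default_factory=set)   # badges held between the doors
    verified: set = field(default_factory=set)    # occupants whose authorization passed
    events: list = field(default_factory=list)    # audit trail of controller decisions

    def _check(self, ok: bool, msg: str) -> None:
        if not ok:
            self.events.append(f"DENIED: {msg}")
            raise InterlockViolation(msg)

    def open_outer(self) -> None:
        # Outer door may open only while the inner door is closed.
        self._check(self.open_door != Door.INNER, "inner door open")
        self.open_door = Door.OUTER

    def admit(self, badge: str) -> None:
        # One person steps from outside into the containment area.
        self._check(self.open_door == Door.OUTER, "outer door closed")
        self._check(len(self.occupants) < self.max_occupancy,
                    f"{badge} refused: occupancy limit reached (tailgating)")
        self.occupants.add(badge)
        self.events.append(f"admitted {badge}")

    def close_outer(self) -> None:
        if self.open_door == Door.OUTER:
            self.open_door = None

    def verify(self, badge: str, authorized: bool) -> None:
        # Authorization is checked while the person is held between the doors.
        self._check(badge in self.occupants, f"{badge} not in vestibule")
        if authorized:
            self.verified.add(badge)
        self.events.append(f"{'verified' if authorized else 'authorization failed for'} {badge}")

    def open_inner(self) -> None:
        # Inner door opens only with the outer door closed and every occupant verified.
        self._check(self.open_door != Door.OUTER, "outer door open")
        self._check(bool(self.occupants), "vestibule empty")
        self._check(not (self.occupants - self.verified), "unverified occupant present")
        self.open_door = Door.INNER

    def release(self, badge: str) -> None:
        # A verified occupant passes through the inner door into the facility.
        self._check(self.open_door == Door.INNER, "inner door closed")
        self._check(badge in self.verified, f"{badge} not verified")
        self.occupants.discard(badge)
        self.verified.discard(badge)
        self.events.append(f"released {badge} into facility")

    def eject(self, badge: str) -> None:
        # An unverified occupant is sent back out through the outer door.
        self._check(badge in self.occupants, f"{badge} not in vestibule")
        self.open_outer()
        self.occupants.discard(badge)
        self.close_outer()
        self.events.append(f"ejected {badge}")

    def close_inner(self) -> None:
        if self.open_door == Door.INNER:
            self.open_door = None


def tailgate_scenario() -> tuple:
    """B-1001 is admitted; B-2002 tries to follow through the still-open outer
    door. Returns (follower_blocked, holder_entered_facility, events)."""
    v = Vestibule(max_occupancy=1)
    v.open_outer()
    v.admit("B-1001")
    try:
        v.admit("B-2002")
        blocked = False
    except InterlockViolation:
        blocked = True
    v.close_outer()
    v.verify("B-1001", authorized=True)
    v.open_inner()
    v.release("B-1001")
    v.close_inner()
    return blocked, "B-1001" not in v.occupants, v.events


def denied_scenario() -> tuple:
    """B-3003 fails authorization: the inner door must refuse to open and the
    person stays contained until ejected. Returns (inner_refused, occupants)."""
    v = Vestibule()
    v.open_outer()
    v.admit("B-3003")
    v.close_outer()
    v.verify("B-3003", authorized=False)
    try:
        v.open_inner()
        refused = False
    except InterlockViolation:
        refused = True
    v.eject("B-3003")
    return refused, set(v.occupants)
```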
References: [FIPS 201-2], [SP 800-73-4], [SP 800-76-2], [SP 800-78-4], [SP 800-116].

PE-4 ACCESS CONTROL FOR TRANSMISSION

Control: Control physical access to [ Assignment: organization-defined system distribution and
transmission lines ] within organizational facilities using [ Assignment: organization-defined
security controls ].
Discussion: Security controls applied to system distribution and transmission lines prevent
accidental damage, disruption, and physical tampering. Such controls may also be necessary to
prevent eavesdropping or modification of unencrypted transmissions. Security controls used to
control physical access to system distribution and transmission lines include disconnected or
locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and
wiretapping sensors.
Related Controls: AT-3, IA-4, MP-2, MP-4, PE-2, PE-3, PE-5, PE-9, SC-7, SC-8.
Control Enhancements: None.
References: None.

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

Control: Control physical access to output from [ Assignment: organization-defined output
devices ] to prevent unauthorized individuals from obtaining the output.
Discussion: Controlling physical access to output devices includes placing output devices in
locked rooms or other secured areas with keypad or card reader access controls and allowing
access to authorized individuals only, placing output devices in locations that can be monitored
by personnel, installing monitor or screen filters, and using headphones. Examples of output
devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

Related Controls: PE-2, PE-3, PE-4, PE-18.
Control Enhancements:

(1) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS

[Withdrawn: Incorporated into PE-5.]

(2) ACCESS CONTROL FOR OUTPUT DEVICES | LINK TO INDIVIDUAL IDENTITY

Link individual identity to receipt of output from output devices.
Discussion: Methods for linking individual identity to the receipt of output from output
devices include installing security functionality on facsimile machines, copiers, and printers.
Such functionality allows organizations to implement authentication on output devices prior
to the release of output to individuals.
Related Controls: None.

(3) ACCESS CONTROL FOR OUTPUT DEVICES | MARKING OUTPUT DEVICES

[Withdrawn: Incorporated into PE-22.]
References: [IR 8023].

PE-6 MONITORING PHYSICAL ACCESS

Control:
a. Monitor physical access to the facility where the system resides to detect and respond to
physical security incidents;
b. Review physical access logs [ Assignment: organization-defined frequency ] and upon
occurrence of [ Assignment: organization-defined events or potential indications of events ];
and
c. Coordinate results of reviews and investigations with the organizational incident response
capability.
Discussion: Physical access monitoring includes publicly accessible areas within organizational
facilities. Examples of physical access monitoring include the employment of guards, video
surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can
help identify suspicious activity, anomalous events, or potential threats. The reviews can be
supported by audit logging controls, such as AU-2, if the access logs are part of an automated
system. Organizational incident response capabilities include investigations of physical security
incidents and responses to the incidents. Incidents include security violations or suspicious
physical access activities. Suspicious physical access activities include accesses outside of normal
work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of
time, and out-of-sequence accesses.
Related Controls: AU-2, AU-6, AU-9, AU-12, CA-7, CP-10, IR-4, IR-8.
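An added example (not part of NIST SP 800-53) of the physical access log review the discussion calls for: it runs the four suspicious-activity patterns named above, after-hours access, repeated access to areas a badge holder does not normally use, unusually long presence, and out-of-sequence badge events, over constructed log lines. The log format, badge identifiers, baseline areas, the 07:00 to 20:00 work window and the four-hour dwell limit are all assumptions.

```python
"""Physical access log review for PE-6; added example with constructed data."""
import csv
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log: timestamp,badge,area,action (entry|exit), unsorted on purpose.
SAMPLE_LOG = """\
2024-03-04T08:02:11,B-1001,lobby,entry
2024-03-04T08:03:40,B-1001,server_room,entry
2024-03-04T09:15:02,B-1001,server_room,exit
2024-03-04T23:41:55,B-2002,server_room,entry
2024-03-05T00:10:12,B-2002,server_room,exit
2024-03-04T10:00:00,B-3003,media_vault,entry
2024-03-04T10:05:00,B-3003,media_vault,exit
2024-03-04T10:30:00,B-3003,media_vault,entry
2024-03-04T10:35:00,B-3003,media_vault,exit
2024-03-04T11:00:00,B-3003,media_vault,entry
2024-03-04T11:05:00,B-3003,media_vault,exit
2024-03-04T13:00:00,B-4004,server_room,entry
2024-03-04T19:30:00,B-4004,server_room,exit
2024-03-04T14:00:00,B-5005,server_room,exit
2024-03-04T14:10:00,B-5005,server_room,entry
2024-03-04T14:12:00,B-5005,server_room,entry
"""

# Assumed baseline: areas each badge holder normally accesses.
BASELINE = {
    "B-1001": {"lobby", "server_room"},
    "B-2002": {"lobby", "server_room"},
    "B-3003": {"lobby", "office"},
    "B-4004": {"lobby", "server_room"},
    "B-5005": {"lobby", "server_room"},
}


@dataclass(frozen=True)
class Finding:
    badge: str
    kind: str     # after_hours | unusual_area_repeated | long_dwell | out_of_sequence
    detail: str


def parse(log_text: str) -> list:
    """Parse CSV log lines and sort them chronologically."""
    rows = [(datetime.fromisoformat(ts), badge, area, action)
            for ts, badge, area, action in csv.reader(StringIO(log_text))]
    rows.sort(key=lambda r: r[0])
    return rows


def review(log_text: str, baseline: dict, work_hours: tuple = (7, 20),
           max_dwell: timedelta = timedelta(hours=4), repeat_threshold: int = 3) -> list:
    """Return Findings for the suspicious patterns named in the PE-6 discussion."""
    findings = []
    inside = {}            # (badge, area) -> time of the open entry event
    unusual = Counter()    # (badge, area) -> entries to areas outside the baseline
    for ts, badge, area, action in parse(log_text):
        key = (badge, area)
        # 1. Access outside normal work hours.
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append(Finding(badge, "after_hours", f"{action} {area} at {ts.isoformat()}"))
        if action == "entry":
            # 2. Access to an area this badge holder does not normally use.
            if area not in baseline.get(badge, set()):
                unusual[key] += 1
            # 4. Second entry with no intervening exit (anti-passback violation).
            if key in inside:
                findings.append(Finding(badge, "out_of_sequence",
                                        f"entry to {area} at {ts} with no exit since {inside[key]}"))
            inside[key] = ts
        elif action == "exit":
            if key not in inside:
                # 4. Exit recorded without a matching entry.
                findings.append(Finding(badge, "out_of_sequence",
                                        f"exit from {area} at {ts} without prior entry"))
            else:
                # 3. Unusually long presence in the area.
                dwell = ts - inside.pop(key)
                if dwell > max_dwell:
                    findings.append(Finding(badge, "long_dwell", f"{dwell} in {area}"))
    for (badge, area), n in unusual.items():
        if n >= repeat_threshold:
            findings.append(Finding(badge, "unusual_area_repeated",
                                    f"{n} entries to {area}, not in baseline"))
    return findings


FINDINGS = review(SAMPLE_LOG, BASELINE)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.badge:7} {f.kind:22} {f.detail}")
```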
Control Enhancements:

(1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS AND SURVEILLANCE EQUIPMENT

Monitor physical access to the facility where the system resides using physical intrusion
alarms and surveillance equipment.
Discussion: Physical intrusion alarms can be employed to alert security personnel when
unauthorized access to the facility is attempted. Alarm systems work in conjunction with
physical barriers, physical access control systems, and security guards by triggering a
response when these other forms of security have been compromised or breached. Physical
intrusion alarms can include different types of sensor devices, such as motion sensors,
contact sensors, and broken glass sensors. Surveillance equipment includes video cameras
installed at strategic locations throughout the facility.
Related Controls: None.

(2) MONITORING PHYSICAL ACCESS | AUTOMATED INTRUSION RECOGNITION AND RESPONSES

Recognize [ Assignment: organization-defined classes or types of intrusions ] and initiate
[ Assignment: organization-defined response actions ] using [ Assignment: organization-
defined automated mechanisms ].
Discussion: Response actions can include notifying selected organizational personnel or law
enforcement personnel. Automated mechanisms implemented to initiate response actions
include system alert notifications, email and text messages, and activating door locking
mechanisms. Physical access monitoring can be coordinated with intrusion detection
systems and system monitoring capabilities to provide integrated threat coverage for the
organization.
Related Controls: SI-4.

(3) MONITORING PHYSICAL ACCESS | VIDEO SURVEILLANCE

(a) Employ video surveillance of [ Assignment: organization-defined operational areas ];
(b) Review video recordings [ Assignment: organization-defined frequency ]; and
(c) Retain video recordings for [ Assignment: organization-defined time period ].
Discussion: Video surveillance focuses on recording activity in specified areas for the
purposes of subsequent review, if circumstances so warrant. Video recordings are typically
reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not
required, although organizations may choose to do so. There may be legal considerations
when performing and retaining video surveillance, especially if such surveillance is in a public
location.
Related Controls: None.

(4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO SYSTEMS

Monitor physical access to the system in addition to the physical access monitoring of the
facility at [ Assignment: organization-defined physical spaces containing one or more
components of the system ].
Discussion: Monitoring physical access to systems provides additional monitoring for those
areas within facilities where there is a concentration of system components, including server
rooms, media storage areas, and communications centers. Physical access monitoring can be
coordinated with intrusion detection systems and system monitoring capabilities to provide
comprehensive and integrated threat coverage for the organization.
Related Controls: None.
References: None.

PE-7 VISITOR CONTROL

[Withdrawn: Incorporated into PE-2 and PE-3.]

PE-8 VISITOR ACCESS RECORDS

Control:
a. Maintain visitor access records to the facility where the system resides for [ Assignment:
organization-defined time period ];
b. Review visitor access records [ Assignment: organization-defined frequency ]; and
c. Report anomalies in visitor access records to [ Assignment: organization-defined personnel ].
Discussion: Visitor access records include the names and organizations of individuals visiting,
visitor signatures, forms of identification, dates of access, entry and departure times, purpose of
visits, and the names and organizations of individuals visited. Access record reviews determine if
access authorizations are current and are still required to support organizational mission and
business functions. Access records are not required for publicly accessible areas.
Related Controls: PE-2, PE-3, PE-6.
Control Enhancements:

(1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE AND REVIEW

Maintain and review visitor access records using [ Assignment: organization-defined
automated mechanisms ].
Discussion: Visitor access records may be stored and maintained in a database management
system that is accessible by organizational personnel. Automated access to such records
facilitates record reviews on a regular basis to determine if access authorizations are current
and still required to support organizational mission and business functions.
Related Controls: None.

(2) VISITOR ACCESS RECORDS | PHYSICAL ACCESS RECORDS

[Withdrawn: Incorporated into PE-2.]

(3) VISITOR ACCESS RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS

Limit personally identifiable information contained in visitor access records to the
following elements identified in the privacy risk assessment: [ Assignment: organization-
defined elements ].
Discussion: Organizations may have requirements that specify the contents of visitor access
records. Limiting personally identifiable information in visitor access records when such
information is not needed for operational purposes helps reduce the level of privacy risk
created by a system.
Related Controls: RA-3, SA-8.
References: None.

PE-9 POWER EQUIPMENT AND CABLING

Control: Protect power equipment and power cabling for the system from damage and
destruction.
Discussion: Organizations determine the types of protection necessary for the power equipment
and cabling employed at different locations that are both internal and external to organizational
facilities and environments of operation. Types of power equipment and cabling include internal
cabling and uninterruptable power sources in offices or data centers, generators and power
cabling outside of buildings, and power sources for self-contained components such as satellites,
vehicles, and other deployable systems.
Related Controls: PE-4.
Control Enhancements:

(1) POWER EQUIPMENT AND CABLING | REDUNDANT CABLING

Employ redundant power cabling paths that are physically separated by [ Assignment:
organization-defined distance ].
Discussion: Physically separate and redundant power cables ensure that power continues to
flow in the event that one of the cables is cut or otherwise damaged.
Related Controls: None.

(2) POWER EQUIPMENT AND CABLING | AUTOMATIC VOLTAGE CONTROLS

Employ automatic voltage controls for [ Assignment: organization-defined critical system
components ].
Discussion: Automatic voltage controls can monitor and control voltage. Such controls
include voltage regulators, voltage conditioners, and voltage stabilizers.
Related Controls: None.
References: None.

PE-10 EMERGENCY SHUTOFF

Control:
a. Provide the capability of shutting off power to [ Assignment: organization-defined system or
individual system components ] in emergency situations;
b. Place emergency shutoff switches or devices in [ Assignment: organization-defined location
by system or system component ] to facilitate access for authorized personnel; and
c. Protect emergency power shutoff capability from unauthorized activation.
Discussion: Emergency power shutoff primarily applies to organizational facilities that contain
concentrations of system resources, including data centers, mainframe computer rooms, server
rooms, and areas with computer-controlled machinery.
Related Controls: PE-15.
Control Enhancements:

(1) EMERGENCY SHUTOFF | ACCIDENTAL AND UNAUTHORIZED ACTIVATION

[Withdrawn: Incorporated into PE-10.]
References: None.

PE-11 EMERGENCY POWER

Control: Provide an uninterruptible power supply to facilitate [ Selection (one or more): an
orderly shutdown of the system; transition of the system to long-term alternate power ] in the
event of a primary power source loss.
Discussion: An uninterruptible power supply (UPS) is an electrical system or mechanism that
provides emergency power when there is a failure of the main power source. A UPS is typically
used to protect computers, data centers, telecommunication equipment, or other electrical
equipment where an unexpected power disruption could cause injuries, fatalities, serious
mission or business disruption, or loss of data or information. A UPS differs from an emergency
power system or backup generator in that the UPS provides near-instantaneous protection from
unanticipated power interruptions from the main power source by providing energy stored in
batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but
provides sufficient time to start a standby power source, such as a backup generator, or properly
shut down the system.
Related Controls: AT-3, CP-2, CP-7.
Control Enhancements:

(1) EMERGENCY POWER | ALTERNATE POWER SUPPLY — MINIMAL OPERATIONAL CAPABILITY

Provide an alternate power supply for the system that is activated [ Selection: manually;
automatically ] and that can maintain minimally required operational capability in the
event of an extended loss of the primary power source.
Discussion: Provision of an alternate power supply with minimal operating capability can be
satisfied by accessing a secondary commercial power supply or other external power supply.
Related Controls: None.

(2) EMERGENCY POWER | ALTERNATE POWER SUPPLY — SELF-CONTAINED

Provide an alternate power supply for the system that is activated [ Selection: manually;
automatically ] and that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining [ Selection: minimally required operational capability; full
operational capability ] in the event of an extended loss of the primary power source.
Discussion: The provision of a long-term, self-contained power supply can be satisfied by
using one or more generators with sufficient capacity to meet the needs of the organization.
Related Controls: None.
References: None.

PE-12 EMERGENCY LIGHTING

Control: Employ and maintain automatic emergency lighting for the system that activates in the
event of a power outage or disruption and that covers emergency exits and evacuation routes
within the facility.
Discussion: The provision of emergency lighting applies primarily to organizational facilities that
contain concentrations of system resources, including data centers, server rooms, and
mainframe computer rooms. Emergency lighting provisions for the system are described in the
contingency plan for the organization. If emergency lighting for the system fails or cannot be
provided, organizations consider alternate processing sites for power-related contingencies.
Related Controls: CP-2, CP-7.
Control Enhancements:

(1) EMERGENCY LIGHTING | ESSENTIAL MISSION AND BUSINESS FUNCTIONS

Provide emergency lighting for all areas within the facility supporting essential mission and
business functions.
Discussion: Organizations define their essential missions and functions.
Related Controls: None.
References: None.

PE-13 FIRE PROTECTION

Control: Employ and maintain fire detection and suppression systems that are supported by an
independent energy source.
Discussion: The provision of fire detection and suppression systems applies primarily to
organizational facilities that contain concentrations of system resources, including data centers,
server rooms, and mainframe computer rooms. Fire detection and suppression systems that may
require an independent energy source include sprinkler systems and smoke detectors. An
independent energy source is an energy source, such as a microgrid, that is separate, or can be
separated, from the energy sources providing power for the other parts of the facility.
Related Controls: AT-3.
Control Enhancements:

(1) FIRE PROTECTION | DETECTION SYSTEMS – AUTOMATIC ACTIVATION AND NOTIFICATION

Employ fire detection systems that activate automatically and notify [ Assignment:
organization-defined personnel or roles ] and [ Assignment: organization-defined
emergency responders ] in the event of a fire.
Discussion: Organizations can identify personnel, roles, and emergency responders if
individuals on the notification list need to have access authorizations or clearances (e.g., to
enter facilities where access is restricted due to the classification or impact level of
information within the facility). Notification mechanisms may require independent energy
sources to ensure that the notification capability is not adversely affected by the fire.
Related Controls: None.

(2) FIRE PROTECTION | SUPPRESSION SYSTEMS – AUTOMATIC ACTIVATION AND NOTIFICATION

(a) Employ fire suppression systems that activate automatically and notify [ Assignment:
organization-defined personnel or roles ] and [ Assignment: organization-defined
emergency responders ]; and
(b) Employ an automatic fire suppression capability when the facility is not staffed on a
continuous basis.
Discussion: Organizations can identify specific personnel, roles, and emergency responders
if individuals on the notification list need to have appropriate access authorizations and/or
clearances (e.g., to enter facilities where access is restricted due to the impact level or
classification of information within the facility). Notification mechanisms may require
independent energy sources to ensure that the notification capability is not adversely
affected by the fire.
Related Controls: None.

(3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION

[Withdrawn: Incorporated into PE-13(2).]

(4) FIRE PROTECTION | INSPECTIONS

Ensure that the facility undergoes [ Assignment: organization-defined frequency ] fire
protection inspections by authorized and qualified inspectors and identified deficiencies
are resolved within [ Assignment: organization-defined time period ].
Discussion: Authorized and qualified personnel within the jurisdiction of the organization
include state, county, and city fire inspectors and fire marshals. Organizations provide
escorts during inspections in situations where the systems that reside within the facilities
contain sensitive information.
Related Controls: None.
References: None.

PE-14 ENVIRONMENTAL CONTROLS

Control:
a. Maintain [ Selection (one or more): temperature; humidity; pressure; radiation; [ Assignment:
organization-defined environmental control ]] levels within the facility where the system
resides at [ Assignment: organization-defined acceptable levels ]; and
b. Monitor environmental control levels [ Assignment: organization-defined frequency ].
Discussion: The provision of environmental controls applies primarily to organizational facilities
that contain concentrations of system resources (e.g., data centers, mainframe computer rooms,
and server rooms). Insufficient environmental controls, especially in very harsh environments,
can have a significant adverse impact on the availability of systems and system components that
are needed to support organizational mission and business functions.
Related Controls: AT-3, CP-2.
Control Enhancements:

(1) ENVIRONMENTAL CONTROLS | AUTOMATIC CONTROLS

Employ the following automatic environmental controls in the facility to prevent
fluctuations potentially harmful to the system: [ Assignment: organization-defined
automatic environmental controls ].
Discussion: The implementation of automatic environmental controls provides an
immediate response to environmental conditions that can damage, degrade, or destroy
organizational systems or systems components.
Related Controls: None.

(2) ENVIRONMENTAL CONTROLS | MONITORING WITH ALARMS AND NOTIFICATIONS

Employ environmental control monitoring that provides an alarm or notification of
changes potentially harmful to personnel or equipment to [ Assignment: organization-
defined personnel or roles ].
Discussion: The alarm or notification may be an audible alarm or a visual message in real
time to personnel or roles defined by the organization. Such alarms and notifications can
help minimize harm to individuals and damage to organizational assets by facilitating a
timely incident response.
Related Controls: None.
References: None.

PE-15 WATER DAMAGE PROTECTION

Control: Protect the system from damage resulting from water leakage by providing master
shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Discussion: The provision of water damage protection primarily applies to organizational
facilities that contain concentrations of system resources, including data centers, server rooms,
and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of
master shutoff valves to shut off water supplies in specific areas of concern without affecting
entire organizations.
Related Controls: AT-3, PE-10.
Control Enhancements:

(1) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT

Detect the presence of water near the system and alert [ Assignment: organization-defined
personnel or roles ] using [ Assignment: organization-defined automated mechanisms ].
Discussion: Automated mechanisms include notification systems, water detection sensors,
and alarms.
Related Controls: None.
References: None.

PE-16 DELIVERY AND REMOVAL

Control:
a. Authorize and control [ Assignment: organization-defined types of system components ]
entering and exiting the facility; and
b. Maintain records of the system components.
Discussion: Enforcing authorizations for entry and exit of system components may require
restricting access to delivery areas and isolating the areas from the system and media libraries.
Related Controls: CM-3, CM-8, MA-2, MA-3, MP-5, PE-20, SR-2, SR-3, SR-4, SR-6.
Control Enhancements: None.
References: None.

PE-17 ALTERNATE WORK SITE

Control:
a. Determine and document the [ Assignment: organization-defined alternate work sites ]
allowed for use by employees;
b. Employ the following controls at alternate work sites: [ Assignment: organization-defined
controls ];
c. Assess the effectiveness of controls at alternate work sites; and
d. Provide a means for employees to communicate with information security and privacy
personnel in case of incidents.
Discussion: Alternate work sites include government facilities or the private residences of
employees. While distinct from alternative processing sites, alternate work sites can provide
readily available alternate locations during contingency operations. Organizations can define
different sets of controls for specific alternate work sites or types of sites depending on the
work-related activities conducted at the sites. Implementing and assessing the effectiveness of
organization-defined controls and providing a means to communicate incidents at alternate work
sites supports the contingency planning activities of organizations.
Related Controls: AC-17, AC-18, CP-7.
Control Enhancements: None.
References: [SP 800-46].

PE-18 LOCATION OF SYSTEM COMPONENTS

Control: Position system components within the facility to minimize potential damage from
[ Assignment: organization-defined physical and environmental hazards ] and to minimize the
opportunity for unauthorized access.
Discussion: Physical and environmental hazards include floods, fires, tornadoes, earthquakes,
hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other
forms of incoming electromagnetic radiation. Organizations consider the location of entry points
where unauthorized individuals, while not being granted access, might nonetheless be near
systems. Such proximity can increase the risk of unauthorized access to organizational
communications using wireless packet sniffers or microphones, or unauthorized disclosure of
information.
Related Controls: CP-2, PE-5, PE-19, PE-20, RA-3.
Control Enhancements:

(1) LOCATION OF SYSTEM COMPONENTS | FACILITY SITE

[Withdrawn: Moved to PE-23.]
References: None.

PE-19 INFORMATION LEAKAGE

Control: Protect the system from information leakage due to electromagnetic signals
emanations.
Discussion: Information leakage is the intentional or unintentional release of data or information
to an untrusted environment from electromagnetic signals emanations. The security categories
or classifications of systems (with respect to confidentiality), organizational security policies, and
risk tolerance guide the selection of controls employed to protect systems against information
leakage due to electromagnetic signals emanations.
Related Controls: AC-18, PE-18, PE-20.
Control Enhancements:

(1) INFORMATION LEAKAGE | NATIONAL EMISSIONS AND TEMPEST POLICIES AND PROCEDURES

Protect system components, associated data communications, and networks in accordance
with national Emissions Security policies and procedures based on the security category or
classification of the information.
Discussion: Emissions Security (EMSEC) policies include the former TEMPEST policies.
Related Controls: None.
References: [FIPS 199].

PE-20 ASSET MONITORING AND TRACKING

Control: Employ [ Assignment: organization-defined asset location technologies ] to track and
monitor the location and movement of [ Assignment: organization-defined assets ] within
[ Assignment: organization-defined controlled areas ].
Discussion: Asset location technologies can help ensure that critical assets—including vehicles,
equipment, and system components—remain in authorized locations. Organizations consult with
the Office of the General Counsel and senior agency official for privacy regarding the deployment
and use of asset location technologies to address potential privacy concerns.
Related Controls: CM-8, PE-16, PM-8.
Control Enhancements: None.
References: None.

PE-21 ELECTROMAGNETIC PULSE PROTECTION

Control: Employ [ Assignment: organization-defined protective measures ] against
electromagnetic pulse damage for [ Assignment: organization-defined systems and system
components ].
Discussion: An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is
spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP
interference may be disruptive or damaging to electronic equipment. Protective measures used
to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth
grounding. EMP protection may be especially significant for systems and applications that are
part of the U.S. critical infrastructure.
Related Controls: PE-18, PE-19.
Control Enhancements: None.
References: None.

PE-22 COMPONENT MARKING

Control: Mark [ Assignment: organization-defined system hardware components ] indicating the
impact level or classification level of the information permitted to be processed, stored, or
transmitted by the hardware component.
Discussion: Hardware components that may require marking include input and output devices.
Input devices include desktop and notebook computers, keyboards, tablets, and smart phones.
Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers,
and audio devices. Permissions controlling output to the output devices are addressed in AC-3 or
AC-4. Components are marked to indicate the impact level or classification level of the system to
which the devices are connected, or the impact level or classification level of the information
permitted to be output. Security marking refers to the use of human-readable security attributes.
Security labeling refers to the use of security attributes for internal system data structures.
Security marking is generally not required for hardware components that process, store, or
transmit information determined by organizations to be in the public domain or to be publicly
releasable. However, organizations may require markings for hardware components that
process, store, or transmit public information in order to indicate that such information is
publicly releasable. Marking of system hardware components reflects applicable laws, executive
orders, directives, policies, regulations, and standards.
Related Controls: AC-3, AC-4, AC-16, MP-3.
Control Enhancements: None.
References: [IR 8023].

PE-23 FACILITY LOCATION

Control:
a. Plan the location or site of the facility where the system resides considering physical and
environmental hazards; and
b. For existing facilities, consider the physical and environmental hazards in the organizational
risk management strategy.
Discussion: Physical and environmental hazards include floods, fires, tornadoes, earthquakes,
hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other
forms of incoming electromagnetic radiation. The location of system components within the
facility is addressed in PE-18.
Related Controls: CP-2, PE-18, PE-19, PM-8, PM-9, RA-3.
Control Enhancements: None.
References: None.

3.12 PLANNING

Quick link to Planning Summary Table

PL-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] planning policy that:
     (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the planning policy and procedures; and
c. Review and update the current planning:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Planning policy and procedures address the controls in the PL family that are
implemented within systems and organizations. The risk management strategy is an important
factor in establishing such policies and procedures. Policies and procedures contribute to
security and privacy assurance. Therefore, it is important that security and privacy programs
collaborate on their development. Security and privacy program policies and procedures at the
organization level are preferable, in general, and may obviate the need for mission-level or
system-specific policies and procedures. The policy can be included as part of the general
security and privacy policy or be represented by multiple policies that reflect the complex
nature of organizations. Procedures can be established for security and privacy programs, for
mission/business processes, and for systems, if needed. Procedures describe how the policies or
controls are implemented and can be directed at the individual or role that is the object of the
procedure. Procedures can be documented in system security and privacy plans or in one or more
separate documents. Events that may precipitate an update to planning policy and procedures
include, but are not limited to, assessment or audit findings, security or privacy incidents, or
changes in laws, executive orders, directives, regulations, policies, standards, and guidelines.
Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [OMB A-130], [SP 800-12], [SP 800-18], [SP 800-30], [SP 800-39], [SP 800-100].

PL-2 SYSTEM SECURITY AND PRIVACY PLANS

Control:
a. Develop security and privacy plans for the system that:
  1. Are consistent with the organization’s enterprise architecture;
  2. Explicitly define the constituent system components;
  3. Describe the operational context of the system in terms of mission and business processes;
  4. Identify the individuals that fulfill system roles and responsibilities;
  5. Identify the information types processed, stored, and transmitted by the system;
  6. Provide the security categorization of the system, including supporting rationale;
  7. Describe any specific threats to the system that are of concern to the organization;
  8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
  9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
  10. Provide an overview of the security and privacy requirements for the system;
  11. Identify any relevant control baselines or overlays, if applicable;
  12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
  13. Include risk determinations for security and privacy architecture and design decisions;
  14. Include security- and privacy-related activities affecting the system that require planning and coordination with [ Assignment: organization-defined individuals or groups ]; and
  15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to [ Assignment: organization-defined personnel or roles ];
c. Review the plans [ Assignment: organization-defined frequency ];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.
Discussion: System security and privacy plans are scoped to the system and system components
within the defined authorization boundary and contain an overview of the security and privacy
requirements for the system and the controls selected to satisfy the requirements. The plans
describe the intended application of each selected control in the context of the system with a
sufficient level of detail to correctly implement the control and to subsequently assess the
effectiveness of the control. The control documentation describes how system-specific and
hybrid controls are implemented and the plans and expectations regarding the functionality of
the system. System security and privacy plans can also be used in the design and development of
systems in support of life cycle-based security and privacy engineering processes. System
security and privacy plans are living documents that are updated and adapted throughout the
system development life cycle (e.g., during capability determination, analysis of alternatives,
requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are
relevant to organizations during the system development life cycle and the relationship between
requirements and controls.
Organizations may develop a single, integrated security and privacy plan or maintain separate
plans. Security and privacy plans relate security and privacy requirements to a set of controls and
control enhancements. The plans describe how the controls and control enhancements meet the
security and privacy requirements but do not provide detailed, technical descriptions of the
design or implementation of the controls and control enhancements. Security and privacy plans
contain sufficient information (including specifications of control parameter values for selection
and assignment operations explicitly or by reference) to enable a design and implementation
that is unambiguously compliant with the intent of the plans and subsequent determinations of
risk to organizational operations and assets, individuals, other organizations, and the Nation if
the plan is implemented.
Security and privacy plans need not be single documents. The plans can be a collection of various
documents, including documents that already exist. Effective security and privacy plans make
extensive use of references to policies, procedures, and additional documents, including design
and implementation specifications where more detailed information can be obtained. The use of
references helps reduce the documentation associated with security and privacy programs and
maintains the security- and privacy-related information in other established management and
operational areas, including enterprise architecture, system development life cycle, systems
engineering, and acquisition. Security and privacy plans need not contain detailed contingency
plan or incident response plan information but can instead provide—explicitly or by reference—
sufficient information to define what needs to be accomplished by those plans.
Security- and privacy-related activities that may require coordination and planning with other
individuals or groups within the organization include assessments, audits, inspections, hardware
and software maintenance, acquisition and supply chain risk management, patch management,
and contingency plan testing. Planning and coordination include emergency and nonemergency
(i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan
and coordinate security- and privacy-related activities can also be included in other documents,
as appropriate.
Related Controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CM-13, CP-2, CP-4,
IR-4, IR-8, MA-4, MA-5, MP-4, MP-5, PL-7, PL-8, PL-10, PL-11, PM-1, PM-7, PM-8, PM-9, PM-10,
PM-11, RA-3, RA-8, RA-9, SA-5, SA-17, SA-22, SI-12, SR-2, SR-4.
Control Enhancements:

(1) SYSTEM SECURITY AND PRIVACY PLANS | CONCEPT OF OPERATIONS

[Withdrawn: Incorporated into PL-7.]

(2) SYSTEM SECURITY AND PRIVACY PLANS | FUNCTIONAL ARCHITECTURE

[Withdrawn: Incorporated into PL-8.]

(3) SYSTEM SECURITY AND PRIVACY PLANS | PLAN AND COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES

[Withdrawn: Incorporated into PL-2.]
References: [OMB A-130, Appendix II], [SP 800-18], [SP 800-37], [SP 800-160-1], [SP 800-160-2].

PL-3 SYSTEM SECURITY PLAN UPDATE

[Withdrawn: Incorporated into PL-2.]

PL-4 RULES OF BEHAVIOR

Control:
a. Establish and provide to individuals requiring access to the system, the rules that describe
their responsibilities and expected behavior for information and system usage, security, and
privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have
read, understand, and agree to abide by the rules of behavior, before authorizing access to
information and the system;
c. Review and update the rules of behavior [ Assignment: organization-defined frequency ]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to
read and re-acknowledge [ Selection (one or more): [ Assignment: organization-defined
frequency ]; when the rules are revised or updated ].
Discussion: Rules of behavior represent a type of access agreement for organizational users.
Other types of access agreements include nondisclosure agreements, conflict-of-interest
agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior
based on individual user roles and responsibilities and differentiate between rules that apply to
privileged users and rules that apply to general users. Establishing rules of behavior for some
types of non-organizational users, including individuals who receive information from federal
systems, is often not feasible given the large number of such users and the limited nature of their
interactions with the systems. Rules of behavior for organizational and non-organizational users
can also be established in AC-8. The related controls section provides a list of controls that are
relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of
the control, may be satisfied by the literacy training and awareness and role-based training
programs conducted by organizations if such training includes rules of behavior. Documented
acknowledgements for rules of behavior include electronic or physical signatures and electronic
agreement check boxes or radio buttons.
Related Controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2,
IA-4, IA-5, MP-7, PS-6, PS-8, SA-5, SI-12.
Control Enhancements:

(1) RULES OF BEHAVIOR | SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION USAGE RESTRICTIONS

Include in the rules of behavior, restrictions on:
(a) Use of social media, social networking sites, and external sites/applications;
(b) Posting organizational information on public websites; and
(c) Use of organization-provided identifiers (e.g., email addresses) and authentication
secrets (e.g., passwords) for creating accounts on external sites/applications.
Discussion: Social media, social networking, and external site/application usage restrictions
address rules of behavior related to the use of social media, social networking, and external
sites when organizational personnel are using such sites for official duties or in the conduct
of official business, when organizational information is involved in social media and social
networking transactions, and when personnel access social media and networking sites from
organizational systems. Organizations also address specific rules that prevent unauthorized
entities from obtaining non-public organizational information from social media and
networking sites either directly or through inference. Non-public information includes
personally identifiable information and system account information.
Related Controls: AC-22, AU-13.
References: [OMB A-130], [SP 800-18].

PL-5 PRIVACY IMPACT ASSESSMENT

[Withdrawn: Incorporated into RA-8.]

PL-6 SECURITY-RELATED ACTIVITY PLANNING

[Withdrawn: Incorporated into PL-2.]

PL-7 CONCEPT OF OPERATIONS

Control:
a. Develop a Concept of Operations (CONOPS) for the system describing how the organization
intends to operate the system from the perspective of information security and privacy; and
b. Review and update the CONOPS [ Assignment: organization-defined frequency ].
Discussion: The CONOPS may be included in the security or privacy plans for the system or in
other system development life cycle documents. The CONOPS is a living document that requires
updating throughout the system development life cycle. For example, during system design
reviews, the concept of operations is checked to ensure that it remains consistent with the
design for controls, the system architecture, and the operational procedures. Changes to the
CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy
architectures, and other organizational documents, such as procurement specifications, system
development life cycle documents, and systems engineering documents.
Related Controls: PL-2, SA-2, SI-12.
Control Enhancements: None.
References: [OMB A-130, Appendix II].

PL-8 SECURITY AND PRIVACY ARCHITECTURES

Control:
a. Develop security and privacy architectures for the system that:
  1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
  2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
  3. Describe how the architectures are integrated into and support the enterprise architecture; and
  4. Describe any assumptions about, and dependencies on, external systems and services;
b. Review and update the architectures [ Assignment: organization-defined frequency ] to reflect
changes in the enterprise architecture; and
c. Reflect planned architecture changes in security and privacy plans, Concept of Operations
(CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
Discussion: The security and privacy architectures at the system level are consistent with the
organization-wide security and privacy architectures described in PM-7, which are integral to and
developed as part of the enterprise architecture. The architectures include an architectural
description, the allocation of security and privacy functionality (including controls), security- and
privacy-related information for external interfaces, information being exchanged across the
interfaces, and the protection mechanisms associated with each interface. The architectures can
also include other information, such as user roles and the access privileges assigned to each role;
security and privacy requirements; types of information processed, stored, and transmitted by
the system; supply chain risk management requirements; restoration priorities of information
and system services; and other protection needs.
[SP 800-160-1] provides guidance on the use of security architectures as part of the system
development life cycle process. [OMB M-19-03] requires the use of the systems security
engineering concepts described in [SP 800-160-1] for high value assets. Security and privacy
architectures are reviewed and updated throughout the system development life cycle, from
analysis of alternatives through review of the proposed architecture in the RFP responses to the
design reviews before and during implementation (e.g., during preliminary design reviews and
critical design reviews).
In today’s modern computing architectures, it is becoming less common for organizations to
control all information resources. There may be key dependencies on external information
services and service providers. Describing such dependencies in the security and privacy
architectures is necessary for developing a comprehensive mission and business protection
strategy. Establishing, developing, documenting, and maintaining under configuration control a
baseline configuration for organizational systems is critical to implementing and maintaining
effective architectures. The development of the architectures is coordinated with the senior
agency information security officer and the senior agency official for privacy to ensure that the
controls needed to support security and privacy requirements are identified and effectively
implemented. In many circumstances, there may be no distinction between the security and
privacy architecture for a system. In other circumstances, security objectives may be adequately
satisfied, but privacy objectives may only be partially satisfied by the security requirements. In
these cases, consideration of the privacy requirements needed to achieve satisfaction will result
in a distinct privacy architecture. The documentation, however, may simply reflect the combined
architectures.
PL-8 is primarily directed at organizations to ensure that architectures are developed for the
system and, moreover, that the architectures are integrated with or tightly coupled to the
enterprise architecture. In contrast, SA-17 is primarily directed at the external information
technology product and system developers and integrators. SA-17, which is complementary to
PL-8, is selected when organizations outsource the development of systems or components to
external entities and when there is a need to demonstrate consistency with the organization’s
enterprise architecture and security and privacy architectures.
Related Controls: CM-2, CM-6, PL-2, PL-7, PL-9, PM-5, PM-7, RA-9, SA-3, SA-5, SA-8, SA-17, SC-7.
Control Enhancements:

(1) SECURITY AND PRIVACY ARCHITECTURES | DEFENSE IN DEPTH

Design the security and privacy architectures for the system using a defense-in-depth
approach that:
(a) Allocates [ Assignment: organization-defined controls ] to [ Assignment: organization-
defined locations and architectural layers ]; and
(b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing
manner.
Discussion: Organizations strategically allocate security and privacy controls in the security
and privacy architectures so that adversaries must overcome multiple controls to achieve
their objective. Requiring adversaries to defeat multiple controls makes it more difficult to
attack information resources by increasing the work factor of the adversary; it also increases
the likelihood of detection. The coordination of allocated controls is essential to ensure that
an attack that involves one control does not create adverse, unintended consequences by
interfering with other controls. Unintended consequences can include system lockout and
cascading alarms. The placement of controls in systems and organizations is an important
activity that requires thoughtful analysis. The value of organizational assets is an important
consideration in providing additional layering. Defense-in-depth architectural approaches
include modularity and layering (see SA-8(3)), separation of system and user functionality
(see SC-2), and security function isolation (see SC-3).
Related Controls: SC-2, SC-3, SC-29, SC-36.

(2) SECURITY AND PRIVACY ARCHITECTURES | SUPPLIER DIVERSITY

Require that [ Assignment: organization-defined controls ] allocated to [ Assignment:
organization-defined locations and architectural layers ] are obtained from different
suppliers.
Discussion: Information technology products have different strengths and weaknesses.
Providing a broad spectrum of products complements the individual offerings. For example,
vendors offering malicious code protection typically update their products at different times,
often developing solutions for known viruses, Trojans, or worms based on their priorities
and development schedules. By deploying different products at different locations, there is
an increased likelihood that at least one of the products will detect the malicious code. With
respect to privacy, vendors may offer products that track personally identifiable information
in systems. Products may use different tracking methods. Using multiple products may result
in more assurance that personally identifiable information is inventoried.
Related Controls: SC-29, SR-3.
References: [OMB A-130], [SP 800-160-1], [SP 800-160-2].

PL-9 CENTRAL MANAGEMENT

Control: Centrally manage [ Assignment: organization-defined controls and related processes ].
Discussion: Central management refers to organization-wide management and implementation
of selected controls and processes. This includes planning, implementing, assessing, authorizing,
and monitoring the organization-defined, centrally managed controls and processes. As the
central management of controls is generally associated with the concept of common (inherited)
controls, such management promotes and facilitates standardization of control implementations
and management and the judicious use of organizational resources. Centrally managed controls
and processes may also meet independence requirements for assessments in support of initial
and ongoing authorizations to operate and as part of organizational continuous monitoring.
Automated tools (e.g., security information and event management tools or enterprise security
monitoring and management tools) can improve the accuracy, consistency, and availability of
information associated with centrally managed controls and processes. Automation can also
provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards
to support risk-based decision-making within the organization.
As part of the control selection processes, organizations determine the controls that may be
suitable for central management based on resources and capabilities. It is not always possible to
centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid
control with the control managed and implemented centrally or at the system level. The controls
and control enhancements that are candidates for full or partial central management include but
are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all), AC-17(1), AC-17(2), AC-17(3),
AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1),
AT-3(2), AT-3(3), AT-4, AU-3, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2),
AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2),
CM-3(1), CM-3(4), CM-4, CM-6, CM-6(1), CM-7(2), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10,
CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-4(all), SI-7, SI-8.
Related Controls: PL-8, PM-9.
Control Enhancements: None.
References: [OMB A-130], [SP 800-37].

PL-10 BASELINE SELECTION

Control: Select a control baseline for the system.
Discussion: Control baselines are predefined sets of controls specifically assembled to address
the protection needs of a group, organization, or community of interest. Controls are chosen for
baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations,
policies, standards, and guidelines or address threats common to all users of the baseline under
the assumptions specific to the baseline. Baselines represent a starting point for the protection
of individuals’ privacy, information, and information systems with subsequent tailoring actions to
manage risk in accordance with mission, business, or other constraints (see PL-11). Federal
control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined
by the needs of stakeholders. Stakeholder needs consider mission and business requirements as
well as mandates imposed by applicable laws, executive orders, directives, policies, regulations,
standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the
requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and
guidelines implementing the legislation, direct organizations to select one of the control
baselines after reviewing the information types and the information that is processed,
stored, and transmitted on the system; analyzing the potential adverse impact of the loss or
compromise of the information or system on the organization’s operations and assets,
individuals, other organizations, or the Nation; and considering the results from system and
organizational risk assessments. [CNSSI 1253] provides guidance on control baselines for national
security systems.
Related Controls: PL-2, PL-11, RA-2, RA-3, SA-8.
Control Enhancements: None.
References: [FIPS 199], [FIPS 200], [SP 800-30], [SP 800-37], [SP 800-39], [SP 800-53B],
[SP 800-60-1], [SP 800-60-2], [SP 800-160-1], [CNSSI 1253].

PL-11 BASELINE TAILORING

Control: Tailor the selected control baseline by applying specified tailoring actions.
Discussion: The concept of tailoring allows organizations to specialize or customize a set of
baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such
specialization and customization by allowing organizations to develop security and privacy plans
that reflect their specific mission and business functions, the environments where their systems
operate, the threats and vulnerabilities that can affect their systems, and any other conditions or
situations that can impact their mission or business success. Tailoring guidance is provided in
[SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common
controls, applying scoping considerations, selecting compensating controls, assigning values to
control parameters, supplementing the control baseline with additional controls as needed, and
providing information for control implementation. The general tailoring actions in [SP 800-53B]
can be supplemented with additional actions based on the needs of organizations. Tailoring
actions can be applied to the baselines in [SP 800-53B] in accordance with the security and
privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest
adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize
or customize the controls that represent the specific needs and concerns of those entities.
Related Controls: PL-10, RA-2, RA-3, RA-9, SA-8.
Control Enhancements: None.
References: [FIPS 199], [FIPS 200], [SP 800-30], [SP 800-37], [SP 800-39], [SP 800-53B],
[SP 800-60-1], [SP 800-60-2], [SP 800-160-1], [CNSSI 1253].
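The tailoring actions the PL-11 discussion lists (designate common controls, apply scoping considerations, select compensating controls, assign parameter values, supplement the baseline) map onto a small checked function, which is also where the PL-2 requirement to record a rationale for every tailoring decision and a value for every control parameter gets enforced. The block below is an added example, not part of SP 800-53 and not NIST or OSCAL tooling; its CATALOG and BASELINES are constructed fragments whose parameter names and baseline membership are assumptions rather than the contents of [SP 800-53B].

```python
"""Tailoring a control baseline as a checked, reviewable step.
Added example for PL-10 / PL-11; not NIST tooling and not an OSCAL profile resolver.
CATALOG and BASELINES are CONSTRUCTED fragments: the IDs follow SP 800-53 naming, but
the parameter names and the baseline membership are assumptions, not [SP 800-53B]."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed catalog fragment (assumption): control id -> organization-defined parameters.
CATALOG: Dict[str, List[str]] = {
    "AC-2": ["account-types", "review-frequency"],
    "AC-17": [],
    "IA-5": ["min-password-length"],
    "PE-21": ["protective-measures", "components"],
    "PL-8": ["review-frequency"],
    "SC-7": [],
    "SC-8": [],
}
# Constructed membership (assumption); deliberately not the real MODERATE baseline.
BASELINES: Dict[str, List[str]] = {"MODERATE": ["AC-2", "AC-17", "IA-5", "PL-8", "SC-7"]}


@dataclass
class Tailored:
    cid: str
    status: str  # system | common | hybrid | scoped-out | compensated | compensating
    params: Dict[str, str] = field(default_factory=dict)
    justification: Optional[str] = None
    compensates: Optional[str] = None  # counterpart control for the two compensating statuses


class TailoringError(ValueError):
    """The tailoring would leave a gap an assessor would flag."""


def _selected(baseline: str, supplements: Iterable[str]) -> List[str]:
    """Baseline controls plus supplements, in stable order, without duplicates."""
    out = list(BASELINES[baseline])
    return out + [c for c in supplements if c not in out]


def validate(baseline: str, *, common: Iterable[str] = (), hybrid: Iterable[str] = (),
             scoped_out: Optional[Dict[str, str]] = None,
             compensating: Optional[Dict[str, Tuple[str, str]]] = None,
             params: Optional[Dict[str, str]] = None,
             supplements: Iterable[str] = ()) -> List[str]:
    """Return every defect in the proposed tailoring; an empty list means it is complete."""
    scoped_out, compensating, params = scoped_out or {}, compensating or {}, params or {}
    if baseline not in BASELINES:
        return [f"unknown baseline {baseline!r}"]
    selected = _selected(baseline, supplements)
    issues = [f"{c}: not in catalog" for c in selected if c not in CATALOG]
    issues += [f"{c}: cannot be both common and hybrid" for c in set(common) & set(hybrid)]
    for cid, reason in scoped_out.items():  # scoping out is only defensible in writing
        if cid not in selected:
            issues.append(f"{cid}: scoped out but not selected")
        if not reason.strip():
            issues.append(f"{cid}: scoping out requires a documented justification")
    for orig, (comp, reason) in compensating.items():
        if orig not in selected:
            issues.append(f"{orig}: compensated control is not selected")
        if comp not in CATALOG or comp in scoped_out or comp in compensating:
            issues.append(f"{comp}: not usable as a compensating control")
        if not reason.strip():
            issues.append(f"{orig}: compensating control requires a documented justification")
    # Every organization-defined parameter of every control that will actually be
    # implemented needs a value; PL-2 wants these in the plan, explicitly or by reference.
    implemented = [c for c in selected if c not in scoped_out and c not in compensating]
    implemented += [comp for comp, _ in compensating.values() if comp not in implemented]
    for cid in implemented:
        for p in CATALOG.get(cid, []):
            if f"{cid}:{p}" not in params:
                issues.append(f"{cid}: parameter {p!r} has no assigned value")
    return issues


def tailor(baseline: str, **actions) -> Dict[str, Tailored]:
    """Apply the tailoring actions and return the tailored set, or refuse outright."""
    issues = validate(baseline, **actions)
    if issues:
        raise TailoringError("; ".join(issues))
    common, hybrid = set(actions.get("common", ())), set(actions.get("hybrid", ()))
    scoped_out = actions.get("scoped_out") or {}
    compensating = actions.get("compensating") or {}
    params = actions.get("params") or {}

    def values(cid: str) -> Dict[str, str]:
        return {p: params[f"{cid}:{p}"] for p in CATALOG[cid]}

    out: Dict[str, Tailored] = {}
    for cid in _selected(baseline, actions.get("supplements", ())):
        if cid in scoped_out:
            out[cid] = Tailored(cid, "scoped-out", justification=scoped_out[cid])
        elif cid in compensating:
            comp, reason = compensating[cid]
            out[cid] = Tailored(cid, "compensated", justification=reason, compensates=comp)
        else:  # inherited (common), partly inherited (hybrid), or system-specific
            status = "common" if cid in common else "hybrid" if cid in hybrid else "system"
            out[cid] = Tailored(cid, status, params=values(cid))
    for orig, (comp, _) in compensating.items():
        # Add the compensating control if not already selected; either way record the link.
        out.setdefault(comp, Tailored(comp, "compensating", params=values(comp))).compensates = orig
    return out
```

The refusal path is the point: an assessor's first questions are which baseline controls were scoped out and why, which were replaced by compensating controls, and whether every organization-defined parameter has a value, so `validate` reports all gaps at once instead of stopping at the first, and `tailor` never produces a partially tailored set.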

3.13 PROGRAM MANAGEMENT

Quick link to Program Management Summary Table

PM-1 INFORMATION SECURITY PROGRAM PLAN

Control:
a. Develop and disseminate an organization-wide information security program plan that:
  1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
  2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  3. Reflects the coordination among organizational entities responsible for information security; and
  4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Review and update the organization-wide information security program plan [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
c. Protect the information security program plan from unauthorized disclosure and modification.
Discussion: An information security program plan is a formal document that provides an overview
of the security requirements for an organization-wide information security program

PROGRAM MANAGEMENT CONTROLS

[FISMA], [PRIVACT], and [OMB A-130] require federal agencies to develop, implement, and
provide oversight for organization-wide information security and privacy programs to help
ensure the confidentiality, integrity, and availability of federal information processed, stored,
and transmitted by federal information systems and to protect individual privacy. The program
management (PM) controls described in this section are implemented at the organization level
and not directed at individual information systems. The PM controls have been designed to
facilitate organizational compliance with applicable federal laws, executive orders, directives,
policies, regulations, and standards. The controls are independent of [FIPS 200] impact levels
and, therefore, are not associated with the control baselines described in [SP 800-53B].
Organizations document program management controls in the information security and privacy
program plans. The organization-wide information security program plan (see PM-1) and privacy
program plan (see PM-18) supplement system security and privacy plans (see PL-2) developed
for organizational information systems. Together, the system security and privacy plans for the
individual information systems and the information security and privacy program plans cover
the totality of security and privacy controls employed by the organization.
_________________________________________________________________________________________________

This publication is available free of charge from:

https://doi.org/10.6028/NIST.SP.800

  • 53r5
and describes the program management controls and common controls in place or planned for
meeting those requirements. An information security program plan can be represented in a
single document or compilations of documents. Privacy program plans and supply chain risk
management plans are addressed separately in PM-18 and SR-2, respectively.
An information security program plan documents implementation details about program
management and common controls. The plan provides sufficient information about the controls
(including specification of parameters for assignment and selection operations, explicitly or by
reference) to enable implementations that are unambiguously compliant with the intent of the
plan and a determination of the risk to be incurred if the plan is implemented as intended.
Updates to information security program plans include organizational changes and problems
identified during plan implementation or control assessments.
Program management controls may be implemented at the organization level or the mission or
business process level, and are essential for managing the organization’s information security
program. Program management controls are distinct from common, system-specific, and hybrid
controls because program management controls are independent of any particular system.
Together, the individual system security plans and the organization-wide information security
program plan provide complete coverage for the security controls employed within the
organization.
Common controls available for inheritance by organizational systems are documented in an
appendix to the organization’s information security program plan unless the controls are
included in a separate security plan for a system. The organization-wide information security
program plan indicates which separate security plans contain descriptions of common controls.
Events that may precipitate an update to the information security program plan include, but are
not limited to, organization-wide assessment or audit findings, security or privacy incidents, or
changes in laws, executive orders, directives, regulations, policies, standards, and guidelines.

Related Controls: PL-2, PM-18, PM-30, RA-9, SI-12, SR-2.
Control Enhancements: None.
References: [FISMA], [OMB A-130], [SP 800-37], [SP 800-39].

PM-2 INFORMATION SECURITY PROGRAM LEADERSHIP ROLE

Control: Appoint a senior agency information security officer with the mission and resources to
coordinate, develop, implement, and maintain an organization-wide information security
program.
Discussion: The senior agency information security officer is an organizational official. For
federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies,
and standards), this official is the senior agency information security officer. Organizations may
also refer to this official as the senior information security officer or chief information security
officer.
Related Controls: None.
Control Enhancements: None.
References: [OMB M-17-25], [SP 800-37], [SP 800-39].

PM-3 INFORMATION SECURITY AND PRIVACY RESOURCES

Control:
a. Include the resources needed to implement the information security and privacy programs
in capital planning and investment requests and document all exceptions to this
requirement;
b. Prepare documentation required for addressing information security and privacy programs
in capital planning and investment requests in accordance with applicable laws, executive
orders, directives, policies, regulations, standards; and
c. Make available for expenditure, the planned information security and privacy resources.
Discussion: Organizations consider establishing champions for information security and privacy
and, as part of including the necessary resources, assign specialized expertise and resources as
needed. Organizations may designate and empower an Investment Review Board or similar
group to manage and provide oversight for the information security and privacy aspects of the
capital planning and investment control process.
Related Controls: PM-4, SA-2.
Control Enhancements: None.
References: [OMB A-130].

PM-4 PLAN OF ACTION AND MILESTONES PROCESS

Control:
a. Implement a process to ensure that plans of action and milestones for the information
security, privacy, and supply chain risk management programs and associated organizational
systems:
  1. Are developed and maintained;
  2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
  3. Are reported in accordance with established reporting requirements.
b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Discussion: The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-5.
Related Controls: CA-5, CA-7, PM-3, RA-7, SI-12.
Control Enhancements: None.
References: [PRIVACT], [OMB A-130], [SP 800-37].

PM-5 SYSTEM INVENTORY

Control: Develop and update [ Assignment: organization-defined frequency ] an inventory of
organizational systems.
Discussion: [OMB A-130] provides guidance on developing systems inventories and associated
reporting requirements. System inventory refers to an organization-wide inventory of systems,
not system components as described in CM-8.
Related Controls: None.
Control Enhancements:

(1) SYSTEM INVENTORY | INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION

Establish, maintain, and update [ Assignment: organization-defined frequency ] an
inventory of all systems, applications, and projects that process personally identifiable
information.
Discussion: An inventory of systems, applications, and projects that process personally
identifiable information supports the mapping of data actions, providing individuals with
privacy notices, maintaining accurate personally identifiable information, and limiting the
processing of personally identifiable information when such information is not needed for
operational purposes. Organizations may use this inventory to ensure that systems only
process the personally identifiable information for authorized purposes and that this
processing is still relevant and necessary for the purpose specified therein.
Related Controls: AC-3, CM-8, CM-12, CM-13, PL-8, PM-22, PT-3, PT-5, SI-12, SI-18.
References: [IR 8062].

PM-6 MEASURES OF PERFORMANCE

Control: Develop, monitor, and report on the results of information security and privacy
measures of performance.
Discussion: Measures of performance are outcome-based metrics used by an organization to
measure the effectiveness or efficiency of the information security and privacy programs and the
controls employed in support of the program. To facilitate security and privacy risk management,
organizations consider aligning measures of performance with the organizational risk tolerance
as defined in the risk management strategy.
Related Controls: CA-7, PM-9.
Control Enhancements: None.
References: [OMB A-130], [SP 800-37], [SP 800-39], [SP 800-55], [SP 800-137].

PM-7 ENTERPRISE ARCHITECTURE

Control: Develop and maintain an enterprise architecture with consideration for information
security, privacy, and the resulting risk to organizational operations and assets, individuals, other
organizations, and the Nation.
Discussion: The integration of security and privacy requirements and controls into the enterprise
architecture helps to ensure that security and privacy considerations are addressed throughout
the system development life cycle and are explicitly related to the organization’s mission and
business processes. The process of integrating security and privacy requirements also embeds
the organization’s security and privacy architectures into the enterprise architecture, consistent
with the organizational risk management strategy. For PM-7, security and privacy
architectures are developed at a system-of-systems level, representing all organizational
systems. For PL-8, the security and privacy architectures are developed at a level that represents
an individual system. The system-level architectures are consistent with the security and privacy
architectures defined for the organization. Security and privacy requirements and control
integration are most effectively accomplished through the rigorous application of the Risk
Management Framework [SP 800-37] and supporting security standards and guidelines.
Related Controls: AU-6, PL-2, PL-8, PM-11, RA-2, SA-3, SA-8, SA-17.
Control Enhancements:

(1) ENTERPRISE ARCHITECTURE | OFFLOADING

Offload [ Assignment: organization-defined non-essential functions or services ] to other
systems, system components, or an external provider.
Discussion: Not every function or service that a system provides is essential to
organizational mission or business functions. Printing or copying is an example of a non-
essential but supporting service for an organization. Whenever feasible, such supportive but
non-essential functions or services are not co-located with the functions or services that
support essential mission or business functions. Maintaining such functions on the same
system or system component increases the attack surface of the organization’s mission-
essential functions or services. Moving supportive but non-essential functions to a non-
critical system, system component, or external provider can also increase efficiency by
putting those functions or services under the control of individuals or providers who are
subject matter experts in the functions or services.
Related Controls: SA-8.
References: [OMB A-130], [SP 800-37], [SP 800-39], [SP 800-160-1], [SP 800-160-2].

PM-8 CRITICAL INFRASTRUCTURE PLAN

Control: Address information security and privacy issues in the development, documentation,
and updating of a critical infrastructure and key resources protection plan.
Discussion: Protection strategies are based on the prioritization of critical assets and resources.
The requirement and guidance for defining critical infrastructure and key resources and for
preparing an associated critical infrastructure protection plan are found in applicable laws,
executive orders, directives, policies, regulations, standards, and guidelines.
Related Controls: CP-2, CP-4, PE-18, PL-2, PM-9, PM-11, PM-18, RA-3, SI-12.
Control Enhancements: None.
References: [OMB A-130], [HSPD 7], [DHS NIPP].

PM-9 RISK MANAGEMENT STRATEGY

Control:
a. Develop a comprehensive strategy to manage:
  1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
  2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy [ Assignment: organization-defined frequency ] or as required, to address organizational changes.
Discussion: An organization-wide risk management strategy includes an expression of the
security and privacy risk tolerance for the organization, security and privacy risk mitigation
strategies, acceptable risk assessment methodologies, a process for evaluating security and
privacy risk across the organization with respect to the organization’s risk tolerance, and
approaches for monitoring risk over time. The senior accountable official for risk management
(agency head or designated official) aligns information security management processes with
strategic, operational, and budgetary planning processes. The risk executive function, led by the
senior accountable official for risk management, can facilitate consistent application of the risk
management strategy organization-wide. The risk management strategy can be informed by
security and privacy risk-related inputs from other sources, both internal and external to the
organization, to ensure that the strategy is broad-based and comprehensive. The supply chain
risk management strategy described in PM-30 can also provide useful inputs to the organization-
wide risk management strategy.
Related Controls: AC-1, AU-1, AT-1, CA-1, CA-2, CA-5, CA-6, CA-7, CM-1, CP-1, IA-1, IR-1, MA-1,
MP-1, PE-1, PL-1, PL-2, PM-2, PM-8, PM-18, PM-28, PM-30, PS-1, PT-1, PT-2, PT-3, RA-1, RA-3,
RA-9, SA-1, SA-4, SC-1, SC-38, SI-1, SI-12, SR-1, SR-2.
Control Enhancements: None.
References: [OMB A-130], [SP 800-30], [SP 800-37], [SP 800-39], [SP 800-161], [IR 8023].

PM-10 AUTHORIZATION PROCESS

Control:
a. Manage the security and privacy state of organizational systems and the environments in
which those systems operate through authorization processes;
b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk
management process; and
c. Integrate the authorization processes into an organization-wide risk management program.
Discussion: Authorization processes for organizational systems and environments of operation
require the implementation of an organization-wide risk management process and associated
security and privacy standards and guidelines. Specific roles for risk management processes
include a risk executive (function) and designated authorizing officials for each organizational
system and common control provider. The authorization processes for the organization are
integrated with continuous monitoring processes to facilitate ongoing understanding and
acceptance of security and privacy risks to organizational operations, organizational assets,
individuals, other organizations, and the Nation.
Related Controls: CA-6, CA-7, PL-2.
Control Enhancements: None.
References: [SP 800-37], [SP 800-39].

PM-11 MISSION AND BUSINESS PROCESS DEFINITION

Control:
a. Define organizational mission and business processes with consideration for information
security and privacy and the resulting risk to organizational operations, organizational assets,
individuals, other organizations, and the Nation; and
b. Determine information protection and personally identifiable information processing needs
arising from the defined mission and business processes; and
c. Review and revise the mission and business processes [ Assignment: organization-defined
frequency ].
Discussion: Protection needs are technology-independent capabilities that are required to
counter threats to organizations, individuals, systems, and the Nation through the compromise
of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information
protection and personally identifiable information processing needs are derived from the mission
and business needs defined by organizational stakeholders, the mission and business processes
designed to meet those needs, and the organizational risk management strategy. Information
protection and personally identifiable information processing needs determine the required
controls for the organization and the systems. Inherent to defining protection and personally
identifiable information processing needs is an understanding of the adverse impact that could
result if a compromise or breach of information occurs. The categorization process is used to
make such potential impact determinations. Privacy risks to individuals can arise from the
compromise of personally identifiable information, but they can also arise as unintended
consequences or a byproduct of the processing of personally identifiable information at any
stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that
are created for individuals from system processing of personally identifiable information. These
risk assessments enable the selection of the required privacy controls for the organization and
systems. Mission and business process definitions and the associated protection requirements
are documented in accordance with organizational policies and procedures.
Related Controls: CP-2, PL-2, PM-7, PM-8, RA-2, RA-3, SA-2.
Control Enhancements: None.
References: [OMB A-130], [FIPS 199], [SP 800-39], [SP 800-60-1], [SP 800-60-2], [SP 800-160-1].

PM-12 INSIDER THREAT PROGRAM

Control: Implement an insider threat program that includes a cross-discipline insider threat
incident handling team.
Discussion: Organizations that handle classified information are required, under Executive Order
13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat
programs. The same standards and guidelines that apply to insider threat programs in classified
environments can also be employed effectively to improve the security of controlled unclassified
and other information in non-national security systems. Insider threat programs include controls
to detect and prevent malicious insider activity through the centralized integration and analysis
of both technical and nontechnical information to identify potential insider threat concerns. A
senior official is designated by the department or agency head as the responsible individual to
implement and provide oversight for the program. In addition to the centralized integration and
analysis capability, insider threat programs require organizations to prepare department or
agency insider threat policies and implementation plans, conduct host-based user monitoring of
individual employee activities on government-owned classified computers, provide insider threat
awareness training to employees, receive access to information from offices in the department
or agency for insider threat analysis, and conduct self-assessments of department or agency
insider threat posture.
Insider threat programs can leverage the existence of incident handling teams that organizations
may already have in place, such as computer security incident response teams. Human resources
records are especially important in this effort, as there is compelling evidence to show that some
types of insider crimes are often preceded by nontechnical behaviors in the workplace, including
ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues.
These precursors can guide organizational officials in more focused, targeted monitoring efforts.
However, the use of human resource records could raise significant concerns for privacy. The
participation of a legal team, including consultation with the senior agency official for privacy,
ensures that monitoring activities are performed in accordance with applicable laws, executive
orders, directives, regulations, policies, standards, and guidelines.
Related Controls: AC-6, AT-2, AU-6, AU-7, AU-10, AU-12, AU-13, CA-7, IA-4, IR-4, MP-7, PE-2,
PM-16, PS-3, PS-4, PS-5, PS-7, PS-8, SC-7, SC-38, SI-4, PM-14.
Control Enhancements: None.
References: [EO 13587], [ODNI NITP].

PM-13 SECURITY AND PRIVACY WORKFORCE

Control: Establish a security and privacy workforce development and improvement program.
Discussion: Security and privacy workforce development and improvement programs include
defining the knowledge, skills, and abilities needed to perform security and privacy duties and
tasks; developing role-based training programs for individuals assigned security and privacy roles
and responsibilities; and providing standards and guidelines for measuring and building individual
qualifications for incumbents and applicants for security- and privacy-related positions. Such
workforce development and improvement programs can also include security and privacy career
paths to encourage security and privacy professionals to advance in the field and fill positions
with greater responsibility. The programs encourage organizations to fill security- and privacy-
related positions with qualified personnel. Security and privacy workforce development and
improvement programs are complementary to organizational security awareness and training
programs and focus on developing and institutionalizing the core security and privacy capabilities
of personnel needed to protect organizational operations, assets, and individuals.
Related Controls: AT-2, AT-3.
Control Enhancements: None.
References: [OMB A-130], [SP 800-181].

PM-14 TESTING, TRAINING, AND MONITORING

Control:
a. Implement a process for ensuring that organizational plans for conducting security and
privacy testing, training, and monitoring activities associated with organizational systems:
  1. Are developed and maintained; and
  2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Discussion: A process for organization-wide security and privacy testing, training, and monitoring
helps ensure that organizations provide oversight for testing, training, and monitoring activities
and that those activities are coordinated. With the growing importance of continuous monitoring
programs, the implementation of information security and privacy across the three levels of the
risk management hierarchy and the widespread use of common controls, organizations
coordinate and consolidate the testing and monitoring activities that are routinely conducted as
part of ongoing assessments supporting a variety of controls. Security and privacy training
activities, while focused on individual systems and specific roles, require coordination across all
organizational elements. Testing, training, and monitoring plans and activities are informed by
current threat and vulnerability assessments.
Related Controls: AT-2, AT-3, CA-7, CP-4, IR-3, PM-12, SI-4.
Control Enhancements: None.
References: [OMB A-130], [SP 800-37], [SP 800-39], [SP 800-53A], [SP 800-115], [SP 800-137].

PM-15 SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS

Control: Establish and institutionalize contact with selected groups and associations within the
security and privacy communities:
a. To facilitate ongoing security and privacy education and training for organizational
personnel;
b. To maintain currency with recommended security and privacy practices, techniques, and
technologies; and
c. To share current security and privacy information, including threats, vulnerabilities, and
incidents.
Discussion: Ongoing contact with security and privacy groups and associations is important in an
environment of rapidly changing technologies and threats. Groups and associations include
special interest groups, professional associations, forums, news groups, users’ groups, and peer
groups of security and privacy professionals in similar organizations. Organizations select security
and privacy groups and associations based on mission and business functions. Organizations
share threat, vulnerability, and incident information as well as contextual insights, compliance
techniques, and privacy problems consistent with applicable laws, executive orders, directives,
policies, regulations, standards, and guidelines.
Related Controls: SA-11, SI-5.
Control Enhancements: None.
References: [OMB A-130].

PM-16 THREAT AWARENESS PROGRAM

Control: Implement a threat awareness program that includes a cross-organization information-
sharing capability for threat intelligence.
Discussion: Because of the constantly changing and increasing sophistication of adversaries,
especially the advanced persistent threat (APT), it may be more likely that adversaries can
successfully breach or compromise organizational systems. One of the best techniques to
address this concern is for organizations to share threat information, including threat events (i.e.,
tactics, techniques, and procedures) that organizations have experienced, mitigations that
organizations have found are effective against certain types of threats, and threat intelligence
(i.e., indications and warnings about threats). Threat information sharing may be bilateral or
multilateral. Bilateral threat sharing includes government-to-commercial and government-to-
government cooperatives. Multilateral threat sharing includes organizations taking part in threat-
sharing consortia. Threat information may require special agreements and protection, or it may
be freely shared.
Related Controls: IR-4, PM-12.
Control Enhancements:

(1) THREAT AWARENESS PROGRAM | AUTOMATED MEANS FOR SHARING THREAT INTELLIGENCE

Employ automated mechanisms to maximize the effectiveness of sharing threat
intelligence information.
Discussion: To maximize the effectiveness of monitoring, it is important to know what
threat observables and indicators the sensors need to be searching for. By using well-
established frameworks, services, and automated tools, organizations improve their ability
to rapidly share and feed the relevant threat detection signatures into monitoring tools.
Related Controls: None.
References: None.

PM-17 PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS

Control:
a. Establish policy and procedures to ensure that requirements for the protection of controlled
unclassified information that is processed, stored, or transmitted on external systems are
implemented in accordance with applicable laws, executive orders, directives, policies,
regulations, and standards; and
b. Review and update the policy and procedures [ Assignment: organization-defined frequency ].
Discussion: Controlled unclassified information is defined by the National Archives and Records
Administration along with the safeguarding and dissemination requirements for such information
and is codified in [32 CFR 2002] and, specifically for systems external to the federal organization,
32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in
accordance with organizational procedures, including via its contracting processes.
Related Controls: CA-6, PM-10.
Control Enhancements: None.
References: [32 CFR 2002], [SP 800-171], [NARA CUI].

PM-18 PRIVACY PROGRAM PLAN

Control:
a. Develop and disseminate an organization-wide privacy program plan that provides an
overview of the agency’s privacy program, and:
  1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;
  2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;
  3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;
  4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;
  5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and
  6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
b. Update the plan [ Assignment: organization-defined frequency ] and to address changes in
federal privacy laws and policy and organizational changes and problems identified during
plan implementation or privacy control assessments.
Discussion: A privacy program plan is a formal document that provides an overview of an
organization’s privacy program, including a description of the structure of the privacy program,
the resources dedicated to the privacy program, the role of the senior agency official for privacy
and other privacy officials and staff, the strategic goals and objectives of the privacy program,
and the program management controls and common controls in place or planned for meeting
applicable privacy requirements and managing privacy risks. Privacy program plans can be
represented in single documents or compilations of documents.
The senior agency official for privacy is responsible for designating which privacy controls the
organization will treat as program management, common, system-specific, and hybrid controls.
Privacy program plans provide sufficient information about the privacy program management
and common controls (including the specification of parameters and assignment and selection
operations explicitly or by reference) to enable control implementations that are unambiguously
compliant with the intent of the plans and a determination of the risk incurred if the plans are
implemented as intended.
Program management controls are generally implemented at the organization level and are
essential for managing the organization’s privacy program. Program management controls are
distinct from common, system-specific, and hybrid controls because program management
controls are independent of any particular information system. Together, the privacy plans for
individual systems and the organization-wide privacy program plan provide complete coverage
for the privacy controls employed within the organization.
Common controls are documented in an appendix to the organization’s privacy program plan
unless the controls are included in a separate privacy plan for a system. The organization-wide
privacy program plan indicates which separate privacy plans contain descriptions of privacy
controls.
Related Controls: PM-8, PM-9, PM-19.
Control Enhancements: None.
References: [PRIVACT], [OMB A-130].

PM-19 PRIVACY PROGRAM LEADERSHIP ROLE

Control: Appoint a senior agency official for privacy with the authority, mission, accountability,
and resources to coordinate, develop, and implement applicable privacy requirements and
manage privacy risks through the organization-wide privacy program.
Discussion: The privacy officer is an organizational official. For federal agencies—as defined by
applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this
official is designated as the senior agency official for privacy. Organizations may also refer to this
official as the chief privacy officer. The senior agency official for privacy also has roles on the data
management board (see PM-23) and the data integrity board (see PM-24).
Related Controls: PM-18, PM-20, PM-23, PM-24.
Control Enhancements: None.
References: [OMB A-130].

PM-20 DISSEMINATION OF PRIVACY PROGRAM INFORMATION

Control: Maintain a central resource webpage on the organization’s principal public website that
serves as a central source of information about the organization’s privacy program and that:
a. Ensures that the public has access to information about organizational privacy activities and
can communicate with its senior agency official for privacy;
b. Ensures that organizational privacy practices and reports are publicly available; and
c. Employs publicly facing email addresses and/or phone lines to enable the public to provide
feedback and/or direct questions to privacy offices regarding privacy practices.
Discussion: For federal agencies, the webpage is located at http://www.[agency].gov/privacy. Federal
agencies include public privacy impact assessments, system of records notices, computer
matching notices and agreements, [PRIVACT] exemption and implementation rules, privacy
reports, privacy policies, instructions for individuals making an access or amendment request,
email addresses for questions/complaints, blogs, and periodic publications.
Related Controls: AC-3, PM-19, PT-5, PT-6, PT-7, RA-8.
Control Enhancements:

(1) DISSEMINATION OF PRIVACY PROGRAM INFORMATION | PRIVACY POLICIES ON WEBSITES, APPLICATIONS, AND DIGITAL SERVICES

Develop and post privacy policies on all external-facing websites, mobile applications, and
other digital services, that:
(a) Are written in plain language and organized in a way that is easy to understand and
navigate;
(b) Provide information needed by the public to make an informed decision about
whether and how to interact with the organization; and
(c) Are updated whenever the organization makes a substantive change to the practices it
describes and includes a time/date stamp to inform the public of the date of the most
recent changes.
Discussion: Organizations post privacy policies on all external-facing websites, mobile
applications, and other digital services. Organizations post a link to the relevant privacy
policy on any known, major entry points to the website, application, or digital service. In
addition, organizations provide a link to the privacy policy on any webpage that collects
personally identifiable information. Organizations may be subject to applicable laws,
executive orders, directives, regulations, or policies that require the provision of specific
information to the public. Organizational personnel consult with the senior agency official
for privacy and legal counsel regarding such requirements.
Related Controls: None.
References: [PRIVACT], [OMB A-130], [OMB M-17-06].

PM-21 ACCOUNTING OF DISCLOSURES

Control:
a. Develop and maintain an accurate accounting of disclosures of personally identifiable
information, including:
  1. Date, nature, and purpose of each disclosure; and
  2. Name and address, or other contact information of the individual or organization to which the disclosure was made;
b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
Discussion: The purpose of accounting of disclosures is to allow individuals to learn to whom
their personally identifiable information has been disclosed, to provide a basis for subsequently
advising recipients of any corrected or disputed personally identifiable information, and to
provide an audit trail for subsequent reviews of organizational compliance with conditions for
disclosures. For federal agencies, keeping an accounting of disclosures is required by the
[PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel
on this requirement and be aware of the statutory exceptions and OMB guidance relating to the
provision.
Organizations can use any system for keeping notations of disclosures, if it can construct from
such a system, a document listing of all disclosures along with the required information.
Automated mechanisms can be used by organizations to determine when personally identifiable
information is disclosed, including commercial services that provide notifications and alerts.
Accounting of disclosures may also be used to help organizations verify compliance with
applicable privacy statutes and policies governing the disclosure or dissemination of information
and dissemination restrictions.
Related Controls: AC-3, AU-2, PT-2.
Control Enhancements: None.
References: [PRIVACT], [OMB A-130].

PM-22 PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT

Control: Develop and document organization-wide policies and procedures for:
a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally
identifiable information across the information life cycle;
b. Correcting or deleting inaccurate or outdated personally identifiable information;
c. Disseminating notice of corrected or deleted personally identifiable information to
individuals or other appropriate entities; and
d. Appeals of adverse decisions on correction or deletion requests.
Discussion: Personally identifiable information quality management includes steps that
organizations take to confirm the accuracy and relevance of personally identifiable information
throughout the information life cycle. The information life cycle includes the creation, collection,
use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally
identifiable information. Organizational policies and procedures for personally identifiable
information quality management are important because inaccurate or outdated personally
identifiable information maintained by organizations may cause problems for individuals.
Organizations consider the quality of personally identifiable information involved in business
functions where inaccurate information may result in adverse decisions or the denial of benefits
and services, or the disclosure of the information may cause stigmatization. Correct information,
in certain circumstances, can cause problems for individuals that outweigh the benefits of
organizations maintaining the information. Organizations consider creating policies and
procedures for the removal of such information.
The senior agency official for privacy ensures that practical means and mechanisms exist and are
accessible for individuals or their authorized representatives to seek the correction or deletion of
personally identifiable information. Processes for correcting or deleting data are clearly defined
and publicly available. Organizations use discretion in determining whether data is to be deleted
or corrected based on the scope of requests, the changes sought, and the impact of the changes.
Additionally, processes include the provision of responses to individuals of decisions to deny
requests for correction or deletion. The responses include the reasons for the decisions, a means
to record individual objections to the decisions, and a means of requesting reviews of the initial
determinations.
Organizations notify individuals or their designated representatives when their personally
identifiable information is corrected or deleted to provide transparency and confirm the
completed action. Due to the complexity of data flows and storage, other entities may need to
be informed of the correction or deletion. Notice supports the consistent correction and deletion
of personally identifiable information across the data ecosystem.
Related Controls: PM-23, SI-18.
Control Enhancements: None.
References: [OMB A-130], [SP 800-188].

PM-23 DATA GOVERNANCE BODY

Control: Establish a Data Governance Body consisting of [ Assignment: organization-defined
roles ] with [ Assignment: organization-defined responsibilities ].
Discussion: A Data Governance Body can help ensure that the organization has coherent policies
and the ability to balance the utility of data with security and privacy requirements. The Data
Governance Body establishes policies, procedures, and standards that facilitate data governance
so that data, including personally identifiable information, is effectively managed and maintained
in accordance with applicable laws, executive orders, directives, regulations, policies, standards,
and guidance. Responsibilities can include developing and implementing guidelines that support
data modeling, quality, integrity, and the de-identification needs of personally identifiable
information across the information life cycle as well as reviewing and approving applications to
release data outside of the organization, archiving the applications and the released data, and
performing post-release monitoring to ensure that the assumptions made as part of the data
release continue to be valid. Members include the chief information officer, senior agency
information security officer, and senior agency official for privacy. Federal agencies are required
to establish a Data Governance Body with specific roles and responsibilities in accordance with
the [EVIDACT] and policies set forth under [OMB M-19-23].
Related Controls: AT-2, AT-3, PM-19, PM-22, PM-24, PT-7, SI-4, SI-19.
Control Enhancements: None.
References: [EVIDACT], [OMB A-130], [OMB M-19-23], [SP 800-188].

PM-24 DATA INTEGRITY BOARD

Control: Establish a Data Integrity Board to:
a. Review proposals to conduct or participate in a matching program; and
b. Conduct an annual review of all matching programs in which the agency has participated.
Discussion: A Data Integrity Board is the board of senior officials designated by the head of a
federal agency and is responsible for, among other things, reviewing the agency’s proposals to
conduct or participate in a matching program and conducting an annual review of all matching
programs in which the agency has participated. As a general matter, a matching program is a
computerized comparison of records from two or more automated [PRIVACT] systems of records
or an automated system of records and automated records maintained by a non-federal agency
(or agent thereof). A matching program either pertains to Federal benefit programs or Federal
personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector
General of the agency, if any, and the senior agency official for privacy.
Related Controls: AC-4, PM-19, PM-23, PT-8.
Control Enhancements: None.
References: [PRIVACT], [OMB A-130, Appendix II], [OMB A-108].

PM-25 MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION USED IN TESTING, TRAINING, AND RESEARCH

Control:
a. Develop, document, and implement policies and procedures that address the use of
personally identifiable information for internal testing, training, and research;
b. Limit or minimize the amount of personally identifiable information used for internal testing,
training, and research purposes;
c. Authorize the use of personally identifiable information when such information is required
for internal testing, training, and research; and
d. Review and update policies and procedures [ Assignment: organization-defined frequency ].
Discussion: The use of personally identifiable information in testing, research, and training
increases the risk of unauthorized disclosure or misuse of such information. Organizations
consult with the senior agency official for privacy and/or legal counsel to ensure that the use of
personally identifiable information in testing, training, and research is compatible with the
original purpose for which it was collected. When possible, organizations use placeholder data to
avoid exposure of personally identifiable information when conducting testing, training, and
research.
Related Controls: PM-23, PT-3, SA-3, SA-8.
Control Enhancements: None.
References: [OMB A-130, Appendix II].

PM-26 COMPLAINT MANAGEMENT

Control: Implement a process for receiving and responding to complaints, concerns, or questions
from individuals about the organizational security and privacy practices that includes:
a. Mechanisms that are easy to use and readily accessible by the public;
b. All information necessary for successfully filing complaints;
c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within
[ Assignment: organization-defined time period ];
d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within
[ Assignment: organization-defined time period ]; and
e. Response to complaints, concerns, or questions from individuals within [ Assignment:
organization-defined time period ].
Discussion: Complaints, concerns, and questions from individuals can serve as valuable sources
of input to organizations and ultimately improve operational models, uses of technology, data
collection practices, and controls. Mechanisms that can be used by the public include telephone
hotline, email, or web-based forms. The information necessary for successfully filing complaints
includes contact information for the senior agency official for privacy or other official designated
to receive complaints. Privacy complaints may also include personally identifiable information
which is handled in accordance with relevant policies and processes.
Related Controls: IR-7, IR-9, PM-22, SI-18.
Control Enhancements: None.
References: [OMB A-130].

PM-27 PRIVACY REPORTING

Control:
a. Develop [ Assignment: organization-defined privacy reports ] and disseminate to:
  1. [ Assignment: organization-defined oversight bodies ] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
  2. [ Assignment: organization-defined officials ] and other personnel with responsibility for monitoring privacy program compliance; and
b. Review and update privacy reports [ Assignment: organization-defined frequency ].
Discussion: Through internal and external reporting, organizations promote accountability and
transparency in organizational privacy operations. Reporting can also help organizations to
determine progress in meeting privacy compliance requirements and privacy controls, compare
performance across the federal government, discover vulnerabilities, identify gaps in policy and
implementation, and identify models for success. For federal agencies, privacy reports include
annual senior agency official for privacy reports to OMB, reports to Congress required by
Implementing Regulations of the 9/11 Commission Act, and other public reports required by law,
regulation, or policy, including internal policies of organizations. The senior agency official for
privacy consults with legal counsel, where appropriate, to ensure that organizations meet all
applicable privacy reporting requirements.
Related Controls: IR-9, PM-19.
Control Enhancements: None.
References: [FISMA], [OMB A-130], [OMB A-108].

PM-28 RISK FRAMING

Control:
a. Identify and document:
  1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
  2. Constraints affecting risk assessments, risk responses, and risk monitoring;
  3. Priorities and trade-offs considered by the organization for managing risk; and
  4. Organizational risk tolerance;

b. Distribute the results of risk framing activities to [ Assignment: organization-defined
personnel ]; and
c. Review and update risk framing considerations [ Assignment: organization-defined
frequency ].
Discussion: Risk framing is most effective when conducted at the organization level and in
consultation with stakeholders throughout the organization including mission, business, and
system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified
as part of the risk framing process inform the risk management strategy, which in turn informs
the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results
are shared with organizational personnel, including mission and business owners, information
owners or stewards, system owners, authorizing officials, senior agency information security
officer, senior agency official for privacy, and senior accountable official for risk management.
Related Controls: CA-7, PM-9, RA-3, RA-7.
Control Enhancements: None.
References: [OMB A-130], [SP 800-39].

PM-29 RISK MANAGEMENT PROGRAM LEADERSHIP ROLES

Control:
a. Appoint a Senior Accountable Official for Risk Management to align organizational
information security and privacy management processes with strategic, operational, and
budgetary planning processes; and
b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide
perspective and ensure management of risk is consistent across the organization.
Discussion: The senior accountable official for risk management leads the risk executive
(function) in organization-wide risk management activities.
Related Controls: PM-2, PM-19.
Control Enhancements: None.
References: [SP 800-37].

PM-30 SUPPLY CHAIN RISK MANAGEMENT STRATEGY

Control:
a. Develop an organization-wide strategy for managing supply chain risks associated with the
development, acquisition, maintenance, and disposal of systems, system components, and
system services;
b. Implement the supply chain risk management strategy consistently across the organization;
and
c. Review and update the supply chain risk management strategy on [ Assignment:
organization-defined frequency ] or as required, to address organizational changes.
Discussion: An organization-wide supply chain risk management strategy includes an
unambiguous expression of the supply chain risk appetite and tolerance for the organization,
acceptable supply chain risk mitigation strategies or controls, a process for consistently
evaluating and monitoring supply chain risk, approaches for implementing and communicating
the supply chain risk management strategy, and the associated roles and responsibilities. Supply
chain risk management includes considerations of the security and privacy risks associated with
the development, acquisition, maintenance, and disposal of systems, system components, and
system services. The supply chain risk management strategy can be incorporated into the
organization’s overarching risk management strategy and can guide and inform supply chain
policies and system-level supply chain risk management plans. In addition, the use of a risk
executive function can facilitate a consistent, organization-wide application of the supply chain
risk management strategy. The supply chain risk management strategy is implemented at the
organization and mission/business levels, whereas the supply chain risk management plan (see
SR-2) is implemented at the system level.
Related Controls: CM-10, PM-9, SR-1, SR-2, SR-3, SR-4, SR-5, SR-6, SR-7, SR-8, SR-9, SR-11.
Control Enhancements:

(1) SUPPLY CHAIN RISK MANAGEMENT STRATEGY | SUPPLIERS OF CRITICAL OR MISSION-ESSENTIAL ITEMS

Identify, prioritize, and assess suppliers of critical or mission-essential technologies,
products, and services.
Discussion: The identification and prioritization of suppliers of critical or mission-essential
technologies, products, and services is paramount to the mission/business success of
organizations. The assessment of suppliers is conducted using supplier reviews (see SR-6)
and supply chain risk assessment processes (see RA-3(1)). An analysis of supply chain risk
can help an organization identify systems or components for which additional supply chain
risk mitigations are required.
Related Controls: RA-3, SR-6.
References: [PRIVACT], [FASC18], [41 CFR 201], [EO 13873], [OMB A-130], [OMB M-17-06], [ISO 27036], [ISO 20243], [SP 800-161], [IR 8272].

PM-31 CONTINUOUS MONITORING STRATEGY

Control: Develop an organization-wide continuous monitoring strategy and implement
continuous monitoring programs that include:
a. Establishing the following organization-wide metrics to be monitored: [ Assignment:
organization-defined metrics ];
b. Establishing [ Assignment: organization-defined frequencies ] for monitoring and
[ Assignment: organization-defined frequencies ] for assessment of control effectiveness;
c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous
monitoring strategy;
d. Correlation and analysis of information generated by control assessments and monitoring;
e. Response actions to address results of the analysis of control assessment and monitoring
information; and
f. Reporting the security and privacy status of organizational systems to [ Assignment:
organization-defined personnel or roles ] [ Assignment: organization-defined frequency ].
Discussion: Continuous monitoring at the organization level facilitates ongoing awareness of the
security and privacy posture across the organization to support organizational risk management
decisions. The terms “continuous” and “ongoing” imply that organizations assess and monitor
their controls and risks at a frequency sufficient to support risk-based decisions. Different types
of controls may require different monitoring frequencies. The results of continuous monitoring
guide and inform risk response actions by organizations. Continuous monitoring programs allow
organizations to maintain the authorizations of systems and common controls in highly dynamic
environments of operation with changing mission and business needs, threats, vulnerabilities,
and technologies. Having access to security- and privacy-related information on a continuing
basis through reports and dashboards gives organizational officials the capability to make
effective, timely, and informed risk management decisions, including ongoing authorization
decisions. To further facilitate security and privacy risk management, organizations consider
aligning organization-defined monitoring metrics with organizational risk tolerance as defined in
the risk management strategy. Monitoring requirements, including the need for monitoring, may
be referenced in other controls and control enhancements such as AC-2g, AC-2(7), AC-2(12)(a),
AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c,
IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c,
SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.
Related Controls: AC-2, AC-6, AC-17, AT-4, AU-6, AU-13, CA-2, CA-5, CA-6, CA-7, CM-3, CM-4,
CM-6, CM-11, IA-5, IR-5, MA-2, MA-3, MA-4, PE-3, PE-6, PE-14, PE-16, PE-20, PL-2, PM-4, PM-6,
PM-9, PM-10, PM-12, PM-14, PM-23, PM-28, PS-7, PT-7, RA-3, RA-5, RA-7, SA-9, SA-11, SC-5, SC-7,
SC-18, SC-38, SC-43, SI-3, SI-4, SI-12, SR-2, SR-4.
Control Enhancements: None.
References: [SP 800-37], [SP 800-39], [SP 800-137].

PM-32 PURPOSING

Control: Analyze [ Assignment: organization-defined systems or systems components ] supporting
mission essential services or functions to ensure that the information resources are being used
consistent with their intended purpose.
Discussion: Systems are designed to support a specific mission or business function. However,
over time, systems and system components may be used to support services and functions that
are outside of the scope of the intended mission or business functions. This can result in
exposing information resources to unintended environments and uses that can significantly
increase threat exposure. In doing so, the systems are more vulnerable to compromise, which
can ultimately impact the services and functions for which they were intended. This is especially
impactful for mission-essential services and functions. By analyzing resource use, organizations
can identify such potential exposures.
Related Controls: CA-7, PL-2, RA-3, RA-9.
Control Enhancements: None.

References: [SP 800-137].


3.14 PERSONNEL SECURITY

Quick link to Personnel Security Summary Table

PS-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] personnel security policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
c. Review and update the current personnel security:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Personnel security policy and procedures address the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission-level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security or privacy incidents, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].

PS-2 POSITION RISK DESIGNATION

Control:
a. Assign a risk designation to all organizational positions;
b. Establish screening criteria for individuals filling those positions; and
c. Review and update position risk designations [ Assignment: organization-defined frequency ].
Discussion: Position risk designations reflect Office of Personnel Management (OPM) policy and
guidance. Proper position designation is the foundation of an effective and consistent suitability
and personnel security program. The Position Designation System (PDS) assesses the duties and
responsibilities of a position to determine the degree of potential damage to the efficiency or
integrity of the service due to misconduct of an incumbent of a position and establishes the risk
level of that position. The PDS assessment also determines if the duties and responsibilities of
the position present the potential for position incumbents to bring about a material adverse
effect on national security and the degree of that potential effect, which establishes the
sensitivity level of a position. The results of the assessment determine what level of investigation
is conducted for a position. Risk designations can guide and inform the types of authorizations
that individuals receive when accessing organizational information and information systems.
Position screening criteria include explicit information security role appointment requirements.
Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for
organizations to evaluate relevant covered positions for a position sensitivity and position risk
designation commensurate with the duties and responsibilities of those positions.
Related Controls: AC-5, AT-3, PE-2, PE-3, PL-2, PS-3, PS-6, SA-5, SA-21, SI-12.
Control Enhancements: None.
References: [5 CFR 731], [SP 800-181].

PS-3 PERSONNEL SCREENING

Control:
a. Screen individuals prior to authorizing access to the system; and
b. Rescreen individuals in accordance with [ Assignment: organization-defined conditions
requiring rescreening and, where rescreening is so indicated, the frequency of rescreening ].
Discussion: Personnel screening and rescreening activities reflect applicable laws, executive
orders, directives, regulations, policies, standards, guidelines, and specific criteria established for
the risk designations of assigned positions. Examples of personnel screening include background
investigations and agency checks. Organizations may define different rescreening conditions and
frequencies for personnel accessing systems based on types of information processed, stored, or
transmitted by the systems.
Related Controls: AC-2, IA-4, MA-5, PE-2, PM-12, PS-2, PS-6, PS-7, SA-21.
Control Enhancements:

(1) PERSONNEL SCREENING | CLASSIFIED INFORMATION

Verify that individuals accessing a system processing, storing, or transmitting classified
information are cleared and indoctrinated to the highest classification level of the
information to which they have access on the system.
Discussion: Classified information is the most sensitive information that the Federal
Government processes, stores, or transmits. It is imperative that individuals have the
requisite security clearances and system access authorizations prior to gaining access to such
information. Access authorizations are enforced by system access controls (see AC-3) and
flow controls (see AC-4).
Related Controls: AC-3, AC-4.

(2) PERSONNEL SCREENING | FORMAL INDOCTRINATION

Verify that individuals accessing a system processing, storing, or transmitting types of
classified information that require formal indoctrination, are formally indoctrinated for all
the relevant types of information to which they have access on the system.
Discussion: Types of classified information that require formal indoctrination include Special
Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI).
Related Controls: AC-3, AC-4.

(3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTIVE MEASURES

Verify that individuals accessing a system processing, storing, or transmitting information
requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official
government duties; and
(b) Satisfy [ Assignment: organization-defined additional personnel screening criteria ].
Discussion: Organizational information that requires special protection includes controlled
unclassified information. Personnel security criteria include position sensitivity background
screening requirements.
Related Controls: None.

(4) PERSONNEL SCREENING | CITIZENSHIP REQUIREMENTS

Verify that individuals accessing a system processing, storing, or transmitting [ Assignment:
organization-defined information types ] meet [ Assignment: organization-defined
citizenship requirements ].
Discussion: None.
Related Controls: None.
References: [EO 13526], [EO 13587], [FIPS 199], [FIPS 201-2], [SP 800-60-1], [SP 800-60-2], [SP 800-73-4], [SP 800-76-2], [SP 800-78-4].

PS-4 PERSONNEL TERMINATION

Control: Upon termination of individual employment:
a. Disable system access within [ Assignment: organization-defined time period ];
b. Terminate or revoke any authenticators and credentials associated with the individual;
c. Conduct exit interviews that include a discussion of [ Assignment: organization-defined
information security topics ];
d. Retrieve all security-related organizational system-related property; and
e. Retain access to organizational information and systems formerly controlled by the terminated
individual.
Discussion: System property includes hardware authentication tokens, system administration
technical manuals, keys, identification cards, and building passes. Exit interviews ensure that
terminated individuals understand the security constraints imposed by being former employees
and that proper accountability is achieved for system-related property. Security topics at exit
interviews include reminding individuals of nondisclosure agreements and potential limitations
on future employment. Exit interviews may not always be possible for some individuals, including
in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit
interviews are important for individuals with security clearances. The timely execution of
termination actions is essential for individuals who have been terminated for cause. In certain
situations, organizations consider disabling the system accounts of individuals who are being
terminated prior to the individuals being notified.
Related Controls: AC-2, IA-4, PE-2, PM-12, PS-6, PS-7.
Control Enhancements:

(1) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS

(a) Notify terminated individuals of applicable, legally binding post-employment
requirements for the protection of organizational information; and
(b) Require terminated individuals to sign an acknowledgment of post-employment
requirements as part of the organizational termination process.
Discussion: Organizations consult with the Office of the General Counsel regarding matters
of post-employment requirements on terminated individuals.
Related Controls: None.

(2) PERSONNEL TERMINATION | AUTOMATED ACTIONS

Use [ Assignment: organization-defined automated mechanisms ] to [ Selection (one or
more): notify [ Assignment: organization-defined personnel or roles ] of individual
termination actions ; disable access to system resources ].
Discussion: In organizations with many employees, not all personnel who need to know
about termination actions receive the appropriate notifications, or if such notifications are
received, they may not occur in a timely manner. Automated mechanisms can be used to
send automatic alerts or notifications to organizational personnel or roles when individuals
are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways,
including via telephone, electronic mail, text message, or websites. Automated mechanisms
can also be employed to quickly and thoroughly disable access to system resources after an
employee is terminated.
Related Controls: None.
References: None.
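The automated mechanisms in PS-4(2) can be checked as well as executed. The following is an added example written for this page, not NIST text or any NIST tool: it turns a constructed HR termination feed and account inventory into the PS-4a/b actions (disable each still-enabled account, revoke every authenticator bound to it), produces the PS-4(2) notifications, and flags accounts still enabled after the organization-defined time period, with no grace period for terminations for cause. The four-hour period, system names, identifiers and feed contents are assumptions.

```python
# Added example for PS-4 and PS-4(2); not NIST code. The HR feed, account
# inventory, system names, identifiers and the four-hour period are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# [Assignment: organization-defined time period] for PS-4a, assumed here
DISABLE_WITHIN = timedelta(hours=4)


@dataclass(frozen=True)
class Termination:
    person_id: str
    effective: datetime   # when HR recorded the separation
    for_cause: bool       # PS-4 discussion: for-cause cases are time-critical


@dataclass(frozen=True)
class Account:
    person_id: str
    system: str           # e.g. "idp", "vpn" (constructed names)
    enabled: bool
    credentials: tuple    # authenticators and credentials bound to the account


def plan_actions(term, accounts):
    """PS-4a/b: one 'disable' per still-enabled account and one 'revoke' per
    authenticator, so a credential is not left valid on a disabled account."""
    actions = []
    for acct in accounts:
        if acct.person_id != term.person_id:
            continue
        if acct.enabled:
            actions.append(("disable", acct.system, acct.person_id))
        for cred in acct.credentials:
            actions.append(("revoke", acct.system, cred))
    return actions


def overdue(terms, accounts, now):
    """Detection side of PS-4(2): accounts still enabled after the deadline.
    For-cause terminations get no grace period (the discussion notes accounts
    may be disabled before the individual is notified)."""
    findings = []
    for term in terms:
        deadline = term.effective if term.for_cause else term.effective + DISABLE_WITHIN
        for acct in accounts:
            if acct.person_id == term.person_id and acct.enabled and now >= deadline:
                findings.append((term.person_id, acct.system, now - deadline))
    return findings


def notifications(term, accounts, roles):
    """PS-4(2) 'notify' selection: one message per role listing affected systems."""
    systems = sorted({a.system for a in accounts if a.person_id == term.person_id})
    return [(role, term.person_id, systems) for role in roles]


def demo():
    """Run the reconciliation over a constructed feed; returns the results."""
    utc = timezone.utc
    now = datetime(2024, 5, 1, 17, 0, tzinfo=utc)
    terms = [
        Termination("u100", datetime(2024, 5, 1, 9, 0, tzinfo=utc), for_cause=False),
        Termination("u200", datetime(2024, 5, 1, 16, 30, tzinfo=utc), for_cause=True),
    ]
    accounts = [
        Account("u100", "idp", True, ("fido2-key-7",)),
        Account("u100", "vpn", False, ("cert-serial-0x1a",)),  # disabled, cert still valid
        Account("u200", "idp", True, ("totp-seed-3",)),
        Account("u300", "idp", True, ()),                      # not terminated
    ]
    plan = plan_actions(terms[0], accounts)
    late = overdue(terms, accounts, now)
    notes = notifications(terms[1], accounts, roles=("isso", "facilities"))
    return plan, late, notes
```

The revoke step is kept separate from the disable step on purpose: a disabled account whose certificate or hardware token remains valid is exactly the gap PS-4b closes, and the reconciliation reports it even when the account itself is already off.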

PS-5 PERSONNEL TRANSFER

Control:
a. Review and confirm ongoing operational need for current logical and physical access
authorizations to systems and facilities when individuals are reassigned or transferred to
other positions within the organization;
b. Initiate [ Assignment: organization-defined transfer or reassignment actions ] within
[ Assignment: organization-defined time period following the formal transfer action ];
c. Modify access authorization as needed to correspond with any changes in operational need
due to reassignment or transfer; and
d. Notify [ Assignment: organization-defined personnel or roles ] within [ Assignment:
organization-defined time period ].
Discussion: Personnel transfer applies when reassignments or transfers of individuals are
permanent or of such extended duration as to make the actions warranted. Organizations define
actions appropriate for the types of reassignments or transfers, whether permanent or extended.
Actions that may be required for personnel transfers or reassignments to other positions within
organizations include returning old and issuing new keys, identification cards, and building
passes; closing system accounts and establishing new accounts; changing system access
authorizations (i.e., privileges); and providing for access to official records to which individuals
had access at previous work locations and in previous system accounts.
Related Controls: AC-2, IA-4, PE-2, PM-12, PS-4, PS-7.
Control Enhancements: None.
References: None.

PS-6 ACCESS AGREEMENTS

Control:
a. Develop and document access agreements for organizational systems;
b. Review and update the access agreements [ Assignment: organization-defined frequency ];
and
c. Verify that individuals requiring access to organizational information and systems:
  1. Sign appropriate access agreements prior to being granted access; and
  2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [ Assignment: organization-defined frequency ].
Discussion: Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.
Related Controls: AC-17, PE-2, PL-4, PS-2, PS-3, PS-6, PS-7, PS-8, SA-21, SI-12.
Control Enhancements:

(1) ACCESS AGREEMENTS | INFORMATION REQUIRING SPECIAL PROTECTION

[Withdrawn: Incorporated into PS-3.]

(2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION

Verify that access to classified information requiring special protection is granted only to
individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official
government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement.
Discussion: Classified information that requires special protection includes collateral
information, Special Access Program (SAP) information, and Sensitive Compartmented
Information (SCI). Personnel security criteria reflect applicable laws, executive orders,
directives, regulations, policies, standards, and guidelines.
Related Controls: None.

(3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS

(a) Notify individuals of applicable, legally binding post-employment requirements for
protection of organizational information; and
(b) Require individuals to sign an acknowledgment of these requirements, if applicable, as
part of granting initial access to covered information.
Discussion: Organizations consult with the Office of the General Counsel regarding matters
of post-employment requirements on terminated individuals.
Related Controls: PS-4.
References: None.

PS-7 EXTERNAL PERSONNEL SECURITY

Control:
a. Establish personnel security requirements, including security roles and responsibilities for
external providers;
b. Require external providers to comply with personnel security policies and procedures
established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify [ Assignment: organization-defined personnel or roles ] of
any personnel transfers or terminations of external personnel who possess organizational
credentials and/or badges, or who have system privileges within [ Assignment: organization-defined time period ]; and
e. Monitor provider compliance with personnel security requirements.
Discussion: External provider refers to organizations other than the organization operating or
acquiring the system. External providers include service bureaus, contractors, and other
organizations that provide system development, information technology services, testing or
assessment services, outsourced applications, and network/security management. Organizations
explicitly include personnel security requirements in acquisition-related documents. External
providers may have personnel working at organizational facilities with credentials, badges, or
system privileges issued by organizations. Notifications of external personnel changes ensure the
appropriate termination of privileges and credentials. Organizations define the transfers and
terminations deemed reportable by security-related characteristics that include functions, roles,
and the nature of credentials or privileges associated with transferred or terminated individuals.
Related Controls: AT-2, AT-3, MA-5, PE-3, PS-2, PS-3, PS-4, PS-5, PS-6, SA-5, SA-9, SA-21.
Control Enhancements: None.
References: [SP 800-35], [SP 800-63-3].

PS-8 PERSONNEL SANCTIONS

Control:
a. Employ a formal sanctions process for individuals failing to comply with established
information security and privacy policies and procedures; and
b. Notify [ Assignment: organization-defined personnel or roles ] within [ Assignment:
organization-defined time period ] when a formal employee sanctions process is initiated,
identifying the individual sanctioned and the reason for the sanction.
Discussion: Organizational sanctions reflect applicable laws, executive orders, directives,
regulations, policies, standards, and guidelines. Sanctions processes are described in access
agreements and can be included as part of general personnel policies for organizations and/or
specified in security and privacy policies. Organizations consult with the Office of the General
Counsel regarding matters of employee sanctions.
Related Controls: All XX-1 Controls, PL-4, PM-12, PS-6, PT-1.
Control Enhancements: None.
References: None.

PS-9 POSITION DESCRIPTIONS

Control: Incorporate security and privacy roles and responsibilities into organizational position
descriptions.
Discussion: Specification of security and privacy roles in individual organizational position
descriptions facilitates clarity in understanding the security or privacy responsibilities associated
with the roles and the role-based security and privacy training requirements for the roles.
Related Controls: None.
Control Enhancements: None.
References: [SP 800-181].

3.15 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

Quick link to Personally Identifiable Information Processing and Transparency table

PT-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system- level ] personally identifiable information processing and transparency policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies,
standards, and guidelines; and
  2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and
c. Review and update the current personally identifiable information processing and transparency:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of personally identifiable information processing and transparency policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personally identifiable information processing and transparency policy and procedures include assessment or audit findings, privacy breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: None.
Control Enhancements: None.
References: [OMB A-130].

PT-2 AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION

Control:
a. Determine and document the [ Assignment: organization-defined authority ] that permits the
[ Assignment: organization-defined processing ] of personally identifiable information; and
b. Restrict the [ Assignment: organization-defined processing ] of personally identifiable
information to only that which is authorized.
Discussion: The processing of personally identifiable information is an operation or set of
operations that the information system or organization performs with respect to personally
identifiable information across the information life cycle. Processing includes but is not limited to
creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and
disposal. Processing operations also include logging, generation, and transformation, as well as
analysis techniques, such as data mining.
Organizations may be subject to laws, executive orders, directives, regulations, or policies that
establish the organization’s authority and thereby limit certain types of processing of personally
identifiable information or establish other requirements related to the processing. Organizational
personnel consult with the senior agency official for privacy and legal counsel regarding such
authority, particularly if the organization is subject to multiple jurisdictions or sources of
authority. For organizations whose processing is not determined according to legal authorities,
the organization’s policies and determinations govern how they process personally identifiable
information. While processing of personally identifiable information may be legally permissible,
privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with
the authorized processing of personally identifiable information and support solutions to manage
such risks.
Organizations consider applicable requirements and organizational policies to determine how to
document this authority. For federal agencies, the authority to process personally identifiable
information is documented in privacy policies and notices, system of records notices, privacy
impact assessments, [PRIVACT] statements, computer matching agreements and notices,
contracts, information sharing agreements, memoranda of understanding, and other
documentation.
Organizations take steps to ensure that personally identifiable information is only processed for
authorized purposes, including training organizational personnel on the authorized processing of
personally identifiable information and monitoring and auditing organizational use of personally
identifiable information.
Related Controls: AC-2, AC-3, CM-13, IR-9, PM-9, PM-24, PT-1, PT-3, PT-5, PT-6, RA-3, RA-8, SI-12, SI-18.
Control Enhancements:

(1) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | DATA TAGGING

Attach data tags containing [ Assignment: organization-defined permissible processing ] to
[ Assignment: organization-defined elements of personally identifiable information ].
Discussion: Data tags support the tracking and enforcement of authorized processing by
conveying the types of processing that are authorized along with the relevant elements of
personally identifiable information throughout the system. Data tags may also support the
use of automated tools.
Related Controls: AC-16, CA-6, CM-12, PM-5, PM-22, PT-4, SC-16, SC-43, SI-10, SI-15, SI-19.

(2) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | AUTOMATION

Manage enforcement of the authorized processing of personally identifiable information
using [ Assignment: organization-defined automated mechanisms ].
Discussion: Automated mechanisms augment verification that only authorized processing is
occurring.
Related Controls: CA-6, CM-12, PM-5, PM-22, PT-4, SC-16, SC-43, SI-10, SI-15, SI-19.
References: [PRIVACT], [OMB A-130, Appendix II], [IR 8112].

PT-3 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES

Control:
a. Identify and document the [ Assignment: organization-defined purpose(s) ] for processing
personally identifiable information;
b. Describe the purpose(s) in the public privacy notices and policies of the organization;
c. Restrict the [ Assignment: organization-defined processing ] of personally identifiable
information to only that which is compatible with the identified purpose(s); and
d. Monitor changes in processing personally identifiable information and implement
[ Assignment: organization-defined mechanisms ] to ensure that any changes are made in
accordance with [ Assignment: organization-defined requirements ].
Discussion: Identifying and documenting the purpose for processing provides organizations with
a basis for understanding why personally identifiable information may be processed. The term
“process” includes every step of the information life cycle, including creation, collection, use,
processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and
documenting the purpose of processing is a prerequisite to enabling owners and operators of the
system and individuals whose information is processed by the system to understand how the
information will be processed. This enables individuals to make informed decisions about their
engagement with information systems and organizations and to manage their privacy interests.
Once the specific processing purpose has been identified, the purpose is described in the
organization’s privacy notices, policies, and any related privacy compliance documentation,
including privacy impact assessments, system of records notices, [PRIVACT] statements,
computer matching notices, and other applicable Federal Register notices.
Organizations take steps to help ensure that personally identifiable information is processed only
for identified purposes, including training organizational personnel and monitoring and auditing
organizational processing of personally identifiable information.
Organizations monitor for changes in personally identifiable information processing.
Organizational personnel consult with the senior agency official for privacy and legal counsel to
ensure that any new purposes that arise from changes in processing are compatible with the
purpose for which the information was collected, or if the new purpose is not compatible,
implement mechanisms in accordance with defined requirements to allow for the new
processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising
privacy policies, or other measures to manage privacy risks that arise from changes in personally
identifiable information processing purposes.
Related Controls: AC-2, AC-3, AT-3, CM-13, IR-9, PM-9, PM-25, PT-2, PT-5, PT-6, PT-7, RA-8, SC-43, SI-12, SI-18.
Control Enhancements:

(1) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | DATA TAGGING

Attach data tags containing the following purposes to [ Assignment: organization-defined
elements of personally identifiable information ]: [ Assignment: organization-defined
processing purposes ].
Discussion: Data tags support the tracking of processing purposes by conveying the
purposes along with the relevant elements of personally identifiable information throughout
the system. By conveying the processing purposes in a data tag along with the personally
identifiable information as the information transits a system, a system owner or operator
can identify whether a change in processing would be compatible with the identified and
documented purposes. Data tags may also support the use of automated tools.
Related Controls: CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.

(2) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | AUTOMATION

Track processing purposes of personally identifiable information using [ Assignment:
organization-defined automated mechanisms ].
Discussion: Automated mechanisms augment tracking of the processing purposes.
Related Controls: CA-6, CM-12, PM-5, PM-22, SC-16, SC-43, SI-10, SI-15, SI-19.
References: [PRIVACT], [OMB A-130, Appendix II], [IR 8112].
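PT-2(1)/(2) and PT-3(1)/(2) describe tags that carry permissible processing and purposes with each element of personally identifiable information, plus automation that enforces them. The following added example, written for this page and not part of SP 800-53 or any NIST tool, shows one way to build that: a tag per element records the permitted operations, the documented purposes and the authority; a gate default-denies untagged elements, operations outside the tag and purposes the tag does not carry; values derived from a tagged element inherit its tag so the gate still applies downstream; and a proposed new purpose is classified as already authorized, compatible, or requiring an organization-defined mechanism such as fresh consent (PT-3d, PT-4). Element names, purposes, the "SORN-2024-01" authority string, the compatibility map and the sample record are constructed.

```python
# Added example for PT-2(1)/(2) and PT-3(1)/(2); not NIST code. Element names,
# purposes, the "SORN-2024-01" authority string and the sample record are
# constructed assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    """Processing operations, after the life-cycle list in the PT-2 discussion."""
    COLLECT = "collect"
    USE = "use"
    STORE = "store"
    DISSEMINATE = "disseminate"
    ANALYZE = "analyze"       # data mining and similar analysis techniques
    TRANSFORM = "transform"   # deriving a new element from a tagged one


@dataclass(frozen=True)
class Tag:
    """The tag that travels with one PII element (PT-2(1), PT-3(1))."""
    permitted_ops: frozenset   # organization-defined permissible processing
    purposes: frozenset        # organization-defined processing purposes
    authority: str             # PT-2a: the documented authority (constructed id)


class ProcessingDenied(Exception):
    pass


@dataclass
class TaggedRecord:
    values: dict
    tags: dict                                 # element name -> Tag
    audit: list = field(default_factory=list)  # monitoring trail (PT-2/PT-3 discussion)

    def process(self, element, op, purpose):
        """Automated gate (PT-2(2), PT-3(2)): default deny for untagged elements,
        operations outside the tag, or purposes the tag does not carry."""
        tag = self.tags.get(element)
        if tag is None:
            self._deny(element, op, purpose, "untagged element")
        if op not in tag.permitted_ops:
            self._deny(element, op, purpose, f"{op.value} not permitted")
        if purpose not in tag.purposes:
            self._deny(element, op, purpose, f"purpose {purpose!r} not authorized")
        self.audit.append((element, op.value, purpose, "allowed"))
        return self.values[element]

    def derive(self, src, dst, fn, purpose):
        """A value derived from a tagged element inherits its tag, so the same
        gate applies as the data transits the system (PT-3(1) discussion)."""
        self.values[dst] = fn(self.process(src, Op.TRANSFORM, purpose))
        self.tags[dst] = self.tags[src]
        return self.values[dst]

    def purpose_change(self, element, new_purpose, compatible):
        """PT-3d: classify a proposed new purpose. 'compatible' relies on an
        organization-defined compatibility map; anything else needs a mechanism
        such as fresh consent (PT-4) before processing may proceed."""
        tag = self.tags[element]
        if new_purpose in tag.purposes:
            return "already-authorized"
        if any(new_purpose in compatible.get(p, ()) for p in tag.purposes):
            return "compatible"
        return "mechanism-required"

    def _deny(self, element, op, purpose, reason):
        self.audit.append((element, op.value, purpose, "denied: " + reason))
        raise ProcessingDenied(f"{element}: {reason}")


def sample_record():
    """Constructed sample: a benefits application with two tagged PII elements."""
    ssn = Tag(frozenset({Op.COLLECT, Op.STORE, Op.USE}),
              frozenset({"eligibility-determination"}), "SORN-2024-01")
    email = Tag(frozenset({Op.COLLECT, Op.STORE, Op.USE, Op.DISSEMINATE, Op.TRANSFORM}),
                frozenset({"eligibility-determination", "applicant-notification"}),
                "SORN-2024-01")
    return TaggedRecord({"ssn": "123-45-6789", "email": "a.b@example.gov"},
                        {"ssn": ssn, "email": email})


def attempt(rec, element, op, purpose):
    """Run one processing attempt and report the gate's decision."""
    try:
        rec.process(element, op, purpose)
        return "allowed"
    except ProcessingDenied:
        return "denied"


def demo():
    """Exercise the gate; returns the outcomes so they can be checked."""
    rec = sample_record()
    out = {
        "use_ssn": attempt(rec, "ssn", Op.USE, "eligibility-determination"),
        "share_ssn": attempt(rec, "ssn", Op.DISSEMINATE, "eligibility-determination"),
        "ssn_marketing": attempt(rec, "ssn", Op.USE, "marketing"),
    }
    # The derived element inherits email's tag, so marketing use is still denied.
    rec.derive("email", "email_domain", lambda v: v.split("@")[1], "applicant-notification")
    out["derived_marketing"] = attempt(rec, "email_domain", Op.USE, "marketing")
    out["new_purpose"] = rec.purpose_change(
        "email", "appeal-correspondence",
        compatible={"applicant-notification": {"appeal-correspondence"}})
    out["denials_logged"] = sum(1 for e in rec.audit if e[3].startswith("denied"))
    return out
```

Two design points matter in practice: the gate denies by default, so an element that reaches the processing path without a tag is stopped rather than silently treated as unrestricted, and every denial is recorded, which gives the monitoring and auditing that the PT-2 and PT-3 discussions call for something concrete to review.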

PT-4 CONSENT

Control: Implement [ Assignment: organization-defined tools or mechanisms ] for individuals to
consent to the processing of their personally identifiable information prior to its collection that
facilitate individuals’ informed decision-making.
Discussion: Consent allows individuals to participate in making decisions about the processing of
their information and transfers some of the risk that arises from the processing of personally
identifiable information from the organization to an individual. Consent may be required by
applicable laws, executive orders, directives, regulations, policies, standards, or guidelines.
Otherwise, when selecting consent as a control, organizations consider whether individuals can
be reasonably expected to understand and accept the privacy risks that arise from their
authorization. Organizations consider whether other controls may more effectively mitigate
privacy risk either alone or in conjunction with consent. Organizations also consider any
demographic or contextual factors that may influence the understanding or behavior of
individuals with respect to the processing carried out by the system or organization. When
soliciting consent from individuals, organizations consider the appropriate mechanism for
obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly
authenticate and identity-proof individuals, and how to obtain consent through electronic means.
In addition, organizations consider providing a mechanism for individuals to revoke consent once
it has been provided, as appropriate. Finally, organizations consider usability factors to help
individuals understand the risks being accepted when providing consent, including the use of
plain language and avoiding technical jargon.
Related Controls: AC-16, PT-2, PT-5.
Control Enhancements:

(1) CONSENT | TAILORED CONSENT

Provide [ Assignment: organization-defined mechanisms ] to allow individuals to tailor
processing permissions to selected elements of personally identifiable information.
Discussion: While some processing may be necessary for the basic functionality of the
product or service, other processing may not. In these circumstances, organizations allow
individuals to select how specific personally identifiable information elements may be
processed. More tailored consent may help reduce privacy risk, increase individual
satisfaction, and avoid adverse behaviors, such as abandonment of the product or service.
Related Controls: PT-2.

(2) CONSENT | JUST-IN-TIME CONSENT

Present [ Assignment: organization-defined consent mechanisms ] to individuals at
[ Assignment: organization-defined frequency ] and in conjunction with [ Assignment:
organization-defined personally identifiable information processing ].
Discussion: Just-in-time consent enables individuals to participate in how their personally
identifiable information is being processed at the time or in conjunction with specific types
of data processing when such participation may be most useful to the individual. Individual
assumptions about how personally identifiable information is being processed might not be
accurate or reliable if time has passed since the individual last gave consent or the type of
processing creates significant privacy risk. Organizations use discretion to determine when
to use just-in-time consent and may use supporting information on demographics, focus
groups, or surveys to learn more about individuals’ privacy interests and concerns.
Related Controls: PT-2.

(3) CONSENT | REVOCATION

Implement [ Assignment: organization-defined tools or mechanisms ] for individuals to
revoke consent to the processing of their personally identifiable information.
Discussion: Revocation of consent enables individuals to exercise control over their initial
consent decision when circumstances change. Organizations consider usability factors in
enabling easy-to-use revocation capabilities.
Related Controls: PT-2.
References: [PRIVACT], [OMB A-130], [SP 800-63-3].

PT-5 PRIVACY NOTICE

Control: Provide notice to individuals about the processing of personally identifiable information
that:
a. Is available to individuals upon first interacting with an organization, and subsequently at
[ Assignment: organization-defined frequency ];
b. Is clear and easy-to-understand, expressing information about personally identifiable
information processing in plain language;
c. Identifies the authority that authorizes the processing of personally identifiable information;
d. Identifies the purposes for which personally identifiable information is to be processed; and
e. Includes [ Assignment: organization-defined information ].
Discussion: Privacy notices help inform individuals about how their personally identifiable
information is being processed by the system or organization. Organizations use privacy notices
to inform individuals about how, under what authority, and for what purpose their personally
identifiable information is processed, as well as other information such as choices individuals
might have with respect to that processing and other parties with whom information is shared.
Laws, executive orders, directives, regulations, or policies may require that privacy notices
include specific elements or be provided in specific formats. Federal agency personnel consult
with the senior agency official for privacy and legal counsel regarding when and where to provide
privacy notices, as well as elements to include in privacy notices and required formats. In
circumstances where laws or government-wide policies do not require privacy notices,
organizational policies and determinations may require privacy notices and may serve as a source
of the elements to include in privacy notices.
Privacy risk assessments identify the privacy risks associated with the processing of personally
identifiable information and may help organizations determine appropriate elements to include
in a privacy notice to manage such risks. To help individuals understand how their information is
being processed, organizations write materials in plain language and avoid technical jargon.
Related Controls: PM-20, PM-22, PT-2, PT-3, PT-4, PT-7, RA-3, SI-18.
Control Enhancements:

(1) PRIVACY NOTICE | JUST-IN-TIME NOTICE

Present notice of personally identifiable information processing to individuals at a time
and location where the individual provides personally identifiable information or in
conjunction with a data action, or [ Assignment: organization-defined frequency ].
Discussion: Just-in-time notices inform individuals of how organizations process their
personally identifiable information at a time when such notices may be most useful to the
individuals. Individual assumptions about how personally identifiable information will be
processed might not be accurate or reliable if time has passed since the organization last
presented notice or the circumstances under which the individual was last provided notice
have changed. A just-in-time notice can explain data actions that organizations have
identified as potentially giving rise to greater privacy risk for individuals. Organizations can
use a just-in-time notice to update or remind individuals about specific data actions as they
occur or highlight specific changes that occurred since last presenting notice. A just-in-time
notice can be used in conjunction with just-in-time consent to explain what will occur if
consent is declined. Organizations use discretion to determine when to use a just-in-time
notice and may use supporting information on user demographics, focus groups, or surveys
to learn about users’ privacy interests and concerns.
Related Controls: PM-21.

(2) PRIVACY NOTICE | PRIVACY ACT STATEMENTS

Include Privacy Act statements on forms that collect information that will be maintained in
a Privacy Act system of records, or provide Privacy Act statements on separate forms that
can be retained by individuals.
Discussion: If a federal agency asks individuals to supply information that will become part
of a system of records, the agency is required to provide a [PRIVACT] statement on the form
used to collect the information or on a separate form that can be retained by the individual.
The agency provides a [PRIVACT] statement in such circumstances regardless of whether the
information will be collected on a paper or electronic form, on a website, on a mobile
application, over the telephone, or through some other medium. This requirement ensures
that the individual is provided with sufficient information about the request for information
to make an informed decision on whether or not to respond.
[PRIVACT] statements provide formal notice to individuals of the authority that authorizes
the solicitation of the information; whether providing the information is mandatory or
voluntary; the principal purpose(s) for which the information is to be used; the published
routine uses to which the information is subject; the effects on the individual, if any, of not
providing all or any part of the information requested; and an appropriate citation and link
to the relevant system of records notice. Federal agency personnel consult with the senior
agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT].
Related Controls: PT-6.
References: [PRIVACT], [OMB A-130], [OMB A-108].

PT-6 SYSTEM OF RECORDS NOTICE

Control: For systems that process information that will be maintained in a Privacy Act system of
records:
a. Draft system of records notices in accordance with OMB guidance and submit new and
significantly modified system of records notices to the OMB and appropriate congressional
committees for advance review;
b. Publish system of records notices in the Federal Register; and
c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.
Discussion: The [PRIVACT] requires that federal agencies publish a system of records notice in
the Federal Register upon the establishment and/or modification of a [PRIVACT] system of
records. As a general matter, a system of records notice is required when an agency maintains a
group of any records under the control of the agency from which information is retrieved by the
name of an individual or by some identifying number, symbol, or other identifier. The notice
describes the existence and character of the system and identifies the system of records, the
purpose(s) of the system, the authority for maintenance of the records, the categories of records
maintained in the system, the categories of individuals about whom records are maintained, the
routine uses to which the records are subject, and additional details about the system as
described in [OMB A-108].
Related Controls: AC-3, PM-20, PT-2, PT-3, PT-5.
Control Enhancements:

(1) SYSTEM OF RECORDS NOTICE | ROUTINE USES

Review all routine uses published in the system of records notice at [ Assignment:
organization-defined frequency ] to ensure continued accuracy, and to ensure that routine
uses continue to be compatible with the purpose for which the information was collected.
Discussion: A [PRIVACT] routine use is a particular kind of disclosure of a record outside of
the federal agency maintaining the system of records. A routine use is an exception to the
[PRIVACT] prohibition on the disclosure of a record in a system of records without the prior
written consent of the individual to whom the record pertains. To qualify as a routine use,
the disclosure must be for a purpose that is compatible with the purpose for which the
information was originally collected. The [PRIVACT] requires agencies to describe each
routine use of the records maintained in the system of records, including the categories of
users of the records and the purpose of the use. Agencies may only establish routine uses by
explicitly publishing them in the relevant system of records notice.
Related Controls: None.

(2) SYSTEM OF RECORDS NOTICE | EXEMPTION RULES

Review all Privacy Act exemptions claimed for the system of records at [ Assignment:
organization-defined frequency ] to ensure they remain appropriate and necessary in
accordance with law, that they have been promulgated as regulations, and that they are
accurately described in the system of records notice.
Discussion: The [PRIVACT] includes two sets of provisions that allow federal agencies to
claim exemptions from certain requirements in the statute. In certain circumstances, these
provisions allow agencies to promulgate regulations to exempt a system of records from
select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption
regulations include the specific name(s) of any system(s) of records that will be exempt, the
specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted,
the reasons for the exemption, and an explanation for why the exemption is both necessary
and appropriate.
Related Controls: None.
References: [PRIVACT], [OMB A-108].

PT-7 SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION

Control: Apply [ Assignment: organization-defined processing conditions ] for specific categories of
personally identifiable information.
Discussion: Organizations apply any conditions or protections that may be necessary for specific
categories of personally identifiable information. These conditions may be required by laws,
executive orders, directives, regulations, policies, standards, or guidelines. The requirements may
also come from the results of privacy risk assessments that factor in contextual changes that may
result in an organizational determination that a particular category of personally identifiable
information is particularly sensitive or raises particular privacy risks. Organizations consult with
the senior agency official for privacy and legal counsel regarding any protections that may be
necessary.
Related Controls: IR-9, PT-2, PT-3, RA-3.
Control Enhancements:

(1) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | SOCIAL SECURITY NUMBERS

When a system processes Social Security numbers:
(a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers,
and explore alternatives to their use as a personal identifier;
(b) Do not deny any individual any right, benefit, or privilege provided by law because of
such individual’s refusal to disclose his or her Social Security number; and
(c) Inform any individual who is asked to disclose his or her Social Security number
whether that disclosure is mandatory or voluntary, by what statutory or other
authority such number is solicited, and what uses will be made of it.
Discussion: Federal law and policy establish specific requirements for organizations’
processing of Social Security numbers. Organizations take steps to eliminate unnecessary
uses of Social Security numbers and other sensitive information and observe any particular
requirements that apply.
Related Controls: IA-4.

(2) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | FIRST AMENDMENT INFORMATION

Prohibit the processing of information describing how any individual exercises rights
guaranteed by the First Amendment unless expressly authorized by statute or by the
individual or unless pertinent to and within the scope of an authorized law enforcement
activity.
Discussion: The [PRIVACT] limits agencies’ ability to process information that describes how
individuals exercise rights guaranteed by the First Amendment. Organizations consult with
the senior agency official for privacy and legal counsel regarding these requirements.
Related Controls: None.
References: [PRIVACT], [OMB A-130], [OMB A-108].

PT-8 COMPUTER MATCHING REQUIREMENTS

Control: When a system or organization processes information for the purpose of conducting a
matching program:
a. Obtain approval from the Data Integrity Board to conduct the matching program;
b. Develop and enter into a computer matching agreement;
c. Publish a matching notice in the Federal Register;
d. Independently verify the information produced by the matching program before taking
adverse action against an individual, if required; and
e. Provide individuals with notice and an opportunity to contest the findings before taking
adverse action against an individual.
Discussion: The [PRIVACT] establishes requirements for federal and non-federal agencies if they
engage in a matching program. In general, a matching program is a computerized comparison of
records from two or more automated [PRIVACT] systems of records or an automated system of
records and automated records maintained by a non-federal agency (or agent thereof). A
matching program either pertains to federal benefit programs or federal personnel or payroll
records. A federal benefit match is performed to determine or verify eligibility for payments
under federal benefit programs or to recoup payments or delinquent debts under federal benefit
programs. A matching program involves not just the matching activity itself but also the
investigative follow-up and ultimate action, if any.
Related Controls: PM-24.
Control Enhancements: None.

References: [PRIVACT], [OMB A-130], [OMB A-108].

3.16 RISK ASSESSMENT

Quick link to Risk Assessment Summary Table

RA-1 POLICY AND PROCEDURES

Control:
a. Develop, document, and disseminate to [ Assignment: organization-defined personnel or
roles ]:
  1. [ Selection (one or more): organization-level; mission/business process-level; system-level ] risk assessment policy that:
     (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
b. Designate an [ Assignment: organization-defined official ] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
c. Review and update the current risk assessment:
  1. Policy [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ]; and
  2. Procedures [ Assignment: organization-defined frequency ] and following [ Assignment: organization-defined events ].
Discussion: Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security or privacy incidents, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Related Controls: PM-9, PS-8, SI-12.
Control Enhancements: None.
References: [OMB A-130], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].

RA-2 SECURITY CATEGORIZATION

Control:
a. Categorize the system and information it processes, stores, and transmits;
b. Document the security categorization results, including supporting rationale, in the security
plan for the system; and
c. Verify that the authorizing official or authorizing official designated representative reviews
and approves the security categorization decision.
Discussion: Security categories describe the potential adverse impacts or negative consequences
to organizational operations, organizational assets, and individuals if organizational information
and systems are compromised through a loss of confidentiality, integrity, or availability. Security
categorization is also a type of asset loss characterization in systems security engineering
processes that is carried out throughout the system development life cycle. Organizations can
use privacy risk assessments or privacy impact assessments to better understand the potential
adverse effects on individuals. [CNSSI 1253] provides additional guidance on categorization for
national security systems.
Organizations conduct the security categorization process as an organization-wide activity with
the direct involvement of chief information officers, senior agency information security officers,
senior agency officials for privacy, system owners, mission and business owners, and information
owners or stewards. Organizations consider the potential adverse impacts to other organizations
and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential
national-level adverse impacts.
Security categorization processes facilitate the development of inventories of information assets
and, along with CM-8, mappings to specific system components where information is processed,
stored, or transmitted. The security categorization process is revisited throughout the system
development life cycle to ensure that the security categories remain accurate and relevant.
Related Controls: CM-8, MP-4, PL-2, PL-10, PL-11, PM-7, RA-3, RA-5, RA-7, RA-8, SA-8, SC-7, SC-38, SI-12.
Control Enhancements:

(1) SECURITY CATEGORIZATION | IMPACT-LEVEL PRIORITIZATION

Conduct an impact-level prioritization of organizational systems to obtain additional
granularity on system impact levels.
Discussion: Organizations apply the “high-water mark” concept to each system categorized
in accordance with [FIPS 199], resulting in systems designated as low impact, moderate
impact, or high impact. Organizations that desire additional granularity in the system impact
designations for risk-based decision-making can further partition the systems into
sub-categories of the initial system categorization. For example, an impact-level prioritization on
a moderate-impact system can produce three new sub-categories: low-moderate systems,
moderate-moderate systems, and high-moderate systems. Impact-level prioritization and
the resulting sub-categories of the system give organizations an opportunity to focus their
investments related to security control selection and the tailoring of control baselines in
responding to identified risks. Impact-level prioritization can also be used to determine
those systems that may be of heightened interest or value to adversaries or represent a
critical loss to the federal enterprise, sometimes described as high value assets. For such
high value assets, organizations may be more focused on complexity, aggregation, and
information exchanges. Systems with high value assets can be prioritized by partitioning
high-impact systems into low-high systems, moderate-high systems, and high-high systems.
Alternatively, organizations can apply the guidance in [CNSSI 1253] for security objective-
related categorization.
Related Controls: None.
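The high-water mark aggregation described above, as an added worked example (this is not text or code from SP 800-53 or NIST): under FIPS 199 the system impact level is the highest impact level across the three security objectives, and each objective's level is in turn the highest level across the information types the system handles. The sub-category rule used for the impact-level prioritization is an assumption for illustration, since the control leaves that partitioning to the organization; the information types and their levels are constructed.

```python
"""FIPS 199 high-water mark and RA-2(1) impact-level prioritization (added example)."""
from dataclasses import dataclass

# FIPS 199 impact levels in ascending order; tuple position is used for comparison.
LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in LEVELS:
            raise ValueError(f"{self.name}: invalid impact level {value!r}")
        return value


def objective_levels(info_types) -> dict:
    """Per objective, the highest impact level across all information types (FIPS 199)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max((t.level(obj) for t in info_types), key=LEVELS.index)
        for obj in OBJECTIVES
    }


def high_water_mark(info_types) -> str:
    """System impact level: the highest of the three per-objective levels."""
    return max(objective_levels(info_types).values(), key=LEVELS.index)


def prioritize(info_types) -> str:
    """Impact-level prioritization sub-category, e.g. 'high-moderate'.

    The partitioning rule is an assumption for this example (the control leaves it
    organization-defined): count how many objectives sit at the high-water mark;
    one -> low-<mark>, two -> moderate-<mark>, all three -> high-<mark>.
    """
    levels = objective_levels(info_types)
    mark = max(levels.values(), key=LEVELS.index)
    at_mark = sum(1 for v in levels.values() if v == mark)
    prefix = {1: "low", 2: "moderate", 3: "high"}[at_mark]
    return f"{prefix}-{mark}"


# Constructed information types for a hypothetical benefits-processing system.
SAMPLE_SYSTEM = [
    InfoType("eligibility records", "moderate", "moderate", "low"),
    InfoType("public program descriptions", "low", "low", "low"),
    InfoType("payment instructions", "moderate", "moderate", "moderate"),
]

if __name__ == "__main__":
    print(objective_levels(SAMPLE_SYSTEM))  # all three objectives at moderate
    print(high_water_mark(SAMPLE_SYSTEM))   # moderate
    print(prioritize(SAMPLE_SYSTEM))        # high-moderate
```

Because the per-objective maximum is taken before the overall maximum, a single information type with one high objective pulls the whole system to high; that is the intended conservatism of the high-water mark, and the sub-category is what lets an organization distinguish that system from one where every objective is high.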
References: [FIPS 199], [FIPS 200], [SP 800-30], [SP 800-37], [SP 800-39], [SP 800-60-1], [SP 800-60-2], [SP 800-160-1], [CNSSI 1253].

RA-3 RISK ASSESSMENT

Control:
a. Conduct a risk assessment, including:
  1. Identifying threats to and vulnerabilities in the system;
  2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
  3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and
mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [ Selection: security and privacy plans; risk assessment
report; [ Assignment: organization-defined document ]];
d. Review risk assessment results [ Assignment: organization-defined frequency ];
e. Disseminate risk assessment results to [ Assignment: organization-defined personnel or
roles ]; and
f. Update the risk assessment [ Assignment: organization-defined frequency ] or when there are
significant changes to the system, its environment of operation, or other conditions that may
impact the security or privacy state of the system.
Discussion: Risk assessments consider threats, vulnerabilities, likelihood, and impact to
organizational operations and assets, individuals, other organizations, and the Nation. Risk
assessments also consider risk from external parties, including contractors who operate systems
on behalf of the organization, individuals who access organizational systems, service providers,
and outsourcing entities.
Organizations can conduct risk assessments at all three levels in the risk management hierarchy
(i.e., organization level, mission/business process level, or information system level) and at any
stage in the system development life cycle. Risk assessments can also be conducted at various
steps in the Risk Management Framework, including preparation, categorization, control
selection, control implementation, control assessment, authorization, and control monitoring.
Risk assessment is an ongoing activity carried out throughout the system development life cycle.
Risk assessments can also address information related to the system, including system design,
the intended use of the system, testing results, and supply chain-related information or artifacts.
Risk assessments can play an important role in control selection processes, particularly during
the application of tailoring guidance and in the earliest phases of capability determination.
Related Controls: CA-3, CA-6, CM-4, CM-13, CP-6, CP-7, IA-8, MA-5, PE-3, PE-8, PE-18, PL-2, PL-10, PL-11, PM-8, PM-9, PM-28, PT-7, RA-2, RA-5, RA-7, SA-8, SA-9, SC-38, SI-12.
Control Enhancements:

(1) RISK ASSESSMENT | SUPPLY CHAIN RISK ASSESSMENT

(a) Assess supply chain risks associated with [ Assignment: organization-defined systems,
system components, and system services ]; and
(b) Update the supply chain risk assessment [ Assignment: organization-defined
frequency ], when there are significant changes to the relevant supply chain, or when
changes to the system, environments of operation, or other conditions may
necessitate a change in the supply chain.
Discussion: Supply chain-related events include disruption, use of defective components,
insertion of counterfeits, theft, malicious development practices, improper delivery
practices, and insertion of malicious code. These events can have a significant impact on the
confidentiality, integrity, or availability of a system and its information and, therefore, can
also adversely impact organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations, and the Nation. The
supply chain-related events may be unintentional or malicious and can occur at any point
during the system life cycle. An analysis of supply chain risk can help an organization identify
systems or components for which additional supply chain risk mitigations are required.
Related Controls: RA-2, RA-9, PM-17, PM-30, SR-2.

(2) RISK ASSESSMENT | USE OF ALL-SOURCE INTELLIGENCE

Use all-source intelligence to assist in the analysis of risk.
Discussion: Organizations employ all-source intelligence to inform engineering, acquisition,
and risk management decisions. All-source intelligence consists of information derived from
all available sources, including publicly available or open-source information, measurement
and signature intelligence, human intelligence, signals intelligence, and imagery intelligence.
All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and
unintentional) from development, manufacturing, and delivery processes, people, and the
environment. The risk analysis may be performed on suppliers at multiple tiers in the supply
chain sufficient to manage risks. Organizations may develop agreements to share all-source
intelligence information or resulting decisions with other organizations, as appropriate.
Related Controls: None.

(3) RISK ASSESSMENT | DYNAMIC THREAT AWARENESS

Determine the current cyber threat environment on an ongoing basis using [ Assignment:
organization-defined means ].
Discussion: The threat awareness information that is gathered feeds into the organization’s
information security operations to ensure that procedures are updated in response to the
changing threat environment. For example, at higher threat levels, organizations may
change the privilege or authentication thresholds required to perform certain operations.
Related Controls: AT-2.

(4) RISK ASSESSMENT | PREDICTIVE CYBER ANALYTICS

Employ the following advanced automation and analytics capabilities to predict and
identify risks to [ Assignment: organization-defined systems or system components ]:
[ Assignment: organization-defined advanced automation and analytics capabilities ].
Discussion: A properly resourced Security Operations Center (SOC) or Computer Incident
Response Team (CIRT) may be overwhelmed by the volume of information generated by the
proliferation of security tools and appliances unless it employs advanced automation and
analytics to analyze the data. Advanced automation and analytics capabilities are typically
supported by artificial intelligence concepts, including machine learning. Examples include
Automated Threat Discovery and Response (which includes broad-based collection, context-
based analysis, and adaptive response capabilities), automated workflow operations, and
machine-assisted decision tools. Note, however, that sophisticated adversaries may be able
to extract information related to analytic parameters and retrain the machine learning to
classify malicious activity as benign. Accordingly, machine learning is augmented by human
monitoring to ensure that sophisticated adversaries are not able to conceal their activities.
Related Controls: None.
References: [OMB A-130], [SP 800-30], [SP 800-39], [SP 800-161], [IR 8023], [IR 8062], [IR 8272].

RA-4 RISK ASSESSMENT UPDATE

[Withdrawn: Incorporated into RA-3.]

RA-5 VULNERABILITY MONITORING AND SCANNING

Control:
a. Monitor and scan for vulnerabilities in the system and hosted applications [ Assignment:
organization-defined frequency and/or randomly in accordance with organization-defined
process ] and when new vulnerabilities potentially affecting the system are identified and
reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among
tools and automate parts of the vulnerability management process by using standards for:
  1. Enumerating platforms, software flaws, and improper configurations;
  2. Formatting checklists and test procedures; and
  3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [ Assignment: organization-defined response times ] in
accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control
assessments with [ Assignment: organization-defined personnel or roles ] to help eliminate
similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the
vulnerabilities to be scanned.
Discussion: Security categorization of information and systems guides the frequency and
comprehensiveness of vulnerability monitoring (including scans). Organizations determine the
required vulnerability monitoring for system components, ensuring that the potential sources of
vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors),
networked printers, scanners, and copiers—are not overlooked. The capability to readily update
vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new
scanning methods are developed helps to ensure that new vulnerabilities are not missed by
employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps
to ensure that potential vulnerabilities in the system are identified and addressed as quickly as
possible. Vulnerability monitoring and analyses for custom software may require additional
approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three
approaches. Organizations can use these analysis approaches in source code reviews and in a
variety of tools, including web-based application scanners, static analysis tools, and binary
analyzers.
Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports,
protocols, and services that should not be accessible to users or devices; and scanning for flow
control mechanisms that are improperly configured or operating incorrectly. Vulnerability
monitoring may also include continuous vulnerability monitoring tools that use instrumentation
to continuously analyze components. Instrumentation-based tools may improve accuracy and
may be run throughout an organization without scanning. Vulnerability monitoring tools that
facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-
validated. Thus, organizations consider using scanning tools that express vulnerabilities in the
Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open
Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources
for vulnerability information include the Common Weakness Enumeration (CWE) listing and the
National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide
additional sources of potential vulnerabilities for which to scan. Organizations also consider using
scanning tools that express vulnerability impact by the Common Vulnerability Scoring System
(CVSS).
Vulnerability monitoring includes a channel and process for receiving reports of security
vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as
publishing a monitored email address or web form that can receive reports, including notification
authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally
expect that such research is happening with or without their authorization and can use public
vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are
reported directly to the organization for remediation.
Organizations may also employ the use of financial incentives (also known as “bug bounties”) to
further encourage external security researchers to report discovered vulnerabilities. Bug bounty
programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or
over a defined period of time and can be offered to the general public or to a curated group.
Organizations may run public and private bounties simultaneously and could choose to offer
partially credentialed access to certain participants in order to evaluate security vulnerabilities
from privileged vantage points.
Related Controls: CA-2, CA-7, CA-8, CM-2, CM-4, CM-6, CM-8, RA-2, RA-3, SA-11, SA-15, SC-38,
SI-2, SI-3, SI-4, SI-7, SR-11.
Control Enhancements:

(1) VULNERABILITY MONITORING AND SCANNING | UPDATE TOOL CAPABILITY

[Withdrawn: Incorporated into RA-5.]

(2) VULNERABILITY MONITORING AND SCANNING | UPDATE VULNERABILITIES TO BE SCANNED

Update the system vulnerabilities to be scanned [ Selection (one or more): [ Assignment:
organization-defined frequency ] ; prior to a new scan; when new vulnerabilities are
identified and reported ].
Discussion: Due to the complexity of modern software, systems, and other factors, new
vulnerabilities are discovered on a regular basis. It is important that newly discovered
vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the
organization can take steps to mitigate those vulnerabilities in a timely manner.
Related Controls: SI-5.

(3) VULNERABILITY MONITORING AND SCANNING | BREADTH AND DEPTH OF COVERAGE

Define the breadth and depth of vulnerability scanning coverage.
Discussion: The breadth of vulnerability scanning coverage can be expressed as a
percentage of components within the system, by the particular types of systems, by the
criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the
depth of vulnerability scanning coverage can be expressed as the level of the system design
that the organization intends to monitor (e.g., component, module, subsystem, element).
Organizations can determine the sufficiency of vulnerability scanning coverage with regard
to its risk tolerance and other factors. Scanning tools and how the tools are configured may
affect the depth and coverage. Multiple scanning tools may be needed to achieve the
desired depth and coverage. [SP 800-53A] provides additional information on the breadth
and depth of coverage.

Related Controls: None.

(4) VULNERABILITY MONITORING AND SCANNING | DISCOVERABLE INFORMATION

Determine information about the system that is discoverable and take [ Assignment:
organization-defined corrective actions ].
Discussion: Discoverable information includes information that adversaries could obtain
without compromising or breaching the system, such as by collecting information that the
system is exposing or by conducting extensive web searches. Corrective actions include
notifying appropriate organizational personnel, removing designated information, or
changing the system to make the designated information less relevant or attractive to
adversaries. This enhancement excludes intentionally discoverable information that may be
part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the
organization.
Related Controls: AU-13, SC-26.

(5) VULNERABILITY MONITORING AND SCANNING | PRIVILEGED ACCESS

Implement privileged access authorization to [ Assignment: organization-defined system
components ] for [ Assignment: organization-defined vulnerability scanning activities ].
Discussion: In certain situations, the nature of the vulnerability scanning may be more
intrusive, or the system component that is the subject of the scanning may contain classified
or controlled unclassified information, such as personally identifiable information. Privileged
access authorization to selected system components facilitates more thorough vulnerability
scanning and protects the sensitive nature of such scanning.
Related Controls: None.

(6) VULNERABILITY MONITORING AND SCANNING | AUTOMATED TREND ANALYSES

Compare the results of multiple vulnerability scans using [ Assignment: organization-
defined automated mechanisms ].
Discussion: Using automated mechanisms to analyze multiple vulnerability scans over time
can help determine trends in system vulnerabilities and identify patterns of attack.
Related Controls: None.
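The organization-defined response times of RA-5 d and the automated comparison of scan results called for in RA-5(6) come down to a small amount of bookkeeping over CVE-keyed findings. The Python below is an added example, not text or code from the publication or from any scanner: it diffs two scan results into new, remediated and persisting findings, carries forward first-detection dates, and flags findings that have outlived the response time for their CVSS severity band. The hosts, CVE identifiers, scores and response-time table are constructed assumptions.

```python
# Added example, not part of NIST SP 800-53 or of any scanner's own code.
# Compares two CVE-keyed scan results (the trend view RA-5(6) asks automated
# mechanisms for) and flags findings past the organization-defined response
# times of RA-5 d. Hosts, CVE ids, scores and response times are constructed
# placeholders; the CVE ids are not real identifiers.
from dataclasses import dataclass, replace
from datetime import date

@dataclass(frozen=True)
class Finding:
    host: str         # scanned component
    cve: str          # CVE naming convention (placeholder id here)
    cvss: float       # CVSS base score reported by the scanner
    first_seen: date  # date the finding first appeared in a scan

# Assumed organization-defined response times (days) per severity band; the
# band boundaries follow the CVSS v3 qualitative rating scale.
RESPONSE_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]

def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative severity band."""
    return next(name for floor, name in BANDS if cvss >= floor)

def compare_scans(previous, current):
    """Trend analysis: (host, cve) pairs that are new, remediated or persisting."""
    prev = {(f.host, f.cve) for f in previous}
    curr = {(f.host, f.cve) for f in current}
    return {"new": sorted(curr - prev),
            "remediated": sorted(prev - curr),
            "persisting": sorted(curr & prev)}

def carry_forward(previous, current):
    """Keep the earliest first_seen for findings present in both scans, so a
    persisting finding's age is measured from its first detection."""
    earliest = {(f.host, f.cve): f.first_seen for f in previous}
    merged = []
    for f in current:
        seen = earliest.get((f.host, f.cve))
        merged.append(replace(f, first_seen=seen) if seen and seen < f.first_seen else f)
    return merged

def overdue(findings, today: date):
    """Findings whose age exceeds the response time for their severity band."""
    out = []
    for f in findings:
        age = (today - f.first_seen).days
        if age > RESPONSE_DAYS[severity(f.cvss)]:
            out.append((f.host, f.cve, severity(f.cvss), age))
    return sorted(out)

# Constructed scan results; scanners usually stamp first_seen with the scan date.
SCAN_JAN = [Finding("web01", "CVE-0000-1001", 9.8, date(2024, 1, 10)),
            Finding("web01", "CVE-0000-1002", 5.3, date(2024, 1, 10)),
            Finding("db01", "CVE-0000-1003", 7.5, date(2024, 1, 10))]
SCAN_FEB = [Finding("web01", "CVE-0000-1001", 9.8, date(2024, 2, 20)),
            Finding("db01", "CVE-0000-1004", 4.0, date(2024, 2, 20))]

if __name__ == "__main__":
    print(compare_scans(SCAN_JAN, SCAN_FEB))
    print(overdue(carry_forward(SCAN_JAN, SCAN_FEB), date(2024, 2, 20)))
```

Without the carry-forward step the persisting critical finding would look zero days old on the February scan and never trip the response-time check.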

(7) VULNERABILITY MONITORING AND SCANNING | AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS

[Withdrawn: Incorporated into CM-8.]

(8) VULNERABILITY MONITORING AND SCANNING | REVIEW HISTORIC AUDIT LOGS

Review historic audit logs to determine if a vulnerability identified in a [ Assignment:
organization-defined system ] has been previously exploited within an [ Assignment:
organization-defined time period ].
Discussion: Reviewing historic audit logs to determine if a recently detected vulnerability in
a system has been previously exploited by an adversary can provide important information
for forensic analyses. Such analyses can help identify, for example, the extent of a previous
intrusion, the trade craft employed during the attack, organizational information exfiltrated
or modified, mission or business capabilities affected, and the duration of the attack.
Related Controls: AU-6, AU-11.

(9) VULNERABILITY MONITORING AND SCANNING | PENETRATION TESTING AND ANALYSES

[Withdrawn: Incorporated into CA-8.]

(10) VULNERABILITY MONITORING AND SCANNING | CORRELATE SCANNING INFORMATION

Correlate the output from vulnerability scanning tools to determine the presence of multi-
vulnerability and multi-hop attack vectors.
Discussion: An attack vector is a path or means by which an adversary can gain access to a
system in order to deliver malicious code or exfiltrate information. Organizations can use
attack trees to show how hostile activities by adversaries interact and combine to produce
adverse impacts or negative consequences to systems and organizations. Such information,
together with correlated data from vulnerability scanning tools, can provide greater clarity
regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability
scanning information is especially important when organizations are transitioning from older
technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
During such transitions, some system components may inadvertently be unmanaged and
create opportunities for adversary exploitation.
Related Controls: None.

(11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM

Establish a public reporting channel for receiving reports of vulnerabilities in
organizational systems and system components.
Discussion: The reporting channel is publicly discoverable and contains clear language
authorizing good-faith research and the disclosure of vulnerabilities to the organization. The
organization does not condition its authorization on an expectation of indefinite non-
disclosure to the public by the reporting entity but may request a specific time period to
properly remediate the vulnerability.
Related Controls: None.
References: [ISO 29147], [SP 800-40], [SP 800-53A], [SP 800-70], [SP 800-115], [SP 800-126], [IR
7788], [IR 8011-4], [IR 8023].

RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY

Control: Employ a technical surveillance countermeasures survey at [ Assignment: organization-
defined locations ] [ Selection (one or more): [ Assignment: organization-defined frequency ]; when
the following events or indicators occur: [ Assignment: organization-defined events or
indicators ]].

Discussion: A technical surveillance countermeasures survey is a service provided by qualified
personnel to detect the presence of technical surveillance devices and hazards and to identify
technical security weaknesses that could be used in the conduct of a technical penetration of the
surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the
technical security posture of organizations and facilities and include visual, electronic, and
physical examinations of surveyed facilities, internally and externally. The surveys also provide
useful input for risk assessments and information regarding organizational exposure to potential
adversaries.
Related Controls: None.
Control Enhancements: None.
References: None.

RA-7 RISK RESPONSE

Control: Respond to findings from security and privacy assessments, monitoring, and audits in
accordance with organizational risk tolerance.
Discussion: Organizations have many options for responding to risk including mitigating risk by
implementing new controls or strengthening existing controls, accepting risk with appropriate
justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the
organization influences risk response decisions and actions. Risk response addresses the need to
determine an appropriate response to risk before generating a plan of action and milestones
entry. For example, the response may be to accept risk or reject risk, or it may be possible to
mitigate the risk immediately so that a plan of action and milestones entry is not needed.
However, if the risk response is to mitigate the risk, and the mitigation cannot be completed
immediately, a plan of action and milestones entry is generated.
Related Controls: CA-5, IR-9, PM-4, PM-28, RA-2, RA-3, SR-2.
Control Enhancements: None.
References: [FIPS 199], [FIPS 200], [SP 800-30], [SP 800-37], [SP 800-39], [SP 800-160-1].

RA-8 PRIVACY IMPACT ASSESSMENTS

Control: Conduct privacy impact assessments for systems, programs, or other activities before:
a. Developing or procuring information technology that processes personally identifiable
information; and
b. Initiating a new collection of personally identifiable information that:
  1. Will be processed using information technology; and
  2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
Discussion: A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis. Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.
To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names,
including privacy threshold analyses. A privacy impact assessment can also serve as notice to the
public regarding the organization’s practices with respect to privacy. Although conducting and
publishing privacy impact assessments may be required by law, organizations may develop such
policies in the absence of applicable laws. For federal agencies, privacy impact assessments may
be required by [EGOV]; agencies should consult with their senior agency official for privacy and
legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance
relating to the provision.
Related Controls: CM-4, CM-9, CM-13, PT-2, PT-3, PT-5, RA-1, RA-2, RA-3, RA-7.
Control Enhancements: None.
References: [EGOV], [OMB A-130, Appendix II], [OMB M-03-22].

RA-9 CRITICALITY ANALYSIS

Control: Identify critical system components and functions by performing a criticality analysis for
[ Assignment: organization-defined systems, system components, or system services ] at
[ Assignment: organization-defined decision points in the system development life cycle ].
Discussion: Not all system components, functions, or services necessarily require significant
protections. For example, criticality analysis is a key tenet of supply chain risk management and
informs the prioritization of protection activities. The identification of critical system components
and functions considers applicable laws, executive orders, regulations, directives, policies,
standards, system functionality requirements, system and component interfaces, and system and
component dependencies. Systems engineers conduct a functional decomposition of a system to
identify mission-critical functions and components. The functional decomposition includes the
identification of organizational missions supported by the system, decomposition into the
specific functions to perform those missions, and traceability to the hardware, software, and
firmware components that implement those functions, including when the functions are shared
by many components within and external to the system.
The operational environment of a system or a system component may impact the criticality,
including the connections to and dependencies on cyber-physical systems, devices, system-of-
systems, and outsourced IT services. System components that allow unmediated access to critical
system components or functions are considered critical due to the inherent vulnerabilities that
such components create. Component and function criticality are assessed in terms of the impact
of a component or function failure on the organizational missions that are supported by the
system that contains the components and functions.
Criticality analysis is performed when an architecture or design is being developed, modified, or
upgraded. If such analysis is performed early in the system development life cycle, organizations
may be able to modify the system design to reduce the critical nature of these components and
functions, such as by adding redundancy or alternate paths into the system design. Criticality
analysis can also influence the protection measures required by development contractors. In
addition to criticality analysis for systems, system components, and system services, criticality
analysis of information is an important consideration. Such analysis is conducted as part of
security categorization in RA-2.
Related Controls: CP-2, PL-2, PL-8, PL-11, PM-1, RA-2, SA-8, SA-15, SA-20, SR-5.
Control Enhancements: None.
References: [IR 8179].
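The functional decomposition, the traceability from functions to components, and the rule that components with unmediated access to critical components are themselves critical can be worked through on a small constructed system. The Python below is an added example, not part of the publication; every mission, function and component name in it is an assumption.

```python
# Added example, not part of NIST SP 800-53. A small criticality analysis over
# a constructed functional decomposition: missions are decomposed into
# functions, functions are traced to the components implementing them, and a
# component is critical if it implements a mission-critical function or has
# unmediated access to a critical component (RA-9 discussion). All mission,
# function and component names are constructed.

# Constructed decomposition: the functions each mission depends on ...
MISSION_FUNCTIONS = {
    "process-claims": ["intake", "adjudicate", "pay"],
    "management-reporting": ["reporting"],
}
# ... and traceability from each function to the components implementing it.
FUNCTION_COMPONENTS = {
    "intake": ["web-portal", "claims-db"],
    "adjudicate": ["rules-engine", "claims-db"],
    "pay": ["payment-gw", "claims-db"],
    "reporting": ["report-svc", "claims-db"],
}
# Directed edges (src, dst): src reaches dst with nothing mediating the access
# (no authentication boundary, filtering device or broker in between).
UNMEDIATED_ACCESS = [
    ("admin-jumpbox", "claims-db"),
    ("build-server", "rules-engine"),
    ("monitoring", "build-server"),
]

def functions_for(missions, mission_functions):
    """Decompose the given missions into the functions that perform them."""
    return {fn for m in missions for fn in mission_functions.get(m, [])}

def trace_components(functions, function_components):
    """Traceability: the components that implement any of the given functions."""
    return {c for fn in functions for c in function_components.get(fn, [])}

def criticality_analysis(critical_functions, function_components, unmediated_access):
    """Return (critical components, reason per component). Criticality is
    propagated backwards along unmediated-access edges until nothing changes."""
    critical = trace_components(critical_functions, function_components)
    reasons = {c: "implements a critical function" for c in critical}
    changed = True
    while changed:
        changed = False
        for src, dst in unmediated_access:
            if dst in critical and src not in critical:
                critical.add(src)
                reasons[src] = f"unmediated access to {dst}"
                changed = True
    return critical, reasons

if __name__ == "__main__":
    # Only the claims mission is designated critical in this constructed case.
    critical_fns = functions_for({"process-claims"}, MISSION_FUNCTIONS)
    crit, why = criticality_analysis(critical_fns, FUNCTION_COMPONENTS, UNMEDIATED_ACCESS)
    for comp in sorted(crit):
        print(f"{comp}: {why[comp]}")
```

Removing an edge from UNMEDIATED_ACCESS, that is, inserting a mediation point into the design, shrinks the critical set; this is the kind of early life-cycle design change the discussion describes.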

RA-10 THREAT HUNTING

Control:
a. Establish and maintain a cyber threat hunting capability to:
  1. Search for indicators of compromise in organizational systems; and
  2. Detect, track, and disrupt threats that evade existing controls; and
b. Employ the threat hunting capability [ Assignment: organization-defined frequency ].
Discussion: Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.
Related Controls: CA-2, CA-7, CA-8, RA-3, RA-5, RA-6, SI-4.
Control Enhancements: None.
References: [SP 800-30].