Security Controls Taxonomy
Introduction
The security pattern templates and ‘How To’ guide use NIST Special Publication 800-53 (Rev. 5) for the baseline list of Security Controls.
Version 5 has been used (rather than Version 4) given the improved updates made to the taxonomy list.
References
Below is the summary list of security controls currently published for 800-53 (Rev. 5)
Security Controls List
| Control Identifier | Control or Control Name |
|---|---|
| AC-01 | Policy and Procedures |
| AC-02 | Account Management |
| AC-03 | Access Enforcement |
| AC-04 | Information Flow Enforcement |
| AC-05 | Separation of Duties |
| AC-06 | Least Privilege |
| AC-07 | Unsuccessful Logon Attempts |
| AC-08 | System Use Notification |
| AC-09 | Previous Logon Notification |
| AC-10 | Concurrent Session Control |
| AC-11 | Device Lock |
| AC-12 | Session Termination |
| AC-13 | Supervision and Review - Access Control |
| AC-14 | Permitted Actions Without Identification or Authentication |
| AC-15 | Automated Marking |
| AC-16 | Security and Privacy Attributes |
| AC-17 | Remote Access |
| AC-18 | Wireless Access |
| AC-19 | Access Control for Mobile Devices |
| AC-20 | Use of External Systems |
| AC-21 | Information Sharing |
| AC-22 | Publicly Accessible Content |
| AC-23 | Data Mining Protection |
| AC-24 | Access Control Decisions |
| AC-25 | Reference Monitor |
| AT-01 | Policy and Procedures |
| AT-02 | Awareness Training |
| AT-03 | Role-based Training |
| AT-04 | Training Records |
| AT-05 | Contacts with Security Groups and Associations |
| AU-01 | Policy and Procedures |
| AU-02 | Event Logging |
| AU-03 | Content of Audit Records |
| AU-04 | Audit Log Storage Capacity |
| AU-05 | Response to Audit Logging Process Failures |
| AU-06 | Audit Record Review, Analysis, and Reporting |
| AU-07 | Audit Record Reduction and Report Generation |
| AU-08 | Time Stamps |
| AU-09 | Protection of Audit Information |
| AU-10 | Non-repudiation |
| AU-11 | Audit Record Retention |
| AU-12 | Audit Record Generation |
| AU-13 | Monitoring for Information Disclosure |
| AU-14 | Session Audit |
| AU-15 | Alternate Audit Logging Capability |
| AU-16 | Cross-organizational Audit Logging |
| CA-01 | Policy and Procedures |
| CA-02 | Control Assessments |
| CA-03 | Information Exchange |
| CA-04 | Security Certification |
| CA-05 | Plan of Action and Milestones |
| CA-06 | Authorization |
| CA-07 | Continuous Monitoring |
| CA-08 | Penetration Testing |
| CA-09 | Internal System Connections |
| CM-01 | Policy and Procedures |
| CM-02 | Baseline Configuration |
| CM-03 | Configuration Change Control |
| CM-04 | Impact Analyses |
| CM-05 | Access Restrictions for Change |
| CM-06 | Configuration Settings |
| CM-07 | Least Functionality |
| CM-08 | System Component Inventory |
| CM-09 | Configuration Management Plan |
| CM-10 | Software Usage Restrictions |
| CM-11 | User-installed Software |
| CM-12 | Information Location |
| CM-13 | Data Action Mapping |
| CP-01 | Policy and Procedures |
| CP-02 | Contingency Plan |
| CP-03 | Contingency Training |
| CP-04 | Contingency Plan Testing |
| CP-05 | Contingency Plan Update |
| CP-06 | Alternate Storage Site |
| CP-07 | Alternate Processing Site |
| CP-08 | Telecommunications Services |
| CP-09 | System Backup |
| CP-10 | System Recovery and Reconstitution |
| CP-11 | Alternate Communications Protocols |
| CP-12 | Safe Mode |
| CP-13 | Alternative Security Mechanisms |
| CP-14 | Self-challenge |
| IA-01 | Policy and Procedures |
| IA-02 | Identification and Authentication (organizational Users) |
| IA-03 | Device Identification and Authentication |
| IA-04 | Identifier Management |
| IA-05 | Authenticator Management |
| IA-06 | Authenticator Feedback |
| IA-07 | Cryptographic Module Authentication |
| IA-08 | Identification and Authentication (non-organizational Users) |
| IA-09 | Service Identification and Authentication |
| IA-10 | Adaptive Authentication |
| IA-11 | Re-authentication |
| IA-12 | Identity Proofing |
| IR-01 | Policy and Procedures |
| IR-02 | Incident Response Training |
| IR-03 | Incident Response Testing |
| IR-04 | Incident Handling |
| IR-05 | Incident Monitoring |
| IR-06 | Incident Reporting |
| IR-07 | Incident Response Assistance |
| IR-08 | Incident Response Plan |
| IR-09 | Information Spillage Response |
| IR-10 | Incident Analysis |
| MA-01 | Policy and Procedures |
| MA-02 | Controlled Maintenance |
| MA-03 | Maintenance Tools |
| MA-04 | Nonlocal Maintenance |
| MA-05 | Maintenance Personnel |
| MA-06 | Timely Maintenance |
| MA-07 | Field Maintenance |
| MP-01 | Policy and Procedures |
| MP-02 | Media Access |
| MP-03 | Media Marking |
| MP-04 | Media Storage |
| MP-05 | Media Transport |
| MP-06 | Media Sanitization |
| MP-07 | Media Use |
| MP-08 | Media Downgrading |
| PE-01 | Policy and Procedures |
| PE-02 | Physical Access Authorizations |
| PE-03 | Physical Access Control |
| PE-04 | Access Control for Transmission |
| PE-05 | Access Control for Output Devices |
| PE-06 | Monitoring Physical Access |
| PE-07 | Visitor Control |
| PE-08 | Visitor Access Records |
| PE-09 | Power Equipment and Cabling |
| PE-10 | Emergency Shutoff |
| PE-11 | Emergency Power |
| PE-12 | Emergency Lighting |
| PE-13 | Fire Protection |
| PE-14 | Environmental Controls |
| PE-15 | Water Damage Protection |
| PE-16 | Delivery and Removal |
| PE-17 | Alternate Work Site |
| PE-18 | Location of System Components |
| PE-19 | Information Leakage |
| PE-20 | Asset Monitoring and Tracking |
| PE-21 | Electromagnetic Pulse Protection |
| PE-22 | Component Marking |
| PE-23 | Facility Location |
| PL-01 | Policy and Procedures |
| PL-02 | System Security and Privacy Plans |
| PL-03 | System Security Plan Update |
| PL-04 | Rules of Behavior |
| PL-05 | Privacy Impact Assessment |
| PL-06 | Security-related Activity Planning |
| PL-07 | Concept of Operations |
| PL-08 | Security and Privacy Architectures |
| PL-09 | Central Management |
| PL-10 | Baseline Selection |
| PL-11 | Baseline Tailoring |
| PM-01 | Information Security Program Plan |
| PM-02 | Information Security Program Leadership Role |
| PM-03 | Information Security and Privacy Resources |
| PM-04 | Plan of Action and Milestones Process |
| PM-05 | System Inventory |
| PM-06 | Measures of Performance |
| PM-07 | Enterprise Architecture |
| PM-08 | Critical Infrastructure Plan |
| PM-09 | Risk Management Strategy |
| PM-10 | Authorization Process |
| PM-11 | Mission and Business Process Definition |
| PM-12 | Insider Threat Program |
| PM-13 | Security and Privacy Workforce |
| PM-14 | Testing, Training, and Monitoring |
| PM-15 | Security and Privacy Groups and Associations |
| PM-16 | Threat Awareness Program |
| PM-17 | Protecting Controlled Unclassified Information on External Systems |
| PM-18 | Privacy Program Plan |
| PM-19 | Privacy Program Leadership Role |
| PM-20 | Dissemination of Privacy Program Information |
| PM-21 | Accounting of Disclosures |
| PM-22 | Personally Identifiable Information Quality Management |
| PM-23 | Data Governance Body |
| PM-24 | Data Integrity Board |
| PM-25 | Minimization of Pii Used in Testing, Training, and Research |
| PM-26 | Complaint Management |
| PM-27 | Privacy Reporting |
| PM-28 | Risk Framing |
| PM-29 | Risk Management Program Leadership Roles |
| PM-30 | Supply Chain Risk Management Strategy |
| PM-31 | Continuous Monitoring Strategy |
| PM-32 | Purposing |
| PM-33 | Privacy Policies on Websites, Applications, and Digital Services |
| PS-01 | Policy and Procedures |
| PS-02 | Position Risk Designation |
| PS-03 | Personnel Screening |
| PS-04 | Personnel Termination |
| PS-05 | Personnel Transfer |
| PS-06 | Access Agreements |
| PS-07 | External Personnel Security |
| PS-08 | Personnel Sanctions |
| PT-01 | Policy and Procedures |
| PT-02 | Authority to Process Personally Identifiable Information |
| PT-03 | Personally Identifiable Information Processing Purposes |
| PT-04 | Minimization |
| PT-05 | Consent |
| PT-06 | Privacy Notice |
| PT-07 | System of Records Notice |
| PT-08 | Specific Categories of Personally Identifiable Information |
| PT-09 | Computer Matching Requirements |
| RA-01 | Policy and Procedures |
| RA-02 | Security Categorization |
| RA-03 | Risk Assessment |
| RA-04 | Risk Assessment Update |
| RA-05 | Vulnerability Monitoring and Scanning |
| RA-06 | Technical Surveillance Countermeasures Survey |
| RA-07 | Risk Response |
| RA-08 | Privacy Impact Assessments |
| RA-09 | Criticality Analysis |
| RA-10 | Threat Hunting |
| SA-01 | Policy and Procedures |
| SA-02 | Allocation of Resources |
| SA-03 | System Development Life Cycle |
| SA-04 | Acquisition Process |
| SA-05 | System Documentation |
| SA-06 | Software Usage Restrictions |
| SA-07 | User-installed Software |
| SA-08 | Security and Privacy Engineering Principles |
| SA-09 | External System Services |
| SA-10 | Developer Configuration Management |
| SA-11 | Developer Testing and Evaluation |
| SA-12 | Supply Chain Protection |
| SA-13 | Trustworthiness |
| SA-14 | Criticality Analysis |
| SA-15 | Development Process, Standards, and Tools |
| SA-16 | Developer-provided Training |
| SA-17 | Developer Security Architecture and Design |
| SA-18 | Tamper Resistance and Detection |
| SA-19 | Component Authenticity |
| SA-20 | Customized Development of Critical Components |
| SA-21 | Developer Screening |
| SA-22 | Unsupported System Components |
| SA-23 | Specialization |
| SC-01 | Policy and Procedures |
| SC-02 | Separation of System and User Functionality |
| SC-03 | Security Function Isolation |
| SC-04 | Information in Shared System Resources |
| SC-05 | Denial of Service Protection |
| SC-06 | Resource Availability |
| SC-07 | Boundary Protection |
| SC-08 | Transmission Confidentiality and Integrity |
| SC-09 | Transmission Confidentiality |
| SC-10 | Network Disconnect |
| SC-11 | Trusted Path |
| SC-12 | Cryptographic Key Establishment and Management |
| SC-13 | Cryptographic Protection |
| SC-14 | Public Access Protections |
| SC-15 | Collaborative Computing Devices and Applications |
| SC-16 | Transmission of Security and Privacy Attributes |
| SC-17 | Public Key Infrastructure Certificates |
| SC-18 | Mobile Code |
| SC-19 | Voice Over Internet Protocol |
| SC-20 | Secure Name/address Resolution Service (authoritative Source) |
| SC-21 | Secure Name/address Resolution Service (recursive or Caching Resolver) |
| SC-22 | Architecture and Provisioning for Name/address Resolution Service |
| SC-23 | Session Authenticity |
| SC-24 | Fail in Known State |
| SC-25 | Thin Nodes |
| SC-26 | Decoys |
| SC-27 | Platform-independent Applications |
| SC-28 | Protection of Information at Rest |
| SC-29 | Heterogeneity |
| SC-30 | Concealment and Misdirection |
| SC-31 | Covert Channel Analysis |
| SC-32 | System Partitioning |
| SC-33 | Transmission Preparation Integrity |
| SC-34 | Non-modifiable Executable Programs |
| SC-35 | External Malicious Code Identification |
| SC-36 | Distributed Processing and Storage |
| SC-37 | Out-of-band Channels |
| SC-38 | Operations Security |
| SC-39 | Process Isolation |
| SC-40 | Wireless Link Protection |
| SC-41 | Port and I/O Device Access |
| SC-42 | Sensor Capability and Data |
| SC-43 | Usage Restrictions |
| SC-44 | Detonation Chambers |
| SC-45 | System Time Synchronization |
| SC-46 | Cross Domain Policy Enforcement |
| SC-47 | Communications Path Diversity |
| SC-48 | Sensor Relocation |
| SC-49 | Hardware-enforced Separation and Policy Enforcement |
| SC-50 | Software-enforced Separation and Policy Enforcement |
| SC-51 | Operational and Internet-based Technologies |
| SI-01 | Policy and Procedures |
| SI-02 | Flaw Remediation |
| SI-03 | Malicious Code Protection |
| SI-04 | System Monitoring |
| SI-05 | Security Alerts, Advisories, and Directives |
| SI-06 | Security and Privacy Function Verification |
| SI-07 | Software, Firmware, and Information Integrity |
| SI-08 | Spam Protection |
| SI-09 | Information Input Restrictions |
| SI-10 | Information Input Validation |
| SI-11 | Error Handling |
| SI-12 | Information Management and Retention |
| SI-13 | Predictable Failure Prevention |
| SI-14 | Non-persistence |
| SI-15 | Information Output Filtering |
| SI-16 | Memory Protection |
| SI-17 | Fail-safe Procedures |
| SI-18 | Personally Identifiable Information Quality Operations |
| SI-19 | De-identification |
| SI-20 | Tainting |
| SI-21 | Information Refresh |
| SI-22 | Information Diversity |
| SI-23 | Information Fragmentation |
| SR-01 | Policy and Procedures |
| SR-02 | Supply Chain Risk Management Plan |
| SR-03 | Supply Chain Controls and Processes |
| SR-04 | Provenance |
| SR-05 | Acquisition Strategies, Tools, and Methods |
| SR-06 | Supplier Reviews |
| SR-07 | Supply Chain Operations Security |
| SR-08 | Notification Agreements |
| SR-09 | Tamper Resistance and Detection |
| SR-10 | Inspection of Systems or Components |
| SR-11 | Component Authenticity |