Security Controls Taxonomy


The security pattern templates and ‘How To’ guide use NIST Special Publication 800-53 (Rev. 5) for the baseline list of Security Controls.

Version 5 has been used (rather than Version 4) given the improved updates made to the taxonomy list.


Below is the summary list of security controls currently published for 800-53 (Rev. 5)

Security Controls List

Control Identifier Control or Control Name
AC-01 Policy and Procedures
AC-02 Account Management
AC-03 Access Enforcement
AC-04 Information Flow Enforcement
AC-05 Separation of Duties
AC-06 Least Privilege
AC-07 Unsuccessful Logon Attempts
AC-08 System Use Notification
AC-09 Previous Logon Notification
AC-10 Concurrent Session Control
AC-11 Device Lock
AC-12 Session Termination
AC-13 Supervision and Review - Access Control
AC-14 Permitted Actions Without Identification or Authentication
AC-15 Automated Marking
AC-16 Security and Privacy Attributes
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Systems
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-25 Reference Monitor
AT-01 Policy and Procedures
AT-02 Awareness Training
AT-03 Role-based Training
AT-04 Training Records
AT-05 Contacts with Security Groups and Associations
AU-01 Policy and Procedures
AU-02 Event Logging
AU-03 Content of Audit Records
AU-04 Audit Log Storage Capacity
AU-05 Response to Audit Logging Process Failures
AU-06 Audit Record Review, Analysis, and Reporting
AU-07 Audit Record Reduction and Report Generation
AU-08 Time Stamps
AU-09 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Record Generation
AU-13 Monitoring for Information Disclosure
AU-14 Session Audit
AU-15 Alternate Audit Logging Capability
AU-16 Cross-organizational Audit Logging
CA-01 Policy and Procedures
CA-02 Control Assessments
CA-03 Information Exchange
CA-04 Security Certification
CA-05 Plan of Action and Milestones
CA-06 Authorization
CA-07 Continuous Monitoring
CA-08 Penetration Testing
CA-09 Internal System Connections
CM-01 Policy and Procedures
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-04 Impact Analyses
CM-05 Access Restrictions for Change
CM-06 Configuration Settings
CM-07 Least Functionality
CM-08 System Component Inventory
CM-09 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-11 User-installed Software
CM-12 Information Location
CM-13 Data Action Mapping
CP-01 Policy and Procedures
CP-02 Contingency Plan
CP-03 Contingency Training
CP-04 Contingency Plan Testing
CP-05 Contingency Plan Update
CP-06 Alternate Storage Site
CP-07 Alternate Processing Site
CP-08 Telecommunications Services
CP-09 System Backup
CP-10 System Recovery and Reconstitution
CP-11 Alternate Communications Protocols
CP-12 Safe Mode
CP-13 Alternative Security Mechanisms
CP-14 Self-challenge
IA-01 Policy and Procedures
IA-02 Identification and Authentication (organizational Users)
IA-03 Device Identification and Authentication
IA-04 Identifier Management
IA-05 Authenticator Management
IA-06 Authenticator Feedback
IA-07 Cryptographic Module Authentication
IA-08 Identification and Authentication (non-organizational Users)
IA-09 Service Identification and Authentication
IA-10 Adaptive Authentication
IA-11 Re-authentication
IA-12 Identity Proofing
IR-01 Policy and Procedures
IR-02 Incident Response Training
IR-03 Incident Response Testing
IR-04 Incident Handling
IR-05 Incident Monitoring
IR-06 Incident Reporting
IR-07 Incident Response Assistance
IR-08 Incident Response Plan
IR-09 Information Spillage Response
IR-10 Incident Analysis
MA-01 Policy and Procedures
MA-02 Controlled Maintenance
MA-03 Maintenance Tools
MA-04 Nonlocal Maintenance
MA-05 Maintenance Personnel
MA-06 Timely Maintenance
MA-07 Field Maintenance
MP-01 Policy and Procedures
MP-02 Media Access
MP-03 Media Marking
MP-04 Media Storage
MP-05 Media Transport
MP-06 Media Sanitization
MP-07 Media Use
MP-08 Media Downgrading
PE-01 Policy and Procedures
PE-02 Physical Access Authorizations
PE-03 Physical Access Control
PE-04 Access Control for Transmission
PE-05 Access Control for Output Devices
PE-06 Monitoring Physical Access
PE-07 Visitor Control
PE-08 Visitor Access Records
PE-09 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Environmental Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of System Components
PE-19 Information Leakage
PE-20 Asset Monitoring and Tracking
PE-21 Electromagnetic Pulse Protection
PE-22 Component Marking
PE-23 Facility Location
PL-01 Policy and Procedures
PL-02 System Security and Privacy Plans
PL-03 System Security Plan Update
PL-04 Rules of Behavior
PL-05 Privacy Impact Assessment
PL-06 Security-related Activity Planning
PL-07 Concept of Operations
PL-08 Security and Privacy Architectures
PL-09 Central Management
PL-10 Baseline Selection
PL-11 Baseline Tailoring
PM-01 Information Security Program Plan
PM-02 Information Security Program Leadership Role
PM-03 Information Security and Privacy Resources
PM-04 Plan of Action and Milestones Process
PM-05 System Inventory
PM-06 Measures of Performance
PM-07 Enterprise Architecture
PM-08 Critical Infrastructure Plan
PM-09 Risk Management Strategy
PM-10 Authorization Process
PM-11 Mission and Business Process Definition
PM-12 Insider Threat Program
PM-13 Security and Privacy Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Security and Privacy Groups and Associations
PM-16 Threat Awareness Program
PM-17 Protecting Controlled Unclassified Information on External Systems
PM-18 Privacy Program Plan
PM-19 Privacy Program Leadership Role
PM-20 Dissemination of Privacy Program Information
PM-21 Accounting of Disclosures
PM-22 Personally Identifiable Information Quality Management
PM-23 Data Governance Body
PM-24 Data Integrity Board
PM-25 Minimization of Pii Used in Testing, Training, and Research
PM-26 Complaint Management
PM-27 Privacy Reporting
PM-28 Risk Framing
PM-29 Risk Management Program Leadership Roles
PM-30 Supply Chain Risk Management Strategy
PM-31 Continuous Monitoring Strategy
PM-32 Purposing
PM-33 Privacy Policies on Websites, Applications, and Digital Services
PS-01 Policy and Procedures
PS-02 Position Risk Designation
PS-03 Personnel Screening
PS-04 Personnel Termination
PS-05 Personnel Transfer
PS-06 Access Agreements
PS-07 External Personnel Security
PS-08 Personnel Sanctions
PT-01 Policy and Procedures
PT-02 Authority to Process Personally Identifiable Information
PT-03 Personally Identifiable Information Processing Purposes
PT-04 Minimization
PT-05 Consent
PT-06 Privacy Notice
PT-07 System of Records Notice
PT-08 Specific Categories of Personally Identifiable Information
PT-09 Computer Matching Requirements
RA-01 Policy and Procedures
RA-02 Security Categorization
RA-03 Risk Assessment
RA-04 Risk Assessment Update
RA-05 Vulnerability Monitoring and Scanning
RA-06 Technical Surveillance Countermeasures Survey
RA-07 Risk Response
RA-08 Privacy Impact Assessments
RA-09 Criticality Analysis
RA-10 Threat Hunting
SA-01 Policy and Procedures
SA-02 Allocation of Resources
SA-03 System Development Life Cycle
SA-04 Acquisition Process
SA-05 System Documentation
SA-06 Software Usage Restrictions
SA-07 User-installed Software
SA-08 Security and Privacy Engineering Principles
SA-09 External System Services
SA-10 Developer Configuration Management
SA-11 Developer Testing and Evaluation
SA-12 Supply Chain Protection
SA-13 Trustworthiness
SA-14 Criticality Analysis
SA-15 Development Process, Standards, and Tools
SA-16 Developer-provided Training
SA-17 Developer Security Architecture and Design
SA-18 Tamper Resistance and Detection
SA-19 Component Authenticity
SA-20 Customized Development of Critical Components
SA-21 Developer Screening
SA-22 Unsupported System Components
SA-23 Specialization
SC-01 Policy and Procedures
SC-02 Separation of System and User Functionality
SC-03 Security Function Isolation
SC-04 Information in Shared System Resources
SC-05 Denial of Service Protection
SC-06 Resource Availability
SC-07 Boundary Protection
SC-08 Transmission Confidentiality and Integrity
SC-09 Transmission Confidentiality
SC-10 Network Disconnect
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices and Applications
SC-16 Transmission of Security and Privacy Attributes
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice Over Internet Protocol
SC-20 Secure Name/address Resolution Service (authoritative Source)
SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Decoys
SC-27 Platform-independent Applications
SC-28 Protection of Information at Rest
SC-29 Heterogeneity
SC-30 Concealment and Misdirection
SC-31 Covert Channel Analysis
SC-32 System Partitioning
SC-33 Transmission Preparation Integrity
SC-34 Non-modifiable Executable Programs
SC-35 External Malicious Code Identification
SC-36 Distributed Processing and Storage
SC-37 Out-of-band Channels
SC-38 Operations Security
SC-39 Process Isolation
SC-40 Wireless Link Protection
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-43 Usage Restrictions
SC-44 Detonation Chambers
SC-45 System Time Synchronization
SC-46 Cross Domain Policy Enforcement
SC-47 Communications Path Diversity
SC-48 Sensor Relocation
SC-49 Hardware-enforced Separation and Policy Enforcement
SC-50 Software-enforced Separation and Policy Enforcement
SC-51 Operational and Internet-based Technologies
SI-01 Policy and Procedures
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-04 System Monitoring
SI-05 Security Alerts, Advisories, and Directives
SI-06 Security and Privacy Function Verification
SI-07 Software, Firmware, and Information Integrity
SI-08 Spam Protection
SI-09 Information Input Restrictions
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Management and Retention
SI-13 Predictable Failure Prevention
SI-14 Non-persistence
SI-15 Information Output Filtering
SI-16 Memory Protection
SI-17 Fail-safe Procedures
SI-18 Personally Identifiable Information Quality Operations
SI-19 De-identification
SI-20 Tainting
SI-21 Information Refresh
SI-22 Information Diversity
SI-23 Information Fragmentation
SR-01 Policy and Procedures
SR-02 Supply Chain Risk Management Plan
SR-03 Supply Chain Controls and Processes
SR-04 Provenance
SR-05 Acquisition Strategies, Tools, and Methods
SR-06 Supplier Reviews
SR-07 Supply Chain Operations Security
SR-08 Notification Agreements
SR-09 Tamper Resistance and Detection
SR-10 Inspection of Systems or Components
SR-11 Component Authenticity