NIST SP 800-53A Appendix H

From FISMApedia
Jump to: navigation, search




The work sheet provided in this appendix summarizes all of the assessment procedures and associated assessment objectives listed in Appendix F (Assessment Procedure Catalog) by NIST Special Publication 800-53 security control/control enhancement identifier. This work sheet is intended to assist users of this document in identifying and selecting the base set of procedures for assessing the information system security controls. The base set of assessment procedures requires tailoring as appropriate (see Section 3.3) to reflect the security controls defined and documented in the security plan and to support the type of security assessment being conducted. The first column of the work sheet can be used by organizations to identify the security controls and control enhancements that are contained in the security plan for the information system.61 [1] The second column can be used to identify which security controls are part of the current assessment if the organization is conducting a partial assessment (for example, conducting an assessment as part of continuous monitoring where a subset of the security controls are assessed on an ongoing basis). The third and fourth columns list all of the security controls (and control enhancements) in Special Publication 800-53 by shorthand identifier and formal control name, respectively. The fifth column lists all of the assessment objectives for each assessment procedure in Appendix F. The set of procedures to be tailored and used in assessing the security controls in the organizational information system correspond to the security controls and security control enhancements checked in the first column (or second column for partial assessments). Assessment procedures developed for the assessment of organization-specific or system-specific controls not listed in Appendix F must also be executed. A section of the work sheet is reserved for listing these additional security controls.

Assessment Procedure Work Sheet


Access Control

      AC-1 Access Control Policy and Procedures AC-1.1, AC-1.2
      AC-2 Account Management AC-2.1
      AC-2(1) Account Management AC-2(1).1
      AC-2(2) Account Management AC-2(2).1
      AC-2(3) Account Management AC-2(3).1
      AC-2(4) Account Management AC-2(4).1
      AC-3 Access Enforcement AC-3.1
      AC-3(1) Access Enforcement AC-3(1).1
      AC-3 (ICS-1) Access Enforcement AC-3(ICS-1).1
      AC-4 Information Flow Enforcement AC-4.1, AC-4.2
      AC-4(1) Information Flow Enforcement AC-4(1).1
      AC-4(2) Information Flow Enforcement AC-4(2).1
      AC-4(3) Information Flow Enforcement AC-4(3).1
      AC-5 Separation of Duties AC-5.1
      AC-6 Least Privilege AC-6.1
      AC-7 Unsuccessful Login Attempts AC-7.1
      AC-7(1) Unsuccessful Login Attempts AC-7(1).1
      AC-8 System Use Notification AC-8.1
      AC-9 Previous Logon Notification AC-9.1
      AC-10 Concurrent Session Control AC-10.1
      AC-11 Session Lock AC-11.1
      AC-12 Session Termination AC-12.1
      AC-12(1) Session Termination AC-12(1).1
      AC-13 Supervision and Review—Access Control AC-13.1
      AC-13(1) Supervision and Review—Access Control AC-13(1).1
      AC-14 Permitted Actions w/o Identification or Authentication AC-14.1
      AC-14(1) Permitted Actions w/o Identification or Authentication AC-14(1).1
      AC-15 Automated Marking AC-15.1
      AC-16 Automated Labeling AC-16.1
      AC-17 Remote Access AC-17.1
      AC-17(1) Remote Access AC-17(1).1
      AC-17(2) Remote Access AC-17(2).1
      AC-17(3) Remote Access AC-17(3).1
      AC-17(4) Remote Access AC-17(4).1
      AC-18 Wireless Access Restrictions AC-18.1
      AC-18(1) Wireless Access Restrictions AC-18(1).1
      AC-18(2) Wireless Access Restrictions AC-18(2).1
      AC-19 Access Control for Portable and Mobile Devices AC-19.1
      AC-20 Use of External Information Systems AC-20.1
      AC-20(1) Use of External Information Systems AC-20(1).1

Awareness and Training

      AT-1 Security Awareness and Training Policy and Procedures AT-1.1, AT-1.2
      AT-2 Security Awareness AT-2.1
      AT-3 Security Training AT-3.1
      AT-4 Security Training Records AT-4.1
      AT-5 Contacts with Security Groups and Associations AT-5.1

Audit and Accountability

      AU-1 Audit and Accountability Policy and Procedures AU-1.1, AU-1.2
      AU-2 Auditable Events AU-2.1
      AU-2(1) Auditable Events AU-2(1).1
      AU-2(2) Auditable Events AU-2(2).1
      AU-2(3) Auditable Events AU-2(3).1
      AU-3 Content of Audit Records AU-3.1
      AU-3(1) Content of Audit Records AU-3(1).1
      AU-3(2) Content of Audit Records AU-3(2).1
      AU-4 Audit Storage Capacity AU-4.1
      AU-5 Response to Audit Processing Failures AU-5.1
      AU-5(1) Response to Audit Processing Failures AU-5(1).1
      AU-5(2) Response to Audit Processing Failures AU-5(2).1
      AU-6 Audit Monitoring, Analysis, and Reporting AU-6.1, AU-6.2
      AU-6(1) Audit Monitoring, Analysis, and Reporting AU-6(1).1
      AU-6(2) Audit Monitoring, Analysis, and Reporting AU-6(2).1
      AU-7 Audit Reduction and Report Generation AU-7.1
      AU-7(1) Audit Reduction and Report Generation AU-7(1).1
      AU-8 Time Stamps AU-8.1
      AU-8(1) Time Stamps AU-8(1).1
      AU-9 Protection of Audit Information AU-9.1
      AU-9(1) Protection of Audit Information AU-9(1).1
      AU-10 Non-repudiation AU-10.1
      AU-11 Audit Record Retention AU-11.1

Certification, Accreditation, and Security Assessments

      CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures CA-1.1, CA-1.2
      CA-2 Security Assessments CA-2.1
      CA-3 Information System Connections CA-3.1
      CA-4 Security Certification CA-4.1
      CA-4(1) Security Certification CA-4(1).1
      CA-5 Plan of Action and Milestones CA-5.1
      CA-6 Security Accreditation CA-6.1
      CA-7 Continuous Monitoring CA-7.1, CA-7.2
      CA-7(1) Continuous Monitoring CA-7(1).1

Configuration Management

      CM-1 Configuration Management Policy and Procedures CM-1.1, CM-1.2
      CM-2 Baseline Configuration CM-2.1
      CM-2(1) Baseline Configuration CM-2(1).1
      CM-2(2) Baseline Configuration CM-2(2).1
      CM-3 Configuration Change Control CM-3.1
      CM-3(1) Configuration Change Control CM-3(1).1
      CM-3 (ICS-1) Configuration Change Control CM-3(ICS-1).1
      CM-4 Monitoring Configuration Changes CM-4.1
      CM-5 Access Restrictions for Change CM-5.1
      CM-5(1) Access Restrictions for Change CM-5(1).1
      CM-6 Configuration Settings CM-6.1
      CM-6(1) Configuration Settings CM-6(1).1
      CM-7 Least Functionality CM-7.1
      CM-7(1) Least Functionality CM-7(1).1
      CM-8 Information System Component Inventory CM-8.1
      CM-8(1) Information System Component Inventory CM-8(1).1
      CM-8(2) Information System Component Inventory CM-8(2).1

Contingency Planning

      CP-1 Contingency Planning Policy and Procedures CP-1.1, CP-1.2
      CP-2 Contingency Plan CP-2.1
      CP-2(1) Contingency Plan CP-2(1).1
      CP-2(2) Contingency Plan CP-2(2).1
      CP-3 Contingency Training CP-3.1, CP-3.2
      CP-3(1) Contingency Training CP-3(1).1
      CP-3(2) Contingency Training CP-3(2).1
      CP-4 Contingency Plan Testing and Exercises CP-4.1, CP-4.2
      CP-4(1) Contingency Plan Testing and Exercises CP-4(1).1
      CP-4(2) Contingency Plan Testing and Exercises CP-4(2).1
      CP-4(3) Contingency Plan Testing and Exercises CP-4(3).1
      CP-5 Contingency Plan Update CP-5.1, CP-5.2
      CP-6 Alternate Storage Site CP-6.1
      CP-6(1) Alternate Storage Site CP-6(1).1
      CP-6(2) Alternate Storage Site CP-6(2).1
      CP-6(3) Alternate Storage Site CP-6(3).1
      CP-7 Alternate Processing Site CP-7.1
      CP-7(1) Alternate Processing Site CP-7(1).1
      CP-7(2) Alternate Processing Site CP-7(2).1
      CP-7(3) Alternate Processing Site CP-7(3).1
      CP-7(4) Alternate Processing Site CP-7(4).1
      CP-8 Telecommunications Services CP-8.1, CP-8.2
      CP-8(1) Telecommunications Services CP-8(1).1
      CP-8(2) Telecommunications Services CP-8(2).1
      CP-8(3) Telecommunications Services CP-8(3).1
      CP-8(4) Telecommunications Services CP-8(4).1
      CP-9 Information System Backup CP-9.1, CP-9.2
      CP-9(1) Information System Backup CP-9(1).1
      CP-9(2) Information System Backup CP-9(2).1
      CP-9(3) Information System Backup CP-9(3).1
      CP-9(4) Information System Backup CP-9(4).1
      CP-10 Information System Recovery and Reconstitution CP-10.1
      CP-10(1) Information System Recovery and Reconstitution CP-10(1).1

Identification and Authentication

      IA-1 Identification and Authentication Policy and Procedures IA-1.1, IA-1.2
      IA-2 User Identification and Authentication IA-2.1
      IA-2(1) User Identification and Authentication IA-2(1).1
      IA-2(2) User Identification and Authentication IA-2(2).1
      IA-2(3) User Identification and Authentication IA-2(3).1
      IA-3 Device Identification and Authentication IA-3.1
      IA-4 Identifier Management IA-4.1
      IA-5 Authenticator Management IA-5.1
      IA-6 Authenticator Feedback IA-6.1
      IA-7 Cryptographic Module Authentication IA-7.1

Incident Response

      IR-1 Incident Response Policy and Procedures IR-1.1, IR-1.2
      IR-2 Incident Response Training IR-2.1
      IR-2(1) Incident Response Training IR-2(1).1
      IR-2(2) Incident Response Training IR-2(2).1
      IR-3 Incident Response Testing and Exercises IR-3.1
      IR-3(1) Incident Response Testing and Exercises IR-3(1).1
      IR-4 Incident Handling IR-4.1
      IR-4(1) Incident Handling IR-4(1).1
      IR-5 Incident Monitoring IR-5.1
      IR-5(1) Incident Monitoring IR-5(1).1
      IR-6 Incident Reporting IR-6.1
      IR-6(1) Incident Reporting IR-6(1).1
      IR-7 Incident Response Assistance IR-7.1
      IR-7(1) Incident Response Assistance IR-7(1).1


      MA-1 System Maintenance Policy and Procedures MA-1.1, MA-1.2
      MA-2 Controlled Maintenance MA-2.1
      MA-2(1) Controlled Maintenance MA-2(1).1
      MA-2(2) Controlled Maintenance MA-2(2).1
      MA-3 Maintenance Tools MA-3.1
      MA-3(1) Maintenance Tools MA-3(1).1
      MA-3(2) Maintenance Tools MA-3(2).1
      MA-3(3) Maintenance Tools MA-3(3).1
      MA-3(4) Maintenance Tools MA-3(4).1
      MA-4 Remote Maintenance MA-4.1
      MA-4(1) Remote Maintenance MA-4(1).1
      MA-4(2) Remote Maintenance MA-4(2).1
      MA-4(3) Remote Maintenance MA-4(3).1
      MA-5 Maintenance Personnel MA-5.1
      MA-6 Timely Maintenance MA-6.1

Media Protection

      MP-1 Media Protection Policy and Procedures MP-1.1, MP-1.2
      MP-2 Media Access MP-2.1
      MP-2(1) Media Access MP-2(1).1
      MP-3 Media Labeling MP-3.1
      MP-4 Media Storage MP-4.1
      MP-5 Media Transport MP-5.1
      MP-5(1) Media Transport MP-5(1).1
      MP-5(2) Media Transport MP-5(2).1
      MP-5(3) Media Transport MP-5(3).1
      MP-6 Media Sanitization and Disposal MP-6.1
      MP-6(1) Media Sanitization and Disposal MP-6(1).1
      MP-6(2) Media Sanitization and Disposal MP-6(2).1

Physical and Environmental Protection

      PE-1 Physical and Environmental Protection Policy and Procedures PE-1.1, PE-1.2
      PE-2 Physical Access Authorizations PE-2.1
      PE-3 Physical Access Control PE-3.1, PE-3.2, PE-3.3
      PE-3(1) Physical Access Control PE-3(1).1
      PE-4 Access Control for Transmission Medium PE-4.1
      PE-5 Access Control for Display Medium PE-5.1
      PE-6 Monitoring Physical Access PE-6.1
      PE-6(1) Monitoring Physical Access PE-6(1).1
      PE-6(2) Monitoring Physical Access PE-6(2).1
      PE-7 Visitor Control PE-7.1
      PE-7(1) Visitor Control PE-7(1).1
      PE-8 Access Records PE-8.1
      PE-8(1) Access Records PE-8(1).1
      PE-8(2) Access Records PE-8(2).1
      PE-9 Power Equipment and Power Cabling PE-9.1
      PE-9(1) Power Equipment and Power Cabling PE-9(1).1
      PE-10 Emergency Shutoff PE-10.1
      PE-10(1) Emergency Shutoff PE-10(1).1
      PE-11 Emergency Power PE-11.1
      PE-11(1) Emergency Power PE-11(1).1
      PE-11(2) Emergency Power PE-11(2).1
      PE-12 Emergency Lighting PE-12.1
      PE-13 Fire Protection PE-13.1
      PE-13(1) Fire Protection PE-13(1).1
      PE-13(2) Fire Protection PE-13(2).1
      PE-13(3) Fire Protection PE-13(3).1
      PE-14 Temperature and Humidity Controls PE-14.1
      PE-15 Water Damage Protection PE-15.1
      PE-15(1) Water Damage Protection PE-15(1).1
      PE-16 Delivery and Removal PE-16.1
      PE-17 Alternate Work Site PE-17.1
      PE-18 Location of Information System Components PE-18.1
      PE-18(1) Location of Information System Components PE-18(1).1
      PE-19 Information Leakage PE-19.1


      PL-1 Security Planning Policy and Procedures PL-1.1, PL-1.2
      PL-2 System Security Plan PL-2.1
      PL-3 System Security Plan Update PL-3.1
      PL-4 Rules of Behavior PL-4.1
      PL-5 Privacy Impact Assessment PL-5.1
      PL-6 Security-Related Activity Planning PL-6.1

Personnel Security

      PS-1 Personnel Security Policy and Procedures PS-1.1, PS-1.2
      PS-2 Position Categorization PS-2.1
      PS-3 Personnel Screening PS-3.1
      PS-4 Personnel Termination PS-4.1
      PS-5 Personnel Transfer PS-5.1
      PS-6 Access Agreements PS-6.1
      PS-7 Third-Party Personnel Security PS-7.1
      PS-8 Personnel Sanctions PS-8.1

Risk Assessment

      RA-1 Risk Assessment Policy and Procedures RA-1.1, RA-1.2
      RA-2 Security Categorization RA-2.1
      RA-3 Risk Assessment RA-3.1
      RA-4 Risk Assessment Update RA-4.1
      RA-5 Vulnerability Scanning RA-5.1
      RA-5(1) Vulnerability Scanning RA-5(1).1
      RA-5(2) Vulnerability Scanning RA-5(2).1
      RA-5(3) Vulnerability Scanning RA-5(3).1

System and Services Acquisition

      SA-1 System and Services Acquisition Policy and Procedures SA-1.1, SA-1.2
      SA-2 Allocation of Resources SA-2.1
      SA-3 Life Cycle Support SA-3.1
      SA-4 Acquisitions SA-4.1
      SA-4(1) Acquisitions SA-4(1).1
      SA-4(2) Acquisitions SA-4(2).1
      SA-5 Information System Documentation SA-5.1
      SA-5(1) Information System Documentation SA-5(1).1
      SA-5(2) Information System Documentation SA-5(2).1
      SA-6 Software Usage Restrictions SA-6.1
      SA-7 User Installed Software SA-7.1
      SA-8 Security Engineering Principles SA-8.1
      SA-9 External Information System Services SA-9.1
      SA-10 Developer Configuration Management SA-10.1
      SA-11 Developer Security Testing SA-11.1

System and Communications Protection

      SC-1 System and Communications Protection Policy and Procedures SC-1.1, SC-1.2
      SC-2 Application Partitioning SC-2.1
      SC-3 Security Function Isolation SC-3.1
      SC-3(1) Security Function Isolation SC-3(1).1
      SC-3(2) Security Function Isolation SC-3(2).1
      SC-3(3) Security Function Isolation SC-3(3).1
      SC-3(4) Security Function Isolation SC-3(4).1
      SC-3(5) Security Function Isolation SC-3(5).1
      SC-4 Information Remnance SC-4.1
      SC-5 Denial of Service Protection SC-5.1
      SC-5(1) Denial of Service Protection SC-5(1).1
      SC-5(2) Denial of Service Protection SC-5(2).1
      SC-6 Resource Priority SC-6.1
      SC-7 Boundary Protection SC-7.1
      SC-7(1) Boundary Protection SC-7(1).1
      SC-7(2) Boundary Protection SC-7(2).1
      SC-7(3) Boundary Protection SC-7(3).1
      SC-7(4) Boundary Protection SC-7(4).1
      SC-7(5) Boundary Protection SC-7(5).1
      SC-7(6) Boundary Protection SC-7(6).1
      SC-8 Transmission Integrity SC-8.1
      SC-8(1) Transmission Integrity SC-8(1).1
      SC-9 Transmission Confidentiality SC-9.1
      SC-9(1) Transmission Confidentiality SC-9(1).1
      SC-10 Network Disconnect SC-10.1
      SC-11 Trusted Path SC-11.1
      SC-12 Cryptographic Key Establishment and Management SC-12.1
      SC-13 Use of Cryptography SC-13.1
      SC-14 Public Access Protections SC-14.1
      SC-15 Collaborative Computing SC-15.1
      SC-15(1) Collaborative Computing SC-15(1).1
      SC-16 Transmission of Security Parameters SC-16.1
      SC-17 Public Key Infrastructure Certificates SC-17.1
      SC-18 Mobile Code SC-18.1
      SC-19 Voice Over Internet Protocol SC-19.1
      SC-20 Secure Name /Address Resolution Service (Authoritative Source) SC-20.1
      SC-20(1) Secure Name /Address Resolution Service (Authoritative Source) SC-20(1).1
      SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver) SC-21.1
      SC-21(1) Secure Name /Address Resolution Service (Recursive or Caching Resolver) SC-21(1).1
      SC-22 Architecture and Provisioning for Name/Address Resolution Service SC-22.1
      SC-23 Session Authenticity SC-23.1

System and Information Integrity

      SI-1 System and Information Integrity Policy and Procedures SI-1.1, SI-1.2
      SI-2 Flaw Remediation SI-2.1
      SI-2(1) Flaw Remediation SI-2(1).1
      SI-2(2) Flaw Remediation SI-2(2).1
      SI-3 Malicious Code Protection SI-3.1
      SI-3(1) Malicious Code Protection SI-3(1).1
      SI-3(2) Malicious Code Protection SI-3(2).1
      SI-4 Information System Monitoring Tools and Techniques SI-4.1
      SI-4(1) Information System Monitoring Tools and Techniques SI-4(1).1
      SI-4(2) Information System Monitoring Tools and Techniques SI-4(2).1
      SI-4(3) Information System Monitoring Tools and Techniques SI-4(3).1
      SI-4(4) Information System Monitoring Tools and Techniques SI-4(4).1
      SI-4(5) Information System Monitoring Tools and Techniques SI-4(5).1
      SI-5 Security Alerts and Advisories SI-5.1
      SI-5(1) Security Alerts and Advisories SI-5(1).1
      SI-6 Security Functionality Verification SI-6.1
      SI-6(1) Security Functionality Verification SI-6(1).1
      SI-6(2) Security Functionality Verification SI-6(2).1
      SI-7 Software and Information Integrity SI-7.1
      SI-7(1) Software and Information Integrity SI-7(1).1
      SI-7(2) Software and Information Integrity SI-7(2).1
      SI-7(3) Software and Information Integrity SI-7(3).1
      SI-8 Spam Protection SI-8.1
      SI-8(1) Spam Protection SI-8(1).1
      SI-8(2) Spam Protection SI-8(2).1
      SI-9 Information Input Restrictions SI-9.1
      SI-10 Information Accuracy, Completeness, Validity, and Authenticity SI-10.1
      SI-11 Error Handling SI-11.1
      SI-12 Information Output Handling and Retention SI-12.1


Additional Security Controls Not Contained in NIST Special Publication 800-53



  1. The security plan column can also be used to indicate whether the security control is a system-specific control, common control, or a hybrid control. For common controls, a notation should also be made as to the FIPS 199 impact level at which the common control (or the common portion of the hybrid control) is being managed by the organization to ensure that it is commensurate with the impact level of the information system being assessed.